
All posts for the month November, 2015

Good Evening Friends. In our previous howto, we have seen how to use the Joomla com_contenthistory Error-Based SQL Injection exploit. Today we will see how to exploit the WordPress Ajax Load More PHP upload vulnerability using Metasploit. This module exploits an arbitrary file upload in the WordPress Ajax Load More plugin version 2.8.1.1. I have tested this exploit on the above said plugin in WordPress version 4.1.3 on Windows. The only downside is that this exploit requires credentials. Start Metasploit and load the exploit as shown below.

wpajaxfu1

Set payload as below.

wpajaxfu2

Type command “show options” to see the required options for this exploit.

wpajaxfu3

Set the required options: the remote IP address, targeturi, password and username, as shown below.

wpajaxfu4

After setting all the options, check them once again as shown below.

wpajaxfu5

Type command “exploit” and we will get the meterpreter session as shown below.

wpajaxfu6


Good Evening Friends. Today we will see how to exploit the “Joomla Error-Based SQL Injection” vulnerability found recently to enumerate usernames and password hashes found in remote servers where Joomla is installed. This vulnerability is found in Joomla versions 3.2 to 3.4.4. Now let’s see how to use this exploit to enumerate usernames and password hashes. This exploit is available in Metasploit. I am testing this exploit on Joomla version 3.4.4.

joomla error-based sql injection0

Start Metasploit and load the exploit as shown below.

joomla error-based sql injection1

Set the required options as shown below and type command “exploit”. After some time, a text file containing usernames and password hashes is downloaded and stored in your system as shown below.

joomla error-based sql injection3

Now open the text file with any text editor available in Kali Linux. I have used gedit.

joomla3

This is the text file we have downloaded. As you can see below, it contains the usernames and password hashes of the Joomla installation.

joomla error-based sql injection4

This howto is part of a series called Metasploitable Tutorials, so it would be good if you follow this as part of that series. Today we will see scanning and banner grabbing of Metasploitable. Scanning is the second stage of hacking, where we gather more information about our target. Imagine a scenario where we got the IP address range of our target and we want to check how many live systems are there. This is network scanning. There are many tools in our attacker system, but we will use Zenmap. Open a terminal and type command “zenmap”. It would open a GUI tool as shown below. Give the IP address range as shown below (192.168.25.100-130, it may differ for you) and select “ping scan”. Then click on “scan”. It will show all the live systems. In our case, only Metasploitable.

metasps1

Now let’s do port scanning of the live system. In the target field, specify only the IP address of Metasploitable. In Profile, select “slow and comprehensive scan” and click on “scan”. It will show all the open ports as shown below.

metasps2

But there is another tool which is widely used for port scanning. Enter Nmap. Nmap is a versatile port scanner (Zenmap is the GUI version of Nmap). The default way to use Nmap is shown below. It would list all the open ports.

metasps3


metasps4

Next we will see how to grab banners. Banners display information about the type of service running at the open ports of our target. This can reveal some important information about our target which can be used for hacking. The Nmap command for banner grabbing and its results are shown below. We got a lot of banners.

metasps5


metasps6

Next we will use Nmap to find out the operating system of our target. The command is given below.

metasps7

The OS details are given below.

metasps8

There is another way of grabbing banners: telnetting to each port as shown below. The results can also be seen.

metasps9


metasps10

That’s all for today friends. I will be right back soon.
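From the defender’s side, the ping sweep and port scan described above leave a characteristic trace: one source touching many distinct ports on one host within a short time. As an added example (not code from the original post), this script flags that pattern in constructed log lines loosely modelled on the SRC=/DST=/DPT= fields of iptables LOG output; the addresses, timestamps, window and threshold are assumed sample values.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log lines (not from the post), loosely modelled on the
# SRC=/DST=/DPT= fields of iptables LOG output. 192.168.25.5 walks ten ports
# on one host within a few seconds; 192.168.25.7 is ordinary web traffic.
LOG_LINES = """\
2015-11-05T10:00:01 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=21
2015-11-05T10:00:01 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=22
2015-11-05T10:00:02 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=23
2015-11-05T10:00:02 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=25
2015-11-05T10:00:03 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=80
2015-11-05T10:00:03 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=139
2015-11-05T10:00:04 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=445
2015-11-05T10:00:04 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=3306
2015-11-05T10:00:05 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=5432
2015-11-05T10:00:05 SRC=192.168.25.5 DST=192.168.25.100 PROTO=TCP DPT=8180
2015-11-05T10:00:07 SRC=192.168.25.7 DST=192.168.25.100 PROTO=TCP DPT=80
2015-11-05T10:00:09 SRC=192.168.25.7 DST=192.168.25.100 PROTO=TCP DPT=80
""".splitlines()

LINE_RE = re.compile(
    r"^(?P<ts>\S+) SRC=(?P<src>\S+) DST=(?P<dst>\S+) PROTO=\S+ DPT=(?P<dpt>\d+)$"
)


def parse(line):
    """Return (timestamp, src, dst, dport), or None for lines that do not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    return datetime.fromisoformat(m["ts"]), m["src"], m["dst"], int(m["dpt"])


def detect_scans(lines, window_seconds=60, port_threshold=8):
    """Return {(src, dst): peak_distinct_ports} for each source that touched at
    least port_threshold distinct ports on one destination inside any
    window_seconds interval: the shape a port scan produces."""
    events = defaultdict(list)  # (src, dst) -> [(timestamp, dport), ...]
    for line in lines:
        rec = parse(line)
        if rec:
            ts, src, dst, dpt = rec
            events[(src, dst)].append((ts, dpt))
    alerts = {}
    for key, hits in events.items():
        hits.sort()
        start = 0
        for end in range(len(hits)):
            # Slide the window start forward until the span fits in window_seconds.
            while (hits[end][0] - hits[start][0]).total_seconds() > window_seconds:
                start += 1
            ports = {dport for _, dport in hits[start:end + 1]}
            if len(ports) >= port_threshold:
                alerts[key] = max(len(ports), alerts.get(key, 0))
    return alerts
```

Running `detect_scans(LOG_LINES)` reports the 192.168.25.5 to 192.168.25.100 pair with 10 distinct ports and ignores the repeated port 80 traffic from 192.168.25.7.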

Good evening Friends. Today we will see how to install Veil-Evasion in Kali Linux. Although this howto is made on Kali Linux Sana, it is the same for all versions of Kali. For the novices, Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions. First of all, download and save the zip file of Veil-Evasion as shown below from here.

veil1a

Next, open a terminal and go to the directory where the zip has been downloaded. Commonly it is root or Downloads. Mine is in root. Next, unzip the contents of the zip file by using command unzip “Veil-Evasion-master.zip” as shown below.

veil2

When unzipping is finished, type “ls” command once again. You will see a new directory “Veil-Evasion-master”. Change into that directory as shown below and type “ls” to see the contents of that directory.

veil3

There will be a directory named “setup”. Change into that directory. You will see a file named “setup.sh”. Execute that file using command “./setup.sh” as shown below.

veil4

It will ask whether you want to continue with the installation or not. Type “y”.

veil5

The installation will start. It will ask you whether to install Wine. Click on “Install”.

veil6

Next it will install Python. Click on “Next”.

veil7

Click on “Next”.

veil8

If it asks you to overwrite existing files of any Python, select “yes”.

veil9

Click on “Next” for the below window.

veil10

Finish the installation by clicking on “finish”.

veil11

Next, the system will ask you to install pywin32. Pywin32 is a set of extension modules that provides access to many of the Windows API functions. Click on “Next”.

veil12

Click on “Next”.

veil13

Click on “Next”.

veil14

Click on “Finish” to let the script continue.

veil15

Next it will install pycrypto. Click on “Next”.

veil16

Click On “Next”.

veil17

Select language as “English” and click on “OK”.

veil19

Next it prompts you to install Ruby. Accept the license and click on “Next”.

veil20

Click on Install.

veil21

Click on Finish to finish the installation of Ruby.

veil22

You will see the below screen as the installation finishes.

veil23

Now let us see if our installation has been successful by starting the program. Go to the “Veil-Evasion-master” directory in which there is a python script called “Veil-Evasion.py”. Execute this script by typing command “./Veil-Evasion.py”.

veil24

This is how Veil-Evasion looks when started.

veil25


Good evening friends. Today we will see how to bypass antivirus with Veil-Evasion to hack a remote system. Veil-Evasion is a tool to generate payload executables that bypass common antivirus solutions. First we need to install Veil-Evasion in Kali Linux. Next, go to the installed directory as shown below. In the directory where it’s installed, there is another directory with the name Veil-Evasion. Navigate to that directory. Type command “ls” to show the contents of that directory. There is a python script with the name “Veil-Evasion.py”. Execute that script by typing command “./Veil-Evasion.py”.

veilab1

It will open the Veil evasion framework as shown below.

veilab2

It has a total of 46 payloads. To see the available payloads, type command “list”. Some of the available payloads are shown below.

veilab3


veilab4

To select any payload, just type its number. In my case, I am using “36”. I have successfully bypassed Avast antivirus with this payload. Type number “36” and hit Enter. It will show the available commands for that payload.

veilab5

Next type command “generate” to generate our payload.

veilab6

It will ask you how you want to generate the shellcode. Use the first option, i.e. msfvenom, as we will use Metasploit to connect to the remote system. It will ask you to enter the payload. By default it is “windows/meterpreter/reverse_tcp”, so just hit Enter. Then you will be prompted to enter the values of “Lhost” and “Lport”, i.e. the address of Kali Linux and the local port for the connection. Hit Enter when it asks for extra msfvenom options and the shellcode starts generating as shown below.

veilab7

Next, you will be asked to enter a name for the executable of the payload. Give any name and hit Enter. Next, it will ask you how you would like to create your executable. Choose the default option by just hitting “Enter” as shown below.

veilab8

Your executable will be generated and the directory in which it is created will be shown as below.

veilab9

Now we need to start Metasploit and load the handler exploit and payload as shown below.

veilab10

The payload, LHOST address and LPORT should be the same as given in the executable file we created. Type command “exploit”. The exploit will stop at the stage shown below.

veilab11

Now send that executable file (in this case “viras.exe”) to our victim. When he clicks on it, we will get a meterpreter session as shown below. Type command “sysinfo” to get the system information.

veilab12

Hi Guys and Girls. Since I am writing many howtos on how to exploit different vulnerabilities in both web and operating systems using Metasploit, I thought maybe it would be very helpful for beginners to make a guide to Meterpreter, since it is the most widely used payload for our exploits. That raises the question of what a payload is, which in turn raises the question of what an exploit is. To put it clearly, an exploit is “a defined way in which to take advantage of the given vulnerability”. Imagine a house (containing lots and lots of money) is locked with a complex number lock, decoding which is almost impossible, but the lock has a weakness. If you hit it very hard, the lock may break. This is its vulnerability. Now to take advantage of this vulnerability, we need something like a HAMMER to hit it very hard. Here, the hammer is our exploit.

Now let us define payload. A payload defines what exactly we want to do after a system is exploited. And here, meterpreter is our payload. Meterpreter has a lot of advantages over other payloads. It is powerful, extensible and most importantly stealthy. It uses encrypted communication, writes nothing to disk and doesn’t create any new processes. Ok, Ok, Ok. That’s a lot of theory. Now let’s get to the main concept of this howto. For this howto, I have exploited a Windows system with Kali Linux and acquired a meterpreter session. As soon as you get the meterpreter session, type “?” or “help”. This will give all the commands available with meterpreter. In this Part 1, we will see all the file system commands. As the name implies, these commands are used in filesystem manipulation.

mepe1

1. pwd

The first command we will see is “pwd” which stands for “print working directory”.  It shows the current working directory in the remote system as shown below.

mepe2

2. cd

“cd” stands for “change directory”. This command is used to change our working directory in the remote machine. The command “cd ..” means going one directory back. Here we did it twice to go to the “C:\” directory.

mepe3

3. ls

The “ls” command is used to list files and directories. For example, I want to see the contents of Desktop in my remote system. Navigate to that directory and type command “ls”. As shown below, we can see the files and directories on Desktop in remote machine.

mepe4

4. cat

The “cat” command allows us to create single or multiple files, see the contents of a file, concatenate files and redirect output to the terminal or to files as we require. Here, we will use the “cat” command to view the contents of the file h323log present on the remote system as shown below.

mepe5


mepe6

5. edit

The “edit” command is used to edit a file. It will open the file in the Vi editor, in which we can make changes as shown below.

mepe7

Here I have deleted two lines in the file.

mepe8

6. mv

The “mv” command is used to move the files to another directory as shown below. Here, we have moved the file h323log.txt to another directory called “cracked”.

mepe9

7. search

The “search” command is used to search for specific files in the remote system as shown below.

mepe10


mepe11

8. download

The “download” command is used to download any files from the remote system to our system. For example, let us download the samspade file present on the Desktop of the remote system to our system as shown below.

mepe12

9. lpwd, getlwd, getwd

The “lpwd” and “getlwd” commands are used to print the local working directory, i.e. the working directory of the attacker system. The “getwd” command is used to get the working directory of the remote system.

mepe13

10. lcd

The “lcd” command is used to change the local working directory as shown below.

mepe14

11. upload

The “upload” command is used to upload any files to the remote system from our local system. Here, we have to give the exact path of the remote system where we want to upload our file as shown below.

mepe15

12. rm

The “rm” command is used to delete files in the remote system. We use this command generally to delete any executable files we have uploaded so that our victim doesn’t get any suspicion.

mepe16

13. rmdir

The “rmdir” command is used to delete directories since “rm” command cannot do it. Its usage is shown below.

mepe17

14. mkdir

The “mkdir” command is used to create new directories or folders on the remote system as shown below.

mepe18

Hope this guide was helpful. I will be back with “part 2” soon.

Good Evening Friends. Recently Metasploit released an exploit for the Nibbleblog file upload vulnerability. To those people who don’t know what Nibbleblog is, it is a powerful engine for creating blogs. In fact we can say it is the simplest blog creation system. In this scenario, we will hack a remote system which is using Nibbleblog 4.0.3. We will upload a file into the remote system using the Nibbleblog file upload vulnerability. The only downside of this exploit is that it requires credentials. Update Metasploit and start it. Type command “search nibbleblog” to search for all exploits related to Nibbleblog as shown below.

nibbleblog1

Load the exploit as shown below.

nibbleblog2

Set all the options required as shown below. I am running Nibbleblog on my WAMP server on another system, so I am giving its IP address below.

nibbleblog3

Type command “show payloads” to see the payloads available for this system. You will see all the available options as shown below.

nibbleblog4

Choose the payload “php/meterpreter/reverse_tcp”.

nibbleblog5

Set the required options, i.e. LHOST, which is the IP address of your Kali machine. As I already told you, we need the credentials of the blog we wanna hack. Type command “exploit”. Even though you get an error as shown below, don’t worry, your exploit has successfully run. The file has been uploaded.

nibbleblog6

Now we have to start a listener to listen for our reverse_tcp connection. Load the listener exploit as shown below. Set all the required options as shown.

nibbleblog7

Type command “exploit”. The exploit will run and stop at the stage shown below.

nibbleblog8

Now open a browser. The file you just uploaded is saved by default as image.php in the remote system. Now go to the exact path as highlighted below. The only thing that may change for you is the IP address. Hit Enter.

nibbleblog9

Now if you go back to the terminal, you should already have a meterpreter session as shown below. Happy Hacking.

nibbleblog10

Hope it was helpful.
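Both the WordPress Ajax Load More case earlier on this page and the Nibbleblog case above end the same way: a PHP file dropped into a directory meant for uploads (the Nibbleblog one lands as image.php). As an added defensive check, not part of the original posts, this script walks an upload tree and reports files a PHP web server would execute, plus image-named files whose content starts with a PHP open tag; the directory layout and file contents it builds are constructed sample data, and the extension lists are assumptions.

```python
import os
import tempfile

# Extensions a typical PHP web server would execute if they appear under an
# upload directory (assumed list; the Nibbleblog case above lands as image.php).
EXECUTABLE_EXTS = {".php", ".php3", ".php5", ".phtml", ".phar"}
# Image-named files whose content begins with a PHP open tag are just as bad.
IMAGE_EXTS = {".jpg", ".jpeg", ".png", ".gif"}
PHP_OPEN_TAG = b"<?php"


def classify(path):
    """Return a reason string if the file looks like a dropped script, else None."""
    ext = os.path.splitext(path)[1].lower()
    if ext in EXECUTABLE_EXTS:
        return "executable extension in upload dir"
    if ext in IMAGE_EXTS:
        with open(path, "rb") as fh:
            head = fh.read(256).lstrip()
        if head.startswith(PHP_OPEN_TAG):
            return "PHP code inside an image-named file"
    return None


def find_suspicious_uploads(upload_root):
    """Walk upload_root; return sorted (relative_path, reason) pairs with '/' separators."""
    findings = []
    for dirpath, _dirs, files in os.walk(upload_root):
        for name in files:
            full = os.path.join(dirpath, name)
            reason = classify(full)
            if reason:
                rel = os.path.relpath(full, upload_root).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def build_sample_tree():
    """Constructed sample upload tree (assumed layout, not from the posts)."""
    root = tempfile.mkdtemp(prefix="uploads-")
    os.makedirs(os.path.join(root, "2015", "11"))
    samples = {
        "2015/11/photo.jpg": b"\xff\xd8\xff\xe0JFIF sample bytes",   # genuine-looking image
        "2015/11/image.php": b"<?php echo 'uploaded'; ?>",          # script by extension
        "2015/11/avatar.png": b"  <?php echo 'disguised'; ?>",      # script by content
        "notes.txt": b"plain text, harmless",
    }
    for rel, data in samples.items():
        with open(os.path.join(root, *rel.split("/")), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for rel, why in find_suspicious_uploads(build_sample_tree()):
        print(f"{rel}: {why}")
```

Point `find_suspicious_uploads` at a real wp-content/uploads or Nibbleblog content directory to run the same check on a live site.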

Good Evening friends. Today we will see how to perform a DoS attack on Wifi networks. We will use a tool called mdk3, which is inbuilt in Kali Linux, and we need a compatible wifi adapter for this attack. If all is set, open a terminal and type command “mdk3” to see the various attacks available in this tool as shown below.

mdk1

Scroll down to see more options. We can see the various testing modes available in this tool. We will use the deauthentication attack for this Wifi DOS. As the name implies, this attack disconnects all clients connected to the wifi network.

mdk2

Before we start our attack, we have to start our adapter in monitor mode. Type command “airmon-ng start wlan0” (where wlan0 is your wifi interface and may differ for you).

mdk3

Then type command “mdk3 mon0 d -i <ESSID name>” and you will see the tool disconnecting all the clients connected to the Wifi network you are targeting. Here,

“mon0” – is the interface where monitor mode has been started. This can be different for you.

d – is the deauthentication mode

ESSID – is the name of the Wifi network.

mdk4a


Hope this was helpful.
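A deauthentication flood like the one above is visible to a wireless IDS as a burst of 802.11 management frames of subtype 12 (deauthentication) aimed at one BSSID. As an added detection example that is not from the original post, this script parses raw deauthentication/disassociation frames and alerts when one BSSID sees more than a threshold of them within a one-second window; the captured frames are constructed in memory as sample data, and the MAC addresses, reason codes and threshold are assumed values.

```python
import struct
from collections import defaultdict

# Frame-control byte 0 packs version (2 bits), type (2 bits) and subtype (4 bits),
# low bits first: management type 0 with subtype 12 (deauthentication) is 0xC0,
# subtype 10 (disassociation) is 0xA0.
DEAUTH_FC = 0xC0
DISASSOC_FC = 0xA0


def mac(raw6):
    return ":".join(f"{b:02x}" for b in raw6)


def parse_frame(raw):
    """Return (kind, addr1, addr2, bssid, reason) for a deauth/disassoc frame, else None."""
    if len(raw) < 26:
        return None
    kind = {DEAUTH_FC: "deauth", DISASSOC_FC: "disassoc"}.get(raw[0])
    if kind is None:
        return None
    # Management header: FC(2) duration(2) addr1(6) addr2(6) addr3(6) seqctl(2), then reason code.
    addr1, addr2, addr3 = raw[4:10], raw[10:16], raw[16:22]
    reason = struct.unpack("<H", raw[24:26])[0]
    return kind, mac(addr1), mac(addr2), mac(addr3), reason


def detect_flood(frames, threshold=20, window=1.0):
    """frames: iterable of (timestamp_seconds, raw_bytes). Return {bssid: peak_count}
    for each BSSID that saw at least threshold deauth/disassoc frames in any window."""
    per_bssid = defaultdict(list)
    for ts, raw in frames:
        parsed = parse_frame(raw)
        if parsed:
            per_bssid[parsed[3]].append(ts)
    alerts = {}
    for bssid, stamps in per_bssid.items():
        stamps.sort()
        start = 0
        for end in range(len(stamps)):
            while stamps[end] - stamps[start] > window:
                start += 1
            count = end - start + 1
            if count >= threshold:
                alerts[bssid] = max(count, alerts.get(bssid, 0))
    return alerts


def make_deauth(receiver, transmitter, bssid, reason=7):
    """Build one constructed deauthentication frame as sample data for the detector."""
    return (bytes([DEAUTH_FC, 0x00]) + b"\x00\x00" + receiver + transmitter
            + bssid + b"\x00\x00" + struct.pack("<H", reason))


def sample_capture():
    """Constructed capture: 50 broadcast deauths against one BSSID in half a second,
    plus a single ordinary deauth on another network (assumed addresses)."""
    ap = bytes.fromhex("001122334455")
    bcast = b"\xff" * 6
    frames = [(0.01 * i, make_deauth(bcast, ap, ap)) for i in range(50)]
    other_ap, client = bytes.fromhex("66778899aabb"), bytes.fromhex("0a0b0c0d0e0f")
    frames.append((5.0, make_deauth(client, other_ap, other_ap, reason=3)))
    return frames
```

`detect_flood(sample_capture())` flags only 00:11:22:33:44:55, with a peak of 50 frames in one window; the lone frame on the other network stays below the threshold.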


Good evening friends. Today we will see how to exploit a Windows 7 system with the PDF Shaper buffer overflow exploit, which exploits a vulnerability in PDF Shaper 3.4. To those newbies who don’t know what PDF Shaper is, it is a “collection of free PDF tools, which allows you to merge, split, encrypt and decrypt PDFs, convert images to PDF, convert PDF to Word RTF or images, extract text and images from PDF.”

We will use Kali Linux as the attacker machine for hacking Windows 7. Start Metasploit and search for the “pdf shaper” exploit as shown below.

pdfshaper2


pdfshaper3

Copy the exploit path as shown above and load the exploit as shown below. Set the payload as “windows/meterpreter/reverse_tcp”.

pdfshaper4

Set the IP address of Kali Linux as LHOST. Type command “exploit”. A pdf file will be created as shown below.

pdfshaper5

We have to send this pdf file to our target. Before that, we will have to start a listener for this specific exploit. Load the following exploit and payload as given in the below image.

pdfshaper6

Set LHOST and LPORT exactly the same as the values we have given above. Type command “exploit”.

pdfshaper7

Now send the file to our target. When he uses PDF Shaper to convert our pdf to an image as shown below,

pdfshaper1

pdfshaper8

pdfshaper9

we get a meterpreter session on our attacker system as shown below.

pdfshaper10


Good evening friends. It’s been a long time since I made a howto on hacking. In this howto, I’m going to show you how to exploit Windows 7 using the recently released ms15-100 Microsoft Windows Media Center MCL exploit. For this, I am gonna use the pentest lab I created in our previous howto. I am using Kali Linux as my attacker system for hacking Windows 7.

Start Metasploit by typing command “msfconsole”. Search for our exploit using command as shown below.

ms15_100a

Load the exploit as shown below.

ms15_100b

Set the IP address of Kali Linux in the “srvhost” option. Set payload as “windows/meterpreter/reverse_tcp”. Set LHOST to the IP address of Kali Linux.

ms15_100c

Check if all the necessary options are set by typing command “show options”. Now run the exploit by typing command “exploit”. You will get the following result. Now copy the underlined link and send it to your victim.

ms15_100d

When your victim clicks on the link, he will get a popup asking him to download and save the file.

ms15_100e

When the user clicks on the downloaded file, we will get a meterpreter session on our attacker system as shown below. Type command “sessions -l” to see the available sessions. We have one session available below.

ms15_100f

Type command “sessions -i 1” (1 is the session number available to us and can vary for you) to use the meterpreter session. Type “sysinfo” to know about the target system. Hurrah, we have successfully hacked our target.

ms15_100g