Archives

All posts for the month July, 2016

Bypass uac stands for bypassing user account control. User account control is the security measure introduced in Windows OS since Windows 7. It helps in preventing any malicious program from running with admin privileges. With UAC, applications and tasks always run with privileges of a standard or non-administrator account, unless a user authorizes administrator-level access to the system. UAC will not allow any unauthorized program from making any inadvertent changes to the system.

This may include even our meterpreter shell. We have seen many exploits where we got meterpreter shell. But when you check your privileges by typing command “getuid”, we can see that we are running as a standard user as shown below. When we try to get system privileges with  command “getsystem”, we can see it failed.

epw71

Bypass uac exploit as its name implies, bypasses the user account control security feature in Windows 7 to give us system privileges.  This is available in Metasploit. For this exploit to work, we should already have a meterpreter shell on our target system.

Now let use see how to get system privileges with this exploit. First background the current meterpreter session by typing command “background”. Next search for bypassuac exploit as shown below.

epw72

Load the exploit as shown below. Type command “show options” to see what options we need to set. We can see only one option is required: session. This is the session id number with which our previous meterpreter session was running. While we background our session, we saw that our session id number is 1. ( see the above image ). Set session id option to 1 as shown below.

epw73

Type command “exploit” to run our exploit. Type command “getsystem” to try to get the system privileges once again. This time we successfully got the system privileges as shown below.

epw74

Hello aspiring hackers. Previously we have seen how to perform Joomla version enumeration and Joomla plugin enumeration with Metasploit. Metasploit also has a module for Joomla webpages enumeration which can be useful in seeing pages of a Joomla website which can give further information about the website.

Start Metasploit and load the module as shown below.  Type command “show options” to see the options we need to set.

joomla_pages1

As other auxiliary options, it has RHOSTS option instead of RHOST option. We can set multiple IP addresses to scan for their pages with space in between as shown below. Set the targeturi.

joomla_v2

Type command “run” to execute the exploit. We will get the result as shown below.

joomla_pages3

Good evening aspiring ethical hackers. Joomla is one of the most popular CMS for websites. To further improve its features Joomla has components or extensions which can be installed by the web admin as per requirement. These are similar to plugins in WordPress. Last month hackers found many vulnerabilities in so many extensions of Joomla.

But how do we find out Joomla websites with this vulnerable plugins installed. Once again, Metasploit saves the day for us as it has an auxiliary module for Joomla plugin enumeration. Start Metasploit and load the module as shown below.

joomla_plugins1

This module has Rhosts option instead of Rhost option as we generally scan multiple IP addresses to check for vulnerable websites. Set the IP addresses as shown below with space between each IP address.

joomla_v2

Now type command “run” to see the plugins installed on all these websites.

joomla_plugins3

How does this module work? If you have seen in the first image, this module takes the list of plugins to enumerate from file “usr/share/metasploit-framework/data/wordlists/joomla.txt”. I have little knowledge whether this file is updated as fast as the Joomla plugins developed.  You can open this file with any text editor as shown below.

joomla_plugins4

If the component you want to search for is not listed, you can make your own entry as shown below. I have added two components here, which are vulnerable to sql injection but not included in the file before. Save and close the file.

joomla_plugins5

I run the scan again and found one Joomla website with this plugin installed.  Happy hacking.

joomla_plugins6

Good morning friends. Today we will see about hacking Nagios with Metasploit. Nagios, also known as Nagios Core, is a free and open source computer-software application that is used to  monitor systems, networks and infrastructure. It offers monitoring and alerting services for servers, switches, applications and services. Italso alerts users when things go wrong and alerts them a second time when the problem has been resolved.

Versions of Nagios XI 5.2.7 and below suffer from SQL injection, auth bypass, file upload, command injection, and privilege escalation vulnerabilities. This exploit uses all these vulnerabilities to get a root shell on the victim’s machine. Now let’ see how this exploit works. Start Metasploit and load the module as shown below.

nagios1

Let us set a new payload as shown below.

nagios2

Set the target IP address as shown below. Use check command to see whether our target is vulnerable as shown below. If our target is vulnerable, type command “run” to execute our exploit. If everything goes right, we will get a shell on our target as shown below.

nagios3

How to stay safe:

The current version of Nagios available is 5.29. Please update to the latest version.

 

Good morning aspiring hackers. Today we will see Windows hacking with Cypher. Cypher is a simple tool to automatically add shellcode to PE files. PE files means portable executable files.

But what is shellcode? It is a list of carefully crafted instructions that can be executed once the code is injected into a running application. So in simple terms, Cypher allows us to add shellcode to portable executable files like…. well it can be any Windows executable. Usually we use shellcode to get a remote shell or create a backdoor shell on our target system.  Cypher even allows us to get the powerful meterpreter shell.

Now let us see how to perform Windows hacking with this tool. First, let us git clone this tool into Kali Linux using commands as shown below.

cypher1

Make sure you are in the same directory where cypher is cloned. It gives information on how to create different types of payloads. Let us add a reverse meterpreter shell  using the command shown below.

cypher2

Now let us see all the options we specified.

addShell.py  : syntax of Cypher

-f                   :  the ‘f’ option stands for file. This is to specify the portable executable into which we want to create our                            backdoor. Remember that some executables are packed and don’t allow writing shell code. Test and                                use accordingly. Here, I’m using plink.exe located on my Desktop.

-t                   : the target OS for which you want to create this backdoor for. These include four options: 0,1,2,3. These                           are for Windows 7 32bit, Windows 7  64 bit, Windows 8.1 64bit and Windows 10 64bit respectively.                                 Here I have specified it as 1 since I’m testing it on Windows 7 64bit OS.

-d                  : offset. This is nothing but distance between the point where we are trying to enter our shellcode to the                           point where we are exactly placing our shellcode. Even if you don’t understand that sentence above, let                           me tell you why it’s important. The success of injecting our shellcode into an executable is that the                                   executable should work fine even after we inject our backdoor. The exe shouldn’t crash. By default, this                           value is set to four. But if your exe is crashing, set it to a greater value( I set it to 10) as I did above.

-H                : attacker’s IP address. In our case, IP address of Kali Linux.

-P                 : the port on which we want our shell back.

-p                 : Mind the lowercase. This stands for payload we want to set. ‘1’ stands for                                                                                  Windows/meterpreter/reverse_http.  The other options are,  

                        0 – windows/shell/reverse_tcp, 2- Windows/meterpreter/reverse_http + PrependMigrate,                                                3-  Windows/meterpreter/reverse_https, 4- Windows/meterpreter/reverse_https + PrependMigrate

After setting all the options, hit on Enter. The payload will be created with the same name but end with _evil as shown below. I leave sending the package to our intended victim to you but remember almost every antivirus can detect our file as malicious.

Since my blog is committed to make hacking as close to reality as possible, I have a solution. Google for “making Finfisher undetectable”. Open the first link Google search finds and follow some of the steps shown there. Trust me this works. Now send the package to the victim.

cypher3

Now to listen to our reverse shell, we need a listener. Open Metasploit and create a reverse_http listener as shown below.

cypher4

Set the required options like IP address and port. Note that they should be same as we specified while we added shell code to the file. Type run command. The exploit should hang on as shown below.

cypher5

Now when our victim clicks on the file we sent, we should get a meterpreter reverse shell as shown below.

cypher6

See how to hack Windows 10 with Hercules 

Upload shell to hack a website: Part2-webshells in Kali Linux

Hello aspiring hackers. It would be completely unfair to discuss about web shells without discussing about Weevely.

Weevely is a command line web shell dynamically extended over the network at runtime, designed for remote administration and penetration testing or bad things. It provides a ssh-like terminal just dropping a PHP script on the target server, even in restricted environments. The best thing about Weevely is its stealth functionality. So today we will see how Weevely functions.

It is inbuilt installed in Kali Linux although here I have downloaded from Github. So let us first generate a  shell as shown below. “tadada” is the famous ( or rather infamous ) password we have assigned for our shell and the name assigned to our shell is backdoor. Now let us upload this shell to our target. In this howto, I have uploaded it into both Wamp server and Linux web server.  Go here to see how to upload the shell.

weevely1

After uploading the shell, we can connect to our shell using the command shown below. Well we made a connection.

weevely2

Now let us type command “:help” to see all the commands weevely provides. We will see usage of each command.

weevely3

:audit_filesystem

This command, as the name implies is used to audit the file system of the remote web server. The below screenshot shows the result of this command on a Linux web server.

weevely4

:audit_etcpasswd

This command needs no explanation. It is used to view the passwd file of our target and obviously will work only on Linux.

weevely6

:audit_phpconf

This command lets us have a look at the php configuration on the remote web server as shown below. We can get lot of information which can be useful in further hacks.

weevely7

:system_info

This command is used to know the whole system information. Below we can see lot of info about our target system.

weevely8

:system_extensions

This command shows us the system extensions enabled on the web server. Here are the apache_modules

weevely9

and the php_extensions enabled on the web server.

weevely10

:backdoor_tcp

If you have gone through the above link, you already know what is a backdoor. We can create a backdoor on the web server as shown below. Here we have created a shell backdoor using netcat on port 80.

weevely11

Now open another terminal and type the command shown below. The IP address is our target’s address. It directly provides us a connection to port 80 of the target. You can also use other ports to connect to but the port should be open on our target.

weevely12

:backdoor_reversetcp

We also saw the reverse backdoors in our previous howtos. Here, we are creating a backdoor to our attacker machine on port 1122.  The IP address should be our attacker machine’s.

weevely13

Once we create a reverse backdoor, we just need to listen on the port we specified above using netcat as shown below.

weevely14

:file_ls

This is akin to “ls” command in Linux. It is used to see the contents of the directory.

weevely15

:file_rm

It is used to delete any file from the directory. For example, I deleted the file c99.php.c999jpg as shown below.If our command has worked successfully, the terminal will return a true as shown below.

weevely16

:file_upload

This is used to upload files. I have uploaded the c99 shell below. Go here to know more about the c99 shell and how it is used to hack the websites.

weevely17

:file_read

Used to read files.

weevely18

:file_webdownload

What if file upload doesn’t work? We can download any files from the internet. Suppose imagine we want to download a virus into our target and file upload doesn’t function ( in rare case ). We can host the virus on any free uploading site and download it using  command shown below.

weevely19

:file_touch

Now this one is important. This command is used to change time stamps. Let us change time stamps for files we have just uploaded. This is useful in raising less suspicions on the other side.

weevely20

As we can see, time stamps of our files have been successfully changed.

weevely21

:file_check

This command is used to see if a file exists as shown below.

weevely22

:file_enum

To enumerate the permissions of the files.

weevely24

:file_cp

To make a copy of a file.

weevely25

:file_edit

To edit a file not only in this directory but also other directories. For example, let us edit a file in the home directory with the name virus.

weevely26

This are the contents of the file. Oh bad english.

weevely27

Let’s correct it. Actually this is used to edit files and change their script.

weevely28

For example, we can edit the index page to deface the website.

weevely29

:file_cd

To change directories.

weevely30

:file_find

To search for files with specific properties. For example, we have searched for all writable files in the directory. Similarly we can also search for executable files.

weevely31

:file_zip

Weevely provides us many functions to compress and decompress files. These include tar,bzip, gzip and zip. Here I am showing you an example of compressing two files into a zip archive.

weevely32

:sql_console

Used to connect to the sql console.

weevely33

:bruteforce_sql

We are not always lucky to have an unprotected sql connection. In that case, this command can be used to bruteforce the credentals.

33a

:sql_dump

After we get the credentials, we can dump the database we want using this command.

33b

:net_scan

In this howto itself, we saw how to create a backdoor and we also discussed that an open port is required for creating this backdoor. We can scan for open ports using this command. We can see just port 80 is open.

weevely34

:net_ifconfig

Used to check all the network interfaces of the system.

weevely35

:shell_sh

This command is used to execute any shell command on the system.

:shell_php

Shell_php command is used to execute php commands on the target server. Here I have executed phpinfo() command.

weevely36

Once we get  a shell, we can also execute all the standard commands of the shell like whoami, uname and hostname etc..etc.

weevely37

Well that was weevely for you. Hope that was helpful.