Archives

All posts by kanishka10

During a pen test, it  sometimes becomes necessary to change Windows password. Although we have a hashdump feature to dump the password hashes of all users in a remote Windows system, this exploit directly changes the password of the user we want in the registry. Thus it saves the trouble of cracking the password hashes altogether.

This works on a local user account. This can be pretty useful if we need credentials but can’t crack the hashes. Mind that you need to have system privileges on the remote system to use this exploit (See how to escalate privileges). Let’s see how this exploit works.

First acquire system privileges on the system. Background the session (note the meterpreter session id) and load the hashcarver exploit as shown below.

 Type command  “show options” to see the options required. Session is the meterpreter session id, user is the user in the remote system whose password you want to change and “pass” is the password you want to set for the user.

My session id is 2, Kanishka is the username for which I want to change the pasword and I want the new password to be “hacked”.

When all the options are set, execute the exploit using command “run.  The exploit runs as shown and successfully changes the password. Happy hacking.

Here I bring you a fictional account of a Real Time Hacking Scenario originally published in Hackercool Magazine Feb 2017 Issue. This knowledge is strictly for education purposes and should be used only in pen testing.

Hi,everyone. I’m hackercool, allegedly a black hat hacker for some people but I still consider myself a script kiddie. The month of February was jampacked with parties for me. Most important of them was a get together with my scho- ol friends (none of my friends know about my hacker identity). With the ubiquitous smart phones nowadays, many photographs were taken. It was a very good opportunity to test my new digital camera.

I took numerous photographs of my friends in various poses but I didn’t pose for even a single photograph. None of my friends even took note of my absence but it’s a wonderful feeling to get lost in the crowd. You don’t know it. When I began to forget about the party, some of my friends requested me for the photos I took with my digital camera. They asked me to whatsapp them but I informed them I would send them my USB.

By now, my hacker instinct became active. I decided to hack my friends (or atleast try to hack them). I wanted to test how many would fall for it. Stage set. Plan in motion. Most of my friends (or for that matter many computer users in India) prefer Windows as their operating system. So I started my attack assuming my friends are using a Windows OS.

The channel of my attack was sending a USB drive to them which would have not only the party photos but also a specific  malware to hack them. There was one problem though. Even normal computer users would have both Windows Firewall ON and antivirus installed (I’m assuming all my targets are latest Windows 10). So I can’t use any renown malware or RATS since their signatures would be easily detected by many Antivirus.

So I decided to create a customised payload that would bypass most antivirus. Many people just assume antivirus cannot be bypassed but as you will see now, it’s a reality only hackers know about. For this attack, I decided to use Hercules customized payload generator.(More about this payload generator was discussed in Dec 2016 issue of Hackercool magazine and also on this blog). I have used this program a couple of times before and I am loving it.

It almost bypasses all antivirus, ofcourse until now. There’s a reason why I say that. Remember that the battle between malware and anti-malware is like that of between Newt and Garter snake, they continuously evolve. Hercules can be installed in Kali Linux which is my attacker system. (As already told, its installation is given in Dec 2016 issue of Hackercool magazine).

Open Hercules as shown below. It has three options : generate payload, bind payload and update. The first option will just generate a payload we want while the second option will bind the payload with another program’s executabl -e. The second option would have been excellent to me but Hercules seems to be under revamp and this op-tion is not added yet now. So I had no other option but to generate just a payload now. So I chose option 1.

Next, I need to select the type of payload. I had four payloads to select ; meterpreter reverse tcp, meterpreter reverse http, meterpreter reverse https and a Hercules reverse shell. I was not in the mood to try something new. Since I am well accustomed with the meterpreter reverse tcp payload, I decided to choose that option.

Next, I entered some options required for the hack to work.

LHOST= IP of my attacker machine

LPORT= the local port on which the reverse connection is to be sent.

persistence, migration and UPX functions are explained in the NOT JUST ANOTHER TOOL in the Dec 2016 issue of Hackercool magazine. I have not enabled all these options as it would attract the attention of anti-malware.

I named the payload “sunny_leone_unseen”. I hope you already know why but if you don’t know, you will know soon. The payload is saved at the location shown below.

Generating the payload is the easiest part of the hack. Now begins the difficult part. Convincing our victims to click on our payload. I just can’t ask them to click on the payload although that has worked for me sometimes. First I checked the payload if it was indeed undetectable by antivirus. Success there.

After thinking for sometime, I decided to do it in two ways. First one, by binding. Binding is a process of combining two exe files or other files into one. It is the age old way of sending the virus to victims. I chose love calculator as the other program to bind my payload to. Since most of my victims were on the younger side I expect that this will have more probability of being clicked on. The Love calculator is shown below.

Come on, the love between us is only 58.5%.

We have many binders available. A quick Google search should give you enough options. But I used Rakabulle binder for my job. Just add the files to compile as shown below and click on “Build Raka”. That will bind the two programs into one.

But there is a problem with binding. As I already told you, binding has been there for a long time. So even if we bind two genuine programs together, antivirus may flag it off as malware. I wanted to play smart. I also used the second method as backup.

Second method is a bit popular on the internet. It’s changing the icon of the exe file we generated. First, I created a shortcut for my file and changed the icon of the shortcut as shown below. Then I hid the payloa d. Now let me tell you about the name of my payload. My intention is to maximise the chances of my victim’s clicking on my payload. So I gave that name (Just Google sunny leone for more info).

All done. Now before I passed mu USB drive to my friends, I started a listener on Metasploit as shown below.

I have set the required options and typed command “run” to start the listener as shown below.

After starting the listener, I passed on the USB drive to my first victim. I was not expecting very quick results as all of them were employees. To quicken my chances, I gave it to my first victim on Friday evening. I thought the weekend would give them enough time to become my victim. My system was continuously on. It was a horrendous wait but it finally happened.  One victim fell for the trap. I got one meterpreter session. I quickly checked the OS info. It was a Windows 7. I was encouraged.

I was expecting atleast three connection on the same day. So I quickly backgrounded the session and started the handler again to rece- ive more connections. Very soon I got the second meterpreter session.

I sent even that session to background and waited, but there was no third connection. I waited for some more time and went out to do some errand. Even after returning, I had only two connections. So I thik I would have to be  content with them.

 

Hello aspiring hackers. There’s been a loooong (forgive the grammatical error) gap  in updating the blog. Well, blame it on 70% hectic schedule and 30% procrastination. But today we will see how to hack windows with HTA web server.

First things first. What is HTA web server? HTA stands for HTML application. So this server hosts a HTA file, which when opened will execute a payload via powershell. Ofcourse, the browser warns the user before executing the payload.

Now let’s see how this works. We will use this exploit to hack Windows 10. Start Metasploit and load the module as shown below.

Set the reverse meterpreter payload as it is a local exploit.

Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.

As you can see, it has generated an url. We need to make the victim click on this particular url for our exploit to work. We have already seen in our previous howto’s, how to make that happen. When the victim clicks on the url we sent him as shown below

the browser prompts a warning about the payload as shown below.

When the user ignores the user and clicks on “run”,  a meterpreter session is opened as shown below.

This session can be viewed and opened as shown below.

Hello aspiring hackers. Till now we have seen various ways of hacking windows, escalating privileges and creating a persistent backdoor for later access. After we have successfully created a backdoor, it’s time to perform further reconnaissance. Windows post exploitation recon helps us in gathering further info about our target network. This can be helpful to us in finding more vulnerable systems to hack and pivot.

If you have observed carefully while starting Metasploit, it has number of modules specified as “post”. Some of these are useful in recon. For us to do post recon we need to first hack the system and get metertpreter session on it. Now let us see how to perform this recon with Metasploit.

The first module useful in reconnaissance in the arp scanner. Arp scanner helps us to identify any hidden devices in the network. Hidden devices are those devices which don’t respond to normal requests like ping etc. For example, some firewalls intentionally don’t respond to ping requests. ARP scanning can detect these devices.

winpostexrc1

The checkvm module helps us to find out if the machine we hacked is a virtual machine, which in this case is true.

winpostexrc2

The dumplinks module will parse .lnk files from a user’s Recent Documents folder and Microsoft Office’s Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

winpostexrc4

In some cases, we need to know what are the applications installed in the system we hacked. For example, in a case where we cannot escalate privileges and maybe a vulnerable program installed in the target can help us in privilege escalation. The enum_applications module exactly does that.

We can see in this specific case, there are only two programs installed.

winpostexrc5

The enum_logged_on_users module helps us in finding out the users logged in.  This may help us in knowing the usernames of the system.

In our case, we go to know the username as “admin”.

winpostexrc6

The enum_shares module will list the shares of both configured and recently used shares on the compromised system. My target doesn’t have any shares.

winpostexrc7

The enum_snmp module will enumerate the SNMP service on the target, if installed. It will also enumerate its community strings.

In our case, there’s no SNMP service installed.

winpostexrc8

The hashdump module does exactly what it says. It dumps the password hashes from the target system as shown below. May I remind you that meterpreter already has this hashdump function.

winpostexrc9

The usb_history module retrieves the history of usb devices connected to the target system. In my case, no USB devices were connected to the target.

winpostexrc10

The most interesting of all these is the lester script. The lester script suggests local exploits for the target system. This script automatically searches and lists exploits for the targeted system. Now you may question why do we need exploits for the system we already hacked. Well maybe to escalate privileges or find an exploit which gives us more power on the system.

winpostexrc11

That’s all for today folks. I will be back soon.

Hello everybody. Today we will see about Zabbix toggleids sql injection exploit. First things first, what’s Zabbix. It is an enterprise open source monitoring software for networks and applications designed to monitor and track the status of various network services, servers, and other network hardware.

Zabbix uses MySQL, PostgreSQL, SQLite, Oracle or IBM DB2 to store data. Its backend is written in C and the web frontend is written in PHP. It has a web based interface and can be installed in both Linux and Windows. It boasts of over 13,000 downloads per week.

Zabbix version 3.0.3 suffers from SQL injection which can be exploited to steal the credentials. Let’s see how this exploit works. Start Metasploit and load the module as shown below.

zabbix_toggleids1

As you can see, we need to set only one option “RHOST” which is the IP address of the target running Zabbix. Once you set the target, check whether its vulnerable or not using the “check” command.

zabbix_toggleids2

Once we know target is vulnerable, executing the exploit using command “run” downloads the current usernames and password hashes from database to a JSON file. We can crack these password hashes and login into the Zabbix instance. See how to crack hashes with Kali Linux.

How to stay safe?

There are patches available. Please update.

Hello aspiring hackers, till now we have only seen hacking windows operating systems with customized payload generators. Today we will see hacking Linux OS with Arcanus framework.

Although not as great as Windows, people using Linux OS are growing day by day. In my opinion, Linux os is a bit easy to hack with payload generators as there is a general myth that Linux is immune to malware. Some of my friends use Linux as dual boot to keep themselves safe from virus. Here are some more myths people have about Linux security.

Ok, now let us see how to hack Linux OS with Arcanus Framework. Start Arcanus Framework and select the option 3 since we are generating a Linux payload. If you are new to Arcanus Framework, go here.

arcalin1

Hit Enter. Enter your IP address (Kali Linux in this case) and the listening port as shown below.

arcalin2

Hit Enter. It will generate the payload in the same directory start to automatically listen for a reverse shell as shown below.

arcalin3

Send the generated payload to our victim. When he runs it, we should get a shell on his system as shown below.

arcalin4

 

Hello friends.. I took a long break from the blog (actually I was channeling my energy on my monthly magazine Hackercool). But I am here now back with a bang or should I say hack. Ok, Most of the times we only get a command shell on our target while hacking, although we wish we got a meterpreter session (like the case here). Today we will see how to upgrade the command shell to meterpreter.

First thing we need is to background the current command shell session. Hit on CTRL+C. Don’t abort the session altogether. If it happened by mistake ( like it happened to me below), select “no” when it asks whether to abort a session. Then hit CTRL+Z and select Yes. Your session has been sent to background. Remember the session number.

shell_to_meterpreter1

Load the command shell to meterpreter upgrade module. We need only one option, the session id we sent to background.

shell_to_meterpreter2

Specify the session id and run the exploit as shown below. We will get the meterpreter session.

shell_to_meterpreter3

Type command “sessions -l” to see all our sessions as shown below.

shell_to_meterpreter4

We can load the meterpreter session as shown below.

shell_to_meterpreter5

If you found that helpful. Please check out my monthly magazine Hackercool (in the side widget) which is free but you can also PAY WHAT YOU WANT.

Good eveninggggggg friends. I am very happy and the cause for my happiness is the Hackercool pdf monthly magazine I recently started. The test edition was received positively. But some of the security conscious readers have raised concerns whether this pdf magazine may be booby trapped to hack my readers. So I thought it would be good to make a howto on pdf forensics. By the end of this article, you will be able to tell whether the pdf you received is genuine or malicious.

For this howto, I will create a malicious PDF with Metasploit using the following exploit.

pdfforensics1

As is well known, this exploit hides an exe within a PDF file. This PDF file can be sent to our target using any social engineering technique. When the target user clicks on it, we will get reverse_tcp connection. Another file we will be analyzing is the PDF copy of my Hackercool monthly magazine. Both of the files are shown below.

pdfforensics1a

The first tool will be using is pdfid. Pdfid will scan a file to look for certain PDF keywords, allowing you to identify PDF documents that contain (for example) JavaScript or execute an action when opened. It will also handle name obfuscation.

Let us first analyze the pdf we created with Metasploit as shown below. As we can see below, the evil.pdf has JavaScript, Openaction and launch objects which are indeed malicious.

pdfforensics2

Now let us analyze my monthly magazine as shown below.

pdfforensics3

As you have seen above, it’s totally clean. No JavaScript, nothing. That should calm my magazine readers.

Now coming to the malicious PDF, we can disable the malicious elements of the file using pdfid as shown below. Now the file is clean.

pdfforensics3a

Now if we want to do further analysis on the malicious PDF, we can use another tool called pdf-parser. It will parse a PDF document to identify the fundamental elements used in the analyzed file.

Type command “pdf-parser /root/Desktop/evil.pdf” without quotes.

That will parse the entire PDF and its objects (We saw earlier that our malicious pdf contains 12 objects). On observation, objects 10 and 9 evoke some interest. We can also parse each object of the pdf file.  Let us parse the object 10 as shown below.

We can see it has a launch action which launches the cmd.exe.

pdfforensics4

Similarly in object 9 we can see a JavaScript action.

pdfforensics5

Using pdf-parser with the ‘c’ option will display the content for objects without streams or  with streams without filters.

pdfforensics6

On observation we can see a stream that looks like shellcode present in object 8.

pdfforensics7

That’s all for today my friends. Please have a look at my monthly magazine.

 

 

WARNING : This knowledge is only for ethical purposes. Misuse this info at your own risk.

Good morning ethical hackers. Polycom HDX devices are popular worldwide for video conferencing. They are fit for meeting rooms and conference halls of various sizes as they support 1 to 3 displays. The login component of the Polycom Command Shell on Polycom HDX video endpoints, running software versions 3.0.5 and earlier, is vulnerable to an authorization bypass when simultaneous connections are made to the service, allowing remote network attackers to gain access to a sandboxed telnet prompt without authentication.

So when all the conventional methods to get access to a network, this can work as an entry point of course if they are using this product. Let us see how this can be used in our pen test. Start Metasploit and load the exploit as shown below.

psh_auth_bypass1

Set the target and check if it’s vulnerable as shown below using “check” command.

psh_auth_bypass2a

 

You can use the default payload or choose the required payload. I am using the below payload. After setting payload, type command “run” to run the exploit.  The exploit works as shown below.

psh_auth_bypass3

 

Good afternoon friends. Recently we have seen about windows hacking with Arcanus framework. Today we will learn about another payload generator that helps us in bypassing antivirus ( till date) during pentest of Windows machines. That is Hercules framework.

Let’s start by cloning Hercules framework from github as shown below.

2hercules1

After cloning, a new directory with name HERCULES will be created. Move into that directory and do a “ls”. We should see a file named “Setup”. First change the permissions of this file using chmod as shown below. Once we get execute permissions on the Setup file, execute the file using command “./Setup“.

2hercules2

The setup automatically installs Hercules as shown below and

2hercules3

successfully ends as shown below. You have successfully installed Hercules framework in Kali Linux.

2hercules4

Type command “HERCULES” to start the framework. It’s interface looks like below. In this part, let’s generate a payload. Enter option “1”.

2hercules6

Select what type of payload you want to create. There are four payloads as shown below. I am choosing the first one. You can choose appropriately.

2hercules7

After we select the type of payload we want to create, we need to enter some options. Let us see the options it provides. LHOST and LPORT are self explanatory.  Choosing Persistence function adds our running binary to Windows startup registry so that we can have persistent access to the target.  Since we have already know how to create a persistent backdoor we will not enable it here.

Migration function triggers a loop that tries to migrate to a remote process. UPX ( Ultimate Packer for executables ) is an open source executable packer. To those newbies who have no idea what packers are, they are used to compress the executables. Software vendors also use them to obfuscate the code. We will see more about packers in our future howtos.

Concerning this howto, remember that enabling migration, persistence and UPX functions may increase the chances of your payload being detected by Antivirus.

2hercules8

Here I have only enabled the UPX function so the packing process begins as shown below.

2hercules9

Once the packing process is over, your final binary file is stored with the name you have given to it. I named it as “res”.

2hercules10

Next start the listener on Metasploit as shown below and send the  binary file to our target. Once he clicks on our executable file, we will get the meterpreter session as shown below.

2hercules11

In our part2 of this howto, we will see how to bind our payload to other executables.