Archives

All posts for the month April, 2017

During a pen test, it  sometimes becomes necessary to change Windows password. Although we have a hashdump feature to dump the password hashes of all users in a remote Windows system, this exploit directly changes the password of the user we want in the registry. Thus it saves the trouble of cracking the password hashes altogether.

This works on a local user account. This can be pretty useful if we need credentials but can’t crack the hashes. Mind that you need to have system privileges on the remote system to use this exploit (See how to escalate privileges). Let’s see how this exploit works.

First acquire system privileges on the system. Background the session (note the meterpreter session id) and load the hashcarver exploit as shown below.

 Type command  “show options” to see the options required. Session is the meterpreter session id, user is the user in the remote system whose password you want to change and “pass” is the password you want to set for the user.

My session id is 2, Kanishka is the username for which I want to change the pasword and I want the new password to be “hacked”.

When all the options are set, execute the exploit using command “run.  The exploit runs as shown and successfully changes the password. Happy hacking.

Here I bring you a fictional account of a Real Time Hacking Scenario originally published in Hackercool Magazine Feb 2017 Issue. This knowledge is strictly for education purposes and should be used only in pen testing.

Hi,everyone. I’m hackercool, allegedly a black hat hacker for some people but I still consider myself a script kiddie. The month of February was jampacked with parties for me. Most important of them was a get together with my scho- ol friends (none of my friends know about my hacker identity). With the ubiquitous smart phones nowadays, many photographs were taken. It was a very good opportunity to test my new digital camera.

I took numerous photographs of my friends in various poses but I didn’t pose for even a single photograph. None of my friends even took note of my absence but it’s a wonderful feeling to get lost in the crowd. You don’t know it. When I began to forget about the party, some of my friends requested me for the photos I took with my digital camera. They asked me to whatsapp them but I informed them I would send them my USB.

By now, my hacker instinct became active. I decided to hack my friends (or atleast try to hack them). I wanted to test how many would fall for it. Stage set. Plan in motion. Most of my friends (or for that matter many computer users in India) prefer Windows as their operating system. So I started my attack assuming my friends are using a Windows OS.

The channel of my attack was sending a USB drive to them which would have not only the party photos but also a specific  malware to hack them. There was one problem though. Even normal computer users would have both Windows Firewall ON and antivirus installed (I’m assuming all my targets are latest Windows 10). So I can’t use any renown malware or RATS since their signatures would be easily detected by many Antivirus.

So I decided to create a customised payload that would bypass most antivirus. Many people just assume antivirus cannot be bypassed but as you will see now, it’s a reality only hackers know about. For this attack, I decided to use Hercules customized payload generator.(More about this payload generator was discussed in Dec 2016 issue of Hackercool magazine and also on this blog). I have used this program a couple of times before and I am loving it.

It almost bypasses all antivirus, ofcourse until now. There’s a reason why I say that. Remember that the battle between malware and anti-malware is like that of between Newt and Garter snake, they continuously evolve. Hercules can be installed in Kali Linux which is my attacker system. (As already told, its installation is given in Dec 2016 issue of Hackercool magazine).

Open Hercules as shown below. It has three options : generate payload, bind payload and update. The first option will just generate a payload we want while the second option will bind the payload with another program’s executabl -e. The second option would have been excellent to me but Hercules seems to be under revamp and this op-tion is not added yet now. So I had no other option but to generate just a payload now. So I chose option 1.

Next, I need to select the type of payload. I had four payloads to select ; meterpreter reverse tcp, meterpreter reverse http, meterpreter reverse https and a Hercules reverse shell. I was not in the mood to try something new. Since I am well accustomed with the meterpreter reverse tcp payload, I decided to choose that option.

Next, I entered some options required for the hack to work.

LHOST= IP of my attacker machine

LPORT= the local port on which the reverse connection is to be sent.

persistence, migration and UPX functions are explained in the NOT JUST ANOTHER TOOL in the Dec 2016 issue of Hackercool magazine. I have not enabled all these options as it would attract the attention of anti-malware.

I named the payload “sunny_leone_unseen”. I hope you already know why but if you don’t know, you will know soon. The payload is saved at the location shown below.

Generating the payload is the easiest part of the hack. Now begins the difficult part. Convincing our victims to click on our payload. I just can’t ask them to click on the payload although that has worked for me sometimes. First I checked the payload if it was indeed undetectable by antivirus. Success there.

After thinking for sometime, I decided to do it in two ways. First one, by binding. Binding is a process of combining two exe files or other files into one. It is the age old way of sending the virus to victims. I chose love calculator as the other program to bind my payload to. Since most of my victims were on the younger side I expect that this will have more probability of being clicked on. The Love calculator is shown below.

Come on, the love between us is only 58.5%.

We have many binders available. A quick Google search should give you enough options. But I used Rakabulle binder for my job. Just add the files to compile as shown below and click on “Build Raka”. That will bind the two programs into one.

But there is a problem with binding. As I already told you, binding has been there for a long time. So even if we bind two genuine programs together, antivirus may flag it off as malware. I wanted to play smart. I also used the second method as backup.

Second method is a bit popular on the internet. It’s changing the icon of the exe file we generated. First, I created a shortcut for my file and changed the icon of the shortcut as shown below. Then I hid the payloa d. Now let me tell you about the name of my payload. My intention is to maximise the chances of my victim’s clicking on my payload. So I gave that name (Just Google sunny leone for more info).

All done. Now before I passed mu USB drive to my friends, I started a listener on Metasploit as shown below.

I have set the required options and typed command “run” to start the listener as shown below.

After starting the listener, I passed on the USB drive to my first victim. I was not expecting very quick results as all of them were employees. To quicken my chances, I gave it to my first victim on Friday evening. I thought the weekend would give them enough time to become my victim. My system was continuously on. It was a horrendous wait but it finally happened.  One victim fell for the trap. I got one meterpreter session. I quickly checked the OS info. It was a Windows 7. I was encouraged.

I was expecting atleast three connection on the same day. So I quickly backgrounded the session and started the handler again to rece- ive more connections. Very soon I got the second meterpreter session.

I sent even that session to background and waited, but there was no third connection. I waited for some more time and went out to do some errand. Even after returning, I had only two connections. So I thik I would have to be  content with them.