Archives

All posts for the month September, 2017

Hello aspiring hackers. Today we will learn about Windows applications enumeration exploit. This is a POST exploit in Metasploit which means this exploit is only available when we get a meterpreter session on the target system. Once a Windows system is hacked, privilege escalation is the next step. One of the ways to escalate privileges in a Windows system would be to find vulnerabilities in the programs installed in our target Windows system. We can do this manually but Metasploit has a post module to do exactly this. Let us see how to use it.

Send the current meterpreter session to background and load the enum_applications module as shown below. Just like any other POST module, it needs only one option, the session id of the meterpreter session we just sent to background.

Set the session Id and execute the module as shown below.

As you can see, the module successfully gave us the programs installed on our victim’s system. Now we can search for any vulnerabilities in those programs which we could be used in privilege escalation

Hello aspiring hackers. Today we are going to learn about a remote code execution exploit in Microsoft Windows. Its called Microsoft Windows Lnk CVE_2017_8464_lnk_rce exploit. Earlier also we have seen some LNK vulnerabilities in Microsoft Windows but this one is special. You know why? A victim need not even click on the file we are creating as part of this exploit. We can host this file on a web server and direct our victim to that site. Otherwise we can save the file to a USB drive and insert it in our target’s system. Both require a bit of social engineering.

This exploit works due to a vulnerability in Microsoft Windows that could allow remote code execution if the icon of a specially crafted shortcut is displayed. An attacker who successfully exploits this vulnerability could gain the same user rights as the local user. Let us see how this exploit works.

Load the exploit as shown below and check the options it requires. using “show options” command.

Type command “info” to see more information about the module.

Set the windows/meterpreter/reverse_tcp payload and configure its options as shown below.

Set the LHOST address and run the exploit. It will create a file in the folder as shown below.

Now send the file to our victim using any one of the methods discussed above. We will get a meterpreter session as shown below.

If the exploit got interrupted as shown below, type command “sessions -l” to see the available meterpreter sessions as shown below.

 

Easy Chat Server is a Windows based software useful to set up a simple chat server. It is considered the simplest solution to set up a community chat room for a group or company. It is considered the simplest because it doesn’t require any other installation like Java. The latest version of Easy Chat server suffers from a buffer overflow vulnerability. This vulnerability is triggered during user registration to the easy chat server. Let’s see how we can exploit this vulnerability. During a pen test, while scanning the network, I happen to find a live system with open ports. Most important of this is that port 80 is open. Port 80 signifies a web server is running.

I decide to take a closer look at the system by running a verbose scan as shown below.

On port 80, a program called Easy Chat Server is running. I check Metasploit to find any exploits related to it. I found one related to versions 2.0 to 3.1 of Easy Chat Server. I am not sure of the version my target system is running. I load the exploit and check its options.

I set the target IP and use the “check” command to see if this exploit will work but unfortunately this exploit doesn’t support check command. I decide to take my chances and execute the exploit using the “run” command.

Voila, I got the meterpreter session on our target.

 

Vulnerability Assessment is the process of evaluating the weakness of a system or network. It identifies the vulnerabilities in a system or network and helps black hats to devise exploits to get access to a target system or network. For example, imagine I am a black hat who performed a Nmap scan on the target (in this case, Metasploitable). The target has displayed so many banners of the services running.

So the first thing I do is perform a Google search for any exploit or vulnerability for the service displayed. Luckily in the example below, we get an exploit for the aforementioned version o -f ftp server and that happens to be a Metasploit exploit. The only thing hacker has to do is download the exploit and run it.

Here’s another example for another service. Here we have vulnerabilities listed. So we have to write an exploit for that vulnerability.

Displayed banners are like a godsend to hackers who are trying to breach the system or net -work. Searching for vulnerabilities or exploits for that particular service is the only thing hackers have to do. If the hackers are lucky, they might get an exploit or in the worst case a vulnerability. But what do black hats do if they don’t get any vulnerability or exploit for the service running on the target. Will they give up?. Well most probably no. If the service is running a open source version, they will download it and test it for vulnerabilities on their own system. Well if the service is running a commercial version, they will try to grab a pirated version of the software to test it. Once they are successful in finding a vulnerability, they will write an exploit for it. Python, Ruby, C and C++ are some of the common programming languages used to write an exploit.