Metasploit Sniffing victim’s network

Aloha,

Lets see how we can use the Metasploit framework to sniff the victim’s network and what we can get from that.

Our Lab:
A  MacBook with Vmware Fusion on it.
Target: A Virtual Guest with Windows XP SP3 with two Ip addresses  172.16.225.10 , 192.168.0.10
Attacker: A Virtual Guest with Backtrack 5R1 with the Ip address 172.16.225.251

Continue reading

PoURaN PE-Encryptor: A XOR based encryptor injecting code to EXE/DLL files..Full C/ASM source available.

 

– =[ The tool presented in this post, is the automatic process of what presented manually here : 133tsec previous post ]= –

What did I use:
PEditor – to check fast the pe header values..
Ollydbg – ofc.. the most usefull one..
M$ VC Compiler – to compile :p
HxD – HexEditor
Notepad++ – The best source/text editor 🙂

References:
Structures in PE: IMAGE_NT_HEADERS,IMAGE_FILE_HEADER,

IMAGE_OPTIONAL_HEADER,IMAGE_DATA_DIRECTORY
..And ofcourse IcZelion’s tuts are very helpful for such topics..

Source: PoURaN PE-Cryptor v1.00 cpp

Hello 🙂
As title says, am going to present you a PE Encryptor that i coded in C++ and inline asm.. Actually, I used .cpp source file and not c, for only onw reason.. to use some SEH easy.. 🙂  I used M$ Visual studio’s command line compiler, and it is a console application. I started coding it, and I was sure that in 3-4 days it should be ready 😛 but I was absolutely wrong.. The most time took me to optimize some functionalities, and to test it in many executables etc.. Many probs occured, and needed lot of debugging and changes. So after about 10-12 days, I have a good working tool 😀

  1. At the moment (in this version) it is a simple pe encryptor doing the following: Takes as input a PE file (.exe or .dll)
  2. Takes as second input a “source” file, a file with raw data, that are going to XOR encrypt the sections, and later decrypt them.. These data will be injected in the PE as is, and will be used in runtime for decryption of the sections.
  3. Asks for the output filename.. The resulted .exe/.dll with injected code and encrypted sections..

The above files must have a max of 100 chars in filenames… (no you’ll not overflow the buffer if you input > 100chars :p )

After taking some input from the user, it checks for a valid header (depends on some standard chars and if there is an exception searching the header.. look at the source). Opens and maps the files into memory. Some functions receive as argument the handle of the files, and some functions receives the pointer to the mapped file on memory.. Most of them returns a pointer to the memory where the pe file is changed.

Am starting by addind a new section in the PE file, named “.PoURaN” and giving it the correct section values so the file is correctly aligned.. The file with the new section is a copy of the original PE file with only a section added, and 4096bytes more in space, and stored in disk with a filename same with the original PE, added by “.new”.. for example if the pe file is “test.exe” the added section file will be “test.exe.new”

The next move is to take that “added section” new file, map it in memory, make again some pe verification, and then read the sections one by one, and through a function named “IsSectionEncryptable” i confirm which of the sections are gonna be encrypted. After looping all sections, i XOR encrypt the “IsSectionEncryptable” sections with the source/key file given (as second input).. Then reading the PE Header i make the proper changes to the injected assembly code, (hardcoded addresses, OEP etc..) and injecting them in the last section.. After the injected code, I add the source/key file as is.. I change the header to make the PE file valid after the changes (you can see the sources) and there it is..!

Where the encryptor doesn’t work:

  1. Files with already 8 sections: Yes doesnt work on those.. Cos normal PE has max 8 sections..
  2. Files with messed sections.. If there are random bytes between the last section header,  and the rawdata of the 1st section, this check will fail, and exit(0);
  3. At the moment, the encryptor has as “IsSectionEncryptable” criteria, the section’s characteristics.. It looks for the two executable flags (20h and 20000000h ..look the sources or video).. If there is no such section (like aspack, makes all sections C0000040h) it will not work either!! 😀
  4. Some fucked up PE Header may cause exceptions or failure of the encryptor.. 😀 let me know for that plz.. 🙂
  5.  …. maybe some more that I miss atm.. plz let me know too …

 

Ofcourse the source code is not at it’s best shape.. I know i made some n00bish fast implementation but I hope to improve it soon.. Optimizations that I already have in mind, will be posted ofcourse, and new versions… and added functionalities.. So keep in touch 🙂

Any recommendations and/or discussions, ofcourse, are welcome!

Below I show the compile, and use of the encryptor, with some executables and a dll example.. Enjoy!

Compile & use on 2 executables.. one executable i just create, and another one 3rd party executable..

 

Here am using the cryptor on a virus, facing some difficulties, and showing how i bypass them.. After that, i compare the virustotal results as expected.. 🙂

Attacking SQL Database Server using Metasploit

Aloha,

Lets see how we can use the Metasploit framework to pawn an MS SQL Server

Our Lab:
A  MacBook with Vmware Fusion on it
Target: A Vrtual Guest with Windows 2003 Server with the Ip address  172.16.226.131
Attacker: A Virtual Guest with Backtrack 5R1 with the Ip address 172.16.226.128

So Lets go….

 

Commands:

  • nmap -O target

The SQL Database TCP port 1433.

  • mssql_ping

Setting the RHOSTS option we can get information about the database including version information, server name etc

  • mssql_login

Setting the options RHOSTS, PASS_FILE, VERBOSE  we can brute-force attack the target for valid credentials. If the server is misconfigured or the passwords are weak we can find accounts that we can use in the next command. Here I am attacking to the “sa” account. The “sa” account is the DBO (db_owner) for all databases created on the server. The account has administrative privileges on the database.

[+] 172.16.226.131:1433 – MSSQL – successful login ‘sa’ : ‘password’

  • mssql_payload

Setting the options RHOSTS,PASSWORD which are set from the previous command  we can try to exploit the Server. The exploit uses the “xp_cmdshell” stored procedure to execute commands on the Server.

[*] Meterpreter session 1 opened

  • getsystem

I am working on a new post about metepreter so stay tuned…. 

 

 

Manual code injection for runtime executable decryption : An Antivirus bypass example

In this post I show a way to inject data in an executable, and some code, to encrypt with xor the whole code segment.. As an example, I’ll use a virus executable, encrypt it in this way and upload it in VirusTotal and check it 🙂
Tools I used:

1. Hex Editor (I Recommend HxD http://mh-nexus.de/en/downloads.php?product=HxD)
2. PEditor by yoda&M.o.D. ( PEditor )
3. Ollydbg ( http://www.ollydbg.de/download.htm )

 

I will follow the below steps:
1. Find a dummy image to use it’s raw data… (1)
2. Find an executable with virus
3. Check the results in VirusTotal..
4. Modify the PE Header of infected executable, to add a new segment
5. Select some data from the image file (1) and add them in the new segment
6. Encrypt permanently the original segments
7. Inject some code to make the XOR decryption using olly to check step by step the execution flow
8. Confirming that exe is working fine, and upload to VirusTotal to check for the new results 😀

 

1. Find a dummy image to use it’s raw data

    Well, this is easy.. Let’s use google to search an image… What i searched is “virus” 🙂 Now we have to select an image with complexity.. It has to be a bit complex, cos if you think the jpeg contents, they have to be as much complex as they can, in order not to be a repeatable pattern.. So i select this image for the example http://www.healthinitiative.org/IMAGES/virus_big.jpg ..it has some complexity but not so much.. anyway i like this image 😀 ..Also think that u can use a fractal image.. it gonna give you a cool complexity! 😉

 

 2. Find an executable with virus

    These days i receive a spam from a brazilian friend (who is infected with the virus) with a trojan executable.. A quick analysis of this will be presented in a future post, cos atm is still active, and victim’s personnal info (user;pass) are available publicly…. The executable is packed with ASPack.

3. Check the results in VirusTotal

    Uploading that executable to VirusTotal I take the following results

VirusTotal Scan before encryption

VirusTotal Scan before encryption


Continue reading

A reversing / analysis approach of FlexCrypt : Exploitation-one failed

- The following stuff is done in an environment of Win XP SP3 VM w/ .NET v2.0 .. Also tested in Win7x64 and Win7x86 -
- Tools used : Just ollydbg
- App can be found in :http://www.flexcrypt.com/flexcryptfree.html . 

Everything started when I firstly saw the security magazine “Hakin9” (http://hakin9.org/) presenting FlexCrypt .. I downloaded flexcrypt, and started to testing functionality etc… But I have a bad habit… after some minutes, instead of looking the functionality, i fired up Ollydbg and started exploring its code… I focused on every interface that was accepting user’s input. I wanted to check some BoF vulnerabilities. My attention was caught by the Registration Dialogbox. Fuzzing the input by hand (exception appears in string length > 452) I noticed that the application throws an exception…! That needs examination..

First of all, we assume that the operation is simple : U press Validate -> some function (1) reads your input storing it to a buffer -> string manipulations and memory allocations happen -> some function (2) validates your input -> message for good or bad news 🙂

So, hands on.. attaching Olly on the process, cause the application to overflow entering a long input. Olly shows up, and we land in KERNEL32 :

Kernel RtlRaiseException

Continue reading

Pentesting ToolKits and Targets

Aloha,

Here we go.

We need knowledge, we need tools and targets we need  a lab  environment.

It is illegal to try penetration procedures in live environments without the written permissions of the owner so a test environment is a must have.  In a another post I will  analyze how we can create a lab environment, for now lets see  a list in no particular order of toolkits and targets. Luckily enough there are plenty out there.!

This list will always be updated .

Penetration Toolkits
These  are live CDs or DVDs. I am not going to analyze any of this right now. I am using the Backtrack linux distribution probably because is the first one I started with or…….

Targets
These are live CDs, projects or vmdk files. You can use them  for pen-testing skill development and testing.