
n-quire

Active Members

Posts: 17

  1. Thanks i8igmac. It's not quite the point-and-click solution I had hoped for. But it's probably a better way for me to learn. I'll give it a crack.
  2. I could do that, but it's not exactly subtle. Most users would know something's wrong when the PDF doesn't open. I'm trying to learn about manipulating PDFs, so I'd prefer to get a proper PDF 'trojan' working. The 'adobe_pdf_embedded_exe' works well except that the AV knows its signature. If I knew where to look I should be able to change the signature enough to dodge the watchdogs.
  3. Does anyone know a good way to change the signature of the metasploit "adobe_pdf_embedded_exe_nojs" exploit to get it past antivirus? I'm trying to copy the exploited PDF onto my test PC but the AV blocks it (BLOODHOUND.PDF.24). I can successfully avoid the AV with a venom-tweaked reverse_tcp EXE, but can't figure out how to do the same with a PDF. (I can't even find the code for the exploit - I would expect it in the exploits\CVE2010-1240 folder.) I'm using my tweaked reverse_tcp as the exe in the pdf. The exe gets past the AV without any problems, so the problem must be with the adobe_pdf_embedded... exploit. Has anyone managed to do this? Any advice or better ideas? I'm not fussed about the actual exploitation of the PC at this stage. I'm trying to learn how to dodge the antivirus.
  4. Don't worry. I never leave my creds as the default. I've changed them to admin/password.
  5. Thanks for the feedback. You guys are helpful as always. It turns out wpscan didn't pick up my vulnerable plugin because it couldn't detect the version (I should have read the screen properly). Manually running the exploit worked fine.
  6. So, if the username and password are to access the daemon, does that mean I should be using my root login?
  7. I'm playing around with msfrpcd. I've seen a few references to it on various sites. I'd like to do a similar thing to this https://vimeo.com/29660886, where wpscan automatically runs an appropriate exploit. Here's what he does in the video. In one terminal run: msfrpc -S -U wpscan -P wpscan -f -t web -u RPC2. In another terminal run: wpscan --url http://www.my_test_site.com --enumerate p. I have 2 questions: 1. What is the username and password used for in msfrpcd? I seem to be able to enter any text in there. Is it so that I can connect to the session from somewhere else? Does wpscan somehow need to use the same username? 2. Has anyone got the example from the video to work? msfrpcd seems to be working; wpscan scans my site and enumerates all the plugins, but I don't get an Exploit option at the end of the process. The video is fairly old so maybe the functions have been deprecated since then.
  8. Thanks Cooper. My brief search only returned Russian sites (my Russian is good enough to get any info). The GitHub one looks useful.
  9. I'm trying to learn about the wmap scanner inside metasploit on my Kali box. I've set my wmap_sites and wm_targets, but when I go "wmap_run -t" I get an error: Error while running command wmap_run: uninitialized constant Msf::Modules::Mod61757.......[a whole lot of numbers]....::Metasploit3::BruteforceTask There's a bunch of other call stack stuff too. Has anyone else encountered this type of error with wmap? Do I need to do some extra setup to get it to work? Or is wmap only functional in the Pro version of Metasploit?
  10. The site looks interesting, but doesn't give any details. It shows who's hitting what ports. It could just be a ping, not a genuine attack. Even then I don't know if I can trust the data.
  11. Thanks guys. I'm back in now. :)
  12. Is the http://map.ipviking.com/ site genuine? I've heard conflicting opinions on this. Some say that Norse have set up honeypots and report what hits them. Someone else said it's actually fake randomised data. I've also heard that the site itself acts as a lure to hackers. Does anyone know whether the data is 100% accurate?
  13. Yes. I'm an idiot. I changed my root password on my Kali box... and then forgot it. I can't believe I was that dumb. Maybe it's a good opportunity for me to try to crack or brute force the password. But before I do that - is there a "factory reset" feature? Or would that require a clean reinstall?
  14. Here's a few screenshots. First, a sample of the packets. All I filtered on was the ether host and ether dst, so it should be all the traffic for that machine. The Action is always the same: Block Ack Policy. And finally, the Key Message always has the same WPA Key Data; the WPA Key Nonce and WPA Key MIC change. (I assume the WPA Key info can be used for something, but I am not advanced enough to get anywhere without an Ack handshake.)
  15. Thanks digip. So it's general noise rather than "real" activity. That makes sense. If it was a hacker I don't know why they persist in trying something that obviously doesn't work.
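The WPA capture described in post 14 (Key Message frames whose WPA Key Nonce and WPA Key MIC change while the WPA Key Data stays the same) is easier to judge once each EAPOL-Key frame is labelled as message 1, 2, 3 or 4 of the 4-way handshake. The following is an added example, not code from the original thread or from any of the tools mentioned in it. It parses the EAPOL-Key body using the IEEE 802.11 key descriptor layout, classifies each frame from its Key Information flags (the same heuristic most crackers use), and reports whether the capture holds a crackable pair: the MIC-bearing M2 plus the ANonce from an M1 with the same replay counter or an M3 with the next one. The frames at the bottom are constructed for the demonstration, not captured from the poster's network.

```python
"""Classify EAPOL-Key frames from a WPA/WPA2 4-way handshake (added example)."""
import struct
from dataclasses import dataclass
from typing import Optional

EAPOL_TYPE_KEY = 3           # 802.1X packet type for EAPOL-Key
DESC_RSN, DESC_WPA = 2, 254  # Key Descriptor Type: WPA2/RSN vs legacy WPA
FIXED_BODY_LEN = 95          # descriptor byte through Key Data Length, inclusive

# Key Information flag bits (IEEE 802.11 EAPOL-Key frame)
KI_INSTALL, KI_ACK, KI_MIC, KI_SECURE = 1 << 6, 1 << 7, 1 << 8, 1 << 9


@dataclass
class EapolKey:
    descriptor: int
    key_info: int
    replay_counter: int
    nonce: bytes     # "WPA Key Nonce" in Wireshark
    mic: bytes       # "WPA Key MIC"
    key_data: bytes  # "WPA Key Data" (RSN IE in M2, wrapped GTK in M3)

    @property
    def msg(self) -> Optional[int]:
        """Handshake message number 1-4, or None if the flags fit none."""
        ack, mic = bool(self.key_info & KI_ACK), bool(self.key_info & KI_MIC)
        install, secure = bool(self.key_info & KI_INSTALL), bool(self.key_info & KI_SECURE)
        if ack and not mic:
            return 1                  # AP -> STA: ANonce, MIC field all zero
        if ack and mic and install:
            return 3                  # AP -> STA: ANonce again, GTK in Key Data
        if not ack and mic:
            # WPA2 M4 sets Secure; legacy WPA M4 does not, so also treat an
            # empty Key Data field with an all-zero nonce as M4.
            if secure or (not self.key_data and not any(self.nonce)):
                return 4
            return 2                  # STA -> AP: SNonce + MIC + RSN IE
        return None


def parse_eapol_key(frame: bytes) -> EapolKey:
    """Parse an EAPOL frame starting at the 802.1X header (after LLC/SNAP)."""
    if len(frame) < 4:
        raise ValueError("truncated EAPOL header")
    _version, ptype, body_len = struct.unpack(">BBH", frame[:4])
    if ptype != EAPOL_TYPE_KEY:
        raise ValueError(f"not an EAPOL-Key frame (type {ptype})")
    body = frame[4:4 + body_len]
    if len(body) < FIXED_BODY_LEN:
        raise ValueError("truncated EAPOL-Key body")
    desc = body[0]
    if desc not in (DESC_RSN, DESC_WPA):
        raise ValueError(f"unknown key descriptor type {desc}")
    key_info, _key_len, replay = struct.unpack(">HHQ", body[1:13])
    nonce = body[13:45]
    # body[45:61] = Key IV, body[61:69] = Key RSC, body[69:77] = reserved
    mic = body[77:93]
    (kd_len,) = struct.unpack(">H", body[93:95])
    key_data = body[95:95 + kd_len]
    if len(key_data) != kd_len:
        raise ValueError("Key Data Length runs past the end of the frame")
    return EapolKey(desc, key_info, replay, nonce, mic, key_data)


def handshake_status(frames):
    """(True, pair) if the capture is crackable, else (False, messages seen)."""
    seen = {}
    for k in (parse_eapol_key(f) for f in frames):
        if k.msg:
            seen.setdefault(k.msg, []).append(k)
    for m2 in seen.get(2, []):
        if any(m1.replay_counter == m2.replay_counter for m1 in seen.get(1, [])):
            return True, "M1+M2"
        if any(m3.replay_counter == m2.replay_counter + 1 for m3 in seen.get(3, [])):
            return True, "M2+M3"
    return False, sorted(seen)


def build_eapol_key(key_info, replay, nonce, mic=b"\0" * 16, key_data=b"", desc=DESC_RSN):
    """Build a constructed EAPOL-Key frame for testing (hypothetical helper)."""
    body = (struct.pack(">BHHQ", desc, key_info, 16, replay) + nonce + b"\0" * 32
            + mic + struct.pack(">H", len(key_data)) + key_data)
    return struct.pack(">BBH", 2, EAPOL_TYPE_KEY, len(body)) + body


# Constructed sample handshake (Key Information values as seen in real captures).
ANONCE, SNONCE = bytes(range(32)), bytes(range(32, 64))
RSN_IE = bytes.fromhex("30140100000fac040100000fac040100000fac020000")  # CCMP/PSK
M1_FRAME = build_eapol_key(0x008A, 1, ANONCE)
M2_FRAME = build_eapol_key(0x010A, 1, SNONCE, mic=b"\x11" * 16, key_data=RSN_IE)
M3_FRAME = build_eapol_key(0x13CA, 2, ANONCE, mic=b"\x22" * 16, key_data=RSN_IE)
M4_FRAME = build_eapol_key(0x030A, 2, bytes(32), mic=b"\x33" * 16)
WPA_M4_FRAME = build_eapol_key(0x0109, 2, bytes(32), mic=b"\x44" * 16, desc=DESC_WPA)

if __name__ == "__main__":
    for name, frame in (("M1", M1_FRAME), ("M2", M2_FRAME), ("M3", M3_FRAME), ("M4", M4_FRAME)):
        k = parse_eapol_key(frame)
        print(f"{name}: msg={k.msg} replay={k.replay_counter} nonce={k.nonce[:4].hex()}...")
    print(handshake_status([M1_FRAME, M2_FRAME]), handshake_status([M1_FRAME, M3_FRAME, M4_FRAME]))
```

Run over a real capture, feed the function the EAPOL payloads (for example from a pcap library) rather than the constructed frames; a capture with repeated M1 frames but no M2 is the AP retransmitting the first message to a client that never answers, which is not enough to crack. The nonce and MIC changing between frames while the key data stays fixed is what you would expect across separate handshake attempts, since both nonces are fresh each time.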