Wednesday, 29 February 2012

Exploiting a web browser using BeEF and Metasploit

1. Open BeEF from BackTrack; in the browser, the BeEF interface should look like this:

    after logging in with user and password (both: beef), the interface will look like this.
The BeEF control panel detects the target's IP once, in the browser on the Windows target, we open the BeEF web address (use the host IP).

2. Open msfconsole.
   I start by using the Aurora Metasploit module and then set my payload, like below:

   Now the payload is ready. From the picture above we see the URL http://0.0.0.0:80/; we should change it to our local IP (192.168.56.1), so it becomes http://192.168.56.1:80/. Then we go to the BeEF control panel, enter it as the site redirect, and "execute".

3. So now, if we open Internet Explorer on the Windows target and browse to http://192.168.56.1:80/,

    our payload executes automatically when the page loads (see the console).

then the result is:

Congratulations... I think our payload is working.

Monday, 27 February 2012

Msfpayload and Msfencode

Msfpayload
msfpayload is the Metasploit component that generates shellcode, executables, and more for use in exploits outside of the Framework. Shellcode can be generated in many formats, including C, Ruby, JavaScript, and even Visual Basic for Applications. Each output format is useful in a different situation: for example, if we are working with a Python-based proof of concept, C-style output might be best; if we are working on a browser exploit, a JavaScript output format might be best.

Msfencode
The shellcode generated by msfpayload is fully functional, but it contains several null characters. Many programs treat a null byte as the end of a string, so the code is cut off before it completes. In other words, those \x00s and \xffs can break your payload!
In addition, shellcode traversing a network in cleartext is likely to be picked up by intrusion detection systems (IDSs) and antivirus software. To address this problem, Metasploit's developers offer msfencode, which helps you avoid bad characters and evade antivirus and IDSs by encoding the original payload in a way that does not include "bad" characters. Enter msfencode -h to see a list of msfencode options.

Example:

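To make the bad-character point concrete, here is an added Python example (not code from the original post or from Metasploit) that reports the offset of every bad byte in a buffer and shows how much of the buffer a C string function such as strcpy() would actually copy. The sample bytes are constructed for the demonstration and are not a payload.

```python
import ctypes

# Constructed sample buffer: a few arbitrary bytes with a NUL (0x00) and an
# 0xff deliberately placed inside. It is test input only, not shellcode.
SAMPLE = b"\x31\xc0\x50\x00\x68\xff\x2f\x73"


def find_bad_chars(buf: bytes, bad: bytes = b"\x00") -> list[tuple[int, int]]:
    """Return (offset, byte) for every byte of buf that belongs to the bad set.

    An empty list means the buffer is free of the listed bad characters."""
    badset = set(bad)
    return [(i, b) for i, b in enumerate(buf) if b in badset]


def is_clean(buf: bytes, bad: bytes = b"\x00") -> bool:
    """True when none of the bad bytes occur in buf."""
    return not find_bad_chars(buf, bad)


def as_seen_by_strcpy(buf: bytes) -> bytes:
    """What a NUL-terminated C string API (strcpy, strlen, ...) sees in buf.

    ctypes.c_char_p reads up to the first 0x00 byte, exactly like the C
    string functions do, so everything after the NUL is silently dropped."""
    return ctypes.c_char_p(buf).value


if __name__ == "__main__":
    print("bad bytes:", find_bad_chars(SAMPLE, b"\x00\xff"))
    print("copied by strcpy:", as_seen_by_strcpy(SAMPLE))
    print("clean after removing NUL:", is_clean(SAMPLE.replace(b"\x00", b"\x01")))
```

The same check is what you run on an encoded buffer afterwards: if `find_bad_chars` comes back empty for the full bad-character set of the target, the encoder did its job; if not, encode again with the remaining bytes added to the set.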
Social Engineering And SET

Social engineering, in the context of security, is understood to mean the art of manipulating people into performing actions or divulging confidential information. While it is similar to a confidence trick or simple fraud, the term typically applies to trickery or deception for the purpose of information gathering, fraud, or computer system access; in most cases the attacker never comes face-to-face with the victims.

The Social-Engineer Toolkit (SET) is specifically designed to perform advanced attacks against the human element. Originally this tool was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. SET was written by David Kennedy (ReL1K) with a lot of help from the community in incorporating attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization used during a penetration test. (http://www.offensive-security.com/metasploit-unleashed/SET)

An example using auxiliary modules

Scanning SMB version
For example, if host 192.168.56.101 is available on the network, we can attempt to determine which operating system it is running. This helps us narrow our attacks to a specific system and stops us from wasting time on hosts that aren't vulnerable to a particular exploit.
Since many systems in our scan have port 445 open, we will use the 'scanner/smb/version' module to determine which version of Windows is running on a target and which Samba version is on a Linux host.
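Seen from the other side of the wire, an SMB version sweep looks like one source opening port 445 (or 139) on many hosts in a short time. The following added Python example (not part of the original post) runs that detection over a few constructed iptables-style log lines: it groups SMB destinations by source and flags any source that touched more distinct hosts than a threshold, while a workstation talking repeatedly to its single file server is left alone. The log format and addresses are assumptions for the demonstration.

```python
import re
from collections import defaultdict

SMB_PORTS = {139, 445}

# Constructed sample log (iptables LOG target style); not real traffic.
SAMPLE_LOG = """\
Feb 27 10:01:02 fw kernel: IN=eth0 SRC=192.168.56.1 DST=192.168.56.101 PROTO=TCP SPT=40001 DPT=445 SYN
Feb 27 10:01:02 fw kernel: IN=eth0 SRC=192.168.56.1 DST=192.168.56.102 PROTO=TCP SPT=40002 DPT=445 SYN
Feb 27 10:01:03 fw kernel: IN=eth0 SRC=192.168.56.1 DST=192.168.56.103 PROTO=TCP SPT=40003 DPT=445 SYN
Feb 27 10:01:03 fw kernel: IN=eth0 SRC=192.168.56.1 DST=192.168.56.104 PROTO=TCP SPT=40004 DPT=445 SYN
Feb 27 10:01:04 fw kernel: IN=eth0 SRC=192.168.56.1 DST=192.168.56.105 PROTO=TCP SPT=40005 DPT=139 SYN
Feb 27 10:02:10 fw kernel: IN=eth0 SRC=192.168.56.50 DST=192.168.56.10 PROTO=TCP SPT=51000 DPT=445 SYN
Feb 27 10:02:11 fw kernel: IN=eth0 SRC=192.168.56.50 DST=192.168.56.10 PROTO=TCP SPT=51001 DPT=445 SYN
Feb 27 10:02:12 fw kernel: IN=eth0 SRC=192.168.56.50 DST=192.168.56.20 PROTO=TCP SPT=51002 DPT=80 SYN
"""

LINE_RE = re.compile(r"SRC=(\S+) DST=(\S+) PROTO=TCP .*?DPT=(\d+)")


def smb_targets_by_source(log: str) -> dict[str, set[str]]:
    """Map each source address to the set of distinct hosts it contacted on an SMB port.

    Lines that do not match the expected format, or that go to non-SMB ports,
    are ignored rather than raising."""
    targets: dict[str, set[str]] = defaultdict(set)
    for line in log.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue
        src, dst, dport = m.group(1), m.group(2), int(m.group(3))
        if dport in SMB_PORTS:
            targets[src].add(dst)
    return dict(targets)


def flag_smb_sweeps(log: str, threshold: int = 3) -> dict[str, int]:
    """Return {source: distinct_target_count} for sources above the threshold."""
    return {
        src: len(dsts)
        for src, dsts in smb_targets_by_source(log).items()
        if len(dsts) > threshold
    }


if __name__ == "__main__":
    for src, count in flag_smb_sweeps(SAMPLE_LOG).items():
        print(f"possible SMB sweep from {src}: {count} distinct hosts")
```

The threshold is the tuning knob: in a flat lab network like the one in this post a handful of distinct SMB targets from one workstation is already unusual, whereas a domain controller or backup server legitimately reaches many hosts on 445 and needs an allow-list.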


Friday, 24 February 2012

Linux Exploits

1. We need to turn off Linux ASLR with:

then compile this vulnerable application:
   
then load it in the debugger and try to trigger the buffer overflow

Now we will find the offset needed to trigger an overwrite; open it in GDB

We have succeeded in overwriting EIP now; see the information below

then to get the ESP address:

then the ESP address is bfffef5c - 200 (hex) = bfffed5c
then I try to send 383 bytes of junk like this:
but it didn't work yet.
Wednesday, 22 February 2012

File Sharing Wizard SEH Remote Exploit


To find the vulnerability in this application, first let's run Wireshark:

then, after we have the information we captured with Wireshark, we load it into our fuzzer:

and now open File Sharing Wizard and OllyDbg, and run it against the fuzzer.
Now File Sharing Wizard crashes, and in OllyDbg the SEH handler is 41414141. Pressing Shift+F9 passes the exception to that overwritten handler, so EIP is now under our control.

The next step is to get a POP, POP, RETN address.
We got the POP POP RETN address from the nt.dll module library: 662D08F5.

Now we look for the offset needed to overwrite SEH, using pattern_create

so we need 1025 bytes to trigger the SEH handler

Controlling the CPU process

then set a breakpoint on the address of POP POP RETN, like this:

From the picture above, when we hit the breakpoint, the address is already the one pointed to by the SEH handler.

Generate Shellcode
Using the Metasploit Framework: type cd /pentest/exploits/framework2, then ./msfweb,
and go to the Metasploit web interface in the browser

After we get the payload we need to remove all the bad characters and test it again until it is completely free of bad characters, like below:

then put it in the fuzzer

and finally

Friday, 17 February 2012

SEH Buffer Overflow on BigAnt Server

In BigAnt Server we will try fuzzing the "USV" command. First we run BigAnt Server, then attach the antserver.exe process to OllyDbg. We have to restart BigAnt Server and OllyDbg every time we fuzz.

We will try to send 2500 bytes of buffer data to BigAnt Server and see what happens.
The application crashes but does not disappear, because BigAnt Server uses SEH; to look inside SEH, click View, then SEH chain.
It is obvious that the buffer we sent has filled the SEH chain. To pass control from the SEH chain to the handler address in memory, press Shift+F9, and EIP becomes 41414141.

In the third line of the OllyDbg window we can see that the buffer we sent has been placed on the stack. To look at the data inside application memory, right-click the stack line and choose Follow in Dump.

Now the next step is to get the "jump stone" address.
We must find an address whose contents are POP, POP, RETN. That address is what we use to overwrite the SEH address in the application. We use the menu "View", then "Executable modules".

There are two conditions a module must meet for its "jump stone" address to be usable for overwriting the SEH address:
a. the module is not compiled with /SAFESEH ON
b. the module does not use the IMAGE_DLLCHARACTERISTICS_NO_SEH option flag
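The second condition is a single bit in the PE optional header, which makes it easy to audit your own modules for. The following added Python example (not part of the original post, and not a Metasploit or OllyDbg tool) parses the DllCharacteristics field of a PE image and reports the NO_SEH, NX_COMPAT and DYNAMIC_BASE hardening flags. It does not parse the Load Config directory, so a module reported without NO_SEH may still be protected by /SAFESEH; the result only says that the SafeSEH table needs checking next. The `build_minimal_pe` helper constructs a header-only test image so the example runs offline; it is not a loadable binary.

```python
import struct

# DllCharacteristics bits as named in winnt.h / the PE specification.
IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400


def build_minimal_pe(dll_characteristics: int, pe32plus: bool = False) -> bytes:
    """Constructed test input: DOS stub + PE signature + COFF header + optional header.

    Only the fields that audit_dll_characteristics reads are filled in; the
    result is not a loadable image."""
    e_lfanew = 64
    dos = bytearray(64)
    dos[0:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, e_lfanew)           # e_lfanew -> PE signature
    opt_size = 112 if pe32plus else 96                    # standard sizes, no data directories
    coff = struct.pack("<HHIIIHH",
                       0x8664 if pe32plus else 0x014C,    # Machine
                       0, 0, 0, 0,                        # sections, timestamp, symtab, nsyms
                       opt_size,                          # SizeOfOptionalHeader
                       0x2102)                            # Characteristics (EXECUTABLE|DLL|32BIT)
    opt = bytearray(opt_size)
    struct.pack_into("<H", opt, 0, 0x20B if pe32plus else 0x10B)   # Magic
    struct.pack_into("<H", opt, 70, dll_characteristics)          # DllCharacteristics
    return bytes(dos) + b"PE\0\0" + coff + bytes(opt)


def audit_dll_characteristics(image: bytes) -> dict:
    """Read DllCharacteristics from a PE image and report the hardening flags.

    DllCharacteristics sits at offset 70 of the optional header in both the
    PE32 (0x10B) and PE32+ (0x20B) layouts. Raises ValueError on malformed input."""
    if len(image) < 0x40 or image[:2] != b"MZ":
        raise ValueError("not a PE image: missing MZ header")
    e_lfanew = struct.unpack_from("<I", image, 0x3C)[0]
    if image[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image: bad PE signature")
    coff_off = e_lfanew + 4
    size_opt = struct.unpack_from("<H", image, coff_off + 16)[0]
    opt_off = coff_off + 20
    if size_opt < 72 or len(image) < opt_off + 72:
        raise ValueError("optional header too short for DllCharacteristics")
    magic = struct.unpack_from("<H", image, opt_off)[0]
    if magic not in (0x10B, 0x20B):
        raise ValueError(f"unknown optional header magic {magic:#x}")
    flags = struct.unpack_from("<H", image, opt_off + 70)[0]
    no_seh = bool(flags & IMAGE_DLLCHARACTERISTICS_NO_SEH)
    return {
        "pe32plus": magic == 0x20B,
        "NO_SEH": no_seh,
        "NX_COMPAT": bool(flags & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "DYNAMIC_BASE": bool(flags & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        # Without NO_SEH the module relies on /SAFESEH, which lives in the Load
        # Config directory and is not parsed here, so it must be checked separately.
        "needs_safeseh_check": not no_seh,
    }


if __name__ == "__main__":
    hardened = build_minimal_pe(IMAGE_DLLCHARACTERISTICS_NO_SEH
                                | IMAGE_DLLCHARACTERISTICS_NX_COMPAT
                                | IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE)
    print("hardened module:", audit_dll_characteristics(hardened))
    print("legacy module:", audit_dll_characteristics(build_minimal_pe(0)))
```

To run it against a real file, read the file's bytes and pass them to `audit_dll_characteristics`; any module in the process that comes back with `needs_safeseh_check` set is the one to inspect with the load-config table (or to rebuild with /SAFESEH and NO_SEH), because that is exactly the kind of module the post's conditions a. and b. describe.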

To find the location of POP, POP, RETN we use OllyDbg: "View", then "Executable modules", and double-click vbajet32.dll. Once inside the CPU window of vbajet32.dll, right-click again and choose "Search for", then "Sequence of commands".

From the picture above, OllyDbg found the address inside vbajet32.dll at offset 0F9A196A.

Get the offset to overwrite SEH

We use Metasploit's pattern_create tool to make a 2500-byte string pattern, then load it into the fuzzer.
Now we run the application and OllyDbg again; it crashes, and we get a new EIP value here.
Then we feed the EIP value to pattern_offset like this:
so we need around 966 bytes to trigger the SEH handler, and we use that in the fuzzer:
Then we run it against the application again, and the SEH chain looks like this:
so the buffer we loaded is correct and as planned.
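Both this section and the File Sharing Wizard section above lean on pattern_create and pattern_offset to turn a crash register value into an offset into the input. The added Python example below (not part of the original post, and not Metasploit's own code) reimplements that crash-triage step: `pattern_create` produces the same Upper/lower/digit cyclic pattern, and `pattern_offsets` reports every position in the pattern whose four bytes, read little-endian, equal the register value seen in the debugger. An empty list means the register was not filled from the pattern (for example the 41414141 from a buffer of plain "A"s), and a list with more than one entry means the hit is ambiguous and the pattern length should be changed. The register values in the test are constructed from the pattern itself rather than taken from the post.

```python
import string
import struct


def pattern_create(length: int) -> bytes:
    """Build the classic cyclic pattern: Aa0Aa1...Aa9Ab0... up to `length` bytes.

    Each (upper, lower, digit) triplet occurs once, so every 3-byte-aligned
    position is unique; the pattern repeats after 26*26*10*3 = 20280 bytes."""
    out = bytearray()
    for upper in string.ascii_uppercase:
        for lower in string.ascii_lowercase:
            for digit in string.digits:
                out += f"{upper}{lower}{digit}".encode()
                if len(out) >= length:
                    return bytes(out[:length])
    return bytes(out[:length])


def pattern_offsets(pattern: bytes, register_value: int) -> list[int]:
    """Offsets in `pattern` whose 4 bytes, read little-endian, equal register_value.

    A 32-bit register that was loaded from the buffer (EIP, or the SEH handler
    slot) holds the bytes in memory order, so the search key is the
    little-endian packing of the value shown in the debugger."""
    needle = struct.pack("<I", register_value & 0xFFFFFFFF)
    offsets, start = [], 0
    while (i := pattern.find(needle, start)) != -1:
        offsets.append(i)
        start = i + 1
    return offsets


def triage_crash(pattern: bytes, register_value: int) -> str:
    """Human-readable verdict for a crash whose register held register_value."""
    hits = pattern_offsets(pattern, register_value)
    if not hits:
        return "register not sourced from the pattern"
    if len(hits) > 1:
        return f"ambiguous: matches at offsets {hits}"
    return f"input offset {hits[0]} reached the register"


if __name__ == "__main__":
    p = pattern_create(2500)
    # Constructed check values: the first four bytes of the pattern, and 'AAAA'.
    print(triage_crash(p, 0x41306141))
    print(triage_crash(p, 0x41414141))
```

On a defender's fuzzing harness this is the step that separates a crash worth a high-severity ticket (attacker-controlled bytes land in the instruction pointer or the SEH record) from a plain null dereference.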

Control CPU Process
To reach the bytes we use as the SEH trigger, we now load the offset address from vbajet32.dll into the fuzzer.
Before we run OllyDbg and BigAnt Server, we set a breakpoint on the SEH memory address, just to make sure our exploit really lands on the target.
Then press Shift+F9 to pass into vbajet32.dll, then press F7 until we reach RETN, like this picture:
Because the memory space there is only 4 bytes, which is not enough to hold a shellcode, we need another step to relocate to an address with enough memory space. To find it, right-click on 015FFD7D, then "Follow in Dump", then "Selection", and we get this:

Create Shellcode
As in the previous exploits, we now need to create the payload with the Metasploit Framework; we use a Windows reverse shell here, as in the picture:
After we generate the payload, we need to clear the bad characters out of the shellcode and make sure it is free of bad characters by checking it manually, then sending it row by row with the fuzzer. Finally the result looks like this:
and we run it against BigAnt Server, and finally we succeed in getting a remote shell on the target: