Tuesday 23 May 2017

Create secured Meterpreter connection using Metasploit Paranoid Mode

Metasploit Paranoid Mode helps you in creating and maintaining your meterpreter session over SSL.

This is achieved by verifying the handler certificate.

Below demonstration is performed from Kali linux system to exploit Windows 7 system using paranoid mode feature, to create payload, and metasploit, to handle the session using meterpreter.

Following payloads can be used in Paranoid Mode.
Staged (payload.bat|ps1|txt|exe):

Stageless (binary.exe):

The script can be found here.

Sunday 14 May 2017

Infecting systems with WannaCry ransomeware

On 12th May 2017, a ransomware was released called WannaCry.
WannaCry leverages the EternalBlue exploit, which was released with the recent NSA data leaks by ShadowBrokers, to target all the windows systems which are not patched with MS17-010.

Video showing Live WannaCry infection:

White list URL www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com to stop the virus from infecting the host and from spreading.

Microsoft had release a patch for MS17-010 on 14th March 2017 - https://technet.microsoft.com/en-us/library/security/ms17-010.aspx

Recently, They have also released a patch for Windows XP, Server 2003 and Windows 8 to fight the attack - https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/

Malware samples can be found on -


password: hackerhouse

This ransomware will look for and encrypt following filetypes:
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der

Monday 1 May 2017

Mimikatz in JScript - Running in memory

Video PoC of running Mimikatz in JS from memory.

Test was performed on Windows 7 x64.

Mimikatz.js can be found here.

Script to convert any .Net application JS can be found here.

Follow me on Twitter - @hardw00t

Exploiting MS17-010 with Metasploit

MS17-010 has made lot of fuzz recently, specially after the NSA data leak by ShadowBrokers.

The exploits are made to run on old version of Python and Windows.
So far we have been using it with FuzzBunch, an exploitation framework similar to Metasploit which was part of the data leak.

We will be using EternalBlue exploit (MS17-010) to compromise Windows server 2008 R2 system.
A test bed was created to perform this, test bed was configured with following:

1) Kali Linux
2) Windows Server 2008 R2 SP1

You can download the exploit from here or use the following command to clone the repository:

git clone https://github.com/hardw00t/Eternalblue-Doublepulsar-Metasploit

Now copy the 'eternalblue_doublepulsar.rb' to the exploit module of Metasploit.

Finally reload all the modules of Metasploit and run the exploit on vulnerable target.

Follow the below video to run the exploit using Metasploit:

Exploiting MS17-010 using FuzzBunch and Metasploit

FuzzBunch is a exploit framework like Metasploit, which was released in the recent NSA data leak by ShadowBrokers.

The leaked data can be found here.

The framework included following exploits:

1) EternalBlue - MS17-010
2) EternalSynergy - MS17-010
3) EternalRomance - MS17-010
4) EternalChampion - MS17-010
5) EmeraldThread - MS10-061
6) EskimoRoll - MS14-068
7) EducatedScholar - MS09-050
8) EclipsedWing - MS08-067

Here we will be using EternalBlue with DoublePulsar, DoublePlusar is used for DLL injection.

A virtual test bed was created for this activity. Virtual envirnment involved the following:
1) Windows XP x86 - installed with Python 2.6, Pywin32 and FuzzBunch repository
2) Windows Server 2k8 R2 SP1

Video PoC: