hardw00t - w00t everything ;) by Hardik Mehta (http://www.blogger.com/profile/10483445655104073560)

Compromising P-CSCF using VoLTE (published 2018-09-03, updated 2022-02-02)<div dir="ltr" style="text-align: left;" trbidi="on">
<div style="text-align: left;">
<div class="MsoNormal">
<span style="font-size: 13.5pt; line-height: 107%;">The
IP Multimedia Subsystem (IMS) enables telecom operators to
deliver multimedia applications and voice traffic over IP transport. The Proxy
Call Session Control Function (P-CSCF) is the first node in the IMS platform </span><span style="line-height: 107%;"><span style="font-size: x-small;"><i>(figure
1)</i></span></span><span style="font-size: 13.5pt; line-height: 107%;"> to interact with the User Equipment (UE) when a VoLTE call is initiated.</span></div>
<div class="MsoNormal">
<span style="font-size: 13.5pt; line-height: 107%;"><br /></span></div>
</div>
<div class="separator" style="clear: both; text-align: center;">
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnnFo1JMWD8uzbYdGOui2QINWxjn1gzguav7HexgJ-PuPOdocuueSrwWyNHkWFRfjiJIOwrAB5d1qn6MjpwQYJ1_cjPUjVhyphenhyphenaNdUGneIi7uoXHMfQG5agwiSzt8CDsRUnMjYbIdOmprTKx/s1600/IMS_pcscf_placement.png" style="margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" data-original-height="365" data-original-width="562" height="258" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhnnFo1JMWD8uzbYdGOui2QINWxjn1gzguav7HexgJ-PuPOdocuueSrwWyNHkWFRfjiJIOwrAB5d1qn6MjpwQYJ1_cjPUjVhyphenhyphenaNdUGneIi7uoXHMfQG5agwiSzt8CDsRUnMjYbIdOmprTKx/s400/IMS_pcscf_placement.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoNormal">
<span style="line-height: 107%;"><span style="font-size: xx-small;"><i>figure
1 - Placement of P-CSCF in IMS Platform</i></span><span style="font-size: 13.5pt;"><o:p></o:p></span></span></div>
</td></tr>
</tbody></table>
<b><span style="font-family: calibri, sans-serif; line-height: 107%;">Identify and Compromise P-CSCF with VoLTE phone:</span></b><br />
<span style="font-family: calibri, sans-serif; font-size: 13.5pt; line-height: 107%;">1) Initiate a call with the VoLTE phone and
simultaneously open the phone's terminal to list the currently established sessions. This
revealed the IP address of the serving P-CSCF node, connected on
port 5060 </span><span style="font-size: x-small;"><i>(figure
2)</i></span>.<br />
<span style="font-family: inherit;"><span style="font-family: "times" , "times new roman" , serif;"><br /></span>
</span><br />
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwsARGqEVlqQlpx-CySdBRsGT4VZ2wi54MdkHZ5gnN4jcTdCOu1brPPhJxC_hcsTG62wKaUIchy0cGqT12rq2Ckwftb8C1ZH5r1VmTGxi-hvUh9XuOL4rNDML3gvuZGXkoQ_C687jcfM0R/s1600/pcscf_established.png" style="margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" data-original-height="390" data-original-width="380" height="320" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgwsARGqEVlqQlpx-CySdBRsGT4VZ2wi54MdkHZ5gnN4jcTdCOu1brPPhJxC_hcsTG62wKaUIchy0cGqT12rq2Ckwftb8C1ZH5r1VmTGxi-hvUh9XuOL4rNDML3gvuZGXkoQ_C687jcfM0R/s320/pcscf_established.png" width="310" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoNormal">
<i><span style="line-height: 107%;"><span style="font-size: xx-small;">figure
2 - Identifying P-CSCF node connected on port 5060 (SIP protocol)</span></span></i><span style="font-size: 13.5pt; line-height: 107%;"><o:p></o:p></span></div>
</td></tr>
</tbody></table>
<span style="font-family: calibri, sans-serif; font-size: 13.5pt; line-height: 107%;">2) A service scan of the identified IP address revealed the management consoles of the application server and of the P-CSCF application </span><i><span style="font-family: calibri, sans-serif; line-height: 107%;"><span style="font-size: x-small;">(figure 3 &amp; figure 4)</span></span></i><span style="font-family: calibri, sans-serif; font-size: 13.5pt; line-height: 107%;">.</span><br />
<div style="text-align: center;">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx55fg4QsXw1gjt-eAaldzQpxR8ajd1mUFJ8WWl0u4wYi5ZUy9goiWOosubEYx3AbE9VQlcuvVwBm2MzG03oh-7x878V8GlKmwwuLs0IuaP45qLWI4mxENH8RxMAh6WSplDO8l-W55oHxN/s1600/pcscf_management.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="299" data-original-width="405" height="236" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEgx55fg4QsXw1gjt-eAaldzQpxR8ajd1mUFJ8WWl0u4wYi5ZUy9goiWOosubEYx3AbE9VQlcuvVwBm2MzG03oh-7x878V8GlKmwwuLs0IuaP45qLWI4mxENH8RxMAh6WSplDO8l-W55oHxN/s320/pcscf_management.png" width="320" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i style="font-family: inherit; font-size: 12.8px;"><span style="line-height: 13.696px;"><span style="font-size: xx-small;">figure 3 - P-CSCF application's management console</span></span></i></td></tr>
</tbody></table>
</div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin3n9eb8yZBUm2OAd5QULGluB2T0A9ljmL-PRJg2VsPH_CDx3kIcCQ0AAJLRKWKLgga4Uf1RpXnc7ZhwzTwHeNda0SBIreZ281yDtWN3MmA5zV6E8vhmqvmj5mHZo94gKUNBg__CtXr9qL/s1600/glassfish_management.png" style="margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" data-original-height="579" data-original-width="905" height="255" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEin3n9eb8yZBUm2OAd5QULGluB2T0A9ljmL-PRJg2VsPH_CDx3kIcCQ0AAJLRKWKLgga4Uf1RpXnc7ZhwzTwHeNda0SBIreZ281yDtWN3MmA5zV6E8vhmqvmj5mHZo94gKUNBg__CtXr9qL/s400/glassfish_management.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div>
<div class="MsoNormal">
<i><span style="line-height: 107%;"><span style="font-size: xx-small;">figure
4 - Application server's management console</span><span style="font-size: 10pt;"><o:p></o:p></span></span></i></div>
</div>
</td></tr>
</tbody></table>
<div class="MsoNormal">
<span style="font-size: 13.5pt; line-height: 107%;">3)
The application server, Oracle GlassFish, was found to be weakly configured and
could be accessed using weak credentials </span><span style="line-height: 107%;"><span style="font-size: x-small;"><i>(figure 5)</i></span></span><span style="font-size: 13.5pt; line-height: 107%;">.</span></div>
<div>
<div style="text-align: center;">
<span style="font-family: inherit;"><br /></span></div>
<div>
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2gpXwJg6aB5CEYTmy9GocANuiJ5fwVuFHkGWc-7bmCP-hJgU8oz7AU2iGzeBPoRzSOFzeNQIfZEYMqDxFdZ3-WBvaR6UCuaWoSp_iSXgOjfEwsL2lPi80EYjUP4LuXHJ2jP5UpvDwy2kq/s1600/galssfish.png" style="margin-left: auto; margin-right: auto;"><span style="font-family: inherit;"><img border="0" data-original-height="584" data-original-width="1021" height="228" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEh2gpXwJg6aB5CEYTmy9GocANuiJ5fwVuFHkGWc-7bmCP-hJgU8oz7AU2iGzeBPoRzSOFzeNQIfZEYMqDxFdZ3-WBvaR6UCuaWoSp_iSXgOjfEwsL2lPi80EYjUP4LuXHJ2jP5UpvDwy2kq/s400/galssfish.png" width="400" /></span></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><div class="MsoNormal">
<i><span style="line-height: 107%;"><span style="font-size: xx-small;">figure
5 - Access to Oracle Glassfish server using weak credentials</span><span style="font-size: 10pt;"><o:p></o:p></span></span></i></div>
</td></tr>
</tbody></table>
<div style="text-align: left;">
<div class="MsoNormal">
<span style="font-size: 13.5pt; line-height: 107%;">4)
A reverse shell was obtained through a web shell, giving root access to the
P-CSCF node </span><span style="line-height: 107%;"><span style="font-size: xx-small;"><i>(figure 6)</i></span></span><span style="font-size: 13.5pt; line-height: 107%;">.</span></div>
</div>
<div style="text-align: left;">
<div class="MsoNormal">
<table align="center" cellpadding="0" cellspacing="0" class="tr-caption-container" style="margin-left: auto; margin-right: auto; text-align: center;"><tbody>
<tr><td style="text-align: center;"><a href="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdFnoKRPL1_rJhm9rqpHQrzMui3BH-y5SfOYilZyelOjefiuSodsxfpSYneaH3G78mRKtWcm3tjfd9OBnSPIegEidZhDMhBXbitrH4HCsbuf__s5LuURPkXDATHC71FXO6pI7oaf6chvZn/s1600/root_pcscf.png" style="margin-left: auto; margin-right: auto;"><img border="0" data-original-height="394" data-original-width="737" height="213" src="https://blogger.googleusercontent.com/img/b/R29vZ2xl/AVvXsEhdFnoKRPL1_rJhm9rqpHQrzMui3BH-y5SfOYilZyelOjefiuSodsxfpSYneaH3G78mRKtWcm3tjfd9OBnSPIegEidZhDMhBXbitrH4HCsbuf__s5LuURPkXDATHC71FXO6pI7oaf6chvZn/s400/root_pcscf.png" width="400" /></a></td></tr>
<tr><td class="tr-caption" style="text-align: center;"><i style="font-size: 12.8px;"><span style="line-height: 13.696px;"><span style="font-size: xx-small;">figure 6 - Gained root access to P-CSCF (IMS)</span></span></i></td></tr>
</tbody></table>
<span style="font-size: 13.5pt; line-height: 107%;"><br /></span>
<span style="font-size: 13.5pt; line-height: 107%;">Once
the IMS platform is compromised, an attacker can pivot to other core telecom
components in the network.</span></div>
<div class="MsoNormal">
<span style="font-size: 13.5pt; line-height: 107%;"><br />
To prevent such attacks, telecom operators should enforce traffic
segregation between the user plane, control plane and management plane, so that
management interfaces are never reachable from the user plane. It is
highly recommended to keep all core network elements patched with the latest
security updates released by the vendor, and to define and enforce minimum
security baselines before integrating nodes into the network.</span></div>
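One way to check the host side of that plane segregation is to audit what a P-CSCF node actually listens on and flag every non-SIP service that faces the user plane. The script below is an added example and not code from the original post: the interface addresses, the `ss -lntup`-style sample output and the port-to-service names are constructed for the demonstration (only the GlassFish defaults, admin listener 4848 and HTTP listener 8080, are real product defaults), and it shows the weak layout from the post beside a corrected one.

```python
"""Audit a P-CSCF node's listening sockets against a plane-segregation policy.

Added example, not code from the original post. The interface addresses, the
`ss -lntup`-style sample output and the port-to-service names are constructed
for this demonstration; only the GlassFish defaults (admin listener 4848,
HTTP listener 8080) are real product defaults, everything else is assumed.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed addresses of the hypothetical P-CSCF node.
USER_PLANE_ADDR = "10.10.0.5"                # UE-facing interface that carries SIP
MGMT_ADDR = "192.168.100.5"                  # management-plane interface
WILDCARDS = {"0.0.0.0", "*", "::", "[::]"}   # a wildcard bind faces every plane

# The only services that may legitimately face user equipment.
SIP_PORTS = {("udp", 5060), ("tcp", 5060), ("tcp", 5061)}

# Assumed names for the ports in the post's scenario (GlassFish defaults: 4848, 8080).
SERVICE_NAMES = {22: "ssh", 4848: "glassfish-admin", 8080: "glassfish-http",
                 5060: "sip", 5061: "sip-tls"}


@dataclass(frozen=True)
class Listener:
    proto: str
    addr: str
    port: int
    process: str


# One `ss -lntup` row: 'tcp LISTEN 0 128 0.0.0.0:4848 0.0.0.0:* users:(("java",pid=1,fd=5))'
_ROW = re.compile(
    r'^(?P<proto>tcp|udp)\s+\S+\s+\d+\s+\d+\s+'
    r'(?P<addr>\[?[0-9a-fA-F.:*]+\]?):(?P<port>\d+)\s+\S+'
    r'(?:\s+users:\(\("(?P<proc>[^"]+)")?'
)


def parse_ss(output: str) -> list[Listener]:
    """Parse `ss -lntup`-style output into Listener records; header lines are skipped."""
    rows = []
    for line in output.splitlines():
        m = _ROW.match(line.strip())
        if m:
            rows.append(Listener(m["proto"], m["addr"], int(m["port"]), m["proc"] or "?"))
    return rows


def audit(listeners: list[Listener]) -> list[str]:
    """Return one finding for every non-SIP service that is not confined to the management address."""
    findings = []
    for sock in listeners:
        if (sock.proto, sock.port) in SIP_PORTS:
            continue  # SIP is expected on the UE-facing address
        name = SERVICE_NAMES.get(sock.port, "unknown")
        if sock.addr == USER_PLANE_ADDR or sock.addr in WILDCARDS:
            findings.append(f"{name} ({sock.proto}/{sock.port}, {sock.process}) is bound to "
                            f"{sock.addr} and reachable from the user plane")
        elif sock.addr != MGMT_ADDR:
            findings.append(f"{name} ({sock.proto}/{sock.port}, {sock.process}) is bound to "
                            f"{sock.addr}, not the management address")
    return findings


# Constructed output for the weak layout: management services on the wildcard
# address, so a UE that can reach SIP can also reach SSH and the GlassFish consoles.
WEAK_CONFIG = """\
Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port Process
udp   UNCONN 0      0      10.10.0.5:5060     0.0.0.0:*         users:(("pcscf",pid=901,fd=7))
tcp   LISTEN 0      128    10.10.0.5:5060     0.0.0.0:*         users:(("pcscf",pid=901,fd=8))
tcp   LISTEN 0      128    0.0.0.0:22         0.0.0.0:*         users:(("sshd",pid=412,fd=3))
tcp   LISTEN 0      128    0.0.0.0:4848       0.0.0.0:*         users:(("java",pid=1337,fd=55))
tcp   LISTEN 0      128    0.0.0.0:8080       0.0.0.0:*         users:(("java",pid=1337,fd=56))
"""

# Constructed output for the corrected layout: SIP stays on the user-plane
# address, every management service binds to the management address only.
HARDENED_CONFIG = """\
Netid State  Recv-Q Send-Q Local Address:Port   Peer Address:Port Process
udp   UNCONN 0      0      10.10.0.5:5060       0.0.0.0:*         users:(("pcscf",pid=901,fd=7))
tcp   LISTEN 0      128    10.10.0.5:5060       0.0.0.0:*         users:(("pcscf",pid=901,fd=8))
tcp   LISTEN 0      128    192.168.100.5:22     0.0.0.0:*         users:(("sshd",pid=412,fd=3))
tcp   LISTEN 0      128    192.168.100.5:4848   0.0.0.0:*         users:(("java",pid=1337,fd=55))
tcp   LISTEN 0      128    192.168.100.5:8080   0.0.0.0:*         users:(("java",pid=1337,fd=56))
"""

if __name__ == "__main__":
    for label, sample in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        findings = audit(parse_ss(sample))
        print(f"{label}: {len(findings)} finding(s)")
        for f in findings:
            print("  -", f)
```

Binding management services to the management address is only the host-side half of the control; the network between planes still needs an ACL or firewall policy that denies anything other than SIP from the subscriber side, otherwise a single misbound service reopens the path the post describes.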
<div class="MsoNormal">
<br /></div>
<div class="MsoNormal">
<span style="font-size: 13.5pt; line-height: 107%;">Hope
you enjoyed reading; suggestions are always welcome.</span><br />
<span style="font-size: 13.5pt; line-height: 107%;"><br /></span></div>
</div>
</div>
</div>
<div style="text-align: left;">
<div style="text-align: right;">
<span style="font-size: 13.5pt;"><br /></span>
<span style="font-size: 13.5pt;">Cheers!</span><br />
<div class="MsoNormal">
<span style="color: black; font-size: 13.5pt; line-height: 107%;"><a href="https://twitter.com/hardw00t?lang=en" target="_blank">@hardw00t</a></span><br /></div>
</div>
</div>
</div>
Create secured Meterpreter connection using Metasploit Paranoid Mode (2017-05-23)<div dir="ltr" style="text-align: left;" trbidi="on">
Metasploit Paranoid Mode helps you create and maintain your Meterpreter session over SSL.<br />
<br />
This is achieved by verifying the handler certificate.<br />
<br />
The demonstration below is performed from a Kali Linux system against a Windows 7 system: the Paranoid Mode feature is used to create the payload, and Metasploit handles the session using Meterpreter.<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/vV_33An_GWE/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/vV_33An_GWE?feature=player_embedded" width="320"></iframe></div>
<span style="font-size: small;"><br /></span>
<div style="text-align: left;">
<span style="font-size: small;">The following payloads can be used in Paranoid Mode.</span></div>
<div style="text-align: left;">
</div>
<div style="text-align: left;">
<span style="font-family: Verdana,sans-serif;"><span style="font-size: small;"><code>Staged (payload.bat|ps1|txt|exe):<br />windows/meterpreter/reverse_winhttps<br />windows/meterpreter/reverse_https<br />windows/x64/meterpreter/reverse_https<br /><br />Stageless (binary.exe):<br />windows/meterpreter_reverse_https<br />windows/x64/meterpreter_reverse_https</code></span></span></div>
<br />
The script can be found <a href="https://github.com/r00t-3xp10it/Meterpreter_Paranoid_Mode-SSL" target="_blank">here</a>.<br />
<br />
<br /></div>
Exploit MS17-010 without FuzzBunch binaries (2017-05-18)<div dir="ltr" style="text-align: left;" trbidi="on">
The EternalBlue exploit has been fully ported to Metasploit by <a href="https://twitter.com/zerosum0x0" target="_blank">@zerosum0x0</a> and <a href="https://twitter.com/JennaMagius" target="_blank">@JennaMagius</a>.<br />
<br />
<div>
<br /></div>
<div>
Video:</div>
<br />
<br />
<iframe allowfullscreen="" frameborder="0" height="270" src="https://www.youtube.com/embed/0ZPqDNONCZk" width="480"></iframe><br />
<br />
Follow me on Twitter - @<a href="https://twitter.com/hardw00t" target="_blank">hardw00t</a></div>
Infecting systems with WannaCry ransomware (2017-05-14, updated 2018-09-05)<div dir="ltr" style="text-align: left;" trbidi="on">
On 12th May 2017, a ransomware called WannaCry was released.<br />
WannaCry leverages the EternalBlue exploit, which was released in the recent NSA data leak by the ShadowBrokers, to target all Windows systems that are not patched against MS17-010.<br />
<br />
Video showing Live WannaCry infection:<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/0TxYaFatvFc/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/0TxYaFatvFc?feature=player_embedded" width="320"></iframe></div>
<br />
<br />
Whitelist the URL <code>www.iuqerfsodp9ifjaposdfjhgosurijfaewrwergwea.com</code> to stop the malware from infecting the host and from spreading further.<br />
<br />
Microsoft had released a patch for MS17-010 on 14th March 2017 - <a href="https://technet.microsoft.com/en-us/library/security/ms17-010.aspx" target="_blank">https://technet.microsoft.com/en-us/library/security/ms17-010.aspx</a><br />
<br />
Recently, they have also released a patch for Windows XP, Server 2003 and Windows 8 to counter the attack - <a href="https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/">https://blogs.technet.microsoft.com/msrc/2017/05/12/customer-guidance-for-wannacrypt-attacks/</a><br />
<br />
Malware samples can be found at -<br />
<a href="https://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE">https://transfer.sh/PnDIl/CYBERed01ebfbc9eb5bbea545af4d01bf5f1071661840480439c6e5babe8e080e41aa.EXE</a><br />
<br />
<a href="https://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE">https://transfer.sh/ZhnxR/CYBER1be0b96d502c268cb40da97a16952d89674a9329cb60bac81a96e01cf7356830.EXE</a><br />
<br />
<a href="https://mega.nz/#!VRtRAaZD!BNcDDAsSSAyb7k3IBdTyy1E1CrOBF5RqVf7MlIFucEI">https://mega.nz/#!VRtRAaZD!BNcDDAsSSAyb7k3IBdTyy1E1CrOBF5RqVf7MlIFucEI</a><br />
password: hackerhouse<br />
<span style="color: #24292e; font-family: , "blinkmacsystemfont" , "segoe ui" , "helvetica" , "arial" , sans-serif , "apple color emoji" , "segoe ui emoji" , "segoe ui symbol";"><br /></span>
<br />
<div style="box-sizing: border-box; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; margin-bottom: 16px;">
This ransomware will look for and encrypt the following file types:</div>
<div style="box-sizing: border-box; color: #24292e; font-family: -apple-system, BlinkMacSystemFont, "Segoe UI", Helvetica, Arial, sans-serif, "Apple Color Emoji", "Segoe UI Emoji", "Segoe UI Symbol"; font-size: 16px; margin-bottom: 16px;">
.doc, .docx, .xls, .xlsx, .ppt, .pptx, .pst, .ost, .msg, .eml, .vsd, .vsdx, .txt, .csv, .rtf, .123, .wks, .wk1, .pdf, .dwg, .onetoc2, .snt, .jpeg, .jpg, .docb, .docm, .dot, .dotm, .dotx, .xlsm, .xlsb, .xlw, .xlt, .xlm, .xlc, .xltx, .xltm, .pptm, .pot, .pps, .ppsm, .ppsx, .ppam, .potx, .potm, .edb, .hwp, .602, .sxi, .sti, .sldx, .sldm, .sldm, .vdi, .vmdk, .vmx, .gpg, .aes, .ARC, .PAQ, .bz2, .tbk, .bak, .tar, .tgz, .gz, .7z, .rar, .zip, .backup, .iso, .vcd, .bmp, .png, .gif, .raw, .cgm, .tif, .tiff, .nef, .psd, .ai, .svg, .djvu, .m4u, .m3u, .mid, .wma, .flv, .3g2, .mkv, .3gp, .mp4, .mov, .avi, .asf, .mpeg, .vob, .mpg, .wmv, .fla, .swf, .wav, .mp3, .sh, .class, .jar, .java, .rb, .asp, .php, .jsp, .brd, .sch, .dch, .dip, .pl, .vb, .vbs, .ps1, .bat, .cmd, .js, .asm, .h, .pas, .cpp, .c, .cs, .suo, .sln, .ldf, .mdf, .ibd, .myi, .myd, .frm, .odb, .dbf, .db, .mdb, .accdb, .sql, .sqlitedb, .sqlite3, .asc, .lay6, .lay, .mml, .sxm, .otg, .odg, .uop, .std, .sxd, .otp, .odp, .wb2, .slk, .dif, .stc, .sxc, .ots, .ods, .3dm, .max, .3ds, .uot, .stw, .sxw, .ott, .odt, .pem, .p12, .csr, .crt, .key, .pfx, .der</div>
<span style="color: #24292e; font-family: , "blinkmacsystemfont" , "segoe ui" , "helvetica" , "arial" , sans-serif , "apple color emoji" , "segoe ui emoji" , "segoe ui symbol";"><br /></span>
<span style="color: #24292e; font-family: , "blinkmacsystemfont" , "segoe ui" , "helvetica" , "arial" , sans-serif , "apple color emoji" , "segoe ui emoji" , "segoe ui symbol";"><br /></span></div>
Mimikatz in JScript - Running in memory (2017-05-01)<div dir="ltr" style="text-align: left;" trbidi="on">
<br />
Video PoC of running Mimikatz in JS from memory.<br />
<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/WaWaqF1h9CY/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/WaWaqF1h9CY?feature=player_embedded" width="320"></iframe></div>
<br />
<br />
Test was performed on Windows 7 x64.<br />
<br />
Mimikatz.js can be found <a href="https://gist.github.com/hardw00t/302790bea71d8ff42aeb3d1e102007d1" target="_blank">here</a>.<br />
<br />
<br />
The script to convert any .NET application to JScript can be found <a href="https://github.com/tyranid/DotNetToJScript" target="_blank">here</a>.<br />
<br />
<br />
Follow me on Twitter - <a href="https://twitter.com/hardw00t" target="_blank">@hardw00t</a></div>
Exploiting MS17-010 with Metasploit (2017-05-01)<div dir="ltr" style="text-align: left;" trbidi="on">
MS17-010 has generated a lot of buzz recently, especially after the NSA data leak by the ShadowBrokers.<br />
<br />
The leaked exploits are built to run on old versions of Python and Windows.<br />
So far we have been using them with FuzzBunch, an exploitation framework similar to Metasploit that was part of the data leak.<br />
<br />
We will be using the EternalBlue exploit (MS17-010) to compromise a Windows Server 2008 R2 system.<br />
A test bed was created for this, configured with the following:<br />
<br />
1) Kali Linux<br />
2) Windows Server 2008 R2 SP1<br />
<br />
You can download the exploit from <a href="https://github.com/hardw00t/Eternalblue-Doublepulsar-Metasploit" target="_blank">here</a> or use the following command to clone the repository:<br />
<br />
<blockquote class="tr_bq">
git clone https://github.com/hardw00t/Eternalblue-Doublepulsar-Metasploit </blockquote>
<br />
Now copy 'eternalblue_doublepulsar.rb' into the exploit modules directory of Metasploit.<br />
<br />
Finally, reload all Metasploit modules and run the exploit against the vulnerable target.<br />
<br />
Follow the video below to run the exploit using Metasploit:<br />
<span class="css-truncate css-truncate-target"><br /></span>
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/DxPueg6qXcw/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/DxPueg6qXcw?feature=player_embedded" width="320"></iframe></div>
<span class="css-truncate css-truncate-target"><br /></span></div>
Exploiting MS17-010 using FuzzBunch and Metasploit (2017-05-01)<div dir="ltr" style="text-align: left;" trbidi="on">
FuzzBunch is an exploit framework similar to Metasploit, released in the recent NSA data leak by the ShadowBrokers.<br />
<br />
The leaked data can be found <a href="https://github.com/x0rz/EQGRP_Lost_in_Translation" rel="nofollow" target="_blank">here</a>.<br />
<br />
The framework included the following exploits:<br />
<br />
1) EternalBlue - MS17-010<br />
2) EternalSynergy - MS17-010<br />
3) EternalRomance - MS17-010<br />
4) EternalChampion - MS17-010<br />
5) EmeraldThread - MS10-061<br />
6) EskimoRoll - MS14-068<br />
7) EducatedScholar - MS09-050<br />
8) EclipsedWing - MS08-067<br />
<br />
Here we will be using EternalBlue with DoublePulsar; DoublePulsar is used for DLL injection.<br />
<br />
A virtual test bed was created for this activity. The virtual environment consisted of the following:<br />
1) Windows XP x86 - installed with Python 2.6, Pywin32 and FuzzBunch repository<br />
2) Windows Server 2k8 R2 SP1<br />
<br />
Video PoC:<br />
<br />
<div class="separator" style="clear: both; text-align: center;">
<iframe allowfullscreen="" class="YOUTUBE-iframe-video" data-thumbnail-src="https://i.ytimg.com/vi/B8kkHAa_ntk/0.jpg" frameborder="0" height="266" src="https://www.youtube.com/embed/B8kkHAa_ntk?feature=player_embedded" width="320"></iframe></div>
<br /></div>