Thread: Pentesting Documentation

  1. #11  AnActivist (Junior Member, joined Apr 2009, 77 posts)

    Thanks for the words of encouragement KMDave, and thank you for the tip, hate. I saw a video about using the meterpreter's passwd dump but I haven't gotten around to it yet; I'm definitely going to try it out soon.

    Following up on what was posted below:

    Using the meterpreter to dump hashes is much better than the more conventional methods because it doesn't touch the registry or the disk. Finding this out actually disappointed me a little bit because I've been trying to figure out how to write scripts that DO modify the "victim's" registry; now I find out that that actually isn't very sneaky at all, more on that farther down.

    From reading about what exactly creating noise on a system is, I've come to the following conclusion: Noise on system = excess traffic = easier to be detected. After thinking about it and doing some research it's hard for me to think of another way to start the keylogger without creating any noise, because if I start the keyscan manually via keyscan_start or automatically via a script it still starts the keyscan. However, I did find some other interesting material on perhaps eliminating the noise that is created: there is an interesting pdf that I found titled ChiCon07_Gates_ Metasploit-Day-2-FunStuff (google the title and you should be able to find it); on page 26 it talks about clearing the event log. KMDave, I'm not sure if this is what you were talking about but I'm sure it is a step in the right direction.

    Follow up to Automatically Start sniffing keys Concluding Questions:

    After reading a bit of the above mentioned pdf, it provided a link to a section of the metasploit website that provided the answers to both questions (I think). The reason I say "I think" is because I don't fully understand how exactly I can use it to reference what I am trying to look up. I have some experience with C++ so I am no stranger to classes and objects and OOP, but the layout of the documentation is confusing to me. I'm pretty sure that the site does address the questions I had and will help teach me how to automate not only events in a meterpreter session but also on a "victim's" Windows box. Here is the link: http://www.metasploit.com/documents/api/rex/index.html

    Concluding Questions/Goals:
    1. Explore more about hiding/deleting presence on a victim's computer.
    2. Learn how to use the above link as a tool to write scripts. An example:
    How can I use the Rex Documentation (above link) to teach myself what exactly the following line of code does?
    Code:
     session.ui.keyscan_start
    Note: I already understand what that particular function is, but I'm not sure exactly how this is happening. I think that the Rex Documentation will provide the answers but I'm not sure how to search for them.
    3. Use scripting to automate all of the following:
    -Interact with sessions
    -Kill processes
    -Delete/Move files
    -Modify registry (in particular I want to try to modify the registry so that it will execute a payload at scheduled intervals. Note: I've already read up a bit on the Windows Task Scheduler but I'm still trying to find out what Reg Keys it modifies so I can automate the process)
    -Sweep LAN and install other files/payloads on computers on the "victim's" LAN: this one interests me a lot but I think it's more down the road.

    I really appreciate the advice so far thank you.

  2. #12  Good friend of the forums (joined Jun 2008, 425 posts)

    A tool I found on another site; it makes it harder for an exe to be detected.
    The author is the person at the top of the program.

    http://rapidshare.com/files/223893866/_crypter.exe.html

  3. #13  AnActivist (Junior Member, joined Apr 2009, 77 posts)

    Quote (originally posted by compaq):
    A tool I found on another site; it makes it harder for an exe to be detected.
    The author is the person at the top of the program.

    http://rapidshare.com/files/223893866/_crypter.exe.html

    Is this the site that you got it from? I'm just wondering because I think that the RapidShare download is just an executable without a help file or anything. http://sandsprite.com/CodeStuff/Buil...e_crypter.html In any case I'm going to read about it on the site and will try it out.

  4. #14  Good friend of the forums (joined Jun 2008, 425 posts)

    Windows GUI. Create the Metasploit payload exe, then run the above program and select the Metasploit file; it will edit the binary code to stop signature-based AV.

    Quote: Is this the site that you got it from?
    No, can't remember where I found it.

  5. #15  AnActivist (Junior Member, joined Apr 2009, 77 posts)

    I've been doing some research and found exactly what I am looking for. Thanks to darkoperator's blog, Shell Is Only The Beginning, specifically "Abusing the scheduler with the meterpreter", I've been able to *almost* kill multiple birds with one stone with his script scheduleme.rb. Link: http://www.darkoperator.com/

    I say almost because although I feel like I've made progress by finding this information, implementing it has proven harder than I thought. I've tried just about every combination of commands to try and get to my goal.

    Goal:

    Get a windows/meterpreter/reverse_tcp converted to an executable that has already been installed on the "victim's" computer to execute remotely every 15 minutes to 1 hour. The reason I am trying to do this is because if the meterpreter session is lost it's nice to know that I only have to wait another *insert chosen time here* minutes for the executable to run again and thus send me a meterpreter session. This method I believe goes along the lines of what both hate and KMDave were talking about because it stays "either under the privileges under which Meterpreter is running or a username and password provided each report per host saved in a different file and location for later analysis. (darkoperator)"

    Problem:

    I just can't seem to get the syntax correct; it is also difficult to find information on how to use darkoperator's script because it seems that he is one of the few people who knows about it (or at least writes about it) except for a site called Laramies Corner which just brushes over it in a couple lines.

    Attempts:

    These are several of my documented attempts at getting the script to run properly. Note: I am trying to get an executable that has already been installed on the "victim's" computer to run on a schedule that is specified by me.

    Code:
    meterpreter > run scheduleme -m 1 -c "C:\system\windows\vn.exe"
    [*] Scheduling command C:systemwindowsvn.exe to run minute.....
    [*] Failed to create scheduled task!!
    meterpreter >
    Code:
    meterpreter > run scheduleme -m 1 -c C:\system\windows\vn.exe
    [*] Scheduling command C:systemwindowsvn.exe to run minute.....
    [*] Failed to create scheduled task!!
    Code:
    meterpreter > run scheduleme -m 1 -r -c C:\system\windows\vn.exe
    [*] Scheduling command C:systemwindowsvn.exe to run minute.....
    [*] Failed to create scheduled task!!
    Code:
    meterpreter > run scheduleme -m 1 -r -t C:\system\windows\vn.exe
    This is just read as completely wrong and goes to the help file...
    The list goes on but none have achieved the desired goal.

    Hypothesis:

    1. Probably the most likely is that my syntax is just plain wrong. I have a couple of theories about where it could be wrong:
    - The -c is for a "command" but I'm just putting in a "file"; however, I don't really know what the proper "command" is to execute the right "file".
    - I'm mixing up what exactly darkoperator means by "remote".
    I'm hoping this is the problem, which would lead to a quick fix with the correct advice/information/hint. I'm already sure that the script is compatible with XP because it clearly states it at the top of the script, so I'm sure that the problem is purely on the end of the user (me).

    I'd really appreciate a nudge in the right direction from the community on this one. As always thanks for taking the time to read.

  6. #16  Good friend of the forums (joined Jun 2008, 425 posts)

    HKLM\Software\Microsoft\Windows\CurrentVersion\Run
    Key : at
    value : at 00:30 cmd.exe && at 01:00 cmd.exe && at 01:30 cmd.exe...etc

    At boot it will load the commands every 30 mins.

    Hope it helps
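    The Run-key trick in the post above is also exactly what an administrator looks for when reviewing a machine's autoruns. The following Python script is an added example (not code from this thread or from Metasploit): it parses a constructed regedit-style .reg export, collects every value under a Run/RunOnce key, and flags entries that chain commands, start the task scheduler, invoke cmd.exe, or point outside Program Files/Windows. The sample entries and the check labels are constructed for the example.

```python
import re

# Constructed .reg export (regedit "Export" format), not from any real machine. Real exports are
# UTF-16 on disk: open(path, encoding='utf-16').read() before handing the text to the functions below.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run]
"SoundMAX"="C:\\Program Files\\Analog Devices\\SoundMAX\\SMax4PNP.exe"
"at"="at 00:30 cmd.exe && at 01:00 cmd.exe && at 01:30 cmd.exe"

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"updater"="C:\\system\\windows\\vn.exe"
'''

RUN_KEY = re.compile(r'^\[(HKEY_[A-Z_]+\\.*\\CurrentVersion\\Run(?:Once)?)\]$', re.I)
STR_VALUE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')

def unescape(s):
    return re.sub(r'\\(.)', r'\1', s)   # .reg files double backslashes and escape quotes

def parse_run_entries(reg_text):
    """Return {run_key: [(value_name, command), ...]} for every Run/RunOnce key in the export."""
    entries, current = {}, None
    for raw in reg_text.splitlines():
        line = raw.strip()
        if line.startswith('['):                 # a new key header; only Run keys are tracked
            m = RUN_KEY.match(line)
            current = m.group(1) if m else None
            if current is not None:
                entries.setdefault(current, [])
            continue
        m = STR_VALUE.match(line) if current else None
        if m:
            entries[current].append((unescape(m.group(1)), unescape(m.group(2))))
    return entries

# Heuristics an administrator would apply to each autorun command: (label, predicate).
CHECKS = (
    ('chains several commands', lambda c: '&&' in c or '||' in c),
    ('starts the task scheduler (at/schtasks)',
     lambda c: re.match(r'^"?(?:[A-Z]:\\[^"]*\\)?(at|schtasks)(\.exe)?\b', c, re.I) is not None),
    ('invokes cmd.exe', lambda c: re.search(r'\bcmd(\.exe)?\b', c, re.I) is not None),
    ('binary outside Program Files / Windows',
     lambda c: re.match(r'^"?[A-Z]:\\(Program Files|Windows)\\', c, re.I) is None),
)

def audit_run_keys(reg_text):
    """List (key, value_name, command, [reasons]) for every autorun entry that trips a check."""
    findings = []
    for key, values in parse_run_entries(reg_text).items():
        for name, cmd in values:
            reasons = [label for label, test in CHECKS if test(cmd)]
            if reasons:
                findings.append((key, name, cmd, reasons))
    return findings

if __name__ == '__main__':
    for key, name, cmd, reasons in audit_run_keys(SAMPLE_REG):
        print(f'{key}\\{name}: {cmd}\n    -> {", ".join(reasons)}')
```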

  7. #17  AnActivist (Junior Member, joined Apr 2009, 77 posts)

    How-To: Dual Boot

    HowTo: Dual Boot Backtrack3 Final and Ubuntu 9.04 and keep Lilo

    What you will need:
    -Ubuntu 9.04 (or earlier) as the only OS installed on your hard drive
    -An Ubuntu 9.04 (or earlier) Live CD
    -A Backtrack3 Final Live CD

    Credit:
    All the authors of the links that are posted below are responsible for this How-to. I highly recommend reading (or at least skimming) through all the links posted below. After that you may not even need to read this.

    Links:
    http://www.offensive-security.com/mo.../dualboot.html
    http://infinityexists.com/videos/ins...g-backtrack-3/
    http://forums.remote-exploit.org/sho...=14751&page=16
    The mysterious lilo configuration: http://forum.vectorlinux.com/index.p...3Btopic=9154.0
    Fstab configuration: Here and Here

    Introduction:
    Dual booting Backtrack3 with Ubuntu (or any other OS for that matter) does not have to be a painful process. The biggest mistake I made was a combination of rushing through steps and not fully reading/understanding the tutorials I followed. Whether you read this how-to or a different one, remember: always read through the how-to several times before you actually try anything, make sure the how-to you are following meets your needs, and finally, when in doubt, use Google.

    Reasons why this How-to Might be Different from Others:

    -I assume Ubuntu is your only OS.
    -I use Gparted instead of Qtparted.
    -I keep the Lilo boot loader.

    Partitioning Hard Drive with Gparted:
    Step 1: Boot into your Ubuntu Live CD (I actually used the 8.10 live CD because I had it laying around), open a terminal, become root, unmount your Ubuntu partition and start gparted.
    Note: You should not have to type in a password to become root if you are using the live cd but if you do you can set the password by using the "sudo passwd" command.
    Code:
    user@linuxbox:~$ su
    root@linuxbox:/home/user# umount /dev/sda1
    root@linuxbox:/home/user# gparted
    ======================
    libparted : 1.8.8
    ======================
    Step 2: The Gparted GUI should have started up. The GUI is pretty intuitive: you can resize, create and delete partitions. At this point the partition with Ubuntu and all your files on it should be /dev/sda1; this is really the only one you need. You can delete everything else EXCEPT /dev/sda1. (DO NOT press apply yet)

    Step 3: You should now only have /dev/sda1 in your partition table with a little bit of unallocated space. We now want to cut /dev/sda1 in half to make room for our other partitions (one for Backtrack and another for the swap). Right click on /dev/sda1 and resize it: drag the left arrow so that it is at about half. Also drag it all the way to the right or left so that the only unallocated space is either to the right or left of /dev/sda1: you can do this by simply clicking in between the two arrows and dragging the partition over.

    Step 4: Your partition table should now have about half /dev/sda1 and half unallocated free space. Right click on the free space and select New: drag the right arrow a little bit to the left to free up some space for our swap. Then select the File System drop down menu and select "reiserfs"; you can now label it whatever you want. Now you should still have a little bit of unallocated space: right click on this and select New: go to file system and select linux-swap.

    Step 5: You should now have about half as /dev/sda1, a little bit less than half as a reiserfs File System and a little bit as a linux-swap File System. Count them: 3 entries in your partition table. Select Apply. This is going to take a pretty long time, so just go to sleep if it's 1 in the morning or go outside, but it will take a pretty long time.

    Step 6: When gparted is finished right click on your swap and select swap on from the drop down.

    You should see a /dev/sda2 as a reiserfs File System, a /dev/sda3 as a linux-swap File System, and a /dev/sda1 as an ext3 File System. You can check this also with fdisk by going into the terminal and typing the following command:
    Code:
     sudo fdisk -l /dev/sda
    Mine looks like this:
    Code:
       Device Boot      Start         End      Blocks   Id  System
    /dev/sda1   *        4879        9726    38941560   83  Linux
    /dev/sda2               1        4371    35110026   83  Linux
    /dev/sda3            4372        4878     4072477+  82  Linux swap / Solaris
    If this works for you then congratulations you've now partitioned your hard drive.

    Copying Backtrack3 Important Files to /dev/sda2:
    Step 1: Boot into Backtrack3 Final from the live CD.

    At this point let's take a moment to think about what we are doing: we need to copy all the important files (such as applications, boot information, and other files needed to run Backtrack3) that are on the live CD to our new partition /dev/sda2. Keep this in mind as you copy/mount/mkdir/chroot with the following commands.
    Note: when you copy the bin, home, pentest, .... files over, this step will probably take about 10 minutes, so just sit back and don't touch anything while this is happening. Also note that if at any point you get a message saying something about settings being saved when the computer is restarted, DO NOT ignore this; simply reboot back into Backtrack3 from the live CD and continue where you left off.
    Code:
    mkdir /mnt/backtrack
    mount /dev/sda2 /mnt/backtrack/
    # no separate /boot partition in this layout, so /boot simply lives on /dev/sda2
    mkdir /mnt/backtrack/boot
    cp --preserve -R /{bin,dev,home,pentest,root,usr,boot,etc,lib,opt,sbin,var} /mnt/backtrack/
    mkdir /mnt/backtrack/{mnt,tmp,proc,sys}
    mount --bind /dev/ /mnt/backtrack/dev/
    mount -t proc proc /mnt/backtrack/proc/
    cp /boot/vmlinuz /mnt/backtrack/boot
    chroot /mnt/backtrack/ /bin/bash
    DO NOT RESTART or exit out of the terminal

    Configuring the LILO boot loader for Ubuntu and Backtrack3:
    Step 1: Issue the following command in your terminal:
    Code:
     nano /etc/lilo.conf
    Now remove everything in the lilo.conf file so that it looks like the one below.
    Code:
    lba32
    boot=/dev/sda
    prompt
    timeout=60
    change-rules
    reset
    vga=791
    image = /boot/vmlinuz
    root = /dev/sda2
    label = Backtrack
    Step 2: The above lilo.conf file will allow you to boot only Backtrack3 Final. We also want to be able to boot into Ubuntu which is on /dev/sda1. To do this add the following to the bottom of your lilo.conf:
    Code:
    image = /mnt/sda1/vmlinuz
    root = /dev/sda1
    label = ubuntu
    initrd = /mnt/sda1/initrd.img
    Exit (Ctrl+X), save (y), save to /etc/lilo.conf (<Enter>).

    Step 3: Now run the below command and make sure that there aren't any errors; if you do get errors try copying and pasting them into Google and see what you find.
    Code:
     lilo -v

    Add Swap to /etc/fstab in Ubuntu:
    Step 1:
    Find the UUID of the swap drive using the following command:
    Code:
    sudo blkid
    Note: Remember that our swap drive is /dev/sda3. The UUID should look something like this: e2e7c11f-7cb5-4748-b7a4-3ab729f73f53

    Step 2: Back up your /etc/fstab file just in case something goes wrong:
    Code:
    sudo cp /etc/fstab /etc/fstab~
    Step 3: Open up /etc/fstab in your favorite text editor (I chose gedit):
    Code:
    gksudo gedit /etc/fstab
    Step 4: Now add the following line to the /etc/fstab file:
    Code:
    UUID=**your UUID**   swap    swap   defaults   0   0
    Reboot.

    Conclusion:
    If all has been installed, modified, and configured properly you should now be able to reboot your computer and be able to choose whether you want to boot into Backtrack3 Final or Ubuntu 9.04. I hope this helped you, thank you for reading.
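    Before running lilo -v inside the chroot it is worth checking lilo.conf against the partition table, since a stanza pointing at the wrong partition only fails at boot time. The Python checker below is an added example, not part of the how-to: it parses the fdisk listing and the lilo.conf from this post (copied here as constructed inputs), and reports stanzas whose root is missing or is the swap partition, plus kernels referenced outside /boot, which must already be mounted at that path inside the chroot because lilo records the kernel's block addresses when it installs.

```python
import re

# Constructed inputs copied from the how-to's own listings: the fdisk table and the finished lilo.conf.
FDISK_OUTPUT = """   Device Boot      Start         End      Blocks   Id  System
/dev/sda1   *        4879        9726    38941560   83  Linux
/dev/sda2               1        4371    35110026   83  Linux
/dev/sda3            4372        4878     4072477+  82  Linux swap / Solaris
"""
LILO_CONF = """lba32
boot=/dev/sda
prompt
timeout=60
change-rules
reset
vga=791
image = /boot/vmlinuz
root = /dev/sda2
label = Backtrack
image = /mnt/sda1/vmlinuz
    root = /dev/sda1
    label = ubuntu
    initrd = /mnt/sda1/initrd.img
"""

def parse_fdisk(text):
    """Map device -> partition type id (e.g. '82' for swap) from `fdisk -l` style output."""
    rows = re.findall(r'^(/dev/\S+)\s+\*?\s*\d+\s+\d+\s+\d+\+?\s+([0-9a-f]+)\s', text, re.I | re.M)
    return {dev: pid.lower() for dev, pid in rows}

def parse_lilo(text):
    """Split lilo.conf into global options and one dict per image= stanza."""
    opts, stanzas = {}, []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith('#'):
            continue
        key, _, val = (p.strip() for p in line.partition('='))
        if key == 'image':
            stanzas.append({'image': val})
        else:
            (stanzas[-1] if stanzas else opts)[key] = val   # options before any image= are global
    return opts, stanzas

def check_lilo(lilo_text, fdisk_text):
    """Return the problems a practitioner would want to fix before running `lilo -v`."""
    parts, (opts, stanzas) = parse_fdisk(fdisk_text), parse_lilo(lilo_text)
    problems, labels = [], set()
    if 'boot' not in opts:
        problems.append('no boot= line, lilo has nowhere to install')
    for s in stanzas:
        label = s.get('label', s['image'])
        if label in labels:
            problems.append(f'duplicate label {label}')
        labels.add(label)
        root = s.get('root')
        if root not in parts:
            problems.append(f'{label}: root {root} is missing or not in the partition table')
        elif parts[root] == '82':
            problems.append(f'{label}: root {root} is the swap partition')
        # lilo records the kernel's block addresses at install time, so a kernel that is
        # not under /boot must already be mounted at that path inside the chroot
        if not s['image'].startswith('/boot/'):
            problems.append(f'{label}: kernel {s["image"]} is outside /boot; mount it inside the chroot first')
    return problems

if __name__ == '__main__':
    print('\n'.join(check_lilo(LILO_CONF, FDISK_OUTPUT)) or 'lilo.conf looks consistent')
```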

  8. #18  AnActivist (Junior Member, joined Apr 2009, 77 posts)

    Over the last couple days I've put aside my previous goals to work on figuring out which pentesting lab setup I like the best. I didn't think this would take that long but the adventure has been much harder than I anticipated, which is not to say I didn't learn a lot.

    Goal: Try out all of the well known methods for using backtrack including: vmware, hard drive install, live cd, *soon to have usb but I want a bigger flash drive first*

    Live CD: This one is pretty obvious.

    VMware:
    Specs: Installing VMware-Workstation in Ubuntu 9.04.

    After a little bit of googling I found a video by kivi12k; it very clearly describes how to set everything up and run it. If you do follow this tut you can priv message him or me to help you register your VMware-Workstation.

    Link: http://kivi12k.blip.tv/file/1829074/

    Problems encountered: I'm not sure what exactly it is with that particular video but it really does not like Ubuntu. You have to install some codecs but they don't really work. I suggest you watch it from a Windows partition if you have one. If not, try and install the packages, but you won't be able to fast-forward or rewind, which was pretty frustrating.

    I like the VMware setup because it was very easy to get working, and I got to use Backtrack4 beta. Also it's nice to not have to worry about having to reboot every time I want to use Backtrack.

    The initial reason why I didn't like VMware was because the up and down arrow keys don't work and instead invoke certain shortcuts. I'm sure there is a way around this, but then my VMware-Workstation froze and then crashed, which I really didn't like. Also I'm not sure if this is because of VMware or because of BT4 Beta, but I can't seem to get the framework to update properly with "svn update"; it's because of this, I think, that some of the functionality of the meterpreter is missing: mainly the ones used to sniff for keystrokes.

    Dual-Boot/HDD install:

    This is probably the method that is hated most by both Veterans and Newbies. Veterans probably hate it more than Newbies for the very reason that when Newbies hate something they post it all over the Internet/this forum. This setup method took me about the last 3 days to get working properly. I also decided to go back to Backtrack 3 for my dual boot just because I liked it more.

    I like the hard install because it does not freeze or lag out, it is easy to save files/configuration changes, and because it was such an awesome adventure to get it working I feel as if I'm almost obligated to use it.

    I don't like it because I have to reboot but I don't think it is that big of a deal.

    Conclusion: I'm going to be using Backtrack3 final on my /dev/sda2 partition to do my pentesting, but will explore VMware (which is still on my /dev/sda1 Ubuntu partition) in the future.

    I hope that my little how-to will help some people. I will copy and paste it into the How-To section of the forum if people think it would be useful, but I'm keeping it here for now just in case there are some problems with it. That being said, please let me know if there is a problem with the how-to so I can fix it, or let me know if you (someone with more experience) think that it's worth putting in the how-to section.

    I'm really happy that I can finally get back to working on some of the other projects that I have started, thanks for reading.

  9. #19  AnActivist (Junior Member, joined Apr 2009, 77 posts)

    Questions:
    -Why, while in a meterpreter session on a victim's computer, can I sniff keystrokes without going through the other steps laid out in other blogs (specifically migrating processes and issuing the "grabdesktop" command)? Everything works fine for me if I simply issue the command keyscan_start.

    -Where can I find information about how to use the API documentation provided by the Metasploit team on their website to write my own scripts?

    Some Updates:
    -Darkoperator was helping me out with his scheduleme script; after a little bit of testing he discovered that the reason why the script was not working was because I am testing on a Windows XP Home Edition SP2. The Home edition is the most important part because it is missing schtasks.exe, which allows tasks to be scheduled from the command line. Luckily there is another laptop in my house that runs the Professional Edition (which does have schtasks.exe) so I will be testing it on that soon. Thanks very much to Darkoperator; he put in a lot of time writing e-mails to explain to me what was happening.

    -I am still able to sniff keys via only using the keyscan_start command (in a meterpreter session), and when I last addressed this I was left with the conclusion that the metasploit team had updated something. I still haven't really been able to find a credible answer on either the Metasploit website or the closely related blogs. However, I added another hypothesis: perhaps Windows XP Home doesn't have an added layer of security that would normally have to be subverted if it were XP Professional. I'm not sure if this would explain why commands like "grabdesktop" are missing from the meterpreter sessions though; maybe someone can clarify this for me?

    -I've been doing a lot of reading about the scripting functionality with Metasploit and it confirms that all the goals laid out in a previous post I made can be automated using Ruby scripting.
    3. Use scripting to automate all of the following:
    -Interact with sessions
    -Kill processes
    -Delete/Move files
    -Modify registry (in particular I want to try to modify the registry so that it will execute a payload at scheduled intervals Note: I've already read up a bit on the Windows Task Scheduler but I'm still trying to find out what Reg Keys it modifies so I can automate the process)
    -Sweep LAN and install other files/payloads on computers on the "victim's" LAN: this one interests me a lot but I think its more down the road.
    The problem I am having is that I can't really find any info on how to write the scripts. I have some experience with programming but I'm just not sure how to use the API documentation on the Metasploit website to learn how to use the scripts/functionality that is available.

    -Finally I'm very interested in using the keylogrecorder.rb script (also written by DO). I should have a bit of a report on that soon.

    I realize that some of these posts are long winded, so I decided to put my questions at the beginning just in case a more experienced reader is reading and already has the answers. Thanks for reading.

    Edit: If anyone has time check out the How-To and see if it's accurate/makes sense. It would be my first one so I didn't want to just throw it out there without it being reviewed first.

  10. #20  Just burned his ISO (joined Apr 2009, 1 post)

    Wow, this is so cool. Can you send me a PM on how to hack computers?
