Posted on 2 Comments

Server GUI to Server Core switching in Windows 2012

Microsoft has always been recommending the Server Core Installation for its servers over the full server installation. As is well known, Server Core Installation which is the minimal install of the server version reduces the space for attack vector by hackers. It also reduces the usage of resources. But the Server Core Installation makes administration intimidating as it requires the administrators to be a PowerShell expert.
With Windows Server 2012, Microsoft has introduced a new feature that would allow switching from Server GUI to Server Core Installation and vice versa. This enables administrators to install and configure the server in GUI and then switch to Server Core installation. Although there are many ways to switch from Server GUI to Server Core installation, the easiest way to perform this switching is by simple PowerShell commands. I am gonna show you how. For this, I have installed Windows Server 2012 standard GUI installation in Vmware workstation.

Then open PowerShell and type the command

Remove-windowsfeature Server-gui-shell,Server-gui-mgmt-infra” and hit Enter.

The process of disabling the GUI starts and the display is as same as below.

After a short time, the process is completed and it prompts you for a restart.

Restart the machine by typing “shutdown –R –T 0″ and hit ENTER.

After the reboot, the system asks for administrator password on entering which it switches to Server Core Installation.

To enable back the GUI, enter into PowerShell by typing command “powershell.exe” in the cmd and hit ENTER. In PowerShell, type the same command as above replacing Remove with Install and hit ENTER.

Install-windowsfeature server-gui-shell,server-gui-mgmt-infra”

After completing the process, the system prompts for a reboot. Reboot the system by typing command “shutdown –r  –t 0″ and hit ENTER.

The system successfully  switches over to Standard GUI installation.

Note:

Although the Server Core Installation is the preferred deployment, it does not support all roles. The roles supported by the server core installation are,

  • Active Directory Domain Services
  • Active Directory Certificate Services
  • DHCP server.
  • DNS server.
  • AD LDS
  • Hyper-V
  • Streaming Media services
  • Print and Document Services
  • Web server
  • Windows update server
  • Active Directory Rights Management Server
  • Routing and Remote Access Server.
Posted on Leave a comment

Metasploit Shellcode Injection Module

Metasploit Shellcode Injection Module is a Metasploit module which as its name suggests, injects shellcode into the target Windows system on which we already have access. In our previous article, we have learnt what is shellcode and how it is created. Shellcode is a bit assembly code or machine language. Shellcode plays a very important role in cyber security. Typically shellcode is used in offensive penetration testing.

Let’ s see how this module works. Get a meterpreter session on a Windows system. After getting a meterpreter session, Background the current session and load the post windows shellcode inject module as shown below.

We will use Donut tool to create a shellcode of the mimikatz program. Mimikatz is a tool that is used to experiment with Windows security. Its known to extract plaintext passwords and kerberos tickets from memory. It can also perform pass-the-hash, pass-the-ticket or build Golden tickets.

Set the SESSION ID and other options given below.

Set the interactive option to TRUE otherwise you will not directly be taken to the mimikatz shell. Also set the correct target architecture.

After all the options are set, execute the module and you should directly interact with mimikatz.

That’s all about the Metasploit Shellcode Injection Module,

Posted on 1 Comment

Donut shellcode generator

Donut shellcode generator is a tool that generates shellcode from VBScript, JScript, EXE, DLL files and DOTNET assemblies. Although there are many tools that can do this, Donut does this with position independent code that enables in-memory execution of the compiled assemblies. This compiled shellcode assembly can either be staged from a HTTP server or embedded directly in the file itself. After the compiled shellcode is loaded and executed in memory, the original reference is erased immediately to avoid memory scanners.

The features supported by the Donut generator are

  1. Compression of the generated files with aPLib and LZNT1, Xpress, Xpress Huffman.
  2. Using entropy for generation of strings 128-bit symmetric encryption of files.
  3. Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
  4. Patching command line for EXE files.
  5. Patching exit-related API to avoid termination of host process.
  6. Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal.
  7. What exactly is shellcode? Shellcode is a bit assembly code or machine language. Shellcode plays a very important role in cyber security. Typically shellcode is used in offensive penetration testing. In this article, let us learn about this awesome tool. This tool can be installed in Kali Linux by cloning it from Github as shown below. This will create a new directory named “Donut”
donut1

Navigating into the Donut directory, let’s create the shellcode of mimikatz.exe as shown.

Mimikatz.exe is a simple tool that is used to play with windows security. If you take this executable of Mimikatz into a Windows system, any antivirus or Windows Defender will detect this as malware. Just try it on your machine first before turning it into shellcode. It is found in Kali Linux. Here we copied it into the Donut folder.
When we run above command, shellcode is created as a file named “loader.bin” in the same directory of Donut.

By default, Donut creates shellcode for x86 (32bit) and amd64 (64bit). To create only a x86 shellcode, the command is as shown below.

The “-b” option is used to set the shellcode’s behavior when faced with AMSI/WLDP. Anti Malware Scan Interface and Windows Lock Down Policy are security features. These both features help in defending against malware.

By default, Donut sets the shellcode to bypass AMSI/WLDP. By setting the “-b” option to “2” as shown in the above image, it can be set to ABORT once it encounters AMSI/WLDP. Setting “1 ” will do nothing.
Entropy in general terms means the degree of randomness. It is used in malware to make detection of its code harder by Anti malware. This is called obfuscation. The more the entropy the least chances of detection of malware. Donut by default sets random names and al- so encrypts the shellcode to obfuscate the code from anti malware. It can be changed using the “-e” option. Setting it to “2” just sets random names to the payload and setting it to “1” does nothing.

Not just binaries, we can create different output formats with Donut although by default it creates a binary payload. The “-f” option is used to set different output formats. For example, set -ting “-f” option to “2” gives a base64 format. 3 creates C, 4 creates Ruby, 5 creates Python, 6 creates Powershell, 7 creates C# and 8 creates Hexadecimal shellcodes respectively.

The “-z” option is used to setting packing and compressing engines. Donut doesn’t use any compression by default. However it supports four compression engines. 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Only the aPlib compressor works in Linux. Rest of them work in windows. Compression reduces the size of the payload whereas packing is used to avoid detection by anti malware.

We have seen that by default, Donut saves the payloads it creates in the same directory. The location as to where the payload is saved can be changed with the “-o” option.

That’s all about the Donut shellcode generator, readers. We will learn more about this tool and how it is used in real world ethical hacking.

Want to learn Advanced Ethical Hacking? Try out our Monthly Magazine FREE

Posted on Leave a comment

Install Parrot OS in Virtualbox

This post shows how to install Parrot OS in Virtualbox. Kali Linux may be the most popular penetration testing distro but if there is any other operating system that can give Kali competition, that would be Parrot Security OS. It also has regular updates just like Kali Linux.

Parrot Security also sports many more tools than Kali Linux which includes software for cryptography, cloud, anonymity, digital forensics and of course programming. One of our readers has requested us to make a guide on how to install Parrot Security OS in Virtualbox.

Recently the latest version of Parrot Security OS (4.9.1) has been release. In this version, they made many changes like upgrading to new linux kernel (5.5), updates to many tools and removal of some redundant launchers.

Just like Kali Linux, the makers of Parrot Security OS are also releasing a OVA format of its OS for virtual machines. This makes installation all the simple without the clutter of virtual box guest additions not working or other related problems. Download the OVA file of Parrot Security OS.

We will install Parrot OS in the recent version of Virtual box. Once the download is successfully finished, open Virtualbox and go to the “File” Menu.

Select the option “Import Appliance”. Alternatively, the import option can also be accessed using command “CTRL+I”. The window opens as shown below.

Load the OVA file as shown in the above image and click on “Next”. The “Appliance settings” menu opens. Make changes as necessary or as you like. Here we have changed the name of the virtual machine and is allocated RAM. After the changes are done, click on “Import”.

In the Popup that comes next, Click on “Agree”.

The importing process starts as shown below. Let it go on without interruption.

After the importing process is done, you will see the virtual machine we just created in the list of virtual machines as shown below.

Start the virtual machine. The virtual machine boots as shown below.

After booting, the login screen opens as shown below. The default credentials are user : toor.

This is how we install Parrot OS in Virtualbox. See how to install Parrot OS in Vmware.

Posted on Leave a comment

Installing MATE Desktop in Kali Linux 2020

Hello readers. Today our readers will learn about installing mate desktop in Kali Linux. You all know the first release of Kali Linux this year, Kali Linux 2020.1 has been released in the month of January. The latest version brought many changes like not giving root user by default and some new tools. The most distinct change it brought is a single installer image for installation. Earlier we had different installation images for different desktop environments which include GNOME, KDE etc.
With 2020.1 release, there will be a single installation image for all these and users would have to select the desktop environment he/she needs while installing. The information about different desktop environments and their pros and cons can be seen here.

Today we will see a tutorial on how to install MATE Desktop environment in Kali Linux 2020.1. MATE Desktop although looks old fashioned is light and has a simple interface. Here’s how to install MATE desktop environment in Kali Linux 2020.1. We have performed this tutorial from a X11 terminal but all these commands can be run from any other desktop environment’s terminal. Power on the Kali 2020.1 virtual machine and login (since there is no root user you should login as a user you created or the default user:password i.e kali:kali).

Open a terminal and using nano open the file /etc/apt/sources.list. with sudo

Add these two lines of code to the file and save it.
deb http://kali.download/kali kali-rolling main non-free contrib
deb-src http://kali.download/kali kali-rolling main non-free contrib

To save the file hit CTRl+X and when it prompts select “Yes”.Run command sudo apt-get update

Now everything is ready to install MATE desktop. Run the command given below.
sudo apt-get install mate-core mate-desktop-environment-extra mate-desktop-environment-extras

When the system prompts you for permission to install MATE and its related software, type “Y”.

The installation will take some time to finish. After the installation is finished, restart the syste m (the command is sudo reboot or reboot if you are doing it from terminal). Once the system reboots and takes you to the login screen, before logging in click on the “settings” icon beside the “Signin” button. There you will see all the desktop environments present on the system right now. Select MATE and then login.

Installing MATE desktop has been successfully finished with this.

Posted on Leave a comment

Hacking ProFTPd on port 2121 and hacking the services on port 1524

In our previous article, we have seen how to exploit the rexec and remotelogin services running on ports 512 and 513 of our target Metasploitable 2 system. In this article, we will be hacking proftpd on port 2121 and the service running on port 1524 which are next in the Nmap scan report as shown below. On running a verbose scan, we can see that the service running on port 1524 is Metasploitable Root shell.

What is this Root shell? In our Metasploitable Tutorials, we have seen a number of ways to gain a shell or meterpreter session on the target system. But those shells were obtained by hacking some software present on the system. This shell is deliberately left on the system. But why would someone leave a shell deliberately on a system?
In cyber security, there is a concept called trapdoors or backdoors. As soon as hackers gain access to a system by hacking something on it, they plant an easy and quick method to once again come back into the system. This is known as trapdoor or backdoor.

The shell on port 1524 is a shell like that. Usually to prevent other hackers from gaining access to the system through their backdoor they use protection like passwords etc. Here it seems the hacker forgot to secure it. Normally backdoors like these are enabled on some common ports which evoke less suspicion from cyber security personnel. But how do we gain access to this shell? Although there are a number of ways to do this, the easiest way is telnet.
Open telnet and telnet to the port 1524 as shown below. As you can see highlighted below, we got a shell with Root access without doing much.

Try out some linux commands to verify we got a shell with some interaction.

As you can see in the above image, we have shell with ROOT privileges. We can even change the target system’s password now. Now let’s move on to hacking ProFTPd.
Verbose scan has reported that a FTP server named ProFTPd server version 1.3.1 is running on port 2121. I googled for any vulnerabilities present in the particular version but got none. If you remember, we already hacked one FTP server running on port 21.
I used banner grabbing method of telnet (we showed you in detail about this method in of our Hackercool magazine) to see if the service will reveal any more information about itself. It gave nothing except the usual one.

The usual banner grabbing was not working. But maybe we don’t require a banner.We already have it. So this time, I just tried to connect to the service using telnet (although you can also use FTP for this). When “Escape character is ‘^]’ ” message is displayed, I type command “help”. As expected, it gives me all the commands that can be used. So it seems we already have access to the target server.

To confirm this, I tried one command. It prompted me for username and password. But thanks to an excellent phase of enumeration we performed, we already have the username and password. I decided to try the username/password msfadmin/msfadmin. Voila, it worked and we have access to the system now. Typing PWD command gives me the confirmation that I am inside the system. That’s all with hacking ProFTPd.

Posted on 1 Comment

Hacking Rlogin and Rexec Services

In this post, we will be hacking rlogin (remote login) , rexec and remote shell services running on ports 512, 513 and 514 of Metasploitable 2 respectively. Performing a verbose scan on the target gives me the result as shown in the image below.

Before we exploit these services, let me explain as to what these services are. Remote execution service popularly called Rexec is a service which allows users to execute non-interactive commands on another remote system. This remote system should be running a remote exec daemon or server (rexecd) as in the case of our Metasploitable 2 target here. By default, this service requires a valid user name and password for the target system.(For your information, we already have the credentials which we acquired during enumeration).
Rlogin or Remote Login service is a remote access service which allows an authorized user to login to UNIX machines (hosts). This service allows the logged user to operate the remote machine as if he is logged into the physical machine. This service is similar to other remote services like telnet and SSH. This service by default runs on port 513.
Rsh or Remote shell is a remote access service that allows users a shell on the target system. Authentication is not required for this service. By default it runs on port 514.

Although Rsh doesn’t require a password, it requires the username belonging to the remote system. As discussed above, we already have the credentials. In case we don’t have the credentials, we have to crack the passwords as explained in one of our previous posts.
Rsh daemon can be installed in the Kali Linux machine using the command apt-get install rsh-server. Once the installation is over, the below command can be used to get a shell on the target machine. I have tried this with the username root. As you can see, we successfully got a shell on the target system.

The next service we will target is Remote Login running on port 514. The command to get remote login is given in the image below.

As you can see, we once again got a shell on the target system. Using Rexec is also almost similar to the methods shown above. That was about hacking rlogin, rexec and remote shell services. Learn how to hack ProFtpd service.

Posted on Leave a comment

Install ClearOS in Vmware

ClearOS is an UTM. For those beginners, who do not know what an UTM is, it is an Unified Threat Management software. Still no idea. It is a software with all security features bundled into one. It is based on CentOS and Red Hat and is used by many enterprises as a gateway. Its features include Stateful firewall (iptables), Intrusion detection and prevention system, virtual private networking, Web proxy with content filtering and antivirus, E-mail services, Database and web server, File and print services, Flexshares and MultiWAN. In this article, we will show you how to install clearOS in vmware.
As a penetration tester, it is very important to study about UTMs. So this installation guide. Download the open source version of ClearOS UTM from here. That would be community version. Once the iso file has finished downloading, Open Vmware Workstation (Version 12 used for this article). Hit “CTRL+N”. The below window should open.

Make sure the “Typical” option is selected, and click on “Next”. That takes us to the next window. Click on “Browse” and browse to location of the iso file we just downloaded and select it.

Now the window should look like the one shown above. Click on “Next”. The Guest operating system should be automatically selected for you, if not select Linux as OS and version as Centos. Click on “Next”. Even if you leave the default options, the installation continues.

Give a name to the virtual machine. Choose the name of virtual machine and its location as you like. I named it ClearOS. Click on “Next”.

Allocate the hard disk memory for your virtual machine. Keep the minimum as 15GB. Click on Finish.

It will show you a summary of all the selections you made. If you want to make any changes, click on Customize hardware or else click on “Finish”.

The virtual machine is created with the name you gave it. Before powering on the virtual machine, we need to add another network adapter to the virtual machine. Any gateway needs two network adapters. For reasons that will be explained later, I am adding two host only network adapters. Go to the settings of the virtual machine as shown below and click on “add” button as shown below.

You can see that the default network adapter assigned is NAT. On the right side, we can change it to Host-Only network as shown below. Vmware automatically creates one Host-only network adapter by default. We need to create the second Host-Only adapter manually Vmware Virtual Network Adapter.
To add another adapter, click on “add” button as shown below.

A new sub-window will open showing you all the types of hardware which can be added. Click on the “network adapter” as we want to add a network adapter. Click on “Next”.

In the next window,select “custom” as your type of network adapter and in the dropdown box you will find our newly created Host-only Network. For me it is Vmnet3.

As you can see below, our ClearOS virtual machine now has two network adapters. Click on OK to close the settings window.

Now Power ON the machine. After a small delay, the virtual machine will Power ON.The machine will power ON and take you to the screen as shown below. Use the option “Install ClearOS ……” using arrow keys on your keyboard. Hit on Enter. Even if you don’t hit Enter, the option you highlighted will be automatically selected after some time.

The system will prompt you to hit Enter to start the installation process. Press the “Enter” key.

Select the language in which you want to run the installation process and click on “Continue”.

Next, we will be shown the Installation summary. We can change any settings of the virtual machine from here. Let’s change the Network settings from here. Click on the highlighted area.

The “Network and Hostname” window will open. By default, both the adapters will be turned OFF. We need turn it ON by toggling the switch as shown in the image below.

In ON position, it will look like below. Do this for both the adapters. Once turned ON, click on “Done” to the top left.

This will take us back to the Installation Summary page as shown below. Configure other settings if you want.

Once all the settings are configured, click on “Begin Installation”. This will start the installation process. Don’t worry if you forgot any configuration. The system will prompt you if it needs anything to be set as shown below. In this case, I forgot to set the ROOT password.

So I click on that message and set a Root password as shown below. Once the password is set, click on “Done”.

Now it shows the message “Root password is set” as shown below.

The installation process will continue and once it is finished, you will be prompted to reboot the system. Reboot the system. It will ask for credentials. Enter them and you will be greeted with a screen as shown below.

That’s it. You have successfully installed ClearOS in Vmware. Now launch into the Graphics mode console by choosing the highlighted option. You will see something like below. You will be shown the IP address of the virtual machine we just created and also how to access it from a remote machine. That’s all for now.

This is how we install ClearOS in Vmware.

Posted on Leave a comment

Installing ClearOS UTM in Vmware

Hello aspiring hackers. In this howto, we will learn about installing ClearOS UTM in Vmware. For those beginners who do not know what an UTM is, it is an Unified Threat Management software. Still no idea. It is a software with all security features bundled into one. It is based on CentOS and Red Hat and is used by many enterprises as a gateway. Its features include Stateful firewall (iptables), Intrusion detection and prevention system, Virtual private networking, Web proxy with content filtering and antivirus, E-mail services, Database and web server, File and print services, Flexshares and MultiWAN.

As a penetration tester, it is very important to study about UTMs. So Let us start with this installation guide for ClearOS. Download the open source version of ClearOS UTM from here. That would be community version. Once the iso file has finished downloading, Open Vmware Workstation (Version 12 used for this article). Hit “CTRL+N”. The below window should open.

Make sure the “Typical” option is selected and click on “Next”. That takes us to the next window. Click on “Browse” and browse to location of the iso file we just downloaded and select it.

Now the window should look like the one shown above. Click on “Next”. The Guest operating system should be automatically selected for you, if not select Linux as OS and version as Centos. Click on “Next”. Even if you leave the default options, the installation continues.

Give a name to the virtual machine. Choose the name of virtual machine and its location as you like. I named it ClearOS. Click on “Next”.

Allocate the hard disk memory for your virtual machine. Keep the minimum as 15GB. Click on Finish.

It will show you a summary of all the selections you made. If you want to make any changes, click on Customize hardware or else click on “Finish”.

The virtual machine is created with the name you gave it. Before powering on the virtual machine, we need to add another network adapter to the virtual machine. Any gateway needs two network adapters. For reasons that will be explained later, I am adding two host only network adapters. Go to the settings of the virtual machine as shown below and click on “add” button as shown below.

You can see that the default network adapter assigned is NAT. On the right side, we can change it to Host-Only network as shown below. Vmware automatically creates one Host-only network adapter by default. We need to create the second Host-Only adapter manually Vmware Virtual Network Adapter. To add another adapter, click on “add” button as shown below.

 

A new sub-window will open showing you all the types of hardware which can be added. Click on the “network adapter” as we want to add a network adapter. Click on “Next”.

In the next window,select “custom” as your type of network adapter and in the dropdown box you will find our newly created Host-only Network. For me it is Vmnet3. Select that and click on “Finish”.

As you can see below, our ClearOS virtual machine now has two network adapters. Click on OK to close the settings window.

Now Power ON the machine. After a small delay, the virtual machine will Power ON.The machine will power ON and take you to the screen as shown below. Use the option “Install ClearOS ……” using arrow keys on your keyboard. Hit on Enter. Even if you don’t hit Enter, the option you highlighted will be automatically selected after some time.

The system will prompt you to hit Enter to start the installation process. Press the “Enter” key.

Select the language in which you want to run the installation process and click on “Continue”.

Next, we will be shown the Installation summary. We can change any settings of the virtual machine from here. Let’s change the Network settings from here. Click on the highlighted area.

The “Network and Hostname” window will open. By default, both the adapters will be turned OFF. We need turn it ON by toggling the switch as shown in the image below.

In ON position, it will look like below. Do this for both the adapters. Once turned ON, click on “Done” to the top left.

This will take us back to the Installation Summary page as shown below. Configure other settings if you want.

Once all the settings are configured, click on “Begin Installation”. This will start the installation process. Don’t worry if you forgot any configuration. The system will prompt you if it needs anything to be set as shown below. In this case, I forgot to set the ROOT password.

So I click on that message and set a Root password as shown below. Once the password is set, click on “Done”.

Now it shows the message “Root password is set” as shown below.

The installation process will continue and once it is finished, you will be prompted to reboot the system. Reboot the system. It will ask for credentials. Enter them and you will be greeted with a screen as shown below.

That’s it. You have successfully installed ClearOS in Vmware. Now launch into the Graphics mode console by choosing the highlighted option. You will see something like below. You will be shown the IP address of the virtual machine we just created and also how to access it from a remote machine. That’s all for now.

Posted on Leave a comment

Fix apt get update signature error in Kali Linux

If you are a regular user of Kali Linux or for that matter any Ubuntu or Debian machine, you should be knowing what apt get update is. It is a simple way of updating the packages of Linux systems. Frequently many users of Kali Linux faced the problem as shown in the image given below while running the update command. This is called Kali Linux apt get update signature error. Today we will see how to fix apt get update signature error in Kali Linux.

Today we will see how to fix this problem. As underlined in the given image, the error occurs when verifying the signatures. What signatures is the error referring to? Just like any software nowadays, the Debian packages are supplied with a digital signature to preserve their integrity. Before downloading the packages, these signatures are verified. If these don’t match, we get an error as shown below.

To solve this problem, we need to get the new signature. This can be done using the command

wget -q -0 – archive.kali.org/archive-key.asc | apt-key add

as shown in the image shown below.

Once this is done, apt-get update command should work fine as shown below.This is how to fix apt get update error in Kali Linux. See how to fix msfupdate error while updating Metasploit.

Posted on Leave a comment

Analysis of portable executable files with PEFRAME

These days hackers are using numerous ways to get into our systems. One of them is by sending a malicious portable executable file to us or make us download the malicious executable file and execute it on our system. We have seen one such Real World Hacking Scenario in the issue of Hackercool February 2017. In this scenario we have not only seen how hackers can make malicious executable files but also how they bypass antivirus and convince the innocent users to click on those malicious files. In this howto, we will learn how to perform analysis of portable executable files.

Analysis helps us to determine what the file was intended to do once clicked. There are two types of analysis: static analysis and dynamic analysis. In static analysis the sample is analyzed without executing it whereas in dynamic analysis the sample is executed in a controlled environment. Static analysis is performed on the source code of the sample portable executable. There are various tools which help us in static analysis of portable executables. One such tool is PEframe. PEframe reveals information about suspicious files like packers, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions and much more. PEframe is open source and can be installed in Kali Linux as shown below.

Open a terminal and type the command as shown below to clone PEFrame from Github.

After PEFrame is cloned successfully, a new directory is formed with name peframe. You are automatically taken into this directory. This tool requires simplejson (a subset of JavaScript). So install it using pip command. Next, we need to run the setup.py file from the directory. Since it is a python file, we need to run the command “python setup.py” install to install PEframe.

Once the installation is finished, type command “peframe -h” to see its simple usage

Before we analyze the portable executables, let us analyze some files we created for tutorials of our magazine. The first one is msf.pdf we created using Metasploit.

As you can see in the above image, we found not only an IP address but also an url hosting some executable file. It can be assumed that as we open this pdf file, another executable will be downloaded from the IP address and executed in our system. Let us now analyze a hta file created with Metasploit next. This file is analyzed as a HTML document with IP address and it has a library called kernel32.dll. This file probably opens a payload when clicked upon. Given below is another similar file in visual basic format.

Given below is a macro file. You can see all these files have an IP address where probably a listener is running.

Now let us analyze a portable executable file. Kali Linux has some exe files already stored in its windows-binaries folder. We will analyze the plink.exe file.

Plink.exe is a command line utility file similar to UNIX ssh. It is mostly used for automated operations. As you can see in the image given above, the program is giving more detailed information to us than the other files. The plink.exe has four sections and none of them appears to be suspicious. But the file has a packer, mutex and antidbg. The packer it used is Microsoft Visual C++ which is normally used for genuine programs.

Given above is its Antidbg and Mutex information. The dynamic link libraries it imports is also given. Given below are the apis (application programming interfaces) used by the file.

The filenames found in the portable executable are given in the image below. As you can see it has a big list of filenames.

Metadata is data about the data. Metadata reveals a lot of information about a file. Given below is the metadata of our portable executable. We can see that it is a part of Putty Suite.

Even the description of the file is given. Normally malware does not contain so much information about itself like this Plink file. Only genuine files contain so much information because they have no use to hide themselves. Now let us analyze another file. This file is also present in Kali Linux and it is a keylogger. It is klogger.exe present in the same windows-binaries folder.

As you can see in the above image, the file which has five sections has two suspicious sections and the packer it uses is ASPack v2.11. Let us have a look at its suspicious sections once.

Given below in the image are its api alerts and filenames. As you have observed, this file reveals very less information than the previous analyzed file. This in itself does not mean that the file is malicious but it gives a general idea about it. That’s all about Forensics using static analyzer PEFrame. We will be back with a new tool in our next howto.