Posted on

Linux Configuration Enumeration POST Exploit

Hello aspiring hackers. Today we will learn about Linux Configuration Enumeration POST Exploit. After getting a successful meterpreter session on the target Linux system (as shown  here), the next logical step is to perform some enumeration on the target Linux machine. Metasploit has many POST exploits corresponding to Linux enumeration.

The first module we will see is Linux configuration enumeration. The enum_configs module is used to collect information from the configuration files found of applications commonly installed in the system. These applications may include Apache, Nginx, Snort, MySQL, Samba, Sendmail, sysctl, cups, lampp and SNMP etc. This POST module searches for a config file in the application’s default path and if the application exists on the target system, the module will download the files and store it.

If the application doesn’t exist or the config file is moved from its default location, this module will display the “file not found” message. (Just like any POST exploit or as shown in the shell_to_meterpreter exploit, we need to background the current session and load the POST module as shown above. Then set the session id and run the exploit). Here is the enum configs module in action as shown below.

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.

Posted on 1 Comment

Hack Remote PC with Git Submodule

Hello aspiring hackers. In this howto, we will learn how to hack remote PC with Git Submodule. If you are a developer, cyber security enthusiast or at least a computer user, you should have definitely used (or heard about) Github. Git is an open source version control system developed by none other than the awesome Linus Trovalds (yes the same guy who created Linux).

It is a system designed to keep in touch with constant changes made to the code of software by developers. GitHub is a popular hub where developers store their projects and network with like minded people. Github stores information in a data structure called a repository. The particular module exploits a vulnerability in Git submodule.

Git submodules allow users to attach an external repository inside another repository at a specific path. This vulnerability in the Git submodule can be exploited by an attacker who can change the URL of a sub- module in a repository. This URL in the submodule can be changed to point towards a malicious link.

This module is a local exploit and works on Git versions 2.7.5 and lower. Now let us see how this module works. Start Metasploit and load the exploit as shown below. Type command “show options” to see all the options we need for this module to run.

First, we need to configure the malicious Git server. Set the options : LHOST, git_uri and Iport options as shown below. The git_uri option sets the malicious git submodule. Use command “run” to start our Git server. As the user git clones from our URL, we will get a command session on the target.

Now we need to send this malicious Git url to our intended victims. Probably it should be set as a software to convince the users to clone into their machine. Here we are testing this on KaIi Linux 2016 machine which has the vulnerable version of Git installed. We need to instruct the user to update the submodule just cloned. Let us see what happens on the victim machine.

As this happens in our victim system, we will already get a command shell on our attacker system as shown below.

We can see the active sessions using the command “sessions”.

That is how we hack remote pc with Git Submodule.

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.

Posted on 2 Comments

HTA web server exploit for hacking Windows

Hello aspiring hackers. There’s been a loooong (forgive the grammatical error) gap  in updating the blog. Well, blame it on 70% hectic schedule and 30% procrastination. But today we will learn how to use HTA web server exploit for hacking windows.

First things first. What is HTA web server? HTA stands for HTML application. So this server hosts a HTA file, which when opened will execute a payload via powershell. Ofcourse, the browser warns the user before executing the payload.

Now let’s see how this works. We will use this exploit to hack Windows 10. Start Metasploit and load the module as shown below.

Set the reverse meterpreter payload as it is a local exploit.

Type command “show options” to see the options we need to set for this exploit. Set the required options and type command “run” to start the exploit.

Image explaining about usage of hta web server exploit

As you can see, it has generated an url. We need to make the victim click on this particular url for our exploit to work. We have already seen in our previous howto’s, how to make that happen. When the victim clicks on the url we sent him as shown below

the browser prompts a warning about the payload as shown below.

When the user ignores the user and clicks on “run”,  a meterpreter session is opened as shown below.

This session can be viewed and opened as shown below. 

That’s all in HTA web server exploit. Learn how to hack windows with Hercules.

Posted on

Arcanus Framework : Hacking Linux OS Part 1

Hello aspiring hackers, till now we have only seen hacking windows operating systems with customized payload generators. Today we will see hacking Linux OS with Arcanus framework.

Although not as great as Windows, people using Linux OS are growing day by day. In my opinion, Linux OS is a bit easy to hack with payload generators as there is a general myth that Linux is immune to malware. Some of my friends use Linux as dual boot to keep themselves safe from virus.

Ok, now let us see how to hack Linux OS with Arcanus Framework. Start and select the option 3 since we are generating a Linux payload. If you are new to Arcanus Framework, go here.

Hit Enter. Enter your IP address (Kali Linux in this case) and the listening port as shown below.

Hit Enter. It will generate the payload in the same directory start to automatically listen for a reverse shell as shown below.

Send the generated payload to our victim. When he runs it, we should get a shell on his system as shown below.

Image explaining about usage of Arcanus framework
Posted on

Windows hacking with Hercules Framework : Part1

Good afternoon friends. Recently our have learnt about windows hacking with Arcanus framework. Today we will learn about another payload generator that helps us in bypassing antivirus ( till date) during pentest of Windows machines. That is Hercules framework.

Let’s start by cloning Hercules framework from github as shown below.

After cloning, a new directory with name HERCULES will be created. Move into that directory and do a “ls”. We should see a file named “Setup”. First change the permissions of this file using chmod as shown below. Once we get execute permissions on the Setup file, execute the file using command “./Setup“.

The setup automatically installs Hercules as shown below and

successfully ends as shown below. You have successfully installed Hercules framework in Kali Linux.

Type command “HERCULES” to start the framework. It’s interface looks like below. In this part, let’s generate a payload. Enter option “1”.

Image explaining about the usage of Hercules Framework for Windows exploitation

Select what type of payload you want to create. There are four payloads as shown below. I am choosing the first one. You can choose appropriately.

After we select the type of payload we want to create, we need to enter some options. Let us see the options it provides. LHOST and LPORT are self explanatory.  Choosing Persistence function adds our running binary to Windows startup registry so that we can have persistent access to the target.  Since we have already know how to create a persistent backdoor we will not enable it here.

Migration function triggers a loop that tries to migrate to a remote process. UPX ( Ultimate Packer for executables ) is an open source executable packer. To those newbies who have no idea what packers are, they are used to compress the executables. Software vendors also use them to obfuscate the code. We will see more about packers in our future howtos.

Concerning this howto, remember that enabling migration, persistence and UPX functions may increase the chances of your payload being detected by Antivirus.

Here I have only enabled the UPX function so the packing process begins as shown below.

Once the packing process is over, your final binary file is stored with the name you have given to it. I named it as “res”.

Next start the listener on Metasploit as shown below and send the  binary file to our target. Once he clicks on our executable file, we will get the meterpreter session as shown below.

In our part2 of this howto, we will see how to bind our payload to other executables.