Category: Hacking Tools

Posted on by 1 Comment

Donut shellcode generator

Donut shellcode generator is a tool that generates shellcode from VBScript, JScript, EXE, DLL files and DOTNET assemblies. Although there are many tools that can do this, Donut does this with position independent code that enables in-memory execution of the compiled assemblies. This compiled shellcode assembly can either be staged from a HTTP server or embedded directly in the file itself. After the compiled shellcode is loaded and executed in memory, the original reference is erased immediately to avoid memory scanners.

The features supported by the Donut generator are

  1. Compression of the generated files with aPLib and LZNT1, Xpress, Xpress Huffman.
  2. Using entropy for generation of strings 128-bit symmetric encryption of files.
  3. Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
  4. Patching command line for EXE files.
  5. Patching exit-related API to avoid termination of host process.
  6. Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal.
  7. What exactly is shellcode? Shellcode is a bit assembly code or machine language. Shellcode plays a very important role in cyber security. Typically shellcode is used in offensive penetration testing. In this article, let us learn about this awesome tool. This tool can be installed in Kali Linux by cloning it from Github as shown below. This will create a new directory named “Donut”
donut1

Navigating into the Donut shellcode generator directory, let’s create the shellcode of mimikatz.exe as shown.

How to use donut shellcode generator

Mimikatz.exe is a simple tool that is used to play with windows security. If you take this executable of Mimikatz into a Windows system, any antivirus or Windows Defender will detect this as malware. Just try it on your machine first before turning it into shellcode. It is found in Kali Linux. Here we copied it into the Donut folder.
When we run above command, shellcode is created as a file named “loader.bin” in the same directory of Donut.

By default, Donut creates shellcode for x86 (32bit) and amd64 (64bit). To create only a x86 shellcode, the command is as shown below.

The “-b” option is used to set the shellcode’s behavior when faced with AMSI/WLDP. Anti Malware Scan Interface and Windows Lock Down Policy are security features. These both features help in defending against malware.

By default, Donut sets the shellcode to bypass AMSI/WLDP. By setting the “-b” option to “2” as shown in the above image, it can be set to ABORT once it encounters AMSI/WLDP. Setting “1 ” will do nothing.
Entropy in general terms means the degree of randomness. It is used in malware to make detection of its code harder by Anti malware. This is called obfuscation. The more the entropy the least chances of detection of malware. Donut by default sets random names and al- so encrypts the shellcode to obfuscate the code from anti malware. It can be changed using the “-e” option. Setting it to “2” just sets random names to the payload and setting it to “1” does nothing.

Not just binaries, we can create different output formats with Donut although by default it creates a binary payload. The “-f” option is used to set different output formats. For example, set -ting “-f” option to “2” gives a base64 format. 3 creates C, 4 creates Ruby, 5 creates Python, 6 creates Powershell, 7 creates C# and 8 creates Hexadecimal shellcodes respectively.

The “-z” option is used to setting packing and compressing engines. Donut doesn’t use any compression by default. However it supports four compression engines. 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Only the aPlib compressor works in Linux. Rest of them work in windows. Compression reduces the size of the payload whereas packing is used to avoid detection by anti malware.

We have seen that by default, Donut saves the payloads it creates in the same directory. The location as to where the payload is saved can be changed with the “-o” option.

That’s all about the Donut shellcode generator, readers. We will learn more about this tool and how it is used in real world ethical hacking.

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.

Posted on by

PEframe : Analysis of portable executable files

Hi Readers today we will see a PEframe Tutorial. These days hackers are using numerous ways to get into our systems. One of them is by sending a malicious portable executable file to us or make us download the malicious executable file and execute it on our system. We have seen one such Real World Hacking Scenario in the issue of Hackercool February 2017. In this scenario we have not only seen how hackers can make malicious executable files but also how they bypass antivirus and convince the innocent users to click on those malicious files. In this howto, we will learn how to perform analysis of portable executable files.

Analysis helps us to determine what the file was intended to do once clicked. There are two types of analysis: static analysis and dynamic analysis. In static analysis the sample is analyzed without executing it whereas in dynamic analysis the sample is executed in a controlled environment. Static analysis is performed on the source code of the sample portable executable. There are various tools which help us in static analysis of portable executables. One such tool is PEframe. PEframe reveals information about suspicious files like packers, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions and much more. PEframe is open source and can be installed in Kali Linux as shown below.

Open a terminal and type the command as shown below to clone PEFrame from Github.

After PEFrame is cloned successfully, a new directory is formed with name peframe. You are automatically taken into this directory. This tool requires simplejson (a subset of JavaScript). So install it using pip command. Next, we need to run the setup.py file from the directory. Since it is a python file, we need to run the command “python setup.py” install to install PEframe.

Once the installation is finished, type command “peframe -h” to see its simple usage

Before we analyze the portable executables, let us analyze some files we created for tutorials of our magazine. The first one is msf.pdf we created using Metasploit.

As you can see in the above image, we found not only an IP address but also an url hosting some executable file. It can be assumed that as we open this pdf file, another executable will be downloaded from the IP address and executed in our system. Let us now analyze a hta file created with Metasploit next. This file is analyzed as a HTML document with IP address and it has a library called kernel32.dll. This file probably opens a payload when clicked upon. Given below is another similar file in visual basic format.

Given below is a macro file. You can see all these files have an IP address where probably a listener is running.

Now let us analyze a portable executable file. Kali Linux has some exe files already stored in its windows-binaries folder. We will analyze the plink.exe file.

Plink.exe is a command line utility file similar to UNIX ssh. It is mostly used for automated operations. As you can see in the image given above, the program is giving more detailed information to us than the other files. The plink.exe has four sections and none of them appears to be suspicious. But the file has a packer, mutex and antidbg. The packer it used is Microsoft Visual C++ which is normally used for genuine programs.

Given above is its Antidbg and Mutex information. The dynamic link libraries it imports is also given. Given below are the apis (application programming interfaces) used by the file.

The filenames found in the portable executable are given in the image below. As you can see it has a big list of filenames.

Metadata is data about the data. Metadata reveals a lot of information about a file. Given below is the metadata of our portable executable. We can see that it is a part of Putty Suite.

Even the description of the file is given. Normally malware does not contain so much information about itself like this Plink file. Only genuine files contain so much information because they have no use to hide themselves. Now let us analyze another file. This file is also present in Kali Linux and it is a keylogger. It is klogger.exe present in the same windows-binaries folder.

As you can see in the above image, the file which has five sections has two suspicious sections and the packer it uses is ASPack v2.11. Let us have a look at its suspicious sections once.

Given below in the image are its api alerts and filenames. As you have observed, this file reveals very less information than the previous analyzed file. This in itself does not mean that the file is malicious but it gives a general idea about it. That’s all about Forensics using static analyzer PEFrame. We will be back with a new tool in our next howto.

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.

Posted on by 2 Comments

How to phish with Weeman HTTP Server

Good morning friends. Today I will go back to the topic which sparked my interest in the starting days of blogging: phishing. Phishing is one of the most popular hacking attacks even today. Earlier we have seen howto’s on phishing and Desktop phishing. Today we will see how to phish with Weeman Http server.

Weeman Http server is a simple server for phishing written in Python. So let us see how to phish with Weeman HTTP server. We will use Kali Linux as our attacker system. Download Weeman HTTP server from Github in Kali.

Go to the directory where the server is installed and check its contents. There should be a python script named weeman.py.

Now start the server by typing command “./weeman.py“. It should look like below.

Check all the options by typing command “help“.

We will use the default settings for this how to. Type command “show“. You can see all the options required for phishing.

Set the url option as the website you want to phish. For this howto, I am using Facebook (sorry Mark). Set the port appropriately( but use 80 ). The action_url option sets the page you want the victim to redirect after entering his credentials. This sis shown below.

Type command “run” to run our server. The server will start as shown below.

Now find out your IP address, obfuscate it, shorten it( this is shown in the video ) and send the link to the victim. When the user clicks on the link, he will get to our phishing page as shown below.

When the user enters his credentials and clicks on Login, he will be redirected to the original website.

While on our attacker system, we can see the credentials of our victim. Happy hacking.

Posted on by

OpenVAS Vulnerability Scanner : Tutorial

Hello aspiring hackers. This article is a tutorial about OpenVAS vulnerability scanner. In one of our previous howto’s, we saw how to install OpenVAS in Kali Linux. Today we will see how to perform a vulnerability assessment with OpenVAS. The target on which I have performed this vulnerability assessment is Metasploitable. Start Kali Linux ( The system on which we have installed OpenVAS,,, obviously). Open a terminal and type the following commands as underlined below.

Then  open a browser and direct the browser to port no 9392 as shown below. You should get the following interface.

We will perform a quick scan. In the blank given, enter the IP address of our target as shown below and click on “Start Scan” as shown below.

openvas vulnerability scanner

The scan will run as shown below. It will take quite a bit of a long time. So I would suggest you go and eat some pani puri and come back.

Once you are back, the scan should be finished and will look as shown below. Click on the link shown below.

You should get a general summary of the scan.

Now let us see the scan report. Go to “Scan Management” tab and click on Reports as shown below. It will show you a list of scans we performed. In our case, there is only one scan.

Now click on the scan as shown below.

This is our entire scan report with all the vulnerabilities existing in our target classified from high to low.

This was about how to perform vulnerability scanning with OpenVAS Vulnerability Scanner.  See how hackers perform vulnerability scanning

Posted on by 2 Comments

WordPress vulnerability assessment with WPscan

Good Evening friends. Hope you’re fine. After focusing on Joomla for some time, with this howto I have decided to focus on another popular CMS, that is WordPress. This howto is a pre-prequel to one of my articles on how to hack WordPress. This howto will have two other sequels and watch out for some easter eggs in this howto. ( Mind my talk about sequels, prequels and easter eggs, but did I tell you I am a big Marvel fan). Ok, ok, ok. Now let’s begin. The tool we will use here is called WPscan. WPScan is a black box WordPress vulnerability scanner that can be used to scan remote WordPress installations to find security issues and also for enumeration. It is by default installed in Kali Linux Sana. Now open a terminal and update our tool by typing command as shown below.

To scan a wordpress website, you have to give the url as shown below. For this howto, I am using a local installation of wordpress as target.  Assign the target as shown below. The scan will start as shown below.

Here are the screenshots of result of this scan. . As you can see we have  13 vulnerabilities in the present installation and the vulnerabilities are given below.

One of the easiest ways to hack a wordpress site is to exploit the plugins installed in the target as most of the wordpress vulnerabilities nowadays exist in the plugins installed on it. So it is very important to enumerate the plugins installed on our wordpress target. We can enumerate the plugins using the “enumerate” option as shown below.

The scan result will be as shown below.( And there you have the first Easter egg). So totally we found four plugins. The first one is Ajax Load More Plugin. As the red exclamation mark shows, it is vulnerable.

wpscan

The second plugin is the vulnerable version of Akismet.

The third vulnerable plugin is the WordPress Slider revolution plugin. We will see more about this in our next howto.

Another important aspect to find vulnerabilities in the wordpress is its theme.  Now let’s enumerate the theme as shown below. The vulnerabilities present in the theme are given below.

After that let’s enumerate the users in our remote target as shown below.

We can see that the only username in our target. That’s WPscan for you. Hope it was helpful to you and wait for the sequels.