Posted on

Hackers guide to shellcode

Hello, aspiring ethical hackers. In our previous article, you learnt everything about a payload. In this article, you will learn what is shellcode.

What is Shellcode?

In hacking, Shellcode is a small piece of code that is used as a payload during exploitation of a vulnerability. Differentiating it form a payload, shellcode is commonly written in machine or assembly language. It is known as shell code because it commonly starts a command shell on the target machine.

Let’s see what is shellcode. For this we are using Kali Linux but you can use any operating system that can run C programs and the related compilers. Kali Linux already has GCC compiler installed by default. Here, I write a simple C program for printing out “Hello world”.

Shellcode 1

Then I compile this C program using gcc as shown below and check its result.

Shellcode 2
Shellcode 3

The program works fine. GCC compiler also allows us to view the program in assembly code format with the “-S” option.

Shellcode 4

Running this command creates a new file with same name but with “.s” extension (test.s in our case). Opening that file with any text editor reveals the shellcode of that particular program as shown below.

Shellcode 5
Shellcode 6
Shellcode 7

Types of Shell code

There are different types of shell codes in hacking. They are,

1. Remote shellcode:

Remote shell code is used by hackers while targeting a remote machine. This is usually done by exploiting a vulnerable software on the target machine to get a shell back.

2. Local shell code:

This type of shell code is used on the local system on which the hacker already has access to. It is usually used when the hacker has limited privileges on the target system but can exploit a vulnerability in a software to elevate privileges.

3. Download and execute shell code:

This type of shell code, instead of spawning a shell, downloads another payload and executes it on the target system.

4. Staged shell code:

This type of shell code is used when the amount of data that can be injected into process or a software is limited. This shell code downloads additional shellcode and executes it on the target software or system.

Posted on

How to create a virus

Hello, aspiring ethical hackers. In our previous blogpost of Computer virus, you have learnt what is a virus, its functions and about different types of viruses. In this article, you will learn how to create a Virus manually.

However, note that it is only for educational and knowledge purposes and not for performing any malicious purpose. The aim of this article is to give you a basic understanding on how to create a virus. Let’s begin.

Creation of a computer virus consists of six steps. They are,

  1. Decide the function you want your virus to perform.
  2. Select a programming language in which you want to code your virus.
  3. Code the virus.
  4. Compiling the virus.
  5. Testing.
  6. Sharing the Virus.

Let’s learn about each step in detail.

1. Function of a virus:

Before you even start coding a virus, you need to decide what exactly you want your virus to do. In real-world, computer viruses perform many functions that include downloading and installing additional viruses, wiping data from the infected system and even taking complete control of the system. For example, I decide that my virus should open a Firefox browser when executed.

2. Choose your language:

After deciding the function of your virus, next thing you have to do is choose a programming language to code this virus. Computer viruses can be written in many programming languages like C, Deslphi, Visual Basic, C#, C++, Cobol, Ruby, Python etc. They can also be created using scripting languages like JavaScript, Batch script, Bash, PowerShell etc. Choose the programming or scripting language of your choice. For example, I want to write my virus in Batch scripting.

3. Write code:

Once you select the programming language or scripting language, you need to code the virus. To code a batch script, all I have to do is open a notepad, add the code shown below and save the file as Batch file (with extension .bat)

How To Create A Virus 1
@echo off
start firefox.exe
How To Create A Virus 2
How To Create A Virus 3

4. Compile (if necessary):

Compile the virus. Compiling is a process of converting source code into machine-readable code so that a computer can execute it. Since we have written our code in Batch, it doesn’t need any compilation. But programs written in C,C++, Python need compiling. Compiled programs are usually fast.

5. Test the virus:

Once you have finished coding the virus and compiling it, test its working by executing the virus. I execute the Batch virus I created and it open Firefox browser as shown below.

How To Create A Virus 4

6. Share the virus:

The last step is to share the virus to make your target user execute it. Normally hackers use social engineering or phishing schemes to spread the virus.

Posted on

Beginners guide to ARP poisoning

Hello aspiring ethical hackers. In our previous article on Data Link layer attacks, you have learnt what is a LAN, what is a Network Hub and network Switch and their uses, what is a MAC address, what is a CAM table and various types of attacks that take place in LAN. In this article, you will learn about one of the attacks taking place on the LAN known as ARP poisoning.

ARP Poisoning 1 1024x555

What is ARP Poisoning?

ARP poisoning or ARP spoofing or ARP cache poisoning is an hacking attack in which malicious ARP reply packets are sent to the default gateway. This packets are sent to change the MAC address value corresponding to a specific IP address.

ARP Poisoning 2 1024x553

ARP protocol translates IP addresses to MAC addresses. ARP spoofing is usually performed by sending a malicious ARP reply to the network gateway, asking it to associate its MAC address with the IP address of the machine the hacker wants to target. Once the default gateway saves this message and broadcasts it to all the machines on the network, all the traffic of the target system passes through the attacker controlled machine.

ARP Poisoning 3 1024x584

This allows hacker to perform packet sniffing, password sniffing and other MiTM attacks after successful ARP spoofing attack. ARP poisoning attack is performed after the hacker has finished gaining access on the target network. This attack is very difficult to detect as the common users will not find anything suspicious while the attack is going on.

Real-world examples of ARP spoofing

In 2008, a Chinese hacker performed ARP spoofing attack and redirected the website of none other than Metasploit to a Chinese forum where he kept on sale an exploit for a zero-day vulnerability. It is assumed he did this by targeting a router at the Internet Service Provider (ISP) level.

Posted on

Beginners guide to Payload generators

Hello, aspiring ethical hackers. In our previous blogpost, you have learnt about types of Metasploit payloads, what is a payload etc. In this blogpost you will learn what is a payload generator and popular payload generators.

What is a payload?

A payload in cyber security is a piece of code that is executed after successfully running an exploit to take advantage of a vulnerability. When a Proof Of Concept (POC) for a vulnerability is disclosed, this allows most hackers around the world to execute their chosen payloads. This payload can be anything from malware, reverse shell, RAT, ransomware etc or their own custom payload.

For example, ms08_067 vulnerability was exploited in real-world to deploy Conficker worm payload, but while pen testing with Metasploit, meterpreter is used as payload. Although payloads can be created manually, it would be very simple to make payloads with payload generators.

What is a payload generator?

Any software or application that helps us to automatically create a payload to be used in a pen test is known as a payload generator. Payloads can be a simple one liner or multiple lines of complex code. Whatever it is, it is payload generator makes our work very simple. Let’s learn about some of the popular payload generators.

1. MSF venom:

MSF venom is a payload generator fromMetasploitframework that can be pretty useful in generating payloads forwindows hacking,Linux hacking, web applicationhackingand even mobile hacking. MSF venom is a replacement to MSF payload earlier. Learn more about msfvenom.

Msfvenom 1

2. Veil-Framework:

Veil-Framework is a tool that can generateMetasploit payloadsthat bypass common anti-virus solutions. Veil-framework is officially supported by Debian 8 and Kali Linux rolling 2018+. It may also be run on Arch Linux, Manjaro Linux, Black Arch Linux, Deepin 15+, Elementary, Fedora 22+, Linux Mint, Parrot Security, Ubuntu 15.10+ and Void Linux. Learn more about Veil Framework.

Veil Framework 6

3. Msfpc:

MSFvenom Payload Creator (MSFPC) is a wrapper that can generate multiple types of payloads, based on users choice. The idea is to be assimple as possible(only requiring one input) to produce their payload.

4. WinPayloads:

This tool can generate undetectable Windows payloads.

5. Arcanus Framework:

ARCANUS is a customized payload generator/handler for penetration testing that can generate both Linux and Windows payloads. Learn more about Arcanus Framework.

Arcanus4

6. Hercule’s Framework:

HERCULES is a customizable payload generator to generate Windows and Linux payloads that bypass antivirus software.

2hercules3

Posted on

Metasploit Framework: Beginners guide

Hello, aspiring ethical hackers. In our previous blogpost, you learnt in detail about Pen testing. In this blogpost you will learn about the perhaps the most popular penetration testing software suite, Metasploit Framework. Metasploit Framework (MSF) is free, open-source pen-testing suite that is used to execute exploits and develop code against a remote target machine. Although it sis made for penetration testers, it is also used by Black Hat Hackers around the world.

History

Metasploit was originally written by H.D.Moore, an American network security expert, open-source programmer and hacker. He has been the chief Architect of Metasploit Framework until his departure from Rapid7 company in 2016. Originally written in Perl, Metasploit was rewritten in Ruby programming language by 2007. In 2009, it was acquired by Rapid7. Metasploit is available for Windows, Mac and Linux. Metasploit is so widely used that it is included in every ethical hacker os like Kali and Parrot Security.

Structure of Metasploit

Metasploit Framework is the name given to the free version of Metasploit. The role of Metasploit in penetration testing comes after the stage of port scanning and vulnerability scanning (Information from tools such as NMap, Nessus and OpenVAS etc can even be imported into Metasploit). Metasploit is built with a modular approach. For beginners, Metasploit can be complex and a bit difficult to understand. Let’s learn in detail how to run Metasploit.

Let’s start with Metasploit modules. The most important modules of Metasploit are Exploit, Payloads, POST, Auxiliary, Evasion and Encoder modules. Let’s learn about each one of them now.

1. Auxiliary modules:

Auxiliary modules in Metasploit perform simple functions like scanning, enumeration, gathering information, logging in into services etc. They have single function. At the time of writing this article, there are over 1267 auxiliary modules in Metasploit.

2. Exploit modules:

Exploit modules are exploit codes written in Ruby. They exploit the vulnerabilities to execute arbitrary code on the target system. At the time of writing this article, there are over 2461 exploit modules in Metasploit.

3. Payload modules:

The arbitrary code that is executed by the exploit modules of Metasploit is known as payload. At the time of writing this article, there are over 1468 payload modules in Metasploit.

4. Encoder modules:

As the name of the module suggests, Encoder modules of Metasploit take raw bytes of a payload as input and run some sort of a encoding algorithm like XOR, Bitwise XOR on the payload code. At the time of writing this article, there are over 49 encoder modules in Metasploit.

5. Evasion modules:

Evasion modules are used to generate payloads that evade Antivirus. At the time of writing this article, there are over 9 evasion modules in Metasploit.

6. POST modules:

POST modules are those modules of Metasploit that are useful during POST exploitation phase of the pen test. At the time of writing this article, there are 431 POST modules in Metasploit.

How to use Metasploit Framework?

Let’s see how to use Metasploit for beginners. We will be using Metasploit in Kali Linux as it is already installed. To start Metasploit, open a terminal and type command shown below.

msfconsole
Metasploit Framework 1
Metasploit Framework 2

To see all the auxiliary modules of Metasploit, use the command shown below.

show auxiliary
Metasploit Framework 3

Similarly all the exploits in Metasploit can be seen using the command shown below,

show exploits
Metasploit Framework 0

To view all the payloads in Metasploit, you can use the “show payloads” command.

show payloads
Metasploit Framework 4

The same commands can be used to view all the encoder, evasion and POST modules of Metasploit respectively.

Metasploit Framework 5
Metasploit Framework 6
Metasploit Framework 7

Now, let’s come to the realistic use of Metasploit. As I already told you at the beginning of this blogpost that the use of Metasploit comes after the stage of footprinting and scanning. As part of vulnerability scanning, we happen to find that one of the devices in the target network is vulnerable to Bluekeep vulnerability.

Now, let’s see how to exploit this vulnerability with Metasploit. The first to do after starting Metasploit is to use the search function of Metasploit to search for the exploit we need. For example, “bluekeep” as shown below.

Metasploit Framework 8

Metasploit has a very versatile search function. You can also search using the CVE ID of vulnerability as shown below.

Metasploit Framework 9

No matter how you search, Metasploit will show all the modules related to particular vulnerability you searched for. Since, I already know the target machine is vulnerable to Bluekeep vulnerability, I select the exploit module for this vulnerability. To load this module, we can use (literally) and load the module using the entire name of the module or its serial number given at the begining.

Metasploit Framework 11
Metasploit Framework 12

A payload most probably METERPRETER payload is assigned by default as soon as you load the exploit module. If you want to set a different payload other than the default one, you can use “show payloads” command to see all the payloads supported by the selected module. Unlike earlier this will not show all the payloads of Metasploit but only the ones supported by this exploit module.

Metasploit Framework 16
Metasploit Framework 17

To assign a new payload, we use the “set” command in the same way as we used the “USE” command earlier.

Metasploit Framework 18

Then we use the “show options” command to see all the options required for this module to work after selecting the payload. The required options are marked with “yes” in the required column.

Metasploit Framework 13
Metasploit Framework 14
Metasploit Framework 19

This module required the RHOSTS option which is the IP address of the target system. All the required options can be set with the SET command as shown below.

Metasploit Framework 20

After all the required options are set, all we need to do is execute the module using “run” command or “execute” command. You can see Metasploit module in action in our blogpost on exploiting ms08_067 vulnerability.

Learn how to upgrade a normal command shell to meterpreter session.