• My Book

    Mastering Metasploit Book By Nipun Jaswal

  • My Course

    WAPT Course By Nipun Jaswal

  • My Exploits

    MSF Modules

  • My Projects

    Wireless Forensics Framework

  • Monday, 27 October 2014

    Hey folks,
    i have been thinking for so long to start a noob friendly series on exploit writing but never got that much time. Anyways, let's talk about exploit writing-

    So, what is an exploit?
    an exploit is a piece of code that takes the advantage of a vulnerable system.

    However, keeping this a noob friendly tutorial let's make some things very clear. Firstly, an exploit may or may not work on two different application versions, may not work on two different operating systems.
    Secondly, if you think you already know basics, you can leave the website immediately.

    Well, Throughout this series we will start from the very basic (I Mean it :P) this means we will take up things as soon as they appear. So, you don't have to worry about ASM, Comp. Architecture etc.

    Pre-requisites
    i already mentioned that we will take up things as soon as they appear. However, for this tutorial you should have a lil knowledge about C Programming.

    So, let's take up the most basic "Stack based Buffer Overflows" at the very first stage-

    Now, what is a stack?
    we can see in the above picture that we organized every book one above the other. However, we can collectively say that this is a stack of books. Now, to build this stack, we placed the first book, then the other on top of it and so on until we run out of books.

    Exactly, what follows in Computer systems. We can put operands and operators one above the other to form a stack. This is called the "Push" operation. This also means that the first book is now at the bottom and the last one is at the top. This is why stack is called Last-in-First-Out. So, when we need to remove a book, we first need to remove the book at the top, this is called the "Pop" operation.

    So, What is Buffer Overflow?
    A buffer is a region which stores data temporarily and when more data than its capacity is supplied, it gets overflowed.

    Let's see an example-
    #include<stdio.h>
    #include<string.h>
    #include<stdlib.h>
    void noexec()
    {
    printf("this never executes");
    exit(0);
    }

    void main(int argc, char** argv)
    {
    char buffer[50];
    strcpy(buffer,argv[1]);
    printf(buffer);
    }
    In the above program, we have two different functions- main and noexec. When we run this program, it simply receives the command line argument, copies it into the buffer variable and simply prints it. Now, you might ask, why do we have noexec() function if we are not calling it any where in the program? this is because in order to work out the simplest buffer overflow, we will try to execute this function by exploiting it.

    Let's compile this program using the following command-
    #gcc -ggdb -o rofl -fno-stack-protector expl1.c -mpreferred-stack-boundary=2
    To compile a C program in linux, we use gcc, -ggdb option allows the code to be executed and listed in debugger by supplying enough information to the debugger, about the program, -fno-stack-protector option turns off stack protection mechanisms in Linux while compiling the program and -mpreferred-stack-boundary=2 option aligns the stack on a 4-byte boundary and will be susceptible to crash as well. However, by default it's on 16-byte boundary.

    (You can Skip the above paragraph, for now we just need to focus on compiling the application program)

    Let's execute the program, and supply 50 A's, we can see that it gets printed, Let's try with 51 A's, 52 A's and 53 A's. We can see that program exited normally after outputting the supplied input. However, as soon as we provide 54 A's we get Segmentation Fault which denotes crashing of the program or we can say the buffer just overflowed. You might ask, we had the buffer for 50 characters but it still got executed at 51,52,53. This is because the input didn't overwrote the EIP initially and may have overwrote other registers which didn't affected the program's execution.

    What is EIP?
    A register which stores the address of the next instruction. Therefore, if we overwrite this EIP register with the address of our choice, our choice will be the next instruction to be executed by the program. This potentially means that we can redirect the flow of a program to anywhere we want.

    Let's open this program in GDB-
    GDB is a debugger which can allow us to view the state of the registers, stack, memory locations etc throughout the execution of a program(I Know this is the most basic tutorial and introducing GDB may not be the correct idea right now, but for the sake of running the noexec function we need its memory address).

    #gdb ./rofl

    the above command will run the program in GDB. To find the starting address of the noexec() function we need to input a simple command which is "disassemble" followed by the name of the function


    (gdb) disas noexec

    this command will output the following-
    Don't get scared! for Now, we only need the address of the first instruction which is 0x0804847c.

    Next, we simply need to input this address after 54 A characters and this will overwrite the current address in EIP resulting in altering the flow of the program according to our needs.

    Let's test it out-
    Keeping it simple, we will supply 54 A's and the address in Little endian format which is to reverse the bytes(ex- split the bytes 08 04 84 7c to 7c 84 04 08.
    We can see that after outputting the input, noexec function runs thus outputting "This Function Does Not Execute".

    This tutorial is purely for the newbies in exploit writing. If You liked this tutorial, comment your feedback and suggestions.

    For exploiting the same on x64 based architecture, refer to Adhokshaj Mishra's Website.

    See you Next week.

    Exploit Writing Series Tutorial 1: Buffer Overflow on Linux

    Posted at  21:05  |  in  linux exploit writing  |  Read More»

    Hey folks,
    i have been thinking for so long to start a noob friendly series on exploit writing but never got that much time. Anyways, let's talk about exploit writing-

    So, what is an exploit?
    an exploit is a piece of code that takes the advantage of a vulnerable system.

    However, keeping this a noob friendly tutorial let's make some things very clear. Firstly, an exploit may or may not work on two different application versions, may not work on two different operating systems.
    Secondly, if you think you already know basics, you can leave the website immediately.

    Well, Throughout this series we will start from the very basic (I Mean it :P) this means we will take up things as soon as they appear. So, you don't have to worry about ASM, Comp. Architecture etc.

    Pre-requisites
    i already mentioned that we will take up things as soon as they appear. However, for this tutorial you should have a lil knowledge about C Programming.

    So, let's take up the most basic "Stack based Buffer Overflows" at the very first stage-

    Now, what is a stack?
    we can see in the above picture that we organized every book one above the other. However, we can collectively say that this is a stack of books. Now, to build this stack, we placed the first book, then the other on top of it and so on until we run out of books.

    Exactly, what follows in Computer systems. We can put operands and operators one above the other to form a stack. This is called the "Push" operation. This also means that the first book is now at the bottom and the last one is at the top. This is why stack is called Last-in-First-Out. So, when we need to remove a book, we first need to remove the book at the top, this is called the "Pop" operation.

    So, What is Buffer Overflow?
    A buffer is a region which stores data temporarily and when more data than its capacity is supplied, it gets overflowed.

    Let's see an example-
    #include<stdio.h>
    #include<string.h>
    #include<stdlib.h>
    void noexec()
    {
    printf("this never executes");
    exit(0);
    }

    void main(int argc, char** argv)
    {
    char buffer[50];
    strcpy(buffer,argv[1]);
    printf(buffer);
    }
    In the above program, we have two different functions- main and noexec. When we run this program, it simply receives the command line argument, copies it into the buffer variable and simply prints it. Now, you might ask, why do we have noexec() function if we are not calling it any where in the program? this is because in order to work out the simplest buffer overflow, we will try to execute this function by exploiting it.

    Let's compile this program using the following command-
    #gcc -ggdb -o rofl -fno-stack-protector expl1.c -mpreferred-stack-boundary=2
    To compile a C program in linux, we use gcc, -ggdb option allows the code to be executed and listed in debugger by supplying enough information to the debugger, about the program, -fno-stack-protector option turns off stack protection mechanisms in Linux while compiling the program and -mpreferred-stack-boundary=2 option aligns the stack on a 4-byte boundary and will be susceptible to crash as well. However, by default it's on 16-byte boundary.

    (You can Skip the above paragraph, for now we just need to focus on compiling the application program)

    Let's execute the program, and supply 50 A's, we can see that it gets printed, Let's try with 51 A's, 52 A's and 53 A's. We can see that program exited normally after outputting the supplied input. However, as soon as we provide 54 A's we get Segmentation Fault which denotes crashing of the program or we can say the buffer just overflowed. You might ask, we had the buffer for 50 characters but it still got executed at 51,52,53. This is because the input didn't overwrote the EIP initially and may have overwrote other registers which didn't affected the program's execution.

    What is EIP?
    A register which stores the address of the next instruction. Therefore, if we overwrite this EIP register with the address of our choice, our choice will be the next instruction to be executed by the program. This potentially means that we can redirect the flow of a program to anywhere we want.

    Let's open this program in GDB-
    GDB is a debugger which can allow us to view the state of the registers, stack, memory locations etc throughout the execution of a program(I Know this is the most basic tutorial and introducing GDB may not be the correct idea right now, but for the sake of running the noexec function we need its memory address).

    #gdb ./rofl

    the above command will run the program in GDB. To find the starting address of the noexec() function we need to input a simple command which is "disassemble" followed by the name of the function


    (gdb) disas noexec

    this command will output the following-
    Don't get scared! for Now, we only need the address of the first instruction which is 0x0804847c.

    Next, we simply need to input this address after 54 A characters and this will overwrite the current address in EIP resulting in altering the flow of the program according to our needs.

    Let's test it out-
    Keeping it simple, we will supply 54 A's and the address in Little endian format which is to reverse the bytes(ex- split the bytes 08 04 84 7c to 7c 84 04 08.
    We can see that after outputting the input, noexec function runs thus outputting "This Function Does Not Execute".

    This tutorial is purely for the newbies in exploit writing. If You liked this tutorial, comment your feedback and suggestions.

    For exploiting the same on x64 based architecture, refer to Adhokshaj Mishra's Website.

    See you Next week.

    Saturday, 27 September 2014

    SickFuzz is a fuzzer for web applications and has always been a script which i miss the most on Kali linux. Let us see how we can fix it to run on Kali Systems-

    Download the script from this link and try to execute it.
    The First Error would be:
    And probably the second one would be:


    To Fix these errors, we need to make the following changes in the spike and the fpath variables. However, fpath variable is the path of the sickfuzz.py file.

    As soon as you fix and restart sickfuzz.py, it works like charm-
    Happy Fuzzing :)
     

    Fixing SickFuzz for Kali Linux

    Posted at  15:05  |  in  sickfuzz on kali linux  |  Read More»

    SickFuzz is a fuzzer for web applications and has always been a script which i miss the most on Kali linux. Let us see how we can fix it to run on Kali Systems-

    Download the script from this link and try to execute it.
    The First Error would be:
    And probably the second one would be:


    To Fix these errors, we need to make the following changes in the spike and the fpath variables. However, fpath variable is the path of the sickfuzz.py file.

    As soon as you fix and restart sickfuzz.py, it works like charm-
    Happy Fuzzing :)
     

    Friday, 26 September 2014

    Today we will discuss how we can easily capture network SSIDs from the various devices around you.

    This will help you find previously connected networks from various devices due to the fact that any wireless enabled device will keep looking for previously connected network after a certain period of time.

    To keep it simple we will simply use 'tshark' the command line sequel for wireshark.

    The first step is to put your wireless card in monitor mode-

    airmon-ng start wlan0 
    Next, issue the following command-
    tshark -i mon0 -R wlan.fc.type_subtype==0x04 -T fields -E separator=- -e wlan.sa -e wlan_mgt.ssid

    Lets understand this command, -i denotes the interface to capture packets from and since we have put our wireless card in monitor mode, we will use mon0.

    -R denotes the filter to use, wlan.fc.type_subtype==0x04 denotes the 'Probe Request' packet which is used for seeking a network actively, by the device. we used Hex notation of probe packet that is 0x04. Next, to list only the information which we require rather than the entire packet we use -T fields. -E separator denotes the character separator between two fields. -e denotes the actual fields which we want to display.

    Therefore, our command should display something like-

    XX:XX:XX:XX:XX:XX-[Network Name]
     running this command will output something similar to the following-

    This was a simple tutorial but i thought it will be helpful for few people who wants to get information about previously connected networks from certain devices.


    Simplest Command to Fetch SSIDs Around You

    Posted at  19:26  |  in  wireless sniffing  |  Read More»

    Today we will discuss how we can easily capture network SSIDs from the various devices around you.

    This will help you find previously connected networks from various devices due to the fact that any wireless enabled device will keep looking for previously connected network after a certain period of time.

    To keep it simple we will simply use 'tshark' the command line sequel for wireshark.

    The first step is to put your wireless card in monitor mode-

    airmon-ng start wlan0 
    Next, issue the following command-
    tshark -i mon0 -R wlan.fc.type_subtype==0x04 -T fields -E separator=- -e wlan.sa -e wlan_mgt.ssid

    Lets understand this command, -i denotes the interface to capture packets from and since we have put our wireless card in monitor mode, we will use mon0.

    -R denotes the filter to use, wlan.fc.type_subtype==0x04 denotes the 'Probe Request' packet which is used for seeking a network actively, by the device. we used Hex notation of probe packet that is 0x04. Next, to list only the information which we require rather than the entire packet we use -T fields. -E separator denotes the character separator between two fields. -e denotes the actual fields which we want to display.

    Therefore, our command should display something like-

    XX:XX:XX:XX:XX:XX-[Network Name]
     running this command will output something similar to the following-

    This was a simple tutorial but i thought it will be helpful for few people who wants to get information about previously connected networks from certain devices.


    Sunday, 29 June 2014

    In the Previous tutorial, we discussed about evading windows 7 firewall rules. Today, let us discuss about another great capability of Nmap that is decoys. To evade detection and network presence, Nmap decoys can be used effectively to lessen the chances of being caught. Decoys are those fake IP bots which pretends to be scanning the network and hence, confusing the security administrators to find the real culprit. So, today let us see how we can scan a target using Decoys in Nmap. For this tutorial we will use the target operating system as Windows 7 and we will run Snort to detect network packets. Snort is a common open source IDS implementation-
    we just performed a service scan with nmap on the target with two decoys that are 192.134.122.133 and 192.134.55.66 on port 21. We can see the port open but let us see on the target side that what amount of traffic we generated-
    As we can clearly see that we have the decoys who are scanning the target. But, we also have our original IP address listed there. However, this lessens the chances of getting caught but not a complete evade. Also, an important thing to mention here is that in a Service discovery scan, Nmap will try to fetch the banner of the target port from the original IP address which makes it more catchy. Therefore, let us see another approach of using Nmap decoys with IP Spoofing and analyze the results-
    Let us now check the target Snort logs and see if the original IP address is listed there or not-
    Bang! we can see that there is no listing of our original IP address there. Hence, evading the catch completely. Therefore, decoys lessens the chances of being caught and does it even better when used in conjunction with IP spoofing. This tutorial is recommended to use under a LAN environment or on an onsite testing project.





    Using Decoys but not only decoys in scanning networks using Nmap

    Posted at  18:41  |  in  snort evasion techniques  |  Read More»

    In the Previous tutorial, we discussed about evading windows 7 firewall rules. Today, let us discuss about another great capability of Nmap that is decoys. To evade detection and network presence, Nmap decoys can be used effectively to lessen the chances of being caught. Decoys are those fake IP bots which pretends to be scanning the network and hence, confusing the security administrators to find the real culprit. So, today let us see how we can scan a target using Decoys in Nmap. For this tutorial we will use the target operating system as Windows 7 and we will run Snort to detect network packets. Snort is a common open source IDS implementation-
    we just performed a service scan with nmap on the target with two decoys that are 192.134.122.133 and 192.134.55.66 on port 21. We can see the port open but let us see on the target side that what amount of traffic we generated-
    As we can clearly see that we have the decoys who are scanning the target. But, we also have our original IP address listed there. However, this lessens the chances of getting caught but not a complete evade. Also, an important thing to mention here is that in a Service discovery scan, Nmap will try to fetch the banner of the target port from the original IP address which makes it more catchy. Therefore, let us see another approach of using Nmap decoys with IP Spoofing and analyze the results-
    Let us now check the target Snort logs and see if the original IP address is listed there or not-
    Bang! we can see that there is no listing of our original IP address there. Hence, evading the catch completely. Therefore, decoys lessens the chances of being caught and does it even better when used in conjunction with IP spoofing. This tutorial is recommended to use under a LAN environment or on an onsite testing project.





    Friday, 27 June 2014


    Today, let us talk about Firewall rules and how we can evade them. However, i will be producing more advanced and complex tutorials for ninja scanning as well.OK, let us talk about a basic ninja scan which is required in the following scenario-
    Target is a colleague in the neighborhood who is running on Windows 7, Runs a Version of an FTP server on port 21 and 990(secured) and lastly has blocked our IP address as well. Our task is to evade the protection mechanisms that are the Windows 7 firewall based rules.

    To create a self test environment, you need-

    • Windows 7 up and running in VMware or on a different machine
    • A Firewall rule in "Inbound Connections" which Blocks our IP address
    • Any Linux configured with Nmap

    OK! So let us first run a simple Nmap scan without any rule in the firewall and check what is the output:-

    Providing the simple command nmap 192.168.193.128 shows the output in the above screenshot. Everything seems to be OK! we are able to make a connection with ease. let us now create a firewall rule to block the remote address 192.168.193.1(Attacker's OS IP/Our IP) -

    The first rule blocks our IP address which is 192.168.193.1 Let us now re-scan the target and see that if the firewall is blocking us now or not?

    "All 1000 ports are filtered" firewall is working pretty well huh? :P let us also check what Wireshark denotes running this scan-

    All SYN packets from the very first packet till the end of the scan.... so what this means? yeah you guessed it right no ACKs. Therefore, Nmap shows all ports filtered.

    Let us now overcome this situation by using -S switch in Nmap which helps in spoofing the originating address as follows-

    Let us analyze the above command, we used -sS to denote a Stealth Scan/Half open Scan. Next, we used -e to denote the interface name which in my case was vmnet8 because i used it in VMware Player(eth0 in case of machine being a different one). Next, -S to supply an address to spoof and 21,990 using -p switch to denote the port numbers. we can see that some error messages are generated but its alright, it works fine. let us cross check its functioning using Wireshark-

    Bingo! we were able to spoof the address with ease and we can also see the SYN-ACKs sent back from the target to the spoofed address which doesn't exist actually :P

    This concludes our most basic ninja scanning tutorial to evade a firewall rule of Windows 7. Stay tuned for more tutorials. Additionally, Refer to my book Mastering Metasploit to learn how to scan a hidden network using a compromised host.  

    Evading Windows 7 Firewall rules with Basic Ninja Scanning using Nmap

    Posted at  03:19  |  in  windows 7 firewall unblocking scans  |  Read More»


    Today, let us talk about Firewall rules and how we can evade them. However, i will be producing more advanced and complex tutorials for ninja scanning as well.OK, let us talk about a basic ninja scan which is required in the following scenario-
    Target is a colleague in the neighborhood who is running on Windows 7, Runs a Version of an FTP server on port 21 and 990(secured) and lastly has blocked our IP address as well. Our task is to evade the protection mechanisms that are the Windows 7 firewall based rules.

    To create a self test environment, you need-

    • Windows 7 up and running in VMware or on a different machine
    • A Firewall rule in "Inbound Connections" which Blocks our IP address
    • Any Linux configured with Nmap

    OK! So let us first run a simple Nmap scan without any rule in the firewall and check what is the output:-

    Providing the simple command nmap 192.168.193.128 shows the output in the above screenshot. Everything seems to be OK! we are able to make a connection with ease. let us now create a firewall rule to block the remote address 192.168.193.1(Attacker's OS IP/Our IP) -

    The first rule blocks our IP address which is 192.168.193.1 Let us now re-scan the target and see that if the firewall is blocking us now or not?

    "All 1000 ports are filtered" firewall is working pretty well huh? :P let us also check what Wireshark denotes running this scan-

    All SYN packets from the very first packet till the end of the scan.... so what this means? yeah you guessed it right no ACKs. Therefore, Nmap shows all ports filtered.

    Let us now overcome this situation by using -S switch in Nmap which helps in spoofing the originating address as follows-

    Let us analyze the above command, we used -sS to denote a Stealth Scan/Half open Scan. Next, we used -e to denote the interface name which in my case was vmnet8 because i used it in VMware Player(eth0 in case of machine being a different one). Next, -S to supply an address to spoof and 21,990 using -p switch to denote the port numbers. we can see that some error messages are generated but its alright, it works fine. let us cross check its functioning using Wireshark-

    Bingo! we were able to spoof the address with ease and we can also see the SYN-ACKs sent back from the target to the spoofed address which doesn't exist actually :P

    This concludes our most basic ninja scanning tutorial to evade a firewall rule of Windows 7. Stay tuned for more tutorials. Additionally, Refer to my book Mastering Metasploit to learn how to scan a hidden network using a compromised host.  

    Learn Exploitation by Mastering Metasploit, Buy Now!

    About-WAPT Course-Contact Me
    Copyright © 2013 Nipun Jaswal's Security Blog. Blogger Template by Bloggertheme9
    Proudly Powered by Blogger.
    back to top