Thursday 12 April 2012

How to bypass antivirus with Metasploit

How do you bypass an antivirus?  This is not a new question; everyone who are belongs to ethical hacking and penetration testing groups discuss this issue often. Even new users (script kiddies) are anxious to learn ways to overcome their keyloggers, stealer’s and RAT (remote administrator tools). Clearly, there is a pressing and widespread need by everyone need to bypass an anti-virus, even while in the process of penetration testing and ethical hacking anti-viruses in attempts to create a robust defense for an operating system. Let’s consider a simple example: suppose a company hired you to conduct a vulnerability assessment on their network. They give you a black box test but you aren’t equipped with much information about the network. If they are using an end-to-end anti-virus solution for their network, whenever you launch a test, the anti-virus system in place will defend it. So the first obstacle you’ll need to overcome is bypassing the anti-virus. It is very easy to discuss a tool that can hide any file from the eye of anti-virus systems, but it is probably more effective to understand the story behind the tools or techniques in order to best implement them. In this article we will cover :
  • How Anti-virus works
  • What are the ways (techniques) to bypass an Anti-virus
  • Metasploit tutorial to bypass an anti-virus

How Anti-virus Works

It is very important to discuss the working mechanism and phenomena of anti-viruses, because if you don’t know how an anti-virus works or how an anti-virus system detects viruses, you will limit your ability to effectively cheat or bypass an anti-virus. There are many companies that create their anti-virus in their own way, but they each share two main approaches to detecting a virus:
  • Signature based detection
  • Suspicious Behavior
Signature based detection is the most common and widely used technique. In it, an anti-virus system compares the content of the file to its database. Signature based detection – while a fast and effective technique – is limited in that it can only detect known viruses. The other technique is based on monitoring suspicious activities and behavior. With this technique, an anti-virus continuously observes (in real time) the behavior of a file. If any file overwrites itself and steals data without user permission, than this file treat as a virus.
Example:

Here’s an example to best understand the working mechanism of an anti-virus: let’s say you have installed an anti-virus on your computer. When you plug-in your flash drive (USB), there are two options:
  • Anti-virus will automatically detect viruses (based  suspicious activities)
  • You will launch a scan against your USB and then the anti-virus finds some virus (Signature based detection)
This is how an anti-virus works; now we need to discuss the file format. PE, or portable executive, is the default file format for windows binary. Most of the viruses and malware hide in the PE file. So what is the structure of portable executive file and how does an anti-virus read the signature?
------------------
    | DOS-stub          |
    +-------------------+
    |PE file-header     |
    +-------------------+
    | optional header   |
    |- - - - - - - - - -|
    |                   |
    | data directories  |
    |                   |
    +-------------------+
    |                   |
    |   Image pages     |
    |                   |
    +-------------------+
    |                   |
    | section tables    |
    |                   |
    +-------------------+
    |                   |
    | section 1         |
    |                   |
   +----------------+
    |                   |
    | ...               |
    |                   |
    +-------------------+
    |                   |
    | section n         |
    |                   |
    +-------------------+

This is the typical structure of the portable executive file. Each section can be divided into multiple sub-sections, but in this article we’ll discuss this with respect to the anti-virus detection methodology. PE (portable executive) file header is the most important section, containing:


  • Signature bytes
  • Time and date stamp
  • Image base and image size
  • Stack reverse size
  • Debug table
  • Fixup table
  • Security table
  • and more
So the PE file header is the one that contains the signature and other important values of any executable file. In the signature file, the first number usually represents a microprocessor type. The typical  microprocessor types are 16-bit, 32-bit and 64-bit. For example, the 80386 processor has a value of 0x14c.
Let’s take an example of a typical netcat backdoor listener, which bind cmd on port number 99 for connecting to the server. By doing a little analysis, we can see that the signature is located on offset E77E.

Now just imagine the importance of the signature in any portable executive file. There are different tools available to find it. If you want to bypass an anti-virus, then you’ll need to modify this signature so that the anti-virus treats it as a normal file.
Below is the list of some utilities that are based on netcat and have the ability to bypass anti-viruses.
  • Cryptcat Project: This is an advanced utility based on netcat and one that uses an encryption technique with the ports of Windows, BSD and Linux.
  • MOCAT backdoor: This one is based on the cryptcat project and works on client and server phenomena, meaning it has two executables: one for windows and the other for Linux. All  communications of MOCAT are encrypted.
  • Ncat : Ncat is a wonderful tool that has been designed by the nmap community. It works on both TCP and UDP ports and on Ipv4 as well as Ipv6.

Bypass an Anti-virus – Metasploit Tutorial


The first part of our discussion focused on the importance of encoding to bypass an anti-virus. Metasploit is wonderful tool with many encoders to bypass the anti-viruses. Some of the encoders are based on polymorphic code (polymorphic virus). Polymorphic code changes the signature everytime it infects a new file. Shikata_ga_nai seems to be the best encoder to encode a virus so that your file easily bypass most of the anti-viruses. According to a wonderful blog post published on secmaniac, the best combinations to bypass almost 85 % of the anti-viruses are:
  • Shikata encoding 5 times
  • Alpha_Upper encoding 2 times
  • Shikata encoding 5 times
  • Countdown encoding 5 times

Within the social engineering toolkit encoder list, shikata_ga_nai is a particularly good encoder. Take a look at the picture below:

You can find a list of available encoders on metasploit. Please follow the commands below:
root@bt:~# msfencode -h 

    Usage: /opt/framework/msf3/msfencode

OPTIONS: 

    -a   The architecture to encode as
    -b   The list of characters to avoid: '\x00\xff'
    -c   The number of times to encode the data
    -d   Specify the directory in which to look for EXE templates
    -e   The encoder to use
    -h        Help banner
    -i   Encode the contents of the supplied file path
    -k        Keep template working; run payload in new thread (use with -x)
    -l        List available encoders
    -m   Specifies an additional module search path
    -n        Dump encoder information
    -o   The output file
    -p   The platform to encode for
    -s   The maximum size of the encoded data
    -t   The output format: raw,ruby,rb,perl,pl,c,js_be,js_le,java,dll,exe,exe-small,elf,macho,vba,vbs,loop-vbs,asp,war
    -v        Increase verbosity
    -x   Specify an alternate executable template 

---------------------------------------------------------------------------------------------------------------------------
root@bt:~# msfencode -l 

Framework Encoders
================== 

    Name                    Rank       Description
    ----                    ----       -----------
    cmd/generic_sh          good       Generic Shell Variable Substitution Command Encoder
    cmd/ifs                 low        Generic ${IFS} Substitution Command Encoder
    cmd/printf_php_mq       manual     printf(1) via PHP magic_quotes Utility Command Encoder
    generic/none            normal     The "none" Encoder
    mipsbe/longxor          normal     XOR Encoder
    mipsle/longxor          normal     XOR Encoder
    php/base64              great      PHP Base64 encoder
    ppc/longxor             normal     PPC LongXOR Encoder
    ppc/longxor_tag         normal     PPC LongXOR Encoder
    sparc/longxor_tag       normal     SPARC DWORD XOR Encoder
    x64/xor                 normal     XOR Encoder
    x86/alpha_mixed         low        Alpha2 Alphanumeric Mixedcase Encoder
    x86/alpha_upper         low        Alpha2 Alphanumeric Uppercase Encoder
    x86/avoid_utf8_tolower  manual     Avoid UTF8/tolower
    x86/call4_dword_xor     normal     Call+4 Dword XOR Encoder
    x86/context_cpuid       manual     CPUID-based Context Keyed Payload Encoder
    x86/context_stat        manual     stat(2)-based Context Keyed Payload Encoder
    x86/context_time        manual     time(2)-based Context Keyed Payload Encoder
    x86/countdown           normal     Single-byte XOR Countdown Encoder
    x86/fnstenv_mov         normal     Variable-length Fnstenv/mov Dword XOR Encoder
    x86/jmp_call_additive   normal     Jump/Call XOR Additive Feedback Encoder
    x86/nonalpha            low        Non-Alpha Encoder
    x86/nonupper            low        Non-Upper Encoder
    x86/shikata_ga_nai      excellent  Polymorphic XOR Additive Feedback Encoder

Wednesday 29 June 2011

Know The Latest Scams And Rumors On The Internet.

The number of Internet users has been increasing exponentially and due to this the fraudsters are seeing a whole new playground to play their tricks. Thousands of new scams are created everyday, most of them are foolish and very less people may fall prey to it but some are very complicated and well constructed. Even a very precautious and well informed Internet user may fall prey to it. So every netizen should have some knowledge of the latest scams and rumours even if it doesn't concern them. Here is a site which informs the people of the latest threats and scams.

WWW.SNOPES.COM


Snopes is a very popular site for knowing the latest threats and scams making rounds of the cyberspace. Every scam and rumor is studied and checked for authenticity. The users can also suggest or inform about the scams and rumors.

HISTORY OF HACKING (discovery channel documentary)

HISTORY OF HACKING (discovery channel documentary)

This is a discovery channel documentary on "history of hacking" giving a brief account of the development of Hacking and tells about the new trends and techniques evolved with time.

It is focused on three legendary hacker personalities.
1) John Draper ( also known as Captain Crunch) :- The story of evolution of Phreaking is told using John Draper's experiences, a famous figure in Phreaking.

2)Steve Wozniak :- The co-founder of APPLE also famously known as "The other Steve" . Steve Wozniak made the first apple computer in his garage, which is widely considered as the first successful personal computer. 

3) Kevin Mitnick :-Last but not the least is the famous celebrity in hacking Kevin Mitnick. He represents the modern face of hacking. Famous for penetrating networks of famous companies like Nokia, Motorola etc.

its a bit old documentary but a sure watch one.

it is available on YOU TUBE here is the link   go to the video

you can also download it from here

DOWNLOAD (files tube)
DOWNLOAD (torrent link)

Tuesday 28 June 2011

CRACKING WINDOWS USER PASSWORD USING "CAIN AND ABEL"

Cain & Abel is a password recovery tool for Microsoft Operating Systems. It allows easy recovery of various kind of passwords by sniffing the network, cracking encrypted passwords using Dictionary, Brute-Force and Cryptanalysis attacks,
recording VoIP conversations, decoding scrambled passwords, recovering wireless network keys, revealing password boxes, uncovering cached passwords and analyzing routing protocols. The program does not exploit any software vulnerabilities or bugs that could not be fixed with little effort. It covers some security aspects/weakness present in protocol's standards, authentication methods and caching mechanisms; its main purpose is the simplified recovery of passwords and credentials from various sources, however it also ships some "non standard" utilities for Microsoft Windows users.


STEP 1) DOWNLOAD THE SOFTWARE "CAIN AND ABEL"
here is the link DOWNLOAD
                 DOWNLOAD ( mirror )

STEP 2) INSTALL AND START IT.

STEP 3) CLICK ON THE CRACKER TAB


STEP 4) IN THE SIDEBAR CLICK ON "LM & NTLM HASHES" OPTION AND THEN CLICK ON THE POSITIVE SIGN.

STEP 5) THEN A WINDOW APPEARS SELECT "IMPORT HASHES FROM LOCAL SYSTEM" OPTION AND THEN CLICK NEXT.

STEP 6) RIGHT CLICK THE OPTION WHICH REMAINS AFTER EXCLUDING THE ADMINISTRATOR AND GUEST OPTION AND THEN CLICK ON DICTIONARY ATTACK
AND THEN ON NTLM HASHES  (it will check all dictionary words for the password).


STEP 7) IF THE PASSWORD IS NOT CRACKED BY DICTIONARY ATTACK SELECT BRUTE FORCE ATTACK AND THEN NTLM HASHES.

 *HERE IS THE RESULT*




RESET WINDOWS XP PASSWORD IN 5 MINUTES

Did your parents or some elder brother set a login password to prevent you from using computer or you think they may in future then here is a way to reset windows XP password in five minutes

*MAKING THE PASSWORD RESET CD*

Step 1) Download this cd image DOWNLOAD.

Step 2) Burn this cd image to a cd using NERO.
 

*RESETING THE PASSWORD*

Step 1) On the pc and put the password reset cd in the cd drive.
Step 2) Go to bios setup of your computer by clicking the appropriate button while the computer boots ( it is different for different computer but mostly it is "delete" button.)----> then go to advanced bios setup----->there change the bios boot sequence making CDROM to boot first.
Step 3) Then the password reset cd will boot the screen will appear as if the windows xp installation cd is booting do not panic. 

Step 4) A menu will appear select the first option by  pressing  key "1" and enter.

Step 5) Then you will be asked to select the name of the account of which you want to reset the password.select the acount and confirm.

Step 6) thats it! your password is reset, now remove the cd and restart the pc the password will be gone.
NOTE:- the procedure is tested by me and works perfectly.
enjoy!!!!!!

Wednesday 22 June 2011

HACK FACEBOOK PASSWORD USING EASY METHODS

Facebook is the latest teenage craze all around the world. I have seen many people wasting hours for finding different methods and ways for hacking their friend's or enemy's facebook account. Most of the sites claiming to teach easy facebook hacking methods are spam and try to sell you useless hacking ebooks or other senseless softwares.Some even claim to hack the facebook passwords for free for you. Wake up people and think logically. First let me make something clear to you, there is no such software or tool which will hack the Facebook account password for you, while you sit back and enjoy your cappuccino and don't even think of hacking into the facebook databases to get the passwords. But hacking facebook accounts is not completely impossible, i would say it can be done rather very easily if you decide to give your time and have some patience. There are may be hundreds of ways of hacking facebook accounts but here i am providing you some, which i am familiar with. This is a long post and i have tried to provide all the methods in great detail so bear with me.Now let us begin.


1) KEYLOGGING

Type:- software and hardware
Tools needed:- Keylogger software or keylogger device
Special skills needed:- no special skills needed but some commonsense , some prior knowledge of the target and convincing power.
Main enemy:- Antivirus software and Firewalls.



Keylogging is one of the easiest and most widely used hacking method for hacking Facebook passwords. The word keylogging means to keep a track / log of the keys pressed on the computer.There are mainly two ways of keylogging, Software and hardware.

1) Hardware:- Special computer devices for keylogging are available. They are connected to the keyboard wire and then to the CPU. It looks like the keyboard wire's part and cant be easily detected.When needed the device can be disconnected and the logs can be viewed.
*Bad points:- This method is mostly not preferred for hacking facebook passwords, as the devices are costly and need physical access to the computer.

2) Software :- There are thousands of different keylogger software which provide the user with a wide range of options.From them the keylogger which can be remotely installed is preferred for hacking Facebook passwords.They keep log of the keys pressed on the target's computer while remaining hidden and after some specific time send it as a email to the user without the target's knowledge..
*Bad points :-Most of the keyloggers are detected by the Antivirus and Firewall softwares, but some keyloggers are able to bypass the Antivirus and Firewall software. You also have to convince the target to install the keylogger while remote installing it.

Personal Tip:- Try the keyloggers which come under the parental control category which are used by parents to keep an eye on the child's online activities. This keylogger are mostly Antivirus and Firewall friendly. The AV and firewall wont detect them because if they did detect it then the child will come to know about it and it will be of no use. The only short coming of these keylogger is that they dont have remote installation feature.


2) PHISHING

Special skills needed:- no special skills needed but some convincing power.
Many enemy:- Intelligent targets.

Phishing is the most widely used hacking method for hacking Facebook passwords. In phishing the attacker sends the target a link. When the target clicks on the link, it takes the target to a fake website which looks same as the real Facebook login page. The attacker convinces the target to log in through that page. When the target types his password and clicks the log in button, the password is instead send to attacker and the target is again redirected to the real website.

Here is a tutorial about phishing.

Step 1) First you must sign for a free webhosting service like www.byethost.com
And register your subdomain.
after signing you will have a subdomain like www.yourname.byethost.com

Step 2) Now login to your account go to "control panel" then in site management option go to "online file manager" and open the folder "htdocs".

Step 3) Now DOWNLOAD THIS FILE to your computer add extract the files inside it you will see folders named facebook, orkut etc choose which account you want to hack and open the folder, inside the folder you will find two files index.htm and pass.php.

Step 4) Now replace the index.htm file in the "htdocs" of the "online file manager" with the file index.htm of the phisher folder in your computer and also upload pass.php file in "htdocs" thats it! you are done.

Step 5) Now your homepage www.yourname.byethost.com has become a phisher. open it, you will see that your page www.yourname.byethost.com has become the login page of the site you want to hack.now all you have to do is send this link to the person whose account you want to hack.when he tries to login through it you will receive a file password.html in your "htdocs" folder of your phpnet.us account which contains the username and password of your victim.

Personal Note:- The attacker must have a very good convincing power to hack the facebook password with this method. Please try this method carefully as now it is widely known and the target may soon guess the attacker's intentions. The target may report the fake site and you may get in trouble.


3) HTTP SESSION HIJACKING (Cookie Stealing)

Tools needed:- FIRESHEEP software and a laptop, as this is a wireless Internet vulnerability.
Special skills needed:- No special skills is needed.
Main enemy :- Blacksheep 

This method is a bit less known but in recent months it has become widely popular due to the introduction of the software 'FIRESHEEP'. When you log in to your account at a website, your web browser sends your username and password to the website server. The password is first encrypted and then send over the network. Then the server checks the username and password against the database and if they both match then sends to the user's browser a "cookie" (a text which the browser uses for further requests to the web server) but unlike the password the cookies are not encrypted and are sent as it is over the network, this cookies can be easily captured as they travel through the network or a busy WI-FI. The newly released Firefox extension "FIRESHEEP" makes it more easy. Actually so easy that even a total nube can capture this cookies. For a detailed tutorial on Firesheep

PERSONAL NOTE:- The addon Firesheep had become very popular recently so software Blacksheep was developed which stops Firesheep.


4) SOCIAL ENGINEERING

Type :-Psychological
Special skills :- Patience and Confidence.
Main enemy:- intelligent target.


This is not a sure way of hacking facebook passwords but given the time and Patience can yield pretty interesting results.Social engineering attack means to gather information from the target or by using the prior knowledge of the target and then use it to hack the target's facebook password by guessing the password or resetting the password. Gather basic information about the target like 
  • Birth date
  • Mobile number
  • The skill he is good at.
  • favourite historical personality etc
and from this information try to guess the target password you will be surprised to see how many people have such guessable passwords.


Personal Note:- Though this is a effective method don't waste too much time in it as there are other aspects of social engineering which i am know presenting in front of you try them.


FORGOT PASSWORD HACK
Type:- it is a type of social engineering.
Special skills needed:- Logic.
Main enemy :- Intelligent targets.


Every social networking site has a password retrieval system to help the user in case he or she forget their password. Facebook also has a password retrieval system which can be wisely used to hack facebook accounts.

OPEN LETTER TO A WANNABE HACKER

by Elf Qrin - June, 4th 2000

I often receive e-mails from kids that ask me how to become a hacker. The same type of message can be read with the same frequency on the webboards of the hacking related websites.
This letter is addressed to them all.


Dear friend,

Hacking is something that must come from inside you. But is more than a simple instinct. Curiosity, and will to know, must be the engine that drives you. Read everything you find and try to put it into practice (within the limits of your and anyone else's safety). This is a good start.
When I was a kid myself, in the second half of the '80s, things were somehow better (not easier, anyway) for the ones who wanted to learn. Computer were just out from scientific and military labs to reach the homes of the common people, yet there were excellent little encyclopaedias that teached the basics of the way to work and to "think" of the computers. Every computer magazines used to teach how to program, including techniques so advanced that we'd call it "hacking", nowadays. That's because at that time only a few people knew how computer work, and that magazines were written by computer lovers for computer lovers. Or in other words, by almost hackers for almost wannabe hackers.
Today things are changed. The business grew, and the available information became more "commercial". Yet still there are many good books, especially about programming, but they only cover very specific subjects and they are very expensive (unless you live in India or in the Asian subcontinent). Thus, the information you may find for free on the Internet, is probably the only good way to learn.
The first thing for a hacker is to know his system. How it works. How information is stored. If you don't know those things, you'll only learn the rest superficially, and you will not able to adapt your knowledge to different situations, or to make new discoveries by yourself. It would be like a lesson learned by heart.
Another thing I consider necessary is to learn to program. Not just because you'll be able to write your own programs (and in a certain way you can... instruct the computer to your will), but mostly because programming will help you to learn how computers really work.
The most popular language is currently C, or better its derivate C++. But you'd better learn at least a little of everything, especially the new languages like Java, and may be a bit of machine language. But for a start, even the dear good Basic is fine, which is enough to learn the fundamental things. However is not the language which makes the programmer. A language can be learned in a few weeks, but programming techniques require years of experience.
Look for websites dedicated to programming, and download some listings (as we used to call the "source code"), study them to see how do they work, and modify them to get new effects or add new features.
See how other programs work. Find a better way to do a certain operation, and you have learned how to optimize.
And when in real life you'll get stuck with any problem, think if you can solve it with your computer, and if you are able to write a program to do that.

It can looks like a lot of things to you, but you are young, and you have time. Anyway, you need time to make your own experience. You can always ask advices on webboards or via e-mail about something you can't understand, but you'll have to learn the most of it by yourself. You can make things more exciting if you start learn hacking with a friend who shares your interests, so that you can "grow up" together, and swap ideas and new discovers.
Slowly, while your knowledge increases, you'll be able to find holes in the system by yourself, and may be think how to exploit those holes to your advantage.

Remember that the whole concept of hacking is to explore the boundaries and create something new, and possibly amazing. The fact that something has never been done before shouldn't stop you. On the contrary, you should take it as a challenge. Whenever you are wondering if something is possible, the correct answer is: "Just try it".
Believe me, we all learned this way, and I don't think there's a better way.

Elf Qrin