FUD (Fully Un Detectable) Payload with CUSTOM-meterpreter

This payload can’t be detected by TrendMicro
# apt-get install mingw-w64
# cd /root
****************************************************************
    Automatic C source code generator – FOR METASPLOIT
           Based on rsmudge metasploit-loader
****************************************************************
Metasploit server IP : 10.0.1.12
Metasploit port number : 4444
(+) Compiling binary ..
-rw-r–r– 1 root root 2180 Feb 27 00:50 temp.c
(+) -rwxr-xr-x 1 root root 13312 Feb 27 00:50 payload.exe

Installing FireFox on Debian

# echo “deb http://mozilla.debian.net/ jessie-backports firefox-release” >> /etc/apt/sources.list.d/mozilla-firefox.list
# cat /etc/apt/preferences.d/mozilla-firefox
Package: *
Pin: origin mozilla.debian.net
Pin-Priority: 501

# apt-get update
# apt-cache policy firefox
firefox:
  Installed: 51.0.1-3
  Candidate: 51.0.1-3
  Version table:
 *** 51.0.1-3 1001
       1001 http://mirrordirector.archive.parrotsec.org/parrot stable/main amd64 Packages
        100 /var/lib/dpkg/status
     51.0.1-3~bpo80+1 501
        501 http://mozilla.debian.net jessie-backports/firefox-release amd64 Packages

# apt-get install firefox -y

Installing Kali tool on Debian

We need katoolin for that purpose

# cd /root
# cd katoolin
# ln -s katoolin.py katoolin
# chmod +x katoolin
# ./katoolin
1) Add Kali repositories & Update
2) View Categories
3) Install classicmenu indicator
4) Install Kali menu
5) Help
kat > 1
1) Add kali linux repositories
2) Update
3) Remove all kali linux repositories
4) View the contents of sources.list file
What do you want to do ?> 1

1) Add kali linux repositories
2) Update
3) Remove all kali linux repositories
4) View the contents of sources.list file
What do you want to do ?> 2

1) Add kali linux repositories
2) Update
3) Remove all kali linux repositories
4) View the contents of sources.list file
What do you want to do ?> back

1) Add Kali repositories & Update
2) View Categories
3) Install classicmenu indicator
4) Install Kali menu
5) Help
kat > 2

1) Information Gathering                        8) Exploitation Tools
2) Vulnerability Analysis                       9) Forensics Tools
3) Wireless Attacks                             10) Stress Testing
4) Web Applications                             11) Password Attacks
5) Sniffing & Spoofing                          12) Reverse Engineering
6) Maintaining Access                           13) Hardware Hacking
7) Reporting Tools                              14) Extra
0) All
Select a category or press (0) to install all Kali linux tools .
kat > 0
Do you want to continue? [Y/n]

1) Add Kali repositories & Update
2) View Categories
3) Install classicmenu indicator
4) Install Kali menu
5) Help
kat > 3
Do you want to install classicmenu indicator ? [y/n]> y

1) Add Kali repositories & Update
2) View Categories
3) Install classicmenu indicator
4) Install Kali menu
5) Help
kat > 4
Do you want to install Kali menu ? [y/n]> y

Installing RDP Server on Linux

In my example, I’ll use Debian 8 as my example.
But you can install it on other linux too

-install xrdp server and xfce desktop
# apt-get install xrdp xfce4 -y

-enable xrdp on every reboot
# systemctl enable xrdp.service
# systemctl restart xrdp.service

-enable xfce on every rdp connection
# echo “xfce4-session” > /root/.xsession
# echo “xfce4-session” >> /etc/xrdp/startwm.sh

Installing Vulnerable bWAPP, DVWA, Joomla, Mutillidae2, SQLi-Labs, XAMPP, WordPress on TurnKey LAMP

Download and install TurnKey LAMP ova from
set VBox Settings/Display/Screen/Video Memory to 6MB
set NIC1 to Bridge in VBox
Image.png
Set NIC2 to Host only
Image.png
click Advanced Menu
Image.png
select Networking, click Select
Image.png
Set eth0 to dhcp and eth1 to static

Image.png

XAMPP
# cd /root
# apt list –installed
find apache and mysql packages name there
# service mysql stop
# apt-get purge mysql-server mysql-client mysql-common
# apache2ctl stop
# apt-get purge apache2 apache2-utils apache2.2-bin
# apt-get autoremove

# apt-get autoclean

-download xampp
# chmod 755 xampp-linux-x64-5.6.30-0-installer.run
# ./xampp-linux-x64-5.6.30-0-installer.run
————————————————————————–
Welcome to the XAMPP Setup Wizard.
————————————————————————–
Select the components you want to install; clear the components you do not want
to install. Click Next when you are ready to continue.
   XAMPP Core Files : Y (Cannot be edited)
   XAMPP Developer Files [Y/n] :
   Is the selection above correct? [Y/n]:
Installation Directory
   XAMPP will be installed to /opt/lampp
   Press [Enter] to continue:
Setup is now ready to begin installing XAMPP on your computer.

   Do you want to continue? [Y/n]:

# cd /opt/lampp
# sed -i s/’local’/’all granted’/ etc/extra/httpd-xampp.conf
# lampp start
NOTE:
-to restart apache only
# /opt/lampp/bin/apachectl restart

-apache docs location on /opt/lampp/htdocs

bWAPP (Buggy Web Application)
# cd /root
# mkdir -p /opt/lampp/htdocs/bwapp
# mv download?source=files bwapp/bWAPP_latest.zip /opt/lampp/htdocs/bwapp/bwapp.zip
# cd /opt/lampp/htdocs/bwapp
# unzip bwapp.zip
# rm bwapp.zip
# vi bWAPP/admin/settings.php
set this part

$db_password = “”;

# cd bWAPP
# chmod 777 documents images passwords
-open your browser and go to http://10.0.1.44/bwapp/bWAPP/install.php
click on here
L: bee
P: bug

Image.png

DVWA
-download dvwa
# cd /root
# mv DVWA /opt/lampp/htdocs/dvwa
# cd /opt/lampp/htdocs/dvwa
# chmod 766 hackable/uploads
# chown root:root hackable/uploads
# chmod 766 external/phpids/0.6/lib/IDS/tmp/phpids_log.txt
Sign-in with your gmail account
click Continue
click Get reCAPTCHA
on Label and Domains type your domain i.e: domain.com
click Register
You will get Site and Secret key
# cd /opt/lampp/htdocs/dvwa/config
# cp -p config.inc.php config.inc.php.bak
# vi config.inc.php
-set your mysql root password
$_DVWA[ ‘db_password’ ] = ‘Passw0rd’;
-insert Site > public key and Secret > private key into this part
$_DVWA[ ‘recaptcha_public_key’ ]  = ‘6LdaMRYUAAAAAGH_Wjgn15xUmdcXTMP9YpBJ7y3n1’;

$_DVWA[ ‘recaptcha_private_key’ ] = ‘6LdaMRYUAAAAALsTFuYgrGbeozX2efE3EOz11T5x1’;

Set “allow_url_include = On”
# sed -i s/’allow_url_include=Off’/’allow_url_include=On’/ /opt/lampp/etc/php.ini
# /opt/lampp/bin/apachectl restart
go to http://10.0.1.44/dvwa/
click Create/Reset Database
go to http://10.0.1.44/dvwa/login.php
L: admin

P: password

JOOMLA
# cd /root
# mv joomla_3-6-5-stable-full_package-zip\?format\=zip joomla-3.6.5.zip
# unzip joomla-3.6.5.zip -d joomla
# mv joomla /opt/lampp/htdocs
# cd /opt/lampp
# sed -i s/’display_errors=On’/’display_errors=Off’/ etc/php.ini
# sed -i s/’output_buffering=4096’/’output_buffering=Off’/ etc/php.ini
# cd /opt/lampp/htdocs/joomla/
# cp installation/model/configuration.php .
# chmod 777 configuration.php
# /opt/lampp/bin/apachectl restart
go to http://10.0.1.44/joomla/installation/index.php
Configuration
Select Langunage: English (United States)
Site Name: joomla
Description:
Site Offline: Yes
Administrator Email: admin@gmail.com
Administrator Username: root
Administrator Password:
Confirm Administrator Password:
click Next
Database
Database Type: MySQLi
Host Name: localhost
Username: root
Password:
Database Name: joomla
Table Prefix: j00mla_
Old Database Process: Backup
click Next
FTP
click Next
Overview
Install Sample Data: Learn Joomla English (GB) Sample Data
Email Configuration: No
click Install
click Remove installation folder
if you got error
# cd /opt/lampp/htdocs/joomla
# rm -rf installation
# chmod 644 configuration.php
go to http://10.0.1.44/joomla/
L: root

P:

NOWASP Mutillidae 2
# cd /root
# apt-get install software-properties-common python-software-properties php5-curl -y
# mv download\?source\=files mutillidae.zip
# unzip mutillidae.zip
# mv mutillidae /opt/lampp/htdocs/
# cd /opt/lampp/htdocs/mutillidae
# vi classes/MySQLHandler.php
set your MySQL password here
        static public $mMySQLDatabasePassword = “”;
-only allow access from your network
# vi .htaccess
Allow from 10.0.1.0/24
# /opt/lampp/bin/apachectl restart
go to http://10.0.1.44/mutillidae
click setup/reset the DB
Image.png
click OK

Image.png

SQLi-Labs
# cd /root
# unzip master.zip
# mv sqli-labs-master /opt/lampp/htdocs/sqli
# cd /opt/lampp/htdocs/sqli
# vi sql-connections/db-creds.inc
set mysql password i.e.
$dbpass =”;
open browser and go to http://10.0.1.44/sqli
click Setup/reset Database for labs

Image.png

WORDPRESS
NOTE:
UBUNTU
-because TurnKey LAMPP doesn’t have required gcc for compiling pcre lib, we need to do this in other Ubuntu server.
After compiling then copy the lib into 10.0.1.44 TurnKey LAMPP
download pcre
# cd /root
# tar xf pcre-8.40.tar
# cd /pcre-8.40
# ./configure –prefix=/tmp –enable-utf8 –enable-unicode-properties ; make ; make install
# cd /tmp
# tar cf lib.tar lib

# scp lib.tar root@10.0.1.44/tmp

TURNKEY LAMPP
-copy lib into /opt/lampp/lib
# cd /opt/lampp/lib
# cp /tmp/lib/* .

-create empty wordpress db
go to http://10.0.1.44/phpmyadmin
click New on top left
Create database: wordpress

click Create

# mv WordPress /opt/lampp/htdocs/
# cd /opt/lampp/htdocs
# mv WordPress wordpress
# cd /opt/lampp/htdocs/wordpress
go to http://10.0.1.44/wordpress

click Let’s go!

Database Name: wordpress
Username: root
Password: Passw0rd
Database Host: localhost
Table Prefix: wp_
click Submit
You will get warning “Sorry, but I can’t write the wp-config.php file”.
Paste the content shown into wp-config.php
# vi wp-config.php

click  “Run the install”

Information needed
Site Title: wordpress
Username: root
Password: Passw0rd
Your Email:
Search Engine Visibility:
click Install WordPress
NOTE:

-you can go to http://10.0.1.44/wordpress/wp-admin/ for admin purposes

Create xampp startup script
# cat /etc/init.d/lampp
#! /bin/sh
### BEGIN INIT INFO
# Provides:             xampp
# Required-Start:       $remote_fs $syslog
# Required-Stop:        $remote_fs $syslog
# Default-Start:        2 3 4 5
# Default-Stop:         0 1 6
# Short-Description: Execute the xampp command.
# Description:
### END INIT INFO
PATH=/sbin:/usr/sbin:/bin:/usr/bin
case “$1” in
  start)
        /opt/lampp/lampp start
        ;;
  restart|reload|force-reload)
        /opt/lampp/lampp restart
        ;;
  stop)
        /opt/lampp/lampp stop
        ;;
  status)
        /opt/lampp/lampp status
        ;;
  *)
        echo “Usage: $0 start|stop|restart|status”
        ;;
esac

# chmod 755 /etc/init.d/lampp
# insserv -d /etc/init.d/lampp
# systemctl enable lampp

Port Knocking

BY using port knocking, we can open or close the port if we know the knock order

VM: KALI2 (Server) KALI2 (Client)

KALI2 (Server)
# apt-get install knockd -y
# cat /etc/default/knockd
START_KNOCKD=1

# cat /etc/knockd.conf
[options]
UseSyslog
Interface=eth1
#change eth1 accordingly
[openSSH]
sequence = 7000,8000,9000
seq_timeout = 5
command = /sbin/iptables -I INPUT -s %IP% -p tcp –dport 22 -j ACCEPT
tcpflags = syn
[closeSSH]
sequence = 9000,8000,7000
seq_timeout = 5
command = /sbin/iptables -D INPUT -s %IP% -p tcp –dport 22 -j ACCEPT
tcpflags = syn

# iptables -A INPUT -i lo -j ACCEPT
# iptables -A INPUT -m conntrack –ctstate ESTABLISHED,RELATED -j ACCEPT
# iptables -A INPUT -p tcp –dport 22 -j REJECT
# iptables -S
# mkdir /etc/iptables
# iptables-save > /etc/iptables/rules.v4
# iptables-restore < /etc/iptables/rules.v4
-if using ip6
# ip6tables-save > /etc/iptables/rules.v6
# ip6tables-restore < /etc/iptables/rules.v6
# service knockd start

KALI2 (Client)
-nmap shown ssh port filtered
# nmap 10.0.1.12
PORT STATE SERVICE
22/tcp filtered ssh
80/tcp open http
111/tcp open rpcbind
139/tcp open netbios-ssn
445/tcp open microsoft-ds

# apt-get install knockd -y
# ssh root@ 10.0.1.12
connection refused
# knock 10.0.1.12 7000 8000 9000
# ssh root@ 10.0.1.12
connection successful
# knock 10.0.1.12 9000 8000 7000
# ssh root@ 10.0.1.12
connection refused

Cowrie SSH Honeypot

# cd root
# vi /etc/ssh/sshd_config
change
Port 22
to
Port 2222
# service ssh reload

# apt-get install git python-dev python-openssl openssh-server python-pyasn1 python-twisted authbind

# adduser –disabled-password cowrie
Adding user `cowrie’ …
Adding new group `cowrie’ (1002) …
Adding new user `cowrie’ (1002) with group `cowrie’ …
Changing the user information for cowrie
Enter the new value, or press ENTER for the default
Full Name []:
Room Number []:
Work Phone []:
Home Phone []:
Other []:
Is the information correct? [Y/n]
# touch /etc/authbind/byport/22
# chown cowrie:cowrie /etc/authbind/byport/22 && chmod 777 /etc/authbind/byport/22

# su – cowrie
$ cd  cowrie
$ virtualenv cowrie-env
Running virtualenv with interpreter /usr/bin/python2
New python executable in /home/cowrie/cowrie/cowrie-env/bin/python2
Also creating executable in /home/cowrie/cowrie/cowrie-env/bin/python
Installing setuptools, pkg_resources, pip, wheel…done.

$ source cowrie-env/bin/activate
(cowrie-env) $ pip install pycrypto Crypto
(cowrie-env) $ pip install -r requirements.txt
$ cp cowrie.cfg.dist cowrie.cfg
$ pico cowrie.cfg cowrie.cfg
hostname = svr01
listen_port = 22
$ cd data
$ ssh-keygen -t dsa -b 1024 -f ssh_host_dsa_key
$ cd ..
$ export PYTHONPATH=/home/cowrie/cowrie
$ pico start.sh

-set
AUTHBIND_ENABLED=yes
$ ./start.sh

-to start cowrie using root a/c
need to find out

-to stop cowrie
# /home/cowrie/cowrie/stop.sh