Posted on

Windows POST Exploitation: Koadic

Hello aspiring Ethical Hackers. In this article you will learn about a Windows POST Exploitation tool named Koadic. Koadic, or COM command and control is a Rootkit tool that is used for Windows POST exploitation. It is similar to Meterpreter and Powershell Empire except that it performs most of its operations using Windows Script Host. i.e JScript and Visual Basic Script.

The good thing about Koadic is that it is compatible with almost all the versions of Windows from Windows 2000 to windows 10. It also has the ability to serve payloads in memory and is updated to run with newly released Python 3. Koadic can be cloned from Github as shown below.

Apr 2021 Rwhs 41

Once the repository is cloned, we can navigate into that directory and install the requirements needed for using koadic.

Apr 2021 Rwhs 43

Once the requirements are all installed, koadic can be started. It can be started using the command shown below.

./koadic

windows post exploitation

Koadic has two important components. They are,

  1. Stagers
  2. Implants.

Stagers are used to get initial sessions which are called as Zombies. Once Koadic is started, we can have a look at various stagers of koadic using command shown below.

use stager <tab> <tab>

Apr 2021 Rwhs 46

Let’s use the Java script mshta stager. This stager serves payloads in memory using MSHTA.exe Html applications.

Apr 2021 Rwhs 4748

Set the SRVHOST, SRVPORT and ENDPOINT (name of the stager we create) options and execute the stager using run command.

Apr 2021 Rwhs 49

As you can see in the above image, the payload is ready. Once victims visit this link, the virus_scanner.hta payload starts downloading on the target machine. Once the victim executes it, we get a ZOMBIE on a attacker machine as shown in the image below. Zombie in Koadic is just like a session in Metasploit.

Apr 2021 Rwhs 63

The “zombies” command can be used to view all the sessions we have.

Apr 2021 Rwhs 64

Every zombie session is given a session id starting from 0 which can be used for interacting with it. For example, the zombie session I got has been assigned ID “0”. Let’s interact with it.

Apr 2021 Rwhs 6566

Readers will learn more about this tool in Part 2 of this article.

Posted on

Tomcat War Deployer : A tool to hack Tomcat

Hello aspiring Ethical Hackers. In this article you will learn about Tomcat War Deployer a tool used to pen test a Apache Tomcat system.

In the Real World Hacking Scenario of our HackercoolMag May2020 Issue, you will see how Hackercool exploits a Apache Tomcat system that is placed behind a Router. In that scenario, once Apache Tomcat credentials are compromised, he makes a war payload with Metasploit. Once the payload executes, he gets a shell on the target.

However, Metasploit is not the only tool that is used to make malicious WAR payloads. The Tomcat War Deployer is another tool that can be used to make WAR payloads which can be used for penetration testing. A WAR stands for Web Archive. It can include servlet, xml , jsp, image, html, css and js files etc. This files are created in Java.
The Tomcat War Deployer can be used from Kali Linux and can be cloned from this Github link as shown below.

Wardeployer1

Once the cloning is done, you should see a new directory named tomcatWarDeployer in the directory from which you cloned. Move into that directory and type the command highlighted in the image given below. The “-h” option is help and it displays all the commands that can be used with this tool.

how to use tomcat war deployer to hack tomcat targets
Wardeployer3
Wardeployer4

Now, let’s see how to create a payload with Tomcat WarDeployer.

Wardeployer5a
Wardeployer5

The “-H” option is used to specify the host IP address to which we want our shell to be connected (i.e the attacker system’s IP address). The “-p” option specifies the port on which the shell should connect to (we specified port 4646 here). The “-G” option is used to specify the name of the output file. We named it tomcat_shell for this article.

Wardeployer6

Let’s upload this shell to the target. We are using the same target that we have used in the Real World Hacking Scenario of the Hackercool Magazine May 2020 Issue.

Wardeployer7 1024x399
Wardeployer8 1024x463

Before executing it, let’s start a Netcat listener on port 4646.

Wardeployer9

When you click on the payload on the target, you will see something as shown below. Your payload is protected with a password to prevent its misuse from others (read hackers). However this password is randomly generated and even you will lose access if you don’t know it.

Wardeployer10 1024x327

The “-X” option is used to set the password for our payload. Setting it to “None” as shown below will not set any password for our payload.

Wardeployer11

You can set any password you want as shown below. Here, we set it to “hcool”.

Wardeployer12

The “-v” option is used to set the verbose mode. This gives more clear details about the creation of payloads. You can see it below.

Wardeployer13
Wardeployer14

Now, let’s create a payload named “tomcat_shell.war” without any password.

Wardeployer15

Here’s how its looks.

Wardeployer16 1024x325
Wardeployer17 1024x349

Let’s create the payload with password “123456”. It is wise to generate a payload with a password while penetration testing to avoid misuse.

Wardeployer18
Wardeployer19 1024x335

The “-s” option simulates the breach without performing any offensive actions.

Wardeployer20

Simulation helps us to verify if the attack works without changing anything on the target system. The “-U” option is used to set the username and “-P” option is used to set the password. These are the credentials we need to login into the target.

Wardeployer21
Wardeployer22

In the above image, the simulations says that it reached the target, validated the credentials and did everything to prove that the attack works. But it did not deploy the payload.
The “-C” option specifies not to connect to the spawned shell immediately. By default, it connects to the spawned shell immediately. This option stops that letting us use other handlers like Metasploit or Netcat. Since we already started a Netcat listener, we will use this option for now. We can specify the target IP address and port at the end of the command as shown below.

Wardeployer23
Wardeployer25

At our Netcat listener, we already have a shell as you can see in the image below.

Wardeployer28

If you don’t specify the “-C” option, shell will be automatically spawned as shown below.

Wardeploy29 1
Wardeploy31

Finally, after the penetration test is completed, you can delete the uploaded payload using the “-R” option. You need to specify the name of the payload with the “-n” option. The example is shown below.

Wardeploy32

Posted on 1 Comment

GNU Debugger : Step By step Guide

Hello aspiring ethical hackers. In this howto, you will learn about GNU Debugger, step by step, A debugger is a computer program used to test the working of and debug other programs. Debugging means breaking down the program to see if it has any bugs or working glitches. These bugs can also be vulnerabilities although most of the times they are random behavior or unexpected behavior of the program (like crashing).

A debugger does debugging by running the target program under controlled conditions. GNU debugger more popular as GDB, is one such debugger. It can do four main things for us : Starting the program we want to test, Stop the program at certain points, examine what has happened when the program has stopped and change things in the target program allowing us to experiment. It is a portable debugger and runs on Windows, UNIX and Mac OS X. It can be used to debug programs of the given programming languages below.


1. Ada 2. Assembly 3. C 4. C++ 5. D 6. Fortran 7. Go 8. Objective-C 9. OpenCL 10. Modula-2 11. Pascal 12. Rust

Now let’s learn about this tool practically. We are doing this on Kali Linux OS (any version) as GNU debugger is provided by default in it. We create a new directory named “C” and move into that directory.

Gdb1

In that folder, use your favorite text editor to create a script named “first.c” and code a C program as shown below (Type it, don’t copy, you will thank us later).

Gdb2

As can be seen, it is a simple C program that adds two numbers given to it. Once the program is finished, save the file and compile the program using GCC compiler as shown below. Compiling the program is the process of turning it into machine language. This can be done using command gcc first.c -g -o first.

The “-g” option enables debugging. Once it is in machine code, we can execute it and see if it is working. It can be done in Linux as ./first. As we coded it, the program first asks the user to enter the first number. Once it is over, it asks user to enter the second umber. When both numbers are entered, it will ad -d them both and print the result after adding them both.

Gdb6a

The program is running smoothly as intended. Now, let’s load this in the gdb debugger as shown below.

How to use GNU Debugger

Now let’s run the program once again inside the debugger. This can be done either using command r or run.

Gdb7
Gdb11

Now, in case you forgot the code of the program and can’t remember what it does you have no need to go out of the debugger. Using “l” or “list” command will show the first 10 lines of the code as shown below.

Gdb9
Gdb10

Now let’s add a break point at a certain line of the program. Break points allow us to stop the program at a certain point we want. A break point can be added using command “break” or “b“. Run the program again to see if the program stops at the intended point.

Gdb12

It stops exactly at line 9. The disable command disables the latest break point.

Gdb13

Now we set a break point at line 10 and want to see something. As the program stops at line 10, we can only enter one value that of variable “a”. We can use the print command to see the values of variables we have assigned.

Gdb14

While the value of “a” is something we set and it displaying correctly, we did not yet set the value for variable “b”. But it is still showing some random value. We can change the values we already set using the “set” command as shown below.

Gdb15

We set another break point and all the breakpoints set to the program can be seen using command “info b“.

Gdb16

Although there are three breakpoints, see that only two of them are active as we disabled one already. Let’s run the program again.

Gdb17

It stops at the break point which is at line 10. To completely remove the breakpoint use command “clear“.

Gdb18

Now there are only two breakpoints. To continue running the program from this point, use command “continue“. This will run the program from the exact point where it stopped. The program exited normally. “clear” command can be used to delete break points using their line number as shown below.

Gdb20

Let’s run the program again after removing all the break points .

Gdb21

Now, let’s set three new break points again on lines 9, 11 and 16. We will assign the values as the program executes.

Gdb22

At the first break point, I set the value of variable “a” to 19.5 and continue the program. I use the print command to see the value of variable “a”.

Gdb23

As you can see, it is printed as 19 and not 19.5. Our first bug. Similarly the “b” variable is 17 whereas we gave it the value of 17.6.

Gdb24

When we continue the program as it is, the answer we got is 32786 which is definitely wrong. Here we detected that the program is behaving abnormally when decimal numbers are given as input.

Gdb25

Here’ s another example.

Gdb26

Seeing this we can conclude that this program is only suitable for non decimal numbers and result goes wrong even if one of them is a decimal number. Using gdb we found out our first bug in a program. We can even see the assembly code of this program using the “disass” command.

Gdb28

But more about this in our future articles, That was all about Gnu debugger.

Posted on 1 Comment

Donut shellcode generator

Donut shellcode generator is a tool that generates shellcode from VBScript, JScript, EXE, DLL files and DOTNET assemblies. Although there are many tools that can do this, Donut does this with position independent code that enables in-memory execution of the compiled assemblies. This compiled shellcode assembly can either be staged from a HTTP server or embedded directly in the file itself. After the compiled shellcode is loaded and executed in memory, the original reference is erased immediately to avoid memory scanners.

The features supported by the Donut generator are

  1. Compression of the generated files with aPLib and LZNT1, Xpress, Xpress Huffman.
  2. Using entropy for generation of strings 128-bit symmetric encryption of files.
  3. Patching Antimalware Scan Interface (AMSI) and Windows Lockdown Policy (WLDP).
  4. Patching command line for EXE files.
  5. Patching exit-related API to avoid termination of host process.
  6. Multiple output formats: C, Ruby, Python, PowerShell, Base64, C#, Hexadecimal.
  7. What exactly is shellcode? Shellcode is a bit assembly code or machine language. Shellcode plays a very important role in cyber security. Typically shellcode is used in offensive penetration testing. In this article, let us learn about this awesome tool. This tool can be installed in Kali Linux by cloning it from Github as shown below. This will create a new directory named “Donut”
donut1

Navigating into the Donut shellcode generator directory, let’s create the shellcode of mimikatz.exe as shown.

How to use donut shellcode generator

Mimikatz.exe is a simple tool that is used to play with windows security. If you take this executable of Mimikatz into a Windows system, any antivirus or Windows Defender will detect this as malware. Just try it on your machine first before turning it into shellcode. It is found in Kali Linux. Here we copied it into the Donut folder.
When we run above command, shellcode is created as a file named “loader.bin” in the same directory of Donut.

Donut4

By default, Donut creates shellcode for x86 (32bit) and amd64 (64bit). To create only a x86 shellcode, the command is as shown below.

Donut3

The “-b” option is used to set the shellcode’s behavior when faced with AMSI/WLDP. Anti Malware Scan Interface and Windows Lock Down Policy are security features. These both features help in defending against malware.

Donut5

By default, Donut sets the shellcode to bypass AMSI/WLDP. By setting the “-b” option to “2” as shown in the above image, it can be set to ABORT once it encounters AMSI/WLDP. Setting “1 ” will do nothing.
Entropy in general terms means the degree of randomness. It is used in malware to make detection of its code harder by Anti malware. This is called obfuscation. The more the entropy the least chances of detection of malware. Donut by default sets random names and al- so encrypts the shellcode to obfuscate the code from anti malware. It can be changed using the “-e” option. Setting it to “2” just sets random names to the payload and setting it to “1” does nothing.

Donut6

Not just binaries, we can create different output formats with Donut although by default it creates a binary payload. The “-f” option is used to set different output formats. For example, set -ting “-f” option to “2” gives a base64 format. 3 creates C, 4 creates Ruby, 5 creates Python, 6 creates Powershell, 7 creates C# and 8 creates Hexadecimal shellcodes respectively.

Donut7
Donut8
Donut9

The “-z” option is used to setting packing and compressing engines. Donut doesn’t use any compression by default. However it supports four compression engines. 2=aPLib, 3=LZNT1, 4=Xpress, 5=Xpress Huffman. Only the aPlib compressor works in Linux. Rest of them work in windows. Compression reduces the size of the payload whereas packing is used to avoid detection by anti malware.

Donut11

We have seen that by default, Donut saves the payloads it creates in the same directory. The location as to where the payload is saved can be changed with the “-o” option.

Donut12

That’s all about the Donut shellcode generator, readers. We will learn more about this tool and how it is used in real world ethical hacking.

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.

Posted on

PEframe : Analysis of portable executable files

Hi Readers today we will see a PEframe Tutorial. These days hackers are using numerous ways to get into our systems. One of them is by sending a malicious portable executable file to us or make us download the malicious executable file and execute it on our system. We have seen one such Real World Hacking Scenario in the issue of Hackercool February 2017. In this scenario we have not only seen how hackers can make malicious executable files but also how they bypass antivirus and convince the innocent users to click on those malicious files. In this howto, we will learn how to perform analysis of portable executable files.

Analysis helps us to determine what the file was intended to do once clicked. There are two types of analysis: static analysis and dynamic analysis. In static analysis the sample is analyzed without executing it whereas in dynamic analysis the sample is executed in a controlled environment. Static analysis is performed on the source code of the sample portable executable. There are various tools which help us in static analysis of portable executables. One such tool is PEframe. PEframe reveals information about suspicious files like packers, xor, digital signature, mutex, anti debug, anti virtual machine, suspicious sections and functions and much more. PEframe is open source and can be installed in Kali Linux as shown below.

Open a terminal and type the command as shown below to clone PEFrame from Github.

Peframe1

After PEFrame is cloned successfully, a new directory is formed with name peframe. You are automatically taken into this directory. This tool requires simplejson (a subset of JavaScript). So install it using pip command. Next, we need to run the setup.py file from the directory. Since it is a python file, we need to run the command “python setup.py” install to install PEframe.

Peframe2

Once the installation is finished, type command “peframe -h” to see its simple usage

Peframe3

Before we analyze the portable executables, let us analyze some files we created for tutorials of our magazine. The first one is msf.pdf we created using Metasploit.

Peframe4
Peframe5

As you can see in the above image, we found not only an IP address but also an url hosting some executable file. It can be assumed that as we open this pdf file, another executable will be downloaded from the IP address and executed in our system. Let us now analyze a hta file created with Metasploit next. This file is analyzed as a HTML document with IP address and it has a library called kernel32.dll. This file probably opens a payload when clicked upon. Given below is another similar file in visual basic format.

Peframe6

Given below is a macro file. You can see all these files have an IP address where probably a listener is running.

Peframe7

Now let us analyze a portable executable file. Kali Linux has some exe files already stored in its windows-binaries folder. We will analyze the plink.exe file.

Peframe8

Plink.exe is a command line utility file similar to UNIX ssh. It is mostly used for automated operations. As you can see in the image given above, the program is giving more detailed information to us than the other files. The plink.exe has four sections and none of them appears to be suspicious. But the file has a packer, mutex and antidbg. The packer it used is Microsoft Visual C++ which is normally used for genuine programs.

Peframe9

Given above is its Antidbg and Mutex information. The dynamic link libraries it imports is also given. Given below are the apis (application programming interfaces) used by the file.

Peframe10

The filenames found in the portable executable are given in the image below. As you can see it has a big list of filenames.

Peframe11

Metadata is data about the data. Metadata reveals a lot of information about a file. Given below is the metadata of our portable executable. We can see that it is a part of Putty Suite.

Peframe12

Even the description of the file is given. Normally malware does not contain so much information about itself like this Plink file. Only genuine files contain so much information because they have no use to hide themselves. Now let us analyze another file. This file is also present in Kali Linux and it is a keylogger. It is klogger.exe present in the same windows-binaries folder.

Peframe13

As you can see in the above image, the file which has five sections has two suspicious sections and the packer it uses is ASPack v2.11. Let us have a look at its suspicious sections once.

Given below in the image are its api alerts and filenames. As you have observed, this file reveals very less information than the previous analyzed file. This in itself does not mean that the file is malicious but it gives a general idea about it. That’s all about Forensics using static analyzer PEFrame. We will be back with a new tool in our next howto.

Peframe14

Liked this article? Learn advanced ethical hacking tutorials in our Monthly Magazine. Enjoy Free for 3 months.