Пропускане към основното съдържание

Media - USB/CD/DVD drop attack

Dropping a malicious USB key in parking is an effective attack vector, as demonstrated by my recent large-scale.


After researching and discussing with colleagues the pros and cons of the three types of malicious USB keys, this post will walk you through how to create exploit Powershell and take a full access to the victim computer, like this one who I show you "USB drop attack".


You must be in the IP range of the victim, to accomplish this attack!
Or you have to use your real IP address for a report from the victim when "he" or "she" are connected to their own computer. But this is dangerous and trackable if you use integrated network device!


The goal of the payload is to create a reverse TCP shell that connects back to a server chosen by the attacker.


For 100% successful attack you have to use a CD or DVD for this, because the antivirus of the victim can delete your payload from your USB stick in the background process! Your lure must be a very seductive, this is very nasty trick! :)


NOTE: On some systems, "Autoplay" for media - CD/DVD or USB options , are not enabled!!! For that reason you need to lure the victim to click on your exploit program!



IMPORTANT: Never use USB, CD OR DVD which you found on the street, parking, or front of your door. If this is happened immediately connect with computer specialist or your System Administrator before you decide to use this media, or contact me! ;)

About the Metasploit Meterpreter
Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers and is extended over the network at runtime. It communicates over the stager socket and provides a comprehensive client-side Ruby API. It features command history, tab completion, channels, and more. Metepreter was originally written by skape for Metasploit 2.x, common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3. The server portion is implemented in plain C and is now compiled with MSVC, making it somewhat portable. The client can be written in any language but Metasploit has a full-featured Ruby client API.
- How Meterpreter Works
The target executes the initial stager. This is usually one of bind, reverse, findtag, passivex, etc. The stager loads the DLL prefixed with Reflective. The Reflective stub handles the loading/injection of the DLL. The Metepreter core initializes, establishes a TLS/1.0 link over the socket and sends a GET. Metasploit receives this GET and configures the client. Lastly, Meterpreter loads extensions. It will always load stdapi and will load priv if the module gives administrative rights. All of these extensions are loaded over TLS/1.0 using a TLV protocol.
- Meterpreter Design Goals

Stealthy
Meterpreter resides entirely in memory and writes nothing to disk. No new processes are created as Meterpreter injects itself into the compromised process and can migrate to other running processes easily. By default, Meterpreter uses encrypted communications. All of these provide limited forensic evidence and impact on the victim machine.
- Powerful
Meterpreter utilizes a channelized communication system. The TLV protocol has few limitations.
- Extensible
Features can be augmented at runtime and are loaded over the network. New features can be added to Meterpreter without having to rebuild it.
- Adding Runtime Features
New features are added to Meterpreter by loading extensions.
The client uploads the DLL over the socket. The server running on the victim loads the DLL in-memory and initializes it. The new extension registers itself with the server. The client on the attackers machine loads the local extension API and can now call the extensions functions. This entire process is seamless and takes approximately 1 second to complete.
building a your own CODE

Коментари

Popular Posts

CVE-2021-44228

REPRODUCE OF THE VULNERABILITY =): Collaboration: silentsignal

CVE-2022-21907

Donate if you are not shame!

DVWA - Brute Force (High Level) - Anti-CSRF Tokens

This is the final "how to" guide which brute focuses Damn Vulnerable Web Application (DVWA), this time on the high security level. It is an expansion from the "low" level (which is a straightforward HTTP GET form attack). The main login screen shares similar issues (brute force-able and with anti-CSRF tokens). The only other posting is the "medium" security level post (which deals with timing issues). For the final time, let's pretend we do not know any credentials for DVWA.... Let's play dumb and brute force DVWA... once and for all! TL;DR: Quick copy/paste 1: CSRF=$(curl -s -c dvwa.cookie "192.168.1.44/DVWA/login.php" | awk -F 'value=' '/user_token/ {print $2}' | cut -d "'" -f2) 2: SESSIONID=$(grep PHPSESSID dvwa.cookie | cut -d $'\t' -f7) 3: curl -s -b dvwa.cookie -d "username=admin&password=password&user_token=${CSRF}&Login=Login" "192.168.1...