Nessus + Metasploit = db_autopwn


Have you ever wanted to use one line of code that does all the wonders of hacking for you, e.g. getting into a remote computer on your network without the target knowing? Or remotely installing a program on that computer and starting it without the user's consent? Wondering which exploit in Metasploit matches the vulnerability you found using Nessus?

Enter the world of Metasploit combined with Nessus. By linking the two together, you can run a single command in Metasploit that does both at the same time!


DLL Injection | What it is


In computer programming, DLL injection is a technique used to run code within the address space of another process by forcing it to load a dynamic-link library.[1] DLL injection is often used by third-party developers to influence the behavior of a program in a way its authors did not anticipate or intend.[1][2][3] For example, the injected code could trap system function calls,[4][5] or read the contents of password textboxes, which cannot be done the usual way.[6]

Approaches on Microsoft Windows

There are at least four ways to force a program to load a DLL on Microsoft Windows:

  • DLLs listed under the registry key HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows\AppInit_DLLs will be loaded into every process that links to User32.dll as that DLL attaches itself to the process.[5][7][8][9]
  • Process manipulation functions such as CreateRemoteThread can be used to inject a DLL into a program after it has started.[5][6][10][11][12][13]
    1. Get a handle to the target process. This can be done by spawning the process[14][15] or by keying off something created by that process that is known to exist – for instance, a window with a predictable title,[16] or by obtaining a list of running processes[17] and scanning for the target executable’s filename.[18]
    2. Allocate some memory in the target process,[19] and write the name of the DLL to be injected into it.[10][20]
      This step can be skipped if a suitable DLL name is already available in the target process. For example, if a process links to ‘User32.dll’, ‘GDI32.dll’, ‘Kernel32.dll’ or any other library whose name ends in ‘32.dll’, it would be possible to load a library named ‘32.dll’. This technique has in the past been demonstrated to be effective against a method of guarding processes against DLL injection.[21]
    3. Create a new thread in the target process[22] with the thread’s start address set to be the address of LoadLibrary and the argument set to the address of the string just uploaded into the target.[10][23]
      Instead of writing the name of a DLL-to-load to the target and starting the new thread at LoadLibrary, one can write the code-to-be-executed to the target and start the thread at that code.[6]
    4. The operating system will now call DllMain in the injected DLL.[10][24]
    Note that without precautions, this approach can be detected by the target process due to the DLL_THREAD_ATTACH notifications sent to every loaded module as a thread starts.[24]
  • Windows hooking calls such as SetWindowsHookEx.[2][5][6][25][26][27]
  • Use the debugging functions to pause all threads, and then hijack an existing thread in the application to execute injected code, which in turn could load a DLL.[4][28][29]

In Windows Vista, Microsoft introduced the notion of a protected process. Such processes are immune from DLL Injection.[30]

Source: Wikipedia
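Two of the vectors listed above leave a footprint that an administrator can check for: the AppInit_DLLs registry value, and the set of modules actually loaded into each running process. The following PowerShell script is an added example and is not part of the Wikipedia text or of this post. It assumes an elevated session on 64-bit Windows; the list of "trusted" directories it compares module paths against is my own baseline assumption, not a rule enforced by Windows.

```powershell
# Added example: audit a Windows host for the two DLL-loading vectors
# discussed above. Run elevated; this is not code from the original post.

# --- 1. AppInit_DLLs -------------------------------------------------------
# Any DLL listed in these values is loaded into every process that links
# User32.dll. On a clean system AppInit_DLLs is empty; LoadAppInit_DLLs = 0
# disables the mechanism altogether. The Wow6432Node key covers 32-bit
# processes on 64-bit Windows.
$appInitKeys = @(
    'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Windows',
    'HKLM:\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Windows'
)
foreach ($key in $appInitKeys) {
    $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    if (-not $props) { continue }
    $enabled = $props.LoadAppInit_DLLs
    $dlls    = $props.AppInit_DLLs
    if ([string]::IsNullOrWhiteSpace($dlls)) {
        Write-Host "$key : AppInit_DLLs empty (LoadAppInit_DLLs=$enabled)"
    } else {
        Write-Warning "$key : AppInit_DLLs = '$dlls' (LoadAppInit_DLLs=$enabled)"
    }
}

# --- 2. Modules loaded from outside the usual system directories -----------
# Baseline assumption (mine, not a Windows rule): legitimate DLLs normally live
# under the Windows and Program Files trees. Anything else is worth a look,
# although user-installed software (e.g. under %LOCALAPPDATA%) will show up too.
$trustedDirs = @(
    $env:SystemRoot,
    $env:ProgramFiles,
    ${env:ProgramFiles(x86)},
    $env:ProgramW6432
) | Where-Object { $_ } | ForEach-Object { $_.TrimEnd('\') + '\' } | Select-Object -Unique

function Test-TrustedPath {
    param([string]$Path)
    foreach ($dir in $trustedDirs) {
        if ($Path.StartsWith($dir, [System.StringComparison]::OrdinalIgnoreCase)) {
            return $true
        }
    }
    return $false
}

$findings = foreach ($proc in Get-Process) {
    # Reading Modules fails for protected processes (see the Vista note above)
    # and for processes of another bitness or owner; those are skipped.
    try { $modules = $proc.Modules } catch { continue }
    foreach ($m in $modules) {
        if ($m.FileName -and -not (Test-TrustedPath $m.FileName)) {
            [pscustomobject]@{
                Process = $proc.ProcessName
                PID     = $proc.Id
                Module  = $m.ModuleName
                Path    = $m.FileName
            }
        }
    }
}

if ($findings) {
    $findings | Sort-Object Process, Module | Format-Table -AutoSize
} else {
    Write-Host 'No modules loaded from outside the trusted directories.'
}
```

An empty AppInit_DLLs value says nothing about the CreateRemoteThread approach, which touches no registry key at all; that is why the second half of the script looks at what is actually mapped into live processes, where a library with an odd name (such as the "32.dll" trick mentioned above) or an odd path would stand out. Treat the output as a list to triage against a known-good baseline of the host rather than as a verdict, and remember that modules of protected processes cannot be read this way.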

How useful an iPod can be!


Today I decided to try out TeamViewer via my iPod.  I ended up finding fascinating adventures with it.  Below are some of the unthinkable ideas I had.

Cookie 1

Imagine that you are sitting in Starbucks and your friend urgently needs a document from you that you have at home, which is half an hour away.  No worries, for TeamViewer is here; with your iPod or iPhone in your hand, connect to the Starbucks wireless network and run TeamViewer’s app (Download).  Connect to the TeamViewer software which you ran earlier at home (on Mac, Linux or Windows), open up your e-mail service and send it to your friend! Voilà, problem solved!

Cookie 2

I was lying lazily on my bed and I wanted to see what was going on on my laptop.  Maybe a friend of mine had dropped me a message on Windows Live Messenger / aMSN.  Luckily I had my iPod with me; I simply connected to my home network, launched TeamViewer and connected to my Ubuntu machine.  My friend Esther had dropped me a message, so I decided to let her know how great this application was, and I decided to communicate this way (it was a new experience) although there are a lot of messaging tools that I know of.  I thought of checking what was up with the virtual machine I had left running; I found nothing much, so I decided to shut it down to save processes.  Oh well, finally nothing much to do, so I just pressed the “Shut Down…” menu option.  Let’s get back to Fruit Ninja!

Cookie 3

Wow, if you have an iPhone and you need to do anything anywhere… it’s even better!  Do you know what I thought of… Imagine I’m in transit while rushing to university, having left my computer on with my current project (programming some silly software again).  I can simply connect to it remotely with TeamViewer and continue debugging, or turn it off otherwise.  This is one of the most exciting features I could think of: programming remotely!!