Penetration testing with Metasploit

Penetration testing is one way to identify the security holes in your system, and Metasploit is a great free and open source tool for launching the attack.

Here I have two machines in my virtual environment, and I am using my favorite, Kali, to launch the attack. We will use browser_autopwn2, which is an auxiliary module packaged within Metasploit.

Before doing anything, please ensure that the firewall on your Windows system is disabled, then ping from both systems to confirm that each can reach the other.

Great!! Now launch your “weapon”, the Metasploit framework, from Kali Linux. It is the one with the “M” icon on the sidebar. To load any module, we use the keyword “use”. Since we are using browser_autopwn2, we type its path, which is auxiliary/server/browser_autopwn2

Then hit Enter to move to the next step. To find the LISTENER address, type run next.

After a number of lines, we will see the address. This is the address we have to copy down and type into the browser of the victim system (Windows XP).

Go to Internet Explorer on Windows XP and type the URL. You will notice changes on your terminal in Kali. This opened two sessions, which can be used to interact with the victim system.

Type “sessions -i 1” to interact with the first session through ‘meterpreter’. Type help to see all the fun stuff you can do with this.

The ‘help’ command will introduce you to a number of commands and their functions. You can use hashdump to collect usernames and hashes.

This is one of the commands I used here, to shut down the victim system. Try other commands too and enjoy your hack!! 😉

Install Havij in Ubuntu 12.04

Havij is an SQL injection tool that provides features for exploiting SQL injection vulnerabilities. Using this software, a user can fingerprint the back-end database, retrieve DBMS users and password hashes, dump tables and columns, fetch data from the database, run SQL statements, and even access the underlying file system and execute commands on the operating system.

Havij runs on Windows-based operating systems. However, you can use Wine to run Havij on Linux. Here are a few steps for installing Havij on your Ubuntu machine.

Open your terminal and run this command to install Wine:

    sudo apt-get install wine

Then, download Havij using the command:

    wget http://itsecteam.com/files/havij/Havij1.15Free.rar

You can also download it from http://www.itsecteam.com/products/havij-v116-advanced-sql-injection/index.html

Now, extract the archive using:

    unrar x Havij1.15Free.rar

Right-click the Havij .exe file, choose Open with Wine Windows Program Loader, and install it.

The free version of Havij is limited in some features; the commercial version can be purchased at http://itsecteam.com