Installing Metasploit Framework on OS X El Capitan

This Guide is adapted from Carlos Perez’s Blog (http://www.darkoperator.com/installing-metasploit-framewor/) (which is a must read) with some additions and fixes to make the setup work on OS X El Capitan. This post should help to alleviate some common issues with installing ruby and the Metasploit Framework on OS X. The main issues being that OS X ships with a newer version of Ruby that is not compatible with Metasploit and the version of libiconv installed with OS X causes issues installing the Nokogiri gem.

Xcode and Command Line Development Tools

The first step is to ensure that Software Update has been run and that OS X is updated. Once OS X has been updated, It is time to install Xcode.

Mac App Store – Xcode

Once Xcode has been installed launch Xcode from Applications and agree to the SDK License Agreement.

Install Xcode developer tools  by typing:

xcode-select --install

Click Install in the dialog box that pops up and the package will be … read more

Installing Metasploit Framework on OS X Yosemite (Updated April 2015)

EDIT: The installation guide for OSX El Capitan can be found here: http://hackerforhire.com.au/installing-metasploit-framework-on-os-x-el-capitan/

This Guide is adapted from Carlos Perez’s Blog (http://www.darkoperator.com/installing-metasploit-framewor/) (which is a must read) with some additions and fixes to make the setup work on OS X Yosemite. This post should help to alleviate some common issues with installing ruby and the Metasploit Framework on OS X. The main issues being that OS X ships with a newer version of Ruby that is not compatible with Metasploit and the version of libiconv installed with OS X causes issues installing the Nokogiri gem.

Xcode and Command Line Development Tools

The first step is to ensure that Software Update has been run and that OS X is updated. Once OS X has been updated, It is time to install Xcode.

Mac App Store – Xcode

Once Xcode has been installed launch Xcode from Applications and agree to the SDK License Agreement.

Install Xcode developer tools  by typing:

xcode-select --install

Click … read more

installing unicornscan on debian/ubuntu

Looking back, I can’t remember a time where I used Nmap to perform UDP port scans. Pentesters are far too impatient to spend hours waiting for a UDP scan to finish in the hope of finding some badly configured service. Which is why I found it odd when I received a message saying “why do UDP scans take hours?

It never occurred to me that this poor dude was staring at the screen, Nmap torturing him every 30 seconds by telling him he won’t be done with this machine any time this week. I told him about this gem of a payload transmitter that just also happened to be an epic UDP port scanner, largely forgotten since the sad departure of the late Jack C. Louis. And seeing as this was a client supplied ‘jump-box’ and not something handy like Kali, I decided to take a crack at installing and showing the tester good ol’ unicornscan. (I didn’t realise installing unicornscan would take longer than the Nmap UDP … read more

data exfiltration over SSL with srvdir

Every now and then I come across some application that may or may not have been developed with penetration testing in mind but it ends up being damn helpful all the same. Yesterday I found a post about ‘srvdir‘ (surv~durr?) which is designed to share content over SSL/TLS via a public site.

When trying to exfiltrate data from a client site I normally spend a lot of time setting up tunnels, using disposable A records from afraid.org and one of my boxes in some east-european cave just so I can get the damn ‘payroll-summary-june-2014.pdf’ trophy off some box that is swimming in ssh-tunnel-fu. srvdir is the perfect answer to this problem and testing it has been awesome and full of those “Why didn’t I think of this?!!” rants.

Essentially, what srvdir does is to create a SSL tunnel to the mothership ‘srvdir.net’ and issue a subdomain that can be accessed externally to siphon the files off. Grabbing files is relatively painless with the odd 404 for the permission snobs. … read more

part 3: cleaning and optimising shellcode

In Part 2: Building the shellcode, we created a bind shell on port 4444 which accepts connections from any host and then interacts with “/bin/sh” to facilitate remote code execution. Our shellcode however was littered with null bytes and would probably not be very useful if embedding in any exploit code.

In this final part, we will clean our code and remove any null bytes from our shellcode. We will also look at removing unnecessary instruction to make our shellcode smaller if possible. Lets get started.

Step one, lets take a look at our shellcode using objdump:

part 2: building the shellcode

In Part 1: Disassembling and Understanding Shellcode we disassembled some shellcode and found out the steps required to create a bind shell. In Part 2, we will take each of these 6 steps, understand them and write assembly instructions to call them.

The steps we need to follow to create our bind shell are:
1. Socket
2. Bind
3. Listen
4. Accept
5. Dup2
6. Execve

We are going to spend a lot of time working with NASM (The Netwide Assembler). To install NASM, run the following command: