For a "hack it yourself" workshop I am giving I would like to show the (not too technical) audience how easy it is to hack. I'm going to use a simple W7 VM with a vulnerable application to spawn a reverse shell on my Kali machine.
I then have full system privileges on the machine, but as these are not technical people I want to show some sparkle etc. So what I want to do is either:
Open browser navigate to a youtube "you got hacked!" video (this might be difficult)
Open a video that I already put on the machine
Open calc.exe in the foreground.
So my problem here is that I don't know how to open an application that shows in the foreground of the victim machine, so that it actually shows up on the screen!
Can anyone help me with this?
So to answer the question (just for clarity, instead of in the comments).
Thanks to Maximilian Gerhardt who gave the answer (I will set you as best answer if you want but I can't just from the comments!).
There are two ways that are good for this:
Download psexec.exe onto the "victim" pc and use that with psexec.exe -s -d -i [here the session token "1" works for me] calc.exe
If using a meterpreter shell you can use incognito mode (offensive-security.com/metasploit-unleashed/fun-incognito). And then use the impersonate_token method. This works great, but I cannot go back to being SYSTEM (getsystem doesn't work as there are no privilege escalation vulnerabilities present). So I have to exit and reuse the exploit. But for the workshop this works beautifully!
For those interested I use SLMail 5.5 on a W7 machine to show how easy "hacking" can be and what a hacker then can do with a computer. This is for an awareness workshop, which is bigger than just this "show and tell" part.
steps:
nmap scan on port 110 with version detection to see "hey what is this? SLMail?"
google SLMail to find "Oh noes a buffer overflow, hmmmmm let's look into that!"
this is metasploit, a tool hackers can use to exploit known systems (I have the manually made exploit with more explanation for interested people after the workshop, with the buffer overflow explained)
search in metasploit for SLMail, we find it and say use
"it works how cool! What can we do with it?" show webcam capture! (that is scary stuff :D).
Go to shell and show with whoami for the tech people that we are indeed SYSTEM. Then go to incognito mode and steal the token from the user that we see on the screen.
open up youtube with "hackerman" video (well had to choose one :D)
explain a bit that it is that easy for a script kiddy to get in if you don't update etc. etc. etc.
let awareness kick in and next time they do something dumb they might think: "oh wait, let's not do that!"
Cheers!
I am using Docker Compose, which will run on a Linux tablet in production. I have a container serving up a web GUI. The user will click a "print" button in the GUI, which will result in some kind of request (probably HTTP to Flask in another container, which will maybe forward it to some other container), and that request will result in some data being sent to the printer.
My first step, I can only imagine, is to be able to send data to the printer from inside a Docker container. Any Docker container. I can then use that knowledge, of how to send something to the printer from Docker, to incorporate the printing into my system.
So, that's the infrastructure I'm working with. It can be simplified as simply "I want to print to a printer from a Docker container." I'm working on a Mac, and I can print from the Mac using lp. So I know the connection to the printer is working.
I've tried a few containers, including olbat/cupsd. lpstat -r pretty much always says the Scheduler is running, but lpstat -v always shows that no destinations are set up.
My DevOps guy and I have been banging our heads against the wall all day on this. There are various articles and repos about setting up CUPS in Docker, but they all have holes somewhere, where they say "Use the fooglesplatter to connect to the printer" without telling you what a fooglesplatter is. Or (for a more concrete example) they'll talk about how you set up the CUPS dashboard to add your printer on your local machine, and then say "Voila! You can print!" without telling you what to do in the container. Or they'll refer to a conf file that doesn't exist on my machine. Or something else that leaves us completely baffled.
Can someone who has accomplished this please post (or direct me to) a step-by-step guide that basically treats me like I've never touched a computer before? That assumes no knowledge whatsoever and spells out every step? We are wise Docker users, and my DevOps guy is a much smarter guy than I am, but we are both at a loss.
I know this is a crazy request. Maybe it's not an SO appropriate question. Close it if you must. But we are incredibly stuck and I really hope someone can help us.
I have done a jailbreak on an old iPad 1, using redsn0w. It has worked really well. Installed OpenSSH, and I can use PuTTY on Windows or SSH on Linux to log in to my iPad, and of course pscp or scp to migrate files to/from it using Windows or Linux. Installed DOSBox (using the DOSpad.deb file), and it works fine. But there was no "ping" on the basic jailbreak version, so I installed "inetutils", which provides all the GNU inet stuff (ping, ftp, inetd, rlogin, telnet) and then found "arp ifconfig netstat route traceroute" in Network Commands. This makes an old tablet very, very useful. Really fine stuff, but I notice now that the iPad network access times out quickly. This is new behaviour, since the Cydia "inetutils" install. If I set the iPad down, after a few minutes I cannot ping it from any machine on my LAN. I could, before I installed the networking utilities. Maybe a security feature? If so, can I back out the network stuff, and just have ssh access, and have it not time out? I want it to be "alive" all the time.
Ok, found it. When you jailbreak an iPad ver. 1, running iOS 5.1.1, using Redsn0w, the initial install of the code that provides root access does not include standard inetutils. The original behaviour of the iPad 1, if configured with static IP values, meant that if it was on, and the wifi was enabled, it would respond to a "ping", even if the screen was "asleep".
This ping-response was useful for diagnostic purposes. Initial install of the jailbreak code did not change this behaviour. But I could not "ping" out from the iPad to other machines since there was no ping.exe available, even after the jailbreak (this contrasts to Blackberry Playbooks, which had a "ping" utility, and would also respond to pings, even if "asleep").
So I downloaded the "inetutils" package from the Cydia source Telesphoreo, and that provides a ping.exe, which could be used in console mode on the iPad. It worked fine, and is a very useful program.
But, if you set the iPad aside, after about 5 minutes, it would time out. It appears the wifi transmit function is just shutdown, and response to "ping" is explicitly disabled.
After much research and experiment, I've determined that you can re-activate the iPad "ping" response - remotely - by sending it an SSH query. Example:
    [your_id@Linbox ~]$ ssh mobile@xxx.yyy.zzz.aaa
where xxx.yyy.zzz.aaa is your IPv4 address,
assuming you have configured your iPad with a static IP value. (I own a couple of class C IP ranges, so I have been using these for many years in my work.) The two defined user IDs after jailbreak are "mobile" and "root".
The new behaviour appears after you download and install all the newer "inetutils" utilities, and the "Network Commands" utilities, from the Telesphoreo source repository.
This behaviour change is actually a pretty good idea, as it discourages inappropriate usage of ping, and probably also saves battery life. But it is a change from the previous operational characteristic. Another fellow went down this same rabbit-hole, and documented the solution on the "jailbreakqa.com" site, URL below:
http://www.jailbreakqa.com/questions/192379/persistent-wi-fi-when-locked
Hope this info is useful.
Curious to see this query downvoted. Let me say, having this old iPad run as a full-blown remote-accessible Linux box is very useful. Once jailbroken, one can scp files back and forth, install custom computational code locally, and basically have all your office on a small, thin, light tablet in a little briefcase. Most useful.
Very interesting post... just what I am looking for. I use an iPad 1/16GB/3G as a display on my kitchen wall for showing home automation info. This works well, and using ssh I can have it turn on, display something and turn off.
I got myself another iPad 1/16GB wifi only, and this one had the sleeping wifi problem. My first thought was that it had to do with the 3G chip.. that maybe this keeps the iPad alive while the other one goes to sleep. The 3G model doesn't have inetutils installed and still doesn't go to sleep. So there seems some merit to my line of thought.
I installed the inetutils on the wifi-only iPad and it seems like this solved the trick. I can ssh into it just fine.. even when it is in sleep mode. Thanks for your update.
The link in your post doesn't work anymore..
I need to slow down (simulate a bad) internet connection. I found some documentation where it was achieved by the "ipfw pipe" command; the thing is that in the latest Mac OS versions, ipfw was deprecated (and removed)...
I was wondering if there is any alternative to the ipfw API?
Does anyone know how latest Network Link Conditioner achieves it?
The original way to slow down an internet connection:
sudo ipfw pipe 1 config bw 56Kbit/s delay 200 plr 0.2
and to clear the pipe :
sudo ipfw delete 1
Thanks.
I don't know much about Mac OS (I use Linux myself), but I'll give this a shot.
A bunch of digging established that ipfw seems unavailable, as you say.
I was also unable to find a way to use the Network Link Conditioner from the command line. Everything should be usable from the command line, so that's stupid.
One workaround would be to try to access the NLC from within AppleScript. The following will get you started on toggling the NLC:
    property thePane : "com.apple.Network-Link-Conditioner"

    -- open System Preferences on the Network Link Conditioner pane
    tell application "System Preferences"
        activate
        set the current pane to pane id thePane
        --delay 2
    end tell
    ---
    -- toggle the "enable switch" checkbox through the accessibility API
    tell application "System Events"
        tell application process "System Preferences"
            try
                click (first checkbox of window "Network Link Conditioner" whose description is "enable switch")
            on error
                -- the window may not be ready yet: wait briefly and retry once
                delay 1
                click (first checkbox of window "Network Link Conditioner" whose description is "enable switch")
            end try
        end tell
    end tell
I think that you can run a script from the terminal with osascript <SCRIPT>.
As an alternative, Charles Proxy is a pay-to-use program that can be used to perform throttling, provided you can convince the software you are testing to connect to the proxy's port rather than directly to the internet. Maybe there are free proxy solutions out there somewhere?
Perhaps Squid would work in that regard. SquidMan seems to be an easy-ish way to install it for Mac. It looks as though DelayPools and/or Client Bandwidth Limits might be useful for simulating a low-speed connection, though I can't find evidence of people having used them for such.
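On current macOS the same pipe the question's ipfw command built can be recreated with dnctl (dummynet) and a pf anchor. The script below is an added example, not part of this answer or Apple's tooling; it assumes dnctl and pfctl are present (they ship with macOS), uses an anchor name of our own ("slowlink"), and with DRY_RUN=1 (the default) only prints the commands it would run.

```shell
#!/bin/sh
# Added example: throttle a link on modern macOS with dnctl + pf dummynet, the
# replacement for the removed "ipfw pipe". Assumes dnctl/pfctl are present
# (they ship with macOS) and uses our own anchor name "slowlink".
DRY_RUN="${DRY_RUN:-1}"   # 1 = print each command instead of executing it
ANCHOR="slowlink"

# Execute a command line, or just echo it when DRY_RUN=1.
run() {
  if [ "$DRY_RUN" = "1" ]; then echo "$*"; else eval "$*"; fi
}

# Reject a packet-loss rate outside 0..1 before it reaches dnctl.
valid_plr() {
  awk -v p="$1" 'BEGIN { exit !(p ~ /^[0-9]*\.?[0-9]+$/ && p >= 0 && p <= 1) }'
}

# pf rules that push TCP traffic in both directions through dummynet pipe 1.
pf_rules() {
  printf 'dummynet in quick proto tcp from any to any pipe 1\n'
  printf 'dummynet out quick proto tcp from any to any pipe 1\n'
}

# Equivalent of: sudo ipfw pipe 1 config bw 56Kbit/s delay 200 plr 0.2
# usage: slowlink_up <bandwidth> <delay_ms> <loss_rate>
slowlink_up() {
  bw="$1"; delay="$2"; plr="$3"
  valid_plr "$plr" || { echo "plr must be between 0 and 1: $plr" >&2; return 1; }
  run "sudo dnctl pipe 1 config bw $bw delay $delay plr $plr"
  # reload the stock ruleset plus our anchor, then fill the anchor with the pipe rules
  run "(cat /etc/pf.conf; echo 'dummynet-anchor \"$ANCHOR\"'; echo 'anchor \"$ANCHOR\"') | sudo pfctl -q -f -"
  run "pf_rules | sudo pfctl -q -a $ANCHOR -f -"
  run "sudo pfctl -q -E"
}

# Equivalent of: sudo ipfw delete 1 (flush the anchor and the pipe, restore pf.conf)
slowlink_down() {
  run "sudo pfctl -q -a $ANCHOR -F all"
  run "sudo dnctl -q flush"
  run "sudo pfctl -q -f /etc/pf.conf"
}
```

Run it as `DRY_RUN=0 sh -c '. ./slowlink.sh; slowlink_up 56Kbit/s 200 0.2'` on the Mac itself, and `slowlink_down` to restore the normal ruleset.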
I found several solutions that might work. They come from some old threads, but they might help:
How to simulate slow internet connections on the mac
Apple has made a very handy official tool to slow down the network connections on your Mac for testing purposes.
The Network Link Conditioner preference is a free download from within Xcode (for Lion and later OS). Additionally, iOS has similar function accessible from within Xcode and iOS 6 or later.
How do I simulate a bad Wi-Fi connection on my iPad?
There are a few ways you can do this, depending on your situation:
Move further away from your router. While this may seem a bit obvious, I realize that it isn't always possible while testing/debugging (for example, if you are working on a desktop computer).
Put aluminum foil around the router and/or antenna. This will (partially) block some or all of the radio signals by creating a makeshift Faraday cage. The results you get will depend on the strength of your router signal, distance from the router, and other environmental factors.
Set your router's wireless signal power to a lower setting. The method for doing this is different for each router, so you will have to look at the user guide for instructions on how to do this.
Slow down internet for iOS simulator
You can set the network to a slow characteristic by testing on devices. Go to Settings -> Developer Settings -> Network Link Conditioner -> Enable. This is for iPhone/iPad running iOS 6.
I don't know if the last one you can still do.
I've used many methods in the past for slowing down network connections, among them:
performing a parallel download of some massive Linux ISO file;
physically pulling out the Ethernet cable (at one point, I actually toyed with the idea of building a push-button device that would sit between two cat5 cables and do this without having to physically disconnect the whole cable).
using ifconfig eth0 down ; sleep 1 ; ifconfig eth0 up.
Hopefully one or more of those methods will help.
If you're looking to slow down your network connection because you're doing testing/profiling work, one option is to get a specific device that can create network latency/noise.
For example Apposite Tech's mini2 WAN emulator allows you to change values for bandwidth and packet loss. You can roll your own device too using something like: http://wanem.sourceforge.net/ . It just depends on your needs, time and budget.
I am writing device software for a PC and for that, I want the PC to be usable as a device. When power is supplied, it should switch on without requiring the power button to be pressed. There are power options in the BIOS settings but they start the PC only when it was uncleanly shut down. The other concern I have is how an unclean shutdown would affect the hard disk, filesystem and the OS (XP or Linux).
What you need is another PC and one of these devices attached to it.
http://www.relaypros.com/mm5/merchant.mvc?Screen=CTGY&Store_Code=NCD&Category_Code=RS-232_Relay_Boards&gclid=CMna8_yOo5wCFQxM5QodWjoflQ
What you do is send this some RS232 commands for a quick closure on one of the relays. The relay is connected to the Power On pins of the computer you want to control.
You possibly could find another relay contact closure for AC current that allows you to close a relay when AC is flowing, but you would only want to for a brief second.
Unsafe shutdowns can be quite detrimental depending on what state the filesystem is in. It would be quite hard on the hardware too.
There is also the alternative of booting from the network device. A quick search led to some information on Wikipedia. Also, there is something related called the preboot execution environment, which seems to be something like what you are looking for.
Some software options - these aren't exactly what you asked for, but they might help
Mac OS X: In the energy saver control pane's options tab, select "Restart automatically after a power failure". shutdown -hu now should then bring the system down but give you 5 minutes to remove power to simulate a dirty shutdown, and have the computer reboot automatically when power is restored. It's a slightly dirty shutdown anyway, I think (i.e., it doesn't log you off first).
Windows:
I don't have a Windows machine so I can't try this, but you used to be able to tell Windows not to power down the computer when you select shut down, but rather to put it in a safe state and display "It is now safe to turn off your computer". Perhaps you could then remove the power and have the BIOS believe it was a non-clean shutdown, and turn the machine on again when power is restored. There are some instructions on how to do this in Windows Server 2003 at the bottom of this Microsoft help document. This forum discussion seems to suggest it might work on XP.
Linux: Not sure about this one, but maybe this website can help.
I haven't tried any of these, so no guarantees that they'll work or work safely.
I'm using the UPS service to monitor the state of my UPS from an application -- the key at HKLM\SYSTEM\CCS\Services\UPS\Status has all the information you can get from the Power control panel. BUT -- I'd like to be able to tell the UPS to shut down from my app as well. I know that the service can tell the UPS to shut down -- for instance, after running a set number of minutes on battery -- and I'm wondering if there's some kind of command I can send to the service to initiate a shutdown manually.
I'm having trouble searching for this information -- people tend to misspell "Uninterruptible" (hrm, Firefox red-lined that but doesn't have an alternative) and "UPS" just gets hits for the shipping service. Maybe I can do something through System.ServiceController, or WMI?
CLARIFICATION: Yes, I am talking about powering down the physical UPS device. I know how to stop the service. I figured it would be a common problem -- I want my UPS to turn off with the PC. I had an idea I'm going to try, based on this page. You see, APC (and everybody else) has to supply a DLL for the UPS service to call, and since the function calls are well documented, there's no reason I shouldn't be able to P/Invoke them. I'll re-edit this once I know whether or not it worked.
Update: I tried invoking UPSInit, then UPSTurnOff, and nothing happens. I'll tinker with it some more, but the direct call to apcups.dll might be a dead end.
Check my comments to Herman, you want to shut the UPS down, not the UPS SERVICE, correct? I mean, you want that thing to shut off, kill the power, etc, right?
If so, you are looking at it on a UPS-by-UPS model basis. I doubt two of them would work the same.
In your searches, instead of UPS, try "APC", or "battery". I think a lot of the code is what runs on laptops to deal with being on battery, etc...
Some place hidden in some dusty old files I have protocol information for APC UPSs, and the commands they respond to, and what they send to the PC etc. But this was WAY back in the day when we used to connect our UPSs to our computers with SERIAL cables... You could actually talk to a UPS with Qmodem or HyperTerminal...
Learned it from talking to the guys at APC. They are very nice, and helpful. Now-a-days, I think you just post a URL coming from your Powerchute software, and it will talk directly to the UPS, and carry out your commands.
OK, I have the answer (tested!), but it's not pretty. My APC UPS communicates using the APC "Smart" protocol (more here). What you need in my case is a "soft shutdown", "S" command. But first you need to make sure it's in "Smart" mode ("Y"). Now, if you want to let the Windows UPS service monitor state, the service will have an iron grip on the COM port. So you can either a) let the Windows service turn the UPS off, or b) kill the service and turn the UPS off yourself.
The UPS itself has a "grace period" after it gets the "S" command, giving you time to shut down your OS. This means that to do (a) above, you have to:
Kill utility (mains) power
Wait for the Windows UPS Service timeout (default and minimum 2 minutes)
Wait for Windows to shut down -- right near the end, it will send the "S" command
Wait for the UPS grace period, after which it will actually turn itself off
I think we're going to opt for (a), just because (b) involves extra work killing the service and implementing the serial comms.
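The exchange this answer describes for option (b), with the Windows UPS service stopped so the COM port is free, enter Smart mode with "Y" and send the soft-shutdown "S", written up as an added example that is not from the thread or from APC. It assumes a pyserial-style port object and the reply strings SM, OK and NA as used by open-source APC tools; check them against your unit's documentation.

```python
class UpsProtocolError(RuntimeError):
    """The UPS answered something other than what the protocol promises."""


class ApcSmartUps:
    # `port` is anything with write(bytes) and readline() -> bytes, e.g. a
    # pyserial Serial("COM1", 2400, timeout=2) once the UPS service is stopped.
    def __init__(self, port):
        self.port = port

    def _cmd(self, ch):
        self.port.write(ch.encode("ascii"))
        return self.port.readline().decode("ascii", "replace").strip()

    def enter_smart_mode(self):
        # "Y" switches the UPS from dumb signalling to the text protocol;
        # the assumed acknowledgement is "SM".
        reply = self._cmd("Y")
        if reply != "SM":
            raise UpsProtocolError(f"expected SM, got {reply!r}")

    def soft_shutdown(self):
        # "S" = soft shutdown: the UPS waits out its grace period, then cuts
        # output. It is only honoured while on battery; on mains the assumed
        # reply is "NA", which is reported rather than silently ignored.
        reply = self._cmd("S")
        if reply == "OK":
            return "shutdown scheduled after grace period"
        if reply == "NA":
            return "refused: UPS is on utility power"
        raise UpsProtocolError(f"unexpected reply to S: {reply!r}")


def shutdown_ups(port):
    """Run the full sequence from the answer: smart mode, then soft shutdown."""
    ups = ApcSmartUps(port)
    ups.enter_smart_mode()
    return ups.soft_shutdown()


class FakeSmartUps:
    """Constructed stand-in for the serial port so the example runs offline."""
    def __init__(self, on_battery):
        self.on_battery = on_battery
        self.smart = False
        self._out = b""

    def write(self, data):
        cmd = data.decode("ascii")
        if cmd == "Y":
            self.smart = True
            self._out = b"SM\r\n"
        elif cmd == "S" and self.smart:
            self._out = b"OK\r\n" if self.on_battery else b"NA\r\n"
        else:
            self._out = b"NA\r\n"       # unknown command or still in dumb mode

    def readline(self):
        out, self._out = self._out, b""
        return out
```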
Please tell us what language you are trying to do that in... if you're using .NET you can do that with the ServiceController class (read the docs).
For controlling services via the Win32 API using C/C++, see Service Functions (Windows).
For example to stop a service you can use ControlService function as follows (this is a quick and dirty example):
    SC_HANDLE hServMgr = OpenSCManager(NULL, NULL, SC_MANAGER_CONNECT);
    SC_HANDLE hUpsService = OpenService(hServMgr, TEXT("\\UPS_SERVICE_0"), SERVICE_STOP);
    SERVICE_STATUS stat;
    ControlService(hUpsService, SERVICE_CONTROL_STOP, &stat);
    CloseServiceHandle(hUpsService);
    CloseServiceHandle(hServMgr);
Note that you need to provide a Service Manager handle in hServMgr, and the \\UPS_SERVICE_0 name must match your desired UPS service (either the Windows built-in one or another).
Remember that to stop a service you need the proper security rights. This is not a problem with an Administrator account, but keep in mind what happens when logging in with a non-admin account.
Hope that helps.
About shutting down the physical UPS device, I remember back in Win98 days I was able to power off the device by talking with the UPS through the COM port, although I don't remember the brand or what the programming interface was.