Public exploit for CVE-2017-0199

There is a public exploit for CVE-2017-0199, which leverages a Microsoft Office vulnerability that needs to be a patching priority. A hacker can create a crafted exploit in the form of a document using Metasploit and send it as an email, or use the watering hole attack technique to infect the remote victim user. Hackers used this vulnerability to breach the email account of the Ministry of Foreign Affairs in the Turkish Republic of Northern Cyprus. The compromised account was used to send out a weaponized document to foreign affairs ministries in various countries around the world.

Vulnerability Details:

This module creates a malicious RTF file that, when opened in vulnerable versions of Microsoft Word, will lead to code execution. The flaw exists in how an OLE link object can make an HTTP(S) request and execute HTA code in response. This bug was originally seen being exploited in the wild starting in October 2016. This module was created by reversing a public malware sample.

Microsoft issued a Security Patch Advisory in April. Please check whether the affected products below exist in your environment and expedite patching this vulnerability as soon as possible.

Note: For critical systems, perform testing and validation first; for non-critical systems, roll out the patch.

Affected Products:

  • Microsoft Office 2007 Service Pack 3
  • Microsoft Office 2010 Service Pack 2 (32-bit editions)
  • Microsoft Office 2010 Service Pack 2 (64-bit editions)
  • Microsoft Office 2013 Service Pack 1 (32-bit editions)
  • Microsoft Office 2013 Service Pack 1 (64-bit editions)
  • Microsoft Office 2016 (32-bit edition)
  • Microsoft Office 2016 (64-bit edition)



    How to Disable Windows Defender in Windows 10:

    Windows Defender

    Microsoft has shipped a built-in, pre-installed antivirus called Windows Defender since Windows Vista and 7. In its early days, Windows Defender only worked as adware and spyware detection. Over time it became more advanced and, from Windows 8.0 onward, it was merged with the Microsoft Security Essentials application to provide a higher malware detection rate and better protection.

    Why we should disable it

    So far everything seems good, until your daily tasks as a penetration tester and digital forensics investigator require running several hacking tools on your host machine, such as Nexpose, Exploit Pack, Nessus, Acunetix and other Windows-based tools. I prefer to run such scanners on the host machine rather than in VMs, to take advantage of more CPU and RAM resources.

    The problem arises when you find out that Windows Defender detects the scanners' payloads and exploits, both during its own scanning process and while my hacking tools are running, and deletes them one by one. I tried several times to turn it off, but Windows Defender kept working behind the scenes: you can still find it among the running services and processes, detecting my exploits and deleting them. This is not pleasant at all when it deletes the files without asking me. Hey AV, show some respect to the user.


    How to Disable Windows Defender in Windows 10:

    First of all, if you are running Windows 10 Home Edition, you cannot make significant changes in Windows Group Policy; you would need to upgrade from the Home edition to the Enterprise or Professional edition.

    In case you use a different machine for penetration testing (as I do), feel free to disable all the security mechanisms, such as the firewall, IDS, AVs, etc. The best way is to disable Windows Defender from Group Policy. So far it works well for me, without any detection and deletion problems. You can open the Group Policy editor using Run: type gpedit.msc and press Enter.


    Then navigate to Computer Configuration > Administrative Templates > Windows Components > Windows Defender and select Turn off Windows Defender.


    Set it to Enabled and press OK. You can do the same configuration using the Registry Editor (regedit), but I think this way is simpler. Now you are good to go.


    Please write comments or reach me via My LinkedIn profile or @sinamanavi

    How to fix “Lua: Error during loading” in Loading Wireshark on Kali Linux

    Lua: Error during loading

    Wireshark is a very handy tool among network engineers, pen-testers and anyone who cares about network traffic. You may install it on Windows as well as Mac and Linux. Since it is installed by default on Kali Linux, you don't need to install it on your pentest machine.

    Usually during my classes, participants complain about a warning message during the initialization of Wireshark. In this short tutorial I show you how to get rid of the following warning:


    Lua: Error during loading:

    [string “/usr/share/wireshark/init.lua”]:46: dofile has been disabled due to running Wireshark as superuser. See for help in running Wireshark as an unprivileged user.



    Open your terminal and type the following command to open the file:

    Command: gedit /usr/share/wireshark/init.lua

    Set the "disable_lua" parameter to true. Save the file and relaunch Wireshark. You are good to go, without any warning message.


    How to avoid IDS/Firewall blocking your IP during Web Penetration Testing

    This is very common during penetration testing: since we send unexpected or payload requests toward the servers, the target web server may pick up our IP address and sometimes block it. There are many ways around this, such as TOR and VPNs (free or commercial). Personally, I don't like to set up a VPN or TOR, since there are other applications running against the target which I prefer to run on the normal network, to avoid slow connections due to VPNs, although sometimes spiders and fuzzers may also alert servers and consequently get my IP address blocked. In addition, I prefer not to send all my laptop traffic through VPNs and proxies into the network, since there are many personal data and applications on my pentest machine as well.

    Please keep in mind that the only reason I recommend them is to easily change your IP and bypass firewall/IDS restrictions during the penetration testing process, so you don't need to call the admin to unblock your IP or provide a new IP for you. Obviously I don't have any personal account on my Firefox/Chrome, to protect myself against data leakage and privacy issues.

    Note: A hacker has none of the aforementioned ability to ask the server administrator to unblock him, right? 🙂 Act real.

    I usually use the following two VPN add-ons for Firefox/Chrome during web penetration testing.

    Firefox: ZenMate Security, Privacy & Unblock VPN

    This is an add-on that you can easily install on the Firefox/Chrome browser and that is ready to change your IP whenever it is required. Although in the free version you may only use IPs from four countries (Romania, Hong Kong, Germany and USA), in the premium version you may use IP addresses of other countries as well, but I think these four are enough in this context.


    Chrome: DotVPN

    DotVPN is a Chrome-based add-on extension that works perfectly. Just install it on your Chrome browser, create a username/password and go for bug hunting.


    So next time, if your connection becomes very slow when accessing the target website, or they block your access, just use these VPNs and you can change your IP easily from time to time.

    There are some other free VPNs such as Hotspot Shield VPN, ProxMate, Hola Unblocker, CyberGhost VPN, AWB Proxy and AutoProxy, but I use DotVPN and ZenMate to change my IP on demand.

    Kali Linux Version 2 Released.

    In the old days, computer users were always waiting for Microsoft or Apple to release the latest OS. We have all grown up, and now, as security evangelists and penetration testers, we are looking forward to seeing the latest version of Kali Linux, v2. You can download the ISO image file from the Kali website, or you may download the VMware version from the Offensive Security website.

    EnJoY Hunting….

    Windows Critical Security Update: Remote Code Execution

    A new vulnerability has been discovered that allows remote code execution by opening specially crafted documents or untrusted web pages in which OpenType fonts have been embedded. The targets of this vulnerability are Windows Vista (SP2), Windows Server 2008 and 2012 (Core Installation), Windows Server 2008 R2 and 2012 R2 (32/64-bit), Windows 7 (32/64-bit), as well as Windows 8 and 8.1 and RT 8.0 and RT 8.1.

    Metasploit Lovers:

    Metasploit hasn't updated its exploits for this vulnerability yet.

    For more information refer to the following link:

    Writing a script to automate running Metasploit services, and calling it from anywhere

    Hi guys, it's been a while since I had time to update my blog. I would like to write a simple post about how to automate some tasks and run them easily at any time. Many of us, during our playing time with the Penguin, run some tasks and commands repeatedly. Writing bash scripts is one of my hobbies and I like to automate things, even automating the Eat-Rave-Linux process 🙂. So I am writing a simple script and showing you how to call it from anywhere, similar to other Linux tools and commands such as ifconfig or ls, etc.

    Today I had a call from a friend of mine about running Metasploit. His problem was that sometimes some services such as Apache2 or PostgreSQL are not running, which might cause Metasploit to malfunction or run slowly. So it's better to check that these services are running before running msfconsole. What I do is, I wrote a very simple bash script that restarts the services, updates Metasploit, and finally runs Metasploit automatically. I have a "my-scripts" directory where I put my scripts, and hence you may call them from anywhere. So here is my Metasploit script.

    #!/bin/bash
    # Restart the services Metasploit depends on, then Metasploit itself.
    # A stop followed by a start also brings up a service that was not running at all.

    # PostgreSQL: backing database for the Metasploit framework
    service postgresql stop
    service postgresql start

    # Apache2: web server used by some Metasploit modules
    service apache2 stop
    service apache2 start

    # Metasploit service (RPC/web service)
    service metasploit stop
    service metasploit start



    Once you have created your script, just save it as a bash file. Give it a name that does not conflict with msfconsole. Then make the file executable using chmod 755 followed by the file name. In the next step, I move this script into the "my-scripts" directory, which I placed in the root user's home directory. I have added this directory to my $PATH variable, so I can call my script anytime from anywhere simply by its name. To do so, you may use the following commands.

    Now edit your .bashrc file and add the following line at the end of it to make this a permanent setting. You may need to reboot your system to apply the changes. After that you can call your Metasploit script from anywhere.

    nano /root/.bashrc

    add the following after the last line:

    export PATH=$PATH:~/my-scripts   

    Good Luck and let me know if you have any alternative way to do so.
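A more careful version of the launcher, added here as an example and not the post's own script: it starts only the services whose status output does not already report them as running, appends the my-scripts directory to PATH only once (so the line is safe to keep in .bashrc), and then launches msfconsole. The helper names and the status wording it expects are my assumptions.

```bash
#!/bin/bash
# Added example (not the post's script): start only the services that are not
# already running, add ~/my-scripts to PATH once, then launch msfconsole.
# Assumed "service <name> status" wording: SysV "... is running" or
# systemd "active (running)". Function names are this editor's choice.

# Return 0 when a status message reports the service as running.
status_is_running() {
  case "$1" in
    *"is running"*|*"active (running)"*) return 0 ;;
    *) return 1 ;;
  esac
}

# Start a service only when its status does not say it is running,
# so an already healthy service is not needlessly restarted.
ensure_service() {
  local name="$1" out
  out=$(service "$name" status 2>&1 || true)
  if status_is_running "$out"; then
    echo "$name: already running"
  else
    echo "$name: starting"
    service "$name" start
  fi
}

# Append a directory to PATH only if it is not already there, so the line can
# live in .bashrc without PATH growing every time the file is sourced.
add_to_path_once() {
  local dir="$1"
  case ":$PATH:" in
    *":$dir:"*) ;;               # already present, nothing to do
    *) PATH="$PATH:$dir" ;;
  esac
  export PATH
  printf '%s\n' "$PATH"
}

main() {
  for svc in postgresql apache2 metasploit; do
    ensure_service "$svc"
  done
  add_to_path_once "$HOME/my-scripts"
  exec msfconsole
}

# Launch only when invoked as "bash msf-up.sh run", so the file can also be
# sourced for its helper functions without side effects.
if [ "${1:-}" = "run" ]; then main; fi
```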

    Stay Anonymous while Black-box Penetration Testing (Tor and Proxychains)

    During black-box penetration testing we sometimes need to hide our identity and stay anonymous; sometimes firewalls and IDPS detect us while we are testing the machine and might block our IP address. In that case we need to keep changing the IP. If the firewall blocks the company's IP, then even if you change your local IP you may not have access to the website again. So the best way to hide your identity is to use Tor and proxychains.

    Install tor:

    apt-get install tor

    Then you just need to start the Tor service.

    service tor start

    Then you need to modify your proxychains configuration and polish it a little bit. Open the proxychains configuration file, uncomment dynamic_chain, comment out strict_chain, and at the end of the file you will find the line socks4 127.0.0.1 9050.

    You need to add the following line as well (Tor's SOCKS port accepts SOCKS5 too):

    socks5 127.0.0.1 9050


    The file should look like the one below after editing.

    # proxychains.conf  VER 3.1
    #
    #        HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.
    #

    # The option below identifies how the ProxyList is treated.
    # only one option should be uncommented at time,
    # otherwise the last appearing option will be accepted
    #
    dynamic_chain
    #
    # Dynamic - Each connection will be done via chained proxies
    # all proxies chained in the order as they appear in the list
    # at least one proxy must be online to play in chain
    # (dead proxies are skipped)
    # otherwise EINTR is returned to the app
    #
    #strict_chain
    #
    # Strict - Each connection will be done via chained proxies
    # all proxies chained in the order as they appear in the list
    # all proxies must be online to play in chain
    # otherwise EINTR is returned to the app
    #
    #random_chain
    #
    # Random - Each connection will be done via random proxy
    # (or proxy chain, see  chain_len) from the list.
    # this option is good to test your IDS :)

    # Make sense only if random_chain
    #chain_len = 2

    # Quiet mode (no output from library)
    #quiet_mode

    # Proxy DNS requests - no leak for DNS data
    proxy_dns

    # Some timeouts in milliseconds
    tcp_read_time_out 15000
    tcp_connect_time_out 8000

    # ProxyList format
    #       type  host  port [user pass]
    #       (values separated by 'tab' or 'blank')
    #
    #
    #        Examples:
    #
    #            socks5  192.168.67.78  1080  lamer  secret
    #            http    192.168.89.3   8080  justu  hidden
    #            socks4  192.168.1.49   1080
    #            http    192.168.39.93  8080
    #
    #
    #       proxy types: http, socks4, socks5
    #        ( auth types supported: "basic"-http  "user/pass"-socks )
    #
    [ProxyList]
    # add proxy here
    # meanwile
    # defaults set to "tor"
    socks4  127.0.0.1 9050
    socks5  127.0.0.1 9050

    Then restart your Tor service:

    service tor restart

    Now you can open any application or browser through proxychains with the following commands:

    proxychains iceweasel

    proxychains nmap yourtargetip

    Enjoy the anonymous surfing and penetration testing

    Please let me know how do you keep your identity anonymous during penetration testing.
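Before relying on the edited file, it helps to check that only one chain mode is active (proxychains silently takes the last one if several are uncommented), that proxy_dns is on (otherwise DNS lookups go out unproxied and reveal the target), and that every ProxyList entry has a host and a port. The checker below is an added example, not part of the post: its function names and the embedded sample config are constructed here, and it assumes the Kali file lives at /etc/proxychains.conf.

```bash
#!/bin/bash
# Added example (not the post's file): sanity-check a proxychains.conf before
# trusting it. Function names and the sample config are this editor's own.

# Report problems in the config on stderr; return 0 only when none are found.
validate_proxychains_conf() {
  local conf="$1" modes bad problems=0
  # Exactly one of dynamic_chain / strict_chain / random_chain may be active.
  modes=$(grep -cE '^(dynamic|strict|random)_chain[[:space:]]*$' "$conf" || true)
  if [ "$modes" -ne 1 ]; then
    echo "chain mode: expected exactly one active *_chain line, found $modes" >&2
    problems=1
  fi
  # Without proxy_dns, name resolution goes out directly and leaks the target.
  if ! grep -qE '^proxy_dns[[:space:]]*$' "$conf"; then
    echo "proxy_dns is not enabled: DNS lookups would bypass the proxy" >&2
    problems=1
  fi
  # Every entry after [ProxyList] needs at least "type host port".
  bad=$(awk '/^\[ProxyList\]/ {p=1; next} p && !/^[[:space:]]*#/ && NF>0 && NF<3' "$conf")
  if [ -n "$bad" ]; then
    printf 'malformed ProxyList entries (need: type host port):\n%s\n' "$bad" >&2
    problems=1
  fi
  return "$problems"
}

# Constructed sample mirroring the post's final file, written to the path in $1.
write_sample_conf() {
  cat > "$1" <<'EOF'
# proxychains.conf  VER 3.1
dynamic_chain
#strict_chain
#random_chain
proxy_dns
tcp_read_time_out 15000
tcp_connect_time_out 8000
[ProxyList]
socks4 127.0.0.1 9050
socks5 127.0.0.1 9050
EOF
}

# Usage: bash check-proxychains.sh /etc/proxychains.conf
if [ $# -eq 1 ]; then
  validate_proxychains_conf "$1" && echo "OK: $1"
fi
```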


    Android Hacking and Pentesting

    Today we discussed:

    • Basic Android OS security mechanisms
    • Basic malware definitions
    • Attacking the Android platform with malware, remote access, file stealing and social engineering attack methods

    Attacking the Android:

    • Installing Kali Linux on Android to perform attacks
    • Installing dSploit for running attacks from Android (MITM, XSS, traffic sniffing, etc.)


    You can find the presentation on my SlideShare home page as well.