carnal0wnage [Shared Reader]

Friday, December 17, 2010

Metasploit and VNC Password Bruteforcing

You probably missed it but jduck recently snuck in a VNC mixin and vnc_login module to the trunk.

This is awesome because before that I had to use Immunity's VAAseline to do VNC bruteforcing. But now you can just use vnc_login.

So the scenario is you find yourself on the other end of a VNC server.

Its tedious to password guess like this

Instead let's use the metasploit module

and throw a dictionary attack against the VNC server

Looks like the VNC no auth module had been ported and stuck in there too :-)


Thursday, December 16, 2010

Conducting a Phishing Campaign in Metasploit Pro

So new job gets me new fun toys. Figured i'd try the fancy shmancy tools and do a phish campaign with metasploit pro.

1. Go click on campaigns and star filling stuff out like what you want to call it

2. Set up your web campaign. With the web campaign you can actually host a webpage along with your exploit instead of just getting the typical "please wait" stuff.

3. Fill out your name of the template and the html of what you want it to say

4. By default it will run browser autopwn

5. Lets just pick an exploit to throw at them instead of all of them

6. Once you click save, it should look something like this:

7. After that you can set up the email portion of the phish

8. Fill out the sending server options

9. Then fill out the text for the body of your email

10. After you click save, you'll go to the add email addresses section where you can import a list, or type them in

11. Kinda looks like this when its all filled out. To start click the start campaign button

12. You can see the status of your sent emails and as people click them the percentage will change

13. I guess what the email could look like if you werent trying too hard :-)

14. And the web page serving up the exploit

15. You can now see that a user clicked the link and our percentage has changed

I'll cover hosts and sessions later. Only gripe is the lack of configuration ability in the exploit payload section. I've been told this will be addressed shortly even though a lot of work has been put into smart defaults the ability to change it when necessary would be nice.