Metasploit MS08_067 Scanner Version 2

Following on from the previous post, I’ve improved the MS08_067 scanner by removing the sledge-hammer approach, ie scan everything, to a more defined and controlled approach, ie get some hosts, work out if they might be a windows box and then scan.

Here is the script;

<ruby>
###########################################################
#Must set Global RHOSTS via setg RHOSTS xxx.xxx.xxx.xxx/xx#
###########################################################
#Check to see if RHOSTS is set Globally
if (framework.datastore['RHOSTS'] == nil)
print_line("Please set RHOSTS globally with this command setg RHOSTS xxx.xxx.xxx.xxx/xx...exiting")
return
end

#Populate the datastore with some Hosts
#######################################

#Setup NMAP Options
nmapopts = "-O -T 5"
run_single("db_nmap #{nmapopts} #{framework.datastore['RHOSTS']}")

#Remove RHOSTS
run_single("unsetg RHOSTS")

framework.db.workspace.hosts.each do |host|
host.services.each do |serv|
next if not serv.host
next if (serv.state != ServiceState::Open)
if (serv.name =~ /smb/ or serv.name =~ /microsoft-ds/ or serv.name =~ /netbios/ or serv.port == 445 or serv.port == 139 or serv.port == 137)
if(serv.port == 445)
run_single("use exploit/windows/smb/ms08_067_netapi")
run_single("set RHOST #{host.address}")
run_single("check")
end
end
end
end
</ruby>

Some changes to the way the resource script works, first we need to set the Global variable RHOSTS, this can be set via the ‘setg RHOSTS xxx.xxx.xxx.xxx/xx’ command.

Then we just fire up the resource script as before, but this time you will get a bunch of nmap output.

I used a db_nmap scan to populate the database

Then, if there are any Windows hosts on the network with the correct services listening, you will see this;

And the rest is down to you…Enjoy

Credit to the MSF guys, as a couple of lines of code were taken from the default resource scripts that ship with the framework and of course to @mubix for the initial rapid psexec script that this was based upon.

Advertisement

Metasploit MS08_067 Scanner Resource Script

Today I’ve been messing around with Metasploit and came up with this, its not rocket science and uses a bit of code from another resource script written by @mubix, you can find it here http://www.room362.com/blog/2010/9/12/rapid-fire-psexec-for-metasploit.html

Any ways I thought why not try and write some resource scripts that look for ‘low hanging fruit’ to kinda speed up the pwnage on big network penetration tests.

The ms08_067 exploit module supports the ‘check’ function which we use to find our vulnerable hosts, there are more exploits with this function but not all.

Here’s the code its pretty self explanitory, just set the rhosts variable in the script.

################################################
# MS08_067 Vulnerability Checker Resource Script
################################################
use exploit/windows/smb/ms08_067_netapi

require 'rex/socket/range_walker'
#################################################
#Set rhosts to be network range you want to check
#################################################
rhosts = &quot;192.168.0.0/24&quot;
iplist = Rex::Socket::RangeWalker.new(rhosts)
iplist.each do |rhost|
self.run_single(&quot;set RHOST #{rhost}&quot;)
self.run_single(&quot;check&quot;)
end

Copy the code into a file called ms08_067_checker.rc and save it here /root/.msf4/scripts/resource or /yourusername/.msf4/scripts/resource, to be able to use it directly from msfconsole.
The resource script output is as below:

Unlucky…

Woot, we’re in luck.

The rest is simple,   Happy hunting.

Easily Find Domain Controllers – More Active Directory Kung-Fu

Following on from the previous Active Directory Kung-Fu post, I thought I would add a few more things that could be useful on a Pentest.

The tools used are not installed on a standard XP build and will have to be downloaded from Microsoft and installed.

First off get the 2 new tools, AdminPack and Group Policy Management.

http://www.microsoft.com/en-us/download/details.aspx?id=16770 – Admin Pack for XP

http://www.microsoft.com/en-us/download/details.aspx?id=21895 – Group Policy Management for XP

Extract and install the Admin Pack and install gpmc.msi

Once these 2 tools are installed you will find that there are new gui tools.

Continue reading “Easily Find Domain Controllers – More Active Directory Kung-Fu”

Metasploit POST Module – Interesting Documents Finder

I wrote this metasploit post module to search and download files from compromised hosts.

Initial credit to @3vilJohn whose module inspired this. http://johnbabio.wordpress.com

It searches open Metasploit SESSIONS for file types Word, Excel, Pdf and user specified types.

It can enumerate and search specified drives too using a bit of Railgun Kung-Fu from Mubix, aka http://www.room362.com

You can set the dump location for the downloaded files and even attempt to elevate privileges with a Get_System function, useful for when you’re in as a un priv user.

Here’s some screenshots of it in action,

Continue reading “Metasploit POST Module – Interesting Documents Finder”

Active Directory KungFu – Messing With Users & Computers

Recently on an internal Pentest, I needed to get a new user into the Domain Admins group, which I couldn’t manage to accomplish with the usual net localgroup group username /add /domain command, I had managed to add a user to the domain – daveisahacker – using net user daveisahacker Password123 /add /domain.

I really need to get a user into Domain Admin, and as I had a token impersonation of domain admin, but couldn’t sign on to a DC because I had no password.

So I thinks what about the Directory services commands – DSQUERY, DSMOD, and all of the other DS commands, I might be able to add a user to the Domain Admins group that way.

DSQUERY Command @ Technet

http://technet.microsoft.com/en-us/library/cc732952(WS.10).aspx

DSMOD Command @ Technet

http://technet.microsoft.com/en-us/library/cc732406(WS.10).aspx

So, OK lets have a look at these command and what to do with them.

Continue reading “Active Directory KungFu – Messing With Users & Computers”

Web Form Password Brute Force with FireForce

I spent many hours today playing around with DVWA – (Damn Vulnerable Web App), from Randomstorm, brushing up on my web app pentesting skills, to be honest its been a long time and I really need to get back on top of this.

Anyways, after going through all the usual SQL injection, XSS stuff I thought I’d have a go at the brute forcing part of the app.

Well after what seemed like days I gave up, with little or no success – I’d tried the usual suspect for ‘bruting’ the password – Hydra.

Until I Googled around and found a Firefox addon called ‘Fireforce’ the article that I found is here Dark Reading

The website for the tool is here SCRT ,there is a manual in english too. Continue reading “Web Form Password Brute Force with FireForce”