exploit help

No explicit questions like "how do I hack xxx.com" please!
Kirk
suck-o enforcer
Posts: 547
Joined: 25 Apr 2009, 16:00

Post by Kirk »

I'm looking for an exploit for Microsoft IIS 6.0 and any info I can read. I've already checked the worm. I would appreciate any PMs on this subject.

And, ya, ya, I know, Google. Doing that also.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Don't miss the forest for the trees. You need to recon what else is on the network the server is attached to. Make sure you are wardriving or using an anonymous proxy - cuz I know you got plans for the rest of your life.
I guess it all depends what you need for an end result.

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

Kirk
suck-o enforcer
Posts: 547
Joined: 25 Apr 2009, 16:00

Post by Kirk »

I'm going to go wardrive in a few days. I know they have a Linksys wireless router in the building. Not sure if it's WEP'ed or what. A little probe and I'll know. Probably not though. What should I be looking for on the network?

And I do use a proxy or two.
Thanks for looking out, DNR, I appreciate it. I do have plans for life.

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

What you are looking for is the structure of the network, how the devices are connected, what servers are providing services, and what applications are being used as well as the OS. If you have physical access, you want to try pharming? That's where you drop a USB stick on the premises with a trojan! Just have some tape stuck to it: "Proposed Employee Layoffs"..
Someone will be dumb enough to walk it in and plug it into a workstation on the internal network. You even look at policies and procedures, social engineering - somewhere there is a weakness to exploit. As I said, without knowing exactly what you want to do, the possibilities are endless.

The wifi is good; if you can get associated with the network you can do internal discovery - you can even impersonate a logged-in user that has access to the server you wanted. Get MDK3, a wifi disassociation attack tool - it'll sign everyone off the wifi AP.

Now, I have only tried it on my small network - Wireshark is working on a Vista laptop for my wireless card. It can't inject, but I can at least read the packets, get MACs, IPs, services, and sniff for cookies and reassemble HTTP convos.

I was also going to try Cain & Abel; it works too, it worked on my small LAN, with the exception of enumerating remote computers that may simply have a host-based firewall or file share setting. Cain & Abel is able to recover passwords on a Vista machine :wink:

Lastly, do recon from afar until you determine if and where the cameras are; they are more prevalent than 7 years ago. At night some cameras can have IR lighting for night vision - what means would you use to detect IR lighting?

Have fun!

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

I think DNR's approach is more subtle. You are going for a blind-exploitation attack, just hoping that a Microsoft IIS 6 exploit would own the server; recon should be your first step to success. A hacker doesn't attack the frontend; a smart hacker looks for a backdoor. Try to do some information gathering and find some other services. Normally web admins are lazy and like to go with the defaults; maybe there is a misconfigured service running on the server you can exploit and gain root on rather than just a frontend exploit. Besides that, most of them are mainly patched so it would prove useless, but smaller services aren't paid much attention to. :wink:
[img]http://i81.photobucket.com/albums/j205/ebrizzlez/4lsint1.jpg[/img]

Kirk
suck-o enforcer
Posts: 547
Joined: 25 Apr 2009, 16:00

Post by Kirk »

On Tuesday I go down to my school for a final. The place is right down the street from my school. I'll drop in and say hello while I have my laptop running in the car. What should I run: Nmap? Always a good program.

I really like the idea of a USB dropped on the ground. I think I will also try that. Maybe figure out how to get it to delete certain files. Although I think a trojan would be so much more fun. Is Sub7 still around?

ebrizzlez
Kage
Posts: 732
Joined: 31 Mar 2007, 16:00
Location: Hidden in a Buffer Protection.

Post by ebrizzlez »

As DNR has said, try to infiltrate the company and see if it has a wifi connection enabled. If so, what protection scheme does it have implemented, if any?

It's uncommon for a webserver to be hosted on a wifi connection, but then again it doesn't mean it isn't possible. Most admins prefer to host on a modem because they don't have to go through the port forwarding, but it doesn't matter; some prefer to have an open network to work with internals and have separate machines run different parts of the server.

If you would be gone away from the laptop for a little, it's better if you did an ARP cast or ARP poison attack to listen in on the network; this way you can capture passwords and other information that may prove useful. Running Wireshark and Cain and Abel would do the trick.

Such attacks like ARP poisons are noisy attacks and can trigger an Intrusion Detection System, so you have to be careful. I would Nmap the target ASAP and see what services are running there, and if there are any network-level intrusion detection systems (NIDS) running, or to map out the services they have. :wink:
[img]http://i81.photobucket.com/albums/j205/ebrizzlez/4lsint1.jpg[/img]

Kirk
suck-o enforcer
Posts: 547
Joined: 25 Apr 2009, 16:00

Post by Kirk »

I'm running a Zenmap scan right now. I'll post whatever I find. Any advice on what type of scan I should be doing? The command section has a lot of options that I'm unfamiliar with.

Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-16 01:11 US Mountain Standard Time
NSE: Loaded 30 scripts for scanning.
Initiating Ping Scan at 01:11
Scanning 174.37.35.239 [8 ports]
Completed Ping Scan at 01:11, 0.79s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 01:11
Completed Parallel DNS resolution of 1 host. at 01:11, 0.19s elapsed
Initiating SYN Stealth Scan at 01:11
Scanning 174.37.35.239-static.reverse.softlayer.com (174.37.35.239) [1000 ports]
Discovered open port 443/tcp on 174.37.35.239
Discovered open port 21/tcp on 174.37.35.239
Discovered open port 80/tcp on 174.37.35.239
SYN Stealth Scan Timing: About 18.90% done; ETC: 01:14 (0:02:13 remaining)
SYN Stealth Scan Timing: About 45.90% done; ETC: 01:14 (0:01:12 remaining)
SYN Stealth Scan Timing: About 65.07% done; ETC: 01:14 (0:00:55 remaining)
Completed SYN Stealth Scan at 01:13, 118.32s elapsed (1000 total ports)
Initiating Service scan at 01:13
Scanning 3 services on 174.37.35.239-static.reverse.softlayer.com (174.37.35.239)
Completed Service scan at 01:14, 18.06s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 174.37.35.239-static.reverse.softlayer.com (174.37.35.239)
Retrying OS detection (try #2) against 174.37.35.239-static.reverse.softlayer.com (174.37.35.239)
Initiating Traceroute at 01:14
174.37.35.239: guessing hop distance at 10
Completed Traceroute at 01:14, 0.20s elapsed
Initiating Parallel DNS resolution of 13 hosts. at 01:14
Completed Parallel DNS resolution of 13 hosts. at 01:14, 0.18s elapsed
NSE: Script scanning 174.37.35.239.
NSE: Starting runlevel 1 scan
Initiating NSE at 01:14
Completed NSE at 01:14, 5.43s elapsed
NSE: Script Scanning completed.
Host 174.37.35.239-static.reverse.softlayer.com (174.37.35.239) is up (0.085s latency).
Interesting ports on 174.37.35.239-static.reverse.softlayer.com (174.37.35.239):
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS webserver 6.0
| robots.txt: has 6 disallowed entries
| /checkout.asp /add_cart.asp /view_cart.asp /error.asp
|_ /shipquote.asp /rssfeed.asp
|_ html-title: Makita Bosch Fluke FLIR Infrared Camera Knipex Testo Ideal MK ...
113/tcp closed auth
443/tcp open ssl/http Microsoft IIS webserver 6.0
| robots.txt: has 1 disallowed entry
|_ /
|_ html-title: Makita Bosch Fluke FLIR Infrared Camera Knipex Testo Ideal MK ...
Device type: general purpose|WAP
Running (JUST GUESSING) : Microsoft Windows 2003|XP (97%), Apple embedded (88%)
Aggressive OS guesses: Microsoft Windows Server 2003 SP1 or SP2 (97%), Microsoft Windows Server 2003 SP2 (93%), Microsoft Windows Server 2003 SP0 or Windows XP SP2 (89%), Microsoft Windows XP SP2 (89%), Microsoft Windows XP SP3 (89%), Apple AirPort Extreme WAP v7.3.2 (88%), Microsoft Windows Server 2003 SP1 (88%)
No exact OS matches for host (test conditions non-ideal).
TCP Sequence Prediction: Difficulty=265 (Good luck!)
IP ID Sequence Generation: Busy server or unknown class
Service Info: OS: Windows

Should I have scanned all the ports instead of just 1000? I doubt they are using some super high port though. And from what I gather they are running Windows 2003 and/or XP. I would guess XP is more likely on the computers. What's up with port 113? It says 'closed auth'. Does that mean that I need authorization to access it, like username and password type stuff? And could I access it with telnet or an FTP? And Device type: General purpose/WAP? What does that mean? Also, I have the latest Wireshark, but don't I have to be on their network to listen in on them?

Thanks guys.
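Added example, not code from any poster in this thread: a small parser that reads the port table of Nmap's normal output (the same shape as the scan pasted above) and groups ports by state together with what each state actually means, so the scan reads as an exposure inventory rather than a target list. The sample output is constructed, with an RFC 5737 documentation address in place of any real host; the state definitions follow the Nmap reference guide.

```python
import re
from collections import defaultdict

# Constructed sample of Nmap 5.x normal output. The address is from the
# RFC 5737 documentation range, not a real host; the rows mirror the shape
# of the thread's scan (three open ports, one closed, the rest filtered).
SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 5.00 ( http://nmap.org ) at 2009-08-16 01:11 US Mountain Standard Time
Discovered open port 443/tcp on 192.0.2.10
Discovered open port 21/tcp on 192.0.2.10
Discovered open port 80/tcp on 192.0.2.10
Host 192.0.2.10 is up (0.085s latency).
Interesting ports on 192.0.2.10:
Not shown: 996 filtered ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
80/tcp open http Microsoft IIS webserver 6.0
| robots.txt: has 2 disallowed entries
|_ /checkout.asp /view_cart.asp
113/tcp closed auth
443/tcp open ssl/http Microsoft IIS webserver 6.0
Service Info: OS: Windows
"""

# What each port state means, following the Nmap reference guide.
STATE_MEANING = {
    "open": "a service answered the probe (SYN/ACK): something is listening",
    "closed": "the host answered with RST: reachable, but no service is listening",
    "filtered": "no answer, or an ICMP error: a firewall or filter is dropping probes",
    "unfiltered": "reachable, but Nmap cannot tell open from closed (ACK scan only)",
    "open|filtered": "no response, so Nmap cannot distinguish open from filtered",
}

PORT_ROW = re.compile(r"^(\d+)/(tcp|udp)\s+([\w|]+)\s+(\S+)(?:\s+(.*))?$")
NOT_SHOWN = re.compile(r"^Not shown: (\d+) ([\w|]+) ports$")


def parse_nmap(text):
    """Parse the port table of Nmap's normal output.

    Returns (rows, not_shown): rows is a list of dicts, one per port-table
    line; not_shown is (count, state) for the ports Nmap summarised away,
    or None if the scan printed no such line.
    """
    rows, not_shown = [], None
    for line in text.splitlines():
        m = PORT_ROW.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "state": state,
                         "service": service, "version": version or ""})
            continue
        m = NOT_SHOWN.match(line)
        if m:
            not_shown = (int(m.group(1)), m.group(2))
    return rows, not_shown


def summarize(text):
    """Group ports by state and attach the meaning of that state, so the
    host's owner can see what is exposed and why each row looks as it does."""
    rows, not_shown = parse_nmap(text)
    by_state = defaultdict(list)
    for row in rows:
        by_state[row["state"]].append(row["port"])
    summary = {}
    for state, ports in by_state.items():
        summary[state] = {"ports": sorted(ports),
                          "meaning": STATE_MEANING.get(state, "unknown state")}
    if not_shown:
        count, state = not_shown
        entry = summary.setdefault(
            state, {"ports": [], "meaning": STATE_MEANING.get(state, "unknown state")})
        entry["not_shown"] = count
    return summary


def listening_services(text):
    """Return (port, service, version) for every open port: the list an
    administrator should be able to justify line by line."""
    rows, _ = parse_nmap(text)
    return [(r["port"], r["service"], r["version"])
            for r in rows if r["state"] == "open"]


if __name__ == "__main__":
    for state, info in summarize(SAMPLE_NMAP_OUTPUT).items():
        extra = f" (+{info['not_shown']} not listed)" if "not_shown" in info else ""
        print(f"{state:>9}: {info['ports']}{extra}\n           {info['meaning']}")
    print("listening:", listening_services(SAMPLE_NMAP_OUTPUT))
```

On the sample, the closed row (113, ident/auth) comes out as a reachable port with nothing listening, while the 996 filtered ports are the ones a firewall silently dropped; the three open rows are the only services actually answering.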

DNR
Digital Mercenary
Posts: 6114
Joined: 24 Feb 2006, 17:00
Location: Michigan USA

Post by DNR »

Tip: make sure your computer is 'named' in the same naming convention as the other computers on the network - it is easy to spot the one in the logs with "Intruder" or "kirk's laptop" :wink:

Without going into a complete session hijack/Wireshark/injection tutorial, I'll just point you to the packets you look for and what needs to be changed.
In Wireshark, expand the tree to display all values; in the Ethernet II section of the packets you see how the computers identify each other with MACs and IPs:

Ethernet II, Src: GemtekTe_f1:f9:75 (00:90:4b:f1:f9:75),
Dst: LiteonTe_72:6e:b3 (00:22:5f:72:6e:b3)

Destination: LiteonTe_72:6e:b3 (00:22:5f:72:6e:b3)
Address: LiteonTe_72:6e:b3 (00:22:5f:72:6e:b3)

Source: GemtekTe_f1:f9:75 (00:90:4b:f1:f9:75)
Address: GemtekTe_f1:f9:75 (00:90:4b:f1:f9:75)

This is in the Internet Protocol section of the packets:
Internet Protocol, Src: 192.168.0.1 (192.168.0.1),
Dst: 192.168.0.7 (192.168.0.7)

Source: 192.168.0.1 (192.168.0.1)
Destination: 192.168.0.7 (192.168.0.7)

Further on, it has the Port information
Source port: domain (53)
Destination port: 58481 (58481)
You see in the packet it has the IP and MAC address to identify who is sender and receiver. If you take over the IP of Source, you need to change your NIC to spoof the MAC too. That's why you'll need a MAC changer.
Windows does not do injection (at least not my WNIC) so you would need to switch over to BT. MDK2 can perform the denial of service on the computer trying to access the wifi AP; it can be set to one machine, or AMOK - to disconnect every device on an AP (it's like the device is saying bye!)

Lastly - don't forget your laptop can leave its fingerprint: the HTTP packets can have your OS, browser type, its configuration, and as you see above the name of your network interface card (and MAC, but you can change that too).

Eb is on the right track for infiltrating the physical location. Is the server room hosted in the building or off site? Look for maps of fire exits (required by law); they might be dumb enough to have an arrow pointing to the secure server room.
If the company is small, their equipment might be stored in a closet; what kind of locks are on the door? Unsecured server rooms are a big disaster waiting to happen - you could construct a device like a water bottle to disintegrate - and the water bottle is sitting atop the server or rackmount system! In the server room you might find all the backups for the server; remove them. :twisted:

On and on. The idea is to make it more like an accident and with the most innocuous device or tactic (like anyone could have done it).

DNR
-
He gives wisdom to the wise and knowledge to the discerning. He reveals deep and hidden things; he knows what lies in Darkness, and Light dwells with him.
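Added example, not code from any poster in this thread, serving two passages at once: DNR's walk-through of the Ethernet II / Internet Protocol / port fields Wireshark shows, and ebrizzlez's point that ARP poisoning is noisy enough to trip an IDS. The block decodes those fields from raw frame bytes by offset, then implements the check a network defender runs over a capture: one IP address sourced from two different MACs. The frames are constructed in the block itself (the gateway and client MACs and the 192.168.0.x addresses are the ones in the Wireshark excerpt above; the second "rogue" MAC is made up), so nothing is captured from a real network.

```python
import socket
import struct
from collections import defaultdict


def _mac_bytes(mac):
    return bytes.fromhex(mac.replace(":", ""))


def _mac_str(raw):
    return ":".join(f"{b:02x}" for b in raw)


def build_frame(src_mac, dst_mac, src_ip, dst_ip, src_port, dst_port, payload=b""):
    """Construct a minimal Ethernet II / IPv4 / UDP frame as test input.
    Checksums are left zero: this is synthetic data, not a capture."""
    eth = _mac_bytes(dst_mac) + _mac_bytes(src_mac) + b"\x08\x00"  # EtherType 0x0800 = IPv4
    udp_len = 8 + len(payload)
    udp = struct.pack("!HHHH", src_port, dst_port, udp_len, 0) + payload
    ip = struct.pack("!BBHHHBBH4s4s",
                     0x45,            # version 4, IHL 5 (20-byte header)
                     0,               # DSCP/ECN
                     20 + udp_len,    # total length
                     0, 0,            # identification, flags/fragment offset
                     64,              # TTL
                     17,              # protocol 17 = UDP
                     0,               # header checksum (not computed here)
                     socket.inet_aton(src_ip), socket.inet_aton(dst_ip))
    return eth + ip + udp


def decode_frame(frame):
    """Pull out the fields Wireshark lists under 'Ethernet II', 'Internet
    Protocol' and the transport header, reading each by its byte offset."""
    info = {"dst_mac": _mac_str(frame[0:6]), "src_mac": _mac_str(frame[6:12]),
            "ethertype": struct.unpack("!H", frame[12:14])[0]}
    if info["ethertype"] != 0x0800:          # only IPv4 is decoded here
        return info
    ihl = (frame[14] & 0x0F) * 4             # IPv4 header length in bytes
    info["protocol"] = frame[23]
    info["src_ip"] = socket.inet_ntoa(frame[26:30])
    info["dst_ip"] = socket.inet_ntoa(frame[30:34])
    if info["protocol"] in (6, 17):          # TCP and UDP both begin with src/dst port
        off = 14 + ihl
        info["src_port"], info["dst_port"] = struct.unpack("!HH", frame[off:off + 4])
    return info


def find_mac_conflicts(frames):
    """Map each source IP to the set of source MACs it was seen with.

    One IP carried by two different MACs within a capture is the classic
    symptom of ARP cache poisoning or a spoofed NIC address; arpwatch raises
    an alert on the same kind of IP-to-MAC change."""
    seen = defaultdict(set)
    for frame in frames:
        d = decode_frame(frame)
        if "src_ip" in d:
            seen[d["src_ip"]].add(d["src_mac"])
    return {ip: sorted(macs) for ip, macs in seen.items() if len(macs) > 1}


# Constructed capture: a DNS exchange between the gateway and a client (MACs
# and IPs as in the thread's Wireshark excerpt), then a third frame in which
# the gateway's IP is sourced from a different, made-up MAC.
GATEWAY_MAC = "00:90:4b:f1:f9:75"
CLIENT_MAC = "00:22:5f:72:6e:b3"
ROGUE_MAC = "00:11:22:33:44:55"   # hypothetical second claimant of 192.168.0.1

SAMPLE_FRAMES = [
    build_frame(GATEWAY_MAC, CLIENT_MAC, "192.168.0.1", "192.168.0.7", 53, 58481, b"dns"),
    build_frame(CLIENT_MAC, GATEWAY_MAC, "192.168.0.7", "192.168.0.1", 58481, 53, b"dns"),
    build_frame(ROGUE_MAC, CLIENT_MAC, "192.168.0.1", "192.168.0.7", 53, 58481, b"dns"),
]

if __name__ == "__main__":
    for f in SAMPLE_FRAMES:
        print(decode_frame(f))
    print("conflicts:", find_mac_conflicts(SAMPLE_FRAMES))
```

The first two frames decode to exactly the address and port pairs quoted in the post; the third makes find_mac_conflicts report 192.168.0.1 with two MACs, which is the signal a NIDS or arpwatch-style monitor keys on. In a real deployment the same rule runs over ARP replies or a switch's DHCP snooping table rather than a list of hand-built frames.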
