operat0r_001 Posted October 24, 2012 Posted October 24, 2012 Mimikatz works but I have been also useing wce.exe and wce32.exe with the -w switch http://www.ampliasecurity.com/research/wcefaq.html#curversion 09/26/2012 - split up fu and fu ripp ... fu.txt and fu_ripp.txt. also updated masspwdumper.exe to include wce.exe (windows credential editor) 08/27/2012 - fu.txt oclHashcat-plus fu .. I know right... my fu.txt is getting out of hand. 08/19/2012 - quickkill.exe Kills all unknown processes to quickly free up memory! tested XP/Win7 BEFORE 80 .. after 48 07/3/2012 - BREAKOUT This app will atempt to BREAK OUT of protected networks by using input IP,PORT as HTTP and SOCKS proxies 06/10/2012 - 650KB/s over open proxies with downloadthemall/rmccurdy.com/scripts/proxy/proxychains.conf I will update the proxycheck script to include thist bit later. 05/22/2012 - some command line fu # set power profile via command line Powercfg.exe /SETACTIVE "Always On" Powercfg.exe /SETACTIVE "Max Battery" #Remove the .NET Credentials (Stored User names and Passwords) Control keymgr.dll 04/24/2012 - Client_Enumeration_Java_Adobe_Reader_flash.zip Client side HTML/Java code to enumerate Java, Adobe Reader and Flash Versions 04/24/2012 - Openvas in Ubuntu echo 'GSA_HTTP_ONLY=1' >> /etc/default/greenbone-security-assistant /etc/init.d/greenbone-security-assistant [ "$GSA_HTTP_ONLY" ] && [ "$GSA_HTTP_ONLY" = 1 ] && DAEMONOPTS="$DAEMONOPTS --http-only" remove src from sources list along with matching the /etc/lsb-release ver too add-apt-repository "deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.XX/ ./" grep -ia open /etc/apt/sources.list deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.04/ ./ #deb-src http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.04/ ./ if you still have issues just run 'killall gsad;sleep 5;gsad --http-only --listen=127.0.0.1 -p 9392 watch -d 'ps axuwww|grep nasl|grep -v grep' view source omp -h 127.0.0.1 -p 9390 -u admin -w password -X "$RANDOM`cat in|sed 's/$/,/g'|tr -d '\n'`" 04/18/2012 - update_nmap_oracle_sids_userpass.exe # sid enum using nmap and metasploits sid.txt 1307 sids in ~8 seconds nmap -n --script=oracle-sid-brute -p 1521-1560 192.168.1.141 # try 1255 user/pass # requires valid SID ( default is XE ) # Performed 1245 guesses in 3 seconds, average tps: 415 nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n 192.168.1.141 # oracle shell using OAT Oracle Audit Tool ose.bat -s 192.168.1.141 -u SYS -p CHANGE_ON_INSTALL -d XE -t Windows 04/17/2012 - Metasploit with Oracle ! ------------------------------------------------------------------------------------- following :http://www.metasploit.com/redmine/projects/framework/wiki/OracleUsage 2:10 PM 4/17/2012 ------------------------------------------------------------------------------------- # Remove ruby using apt or synaptic etc .. apt-get remove ruby # update and install 1.9.1 dev apt-get update apt-get install ruby1.9.1-dev -y mkdir /opt mkdir /opt/oracle # copy zips to /opt/oracle cp *.zip /opt/oracle cd /opt/oracle unzip basic-10.2.0.5.0-linux.zip unzip sdk-10.2.0.5.0-linux.zip unzip sqlplus-10.2.0.5.0-linux.zip cd instantclient_10_2/ ln -s libclntsh.so.10.1 libclntsh.so # add this to ~/.bashrc and also type it in current shell export PATH=$PATH:/opt/oracle/instantclient_10_2 export SQLPATH=/opt/oracle/instantclient_10_2 export TNS_ADMIN=/opt/oracle/instantclient_10_2 export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2 export ORACLE_HOME=/opt/oracle/instantclient_10_2 # wget http://rubyforge.org/frs/download.php/65896/ruby-oci8-2.0.3.tar.gz tar xvzf ruby-oci8-2.0.3.tar.gz cd ruby-oci8-2.0.3/ LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/ export LD_LIBRARY_PATH make make install # download msf .run bin installer # I had to edit the /pentest/exploits/framework/.svn/entries and add www. to the file so you could run svn update cd /pentest/exploits/framework/ svn update # run MSFconsole from /pentest/exploits/framework/ not the init scipt this will allow for use of YOUR env and not the static one for MSF binary cd /pentest/exploits/framework/ ./msfconsole #from msfconsole install ruby-oci8 gem gem install ruby-oci8 If you still get the missing OCI error it is all ruby the oracle client loads after # oracle_login needs nmap > 5.50 ! wget http://nmap.org/dist/nmap-5.51.tgz tar -xvf nmap-5.51.tgzm cd nmap-5.51 ./configure make make install ln -s /usr/local/bin/nmap /usr/bin/nmap --------------- msf stuff --------- # as always you can spool log.log to save logfile or use screen -L # brutes ~576 sids will eat targets file use auxiliary/scanner/oracle/sid_brute set RHOSTS file://home/rmccurdy/oracle run back # This module attempts to authenticate 568 line USERPASS_FILE list # requires SID use auxiliary/scanner/oracle/oracle_login set RPORTS 1521 set RHOSTS file://home/rmccurdy/oracle set SID XE run back # needs oci !!! # This module uses a ~598 line list of well known default authentication credentials to discover easily guessed accounts. use auxiliary/admin/oracle/oracle_login set RHOSTS file://home/rmccurdy/oracle set RPORTS 1521 run back # needs oci !!! # needs full login/password/sid audits database and or user # https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/oracle/oraenum.rb use auxiliary/admin/oracle/oraenum set RHOST 127.0.0.1 set DBPASS TIGER set DBUSER SCOTT set SID ORCL run back 04/17/2012 - Configuring the Scrollback Buffer By default, the scrollback buffer only keeps the last 100 lines of text, which is not enough for my typical interaction with Screen. I’ve found a setting of 5000 lines to be more than adequate for my usage. The number of scrollback lines can be configured in your $HOME/.screenrc file, by adding the following line: defscrollback 5000 04/16/2012 - Block Facebook with Adblock Plus! : Make new custom filter and add these three filters: ||facebook.com$domain=~www.facebook.com ||facebook.net$domain=~www.facebook.com ||fbcdn.net$domain=~www.facebook.com Quote
Recommended Posts
Join the conversation
You can post now and register later. If you have an account, sign in now to post with your account.