operat0r_001 Posted October 24, 2012

Mimikatz works, but I have also been using wce.exe and wce32.exe with the -w switch: http://www.ampliasecurity.com/research/wcefaq.html#curversion

09/26/2012 - split up fu and fu ripp ... fu.txt and fu_ripp.txt. Also updated masspwdumper.exe to include wce.exe (Windows Credential Editor).

08/27/2012 - fu.txt oclHashcat-plus fu .. I know right... my fu.txt is getting out of hand.

08/19/2012 - quickkill.exe Kills all unknown processes to quickly free up memory! Tested XP/Win7: BEFORE 80 .. after 48.

07/3/2012 - BREAKOUT This app will attempt to BREAK OUT of protected networks by using input IP,PORT as HTTP and SOCKS proxies.

06/10/2012 - 650KB/s over open proxies with downloadthemall/rmccurdy.com/scripts/proxy/proxychains.conf. I will update the proxycheck script to include this bit later.

05/22/2012 - some command line fu
# set power profile via command line
Powercfg.exe /SETACTIVE "Always On"
Powercfg.exe /SETACTIVE "Max Battery"
# Remove the .NET Credentials (Stored User names and Passwords)
Control keymgr.dll

04/24/2012 - Client_Enumeration_Java_Adobe_Reader_flash.zip Client side HTML/Java code to enumerate Java, Adobe Reader and Flash versions.

04/24/2012 - OpenVAS in Ubuntu
echo 'GSA_HTTP_ONLY=1' >> /etc/default/greenbone-security-assistant
In /etc/init.d/greenbone-security-assistant:
[ "$GSA_HTTP_ONLY" ] && [ "$GSA_HTTP_ONLY" = 1 ] && DAEMONOPTS="$DAEMONOPTS --http-only"
Remove src from the sources list, and match the /etc/lsb-release version too:
add-apt-repository "deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.XX/ ./"
grep -ia open /etc/apt/sources.list
deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.04/ ./
#deb-src http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.04/ ./
If you still have issues just run:
killall gsad; sleep 5; gsad --http-only --listen=127.0.0.1 -p 9392
watch -d 'ps axuwww|grep nasl|grep -v grep'
omp -h 127.0.0.1 -p 9390 -u admin -w password -X "$RANDOM`cat in|sed 's/$/,/g'|tr -d '\n'`"

04/18/2012 - update_nmap_oracle_sids_userpass.exe
# sid enum using nmap and metasploit's sid.txt: 1307 sids in ~8 seconds
nmap -n --script=oracle-sid-brute -p 1521-1560 192.168.1.141
# try 1255 user/pass
# requires valid SID (default is XE)
# Performed 1245 guesses in 3 seconds, average tps: 415
nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n 192.168.1.141
# oracle shell using OAT Oracle Audit Tool
ose.bat -s 192.168.1.141 -u SYS -p CHANGE_ON_INSTALL -d XE -t Windows

04/17/2012 - Metasploit with Oracle !
-------------------------------------------------------------------------------------
following: http://www.metasploit.com/redmine/projects/framework/wiki/OracleUsage 2:10 PM 4/17/2012
-------------------------------------------------------------------------------------
# Remove ruby using apt or synaptic etc ..
apt-get remove ruby
# update and install 1.9.1 dev
apt-get update
apt-get install ruby1.9.1-dev -y
mkdir /opt
mkdir /opt/oracle
# copy zips to /opt/oracle
cp *.zip /opt/oracle
cd /opt/oracle
unzip basic-10.2.0.5.0-linux.zip
unzip sdk-10.2.0.5.0-linux.zip
unzip sqlplus-10.2.0.5.0-linux.zip
cd instantclient_10_2/
ln -s libclntsh.so.10.1 libclntsh.so
# add this to ~/.bashrc and also type it in current shell
export PATH=$PATH:/opt/oracle/instantclient_10_2
export SQLPATH=/opt/oracle/instantclient_10_2
export TNS_ADMIN=/opt/oracle/instantclient_10_2
export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2
export ORACLE_HOME=/opt/oracle/instantclient_10_2
# wget http://rubyforge.org/frs/download.php/65896/ruby-oci8-2.0.3.tar.gz
tar xvzf ruby-oci8-2.0.3.tar.gz
cd ruby-oci8-2.0.3/
LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/
export LD_LIBRARY_PATH
make
make install
# download msf .run bin installer
# I had to edit /pentest/exploits/framework/.svn/entries and add www. to the file so you could run svn update
cd /pentest/exploits/framework/
svn update
# run msfconsole from /pentest/exploits/framework/, not the init script; this will allow for use of YOUR env and not the static one for the MSF binary
cd /pentest/exploits/framework/
./msfconsole
# from msfconsole install the ruby-oci8 gem
gem install ruby-oci8
If you still get the missing OCI error, it is all Ruby; the Oracle client loads after.
# oracle_login needs nmap > 5.50 !
wget http://nmap.org/dist/nmap-5.51.tgz
tar -xvf nmap-5.51.tgz
cd nmap-5.51
./configure
make
make install
ln -s /usr/local/bin/nmap /usr/bin/nmap
--------------- msf stuff ---------
# as always you can spool log.log to save a logfile or use screen -L
# brutes ~576 sids, will eat targets file
use auxiliary/scanner/oracle/sid_brute
set RHOSTS file://home/rmccurdy/oracle
run
back
# This module attempts to authenticate with a 568 line USERPASS_FILE list
# requires SID
use auxiliary/scanner/oracle/oracle_login
set RPORTS 1521
set RHOSTS file://home/rmccurdy/oracle
set SID XE
run
back
# needs oci !!!
# This module uses a ~598 line list of well known default authentication credentials to discover easily guessed accounts.
use auxiliary/admin/oracle/oracle_login
set RHOSTS file://home/rmccurdy/oracle
set RPORTS 1521
run
back
# needs oci !!!
# needs full login/password/sid; audits database and/or user
# https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/oracle/oraenum.rb
use auxiliary/admin/oracle/oraenum
set RHOST 127.0.0.1
set DBPASS TIGER
set DBUSER SCOTT
set SID ORCL
run
back

04/17/2012 - Configuring the Scrollback Buffer
By default, the scrollback buffer only keeps the last 100 lines of text, which is not enough for my typical interaction with Screen. I’ve found a setting of 5000 lines to be more than adequate for my usage. The number of scrollback lines can be configured in your $HOME/.screenrc file, by adding the following line:
defscrollback 5000

04/16/2012 - Block Facebook with Adblock Plus!
Make a new custom filter and add these three filters:
||facebook.com$domain=~www.facebook.com
||facebook.net$domain=~www.facebook.com
||fbcdn.net$domain=~www.facebook.com
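As an added illustration of how those three Adblock Plus filters are evaluated (my own example, not code from the post or from Adblock Plus): a small Python evaluator for ||-anchored rules carrying a $domain option. It assumes one simplification, that the || anchor matches a whole host and its subdomains (real Adblock Plus treats the text after || as a prefix unless the rule ends in ^), and the request URLs and page hosts in demo() are constructed samples.

```python
from typing import List
from urllib.parse import urlsplit


class DomainRule:
    """One '||host$domain=...' style filter (only this subset is modelled)."""

    def __init__(self, anchor: str, allow_on: List[str], deny_on: List[str]):
        self.anchor = anchor        # host the '||' anchor matches
        self.allow_on = allow_on    # $domain= entries without '~': page hosts the rule applies to
        self.deny_on = deny_on      # $domain=~ entries: page hosts on which the rule is exempt


def host_matches(host: str, pattern: str) -> bool:
    """True if host equals pattern or is a subdomain of it (case-insensitive)."""
    host = host.lower().rstrip(".")
    pattern = pattern.lower().rstrip(".")
    return host == pattern or host.endswith("." + pattern)


def parse_rule(line: str) -> DomainRule:
    """Parse a '||host' rule with an optional '$domain=a|~b' option list.

    Assumption: the '||' anchor is treated as a whole host, so '||facebook.com'
    matches facebook.com and its subdomains only.
    """
    line = line.strip()
    if not line.startswith("||"):
        raise ValueError("only ||-anchored rules are handled: %r" % line)
    body, _, opts = line[2:].partition("$")
    anchor = body.lower().rstrip("^/")
    allow_on, deny_on = [], []
    for opt in filter(None, opts.split(",")):
        key, _, value = opt.partition("=")
        if key != "domain":
            raise ValueError("unsupported option %r in %r" % (opt, line))
        for entry in filter(None, value.split("|")):
            if entry.startswith("~"):
                deny_on.append(entry[1:])
            else:
                allow_on.append(entry)
    return DomainRule(anchor, allow_on, deny_on)


def rule_applies_on(rule: DomainRule, page_host: str) -> bool:
    """Evaluate the $domain option against the host of the page issuing the request."""
    if rule.allow_on and not any(host_matches(page_host, d) for d in rule.allow_on):
        return False
    return not any(host_matches(page_host, d) for d in rule.deny_on)


def is_blocked(rules: List[DomainRule], request_url: str, page_host: str) -> bool:
    """True if any rule blocks request_url when it is loaded from a page on page_host."""
    request_host = urlsplit(request_url).hostname or ""
    return any(
        host_matches(request_host, rule.anchor) and rule_applies_on(rule, page_host)
        for rule in rules
    )


# The three filters from the post.
FILTERS = [
    "||facebook.com$domain=~www.facebook.com",
    "||facebook.net$domain=~www.facebook.com",
    "||fbcdn.net$domain=~www.facebook.com",
]
RULES = [parse_rule(f) for f in FILTERS]


def demo() -> List[bool]:
    """Constructed sample requests; returns the block decision for each."""
    cases = [
        ("https://www.facebook.com/plugins/like.php", "example.com"),  # Like button on a third-party page: blocked
        ("https://static.fbcdn.net/rsrc.js", "www.facebook.com"),      # Facebook's CDN while on www.facebook.com: allowed
        ("https://static.fbcdn.net/rsrc.js", "m.facebook.com"),        # m.facebook.com is not in the exception: blocked
        ("https://notfacebook.com/", "example.com"),                   # different host, anchor does not match: allowed
    ]
    return [is_blocked(RULES, url, page) for url, page in cases]


if __name__ == "__main__":
    for (url, page), blocked in zip(
        [("like.php", "example.com"), ("fbcdn", "www.facebook.com"),
         ("fbcdn", "m.facebook.com"), ("notfacebook", "example.com")], demo()):
        print(url, "on", page, "->", "blocked" if blocked else "allowed")
```

Running the evaluator on the sample cases shows the one thing worth checking before adopting the rule set: the exception only names www.facebook.com, so Facebook's own assets are still blocked on other Facebook subdomains such as m.facebook.com.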