Jump to content

News Update: Mimikatz/wce/fu.txt/find Proxys On Lan/650Kb/s Over Open Proxy/client Side Html/enum Java, Adobe Reader And Flash/nmap & Oracle


operat0r_001
 Share

Recommended Posts

Mimikatz works but I have been also useing wce.exe and wce32.exe with the -w switch

http://www.ampliasecurity.com/research/wcefaq.html#curversion

09/26/2012 - split up fu and fu ripp ... fu.txt and fu_ripp.txt. also updated masspwdumper.exe to include wce.exe (windows credential editor)

08/27/2012 - fu.txt oclHashcat-plus fu .. I know right... my fu.txt is getting out of hand.

08/19/2012 - quickkill.exe Kills all unknown processes to quickly free up memory! tested XP/Win7

BEFORE 80 .. after 48

07/3/2012 - BREAKOUT This app will atempt to BREAK OUT of protected networks by using input IP,PORT as HTTP and SOCKS proxies

06/10/2012 - 650KB/s over open proxies with downloadthemall/rmccurdy.com/scripts/proxy/proxychains.conf

I will update the proxycheck script to include thist bit later.

650KBs_proxy.jpg

05/22/2012 - some command line fu

# set power profile via command line

Powercfg.exe /SETACTIVE "Always On"

Powercfg.exe /SETACTIVE "Max Battery"

#Remove the .NET Credentials (Stored User names and Passwords)

Control keymgr.dll

04/24/2012 - Client_Enumeration_Java_Adobe_Reader_flash.zip Client side HTML/Java code to enumerate Java, Adobe Reader and Flash Versions

04/24/2012 - Openvas in Ubuntu

echo 'GSA_HTTP_ONLY=1' >> /etc/default/greenbone-security-assistant

/etc/init.d/greenbone-security-assistant

[ "$GSA_HTTP_ONLY" ] && [ "$GSA_HTTP_ONLY" = 1 ] && DAEMONOPTS="$DAEMONOPTS --http-only"

remove src from sources list along with matching the /etc/lsb-release ver too

add-apt-repository "deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.XX/ ./"

grep -ia open /etc/apt/sources.list deb http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.04/ ./ #deb-src http://download.opensuse.org/repositories/security:/OpenVAS:/STABLE:/v4/xUbuntu_11.04/ ./

if you still have issues just run 'killall gsad;sleep 5;gsad --http-only --listen=127.0.0.1 -p 9392

watch -d 'ps axuwww|grep nasl|grep -v grep'

view source omp -h 127.0.0.1 -p 9390 -u admin -w password -X "$RANDOM`cat in|sed 's/$/,/g'|tr -d '\n'`"

04/18/2012 - update_nmap_oracle_sids_userpass.exe

# sid enum using nmap and metasploits sid.txt 1307 sids in ~8 seconds

nmap -n --script=oracle-sid-brute -p 1521-1560 192.168.1.141

# try 1255 user/pass

# requires valid SID ( default is XE )

# Performed 1245 guesses in 3 seconds, average tps: 415

nmap --script oracle-brute -p 1521-1560 --script-args oracle-brute.sid=XE -n 192.168.1.141

# oracle shell using OAT Oracle Audit Tool

ose.bat -s 192.168.1.141 -u SYS -p CHANGE_ON_INSTALL -d XE -t Windows

04/17/2012 - Metasploit with Oracle !

-------------------------------------------------------------------------------------

following :http://www.metasploit.com/redmine/projects/framework/wiki/OracleUsage

2:10 PM 4/17/2012

-------------------------------------------------------------------------------------

# Remove ruby using apt or synaptic etc ..

apt-get remove ruby

# update and install 1.9.1 dev

apt-get update

apt-get install ruby1.9.1-dev -y

mkdir /opt

mkdir /opt/oracle

# copy zips to /opt/oracle

cp *.zip /opt/oracle

cd /opt/oracle

unzip basic-10.2.0.5.0-linux.zip

unzip sdk-10.2.0.5.0-linux.zip

unzip sqlplus-10.2.0.5.0-linux.zip

cd instantclient_10_2/

ln -s libclntsh.so.10.1 libclntsh.so

# add this to ~/.bashrc and also type it in current shell

export PATH=$PATH:/opt/oracle/instantclient_10_2

export SQLPATH=/opt/oracle/instantclient_10_2

export TNS_ADMIN=/opt/oracle/instantclient_10_2

export LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2

export ORACLE_HOME=/opt/oracle/instantclient_10_2

# wget http://rubyforge.org/frs/download.php/65896/ruby-oci8-2.0.3.tar.gz

tar xvzf ruby-oci8-2.0.3.tar.gz

cd ruby-oci8-2.0.3/

LD_LIBRARY_PATH=/opt/oracle/instantclient_10_2/

export LD_LIBRARY_PATH

make

make install

# download msf .run bin installer

# I had to edit the /pentest/exploits/framework/.svn/entries and add www. to the file so you could run svn update

cd /pentest/exploits/framework/

svn update

# run MSFconsole from /pentest/exploits/framework/ not the init scipt this will allow for use of YOUR env and not the static one for MSF binary

cd /pentest/exploits/framework/

./msfconsole

#from msfconsole install ruby-oci8 gem

gem install ruby-oci8

If you still get the missing OCI error it is all ruby the oracle client loads after

# oracle_login needs nmap > 5.50 !

wget http://nmap.org/dist/nmap-5.51.tgz

tar -xvf nmap-5.51.tgzm

cd nmap-5.51

./configure

make

make install

ln -s /usr/local/bin/nmap /usr/bin/nmap

--------------- msf stuff ---------

# as always you can spool log.log to save logfile or use screen -L

# brutes ~576 sids will eat targets file

use auxiliary/scanner/oracle/sid_brute

set RHOSTS file://home/rmccurdy/oracle

run

back

# This module attempts to authenticate 568 line USERPASS_FILE list

# requires SID

use auxiliary/scanner/oracle/oracle_login

set RPORTS 1521

set RHOSTS file://home/rmccurdy/oracle

set SID XE

run

back

# needs oci !!!

# This module uses a ~598 line list of well known default authentication credentials to discover easily guessed accounts.

use auxiliary/admin/oracle/oracle_login

set RHOSTS file://home/rmccurdy/oracle

set RPORTS 1521

run

back

# needs oci !!!

# needs full login/password/sid audits database and or user

# https://github.com/rapid7/metasploit-framework/blob/master/modules/auxiliary/admin/oracle/oraenum.rb

use auxiliary/admin/oracle/oraenum

set RHOST 127.0.0.1

set DBPASS TIGER

set DBUSER SCOTT

set SID ORCL

run

back

04/17/2012 - Configuring the Scrollback Buffer

By default, the scrollback buffer only keeps the last 100 lines of text, which is not enough for my typical interaction with Screen. I’ve found a setting of 5000 lines to be more than adequate for my usage. The number of scrollback lines can be configured in your $HOME/.screenrc file, by adding the following line:

defscrollback 5000

04/16/2012 - Block Facebook with Adblock Plus! :

Make new custom filter and add these three filters:

||facebook.com$domain=~www.facebook.com

||facebook.net$domain=~www.facebook.com

||fbcdn.net$domain=~www.facebook.com

Link to comment
Share on other sites

Join the conversation

You can post now and register later. If you have an account, sign in now to post with your account.

Guest
Reply to this topic...

×   Pasted as rich text.   Paste as plain text instead

  Only 75 emoji are allowed.

×   Your link has been automatically embedded.   Display as a link instead

×   Your previous content has been restored.   Clear editor

×   You cannot paste images directly. Upload or insert images from URL.

 Share

  • Recently Browsing   0 members

    • No registered users viewing this page.
×
×
  • Create New...