Port 135 (client-server communications)
Ports 139, 445 (authentication and file sharing)
Ports 137, 138 (NetBIOS browser, name and lookup functions)
Look for port 135 endpoint mapping, which includes Microsoft Outlook, Exchange and the Messenger Service.
Nmap the server to look for port 135.
Run rpcscan or epdump against the server over TCP or UDP port 135.
If UDP ports 1028 or 1029 or TCP port 1025 are open, run rpcscan over those ports as well.
Look for IFID 12345778-1234-abcd-ef00-0123456789ab and 12345778-1234-abcd-ef00-0123456789ac for the LSA and SAMR interfaces respectively. These are found on all Windows NT-family systems via named pipes, accessible through an SMB session over TCP port 139 or 445.
If the SAMR interface is present, run a walksam query to glean user information.
Run rpcclient from BackTrack if a valid username and password are available; the LSARPC interface must be present.
Compromise the admin password using the brute-force tool WMICracker.
Use Remoxec to execute arbitrary commands.
Verify whether the server is vulnerable to the RPC DCOM exploits. If patches MS03-026 and MS03-039 are applied, nothing can be done; otherwise download exploits from:
http://packetstormsecurity.org/0307-exploits/dcom.c
http://packetstormsecurity.org/0307-exploits/DComExpl_UnixWin32.zip
http://packetstormsecurity.org/0307-exploits/rpcdcom.101.zip
http://packetstormsecurity.org/0307-exploits/oc192-dcom.c
http://examples.oreilly.com/networksa/tools/dcom-exploits.zip
http://www.securityfocus.com/bid/8205/exploit/
The DCOM interface can be exploited through:
TCP and UDP port 135 (through the RPC server service)
TCP ports 139 and 445 (through SMB and named pipes)
TCP port 593 (through COM Internet Services, if installed)
Use kaHt2 to obtain a remote shell.
Use the SPIKE msrpcfuzz fuzzer to stress-test the service.
-----------------------------------------------------------------------------------------
NetBIOS Name Service (UDP port 137)
Dumping the NetBIOS name table: nbtstat -A 192.168.1.152
Local Area Connection:
Node IpAddress: [192.168.1.20] Scope Id: []
NetBIOS Remote Machine Name Table
Name Type Status
---------------------------------------------
CARAA <00> UNIQUE Registered
WORKGROUP <00> GROUP Registered
CARAA <20> UNIQUE Registered
WORKGROUP <1E> GROUP Registered
MAC Address = 00-0D-88-CB-30-0B
------------------------------------------------
<00> UNIQUE: hostname
<00> GROUP: domain name
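The nbtstat table above is easy to read by hand for one host but tedious across a subnet. The following parser is an added example, not code from the original post: it turns nbtstat -A output into records, decodes the well-known NetBIOS suffixes (the <00>, <20> and <1E> values shown above plus a few other standard ones), and reports what a defender cares about, namely which hosts advertise the File Server Service (<20>, i.e. SMB file sharing reachable over 139/445). The sample output embedded in the block is constructed to mirror the listing above; the function names and the SUFFIX_MEANING table are this example's own.

```python
import re
from typing import Dict, List

# Constructed sample mirroring the "nbtstat -A <ip>" listing shown above.
SAMPLE_NBTSTAT_OUTPUT = """\
Local Area Connection:
Node IpAddress: [192.168.1.20] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    CARAA          <00>  UNIQUE      Registered
    WORKGROUP      <00>  GROUP       Registered
    CARAA          <20>  UNIQUE      Registered
    WORKGROUP      <1E>  GROUP       Registered

    MAC Address = 00-0D-88-CB-30-0B
"""

# Well-known meanings of the 16th-byte NetBIOS suffix, keyed by (suffix, type).
# This table is the example's own; the page itself only documents <00>.
SUFFIX_MEANING = {
    ("00", "UNIQUE"): "Workstation Service (hostname)",
    ("00", "GROUP"): "Domain/workgroup name",
    ("03", "UNIQUE"): "Messenger Service",
    ("20", "UNIQUE"): "File Server Service (SMB file sharing)",
    ("1B", "UNIQUE"): "Domain Master Browser",
    ("1C", "GROUP"): "Domain Controllers",
    ("1D", "UNIQUE"): "Master Browser",
    ("1E", "GROUP"): "Browser Service Elections",
}

# One table row: NAME <XX> UNIQUE|GROUP Status. NetBIOS names containing spaces
# are not handled by this simple pattern.
ENTRY_RE = re.compile(
    r"^\s*(\S+)\s+<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)\s*$"
)
MAC_RE = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f]{2}(?:-[0-9A-Fa-f]{2}){5})")


def parse_nbtstat(text: str) -> Dict:
    """Parse nbtstat -A output into a list of name-table entries plus the MAC."""
    entries: List[Dict] = []
    mac = None
    for line in text.splitlines():
        m = ENTRY_RE.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            suffix = suffix.upper()
            entries.append({
                "name": name,
                "suffix": suffix,
                "type": ntype,
                "status": status,
                "meaning": SUFFIX_MEANING.get((suffix, ntype), "unknown/other"),
            })
            continue
        mm = MAC_RE.search(line)
        if mm:
            mac = mm.group(1).upper()
    return {"entries": entries, "mac": mac}


def summarize(parsed: Dict) -> Dict:
    """Reduce the table to the facts an inventory wants: names, workgroups,
    whether file sharing is advertised, and the MAC for asset correlation."""
    hostnames = sorted({e["name"] for e in parsed["entries"]
                        if e["suffix"] == "00" and e["type"] == "UNIQUE"})
    workgroups = sorted({e["name"] for e in parsed["entries"]
                         if e["suffix"] == "00" and e["type"] == "GROUP"})
    file_sharing = any(e["suffix"] == "20" and e["type"] == "UNIQUE"
                       for e in parsed["entries"])
    return {
        "hostnames": hostnames,
        "workgroups": workgroups,
        "file_sharing_advertised": file_sharing,
        "mac": parsed["mac"],
    }


if __name__ == "__main__":
    parsed = parse_nbtstat(SAMPLE_NBTSTAT_OUTPUT)
    for e in parsed["entries"]:
        print(f"{e['name']:<16} <{e['suffix']}> {e['type']:<7} {e['meaning']}")
    print(summarize(parsed))
```

Feed it the saved output of nbtstat -A for each host and the summary gives a quick list of machines still advertising SMB file sharing on the old NetBIOS ports, which is the set to review for the 139/445 and MS03-026/MS03-039 exposure discussed above.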
Saturday, 16 June 2007
Hacking Old Skoolz Windows