
root@bt:~# nmap -sS -sC IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 201-02-22 10:49 BST
Nmap scan report for IP-Address
Host is up (0.00043s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet

25/tcp   open  smtp
| smtp-commands: 1.PC.com Hello [IP-ADDRESS], SIZE 2097152, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY

80/tcp   open  http
|_http-title: 1
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_See http://nmap.org/nsedoc/scripts/http-methods.html

135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1028/tcp open  unknown
3389/tcp open  ms-term-serv

MAC Address: 00:00:10:90:26:41 (Micky Mouse Computer Systems)

Host script results:
|_nbstat: NetBIOS name: 1, NetBIOS user: <unknown>, NetBIOS MAC: 00:00:10:90:26:41 (Micky Computer Systems)
|_smbv2-enabled: Server doesn’t support SMBv2 protocol
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: 1
|   Domain name: PC.com
|   Forest name: PC.com
|   FQDN: 1.PC.com
|   NetBIOS computer name: 1
|   NetBIOS domain name: PC
|_  System time: 201-02-22 10:49:18 UTC+1

| ms-sql-info:
|   Windows server name: 1
|   [IP-Address\SQLEXPRESS]
|     Instance name: SQLEXPRESS
|     Version: Microsoft SQL Server 2005 RTM
|       Version number: 9.00.1399.00
|       Product: Microsoft SQL Server 2005
|       Service pack level: RTM
|       Post-SP patches applied: No
|     TCP port: 1894
|_    Clustered: No

Where do you start?
1. OS: Windows XP + 445/tcp open microsoft-ds = MS08-067 http://www.myexploit.wordpress.com/control-metasploit-ms08_067_netapi. Dull, dull, dull: we want to exploit the app. The SMB buffer overflow is far too easy, so we ignore it.

Yet, just to prove it was vulnerable to it:
To test that it is VULNERABLE via nmap, use --script smb-check-vulns.nse

root@bt:~# nmap -sU -sS --script smb-check-vulns.nse -p U:137,T:139  IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 201-02-22 11:05 BST
Nmap scan report for IP-Address
Host is up (0.00043s latency).
PORT    STATE SERVICE
139/tcp open  netbios-ssn
137/udp open  netbios-ns
MAC Address: 00:00:10:90:26:41 (Micky Computer Systems)

Host script results:
| smb-check-vulns:
|   MS08-067: VULNERABLE
|   Conficker: Likely CLEAN
|   regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
|   MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_  MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap done: 1 IP address (1 host up) scanned in 0.37 seconds

2. 80/tcp   open  http
|_http-title: 1
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_See http://nmap.org/nsedoc/scripts/http-methods.html

So off to http://nmap.org/nsedoc/scripts/http-methods.html I went, and got:

Object not found!

The requested URL was not found on this server. If you entered the URL manually please check your spelling and try again.

If you think this is a server error, please contact the webmaster.

Error 404

A quick URL frig to http://nmap.org/nsedoc/scripts/ to look for http-methods: lots of interesting http pages.
Wondering at this point what version of IIS it uses, so to find out, telnet to port 80 and type a GET command.

3. root@bt:~# telnet IP-Address 80
Trying IP-Address…
Connected to IP-Address.
Escape character is '^]'.
GET
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.1
Date: Thu, 22 Feb 2011 10:19:43 GMT
Content-Type: text/html
Content-Length: 87

<html><head><title>Error</title></head><body>The parameter is incorrect. </body></html>Connection closed by foreign host.

OK, so back to http://nmap.org/nsedoc/scripts/ to look for any IIS goodies.

--script=http-date
Gets the date from HTTP-like services. Also prints how much the date differs from local time.
Local time is the time the HTTP request was sent, so the difference includes at least the duration of one RTT.

root@bt:~# nmap -sV --script=http-date -p80 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2011-05-24 11:30 BST
Nmap scan report for IP-Address
Host is up (0.00072s latency).
PORT   STATE SERVICE VERSION
80/tcp open  http    Microsoft IIS httpd 5.1
|_http-date: Thu, 10 Jan 2011 10:30:42 GMT; 52s from local time.

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.44 seconds

OK, I got bored of Nmap plugins, so I thought I would pull in the big guns and then come back to nmap.

4. Nikto

http://www.myexploit.wordpress.com/information-gathering-nikto/

root@bt:~# cd /pentest/web/nikto
root@bt:/pentest/web/nikto# ./nikto.pl -h IP-Address
– Nikto v2.1.5
—————————————————————————
+ Target IP:          IP-Address
+ Target Hostname:    IP-Address
+ Target Port:        80
+ Start Time:         2011-04-22 11:34:05 (GMT1)
—————————————————————————
+ Server: Microsoft-IIS/5.1
+ Retrieved x-powered-by header: ASP.NET
+ Retrieved x-aspnet-version header: 1.1.4322
+ Retrieved dasl header: <DAV:sql>
+ Retrieved dav header: 1, 2
+ Retrieved ms-author-via header: DAV
+ Allowed HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH

+ OSVDB-5646: HTTP method (‘Allow’ Header): ‘DELETE’ may allow clients to remove files on the web server.

+ OSVDB-397: HTTP method (‘Allow’ Header): ‘PUT’ method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method (‘Allow’ Header): ‘MOVE’ may allow clients to change file locations on the web server.
+ Public HTTP Methods: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
+ OSVDB-5646: HTTP method (‘Public’ Header): ‘DELETE’ may allow clients to remove files on the web server.
+ OSVDB-397: HTTP method (‘Public’ Header): ‘PUT’ method could allow clients to save files on the web server.
+ OSVDB-5647: HTTP method (‘Public’ Header): ‘MOVE’ may allow clients to change file locations on the web server.
+ WebDAV enabled (SEARCH UNLOCK LOCK MKCOL COPY PROPPATCH PROPFIND listed as allowed)
+ OSVDB-13431: PROPFIND HTTP verb may show the server’s internal IP address: http://IP-Address/
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-877: HTTP TRACK method is active, suggesting the host is vulnerable to XST
+ Default account found for ‘IP-Address’ at /localstart.asp (ID ‘Administrator’, PW ”). Generic account discovered.
+ OSVDB-3092: /iishelp/iis/misc/default.asp: Default IIS page found.
+ 6474 items checked: 0 error(s) and 19 item(s) reported on remote host
+ End Time:           2011-05-24 11:34:43 (GMT1) (38 seconds)
—————————————————————————
+ 1 host(s) tested
So many finds, not sure where to start. OK, after some toying, WebDAV seemed like a good place to start.

5. Metasploit
http://www.myexploit.wordpress.com/control-metasploit-auxiliary_scanner_http

msf  auxiliary(pcanywhere_udp) > use auxiliary/scanner/http/dir_webdav_unicode_bypass
set rhosts IP-Address
rhosts => IP-Address
msf  auxiliary(dir_webdav_unicode_bypass) > run

[*] Using code ‘404’ as not found.
[*] Found protected folder http://IP-Address:80/printers/ 401 (IP-Address)
[*]     Testing for unicode bypass in IIS6 with WebDAV enabled using PROPFIND request.
[*]     Found vulnerable WebDAV Unicode bypass target http://IP-Address:80/%c0%afprinters/ 207 (IP-Address)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Great, found vulnerable to WebDAV Unicode bypass: target http://IP-Address:80/%c0%afprinters/. A quick browse to this shows -2146893039 (0x80090311).
What does it mean? A quick Google: SSPI handshake failed with error code 0x80090311 while establishing a connection with integrated security; the connection has been closed.

Trying all from http://www.myexploit.wordpress.com/control-metasploit-auxiliary_scanner_http, I found an interesting result for mssql_ping:

msf  auxiliary(dir_scanner) > use auxiliary/scanner/mssql/mssql_ping
msf  auxiliary(mssql_ping) > set rhosts IP-Address
rhosts => IP-Address
msf  auxiliary(mssql_ping) > run

[*] SQL Server information for IP-Address:
[+]    ServerName      = PC
[+]    InstanceName    = SQLEXPRESS
[+]    IsClustered     = No
[+]    Version         = 9.00.1399.06
[+]    tcp             = 1894
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

I thought I would try Burp to try a DELETE or PUT:
root@bt:/pentest/web/burpsuite# java -jar burpsuite_v1.4.01.jar

Proxy up on 127.0.0.1 port 8080; in Firefox, access the site.
Then on the Repeater tab:

host = IP-Address
port = 80

Request raw, type in:
DELETE /1.html HTTP/1.1

Go

Response raw:
HTTP/1.1 400 Bad Request
Server: Microsoft-IIS/5.1
Date: Thu, 24 May 2011 11:43:38 GMT
Connection: close

No good, kept getting Bad Request, so back to Nmap and time to use a script again:

--script=http-methods.nse

root@bt:~# nmap --script=http-methods.nse --script-args http-methods.retest=1 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2011-02-22 12:45 BST
Nmap scan report for IP-Address
Host is up (0.00047s latency).
Not shown: 991 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
25/tcp   open  smtp
80/tcp   open  http
| http-methods: OPTIONS TRACE GET HEAD COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT POST MOVE MKCOL PROPPATCH
| Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
| See http://nmap.org/nsedoc/scripts/http-methods.html
| OPTIONS / -> HTTP/1.1 200 OK
|
| TRACE / -> HTTP/1.1 200 OK
|
| GET / -> HTTP/1.1 200 OK
|
| HEAD / -> HTTP/1.1 200 OK
|
| COPY / -> HTTP/1.1 400 Bad Request
|
| PROPFIND / -> HTTP/1.1 411 Length Required
|
| SEARCH / -> HTTP/1.1 411 Length Required
|
| LOCK / -> HTTP/1.1 403 Forbidden
|
| UNLOCK / -> HTTP/1.1 400 Bad Request
|
| DELETE / -> HTTP/1.1 403 Forbidden
|
| PUT / -> HTTP/1.1 403 Forbidden
|
| POST / -> HTTP/1.1 405 Method not allowed
|
| MOVE / -> HTTP/1.1 403 Forbidden
|
| MKCOL / -> HTTP/1.1 403 Forbidden
|
|_PROPPATCH / -> HTTP/1.1 403 Forbidden
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1027/tcp open  IIS
3389/tcp open  ms-term-serv

Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds

So the only options, it looks like, are:

| OPTIONS / -> HTTP/1.1 200 OK
|
| TRACE / -> HTTP/1.1 200 OK
|
| GET / -> HTTP/1.1 200 OK
|
| HEAD / -> HTTP/1.1 200 OK

That's why they were all bad!!!!!!! Should have nmap'd it 1st!
6. RESTClient Firefox plugin
On this travel I found out about the RESTClient plugin, very nice!

Back to Burp, Repeater tab.

Request raw:
TRACE /HacmeBank_v2_Website/aspx/images/ HTTP/1.1
Host: IP-Address
Content-Length: 184

TRACE simply returns any string that is sent to the web server.
As we can see, the response body is exactly a copy of our original request, meaning that our target allows this method

response raw
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Thu, 24 May 2011 12:23:53 GMT
X-Powered-By: ASP.NET
Content-Type: message/http
Content-Length: 327

TRACE /HacmeBank_v2_Website/aspx/images/ HTTP/1.1
Host: IP-Address
Content-Length: 184
Authorization: Basic MTE6MjNPY3RvYmVyMTk3OA==

TRACE simply returns any string that is sent to the web server.
As we can see, the response body is exactly a copy of our original request, meaning that our target allows this method.
Look, it also returns Authorization: Basic MTE6MjNPY3RvYmVyMTk3OA==
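A check for what the Repeater output above shows by eye, as an added Python example that is not part of the original post: it parses a captured TRACE response, confirms the server actually reflected the request (200 with Content-Type message/http), and lists which credential-bearing request headers came back in the echo, which is what turns an enabled TRACE into an XST finding. The sample response is constructed from the exchange above with a placeholder credential, and the 405 sample shows what a server with TRACE disabled answers.

```python
from typing import Dict, List, Tuple

# Request headers whose echo in a TRACE body hands a cross-site script the
# user's credentials, which is the whole point of an XST attack.
SENSITIVE = ("authorization", "proxy-authorization", "cookie")

def parse_http_message(raw: bytes) -> Tuple[str, Dict[str, str], bytes]:
    """Split a raw HTTP message into start line, lower-cased headers and body."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return lines[0], headers, body

def trace_echo_leaks(raw_response: bytes) -> List[str]:
    """Names of credential headers a TRACE response reflected back.

    Only a 200 with Content-Type message/http is an echo; anything else
    (405, 501, a redirect) means TRACE is off and nothing leaks.
    """
    status, headers, body = parse_http_message(raw_response)
    if " 200 " not in status or not headers.get("content-type", "").startswith("message/http"):
        return []
    _, echoed, _ = parse_http_message(body)   # the body is our own request
    return [name for name in SENSITIVE if name in echoed]

# Constructed sample modelled on the IIS 5.1 exchange in the post; the Basic
# credential is a placeholder (user:placeholder), not the value from the page.
TRACE_ENABLED = (
    b"HTTP/1.1 200 OK\r\n"
    b"Server: Microsoft-IIS/5.1\r\n"
    b"Content-Type: message/http\r\n"
    b"\r\n"
    b"TRACE /HacmeBank_v2_Website/aspx/images/ HTTP/1.1\r\n"
    b"Host: target.example\r\n"
    b"Authorization: Basic dXNlcjpwbGFjZWhvbGRlcg==\r\n"
    b"\r\n"
    b"TRACE simply returns any string that is sent to the web server.\r\n"
)
# What a server with TRACE switched off answers instead (constructed).
TRACE_DISABLED = b"HTTP/1.1 405 Method Not Allowed\r\nAllow: GET, HEAD, POST\r\n\r\n"

if __name__ == "__main__":
    print("leaked via TRACE:", trace_echo_leaks(TRACE_ENABLED))   # ['authorization']
    print("leaked via TRACE:", trace_echo_leaks(TRACE_DISABLED))  # []
```

Run it against your own server's TRACE reply after disabling the method and the list should be empty.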

Testing for arbitrary HTTP methods

Find a page you’d like to visit that has a security constraint such that it would normally force a 302 redirect to a login page or forces a login directly. The test URL in this example works like this – as do many web applications. However, if you obtain a “200” response that is not a login page, it is possible to bypass authentication and thus authorization.

root@bt:~# nc IP-Address 80
JEFF / HTTP/1.1
Host: http://www.example.com

HTTP/1.1 501 Not Implemented
Server: Microsoft-IIS/5.1
Date: Thu, 22 Jan 2011 12:31:54 GMT
X-Powered-By: ASP.NET
Connection: close
Content-Type: text/html
Content-Length: 50

<body><h2>HTTP/1.1 501 Not Implemented</h2></body>root@bt:~#

If your framework, firewall or application does not support the “JEFF” method, it should issue an error page (or preferably a 405 Not Allowed or 501 Not Implemented error page). If it services the request by giving you a
HTTP/1.1 200 OK
Date: Mon, 18 Aug 2008 22:38:40 GMT
Server: Apache
Set-Cookie: PHPSESSID=K53QW…

it is vulnerable to this issue.
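The method-by-method triage the post does by eye, over the nmap http-methods results earlier and the arbitrary-method (JEFF) probe just above, as an added Python example that is not part of the original post: it parses the per-method lines, treats a 2xx for any verb outside GET/HEAD/POST/OPTIONS as a finding (TRACE here; a made-up verb answered with 200 counts the same), and marks 400/411 as inconclusive, because PROPFIND and SEARCH normally need a body and a bodiless probe proves nothing about whether they are enabled. The sample output is constructed from the scan above.

```python
import re
from typing import Dict, List, NamedTuple

# Verbs an ordinary web app needs; a 2xx for any other verb (WebDAV, TRACE, a made-up JEFF) is a finding.
EXPECTED = {"GET", "HEAD", "POST", "OPTIONS"}
# Codes that reject the probe's shape, not its verb: 411 because PROPFIND and
# SEARCH want a body, 400 for a malformed request. They prove nothing.
INCONCLUSIVE = {400, 411}
# nmap http-methods lines: "| OPTIONS / -> HTTP/1.1 200 OK", "|_PUT / -> ..."
LINE_RE = re.compile(r"^\|_?\s*([A-Z]+)\s+\S+\s+->\s+HTTP/\d\.\d\s+(\d{3})")

class Probe(NamedTuple):
    method: str
    code: int

def parse_http_methods(output: str) -> List[Probe]:
    """Pull (method, status code) pairs out of nmap http-methods output."""
    probes = []
    for line in output.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            probes.append(Probe(m.group(1), int(m.group(2))))
    return probes

def triage(probes: List[Probe]) -> Dict[str, List[str]]:
    """Sort probed verbs into what a reviewer has to act on."""
    out = {"expected": [], "accepted_risky": [], "inconclusive": [], "blocked": []}
    for method, code in probes:
        if 200 <= code < 300:
            out["expected" if method in EXPECTED else "accepted_risky"].append(method)
        elif code in INCONCLUSIVE:
            out["inconclusive"].append(method)
        else:
            out["blocked"].append(method)
    return out

# Constructed sample: a subset of the per-method lines from the nmap run above.
SAMPLE_NMAP_OUTPUT = """\
| OPTIONS / -> HTTP/1.1 200 OK
| TRACE / -> HTTP/1.1 200 OK
| COPY / -> HTTP/1.1 400 Bad Request
| PROPFIND / -> HTTP/1.1 411 Length Required
| DELETE / -> HTTP/1.1 403 Forbidden
| POST / -> HTTP/1.1 405 Method not allowed
|_PROPPATCH / -> HTTP/1.1 403 Forbidden
"""

if __name__ == "__main__":
    # The nc probe with the bogus verb JEFF, added by hand; 501 means refused.
    print(triage(parse_http_methods(SAMPLE_NMAP_OUTPUT) + [Probe("JEFF", 501)]))
```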

Back to using the RESTClient Firefox plugin:

GET http://IP-Address/Default.htm, Send.
Under Response, Response Body (Raw) shows a great example of Path Disclosure:
src=”file:///C:/Documents%20and%20Settings/All%20Users/Documents/My%20Pictures/Sample%20Pictures/Blue%20hills.jpg”></a><br>

Full Path Disclosure by itself is not very powerful, but is very effective when trying to find out more information about the target server while performing other hacks, such as LFI (refer to prior article). Basically, a full path disclosure is displaying to the attacker the exact location of the current file, which in turn could be used to better navigate through the site or server.

root@bt:/pentest/web/vega

MyExploitHQ
