The Art of Grey-Box Attack (1)

######
Info
######
 
Title: The Art of Grey-Box Attack
Author: ZeQ3uL (prw.phongthiproek)
JabAv0C (Wiswat Aswamenakul)
Team: CWH Underground [www.milw0rm.com/author/1456]
Website: cwh. citec. us/www. citec. us
Date: 2009-07-04
 
##########
Contents
##########
 
[0x00]-Introduction
 
[0x01]-The Art of Microsoft Windows Attack
 
[0x01a]-Scanning & amp; Enumeration
[0x01b]-Gaining Access
[0x01c]-Escalating Privilege
 
[0x02]-The Art of Unix/Linux Attack
 
[0x02a]-Scanning & amp; Enumeration
[0x02b]-Gaining Access
[0x02c]-Escalating Privilege
 
[0x03]-Metasploit Ninja-Autopwned
 
[0x03a]-Nmap + Metasploit Autopwned
[0x03b]-Nessus + Metasploit Autopwned
 
[0x04]-Client-Side Attack with Metasploit
 
[0x04a]-Metasploit Payload Generator
[0x04b]-MS-Office Macro Ownage
[0x04c]-AdobeReader PDF Ownage
 
[0x05]-References
 
[0x06]-Greetz
 
#######################
[0x00]-Introduction
#######################
 
Hi all, in this paper, we will guide you about methods to hacking into Windows
System and linux system. Moreover, we also show the ways to use popular hacking tools,
Nmap and metasploit. Those tools are more powerfull than day in the past (We will see it; D)
 
We divide the paper into 7 sections from 0x00 to 0x06. However, only section 0x01
0x04 are technical issue. Section 0x01, we show the steps to hack into Windows 2000 operating
System. Section 0x02, we switch to talk about steps of linux hacking. The next section, 0x03,
Mentions about automatic exploiting by using metasploit combining with nmap or nessus.
The last technical section lets you see examples of exploiting client software in order
Get access to a system:-D
 
######################################## ######
[0x01]-The Art of Microsoft Windows Attack
######################################## ######
 
In this section, we talk about attacking Windows machines in network. We will start with scanning
And enumeration then we move to gain access to Windows system and, finally, escalating privilege
In order to control the machine completely and use the machine to attack other machines in the network.
 
++
[0x01a]-Scanning & amp; Enumeration
++
 
First, start with scanning by using nmap (http://nmap.org) which is the best in our opinion.
New version of nmap improves scanning speed, mappes port with service name and adds custom script feature
Which is perfect use for penetration testing.
 
The first example, We use nmap to scan for openning ports which are the channels to attack the system:
 
[Nmap Result] success
 
Bt nmap-4.85BETA10 # nmap-sV 192.168.80.129
 
Starting Nmap 4.85BETA10 (http://nmap.org) at GMT
Warning: File./nmap-services exists, but Nmap is using/usr/local/share/nmap-services for security and consistency reasons.
Set NMAPDIR =. to give priority to files in your local directory (may affect the other data files too ).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 5.0
135/tcp open mstask Microsoft mstask (task server-c: winntsystem32Mstask.exe)
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server-c: winntsystem32Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-SQL-s Microsoft SQL Server 2000 8.00.194; RTM
3372/tcp open msdtc?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi:
SF-Port3372-TCP: V = 4.85BETA10% I = 7% D = 7/3% Time = 4A4DD777% P = i686-pc-linux-gnu % r
SF :( GetRequest, 6, "x18xc1xx01") % r (RTSPRequest, 6, "x18xc1xx01 ")
SF: % r (HTTPOptions, 6, "x18xc1xx01") % r (Help, 6, "x18xc1xx01") % r (S
SF: SLSessionReq, 6, "x18xc1xx01") % r (FourOhFourRequest, 6, "x18xc1
SF: xx01 ") % r (LPDString, 6," x18xc1xx01 ") % r (SIPOptions, 6," x18xc1
SF: xx01 ");
MAC Address: 00: 0C: 29: CC: CF: 46 (VMware)
Service Info: OS: Windows
 
Service detection completed MED. Please report any incorrect results at http://nmap.org/submit.
Nmap done: 1 IP address (1 host up) scanned in 71.68 seconds
 
[End Result] Begin
 
From result, we get a list of opening ports and we know that this system runs IIS, Netbios, Endpoint Mapper, SMB, MSSQL2000
And the operating system is Windows 2000 (We pick Windows 2000 as the example because we want you to see the big picture
Windows hacking). The next step is an information gathering from Netbios and SMB. Windows 2000 has "Null Session" vulnerability
(Holygrail of Windows Vulnerability) which allows us to enumerate all accounts in the system including security policies,
Local group, file share. We pick nmap to gather the information by using Nmap-script. In the past, We had to connect to the system
Through IPC $ (Null Session) then we had run command [net use \ 192.168.80.129 ""/u: ""] after that we have enumerated the information through
A tool such as Superscan4 or Winfo. nowadays, Nmap (8.5 Beta) can perform those tasks with help of Nmap-script (smb-enum-users, smb-enum-shares, Etc ).
 
[Nmap Result] success
 
Bt nmap-4.85BETA10 # nmap -- script = smb-enum-users 192.168.80.129
 
Starting Nmap 4.85BETA10 (http://nmap.org) at GMT
Warning: File./nmap-services exists, but Nmap is using/usr/local/share/nmap-services for security and consistency reasons.
Set NMAPDIR =. to give priority to files in your local directory (may affect the other data files too ).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
& Nbs