
Upload: long-mai

Post on 08-Apr-2018


TRANSCRIPT

Page 1: Exploiting With it

8/6/2019 Exploiting With it

http://slidepdf.com/reader/full/exploiting-with-it 1/11

Exploiting with Metasploit - Hacking Windows XP Box

Tags: Exploit, Hacking, Remote, Windows

Art of exploitation - Mastering a PC on the net

Distribution: Backtrack 2 Final
Wi-Fi: CM9, Yagi 17 dB (driver: patched madwifi)
Applications: Aircrack, Kismet, Nmap, Ettercap, Metasploit
Box: PI, 233 MHz, 160 MB RAM
Comes in useful: one active downloader on a p2p net

Note: This is a description of a real situation. The critical moments are shown in the promo.

The Internet is full of Wi-Fi hardware offers, rules and regulations. But information about chipsets, transmit power regulation and security problems is treated as useless. Most commercial wireless providers sell an Internet connection that can easily be eavesdropped on. Nobody cares that your communication can easily be overheard or manipulated.

This text describes how that situation comes about. Looking for information about "what I buy" and "what I risk" = 1/2 + 0. When the access point is the gateway to the Internet, there is no difference between the countryside and the city centre. The user is extremely interested in transmit power, shaping or TTL. Wireless is the last mile, but at the same time it is the first mile for uninvited guests. Many factors and facts help this situation. Firstly, it is a trap sanctified by regulation. Public and related administrative institutions use win$ and distribute it into schools. The result? A teenager's first OS is a commercial operating system. 80% of PCs in the Czech Republic will run on an Administrator account for at least 5 years. Is this the first or the last mile?

1. Inventory. Scan & research. Kismet is undetectable and its potential is limited only by one's understanding. For non-Linux users willing to test their own vulnerability, an old PI with a wireless and an ethernet card is the right solution. The Backtrack distribution will run on a 233 MHz CPU with 128 MB RAM. The Navi box with Kismet and Airodump can be operated even from Windows with the help of an SSH console, which exists under the name SSH Secure Shell Client. [It is then not necessary to have your own monitor, keyboard and mouse.] The login is direct, as is the control. Login [email protected] and password.

Page 2: Exploiting With it


Installing and configuring the Linux box requires at least basic knowledge. Backtrack contains a lot of applications and will also serve as an educational Linux server. What is not included can be installed additionally.

1.2 Log analysis. Every log can be saved for future examination. If you don't want to spend ages on it, a casual screening of the logs will still provide you with basic information.

1.3 Encrypted vs. open. It depends on how many cups of coffee you have had and what mood you are in. A team of downloaders solves the situation.

1.4 Know your own distribution. It is possible to learn from a manual, but it is difficult to get things done with your nose buried in tons of paper.

2. Detection. A few clicks and Kismet detected an unknown network name and a lot of traffic. You can look up the manufacturer in the database. In the manual you can find the maximum encryption strength and the maximum password length for the administration interface.

Page 3: Exploiting With it


On a net where the traffic is in Mbps, Airodump catches enough packets without using Aireplay (packet injection). Aircrack solved the WEP key in 20 minutes. Details are in the extended reading (Aircrack, Kismet usage etc.) in the text Hacking Wifi.

3. On the net. A DHCP server is active on the net. Reset the cards; the address is assigned automatically.

After getting an IP, just start the sniffer. Ettercap detects 3 active PCs on the net.

Page 4: Exploiting With it


Traffic: unencrypted ICQ communication. Pings to the AP and a fellow surfing the web :) dc++ (87.236.197.192:411, that's the place for the downloaders).

One scan is enough to launch a MITM (man-in-the-middle attack). Every password on the net will appear in the login window. By slowing the net down, redirecting or dropping packets, it is possible to force the user to visit the AP's web management and restart it. It's up to your imagination. A ping of death on a wireless net will fully load the AP. If the AP is not restarted soon, the success is counterproductive.

The default password on the Compex AP is "password". A list of default logins and passwords can be found, for example, here. If the AP can be controlled by telnet, you can use the same password.

Page 5: Exploiting With it


Overview. From the address range in use, the administrator's skills can be inferred [10.0.120.5 is not the same as 192.168.0.20]. Addresses left out by the DHCP server mean reservations: maybe a frequent administrator presence, or a running service (HTTP, FTP) whose address cannot change because it is reached through port forwarding. The net in question is small (home?). The user is a layman.

When restarting the AP it is good to restart the sniffer too. This way you get every unencrypted password for WWW, FTP, ICQ, telnet and pop3.
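Ettercap's LAN man-in-the-middle, as used in step 3 above, is ARP cache poisoning: the attacking station answers ARP for the gateway and for every victim. The following is an added example for the defending side, not code from the original write-up; it checks a stream of observed ARP replies for the two signs of poisoning, and all IP and MAC addresses in it are constructed.

```python
"""Detect ARP cache poisoning, the technique behind Ettercap's LAN
man-in-the-middle, from a stream of observed ARP replies."""
from collections import defaultdict

# Constructed sample of (sender_ip, sender_mac) pairs taken from ARP
# replies on a small home LAN like the one in the write-up. All
# addresses are made up for this example.
SAMPLE_ARP_REPLIES = [
    ("192.168.0.1",  "00:11:22:aa:bb:01"),   # gateway / AP
    ("192.168.0.20", "00:11:22:aa:bb:20"),
    ("192.168.0.21", "00:11:22:aa:bb:21"),
    ("192.168.0.22", "00:11:22:aa:bb:22"),
    ("192.168.0.1",  "00:de:ad:be:ef:99"),   # a second MAC claims the gateway
    ("192.168.0.20", "00:de:ad:be:ef:99"),   # ...and the victims as well
    ("192.168.0.21", "00:de:ad:be:ef:99"),
]

def analyse_arp(replies, max_ips_per_mac=1):
    """Return (conflicting_ips, suspect_macs).

    conflicting_ips: {ip: sorted MACs} for every IP claimed by more than
                     one MAC (legitimately rare: a DHCP re-lease or a
                     replaced NIC; otherwise a poisoner).
    suspect_macs:    {mac: sorted IPs} for every MAC claiming more IPs
                     than max_ips_per_mac (raise the limit for routers
                     or virtualisation hosts that legitimately hold more).
    """
    ip_to_macs = defaultdict(set)
    mac_to_ips = defaultdict(set)
    for ip, mac in replies:
        mac = mac.lower()
        ip_to_macs[ip].add(mac)
        mac_to_ips[mac].add(ip)
    conflicting = {ip: sorted(m) for ip, m in ip_to_macs.items() if len(m) > 1}
    suspects = {mac: sorted(i) for mac, i in mac_to_ips.items()
                if len(i) > max_ips_per_mac}
    return conflicting, suspects

def likely_poisoner(replies):
    """Name the single MAC that appears in every IP conflict and is also
    over the per-MAC limit, i.e. the station answering for everybody.
    Returns None when the evidence does not single out one station."""
    conflicting, suspects = analyse_arp(replies)
    if not conflicting:
        return None
    common = set.intersection(*(set(m) for m in conflicting.values()))
    common &= set(suspects)
    return min(common) if common else None
```

In practice the replies would come from a capture on the monitoring host; feeding the same pairs from arpwatch-style logs works identically.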

4. Net and service examination 

nmap -sS -P0 -f -n -O -T 3 192.......

A firewall with a generated serial works the same way. It is only necessary to know the right process and #... A user-friendly interface creates the illusion of an easy service. It does not force the user to know the rules or to use the packet filter. And to make it worse, when problems arise (for example a service stops working) in 99% of cases the solution is to turn the firewall off. Nmap detects ports 135, 139, 445 and 44434. The last port is the Kerio firewall, installed in learning mode?, on which the user clicked OK to every learning question :) Maybe the first, second or third one? It is not important; it is firewall software, and most users run on the administrator's account.

Overview. There is at least one PC on the net which communicates on critical ports. If the operating system is not patched, the known exploits can be tested.
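Running the same nmap sweep against your own net is how a defender finds that "at least one PC" first. The following is an added example, not code from the original write-up: it triages nmap's grepable (-oG) output for the exposures described in this section, the Windows RPC/NetBIOS/SMB trio (135, 139, 445), an unidentified high port such as the 44434 seen here, and cleartext login services. The scan output embedded in it is constructed, not a real scan.

```python
"""Triage nmap grepable output (-oG) for the exposures the write-up
found: the Windows RPC/NetBIOS/SMB trio (135, 139, 445), an
unidentified high port (44434) and cleartext login services."""

# Constructed sample of nmap -oG output (not a real scan). Layout per host:
# Host: <ip> (<name>)\tPorts: <port>/<state>/<proto>/<owner>/<service>/<rpc>/<version>/, ...
SAMPLE_OG = """\
# Nmap scan initiated as: nmap -sS -P0 -n -O -oG - 192.168.0.0/24
Host: 192.168.0.1 ()\tPorts: 23/open/tcp//telnet///, 80/open/tcp//http///\tIgnored State: closed (1679)
Host: 192.168.0.20 ()\tPorts: 135/open/tcp//msrpc///, 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///, 44434/open/tcp/////\tIgnored State: closed (1677)
Host: 192.168.0.21 ()\tPorts: 445/filtered/tcp//microsoft-ds///\tIgnored State: closed (1680)
# Nmap run completed -- 256 IP addresses (3 hosts up) scanned
"""

WINDOWS_NET_PORTS = {135, 139, 445}    # MSRPC, NetBIOS session, SMB over TCP
CLEARTEXT_LOGIN_PORTS = {21, 23, 110}  # FTP, telnet, POP3: passwords readable by a sniffer

def parse_og(text):
    """Yield (ip, {port: (state, service)}) for every 'Host:' line."""
    for line in text.splitlines():
        if not line.startswith("Host:"):
            continue
        fields = line.split("\t")
        ip = fields[0].split()[1]
        ports = {}
        for field in fields[1:]:
            if not field.startswith("Ports:"):
                continue
            for entry in field[len("Ports:"):].split(","):
                parts = entry.strip().split("/")
                if len(parts) >= 5 and parts[0].isdigit():
                    ports[int(parts[0])] = (parts[1], parts[4])
        yield ip, ports

def triage(text, known_high_ports=()):
    """Return {ip: [findings]} for hosts whose open ports need attention."""
    findings = {}
    for ip, ports in parse_og(text):
        open_ports = {p for p, (state, _) in ports.items() if state == "open"}
        notes = []
        if smb := sorted(open_ports & WINDOWS_NET_PORTS):
            notes.append(f"Windows RPC/SMB reachable on {smb}; patch level decides exploitability")
        if clear := sorted(open_ports & CLEARTEXT_LOGIN_PORTS):
            notes.append(f"cleartext login service on {clear}; credentials visible to a LAN sniffer")
        if odd := sorted(p for p in open_ports if p >= 1024 and p not in known_high_ports):
            notes.append(f"unidentified high port(s) {odd}; fingerprint before assuming it is a firewall")
        if notes:
            findings[ip] = notes
    return findings
```

Only ports in state "open" are counted; a filtered 445, as on the third host above, is the firewall doing its job and is not reported.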

4.1 Vulnerability examination. On a net where a database or server is present, a utility from the Backtrack distribution can be used.

4.2 The automation utility "Ninja" [a combination of nmap and the Metasploit console framework] will scan the whole address range and, if it finds interesting ports, will use every exploit available in its own local database. [The bt & milw0rm databases can be easily updated by command.]

4.3 Backtrack 2 Final includes even the latest version of the Metasploit 3 framework, with a shell and a web interface.

Page 7: Exploiting With it


5. 0wn th3 b0x. The data collected from the previous scanning are enough for exploitation. After choosing the right exploit, configure the IP address of the remote PC and the port.

Page 8: Exploiting With it


After exploitation a virtual window is sent back to the PC running Metasploit (access acquired).

The vulnerability can be tested before the setup. If everything goes well, a VNC window comes back in which the remote PC can be controlled. There are more possibilities, but for this demonstration this method is the best. Successful exploit launched.

Page 9: Exploiting With it


Exploitation was successful. The virtual window shows the desktop of the mastered PC. Running on it are the Kerio "firewall", an ICQ client, NOD32 antivirus and a dc++ client.

Page 10: Exploiting With it


When the code on the remote PC launches successfully, the attacker gets a view of the remote desktop over VNC together with complete administrative access, and can fully control the PC. For example, another application can be installed on the remote PC through which the net can be accessed anonymously.

Page 11: Exploiting With it


When the PC runs on an Administrator account, after exploitation it can be controlled absolutely.

Finding a suitable net, breaking the WEP key and the pentest together took less than an hour.

Do you also turn on the p2p downloader during the night? :)