ie_unsafe_scripting.rb exploit module

[lazydj98 at yahoo.com (Joshua Smith)]

Might add 
#for intranet sites usually
<orgName>web<suffix>???? ????? #e.g. metasploitweb
<orgAcronym>web<suffix>??? ? #e.g. msfweb (no pun intended)
<orgName>www<suffix>???? ??? #metasploitwww
<orgAcronym>www<suffix>??? #msfwww
also
exchange
exchangeserver

some additionaly possible recon vectors:
-some places are starting to use the google suggest feature on their intranet pages, any way to abuse? (I guess you 
could sniff the letters that are "suggested" but that wouldn't tell you the intranet host)
-most corporate users' start page is usually set to intranet page, any way of discovering?? Since you also seem to?have 
access to the wscript.shell, you could read the homepage value using vbs & wmi, send the result to the payload to use 
as the first query (if not external):

On Error Resume Next

Const HKEY_CURRENT_USER = &H80000001

strComputer = "."
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Internet Explorer\Main"
ValueName = "Start Page"
??? objReg.GetStringValue HKEY_CURRENT_USER, strKeyPath, ValueName, strValue

If IsNull(strValue) Then
??? Wscript.Echo "The value is either Null or could not be found in the registry."
Else
??? Wscript.Echo strValue
End If
On Error Resume Next

-Josh

H D Moore wrote:
server<suffix>
webserver<suffix>
mailserver<suffix>
client<suffix>
user<suffix>
printer<suffix>
backup<suffix>
mail<suffix>
web<suffix>
www<suffix>
intranet
hr<suffix>

With the suffix being something like:
0-9, 00-99, A-Z, AA-ZZ, -old, -new, etc


________________________________
From: H D Moore <hdm at metasploit.com>
To: framework at spool.metasploit.com
Sent: Wednesday, December 17, 2008 2:39:06 PM
Subject: Re: [framework] ie_unsafe_scripting.rb exploit module

On Wednesday 17 December 2008, natron wrote:
> So you have to know the server name. ?What are our options?
>
> 1) Just scan localhost for default apps running on default ports and
> ignore external servers. ?(Think workstation management apps, virus
> scan consoles, stuff like that.)

I agree that localhost should be included in every test, regardless of how 
we do this next part.

> 2) Discover through unknown external methods (like identifying their
> naming scheme through some webserver information disclosure, then
> generating a list of permutations... or a compromised DNS server) and
> have the mod import a file.

Makes sense, lets punt this to the user and let them specify a file 
containing a list of hosts to try.

> 3) Pre-populate a list of guessed naming schemes.

I think we should include a default file with common server names.

> How do you propose we do 3)? ?That doesn't sound easy or very
> successful. ?In most environments I see, the naming schemes are all
> over the map.

A few naming schemes seem really common and its something to start with at 
least. To get the ball rolling, I would suggest using a few base names and 
then permuting them based on common naming conventions:

server<suffix>
webserver<suffix>
mailserver<suffix>
client<suffix>
user<suffix>
printer<suffix>
backup<suffix>
mail<suffix>
web<suffix>
www<suffix>
intranet
hr<suffix>

With the suffix being something like:
0-9, 00-99, A-Z, AA-ZZ, -old, -new, etc

So the question becomes, at what number of permutations does that list 
become infeasible? 

-HD




_______________________________________________
http://spool.metasploit.com/mailman/listinfo/framework



      
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://mail.metasploit.com/pipermail/framework/attachments/20081223/b87d1b85/attachment.htm>