Metasploit mailing list archives
ie_unsafe_scripting.rb exploit module
From: lazydj98 at yahoo.com (Joshua Smith)
Date: Tue, 23 Dec 2008 14:37:04 -0800 (PST)
Might add:

    #for intranet sites usually
    <orgName>web<suffix>       #e.g. metasploitweb
    <orgAcronym>web<suffix>    #e.g. msfweb (no pun intended)
    <orgName>www<suffix>       #metasploitwww
    <orgAcronym>www<suffix>    #msfwww

also:
exchange
exchangeserver

Some additionally possible recon vectors:

- Some places are starting to use the Google Suggest feature on their intranet pages, any way to abuse? (I guess you could sniff the letters that are "suggested" but that wouldn't tell you the intranet host.)
- Most corporate users' start page is usually set to an intranet page, any way of discovering?? Since you also seem to have access to the wscript.shell, you could read the homepage value using VBS & WMI and send the result to the payload to use as the first query (if not external):

```vbscript
On Error Resume Next
Const HKEY_CURRENT_USER = &H80000001
strComputer = "."
' Connect to the WMI registry provider on the local machine
Set objReg = GetObject("winmgmts:\\" & strComputer & "\root\default:StdRegProv")
strKeyPath = "SOFTWARE\Microsoft\Internet Explorer\Main"
ValueName = "Start Page"
' Read the current user's IE home page value
objReg.GetStringValue HKEY_CURRENT_USER, strKeyPath, ValueName, strValue
If IsNull(strValue) Then
    Wscript.Echo "The value is either Null or could not be found in the registry."
Else
    Wscript.Echo strValue
End If
On Error Resume Next
```

-Josh

H D Moore wrote:
server<suffix> webserver<suffix> mailserver<suffix> client<suffix> user<suffix> printer<suffix> backup<suffix> mail<suffix> web<suffix> www<suffix> intranet hr<suffix>
With the suffix being something like: 0-9, 00-99, A-Z, AA-ZZ, -old, -new, etc.

________________________________
From: H D Moore <hdm at metasploit.com>
To: framework at spool.metasploit.com
Sent: Wednesday, December 17, 2008 2:39:06 PM
Subject: Re: [framework] ie_unsafe_scripting.rb exploit module

On Wednesday 17 December 2008, natron wrote:
> So you have to know the server name. What are our options?
>
> 1) Just scan localhost for default apps running on default ports and ignore external servers. (Think workstation management apps, virus scan consoles, stuff like that.)
I agree that localhost should be included in every test, regardless of how we do this next part.
> 2) Discover through unknown external methods (like identifying their naming scheme through some webserver information disclosure, then generating a list of permutations... or a compromised DNS server) and have the mod import a file.
Makes sense, let's punt this to the user and let them specify a file containing a list of hosts to try.
> 3) Pre-populate a list of guessed naming schemes.
I think we should include a default file with common server names.
> How do you propose we do 3)? That doesn't sound easy or very successful. In most environments I see, the naming schemes are all over the map.
A few naming schemes seem really common and it's something to start with at least. To get the ball rolling, I would suggest using a few base names and then permuting them based on common naming conventions:

server<suffix>
webserver<suffix>
mailserver<suffix>
client<suffix>
user<suffix>
printer<suffix>
backup<suffix>
mail<suffix>
web<suffix>
www<suffix>
intranet
hr<suffix>

With the suffix being something like: 0-9, 00-99, A-Z, AA-ZZ, -old, -new, etc.

So the question becomes, at what number of permutations does that list become infeasible?

-HD
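To put a number on HD's question about when the permutation list becomes infeasible, here is an added Ruby example (not from the thread or the Metasploit module) that expands the base names and suffix classes above and counts the result per class; the class labels, the lower-casing, and the guessable? check for testing one's own host names against the scheme are my assumptions.

```ruby
# Added example: expands HD Moore's base-name/suffix scheme and counts it.
# Suffix class labels and the guessable? helper are assumptions, not from the thread.

BASE_NAMES = %w[server webserver mailserver client user printer backup mail web www hr].freeze
BARE_NAMES = %w[intranet].freeze # listed in the thread without a suffix

# Suffix classes from the thread, expanded to concrete strings (lower-case,
# since DNS host names are case-insensitive).
def suffix_classes
  letters = ("a".."z").to_a
  {
    "0-9"       => (0..9).map(&:to_s),
    "00-99"     => (0..99).map { |n| format("%02d", n) },
    "A-Z"       => letters,
    "AA-ZZ"     => letters.product(letters).map(&:join),
    "-old/-new" => %w[-old -new],
  }
end

# Number of candidates each suffix class contributes (11 base names x class size).
def candidates_per_class
  suffix_classes.transform_values { |suffixes| BASE_NAMES.size * suffixes.size }
end

# Full candidate list for the chosen classes (default: all of them).
def candidate_hosts(classes = suffix_classes.keys)
  suffixes = classes.flat_map { |c| suffix_classes.fetch(c) }
  (BARE_NAMES + BASE_NAMES.product(suffixes).map(&:join)).uniq
end

# Defender-side check: would this host name be covered by the default list?
def guessable?(hostname)
  candidate_hosts.include?(hostname.downcase)
end

if __FILE__ == $PROGRAM_NAME
  candidates_per_class.each { |label, n| puts format("%-10s %5d", label, n) }
  puts "total: #{candidate_hosts.size}"
end
```

The AA-ZZ class alone contributes 7436 of the 8955 names, so dropping it keeps the default list at roughly 1500 entries.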