
Post Exploitation Strategies Here - by b0nd



fb1h2s
07-07-2010, 11:22 PM
Post Exploitation
Original Link: http://www.orkut.co.in/Main#CommMsgs?cmm=26420310&tid=5293885614295746335
(Imported from our old Orkut community Hackers Garage)

Post Exploitation
Guys, the scenario is that you have got an interactive shell on a remote machine (Linux/Windows) with admin privileges (not semi-interactive like c99, r57 etc., i.e. suppose you have got the command prompt / console).

Now what do you think you would be doing as "POST EXPLOITATION" to have complete control over the server?

"And it would be good if you answer first before reading other people's ideas"...so please don't look at others' replies...first you tell your strategy and then read other posts.

You can make 2 categories, one for each (linux and windows).

start...

fb1h2s
07-07-2010, 11:24 PM
by - neo

read reply
I have posted my reply on my blog since Orkut was not allowing good formatting options.
Read it at
http://infosec-neo.blogspot.com/2009/01/post-exploitation.html

fb1h2s
07-07-2010, 11:25 PM
by - b0nd

Configuring Windows XP firewall
As I said, "suppose we have already got admin access", so we are in the position to do whatever we want.

Point 1: VNC
As Austin advised, VNC could be used, depending on the dumbness of the admin/user of the machine.
Of course this should not be used in its default manner, otherwise its icon would be present in the "task bar".
Check out "metacab" on packetstorm. It's a good post exploitation tool having:
1. VNC
2. Netcat
3. NMap
4. Map (To map the network, NMap is capable of doing that anyways)
5. Two windows exploits
It's a beautiful collection of tools. The question which might be cropping up in your mind would be "Installation of VNC, NMap is through GUI, i.e. next-->yes-->finish kinda stuff, so how would we achieve it through the command prompt?"
So here is the beauty of this tool. It comes with an install.bat and a readme file as well. Everything would be done in a hidden manner.
Only issue is, the VNC icon remains in the task bar.
For that, look out for the "disabletrayicon" registry stuff on Google or here:
http://www.realvnc.com/pipermail/vnc-list/2003-February/037208.html

Point 2: Netcat
It's just a matter of time to look out for the antivirus running on the remote machine and compile netcat at your end so that it won't be detected by that particular AV.
And my dear bro, it's netcat only which plays the major role in compromising the machine at the initial stage when you don't have admin privileges.
c99, r57 are semi-interactive; you have to have a fully interactive shell to execute your commands properly. Here comes the utility and beauty of netcat.
It's advisable to all my friends to go through the "Netcat Power Tools" book. It's really a Swiss army knife.
Point 3: Adding User
Checkout before adding a new user to remote machine:
If it's XP, your user name will appear at login time, where the remote user will have to make a choice among different accounts.
There are ways of making it hidden; I came across it months back. Search Google.

fb1h2s
07-07-2010, 11:25 PM
by - b0nd

BTW, the following commands could be used to make an admin-level user:

Net user <User name> password /add
Net localgroup Users <User name> /delete
Net localgroup Administrators <User name> /add


Point 4: Again some tips on running netcat and VNC

Considering a firewall is running on the remote host: outbound connections are generally not blocked. But with an O/S like XP, as soon as some service tries to go out of the machine, the firewall warning pops up.

So before running netcat for a reverse connect, or letting VNC open ports 5800 and 5900, you must make settings in the firewall rules (we have admin privileges).

For netcat

# netsh firewall add portopening TCP 54321 "Windows Firewall Service Agent" enable all

For VNC server
# netsh firewall add portopening TCP 5800 "WinVNC HTTP" enable all
# netsh firewall add portopening TCP 5900 "WinVNC" enable all

Here the string between the " " would appear in the "Exceptions" tab of the firewall, so please choose some legitimate-looking service name. E.g. for netcat I've chosen "Windows Firewall Service Agent".

Rest you are l33ts...


Now let's talk a bit about Linux:

The commands /dev/tcp suggested by Neo are amazing. I never knew about them.

The benefit of compromising Linux is that it itself has loads of options to use as tools. And nowadays "nmap" and netcat are part of many Linux flavors. One more good thing is...Linux software and utilities mostly come to be installed from the console.

Will have more on Linux later on, as nowadays I'm working on a rooted Linux machine.

Soon will have a thread on "erasing logs and saving ASS" as well.

Happy hacking!!!
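Two of the artefacts the post above leaves behind (a brand-new local account dropped straight into Administrators, and a firewall exception with a Windows-sounding name on a non-Windows port) are cheap to detect. The following is an added example written for this thread, not code from the original posts; the Security event records and the netsh-style output are constructed samples, and the (port, name) baseline is an assumed allow-list.

```python
import re
from datetime import datetime, timedelta

# Constructed Windows Security events as (event id, time, target account, group):
# 4720 = user account created, 4732 = member added to a local group.
EVENTS = [
    (4720, "2010-07-07T23:20:00", "svc_backup", None),
    (4732, "2010-07-07T23:20:05", "svc_backup", "Administrators"),
    (4720, "2010-07-01T09:00:00", "jdoe", None),
    (4732, "2010-07-06T15:00:00", "jdoe", "Remote Desktop Users"),
]

# Constructed text in the shape of `netsh firewall show portopening` output.
NETSH_OUTPUT = """\
Port   Protocol  Mode     Name
-------------------------------------------------------------------
54321  TCP       Enable   Windows Firewall Service Agent
5800   TCP       Enable   WinVNC HTTP
5900   TCP       Enable   WinVNC
3389   TCP       Enable   Remote Desktop
"""

def fast_admin_promotions(events, window=timedelta(minutes=10)):
    """Accounts added to Administrators within `window` of being created.
    A scripted `net user /add` followed by `net localgroup Administrators /add`
    lands within seconds; human provisioning rarely does."""
    created = {acct: datetime.fromisoformat(ts)
               for eid, ts, acct, _ in events if eid == 4720}
    hits = []
    for eid, ts, acct, group in events:
        if eid == 4732 and group == "Administrators" and acct in created:
            if datetime.fromisoformat(ts) - created[acct] <= window:
                hits.append(acct)
    return hits

PORT_RE = re.compile(r"^(\d+)\s+(TCP|UDP)\s+Enable\s+(.+?)\s*$", re.M)
BASELINE = {("3389", "Remote Desktop")}   # assumed approved (port, name) pairs

def suspicious_exceptions(netsh_text, baseline=BASELINE):
    """Enabled exceptions missing from the approved baseline; a Windows-sounding
    name on a high port is called out separately, since that disguise is the point."""
    out = []
    for port, _proto, name in PORT_RE.findall(netsh_text):
        if (port, name) in baseline:
            continue
        reason = "not in baseline"
        if name.lower().startswith("windows") and int(port) > 1024:
            reason = "Windows-sounding name on high port"
        out.append((port, name, reason))
    return out
```

On a real host the event tuples would come from the Security log (e.g. via an exported EVTX) and the exception list from the actual netsh output; the matching logic stays the same.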

fb1h2s
07-08-2010, 01:40 AM
How would you connect to RDP anonymously? - by B0ND

It's a question for all you guys....

Suppose you've got the credentials of Terminal Services for a remote Windows server...of course you can connect directly, but this way your IP will get logged there....

So how can you evade this and connect to it anonymously ?

To proceed with this...suppose your shell is running on the remote machine, it has RDP open but for the internal LAN only, and you don't have control over the organization's firewall. Now would you be able to get RDP?

... I've answers to these questions for different scenarios...a request to members to give it a shot...hopefully we'll have some healthy discussion.


OK,

Connecting to RDP anonymously is as simple as using TOR/proxies for it :)

Get to BT, open up your console and type:

#proxychains rdesktop <target_IP>

Of course your Privoxy, Tor and proxychains need to be configured in advance.

To get better speed you can state just a single proxy IP in the proxychains conf file instead of addressing TOR in it.

I tried it and it's working fine, no trace in the remote machine's netstat.

Probably WiPu has another way of doing it...would like to hear from him...


And regarding the second scenario, instead of spoon feeding I'll tell you the prerequisites.

1. SSH Tunneling
2. plink.exe
3. port redirector/forwarder like fpipe.exe

The 3rd point is required if you want some intermediate machine for the connection so that your IP would not be logged on the target machine; otherwise points 1 and 2 are enough.

b0nd !!!
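From the defender's side, both scenarios in the post above show up in the RDP logon source address: a proxied connection arrives from an address outside the LAN that a "LAN-only" RDP policy should never see, and an SSH tunnel (plink -R, fpipe) makes the logon appear to originate from the host itself. The following is an added example for this thread, not code from the original posts; the logon records and LAN ranges are constructed and the policy is assumed.

```python
import ipaddress

# Assumed internal address space; adjust to the site's real LAN ranges.
LAN = [ipaddress.ip_network("10.0.0.0/8"),
       ipaddress.ip_network("192.168.0.0/16")]

# Constructed Security event 4624 records reduced to
# (account, logon type, source address). Type 10 = RemoteInteractive (RDP).
LOGONS = [
    ("CORP\\alice", 10, "192.168.1.20"),
    ("CORP\\svc_backup", 10, "127.0.0.1"),   # tunnelled through a local forward
    ("CORP\\bob", 10, "203.0.113.7"),        # outside the LAN despite the policy
    ("CORP\\alice", 2, "-"),                 # console logon, not RDP
]

def classify(source):
    """Verdict for one RDP source address under a LAN-only policy."""
    try:
        addr = ipaddress.ip_address(source)
    except ValueError:
        return "unparsed"
    if addr.is_loopback:
        # RDP reached via 127.0.0.1/::1 means a port forward on the host itself
        # (plink -R / fpipe style); legitimate users connect from their own box.
        return "loopback: likely local port forward on the host"
    if any(addr in net for net in LAN):
        return "lan"
    # Proxychains/Tor hides the operator's address, not the fact that the
    # connection comes from outside the network that RDP is restricted to.
    return "external: violates LAN-only RDP policy"

def triage_rdp(logons):
    """Return (account, source, verdict) for every RDP logon that is not from the LAN."""
    return [(acct, src, classify(src))
            for acct, ltype, src in logons
            if ltype == 10 and classify(src) != "lan"]
```

A loopback source on a Type 10 logon is worth an alert on its own, as there is no routine reason for a workstation to RDP into itself.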