Home page logo
/

pen-test logo Penetration Testing mailing list archives

Exploiting IPC$
From: "Adrian Puente Z." <apuente () hackarandas com>
Date: Tue, 05 Jan 2010 22:48:35 -0600

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I recommend the SuperScan4 thar runs on windows.

http://www.foundstone.com/us/resources/proddesc/superscan.htm

I also use this bash script that runs with Nmap Version 5.00 or later in
backrack.


function nmapenumsmb
{
        if [ $# -eq 0 ]
        then
                echo -e "Sintaxis: nmapenumsmb <IP>"
                exit 1
        fi

        `which nmap` -n -d -p445 --script=smb-enum* -vv -oA nmap.enum.$1 $1
        echo Getting users
        echo "Login;Type;Domain;RID;Full Name;Description;Flags;Source"
nmap.enum.users.notdisabled.$1.csv
        grep -B1 -A6 -e 'Type: User' nmap.enum.$1.nmap | tee
nmap.enum.usuarios.$1.txt \
                | tr -d '\n'  | sed 's/|\ \ [a-zA-Z0-9]/\n&/g;s/^|\ \
//g;s/|\ \ \ \ |_\ /;/g' | grep -v "Account disabled" \
                | sed 's/^|\ \ //g;s/|\ \ \ \ |_\ /;/g;s/:\ /;/g' | cut
- -d\; -f1,3,5,7,9,11,13,15,17 \
                | grep \;User\; | tee -a
nmap.enum.users.notdisabled.$1.csv \
                | grep -ve '\$'
nmap.enum.users.notdisabled.notmachines.$1.csv
}

You add it to your ~/.bashrc and run it as nmapenumsmb IP and generate
some pretty CSV files with the enumeration information.

Or just nmap -n -d -p445 --script=smb-enum* -vv -oA nmap.enum.IP IP

You can also use Cain from www.toxid.it to make the SID brute force user
enumeration.

Then  I use the hydra to test the users for same or null password . It
always works. Then you can use Super Scan to know who's Admin.

hydra -w 10 -V -L lst.users.1.per.line  -es -o passwods.hydra.txt IP
smbnt -m GROUP:Domain.com.mx -m D

If you get Admin I recommend Metasploit with the smbpsexec module or
fgdump from foofus to get control/hashes of the machine. Have fun


On Wed, Dec 30, 2009 at 5:38 AM, Halley Souza <souza.halley () gmail com>
wrote:
Try nmap scripts smb-enum-shares and smb-brute, always result =)

Halley


2009/12/29 Jerome Athias <jerome.athias () free fr>

scan/check for administrative shares
Admin$
C$

(you can find a ton of tools for this task)

then you can try a bruteforce attack
https://www.securinfos.info/outils-securite-hacking/ipc$crack.rar
THCHydra
...

RPC/DCOM sploits
Metasploit Framework

G00D L\_/CK
And Happy New Hacking Y3aR!

/JA

Le 28/12/2009 12:11, Himanshu Goyal a écrit :

Hello,

Can somebody share how to exploit port 445. I am doing a VA and found
port 445 open.

When I try to connect IPC$, it says access denied.

Thanks

Cheers-
Himanshu


- ------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification
Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org

- ------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification
Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




- --
Adrián Puente Z.
[www.hackarandas.com]
Donde las ideas se dispersan en bytes...

"... ruego a mi orgullo que se acompañe siempre de mi prudencia,
y si algún día mi prudencia se echara a volar, que al menos
pueda volar junto con mi locura"
        --Nietzche

Huella: FBD6 4C36 2557 C64C 1318  70A8 F561 CB6F 4E40 5AFB
http://www.hackarandas.com/apuente_at_hackarandas.com.asc.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktEFiMACgkQW2tF/eN2yfaeKgCeO7VBfCiOIBKVNk7s3pkbKB+l
KyEAn3rnu6rd1tZTj5LLV6Ap6j8z1crk
=mJ0x
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT 
and CEPT certs require a full practical examination in order to become certified. 

http://www.iacertification.org
------------------------------------------------------------------------


  By Date           By Thread  

Current thread:
  • Re: Exploiting IPC$ Halley Souza (Jan 04)
    • <Possible follow-ups>
    • Exploiting IPC$ Adrian Puente Z. (Jan 07)
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]
AlienVault