Windows 2008 SP1 – Ways to exploit?

    • #7489
      r00tinflux
      Participant

      Hi All

      I have registered for OSCP and have been enjoying the labs/modules for two weeks now. Recently, I have been stuck at exploiting a Win 2008 Server SP1 which is the Master server in the lab domain. I have got shell on the Win 2003 Slave server and a few other XP flavors.

      Just wondering whether anyone who is currently registered/finished OSCP can throw some light on ways to exploit the 2008 Master server? AFAIK, there is no remote buffer overflow for the Win 2008 server (at least not reported to the public).

      Cheers,

    • #46683
      cd1zz
      Participant

      Just checked my notes. It’s possible to pwn that box and my notes also had a star by them that says, “Try Harder”

    • #46684
      TheXero
      Participant

      Good advice cd1zz xD

      Just remember that with OSCP you are on your own, you just need to try a few things and think outside the box in order to achieve specific goals.

    • #46685
      r00tinflux
      Participant

      Agreed with the “Try Harder” approach.. there is no fun in a spoon-fed solution 😉

      I have been trying various approaches and wanted to confirm whether it is pwnable via remote exploit or not..

      Cheers..

    • #46686
      r00tinflux
      Participant

      W00t W00t! Must be the magic of this forum..Pwnd 2008 box  ;D

    • #46687
      cd1zz
      Participant

      SO much more rewarding to do it that way than have it given to you.

    • #46688
      triznut
      Participant

      Damn. I’m in the same rut on the 2008 sp1 box. Guess I’ve got to try harder!

    • #46689
      impelse
      Participant

      Come on guys, I’ve been studying this training for the last 2 /12 weeks and I am still beginning the smtp (My record shows me 19 hours)

      How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles but I am not sure if 90 days will be enough.

    • #46690
      dynamik
      Participant

      @impelse wrote:

      Come on guys, I’ve been studying this training for the last 2 /12 weeks and I am still beginning the smtp (My record shows me 19 hours)

      How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles but I am not sure if 90 days will be enough.

      I don’t think there’s a good answer for that because it’s totally going to depend on your background. I thought v2 was pretty serious when I got it a few years ago, but I went through the v3 material a couple months ago and was able to skim through most of it. The most difficult part for me is apparently to stop procrastinating and schedule the exam 😉

    • #46691
      sil
      Participant

      @impelse wrote:

      Come on guys, I’ve been studying this training for the last 2 /12 weeks and I am still beginning the smtp (My record shows me 19 hours)

      How fast do you move with the material? I am trying to assimilate all the info and do all the labs and extra miles but I am not sure if 90 days will be enough.

      Here is something I will give a tip on concerning the OSCP and others like it: If your machine is doing only one thing, and you’re focused on one thing… You’re doing it wrong.

      You’re capable of opening up the amount of terminals allowed by the amount of memory on your machine to perform functions. If you’re doing the exam or others like it using a Unix based system, I suggest creating desktops for specific tasks, e.g.:

      Desktop 1 – Scanning and Enumeration
      Desktop 2 – brute forcing / password cracking
      Desktop 3 – Web applications
      etc
      etc

      This allows you to go back and forth and perform multiple tasks without getting lost. Scripting helps, e.g.:

      nmap -sS -sV -O this.block/24 -oX this.block-scan.xml ; printf "\n\nDone"|wall

      You don’t necessarily have to wait for nmap to finish to perform another task. You can move on and do what you need to do. Let’s better this example:

      [root@kenji ~]# uname -a
      FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012    root@kenji:/usr/obj/usr/src/sys/SARU  i386
      [root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89

      Starting Nmap 5.61TEST5 ( http://nmap.org ) at 2012-04-05 08:47 EDT
      NSE: Loaded 16 scripts for scanning.
      Initiating Ping Scan at 08:47
      Scanning 10.4.64.89 [4 ports]
      Completed Ping Scan at 08:47, 0.20s elapsed (1 total hosts)
      Initiating Parallel DNS resolution of 1 host. at 08:47
      Completed Parallel DNS resolution of 1 host. at 08:47, 0.08s elapsed
      Initiating SYN Stealth Scan at 08:47
      Scanning 89.64.4.10.in-addr.arpa (10.4.64.89) [1 port]
      Discovered open port 80/tcp on 10.4.64.89
      Completed SYN Stealth Scan at 08:47, 0.21s elapsed (1 total ports)
      Initiating Service scan at 08:47
      Scanning 1 service on 89.64.4.10.in-addr.arpa (10.4.64.89)
      Completed Service scan at 08:47, 6.00s elapsed (1 service on 1 host)
      NSE: Script scanning 10.4.64.89.
      Nmap scan report for 89.64.4.10.in-addr.arpa (10.4.64.89)
      Host is up (0.0010s latency).
      PORT  STATE SERVICE VERSION
      80/tcp open  http    VMware Server 2 http config
      Service Info: Host: 89.vonworldwide.com

      Read data files from: /usr/local/share/nmap
      Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
      Nmap done: 1 IP address (1 host up) scanned in 6.72 seconds
                Raw packets sent: 6 (240B) | Rcvd: 2 (72B)

      This is fine, but a waste of time. My goal is to find whether or not this host was running a webserver. Simply because I needed to enumerate it after the fact. Maybe with dirbuster or Nikto. I know that I need to do something AFTER the fact, and I don’t want to sit around waiting for this to finish to get to the next stage.

      [root@kenji ~]# uname -a
      FreeBSD kenji 9.0-RELEASE FreeBSD 9.0-RELEASE #0: Tue Mar 20 10:42:10 EDT 2012    root@kenji:/usr/obj/usr/src/sys/SARU  i386
      [root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89 | awk '/open/ {
      >  print a[NR%2] "\n" a[(NR+1)%2]
      >  print;getline;print;getline;exit
      > }
      > {a[NR%2]=$0}
      > '|awk '/open port/{print $6}'
      10.4.64.89
      [root@kenji ~]#

      Now that this solves one problem, I can create a script that does something like:

      if [ this server runs http ]

      then

      run nikto using this directory list I created

      fi

      Let’s see it in action:

      [root@kenji ~]# nmap -sS -sV -p 80 -v 10.4.64.89 | awk '/open/ {
        print a[NR%2] "\n" a[(NR+1)%2]
        print;getline;print;getline;exit
      }
      {a[NR%2]=$0}
      '|awk '/open port/{print "nikto -host "$6}'|sh
      - Nikto v2.1.4
      + Target IP:          10.4.64.89
      + Target Hostname:    10.4.64.89
      + Target Port:        80
      + Start Time:        2012-04-06 08:53:41
      + Server: No banner retrieved
      + Root page / redirects to: https://10.4.64.89/
      + No CGI Directories found (use '-C all' to force check all possible dirs)
      ^C[root@kenji ~]#

      I killed it as it was only an example. In exams like this where time is a factor, don’t get bogged down with waiting on anything. There is nothing stopping you from automating a lot of tasks to narrow down the information you will need. This applies in the REAL world of penetration testing. Most times, I have automated scripts ready to roll the minute I pop a session. The reason for this is to allow me to get in and out and get as much data as quickly and silently as possible. When I say silent, if you’ve read any of my posts before, I use a LOT of decoys 😉 I also tend to use alternative means for extracting data. E.g., I will use DNS, ICMP, UDP, SSL tunnels at a rate limited speed. I will throw data into comments on a webpage, then view the webpage and parse out the comments. Think outside the box. For some of these exams, it’s not always about an 0day either. There is escalation and so forth. Config files, sniffing the wire from one machine to another. I would add “Try DIFFERENTLY” to their Try Harder motto.

    • #46692
      impelse
      Participant

      Sil I like your post, I was thinking something like that, how to speed up the process. Last night I was enumerating snmp and I was using two terminals with different IP addresses trying to speed it up.

      Also when in the extra mile they ask: create a script to do some scanning, after I make it work I try to modify it as if another person will use it by only typing the filename + ip-address.

      Now, mixing scripts with tools, I’d like to speed up the process..  Good…..

    • #46693
      sil
      Participant

      When I did my exam, I literally created a script to do the entire thing and at the last minute, many of my machines were firewalled, bastille linux’d, etc., so I had to modify it and parse out sections on the fly. I submitted the script to them as well and explained what it was I did and why. Unsure if that gave me brownie points heh….

      So an approach would be something like:

      if [ this scan shows http ]

      then

      run these http based tools against those

      else

      if [ this scan shows snmp ]

      then

      run these snmp based tools

      else

      if [ this scan shows http login forms ]

      then

      run hydra using this wordlist and dictionary list

      fi
      fi
      fi

      I would throw in walls after each command so you’ll know step X was finished.
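      The nmap-to-nikto pipeline in the earlier post and the nested if-chain sketched here are the same idea: parse a scan once, then dispatch a follow-up per detected service. Below is an added shell version (example code, not sil’s own script) that parses nmap’s grepable -oG output instead of scraping the -v text; the scan lines, hosts and the DRY_RUN switch are constructed for the example.

```shell
# Added example, not sil's script: parse nmap grepable (-oG) output and queue one
# follow-up per open service, the "if [ scan shows http ] then run nikto" idea
# made concrete. Scan output is constructed by hand; nmap/nikto are not run here.
TAB=$(printf '\t')
SAMPLE_GNMAP="# Nmap 7.94 scan initiated as: nmap -sV -oG - 10.0.0.0/30
Host: 10.0.0.1 ()${TAB}Status: Up
Host: 10.0.0.1 ()${TAB}Ports: 22/open/tcp//ssh//OpenSSH 8.9/, 80/open/tcp//http//nginx/${TAB}Ignored State: closed (998)
Host: 10.0.0.2 ()${TAB}Status: Up
Host: 10.0.0.2 ()${TAB}Ports: 161/open/udp//snmp//net-snmp/, 443/filtered/tcp//https///${TAB}Ignored State: closed (999)
# Nmap done -- 2 IP addresses (2 hosts up)"

# Print "host port proto service" for every open port in -oG input on stdin.
# Each Ports entry is port/state/proto/owner/service/rpc/version/ and the
# version field may contain spaces, so split on ", " rather than whitespace.
open_services() {
    awk -F '\t' '
        /^Host:/ && /Ports:/ {
            host = $1; sub(/^Host: /, "", host); sub(/ .*/, "", host)
            ports = ""
            for (i = 2; i <= NF; i++)
                if ($i ~ /^Ports: /) { ports = $i; sub(/^Ports: /, "", ports) }
            n = split(ports, entry, /, /)
            for (i = 1; i <= n; i++) {
                split(entry[i], f, "/")
                if (f[2] == "open") print host, f[1], f[3], f[5]
            }
        }'
}

# Map one open service to its follow-up. http gets nikto as in the thread;
# other services are only logged, which is where further tools would plug in.
followup_for() {  # args: host port proto service
    case "$4" in
        http|https) echo "nikto -host $1 -port $2" ;;
        snmp)       echo "echo 'snmp enumeration of $1 would go here'" ;;
        *)          return 1 ;;
    esac
}

# Read open_services lines on stdin, start every follow-up in the background and
# wait for all (pipe a "Done" into wall after this to get notified, as sil does).
run_followups() {  # DRY_RUN=1 prints the commands instead of running them
    while read -r host port proto service; do
        cmd=$(followup_for "$host" "$port" "$proto" "$service") || continue
        if [ "${DRY_RUN:-0}" = 1 ]; then echo "$cmd"; else sh -c "$cmd" & fi
    done
    wait
}

printf '%s\n' "$SAMPLE_GNMAP" | open_services | DRY_RUN=1 run_followups
```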

    • #46694
      dynamik
      Participant

      @sil wrote:

      nmap -sS -sV -O this.block/24 -oX this.block-scan.xml ; printf "\n\nDone"|wall

      What, you can’t hear “\a” over all that KMFDM? 😉

      @sil wrote:

      Most times, I have automated scripts ready to roll the minute I pop a session. The reason for this is to allow me to get in and out and get as much data as quickly and silently as possible. When I say silent, if you’ve read any of my posts before, I use a LOT of decoys 😉

      Do you ever find yourself testing on networks that have NAC? Most decoy / noise activities typically get you shut down quickly. Beyond low-and-slow, do you have alternate strategies for those situations?

    • #46695
      sil
      Participant

      @ajohnson wrote:

      Do you ever find yourself testing on networks that have NAC? Most decoy / noise activities typically get you shut down quickly. Beyond low-and-slow, do you have alternate strategies for those situations?

      Client sides. I am a stickler for spelling things out from the jump. When we meet with clients, I often take the time to explain to them the differences in attacks and attackers. I always explain to them the realities and costs associated with an attack because there is a cost for an attacker, and there are different types of attackers.

      Once a client understands the differences (an INTENT attacker – someone who wants in no matter what the cost) they almost always allow me to try anything and everything. So most of the times I perform 4 types of tests. I’ve documented those different tests in the document I wrote for the RWSP (outside attacker, outside attacker w/creds, insider, insider w/creds). By insider, it does not solely mean: “Joe who works for the IT department” it extends to the social engineerer who’ll find a way onto the environment and work blindly as well as that same social engineerer who managed to get credentials.

      It all boils down to your SOW and your presentation way beforehand to get your client to agree to full blown testing.

    • #46696
      dynamik
      Participant

      @sil wrote:

      By insider, it does not solely mean: “Joe who works for the IT department” it extends to the social engineerer who’ll find a way onto the environment and work blindly as well as that same social engineerer who managed to get credentials.

      This can be a surprisingly difficult point to get across. People are still fixated on the idea of a firmly defined perimeter between “us” and “them,” and that hasn’t been the case for a decade+. Sorry, your users will click on links, documents, and executables and disclose information with reckless abandon.

      @sil wrote:

      It all boils down to your SOW and your presentation way beforehand to get your client to agree to full blown testing

      Absolutely. I was specifically speaking from a technical perspective where they wanted to leave NAC in place during an engagement.

    • #46697
      sil
      Participant

      Depends on what they’re using for NAC. If it’s something stupid like MAC addresses, I may try to fire something on the wire to check for someone else’s MAC if possible, spoof that, it all depends. To fiddle around and tamper with NAC, it all depends on what I’m doing, what they’re using for NAC and so forth. I have PacketFence lying around on a VM machine and have fiddled with it a bit but have never had to attack this head on… I look for workarounds all the time though 😉 Same applies for VLANs (VLAN hopping, trunkspotting (you read it here first from me ;))

    • #46698
      knwminus
      Participant

      @sil wrote:

      I have PacketFence lying around on a VM machine and have fiddled with it a bit but have never had to attack this head on… I look for workarounds all the time though 😉 Same applies for VLANs (VLAN hopping, trunkspotting (you read it here first from me ;))

      Um, what?

      I have always been curious about the number of companies that actually deploy NAC. I have never seen one in production.

    • #46699
      lorddicranius
      Participant

      @sil wrote:

      …trunkspotting (you read it here first from me ;))

      Indeed.  Never heard the term before and Google only has one result for “trunkspotting vlan”: this thread haha

    • #46700
      sil
      Participant

      @lorddicranius wrote:

      @sil wrote:

      …trunkspotting (you read it here first from me ;))

      Indeed.  Never heard the term before and Google only has one result for “trunkspotting vlan”: this thread haha

      I make crap up as I go along. VLANSPOTTING to me is the ability to determine the VLANs used in a network, and which machines in the network are trunked into other VLANs. 😉 Those are the ones I like… Trunked VLAN access especially when there is no port security or filtering 😉

Copyright ©2021 Caendra, Inc.