| http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0152
|
|   MS12-020 Remote Desktop Protocol Remote Code Execution Vulnerability
|     State: VULNERABLE
|     IDs:  CVE:CVE-2012-0002
|     Risk factor: High  CVSSv2: 9.3 (HIGH) (AV:N/AC:M/Au:N/C:C/I:C/A:C)
|     Description:
|       Remote Desktop Protocol vulnerability that could allow remote attackers to execute arbitrary code on the targeted system.
|
|     Disclosure date: 2012-03-13
|     References:
|       http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2012-0002
|_      http://technet.microsoft.com/en-us/security/bulletin/ms12-020
Nmap done: 1 IP address (1 host up) scanned in 14.72 seconds
If it is not vulnerable:
[heloel@manjaro ~]$ nmap -p 3389 --script rdp-vuln-ms12-020 192.168.1.12
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-04 12:33 CDT
Nmap scan report for 192.168.1.12
Host is up (0.0055s latency).
PORT     STATE  SERVICE
3389/tcp closed ms-wbt-server
Nmap done: 1 IP address (1 host up) scanned in 13.05 seconds
Shows us all the plugins that the WordPress-based site runs:
[heloel@manjaro ~]$ nmap -p 80 --script http-wordpress-plugins --script-args=http-wordpress-enum-.basepath=/wp/ 192.168.1.66
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-04 12:44 CDT
Nmap scan report for 192.168.1.66
Host is up (0.0028s latency).
PORT STATE SERVICE
80/tcp open http
|_http-wordpress-plugins: nothing found amongst the 100 most popular plugins, use --script-args http-wordpress-plugins.search=<number|all> for deeper analysis)
Nmap done: 1 IP address (1 host up) scanned in 13.12 seconds
Shows you whether phpMyAdmin is present on it:
[heloel@manjaro ~]$ nmap -P0 -p 80 --script http-enum 192.168.1.66
Starting Nmap 6.47 ( http://nmap.org ) at 2015-09-04 12:52 CDT
Nmap scan report for 192.168.1.66
Host is up (0.071s latency).
PORT STATE SERVICE
80/tcp open http
| http-enum:
| /phpmyadmin/: phpMyAdmin
|_ /manual/: Potentially interesting folder
Nmap done: 1 IP address (1 host up) scanned in 14.11 seconds
=========================== Enumeration
                     Comment
                     -------

        Workgroup            Master
        ---------            -------
        CEH03                PRUEBAS-X97KJYY
        WORKGROUP            LOCALHOST

        Sharename       Type      Comment
        ---------       ----      -------
        ADMIN$          Disk      Remote Admin
        C$              Disk      Default share
        IPC$            IPC       Remote IPC
        NETLOGON        Disk      Logon server share
        SYSVOL          Disk      Logon server share
Connection to 192.168.1.12 failed (Error NT_STATUS_RESOURCE_NAME_NOT_FOUND)
NetBIOS over TCP disabled -- no workgroup available
We leave no trace of mapping the share (no mount, just a directory listing) and see what is there.
[heloel@manjaro ~]$ smbclient //192.168.1.18/publico -U 'Pruebas%Pru3b45.' -c dir
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH08] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]
  .                                   D        0  Tue Aug  4 12:43:19 2015
  ..                                  D        0  Tue Aug  4 12:43:19 2015
  file.txt                            A       39  Sat Jun 27 15:29:35 2015
  inatel                              D        0  Tue Aug  4 12:42:33 2015
  pdfobjflow.dot                      A      282  Tue Aug  4 12:43:19 2015
  yomero                              D        0  Sat Jun 27 15:28:23 2015

                15728127 blocks of size 4096. 13160401 blocks available
To find out whether you can write:
smbclient //192.168.1.18/publico/ -U 'Pruebas%Pru3b45.' -c 'mkdir segmaster'
Upload a file:
smbclient //192.168.1.18/publico -U 'Pruebas%Pru3b45.' -c 'put heloel.txt'
Download a file:
smbclient //192.168.1.18/publico -U 'Pruebas%Pru3b45.' -c 'get heloel.txt'
To view the drive, which is supposedly not shared:
[heloel@manjaro ~]$ smbclient //192.168.1.18/c$ -U 'Pruebas%Pru3b45.' -c dir
smbclient: Can't load /etc/samba/smb.conf - run testparm to debug it
Domain=[CEH08] OS=[Windows Server 2008 R2 Enterprise 7601 Service Pack 1] Server=[Windows Server 2008 R2 Enterprise 6.1]
  $Recycle.Bin                      DHS          0  Mon Jul 13 21:34:39 2009
  Boot                              DHS          0  Wed Feb 18 14:31:22 2015
  bootmgr                          AHSR     383786  Sat Nov 20 21:24:02 2010
  BOOTSECT.BAK                     AHSR       8192  Wed Feb 18 14:31:22 2015
  brasil                              D          0  Fri Feb 20 09:55:10 2015
  ceh-inter                           D          0  Thu Feb 19 21:33:28 2015
  Documents and Settings            DHS          0  Tue Jul 14 00:06:44 2009
  inatel                              D          0  Tue Aug  4 12:48:13 2015
  inetpub                             D          0  Fri May  1 23:55:02 2015
  pagefile.sys                      AHS 2146881536  Fri Sep  4 13:14:08 2015
  PerfLogs                            D          0  Mon Jul 13 22:20:08 2009
  Program Files                      DR          0  Wed Feb 18 13:42:49 2015
  Program Files (x86)                DR          0  Wed Feb 18 13:42:50 2015
  ProgramData                        DH          0  Wed Feb 18 13:58:17 2015
  Recovery                          DHS          0  Wed Feb 18 12:33:57 2015
  System Volume Information         DHS          0  Wed Feb 18 13:42:54 2015
  Users                              DR          0  Wed Feb 18 13:20:51 2015
  voip.log                            A    2076478  Tue May  5 09:31:05 2015
  Windows                             D          0  Wed Feb 18 15:50:18 2015
  wwww                                D          0  Sat Jun 27 15:34:17 2015
HOST-RESOURCES-MIB::hrStorageSize.1 = INTEGER: 0
HOST-RESOURCES-MIB::hrStorageSize.2 = INTEGER: 15728127
HOST-RESOURCES-MIB::hrStorageSize.3 = INTEGER: 65517
HOST-RESOURCES-MIB::hrStorageSize.4 = INTEGER: 32758
HOST-RESOURCES-MIB::hrStorageUsed.1 = INTEGER: 0
HOST-RESOURCES-MIB::hrStorageUsed.2 = INTEGER: 2568888
HOST-RESOURCES-MIB::hrStorageUsed.3 = INTEGER: 9026
HOST-RESOURCES-MIB::hrStorageUsed.4 = INTEGER: 8296
HOST-RESOURCES-MIB::hrStorageAllocationFailures.1 = Counter32: 0
HOST-RESOURCES-MIB::hrStorageAllocationFailures.2 = Counter32: 0
HOST-RESOURCES-MIB::hrStorageAllocationFailures.3 = Counter32: 0
HOST-RESOURCES-MIB::hrStorageAllocationFailures.4 = Counter32: 0
HOST-RESOURCES-MIB::hrDeviceIndex.1 = INTEGER: 1
Running processes
HOST-RESOURCES-MIB::hrSWRunName.240 = STRING: "smss.exe"
HOST-RESOURCES-MIB::hrSWRunName.320 = STRING: "csrss.exe"
HOST-RESOURCES-MIB::hrSWRunName.328 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.372 = STRING: "wininit.exe"
HOST-RESOURCES-MIB::hrSWRunName.392 = STRING: "csrss.exe"
HOST-RESOURCES-MIB::hrSWRunName.440 = STRING: "winlogon.exe"
HOST-RESOURCES-MIB::hrSWRunName.460 = STRING: "services.exe"
HOST-RESOURCES-MIB::hrSWRunName.476 = STRING: "lsass.exe"
HOST-RESOURCES-MIB::hrSWRunName.484 = STRING: "lsm.exe"
HOST-RESOURCES-MIB::hrSWRunName.672 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.748 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.772 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.800 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.844 = STRING: "LogonUI.exe"
HOST-RESOURCES-MIB::hrSWRunName.892 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.968 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1012 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1260 = STRING: "spoolsv.exe"
HOST-RESOURCES-MIB::hrSWRunName.1292 = STRING: "Microsoft.ActiveDirectory.WebServices.exe"
HOST-RESOURCES-MIB::hrSWRunName.1324 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1356 = STRING: "dfsrs.exe"
HOST-RESOURCES-MIB::hrSWRunName.1376 = STRING: "dns.exe"
HOST-RESOURCES-MIB::hrSWRunName.1408 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1452 = STRING: "inetinfo.exe"
HOST-RESOURCES-MIB::hrSWRunName.1492 = STRING: "ismserv.exe"
HOST-RESOURCES-MIB::hrSWRunName.1544 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1632 = STRING: "svchost.exe"
HOST-RESOURCES-MIB::hrSWRunName.1652 = STRING: "snmp.exe"
HOST-RESOURCES-MIB::hrSWRunName.1672 = STRING: "vmtoolsd.exe"
HOST-RESOURCES-MIB::hrSWRunName.1736 = STRING: "svchost.exe"
Processes, their paths and parameters
HOST-RESOURCES-MIB::hrSWRunPath.1652 = STRING: "C:\\Windows\\System32\\"
HOST-RESOURCES-MIB::hrSWRunPath.1672 = STRING: "C:\\Program Files\\VMware\\VMware Tools\\"
HOST-RESOURCES-MIB::hrSWRunPath.1736 = STRING: "C:\\Windows\\system32\\"
HOST-RESOURCES-MIB::hrSWRunPath.1764 = STRING: "C:\\Windows\\system32\\wlms\\"
HOST-RESOURCES-MIB::hrSWRunPath.1840 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2180 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2280 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2336 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2424 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2628 = ""
HOST-RESOURCES-MIB::hrSWRunPath.2856 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.1 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.4 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.240 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.320 = STRING: "ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:User"
HOST-RESOURCES-MIB::hrSWRunParameters.328 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.372 = ""
HOST-RESOURCES-MIB::hrSWRunParameters.392 = STRING: "ObjectDirectory=\\Windows SharedSection=1024,20480,768 Windows=On SubSystemType=Windows ServerDll=basesrv,1 ServerDll=winsrv:User"
There are SNMP v1, v2c and v3. Almost nobody supports the latter, but it encrypts; most devices support 2c, and version v1 is still compatible.
It depends on the model; it may be Linksys or Cisco, and so on.
What would not support it is the operating system, such as Windows, Cisco IOS, etc.
DNS
Relationship: machine - IP
See all the domains under the name itesm.mx:
dnsenum --enum -f /usr/share/doc/dnsenum-1.2.4.1/dns.txt -r itesm.mx
# extended LDIF
#
# LDAPv3
# base <> with scope baseObject
# filter: (objectclass=*)
# requesting: namingContexts
#

#
dn:
namingContexts: DC=ceh08,DC=org,DC=mx
namingContexts: CN=Configuration,DC=ceh08,DC=org,DC=mx
namingContexts: CN=Schema,CN=Configuration,DC=ceh08,DC=org,DC=mx
namingContexts: DC=DomainDnsZones,DC=ceh08,DC=org,DC=mx
namingContexts: DC=ForestDnsZones,DC=ceh08,DC=org,DC=mx

# search result
search: 2
result: 0 Success

# numResponses: 2
# numEntries: 1
Now we use it and dump the output to a file:
[heloel@manjaro ~]$ ldapsearch -LLL -H ldap://192.168.1.18:389 -b 'dc=ceh08,dc=org,dc=mx' -D 'CEH08\Pruebas' -w 'Pru3b45.' > info.txt
It contains users and devices, among many other things.
The strength of a password lies in its length, not in whether you use every type of character.
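As an added illustration of that claim (example code, not part of the original notes), the following Python models password entropy as length × log2(alphabet size) and shows how many extra lowercase letters already outweigh switching a short password to every character class; the alphabet sizes and the guess rate are assumptions used only for comparison.

```python
import math
import string

# Alphabet sizes used by the model (assumed: ASCII character classes).
LOWER = 26
ALL_PRINTABLE = 95  # lower + upper + digits + 32 punctuation + space


def entropy_bits(length: int, alphabet: int) -> float:
    """Entropy of a uniformly random password: length * log2(alphabet)."""
    return length * math.log2(alphabet)


def estimate_bits(password: str) -> float:
    """Upper-bound estimate from the character classes actually present.
    Dictionary words and keyboard patterns are worth far less than this."""
    classes = [
        (string.ascii_lowercase, 26), (string.ascii_uppercase, 26),
        (string.digits, 10), (string.punctuation, 32), (" ", 1),
    ]
    alphabet = sum(size for chars, size in classes
                   if any(c in chars for c in password))
    return entropy_bits(len(password), alphabet) if alphabet else 0.0


def extra_chars_to_match(length: int, small: int, big: int) -> int:
    """Extra symbols from the small alphabet needed to reach at least the
    entropy that `length` symbols of the big alphabet provide."""
    target = entropy_bits(length, big)
    n = length
    while entropy_bits(n, small) < target:
        n += 1
    return n - length


def years_to_exhaust(bits: float, guesses_per_second: float) -> float:
    """Time to try every candidate at a constant guess rate (assumed offline
    rate, used only to compare policies against each other)."""
    return 2 ** bits / guesses_per_second / (365 * 24 * 3600)


if __name__ == "__main__":
    rate = 1e10  # constructed figure for comparison only
    for label, n, a in [("8 chars, all printable", 8, ALL_PRINTABLE),
                        ("12 chars, lowercase", 12, LOWER),
                        ("16 chars, lowercase", 16, LOWER)]:
        b = entropy_bits(n, a)
        print(f"{label:24s} {b:5.1f} bits  {years_to_exhaust(b, rate):9.2e} years")
    print("extra lowercase chars to beat 8 printable:",
          extra_chars_to_match(8, LOWER, ALL_PRINTABLE))
```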