
How can I add a payload to this?


ghost:

Downloaded a milw0rm script and used it, but now I want a shell or something to input code. I can now go to [edit]removed IP, and added 10 warn to your account[/edit]

http://milw0rm.com/exploits/2671

C:\>2671.pl
"Novell eDirectory 8.8 NDS Server" Remote Stack Overflow Exploit

[+] Connected.
[+] Trying to overwrite RETurn address...
[+] Done. Now check for bind shell on [edit]removed[/edit]!

Result: DHost HTTP Server

DHost Console | NDS DS Trace | NDS iMonitor


ghost:

First of all, you're not supposed to post the addresses to sites you've hacked or plan on hacking.

This just looks like you found a site that's vulnerable to that exploit, downloaded the exploit, and used it (which is something that any idiot can do). It also looks like you don't know what you're doing. It tells you that your hacked site/server has a bind shell port open on 8029 now, so open up netcat and connect to it.

Or go read some more about rooting so that when you come across a vulnerability, you know how to exploit said vulnerability without getting busted. :)

(Oh, and I'm not exactly a rooting expert, so if you want legitimate help with rooting, you'll have to ask someone else.) :P


ghost:

People like you really make me mad. First, know the ranges: it's an INTERNAL pen test. Besides that, you'd better just not say anything if the only thing you want to do is blame people. Sorry, but you made me a little bit upset.


ghost:

I'm sorry if I made you upset. Regardless of how you feel about my post, the point is the same: Learn more.

Until you know everything, you should always want to learn more. ;)


ghost:

Well, this is just another step of learning for me, and I guess there is no such thing as "knowing everything", but could you maybe still give me advice on how to do it? Because if I now connect to it with netcat, it does like

#nc ip_address port

it immediately disconnects :/


ghost:

Maybe read up on netcat. Try to learn how it deals with connections and what causes it to close unexpectedly. Pretty much, if you want an answer, you can find it. All it requires is effort and patience on your part. :)


ghost:

OK, can't you just tell me where to look in the man pages? :p


ghost:

"I have said: 'Blow out the lamp! Day is here!' And you keep saying: 'Give me a lamp so I can find the day.'" – Frank Herbert


ghost:

jelmer wrote: if I now connect to it with netcat it immediately disconnects :/

Post what you're actually trying... not just that you're trying it. Also, go ahead and try telnet with the optional port argument to connect to that address. Example:

telnet ip_address port

Post the full results of each command or, if you can't do that, take screenshots of what you see when the command fails.

Oh, and internal IP address ranges are okay, I agree… They wouldn't do any good to anyone outside of the network, anyways. Internal ranges:

10.x.x.x, 127.x.x.x (loopback), 172.16.x.x - 172.32.x.x, 192.168.x.x
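The "connects, then immediately disconnects" symptom above has several different causes that netcat alone does not distinguish: nothing listening (RST on connect), a filter dropping packets (timeout), a listener that accepts and closes at once (the shell process died or was never spawned), or a shell that is up but waiting for input. The probe below, an added example and not code from this thread, tells them apart by connecting, sending one command line and classifying what comes back. The local `start_fake_listener` stand-ins are constructed so the probe can be run offline; the real target host and port (8029 in the thread) are what you would pass to `probe` instead.

```python
import socket
import threading
import time


def start_fake_listener(behaviour: str) -> int:
    """Constructed local stand-in for the remote bind-shell port so the probe
    can be exercised offline. Returns the ephemeral port it listens on.
      drop  - accept the connection and close it at once (the thread's symptom)
      hang  - accept, read, never answer
      shell - accept, read one command line, answer it, close
    """
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(1)
    port = srv.getsockname()[1]

    def run():
        conn, _ = srv.accept()
        srv.close()
        if behaviour == "drop":
            conn.close()
            return
        data = conn.recv(1024)
        if behaviour == "hang":
            time.sleep(3)
        else:  # "shell": answer a single command the way a real bind shell would
            if data.strip() == b"id":
                conn.sendall(b"uid=0(root) gid=0(root)\n")
            else:
                conn.sendall(b"sh: command not found\n")
        conn.close()

    threading.Thread(target=run, daemon=True).start()
    return port


def closed_port() -> int:
    """A local port nothing listens on (allocated, then released)."""
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.bind(("127.0.0.1", 0))
    port = s.getsockname()[1]
    s.close()
    return port


def probe(host: str, port: int, timeout: float = 2.0, command: bytes = b"id\n"):
    """Connect, send one command line, and classify the port's behaviour.

    Returns (verdict, reply_bytes). Verdicts:
      refused            - nothing listening (RST answered our SYN)
      timeout            - no answer at all (filtered, or host down)
      closed_on_connect  - accepted, then the peer closed before talking
      silent             - accepted, still open, but nothing came back in time
      responded          - accepted and answered the command line
    """
    s = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    s.settimeout(timeout)
    chunks = []
    try:
        s.connect((host, port))
    except ConnectionRefusedError:
        s.close()
        return "refused", b""
    except socket.timeout:
        s.close()
        return "timeout", b""
    try:
        s.sendall(command)
        while True:
            chunk = s.recv(4096)
            if not chunk:          # orderly close (FIN) from the peer
                break
            chunks.append(chunk)
    except (ConnectionResetError, BrokenPipeError):
        pass                       # peer reset us; treat like a close
    except socket.timeout:
        reply = b"".join(chunks)
        return ("responded" if reply else "silent"), reply
    finally:
        s.close()
    reply = b"".join(chunks)
    return ("responded" if reply else "closed_on_connect"), reply


if __name__ == "__main__":
    for kind in ("drop", "hang", "shell"):
        print(kind, probe("127.0.0.1", start_fake_listener(kind), timeout=0.5))
    print("closed", probe("127.0.0.1", closed_port()))
```

A `closed_on_connect` verdict against a port the exploit claims to have opened usually means the listener is there but the process behind it is gone: the shellcode's child died, the socket was inherited by something that closes it, or a previous connection already consumed the one-shot shell. That points back at the exploit and its payload rather than at netcat.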


AldarHawk (The Manager):

Though I like the bickering back and forth here I will chip in here.

This looks like an internal pen test, yes. Your problem lies within your method. You are sitting in a box looking out. Try it from the other perspective. Look at what you want to achieve, think of ways to get there, pick one of the paths you come up with. If that fails, try another one. Again, as Skunk has stated, patience is needed in testing for security holes.

Also learn what the milw0rm script is actually doing. This will help you learn what you need to do next. Learn how it is making this exploit happen. Once you know how this is happening you will then be able to draw conclusions into how to make it work to your favour. If you do not have the patience to complete this then you should go to www.skoty.org and nominate yourself for an award.

Also please note that I am not here to tell you how to do shit. That is how people learn in school. This is not school. I will guide you and I will help you along the way with help and tips. I will not give you an answer. Research, learn, prove that you need guidance. If you do you will get some. Otherwise, read read read as it states all over this site. To learn the most of anything you must pick it apart and learn from it. If all you want to do is learn to hack and be able to exploit things then you are not in it for the right reasons.

Please read up on exactly what you are attempting to do, and then you will learn (or come up with) ways to finish your thoughts and get things done. Without wisdom you are nothing but a poorly written book.


ghost:

Yes, I also agree with Skunk: if you're doing an internal pen test and you have to ask for help, you don't belong doing it; have someone who knows more do it. I mean, shit, you wanted to add shellcode to an exploit that quite obviously already spat you a shell.

I'm not saying that you're dumb! I'm not saying you're a n00b.

I am saying that you must Google everything, read, learn to program a little, but seriously leave the actual pen tests up to a professional.

Fuck, I didn't even perform our tests at work; I let someone way better than me do it, even though my ego said I know I can do it.

I may have missed something, and then I'm responsible.

So good luck in rooting, it's fun :ninja:

– Fixed quadruple post. MoshBat


ghost:

OK, well, basically I did everything you guys did. Yeah, I'm new to rooting and I'm learning a lot every day again. Now, from my house I can't connect to the LDAP server because it's internet. I really like it that you guys want to help me. I tried everything over that specific port but nothing turned out to really work. It did something on the server, and you said to me that it threw me in a shell, but I don't see more than 3 links. I'm learning more netcat to see if I can connect that way to it; if I connect to it through telnet or netcat it will close immediately. I'm also trying to do something over port 389, it's LDAP and it says (anonymous bind OK), and in the log files I can see how it connects to it. I think I'm going to write something so it will commit a dictionary attack on it. I am a noob at pen testing, I know, but all help will be appreciated :D

I also installed ConsoleOne on my PC; this way I was able to see all kinds of users on the server, and I found out after cracking the password of 1 helpdesk guy that they all use the same password. I earlier found the admin account with which it was possible to become god on the network, but I reported it and they changed it. That password was the same.

The network also stores the passwords locally after getting them from a server. It saves them in 2 parts, NT and LM or something, and they are really easy to crack, unless the passwords are bigger than 14 characters. Not sure how this works, but it makes it a so-called NTLM hash.
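The two parts the post describes are the LM hash and the NT hash (NTLM is the challenge-response protocol built on them). The 14-character limit is the LM half: the password is uppercased, padded or cut to 14 bytes, split into two independent 7-byte DES keys, and each half encrypts the constant "KGS!@#$%"; passwords longer than 14 characters get no LM hash at all. The NT hash is MD4 over the UTF-16LE password with no salt. The block below is an added example, not the poster's tooling: it implements MD4 in pure Python (hashlib's md4 is often missing on OpenSSL 3 builds), derives the NT hash, shows the LM key-splitting step, and reads the well-known empty-half constant `aad3b435b51404ee` out of a dumped LM hash. The DES step itself is deliberately not implemented here, and the sample dumped hash in the usage is constructed.

```python
import struct

MASK32 = 0xFFFFFFFF


def _md4(data: bytes) -> bytes:
    """Pure-Python MD4 (RFC 1320), little-endian words, no salt."""
    def f(x, y, z): return (x & y) | (~x & z)
    def g(x, y, z): return (x & y) | (x & z) | (y & z)
    def h(x, y, z): return x ^ y ^ z
    def rotl(x, n): return ((x << n) | (x >> (32 - n))) & MASK32

    msg = bytearray(data) + b"\x80"
    msg += b"\x00" * ((56 - len(msg) % 64) % 64)
    msg += struct.pack("<Q", len(data) * 8)          # bit length, little-endian
    state = [0x67452301, 0xEFCDAB89, 0x98BADCFE, 0x10325476]
    for off in range(0, len(msg), 64):
        x = struct.unpack("<16I", msg[off:off + 64])
        a, b, c, d = state
        for i in range(16):                            # round 1
            a = rotl((a + f(b, c, d) + x[i]) & MASK32, (3, 7, 11, 19)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 2
            k = (i % 4) * 4 + i // 4
            a = rotl((a + g(b, c, d) + x[k] + 0x5A827999) & MASK32, (3, 5, 9, 13)[i % 4])
            a, b, c, d = d, a, b, c
        for i in range(16):                            # round 3
            k = (0, 8, 4, 12, 2, 10, 6, 14, 1, 9, 5, 13, 3, 11, 7, 15)[i]
            a = rotl((a + h(b, c, d) + x[k] + 0x6ED9EBA1) & MASK32, (3, 9, 11, 15)[i % 4])
            a, b, c, d = d, a, b, c
        state = [(s + v) & MASK32 for s, v in zip(state, (a, b, c, d))]
    return struct.pack("<4I", *state)


def nt_hash(password: str) -> str:
    """NT hash: MD4(UTF-16LE(password)), unsalted, so identical passwords give identical hashes."""
    return _md4(password.encode("utf-16le")).hex()


def lm_halves(password: str):
    """The two 7-byte DES keys LM derives from a password, or None when the
    password exceeds 14 characters (then no LM hash is stored). Uppercasing
    and the split are what make each half independently crackable; the DES
    encryption of "KGS!@#$%" under each key is not implemented here."""
    if len(password) > 14:
        return None
    raw = password.upper().encode("latin-1", "replace").ljust(14, b"\x00")
    return raw[:7], raw[7:]


# DES("KGS!@#$%") under the all-zero key: the LM half of an empty (or padding-only) half.
LM_EMPTY_HALF = "aad3b435b51404ee"


def lm_hash_hints(lm_hex: str) -> dict:
    """What a dumped 32-hex-char LM hash reveals before any cracking."""
    lm_hex = lm_hex.lower()
    first, second = lm_hex[:16], lm_hex[16:]
    return {
        "lm_disabled_or_over_14": first == LM_EMPTY_HALF and second == LM_EMPTY_HALF,
        "password_at_most_7_chars": second == LM_EMPTY_HALF and first != LM_EMPTY_HALF,
    }


if __name__ == "__main__":
    print(nt_hash("password"))
    print(lm_halves("Password1"))
    # Constructed sample: first half unknown, second half the empty-half constant.
    print(lm_hash_hints("0123456789abcdef" + LM_EMPTY_HALF))
```

The `password_at_most_7_chars` hint is why LM dumps are triaged before cracking: a second half equal to the constant means the whole password fits in one 7-character, case-insensitive half, and each half's keyspace is at most 69^7 (95 printable ASCII characters minus the 26 lowercase letters that uppercasing removes).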


ghost:

Read Private Message (inbox)
From: Site Owner
Date: January 23 2009 - 18:19:37
Subject: Warn Level: 10
You have been warned because: posting links to places you want to hack

But it was internal!! :(


ghost:

OK, listen, I get in trouble a lot: don't post the targets, period.

And if you want LDAP, you can use a nice tool coded in Perl; it's at SourceForge.

And if it's Windows 2000 letting you do a null bind, you can use a tool from Microsoft to view the different nodes.

And actually you can also enumerate users on 2000 and figure out if their passwords are blank or not; there's also a nice brute-force function.

Much like XSS, LDAP is viewed as non-writable, which isn't entirely true, so admins usually overlook it, that and SNMP.

So this tool basically eats up misconfigured domain controllers, and then you move on to the next step: gaining access, then elevating your privileges.

I'm not gonna go in my repository and get the tool names and commands because I'm not spoon-feeding you.

PM me with the portscan results and I'll tell you what you need to do :ninja:
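The "anonymous bind OK" the OP saw on port 389 and the "null bind" this post refers to are the same LDAPv3 check: a BindRequest with version 3, an empty DN and an empty simple password, answered by a BindResponse whose resultCode is 0 (success) or 48 (inappropriateAuthentication) / 53 (unwillingToPerform) when the directory refuses it. The block below is an added example, not any of the tools mentioned: it hand-encodes that request in BER, decodes the response, and wraps both in a `check_anonymous_bind` you can point at a real server. The two response byte strings used for testing are constructed; the result-code names are from RFC 4511.

```python
import socket

RESULT_NAMES = {
    0: "success",
    7: "authMethodNotSupported",
    8: "strongerAuthRequired",
    48: "inappropriateAuthentication",
    49: "invalidCredentials",
    53: "unwillingToPerform",
}


def _ber_len(n: int) -> bytes:
    """BER definite length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _tlv(tag: int, payload: bytes) -> bytes:
    return bytes([tag]) + _ber_len(len(payload)) + payload


def _ber_int(n: int) -> bytes:
    """Minimal two's-complement encoding of a non-negative INTEGER."""
    return n.to_bytes(max(1, (n.bit_length() + 8) // 8), "big")


def bind_request(msg_id: int = 1, dn: str = "", password: str = "", version: int = 3) -> bytes:
    """LDAPMessage { messageID, BindRequest [APPLICATION 0] { version, name, simple [0] } }.
    With the defaults this is the anonymous (null) bind."""
    op = _tlv(0x02, _ber_int(version)) + _tlv(0x04, dn.encode()) + _tlv(0x80, password.encode())
    return _tlv(0x30, _tlv(0x02, _ber_int(msg_id)) + _tlv(0x60, op))


def _read_tlv(buf: bytes, pos: int):
    """Return (tag, payload, position after the element)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    return tag, buf[pos:pos + length], pos + length


def parse_bind_response(data: bytes) -> dict:
    """Decode LDAPMessage { messageID, BindResponse [APPLICATION 1] { resultCode, matchedDN, diagnosticMessage } }."""
    tag, body, _ = _read_tlv(data, 0)
    if tag != 0x30:
        raise ValueError("not an LDAPMessage SEQUENCE")
    tag, mid, pos = _read_tlv(body, 0)
    tag, op, _ = _read_tlv(body, pos)
    if tag != 0x61:
        raise ValueError("protocolOp is not a BindResponse")
    _, rc, pos = _read_tlv(op, 0)          # ENUMERATED resultCode
    _, matched, pos = _read_tlv(op, pos)   # matchedDN
    _, diag, pos = _read_tlv(op, pos)      # diagnosticMessage
    code = int.from_bytes(rc, "big")
    return {
        "message_id": int.from_bytes(mid, "big"),
        "result_code": code,
        "result": RESULT_NAMES.get(code, "other(%d)" % code),
        "matched_dn": matched.decode(errors="replace"),
        "diagnostic": diag.decode(errors="replace"),
    }


def anonymous_bind_allowed(response: bytes) -> bool:
    return parse_bind_response(response)["result_code"] == 0


def check_anonymous_bind(host: str, port: int = 389, timeout: float = 5.0) -> dict:
    """Send the anonymous bind to a live server and decode its answer (network, not run by the tests)."""
    with socket.create_connection((host, port), timeout=timeout) as s:
        s.sendall(bind_request())
        return parse_bind_response(s.recv(4096))


if __name__ == "__main__":
    print(bind_request().hex())
    # Constructed responses: success, then inappropriateAuthentication (48).
    print(parse_bind_response(bytes.fromhex("300c02010161070a010004000400")))
    print(parse_bind_response(bytes.fromhex("300c02010161070a013004000400")))
```

A success here only says the directory accepts unauthenticated binds; what an anonymous session can read is a separate question, answered by following the bind with a SearchRequest against the root DSE and the user containers.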


ghost:

jelmer wrote: You have been warned because: posting links to places you want to hack

but it was internal!! :(

moshbat wrote: Well, politely argue your case. Not to me, to Cheese. It was his decision. And by the way, as the Site Owner, his word is final.

Zephyr_Pure wrote: Oh, and internal IP address ranges are okay, I agree... They wouldn't do any good to anyone outside of the network, anyways. Internal ranges:

10.x.x.x, 127.x.x.x (loopback), 172.16.x.x - 172.32.x.x, 192.168.x.x

There are times that people should be warned, and there are times that they should not. Judgment must be made on what is and is not proper behavior by staff… however, some sensibility would help in the decision. I already pleaded the case for why it was not a warnable offense earlier in the thread, and that still holds true.

In no way, shape, or form can an internal IP address be a viable target for anyone on this site to pursue other than the person that is actually on the network.

In that respect, the rule is invalid here and he should've never been warned. I'm removing his warn because, ultimately, the Site Owner is not always right. If he wants to reverse it, that is his choice. I do what I know is right.
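The range list quoted twice in this thread has one slip worth flagging before anyone uses it as a redaction rule: RFC 1918's middle block is 172.16.0.0/12, which ends at 172.31.255.255, so 172.32.x.x is public. The block below is an added example (not a site tool) that classifies an address against the RFC 1918 blocks plus loopback and link-local, and redacts every public IPv4 literal from a piece of text such as the nmap or traceroute output posted later in this thread, so what remains cannot identify the external target. The sample output it is run on is constructed.

```python
import ipaddress
import re

# Ranges that identify nothing outside the network they belong to.
INTERNAL_BLOCKS = {
    "RFC1918 10/8": ipaddress.ip_network("10.0.0.0/8"),
    "RFC1918 172.16/12": ipaddress.ip_network("172.16.0.0/12"),   # 172.16.0.0 - 172.31.255.255
    "RFC1918 192.168/16": ipaddress.ip_network("192.168.0.0/16"),
    "loopback": ipaddress.ip_network("127.0.0.0/8"),
    "link-local": ipaddress.ip_network("169.254.0.0/16"),
}

IPV4_LITERAL = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def classify(addr: str) -> str:
    """Name of the internal block an IPv4 address falls in, or 'public'."""
    ip = ipaddress.ip_address(addr)
    for name, net in INTERNAL_BLOCKS.items():
        if ip in net:
            return name
    return "public"


def is_internal(addr: str) -> bool:
    return classify(addr) != "public"


def redact_public_ips(text: str, placeholder: str = "[redacted]") -> str:
    """Replace every public IPv4 literal in text, leaving internal ones intact.
    Malformed dotted quads (e.g. 999.1.1.1) are left as they are."""
    def swap(match):
        literal = match.group(0)
        try:
            return literal if is_internal(literal) else placeholder
        except ValueError:
            return literal
    return IPV4_LITERAL.sub(swap, text)


if __name__ == "__main__":
    # Constructed traceroute-style lines; 203.0.113.0/24 is a documentation range used as a stand-in public address.
    sample = "1 0.00 10.150.108.3\n2 0.00 172.31.4.1\n3 0.00 172.32.4.1\n4 0.00 203.0.113.9"
    print(redact_public_ips(sample))
```

Run over a scan report before posting, this keeps the hops and hosts that are meaningful only inside the network and strips the ones that are not; note that hostnames in the same output can leak the target just as well and need their own pass.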


ghost:

Good one, Zeph. I like to see when you are fair; I knew you weren't just an evil dictator lol!!! :ninja::ninja:


ghost:

Zephyr's always fair. Usually people who get punished a lot tend to think that the punishments aren't fair… :P

All these guys are absolutely right, and I still stand by my advice: Go learn. When you actually learn about how vulnerabilities work, then it's generally pretty easy for you to exploit that vulnerability in more than one way.

And if you're trying to learn about rooting, hit me up on MSN cause I think I'm about to start learning more about it too. :)


ghost:

Yay, thanks for undoing the warning :) Here are the nmap results; you can open it with Zenmap via File -> Open.

Thanks for your time, and I really like the responses.

–– ldap1.xml ––

Do not post something that reveals the external domain of your target. That IS against the rules. - Zeph


spyware (Banned):

What the fuck is this? His Nmap revealed his target. This shit should be locked. If the OP wishes to learn, he needs to come back -WITHOUT- script kiddie shit. A decent question deserves a decent response. This deserves a lock.

Script kiddie. A kid who uses script without knowing what it exactly does, how it does it and what happens when it runs. A script kiddie. This is what it means.

Edit: Oh and THANK YOU, HBH, for introducing a stupid filter. Way to remove the capital letter "S" from script using that idiotic excuse of a filter. Just saying.


ghost:

@Spy: He didn't reveal his target. If you read the whole thread then you'd know that it's an internal IP.

@OP: Still though, maybe you shouldn't have posted all that nmap bullshit in the thread. The link was a much better idea. Go edit your nmap output post and tell people to view the link instead.


spyware (Banned):

Skunkfoot wrote: @Spy: He didn't reveal his target. If you read the whole thread then you'd know that it's an internal IP.

TRACEROUTE (using port 21/tcp)
HOP RTT ADDRESS
1 0.00 10.150.108.3
2 ... 5 no response
6 0.00 Edited when you mentioned it in your first post in this thread. - Zeph

I read things.