Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-12 04:49 EST
Nmap scan report for 192.168.2.100
Host is up (0.0011s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
25/tcp open smtp Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.2.105], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
|_pop3-capabilities: capa
143/tcp open imap UW imapd 2004.357
|_imap-capabilities: LOGIN-REFERRALS THREAD=ORDEREDSUBJECT UNSELECT SCAN AUTH=LOGINA0001 MAILBOX-REFERRALS BINARY IMAP4REV1 completed THREAD=REFERENCES SASL-IR OK CAPABILITY SORT STARTTLS LITERAL+ IDLE NAMESPACE MULTIAPPEND
443/tcp closed https
MAC Address: 08:00:27:E7:A0:2B (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host: slax.example.net; OS: Unix
TRACEROUTE
HOP RTT ADDRESS
1 1.13 ms 192.168.2.100
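As an added example that is not part of the original write-up, here is a small Python parser for Nmap's normal output like the scan above. It turns the PORT/STATE/SERVICE lines into records, attaches the NSE script lines (the `|_sshv1` and `ssh-hostkey` lines) to the port they belong to, and then flags what a defender would want from this inventory first: SSH protocol 1 still enabled, and services that accept logins over a cleartext-capable channel. The excerpt it parses is constructed from the scan above, trimmed to the relevant lines.

```python
import re

# Constructed excerpt, trimmed from the Nmap normal output in the scan above.
NMAP_OUTPUT = """\
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
|_2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
25/tcp open smtp Sendmail 8.13.7/8.13.7
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357
443/tcp closed https
"""

# <port>/<proto> <state> <service> [<version ...>]
PORT_LINE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# Services that accept a password over a cleartext channel unless TLS is enforced.
CLEARTEXT_LOGIN_SERVICES = {"ftp", "pop3", "imap", "telnet"}


def parse_nmap(text):
    """Parse Nmap normal output into a list of port records.

    Each record has port, proto, state, service, version and the list of NSE
    script lines ('|' / '|_' lines) that followed the port line.
    """
    services = []
    for line in text.splitlines():
        m = PORT_LINE.match(line)
        if m:
            services.append({
                "port": int(m.group(1)),
                "proto": m.group(2),
                "state": m.group(3),
                "service": m.group(4),
                "version": m.group(5) or "",
                "scripts": [],
            })
        elif line.startswith("|") and services:
            # NSE output is printed under the most recent port line.
            services[-1]["scripts"].append(line.lstrip("|_ ").strip())
    return services


def findings(services):
    """Return (port, message) pairs for the exposures a defender should fix first."""
    out = []
    for s in services:
        if s["state"] != "open":
            continue
        if any(sc.startswith("sshv1:") for sc in s["scripts"]):
            out.append((s["port"], "SSH protocol 1 enabled (sshv1 NSE result)"))
        if s["service"] in CLEARTEXT_LOGIN_SERVICES:
            out.append((s["port"], f"{s['service']} accepts logins over a cleartext-capable channel"))
    return out


if __name__ == "__main__":
    svcs = parse_nmap(NMAP_OUTPUT)
    for s in svcs:
        print(f"{s['port']}/{s['proto']:<3} {s['state']:<6} {s['service']:<9} {s['version']}")
    for port, msg in findings(svcs):
        print(f"[!] {port}: {msg}")
```

The same parser works on the full scan above; only the `PORT` table and the `|`-prefixed script lines are consumed, so the host, OS and traceroute sections are ignored.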
At 192.168.2.100:80 I found some credential information about a developer and a marketer.
# Service Enumeration
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
25/tcp open smtp Sendmail 8.13.7/8.13.7
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357
# Vulnerability Assessment
1. FTP Login Anonymous allowed
2. OpenSSH Denial of Service
3. Directory Listing
# Exploitation
First, I was interested in the FTP login, but I didn't get anything from the FTP.
Second, I tried the OpenSSH DoS vulnerability. Running this exploit took the SSH service down temporarily: /pentest/exploits/exploitdb# platforms/multiple/dos/2444.sh
Third, I tried directory listing on the HTTP service. This part is separated into 3 steps:
1. Create a user list from the information available on their web site.
2. Create a file list of common files in a user's home directory on a Linux system.
3. Combine the user list and the file list with dirb; dirb is available in BackTrack.
---- Entering directory: http://192.168.2.101/~havisham/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~havisham/.
(FOUND: 200 [Ok] - Size: 570)
+ http://192.168.2.101/~havisham/..
(FOUND: 200 [Ok] - Size: 579)
---- Entering directory: http://192.168.2.101/~magwitch/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~magwitch/.
(FOUND: 200 [Ok] - Size: 570)
+ http://192.168.2.101/~magwitch/..
(FOUND: 200 [Ok] - Size: 579)
---- Entering directory: http://192.168.2.101/~pirrip/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~pirrip/.
(FOUND: 200 [Ok] - Size: 566)
+ http://192.168.2.101/~pirrip/..
(FOUND: 200 [Ok] - Size: 579)
+ http://192.168.2.101/~pirrip/.ssh/
==> DIRECTORY
---- Entering directory: http://192.168.2.101/~pirrip/.ssh/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~pirrip/.ssh/.
(FOUND: 200 [Ok] - Size: 816)
+ http://192.168.2.101/~pirrip/.ssh/..
(FOUND: 200 [Ok] - Size: 566)
-----------------
DOWNLOADED: 1740 - FOUND: 10
From the dirb output, you can see the ~pirrip/.ssh/ listing. Open it in your browser and download id_rsa and id_rsa.pub; these two files are the SSH key pair used for key authentication. Now connect to the target machine with ssh.
# ssh -i id_rsa pirrip@192.168.2.100
Well, we are connected to the target machine, but we don't know pirrip's password.
Finally, I used grep to find strings containing "Password".
# grep -r "Password" /
After a long time, I got pirrip's password -> 0l1v3rtw1st
In this part, I will do Information Gathering (IG) on the target using Nmap with the command:
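As an added example (not from the original post), here is the same exposure seen from the server side: a Python check over Apache combined-format access log lines that flags successful requests for dot-directories and SSH key files under user home directories, which is exactly what the ~pirrip/.ssh/ listing above looks like in the web server log. The log lines are constructed for this example; the client address reuses the scanner's IP from the SMTP banner above.

```python
import re
from urllib.parse import urlsplit, unquote

# Constructed Apache "combined" log lines for this example, shaped after the
# ~pirrip/.ssh/ listing found above. Not taken from the original server.
SAMPLE_LOG = """\
192.168.2.105 - - [12/Nov/2012:05:02:11 -0500] "GET /~pirrip/ HTTP/1.1" 200 566 "-" "Mozilla/5.0"
192.168.2.105 - - [12/Nov/2012:05:02:13 -0500] "GET /~pirrip/.ssh/ HTTP/1.1" 200 816 "-" "Mozilla/5.0"
192.168.2.105 - - [12/Nov/2012:05:02:15 -0500] "GET /~pirrip/.ssh/id_rsa HTTP/1.1" 200 1679 "-" "Mozilla/5.0"
192.168.2.105 - - [12/Nov/2012:05:02:16 -0500] "GET /~pirrip/.ssh/id_rsa.pub HTTP/1.1" 200 403 "-" "Mozilla/5.0"
192.168.2.105 - - [12/Nov/2012:05:02:20 -0500] "GET /~magwitch/.ssh/ HTTP/1.1" 404 294 "-" "Mozilla/5.0"
10.0.0.7 - - [12/Nov/2012:05:03:00 -0500] "GET /index.html HTTP/1.1" 200 1200 "-" "curl/7.26.0"
"""

LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+)[^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)

# File names that should never be served from a web root or a UserDir.
SENSITIVE_NAMES = {"id_rsa", "id_dsa", "id_ecdsa", "id_ed25519",
                   "authorized_keys", "known_hosts", ".htpasswd", ".bash_history"}


def is_dotfile_path(path):
    """True if any segment of the URL path is a dotfile/dotdir (e.g. /~user/.ssh/)."""
    return any(seg.startswith(".") and seg not in (".", "..")
               for seg in path.split("/") if seg)


def find_exposures(lines):
    """Return (client_ip, path, status) for successful requests that reached a dotfile or key file."""
    hits = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        status = int(m.group("status"))
        if not 200 <= status < 300:
            continue  # a 403/404 means the server handed nothing over
        path = unquote(urlsplit(m.group("target")).path)
        basename = path.rstrip("/").rsplit("/", 1)[-1]
        if is_dotfile_path(path) or basename in SENSITIVE_NAMES:
            hits.append((m.group("ip"), path, status))
    return hits


def by_client(hits):
    """Group exposed paths per client IP so the incident can be scoped per source."""
    grouped = {}
    for ip, path, _ in hits:
        grouped.setdefault(ip, []).append(path)
    return grouped


if __name__ == "__main__":
    for ip, paths in by_client(find_exposures(SAMPLE_LOG.splitlines())).items():
        print(f"{ip} retrieved: {', '.join(paths)}")
```

Only 2xx responses are counted, because a 403 or 404 for a dotfile probe is noise while a 200 for `/~user/.ssh/id_rsa` means the key has to be treated as compromised. On the server side the matching fix in Apache is `Options -Indexes` for UserDir paths plus a `<FilesMatch "^\.">` block denying dotfiles; the check above then tells you whether anyone fetched them before that change.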
# nmap -sS -A 192.168.1.110
which returns the result ->
# Service Enumeration
FTP (vsftpd)
SSH
CUPS Print
HTTPd
# Vulnerability Assessment
From the Information Gathering and Service Enumeration results, we know that the FTP server allows users to log in anonymously. Maybe we can get some interesting files from it.
Before that, I tried fetching each file on it, but the one I was interested in was the core file.
Download it and open it. I opened it using cat, and it just looked like garbage...
Try opening it with the 'strings' command: w00t, we got the strings of the shadow file.
Now separate the shadow strings from the rest: copy the shadow strings and paste them into a text editor.
# Exploitation
Now it's time to crack the shadow file. I used John the Ripper to do this job, and finally we got it. Enjoy!
Yesterday I was learning about Network Forensics, and my case is a packet capture made using Wireshark. You can download the capture file here.
After downloading the capture, we can open it with DD and then extract the data from it.
For a short tutorial we can use the dumb way. In this case I will pull out the data named "recovery.docx", so we need to know the header / magic number of docx files.
If you don't know about magic numbers, you can search Google for the keywords "magic number programming". The magic number of a docx file is 504B. OK, you have the key now.
Now I will use tcpflow to split the capture file into separate flows.
# tcpflow -r evidence.pcap
and one of the split files is 192.168.001.158.05190-192.168.001.159-01272. For this short tutorial, I selected the split file that contains receipe.docx.
The captured file contains hex. With DD you can see the hex of the captured file. I used the dumb trick method to pull out the captured file. First I converted the file into a raw hex dump (raw.txt).
Open raw.txt with a text editor like gEdit or Kate, then search for 504B and go to the first match. Remove the lines/text before 504B, then save it.
Back to DD, and convert raw.txt into binary:
# xxd -r -ps raw.txt > receipe.docx
Finally, open receipe.docx with a word processor like MS Office or LibreOffice.
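As an added example (mine, not the original tutorial's), here is the "dumb way" above done in code: carving a ZIP-based document such as a .docx out of a reassembled TCP stream by its 50 4B 03 04 magic. Instead of deleting the text before 504B by hand, the function tries each `PK\x03\x04` candidate, locates the end-of-central-directory record that closes the archive, and validates the slice with `zipfile`, so HTTP headers before the body and a following response on the same connection are both handled. The stream is constructed in-code (a minimal docx-shaped ZIP inside an HTTP response); nothing here is read from the page's own capture.

```python
import io
import struct
import zipfile

ZIP_LOCAL_HEADER = b"PK\x03\x04"  # 50 4B 03 04: the "504B" magic the tutorial searches for
ZIP_EOCD = b"PK\x05\x06"          # end-of-central-directory record: 22 bytes plus an optional comment
EOCD_MIN_LEN = 22


def carve_zip(stream):
    """Carve the first valid ZIP container out of a byte stream.

    Returns (offset, zip_bytes) or None. docx/xlsx/pptx/jar are all ZIP files,
    so the same routine recovers any of them from a reassembled TCP flow.
    """
    start = 0
    while True:
        start = stream.find(ZIP_LOCAL_HEADER, start)
        if start < 0:
            return None
        eocd = stream.find(ZIP_EOCD, start)
        if eocd < 0 or eocd + EOCD_MIN_LEN > len(stream):
            return None
        # The comment length is the last EOCD field (2 bytes LE at offset 20); the archive ends after it.
        comment_len = struct.unpack_from("<H", stream, eocd + 20)[0]
        candidate = stream[start:eocd + EOCD_MIN_LEN + comment_len]
        try:
            with zipfile.ZipFile(io.BytesIO(candidate)) as zf:
                if zf.testzip() is None:  # every member's CRC checks out
                    return start, candidate
        except zipfile.BadZipFile:
            pass
        start += 1  # false positive ("PK\x03\x04" inside other data): try the next occurrence


def members(zip_bytes):
    """List the member names of a carved archive (a docx has [Content_Types].xml and word/document.xml)."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        return zf.namelist()


def build_sample_stream():
    """Constructed stand-in for a tcpflow output file: an HTTP response that carries a
    minimal docx-shaped ZIP, followed by the next response on the same keep-alive connection."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("[Content_Types].xml", "<Types/>")
        zf.writestr("word/document.xml", "<w:document>constructed sample</w:document>")
    body = buf.getvalue()
    headers = (b"HTTP/1.1 200 OK\r\n"
               b"Content-Type: application/vnd.openxmlformats-officedocument.wordprocessingml.document\r\n"
               b"Content-Length: %d\r\n\r\n" % len(body))
    trailer = b"HTTP/1.1 200 OK\r\nContent-Length: 2\r\n\r\nok"
    return headers + body + trailer, body


if __name__ == "__main__":
    stream, _ = build_sample_stream()
    offset, carved = carve_zip(stream)
    print(f"carved {len(carved)} bytes at offset {offset}: {members(carved)}")
```

To use it on a real tcpflow output file, read the file as bytes, pass it to `carve_zip`, and write the returned bytes to a .docx. Ending the carve at the EOCD record rather than at end-of-file is what keeps the trailing response out of the document, and `testzip()` is what rejects a stray "504B" that is not really an archive.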
Today I was learning about Memory Forensics. My target is Windows XP; beforehand I dumped the memory from Windows XP using AccessData FTK. After dumping the memory, I copied the memory dump into BackTrack and then opened it using Volatility.
# ./vol.py -f /path/of/memorydump.mem imageinfo
After running the command above, you will see some information about the memory image.
Using Volatility you can see processes, networking, and much more.
The image above shows some features of the Volatility tool.
I think we can dump passwords from a Windows machine using Volatility. You can use hashdump and hivelist.
The images below show how many connections there were on my Windows machine. We can see that someone with IP address 192.168.56.102 connected to my machine on ports 6660 and 4444 under the same PID. Maybe someone attacked my machine using a vulnerability in BigAnt and connected back by opening port 4444.
In this case, we can see the history of cmd commands typed by the user before the memory was dumped using FTK.
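As an added example, not part of the original post, here is a Python triage of Volatility `connections` output that encodes the observation above: one remote host talking to a service port and receiving a connect-back from the same PID. The sample output is constructed with the column layout I assume for Volatility 2's connections plugin (Offset(V), Local Address, Remote Address, Pid); the PID, offsets and ephemeral ports are made up for this example, and the set of listening ports would normally come from the sockets plugin rather than being typed in.

```python
from collections import defaultdict

# Constructed sample in the column layout assumed for Volatility 2's "connections"
# plugin. PID, offsets and ephemeral ports are invented to mirror the observation
# above: one remote host on the 6660 service port and on 4444 in the same PID.
SAMPLE_CONNECTIONS = """\
Volatility Foundation Volatility Framework 2.4
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81e12c28 192.168.56.101:6660       192.168.56.102:43211      1588
0x81e3d0a8 192.168.56.101:1045       192.168.56.102:4444       1588
0x81f00a10 192.168.56.101:139        192.168.56.1:51234        4
"""


def parse_connections(text):
    """Turn connections plugin output into dicts; banner, header and separator lines are skipped."""
    conns = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[0].startswith("0x"):
            continue
        local_ip, local_port = parts[1].rsplit(":", 1)
        remote_ip, remote_port = parts[2].rsplit(":", 1)
        conns.append({
            "local_ip": local_ip, "local_port": int(local_port),
            "remote_ip": remote_ip, "remote_port": int(remote_port),
            "pid": int(parts[3]),
        })
    return conns


def triage(conns, listening_ports):
    """Flag PIDs where one remote host both talks to a local listening port and is the
    destination of a separate outbound connection from the same process: the shape of an
    exploited service whose payload connected back to the attacker.

    listening_ports: the local ports the host was serving (in practice from the sockets plugin).
    """
    by_pid = defaultdict(list)
    for c in conns:
        by_pid[c["pid"]].append(c)

    alerts = []
    for pid, cs in sorted(by_pid.items()):
        for remote_ip in sorted({c["remote_ip"] for c in cs}):
            same_host = [c for c in cs if c["remote_ip"] == remote_ip]
            inbound = [c for c in same_host if c["local_port"] in listening_ports]
            outbound = [c for c in same_host if c["local_port"] not in listening_ports]
            if inbound and outbound:
                alerts.append({
                    "pid": pid,
                    "remote_ip": remote_ip,
                    "service_ports": sorted(c["local_port"] for c in inbound),
                    "outbound_ports": sorted(c["remote_port"] for c in outbound),
                })
    return alerts


if __name__ == "__main__":
    for a in triage(parse_connections(SAMPLE_CONNECTIONS), listening_ports={6660, 139}):
        print(f"PID {a['pid']}: {a['remote_ip']} hit service port(s) {a['service_ports']} "
              f"and received a connect-back to port(s) {a['outbound_ports']}")
```

The alert is worth following up with pslist for the PID's image name and cmdscan for what was typed in any shell it spawned, which is the sequence the write-up above walks through by hand.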