IS2C DOJO

Saturday, 15 March 2014

Pentesting pWnOS [1]

Information Gathering & Service Enumeration

Tool: Nmap


Open ports:
  • 22/tcp ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
  • 80/tcp http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
  • 139/tcp netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
  • 445/tcp netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
  • 10000/tcp http MiniServ 0.01 (Webmin httpd)

Other info:
  • MAC address: 08:00:27:E4:D5:34 (Cadmus Computer Systems)
  • OS: Linux 2.6.22


Vulnerability Assessment

Tool: Nessus


Vulnerabilities:
  • Debian OpenSSH/OpenSSL Package Random Number Generator Weakness
    • Attackers can exploit this issue to predict random data used to generate encryption keys by certain applications. This may help attackers compromise encryption keys and gain access to sensitive data. 
  • Samba 'AndX' Request Heap-Based Buffer Overflow
    • A vulnerability has been reported in Samba, which can be exploited by malicious people to compromise a vulnerable system. The vulnerability is caused due to an error in process.c when handling Any Batched (AndX) request packets and can be exploited to cause a heap-based buffer overflow. Successful exploitation may allow execution of arbitrary code. The vulnerability is reported in versions prior to 3.4.0.
  • Apache HTTP Server httpOnly Cookie Information Disclosure
    • Apache HTTP Server could allow a remote attacker to obtain sensitive information, caused by an error in the default error response for status code 400. If no custom ErrorDocument is specified, a remote attacker could exploit this vulnerability to disclose httpOnly cookies and other sensitive information.
  • HTTP TRACE / TRACK Methods Allowed
    • Trace is a function and a utility of Apache to troubleshoot webpages. It can be used to discover why pages are not working and potentially could be used to fix issues. As explained in the news from the Apache Foundation, the same information exposed in the attack for which this CVE is crafted can be garnered in other more typical ways. Thus, the CVE is a pretty weak representation of a real problem.
  • SMB Signing Required
    • SMB signing and security signatures can be configured for the Workstation service and for the Server service. The Workstation service is used for outgoing connections. The Server service is used for incoming connections. When SMB signing is enabled, it is possible for clients that support SMB signing to connect and it is also possible for clients that do not support SMB signing to connect. When SMB signing is required, both computers in the SMB connection must support SMB signing. The SMB connection is not successful if one computer does not support SMB signing.
  • Webmin / Usermin Null Byte Filtering Vulnerabilities
    • Webmin and Usermin both come with the Perl script 'miniserv.pl' to provide basic web services, and the version of 'miniserv.pl' installed on the remote host fails to properly filter null characters from URLs. An attacker may be able to exploit this to reveal the source code of CGI scripts, obtain directory listings, or launch cross-site scripting attacks against the affected application.

Exploit

From the list above, I will try to exploit Webmin. I will be using Metasploit to do so.

First, I search for Webmin exploits in Metasploit.


Yes, I got some exploits for Webmin, and I chose the file disclosure vulnerability to get system information (/etc/passwd).


We got the list of users on the server. Now I'll try to grab the shadow file.


Yes, we got the users and their password hashes. We can use that list and crack the hashes using John.
But first, let's try to grab other files.


From index1.php, I can see (in the include function) that there is another vulnerability (LFI). Let's try to access the Apache log and put a web shell on the server.

Update: I failed to include the Apache access log because of insufficient permissions on the server.
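As an added defender-side example (my code, not part of the original post), the following Python scans Apache-style access-log lines for the two request patterns this post relies on: null-byte (%00) truncation of the kind Webmin's miniserv.pl failed to filter, and directory traversal/LFI attempts such as including the Apache access log. The log lines are constructed, and decoding the path twice is an assumption about how a naive single-decode filter could be bypassed.

```python
import re
from urllib.parse import unquote

# Constructed sample access-log lines (Apache combined format) for this example.
SAMPLE_LOG = """\
10.0.0.5 - - [15/Mar/2014:10:01:02 +0700] "GET /index1.php?page=about HTTP/1.1" 200 512 "-" "Mozilla/5.0"
10.0.0.9 - - [15/Mar/2014:10:01:09 +0700] "GET /index1.php?page=../../../../var/log/apache2/access.log HTTP/1.1" 403 221 "-" "curl/7.35"
10.0.0.9 - - [15/Mar/2014:10:01:12 +0700] "GET /cgi-bin/view.cgi?file=/etc/shadow%00.html HTTP/1.1" 200 990 "-" "curl/7.35"
10.0.0.9 - - [15/Mar/2014:10:01:15 +0700] "GET /index1.php?page=../../../../etc/passwd%2500 HTTP/1.1" 200 1834 "-" "curl/7.35"
10.0.0.7 - - [15/Mar/2014:10:02:00 +0700] "GET /style.css HTTP/1.1" 200 300 "-" "Mozilla/5.0"
"""

# Minimal combined-log-format matcher: client IP, timestamp, request line, status.
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3})'
)

# Files whose names appearing in a request path deserve a look (from this post).
SENSITIVE = ("/etc/passwd", "/etc/shadow", "access.log", "error.log")


def classify_request(raw_path):
    """Return the list of findings for one request path.

    The path is URL-decoded twice so that double encoding (%2500 -> %00)
    does not slip past the check. Findings are returned in a fixed order.
    """
    decoded = unquote(unquote(raw_path))
    findings = []
    if "\x00" in decoded:                      # null-byte truncation attempt
        findings.append("null-byte")
    if "../" in decoded or "..\\" in decoded:  # directory traversal / LFI
        findings.append("traversal")
    if any(name in decoded for name in SENSITIVE):
        findings.append("sensitive-file")
    return findings


def scan_log(text):
    """Return (ip, status, path, findings) for each suspicious log line."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        findings = classify_request(m.group("path"))
        if findings:
            hits.append((m.group("ip"), int(m.group("status")), m.group("path"), findings))
    return hits
```

The 403 line is still reported: as the update above shows, an include attempt that fails on permissions is still an attempt worth alerting on.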

Now, I will start cracking the passwords using John...


To be continued...

Thursday, 13 March 2014

Exploiting Freefloat FTP 1.0 using Metasploit

Let's try to exploit this service.

First, scan the target using Nmap to make sure the service is running.



Yes, we have the FreeFloat FTP service running on port 21. The version is 1.0.

Let's try to find the exploit in Metasploit.


Now set up the options before starting the exploit.


Check first...



Yes, it's vulnerable...

Exploiting...


Pwned!!!

Information Gathering & Exploiting MS06-067 using Nmap & Metasploit

Today I'm going to try to exploit a Windows machine which is vulnerable to remote code execution in the SMB service.

Let's begin...



Yes, we have the SMB service running on that machine (192.168.56.101). Let's check the vulnerability using Nmap (again).




Yes, it's likely vulnerable. Now let's try to exploit it using Metasploit.


There is one exploit available in Metasploit for this vulnerability.

Let's begin the setup...


Exploiting...


Voilà... We got a Meterpreter session...

Let's check the system...



Yes... we got the system. :)


How to fix:
  • Block access to 139/TCP and 445/TCP ports
  • Install updates from vendor’s site

Wednesday, 12 March 2014

Installing Nessus

Now I'm trying to install Nessus on a VM.

1. Download the Nessus .deb from this link:
www.tenable.com/products/nessus/select-your-operating-system
2. After the download has finished, open a terminal and type this (package installation needs root, hence sudo):
$ sudo dpkg -i Nessusfile.deb

Note: replace Nessusfile.deb with the actual filename of the Nessus package.
3. Now it's time to start the Nessus service.
$ sudo service nessusd start
4. Open up your browser and go to:
https://127.0.0.1:8834
You have to enter your Nessus registration code and create a username and password before you can start scanning.

That's all.

Have a nice scan. :)

Monday, 10 March 2014

What is a Vulnerability?

Based on Wikipedia: Vulnerability refers to the inability to withstand the effects of a hostile environment. A window of vulnerability (WoV) is a time frame within which defensive measures are reduced, compromised or lacking. But this explanation is in a general sense. In computer security, a vulnerability is a weakness which allows an attacker to reduce a system's information assurance. Vulnerability is the intersection of three elements: a system susceptibility or flaw, attacker access to the flaw, and attacker capability to exploit the flaw. To exploit a vulnerability, an attacker must have at least one applicable tool or technique that can connect to a system weakness. In this frame, vulnerability is also known as the attack surface. -- Wikipedia

In simple words:
A security vulnerability is a weakness in a product that could allow an attacker to compromise the integrity, availability, or confidentiality of that product. -- Microsoft

Information Gathering :: spentera.com


The second task from my Sensei is gathering information related to spentera.com, and I will be using the same techniques as in the last one.

1. Nmap



From the information above I found that the name server is using Cloudflare. That makes it difficult to get the real information about the server, so now I will try another way.


2. Brute_Ns.php

I made this tool to check the subdomains associated with the services running on the server.


Hurrah! I got a possible real IP for the server. Now I'm rescanning that IP using Nmap.
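Added example, not the author's Brute_Ns.php: a Python check that an operator who hides an origin behind Cloudflare can run over their own zone's A records to find the hostnames that bypass the CDN, which is the same leak that gave up the real IP above. The records are constructed (203.0.113.0/24 is a documentation range); the Cloudflare ranges are its published IPv4 list at the time of writing and should be refreshed from cloudflare.com/ips-v4 before use.

```python
import ipaddress

# Cloudflare's published IPv4 edge ranges (verify against cloudflare.com/ips-v4).
CLOUDFLARE_V4 = [ipaddress.ip_network(n) for n in (
    "173.245.48.0/20", "103.21.244.0/22", "103.22.200.0/22", "103.31.4.0/22",
    "141.101.64.0/18", "108.162.192.0/18", "190.93.240.0/20", "188.114.96.0/20",
    "197.234.240.0/22", "198.41.128.0/17", "162.158.0.0/15", "104.16.0.0/13",
    "104.24.0.0/14", "172.64.0.0/13", "131.0.72.0/22",
)]

# Constructed zone snapshot: hostname -> resolved A records. The web hostnames
# sit behind Cloudflare; the mail/ftp/cpanel hostnames point straight at the
# origin because those non-HTTP services cannot be proxied by the CDN.
SAMPLE_RECORDS = {
    "example-target.test":        ["104.16.1.10", "104.16.2.10"],
    "www.example-target.test":    ["104.16.1.10"],
    "mail.example-target.test":   ["203.0.113.28"],
    "ftp.example-target.test":    ["203.0.113.28"],
    "cpanel.example-target.test": ["203.0.113.28"],
}


def is_cloudflare(ip):
    """True if the address falls inside one of Cloudflare's edge ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in CLOUDFLARE_V4)


def exposed_origins(records):
    """Map each non-Cloudflare IP to the sorted hostnames that reveal it.

    Any entry here is an origin address that a firewall should restrict to
    Cloudflare's ranges (or that should not be published in DNS at all).
    """
    exposed = {}
    for host, ips in records.items():
        for ip in ips:
            if not is_cloudflare(ip):
                exposed.setdefault(ip, []).append(host)
    return {ip: sorted(hosts) for ip, hosts in exposed.items()}
```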


Now I have some possible services and the OS running on the server.

20/tcp   closed ftp-data
21/tcp   open   ftp        Pure-FTPd
53/tcp   open   domain     ISC BIND 9.3.6-20.P1.el5_8.6
80/tcp   open   http       Apache httpd
110/tcp  open   pop3       Dovecot pop3d
143/tcp  open   imap       Dovecot imapd
443/tcp  open   ssl/https?
587/tcp  open   smtp       Exim smtpd 4.82
993/tcp  open   ssl/imap   Dovecot imapd
995/tcp  open   ssl/pop3   Dovecot pop3d
5666/tcp open   tcpwrapped
Service Info: Host: server28.web-hosting.com; OS: Red Hat Enterprise Linux; CPE: cpe:/o:redhat:enterprise_linux
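As an added example (not from the original post), here is a small Python parser for the nmap port table in the format shown above; it also splits the Service Info line into fields and lists the open ports whose banner discloses a concrete version number, which are the first entries to check against vendor advisories. The sample input is a copy of the output above.

```python
import re

# Sample input copied from the nmap output in this post.
SAMPLE_NMAP = """\
20/tcp   closed ftp-data
21/tcp   open   ftp        Pure-FTPd
53/tcp   open   domain     ISC BIND 9.3.6-20.P1.el5_8.6
80/tcp   open   http       Apache httpd
110/tcp  open   pop3       Dovecot pop3d
143/tcp  open   imap       Dovecot imapd
443/tcp  open   ssl/https?
587/tcp  open   smtp       Exim smtpd 4.82
993/tcp  open   ssl/imap   Dovecot imapd
995/tcp  open   ssl/pop3   Dovecot pop3d
5666/tcp open   tcpwrapped
Service Info: Host: server28.web-hosting.com; OS: Red Hat Enterprise Linux; CPE: cpe:/o:redhat:enterprise_linux
"""

# One port-table row: "PORT/PROTO STATE SERVICE [VERSION]".
PORT_RE = re.compile(
    r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>\S+)\s+(?P<service>\S+)(?:\s+(?P<version>.+))?$"
)
VERSION_RE = re.compile(r"\d+\.\d+")  # a dotted number = concrete version disclosed


def parse_ports(text):
    """Return a list of dicts (port, proto, state, service, version) for each row."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            row = m.groupdict()
            row["port"] = int(row["port"])
            row["version"] = (row["version"] or "").strip()
            ports.append(row)
    return ports


def parse_service_info(text):
    """Turn the 'Service Info:' line into a dict such as {'Host': ..., 'OS': ..., 'CPE': ...}."""
    for line in text.splitlines():
        if line.startswith("Service Info:"):
            body = line[len("Service Info:"):]
            pairs = (part.split(":", 1) for part in body.split(";") if ":" in part)
            return {k.strip(): v.strip() for k, v in pairs}
    return {}


def version_disclosing(ports):
    """Open ports whose banner carries a version number (triage these first)."""
    return [p for p in ports if p["state"] == "open" and VERSION_RE.search(p["version"])]
```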

3. Netcat

Now I'm trying to grab information using Netcat.



And the server didn't allow me to grab any information.


4. Reverse IP
As in my last post, I'm using my tool to get the other websites hosted on the same server.




I got 134 websites hosted on the server. Let's look deeper with a deep scan.


5. Deep_Scan.php
I made this tool to grab possible folders from the list captured by reverse_ip.php.

The results cannot be shown here because they contain sensitive information.


6. Get Information from robots.txt



Got no information...


7. Checking DNS using dnsenum

DNSenum is a pentesting tool that enumerates as much DNS information about domains as possible. -- Aldeid



All subdomains are reported as active, so from this result it is not possible to search for subdomains using tools that do not filter out duplicate results.

8. Whois spentera.com

I tried to get information about the owner of the domain spentera.com using whois. Here are the results:







I can get some information about this domain. The domain is registered through enom.com, but all the owner information has been set to private.



9. Grabbing Emails on spentera.com

I'm using my own tool. Here are the results:




I think we cannot use that information.


=================== EOF ===================

Information Gathering :: is2c-dojo.com


Today, I got a task from my sensei to gather information related to the website http://is2c-dojo.com.

Here are some of my results from last night until this morning:

1. Nmap

Nmap (Network Mapper) is a security scanner originally written by Gordon Lyon (also known by his pseudonym Fyodor Vaskovich)[1] used to discover hosts and services on a computer network, thus creating a "map" of the network. To accomplish its goal, Nmap sends specially crafted packets to the target host and then analyzes the responses. -- Wikipedia

From the Nmap results I got information such as:
  • Found 9 open ports:
    • 21/tcp  open  ftp      Pure-FTPd
    • 53/tcp  open  domain   ISC BIND 9.3.6-20.P1.el5_8.6
    • 80/tcp  open  http     Apache httpd 2.2.26 ((Unix) mod_ssl/2.2.26 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4)
    • 110/tcp open  pop3     Dovecot pop3d
    • 143/tcp open  imap     Dovecot imapd
    • 443/tcp open  http     Apache httpd 2.2.26 ((Unix) mod_ssl/2.2.26 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4)
    • 587/tcp open  smtp     Exim smtpd 4.82
    • 993/tcp open  ssl/imap Dovecot imapd
    • 995/tcp open  pop3s?
  • Host info:
    • Nmap scan report for is2c-dojo.com (192.111.155.74)
    • Host: gudeg.partnerit.us
    • OS: Red Hat Enterprise Linux; CPE: cpe:/o:redhat:enterprise_linux


2. Netcat

I use Netcat to find the date the site was last updated by the admin, to identify the web server software the admin uses, and to get other info from 404 responses (by forcing access to data that does not exist).




From the Netcat results I got information such as:

  • Server: Apache/2.2.26 (Unix) mod_ssl/2.2.26 OpenSSL/0.9.8e-fips-rhel5 mod_bwlimited/1.4
  • Last-Modified: Tue, 21 Jan 2014 17:28:13 GMT
  • Possible admin email: mailto:adi88nugroho@gmail.com
From the information above, I tried to find further information about the admin using Google:


I got lots of information related to the admin's email and phone number (about 8,300 results).


3. reverse_ip.php

I made this tool to search for other websites possibly hosted on the same server as the target website. Here are the results:


I found 81 possible websites hosted on this IP: 192.111.155.74

4. deep_scan.php

I made this tool to grab possible folders from the list captured by reverse_ip.php.

The results cannot be shown here because they contain sensitive information.


5. Checking robots.txt

The Robot Exclusion Standard, also known as the Robots Exclusion Protocol or robots.txt protocol, is a convention for advising cooperating web crawlers and other web robots about accessing all or part of a website which is otherwise publicly viewable. Robots are often used by search engines to categorize and archive web sites, or by webmasters to proofread source code. The standard is different from, but can be used in conjunction with, Sitemaps, a robot inclusion standard for websites. -- Wikipedia

I got no information from robots.txt.

6. Checking DNS using dnsenum


DNSenum is a pentesting tool that enumerates as much DNS information about domains as possible. -- Aldeid

 
I got some information from dnsenum.
All subdomains are reported as active, so from this result it is not possible to search for subdomains using tools that do not filter out duplicate results.




7. Whois & Dig is2c-dojo.com

I tried to dig up the data of the domain owner of is2c-dojo.com using whois and dig. Here are the results:





I didn't get any information about this domain. But this domain is registered through JogjaCamp.com or resellercamp.com. All the information has been set to private.


8. Finding Emails
Again, I'm using my own tool. Here are the results:



Too bad, there is no email address written on the website.




=================== EOF ===================