♋...Learn Harder, Keep Humble, Not For The Fain Heart !, Respect Others, Try Harder...♋

Saturday, November 10, 2012

Lab 2: Pentesting on Lab Disk #1.100 v1.0

1. Information Gathering and Service Enumeration
The first step in a pentest is gathering information about the target. Here I gathered information by scanning the target with nmap.


The scan above shows two IP addresses, 192.168.1.12 (our IP address) and 192.168.1.100 (the target's IP address), along with the services running on the target system.

If you are unsure what a service is, you can scan again with other options to get a description of each service, as below:


Above we can see a description of each running service and whether its port is open or closed:

20/tcp   closed ftp-data  => this port is closed
21/tcp   open   ftp       => the FTP server is open
22/tcp   open   ssh       => shows the SSH version (OpenSSH 4.3)
25/tcp   open   smtp      => SMTP is used by email clients to send outgoing mail on port 25
80/tcp   open   http      => shows the Apache version (Apache httpd 2.0.55 (Unix) PHP/5.1.2)
110/tcp  open   pop3      => POP3 is an e-mail protocol, like SMTP
143/tcp  open   imap      => IMAP is a standard protocol for accessing/retrieving e-mail from the server
443/tcp  closed https     => this port is closed

3. Vulnerability Assessment
Building on the information gathering and service enumeration, we found the vulnerabilities shown above. Here I can use HTTP and SSH.
To access the HTTP service, we just open the target's IP address in a browser and look at the content.



As seen above, at the bottom of the page there is a list of names and email addresses.

4. Exploit
From the list of usernames and emails we can brute-force the SSH service. First we must crack the passwords for those usernames, so we put the usernames into a text editor like below.



Here I'm using hydra. Before starting the crack we must have a wordlist. You can get a wordlist from the pentest directory or search for one on the web; here I use a wordlist from the pentest directory.


root@bt:~# cd /pentest/passwords/wordlists/
root@bt:/pentest/passwords/wordlists# ls
darkc0de.lst  rockyou.txt

I used darkc0de.lst and then filtered the contents of the wordlist, because it is very large while we only have a few usernames to crack. This keeps the crack from being too heavy, considering my system is not well equipped for it.

Let's crack using hydra.


OK, now we have a username and password to log in.

Let's log in using username bbanter and password bbanter, as in the result above.
root@bt:~# ssh bbanter@192.168.1.100
bbanter@192.168.56.101's password:
Linux 2.6.16.
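From the defender's side, the brute-force step above leaves a very recognisable trace in the target's sshd log: many "Failed password" lines from one source against several accounts in a few seconds, then an "Accepted password" from the same source. As an added example (not part of the original post), here is a small Python detector for that pattern; the auth log lines, host name, source addresses and ports are constructed, and the thresholds are assumptions.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (not from the original post):
# the host name, source addresses and ports are placeholders.
SAMPLE_LOG = """\
Nov 10 10:15:01 slax sshd[2101]: Failed password for aadams from 192.168.1.12 port 40110 ssh2
Nov 10 10:15:01 slax sshd[2102]: Failed password for bbanter from 192.168.1.12 port 40111 ssh2
Nov 10 10:15:02 slax sshd[2103]: Failed password for invalid user mmoore from 192.168.1.12 port 40112 ssh2
Nov 10 10:15:02 slax sshd[2104]: Failed password for ccoffee from 192.168.1.12 port 40113 ssh2
Nov 10 10:15:03 slax sshd[2105]: Failed password for aadams from 192.168.1.12 port 40114 ssh2
Nov 10 10:15:03 slax sshd[2106]: Failed password for bbanter from 192.168.1.12 port 40115 ssh2
Nov 10 10:15:04 slax sshd[2107]: Accepted password for bbanter from 192.168.1.12 port 40116 ssh2
Nov 10 10:30:00 slax sshd[2300]: Accepted password for aadams from 192.168.1.50 port 51001 ssh2
"""
LINE_RE = re.compile(
    r"^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<src>[\d.]+) port \d+ ssh2$"
)

def parse(log_text, year=2012):
    # Return (timestamp, result, user, source) tuples for password auth lines.
    events = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["result"], m["user"], m["src"]))
    return events

def find_bruteforce(events, window_s=60, min_failures=5, min_users=2):
    """Flag a source that fails against several accounts inside one window,
    and record any later accepted login from it (the guessed password)."""
    by_src = defaultdict(list)
    for ev in events:
        by_src[ev[3]].append(ev)
    alerts = {}
    for src, evs in by_src.items():
        evs.sort()
        fails = [e for e in evs if e[1] == "Failed"]
        for i, first in enumerate(fails):
            win = [e for e in fails[i:] if (e[0] - first[0]).total_seconds() <= window_s]
            users = sorted({e[2] for e in win})
            if len(win) >= min_failures and len(users) >= min_users:
                last_fail = win[-1][0]
                ok = [e[2] for e in evs if e[1] == "Accepted" and e[0] >= last_fail]
                alerts[src] = {"failures": len(win), "users": users, "followed_by_success": ok}
                break
    return alerts
```

Run against a real auth.log the same way; a source that trips the threshold and then gets an "Accepted" is exactly the bbanter:bbanter case, and a good candidate for a fail2ban-style block and a forced password change.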

Above we successfully logged in via SSH, but not as root. Next, check /etc/passwd to look for other users:

bbanter@slax:~$ cat /etc/passwd 
root:x:0:0:DO NOT CHANGE PASSWORD - WILL BREAK FTP ENCRYPTION:/root:/bin/bash
bin:x:1:1:bin:/bin:
daemon:x:2:2:daemon:/sbin:
adm:x:3:4:adm:/var/log:
lp:x:4:7:lp:/var/spool/lpd:
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:
news:x:9:13:news:/usr/lib/news:
uucp:x:10:14:uucp:/var/spool/uucppublic:
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:
ftp:x:14:50::/home/ftp:
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
pop:x:90:90:POP:/:
nobody:x:99:99:nobody:/:
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash

Then check /etc/shadow:
bbanter@slax:~$ cat /etc/shadow 
cat: /etc/shadow: Permission denied
bbanter@slax:~$ 

Hufft.. we have a permissions problem; it turns out bbanter does not have higher access. But at the bottom of the /etc/passwd output we find three usernames (aadams, bbanter, ccoffee).

Delete every username in userlist.txt except the ones listed in /etc/passwd.
Next, crack the list of users found in /etc/passwd again. Here I'm using hydra-gtk (the GUI) because it is simpler :D


Yes, we found the password of user aadams.

Log in via SSH as user aadams, then check /etc/passwd.


Then check /etc/shadow using the sudo command, like below:


OK, now we have found the password hashes.

Then crack the password hashes using John the Ripper, like below.


Haha.. we found the root password; gaining the highest privilege was more than easy.

Let's login...


Finished; now we are root and the highest privilege has been gained :D

Alhamdulillah ^^
