In this case I'll show how to attack a machine inside a local network via a Linux server; the setup looks like the picture below:
This is the attack scenario for this case: the attacker, coming from outside the network, hijacks the Linux server machine and uses it to get into the local network (Windows). I'll try to show this with a black-box method, and the first thing we need is to scan the network, i.e. Information Gathering.
Now we can see the services and versions on the target system; from this data we can look for a vulnerable service to use as an entrance into the target machine. I try to attack through the Samba service, so I open Metasploit on the console and search for a Samba exploit for Unix machines.
After choosing an exploit for a Unix machine running Samba, show the options for it, like here:
I look at the options by typing "show options" and we can see which options we need to fill in next: LHOST is our own IP, RHOST is the target IP, RPORT is the port we'll use on the target machine and PAYLOAD is the shellcode that gives us a shell on the target. Here is what I do:
Then run the exploit, which tries to inject the payload and exploit the target system; if it succeeds it shows a process like this:
After getting into the target machine we can type "ls" to look at the directory, like this:
I check which user I am on the machine with the commands id and whoami:
Now we are root, which means we succeeded in getting root (rooting) on the target system. After that we can get the password hashes from /etc/shadow:
Now it's time to crack the passwords from these hashes in /etc/shadow. I copy them into a text editor and save them as a txt file in the john folder, because I use John the Ripper to crack the password hashes, like this:
Now that we have access to the machine, and we know from nmap that it runs an SSH service, try to log in over SSH with the user and password we have from here:
After successfully entering the system over SSH, look at the active network interfaces on that machine:
I found 2 active network interfaces, eth0 and eth1. From this we can guess the system is a server for the local network: eth0 is for internet access and eth1 serves the local network. So try scanning the network on eth1 from this machine, like here:
There are 2 machines active behind this server. I decide to attack the target IP 10.10.10.2 from my machine using a tunneling technique over the SSH service; I do it like this:
After getting access via the tunnel, I set it to port 9090 and edit the proxychains port from 9050 to 9090 so it uses the tunnel. Then I open Metasploit through proxychains: the logic is that Metasploit runs through the tunnel on port 9090 to the Linux server machine and jumps from there into the local network.
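The pivot above only works because sshd on the server still accepts a password login for a stolen credential and allows TCP forwarding, so the tunnel can be pointed at the eth1 network. As an added example (not from the original post), the following script audits an sshd_config for those settings from the defender's side. It reproduces sshd's real rule that the first value seen for a keyword wins, so a hardening line appended at the bottom of the file does nothing; it ignores everything after the first `Match` block, which is a simplification. The two configs, the keyword list and the `<default>` marker are constructed for the example.

```python
"""Audit an sshd_config for the settings that let a compromised account
pivot into the internal network. Added example, not from the blog post.

sshd keeps the FIRST value it sees for each keyword, so a hardening line
appended at the end of the file is ignored if an earlier line already set
the keyword. The parser below reproduces that rule and stops at the first
'Match' block (conditional sections are not modelled; assumption)."""

# Constructed sample: permissive settings, with a hardening line added too late.
WEAK_SSHD_CONFIG = """\
# sshd_config (constructed sample)
Port 22
PermitRootLogin yes
PasswordAuthentication yes
AllowTcpForwarding yes   # dynamic (-D) and local (-L) forwards allowed
GatewayPorts no
AllowTcpForwarding no    # ignored by sshd: first value wins
"""

# Constructed sample: the same server with the pivot path closed.
HARDENED_SSHD_CONFIG = """\
Port 22
PermitRootLogin no
PasswordAuthentication no
PubkeyAuthentication yes
AllowTcpForwarding no
PermitTunnel no
MaxAuthTries 3
"""

# Keyword (lower-cased) -> value that closes the path used in the write-up.
EXPECTED = {
    "permitrootlogin": "no",
    "passwordauthentication": "no",
    "allowtcpforwarding": "no",
    "permittunnel": "no",
}


def parse_sshd_config(text):
    """Return {keyword: first_value} for the global section of an sshd_config."""
    effective = {}
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()   # drop comments and whitespace
        if not line:
            continue
        # sshd accepts both 'Keyword value' and 'Keyword=value'
        parts = line.replace("=", " ", 1).split(None, 1)
        if len(parts) != 2:
            continue
        key, value = parts[0].lower(), parts[1].strip()
        if key == "match":
            break                              # conditional blocks not modelled
        effective.setdefault(key, value)       # first occurrence wins
    return effective


def audit_sshd_config(text):
    """Return sorted findings as (keyword, effective_value, expected_value).

    A keyword that is never set is reported with the value '<default>' so the
    administrator sets it explicitly instead of relying on the build default."""
    effective = parse_sshd_config(text)
    findings = []
    for key, want in EXPECTED.items():
        got = effective.get(key, "<default>")
        if got.lower() != want:
            findings.append((key, got, want))
    return sorted(findings)


if __name__ == "__main__":
    for name, cfg in (("weak", WEAK_SSHD_CONFIG), ("hardened", HARDENED_SSHD_CONFIG)):
        print(name, audit_sshd_config(cfg) or "no findings")
```

Run it against a real file with `audit_sshd_config(open("/etc/ssh/sshd_config").read())`; every finding is a keyword whose effective value still permits the credential-plus-tunnel route described above.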
I'll attack the Windows system on the target using the information from the earlier gathering, and I decide to attack through the Samba service on Windows, like here:
After setting RHOST to the target IP I use the meterpreter bind_tcp payload, like this:
Set the payload and run that exploit, and this exploit:
I try to migrate to another process on this machine; I choose explorer.exe:
At this step we have access to and control of a machine on the local network via the tunnel through the server machine.
Thursday, September 13, 2012
Wednesday, August 8, 2012
Owning Root Shell via Mysql Client - Metasploitable 2
For this test I use BackTrack 5 R3 Blackhat Edition and the target is Metasploitable 2. This simulation shows how to get a root shell through the vulnerable MySQL on an Ubuntu server (Metasploitable 2).
The first step is of course scanning the network; that is the first step for any hacking on a network. I always remember this from my "Sensei": the first step is Information Gathering. "How can you know about the target without gathering information in the first step!?"
Let's open nmap and do the scan:
The highlighted line is the exploitation target, MySQL, and we know the version on the target. This step is part of "Service Enumeration", collecting data about the running services. The next step is to search for vulnerability information for that MySQL version, and I found the information here:
That step is part of "Vulnerability Assessment". After that we have the information needed to start the exploitation, so let's open Metasploit on the console:
In Metasploit I search for mysql, find a few modules and choose the login one, because I'll try to brute-force the MySQL login:
After selecting (use) that auxiliary module I type show options to learn how to use this tool, and I get information like here:
The highlighted fields are the data that need to be filled in, using the information from the Information Gathering step: RHOSTS is the target IP and PASS_FILE is the password dictionary for the brute force. So let's fill them in like here:
After filling in those options, run (or exploit) it. Brute-forcing with the dictionary takes a few minutes, so please be patient:
Evidently the username is root with no password, so try connecting to the target MySQL from another terminal console:
After entering the MySQL client as the MySQL admin, we can look at /etc/passwd with this command:
We found the data in /etc/passwd. After that I try to get access through the SSH server, so back in the Metasploit console I search for ssh login:
After choosing and using the auxiliary module, do the same as before: show options to learn how to use it, and fill it in with the information known from the previous step:
It's brute-forcing, so it takes a few minutes; be patient. After waiting a few minutes we get a result like here:
We found the password for msfadmin. Type sessions -l to view the sessions at this step, like here:
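The SSH dictionary run above leaves a very recognisable trail in the server's auth.log: a burst of "Failed password" lines from one source, then an "Accepted password" from the same source. As an added example (not part of the original post), the script below parses OpenSSH's standard syslog wording, counts failures per source inside a sliding window, and raises a second, more important alert when a login succeeds from a source that was already flagged. The log lines, hostname, year and thresholds are constructed for the example; the line format itself is the one sshd really writes.

```python
"""Detect password-guessing against sshd from auth.log lines and flag a login
that succeeds after a burst of failures from the same source.
Added example for the write-up above, not part of the original post."""

import re
from collections import defaultdict
from datetime import datetime

# Classic syslog timestamps carry no year, so YEAR is an assumption used to
# build full datetimes for the constructed sample below.
YEAR = 2012

# Standard OpenSSH wording for password authentication results.
LINE_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?"
    r"(?P<user>\S+) from (?P<src>\S+) port \d+ ssh2$"
)

# Constructed sample resembling a dictionary run that eventually hits msfadmin,
# followed by an unrelated legitimate login from a different address.
SAMPLE_AUTH_LOG = """\
Sep 13 10:00:01 ubuntu sshd[2101]: Failed password for invalid user admin from 192.168.56.1 port 40001 ssh2
Sep 13 10:00:02 ubuntu sshd[2103]: Failed password for msfadmin from 192.168.56.1 port 40002 ssh2
Sep 13 10:00:02 ubuntu sshd[2105]: Failed password for msfadmin from 192.168.56.1 port 40003 ssh2
Sep 13 10:00:03 ubuntu sshd[2107]: Failed password for msfadmin from 192.168.56.1 port 40004 ssh2
Sep 13 10:00:04 ubuntu sshd[2109]: Failed password for msfadmin from 192.168.56.1 port 40005 ssh2
Sep 13 10:00:05 ubuntu sshd[2111]: Accepted password for msfadmin from 192.168.56.1 port 40006 ssh2
Sep 13 10:30:00 ubuntu sshd[2200]: Accepted password for msfadmin from 192.168.56.50 port 50001 ssh2
Sep 13 10:31:00 ubuntu sshd[2202]: pam_unix(sshd:session): session opened for user msfadmin by (uid=0)
"""


def parse_line(line):
    """Return a dict for an auth-result line, or None for any other sshd line."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(f"{YEAR} {m['ts']}", "%Y %b %d %H:%M:%S")
    return {"ts": ts, "result": m["result"], "user": m["user"], "src": m["src"]}


def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Return alerts as (src, kind, detail) tuples, in log order.

    kind is 'burst' when a source produces >= threshold failures within
    window_seconds, and 'success_after_burst' when that same source later logs
    an Accepted password, which is the event that needs an immediate response."""
    failures = defaultdict(list)   # src -> timestamps of recent failures
    flagged = set()                # sources that already produced a burst
    alerts = []
    for raw in log_text.splitlines():
        ev = parse_line(raw)
        if ev is None:
            continue
        src = ev["src"]
        if ev["result"] == "Failed":
            failures[src].append(ev["ts"])
            # keep only the failures inside the sliding window
            failures[src] = [t for t in failures[src]
                             if (ev["ts"] - t).total_seconds() <= window_seconds]
            if len(failures[src]) >= threshold and src not in flagged:
                flagged.add(src)
                alerts.append((src, "burst",
                               f"{len(failures[src])} failures within {window_seconds}s"))
        elif src in flagged:
            alerts.append((src, "success_after_burst",
                           f"user {ev['user']} at {ev['ts'].isoformat()}"))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(SAMPLE_AUTH_LOG):
        print(*alert)
```

The legitimate login from 192.168.56.50 produces no alert because that address never crossed the failure threshold; only the source that guessed its way in is reported twice.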
There is an active session; select it by typing session -i 1, which means open the active session with id 1, like here:
Now we have entered the server system. Just test it with a command like ifconfig to get its identity, like here:
See, we have IP 192.168.56.102, which is the target's IP, and more proof that this is the target system:
To get access from outside I'll try to log in from a normal console, because we already have the user and password:
Get a real root shell.
Sunday, June 17, 2012
Rooting on Metasploitable : Ubuntu Server
Now I'll show how to root an Ubuntu server. This is a vulnerable server running on an Ubuntu machine, and to attack this machine we need a powerful tool, Metasploit. It's my favourite tool on BackTrack because of its multicomplex range of abilities; I call this tool "Ametasploiterasu".
To map the network and identify the target's services, use nmap:
Now we can see the services and versions on the target system; from this data we can look for a vulnerable service to use as an entrance into the target machine. Now open the console of Ametasploiterasu (msfconsole) in a terminal:
I choose to try exploiting the Samba service, based on the nmap result, so when I open msfconsole I search for a Samba exploit:
I choose this exploit because it is the multi Samba one and has rank excellent; use the exploit like here:
I look at the options by typing "show options" and we can see which options we need to fill in next: LHOST is our own IP, RHOST is the target IP, RPORT is the port we'll use on the target machine and PAYLOAD is the shellcode that gives us a shell on the target. Here is what I do:
Then run the exploit, which tries to inject the payload and exploit the target system; if it succeeds it shows a process like this:
After getting into the target machine we can type "ls" to look at the directory, like this:
I check which user I am on the machine with the commands id and whoami:
Now we are root, which means we succeeded in getting root (rooting) on the target system. After that we can get the password hashes from /etc/shadow:
Now it's time to crack the passwords from these hashes in /etc/shadow. I copy them into a text editor and save them as a txt file in the john folder, because I use John the Ripper to crack the password hashes, like this:
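Both this post and the first one end with the hashes from /etc/shadow going into John the Ripper, and the reason that step finishes quickly on Metasploitable is the state of the shadow file itself: md5crypt hashes and accounts with no password at all. As an added example (not code from the blog), the script below does the defender's version of that step: it parses shadow-format entries, names the hash family from the crypt(3) prefix, and reports empty password fields and legacy hash types that are cheap to crack offline. The entries are constructed and the hash strings are made-up placeholders, not real hashes.

```python
"""Audit /etc/shadow-style entries for the weaknesses that make offline
cracking cheap: empty password fields and legacy hash types.
Added example for the write-ups above, not part of the original posts."""

import re

# crypt(3) prefixes; a bare 13-character field is traditional DES.
HASH_FAMILIES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$7$": "scrypt",
    "$y$": "yescrypt",
}
WEAK_FAMILIES = {"des", "md5crypt"}

# Constructed sample in the Metasploitable-era layout. The hash strings are
# placeholders with the right prefixes, not real password hashes.
SAMPLE_SHADOW = """\
root:$1$XXXXXXXX$placeholderhashvalue000000:15500:0:99999:7:::
msfadmin:$1$YYYYYYYY$placeholderhashvalue111111:15500:0:99999:7:::
user:PLACEHOLDER13:15500:0:99999:7:::
guest::15500:0:99999:7:::
daemon:*:15500:0:99999:7:::
sshd:!:15500:0:99999:7:::
svc:$6$ZZZZZZZZZZZZZZZZ$placeholderhashvaluelongenoughforsha512crypt00000000000:15500:0:99999:7:::
"""


def classify_hash(field):
    """Name the hash family of a shadow password field, or a special case.

    Returns 'empty' for a blank field, 'locked' for '*' or '!'-prefixed fields,
    a family name from HASH_FAMILIES, 'des' for a bare 13-char hash, else 'unknown'."""
    if field == "":
        return "empty"
    if field.startswith(("*", "!")):
        return "locked"
    for prefix, family in HASH_FAMILIES.items():
        if field.startswith(prefix):
            return family
    if re.fullmatch(r"[./0-9A-Za-z]{13}", field):
        return "des"
    return "unknown"


def audit_shadow(text):
    """Return sorted (account, issue) findings for entries a defender should fix."""
    findings = []
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) < 2:
            continue                      # malformed line, skip
        account, pw = fields[0], fields[1]
        family = classify_hash(pw)
        if family == "empty":
            findings.append((account, "empty password field: login needs no password"))
        elif family in WEAK_FAMILIES:
            findings.append((account, f"{family} hash: cheap to crack offline, "
                                      "rehash with sha512crypt or yescrypt"))
        elif family == "unknown":
            findings.append((account, "unrecognised password field"))
    return sorted(findings)


if __name__ == "__main__":
    for account, issue in audit_shadow(SAMPLE_SHADOW):
        print(f"{account}: {issue}")
```

Locked accounts (daemon, sshd) and the sha512crypt entry produce no finding; on a real system, run it as root against /etc/shadow and treat every "empty" finding as the first thing to fix, since it needs no cracking at all.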
Finish.