Exploitation Ubuntu – Windows Services
Fotis Liatsis June 27, 2013
This tutorial describes the basic principles of gathering information to exploit vulnerable machines like Ubuntu Server and Windows XP. On both systems (Ubuntu and Windows) some vulnerable services are installed, like Tomcat Java / Samba File Server, or vulnerable databases like PostgreSQL for the Ubuntu machine and MySQL for Windows respectively.
This tutorial outlines many of the security flaws on both OS machines, such as:
Gathering information
Identify open network services
Exploit vulnerable services
(Note: For the purpose of this tutorial BackBox (based on Ubuntu) as OS, the latest installation package of Oracle VM Box, and Ubuntu 9.04 / Windows XP SP2 OSes will be used.)
Setting Up VM – Manual ifconfig
Before starting our Penetration Testing on the VMs, we’ll set up and configure a couple of things on the VM machine system. After we have created our OS machine (both Ubuntu and Windows OS) click the “Settings” button and navigate to the “Network” tab once more. At network interface, choose the “Host-only Adapter” and automatically the vboxnet0 option will be set.
If you would like to have the network information statically assigned without having to manually enter this information each time, you can edit the /etc/network/interfaces file for the appropriate Ethernet device.
(Note: Be sure to restart the network service after modifying this file (/etc/init.d/networking restart).)
Next you will set up the Windows Network Interface. On the command prompt type cmd and click “OK”.
Then Navigate to the Network Connections Panel.
Next at the properties panel choose “Internet Protocol(TCP/IP)” and click “Properties”. On the “General” tab choose the “Use the following IP address” and add the appropriate network information (see below):
Next at the command prompt write the following command to verify the adapter options:
Verifying connectivity
We will attempt to ping the machines to verify connectivity. If everything is configured correctly, you should see something along the lines of the following commands:
Ubuntu Machine:
And
root@ubuntu:~$ ping 192.168.56.1
PING 192.168.56.1 (192.168.56.1) 56(84) bytes of data.
64 bytes from 192.168.56.1: icmp_req=1 ttl=64 time=0.251 ms
64 bytes from 192.168.56.1: icmp_req=2 ttl=64 time=0.306 ms
^C
--- 192.168.56.1 ping statistics ---
2 packets transmitted, 2 received, 0% packet loss, time 1001ms
rtt min/avg/max/mdev = 0.251/0.278/0.306/0.032 ms
Windows Machine:
And
Gathering Information – Ubuntu Machine
We’ll begin by trying some basic scans against our VM (Ubuntu) machine at 192.168.56.102. Here we will perform a simple scan to determine what ports are open on our target system using the -p option.
Looking at the highlighted results, we can determine that there are many open ports. So let’s use another tool to identify a little bit more on our machine.
Exploit Vulnerable Backdoors
By reviewing the highlighted code closely we can see that port 8180/tcp runs an Apache Tomcat Server. We can identify the version of the Apache Tomcat Server once more using Metasploit.
As we can see, Apache Tomcat/5.5 is used. So once more using Metasploit we’ll try to connect to the Apache Tomcat Server according to some default user/pass options:
Reviewing the result we can identify that Apache Tomcat Server accepts as username/password the “tomcat” string, so according to this result, let’s exploit it:
Vulnerable Web Service
Open a browser and type in the field the IP of the VM and specify the port of the Apache Tomcat server (IP:port).
Next click on “Tomcat Manager” from the Administration Panel at the left and type as username/password the “tomcat” string.
Next we’ll create and upload a vulnerable .war file which will give us access to execute a vulnerable code. So create a cmd_shell.jsp file, which will contain the following code:
Then compress the file using the jar command as follows:
(Note: .war format is the acceptable file type for deploy at Apache Tomcat Manager)
Next Browse the .war file and then deploy it. As we can see the /cmd path was added.
Click this path and then on the navigation bar to complete the path adding cmd_shell.jsp:
At this point we can type any Unix/Windows command like running a command prompt window.
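As an added defensive example (not part of the original tutorial), the following Python detector runs over constructed Tomcat access-log lines and flags the three steps described above: repeated 401s against the manager (the credential guessing the Metasploit login check performs), a successful WAR upload through the manager, and a request to a .jsp under the newly deployed context from the same source address. The log lines, the manager paths and the guessing threshold are assumptions, not values from the page.

```python
import re
from collections import defaultdict

# Constructed sample of Tomcat access-log lines in common log format (not from the page).
SAMPLE_LOG = """\
192.168.56.1 - - [27/Jun/2013:10:15:30 +0000] "GET /manager/html HTTP/1.1" 401 954
192.168.56.1 - - [27/Jun/2013:10:15:31 +0000] "GET /manager/html HTTP/1.1" 401 954
192.168.56.1 - - [27/Jun/2013:10:15:31 +0000] "GET /manager/html HTTP/1.1" 401 954
192.168.56.1 - - [27/Jun/2013:10:15:32 +0000] "GET /manager/html HTTP/1.1" 401 954
192.168.56.1 - tomcat [27/Jun/2013:10:15:33 +0000] "GET /manager/html HTTP/1.1" 200 8123
192.168.56.1 - tomcat [27/Jun/2013:10:16:02 +0000] "POST /manager/html/upload HTTP/1.1" 200 8301
192.168.56.1 - - [27/Jun/2013:10:16:20 +0000] "GET /cmd/cmd_shell.jsp HTTP/1.1" 200 412
192.168.56.50 - - [27/Jun/2013:10:17:00 +0000] "GET /index.html HTTP/1.1" 200 1234
"""

# ip, ident, user, [timestamp], "METHOD path proto", status, bytes
LOG_RE = re.compile(r'^(\S+) \S+ (\S+) \[[^\]]+\] "(\S+) (\S+) \S+" (\d{3}) \S+$')


def parse_line(line):
    """Parse one common-log-format line into a dict, or None if it does not match."""
    m = LOG_RE.match(line)
    if not m:
        return None
    ip, user, method, path, status = m.groups()
    return {"ip": ip, "user": user, "method": method, "path": path, "status": int(status)}


def analyze(log_text, guess_threshold=3):
    """Return findings as tuples: credential guessing against the manager,
    a WAR deployment through the manager, and JSP requests after a deploy."""
    findings = []
    unauth = defaultdict(int)   # 401 responses on /manager/ per source IP
    deployed_by = set()         # IPs that completed a manager upload/deploy
    for raw in log_text.splitlines():
        rec = parse_line(raw)
        if rec is None:
            continue
        on_manager = rec["path"].startswith("/manager/")
        if on_manager and rec["status"] == 401:
            unauth[rec["ip"]] += 1
            if unauth[rec["ip"]] == guess_threshold:   # report once per IP
                findings.append(("manager_credential_guessing", rec["ip"]))
        is_deploy = on_manager and ("/upload" in rec["path"] or "/deploy" in rec["path"])
        if is_deploy and rec["method"] in ("POST", "PUT") and rec["status"] == 200:
            findings.append(("manager_war_deploy", rec["ip"], rec["user"]))
            deployed_by.add(rec["ip"])
        page = rec["path"].split("?", 1)[0].lower()
        if page.endswith(".jsp") and rec["ip"] in deployed_by:
            findings.append(("jsp_request_after_deploy", rec["ip"], rec["path"]))
    return findings
```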
Gathering Information – Windows XP Machine
We’ll begin by trying some basic scans, as previously, against our VM (Windows XP) machine at 192.168.56.103.
Looking at the highlighted results, we can determine that there are many open ports. So let’s focus on port 445. Using the nmap tool once more we’ll add a couple of parameters to discover a little bit more of the specific port.
-A: Aggressive; initiates many options at once such as version and script scanning. Use with caution.
-T (0-5): Timing options; determines how aggressive you want the scan to be.
-Pn: Stops the action of sending out a ping request.
-p: Only scan specified ports.
Identify network services – Exploit Vulnerable Backdoors
By reviewing the highlighted code closely we can see that port 445/tcp runs an SMB server. We can identify the OS environment on which the SMB server runs by typing:
As we can see, the SMB server runs on the Windows XP SP2 environment. So once more using Metasploit we’ll try to exploit it.
Conclusion
There are a lot of ways and things we can do to enumerate and exploit vulnerable web apps or services. This tutorial describes the basic things we can do to gather important information and exploit the most known vulnerable services using a couple of ways. The safest way is to try every parameter in a virtual environment before proceeding to run any of the above examples on real servers, with access authorized by the admin.
Source: