HackEire 2009

2. Aim of this Presentation
- Provide an overview of how we compromised this environment.
- Note that this is not the only way to compromise this environment.
- A number of other methods could result in the same compromise of the data.
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 2
3. The Scope
- The 'Bhratach' company has requested a full black-box test.
- This presence is hosted within the company and is connected to the company's internal corporate LAN.
- Testing covers the external DMZ and the internal LAN.
- Use any tools that you legally own to test this network.
- Identify any vulnerabilities in this environment.
4. The Reconnaissance
- Identify the network.
- Tools we used for reconnaissance:
  - Nmap
  - Nessus
6. NMAP
nmap -sT -vv -A 10.0.1.25
DNS server. The same flags are used for every host: -sT is a full TCP connect scan (no raw sockets needed), -vv is very verbose, and -A adds OS detection, service version detection, the default script scan and a traceroute.
7. NMAP
nmap -sT -vv -A 10.0.1.40
SMTP server
8. NMAP
nmap -sT -vv -A 10.0.1.50
Web server
9. Nessus
Nessus output for the web server
10. 10.0.1.25
DNS server
Zone transfer, then 'nmap -vv -A -iL ips.txt'. The zone transfer (AXFR) hands us every host the company's DNS knows about; the addresses go into ips.txt and are scanned in one run with -iL.
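The zone-transfer step above, as an added example that is not part of the IRISS deck: a small POSIX shell script that takes dig's AXFR output, keeps only the A records inside the agreed scope, writes ips.txt and emits the follow-up nmap command. The zone name bhratach.ie, the name server 10.0.1.25 as the AXFR source, the in-scope prefixes (10.0.1.0/24 and 10.0.2.0/24) and the sample zone contents are all assumptions made for the example.

```shell
#!/bin/sh
# Added example, not from the IRISS deck: turn the zone transfer into an nmap
# target list, keeping only hosts inside the agreed scope.
# Assumptions: the zone is bhratach.ie and the name server is 10.0.1.25 (the deck
# gives only the company name and the server IP); the in-scope ranges are the DMZ
# 10.0.1.0/24 and the internal LAN 10.0.2.0/24.
#
# On the engagement the data comes from:   dig axfr bhratach.ie @10.0.1.25 > axfr.txt
# Here a constructed sample in dig's output format stands in for axfr.txt.
AXFR_SAMPLE='bhratach.ie.         3600 IN SOA ns1.bhratach.ie. hostmaster.bhratach.ie. 2009111901 3600 900 604800 86400
bhratach.ie.         3600 IN NS  ns1.bhratach.ie.
ns1.bhratach.ie.     3600 IN A   10.0.1.25
mail.bhratach.ie.    3600 IN A   10.0.1.40
www.bhratach.ie.     3600 IN A   10.0.1.50
www2.bhratach.ie.    3600 IN A   10.0.1.50
db.bhratach.ie.      3600 IN A   10.0.2.75
offsite.bhratach.ie. 3600 IN A   192.0.2.10'

# In-scope IPv4 prefixes (assumption, see above).
SCOPE_RE='^10\.0\.[12]\.[0-9]+$'

# axfr_targets: stdin = dig AXFR output, stdout = unique in-scope addresses.
# Only A records are used; NS/MX/CNAME targets resolve to A records elsewhere in the zone.
axfr_targets() {
    awk '$4 == "A" { print $5 }' | grep -E "$SCOPE_RE" | sort -u
}

# out_of_scope: addresses the zone advertises that must not be scanned.
out_of_scope() {
    awk '$4 == "A" { print $5 }' | grep -Ev "$SCOPE_RE" | sort -u
}

# scan_cmd FILE: the deck's follow-up scan, saving output in all nmap formats.
scan_cmd() {
    echo "nmap -vv -A -iL $1 -oA zone_hosts"
}

printf '%s\n' "$AXFR_SAMPLE" | axfr_targets > ips.txt
echo "Out of scope, do not scan:"
printf '%s\n' "$AXFR_SAMPLE" | out_of_scope
scan_cmd ips.txt
```

A zone transfer is a scope trap as much as a discovery win: the zone often advertises hosted or third-party addresses (the 192.0.2.10 entry in the sample) that the engagement letter does not cover, so the filter runs before nmap does.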
11. 10.0.1.25
DNS server
enum -u 10.0.1.25 (SMB/NetBIOS enumeration of the Windows host: user names, shares and policy)
12. 10.0.1.25
Brute force the SMB accounts
hydra -t 1 -w 0 -l Lyray -p 1234 10.0.1.25 smbnt
(-l and -p give a single user name and password, so this run confirms one guessed credential rather than walking a wordlist; -t 1 keeps it to one connection at a time. Check the account lockout policy before pointing a real wordlist at SMB, or you lock out the accounts you want to use.)
13. 10.0.1.25
Identify any potential buffer overflow
Server vulnerable to MS08-067 (Server service RPC overflow, CVE-2008-4250)
14. 10.0.1.25
Exploiting the buffer overflow
Server vulnerable to MS08-067; the Server service runs as LocalSystem, so a successful exploit gives a SYSTEM shell
15. 10.0.1.25
Get a shell and transfer netcat to the box via FTP
16. 10.0.1.25
Transfer 'pwdump'
17. 10.0.1.25
Extract the new tools :)
18. 10.0.1.25
Set up a persistent netcat listener that serves a shell :)
19. 10.0.1.25
Connect to the listener via netcat from the attacker system
20. 10.0.1.25
Through netcat, we are now on 10.0.1.25 (left-hand side of the screenshot)
21. 10.0.1.25
Dumping the password hashes with pwdump
22. 10.0.1.25
Transferring the password dump back to the attacker system
23. 10.0.1.25
And the keyrings...
24. 10.0.1.25
Run 'John' (John the Ripper) on the password dump
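Before handing a pwdump file to John it pays to triage it: accounts with the empty-password NT hash need no cracking at all, and accounts that still carry an LM hash fall in minutes, while LM-less accounts need a real NT attack. The script below is an added example, not part of the IRISS deck; the pwdump lines are constructed and the hash values are illustrative, not the deck's dump. The two constants (the blank LM half and the empty NT hash) are well-known fixed values. words.txt is a placeholder for whatever wordlist you use.

```shell
#!/bin/sh
# Added example, not from the IRISS deck: triage a pwdump file before giving it to John,
# so the cheap wins (empty passwords, short LM-hashed passwords) come first.
# pwdump line format:  user:RID:LM_hash:NT_hash:::
# The sample below is constructed; the hashes are illustrative values, not the deck's dump.
PWDUMP_SAMPLE='Administrator:500:e52cac67419a9a224a3b108f3fa6cb6d:8846f7eaee8fb117ad06bdd830b7586c:::
Lyray:1001:b757bf5c0d87772faad3b435b51404ee:7ce21f17c0aee7fb9ceba532d0546ad6:::
svc_backup:1002:aad3b435b51404eeaad3b435b51404ee:31d6cfe0d16ae931b73c59d7e0c089c0:::
jdoe:1003:aad3b435b51404eeaad3b435b51404ee:5fd9bbe4b6e4f6e9d9c1d2b3a4f5e6d7:::'

BLANK_LM_HALF='aad3b435b51404ee'              # LM hash of an empty 7-byte half (constant)
EMPTY_NT='31d6cfe0d16ae931b73c59d7e0c089c0'   # NT hash of the empty password (constant)

# lm_triage: stdin = pwdump lines, stdout = user:verdict
#   empty-password  NT hash of "": log in with no password, nothing to crack
#   lm-short        LM second half blank: password is 1-7 chars, LM cracks in minutes
#   lm-full         both LM halves set: password is 8-14 chars, each half cracks separately
#   nt-only         LM not stored (LM disabled or password > 14 chars): NT crack only
lm_triage() {
    awk -F: -v blank="$BLANK_LM_HALF" -v empty="$EMPTY_NT" '
    NF >= 4 {
        lm = tolower($3); nt = tolower($4)
        if (nt == empty)                        v = "empty-password"
        else if (lm == (blank blank))           v = "nt-only"
        else if (substr(lm, 17, 16) == blank)   v = "lm-short"
        else                                    v = "lm-full"
        print $1 ":" v
    }'
}

# john_plan FILE: the cracking order. LM is case-insensitive, so a cracked LM password
# is only a case-toggle away from the NT password; run LM first, NT second.
# (words.txt is a placeholder for whatever wordlist you use.)
john_plan() {
    echo "john --format=LM $1"
    echo "john --format=NT --wordlist=words.txt --rules $1"
    echo "john --show --format=NT $1"
}

printf '%s\n' "$PWDUMP_SAMPLE" | lm_triage
john_plan pwdump.txt
```

The report should list the LM-storing accounts separately: on a 2009-era Windows server, "LM hashes still stored" is a finding independent of whether any password was cracked.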
25. 10.0.1.40
Using the compromised Lyray account
SSH to port 3456 with user name Lyray and password 1234: the Lyray/1234 credential from the Windows DNS server is reused on the Linux SMTP server.
26. 10.0.1.40
Identify the Linux kernel version
Use it to check for known kernel vulnerabilities (local privilege escalation)
27. 10.0.1.40
Look for the word 'exploit'
These have been left lying around by a careless sysadmin who was testing a patch
28. 10.0.1.40
Identify the exploit directory
These were installed by a previous attacker via FTP.
29. 10.0.1.40
Run the exploit
30. 10.0.1.40
FTP to your attacker system
31. 10.0.1.40
Upload the flags
Upload the flags with FTP, or use scp over port 3456 (encrypted, so preferable to FTP)
32. 10.0.1.40
Grab the password files
Upload the passwd and shadow files to the attacker system with FTP
33. 10.0.1.40
Get the 'willy' password
Merge passwd and shadow with John's 'unshadow' and crack the merged file.
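The unshadow step, as an added example that is not part of the IRISS deck: the script merges passwd and shadow the way John's unshadow does, then classifies each account by hash type so you know which John format you are about to run and which accounts are locked. The passwd and shadow contents are constructed; the hash strings are dummies in which only the "$id$" prefix is meaningful.

```shell
#!/bin/sh
# Added example, not from the IRISS deck: merge passwd+shadow the way John's
# "unshadow" does and classify each account before cracking. Sample files are
# constructed; the hash strings are dummies with only the "$id$" prefix meaningful.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
willy:x:1000:1000:Willy:/home/willy:/bin/bash
lyray:x:1001:1001:Lyray:/home/lyray:/bin/bash
backup:x:34:34:backup:/var/backups:/bin/sh
sshd:x:100:65534::/var/run/sshd:/usr/sbin/nologin'
SHADOW_SAMPLE='root:$1$Q9Xg7UzL$aB3dEfGhIjKlMnOpQrStU1:14567:0:99999:7:::
willy:$1$Ht2wPqRs$zYxWvUtSrQpOnMlKjIhGf0:14567:0:99999:7:::
lyray:$6$rounds=5000$saltsalt$LONGDUMMYSHA512CRYPTHASH:14567:0:99999:7:::
backup:*:14567:0:99999:7:::
sshd:!:14567:0:99999:7:::'

# merge_shadow PASSWD SHADOW: replace the "x" in passwd with the real hash (what unshadow does).
merge_shadow() {
    awk -F: 'BEGIN { OFS = ":" }
             NR == FNR { h[$1] = $2; next }
             { if ($1 in h) $2 = h[$1]; print }' "$2" "$1"
}

# hash_triage: stdin = merged lines, stdout = user:kind
hash_triage() {
    awk -F: '{
        h = $2
        if (h == "")                        k = "no-password"
        else if (h ~ /^[!*]/)               k = "locked"
        else if (h ~ /^\$1\$/)              k = "md5crypt"
        else if (h ~ /^\$5\$/)              k = "sha256crypt"
        else if (h ~ /^\$6\$/)              k = "sha512crypt"
        else if (h ~ /^\$2[abxy]?\$/)       k = "bcrypt"
        else if (length(h) == 13)           k = "descrypt"
        else                                k = "unknown"
        print $1 ":" k
    }'
}

printf '%s\n' "$PASSWD_SAMPLE" > passwd.sample
printf '%s\n' "$SHADOW_SAMPLE" > shadow.sample
merge_shadow passwd.sample shadow.sample > merged.sample
hash_triage < merged.sample

# Then, for the one account we want:
#   john --users=willy --single merged.sample
#   john --users=willy --wordlist=words.txt --rules merged.sample   (words.txt: your wordlist)
```

John loads one hash format per run, so a file that mixes md5crypt and sha512crypt accounts gets only the format it auto-detects first; pass --format= explicitly, or use --users= as above, when the account you care about is in the other group.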
34. 10.0.1.50
View the front page and its source code
35. 10.0.1.50
Nmap shows 'webadmin' up... what's there?
Look for the shell directory on port 10000 (the default Webmin port)
36. 10.0.1.50
Connect to the website
Enumerate the directories
37. 10.0.1.50
Shell vulnerability...
Create a user and SSH in as that user
38. 10.0.1.50
Or use the Metatron account to SSH in
cd into the directories and 'ls -la' them
39. 10.0.1.50
Transfer the flags, e.g. with WinSCP
40. 10.0.1.50
ifconfig -a
The interface list shows a second network, 10.0.2.0/24; the 4th flag and the 'pii' file must be on 10.0.2.75
41. 10.0.1.50
Identify the fourth server
Use arp to list the connected servers (the ARP cache only holds neighbours on the same segment that have exchanged traffic with this box)
42. 10.0.1.50
Port scan with netcat
SQL back-end? What's 3333? SMB/NetBIOS: file transfer?
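The two pivot steps above (read the ARP cache on 10.0.1.50, then port-scan the neighbour with nothing but netcat) as an added example, not code from the IRISS deck: the script parses "arp -an" output, builds the netcat sweep for each neighbour, and extracts the open ports from netcat's verbose output in both the nc-traditional and OpenBSD formats. The ARP entries, MAC addresses and netcat output are constructed; eth0/eth1 as the interface names is an assumption.

```shell
#!/bin/sh
# Added example, not from the IRISS deck: from the pivot box 10.0.1.50, list the
# neighbours its ARP cache already knows and build the netcat scan for each.
# Constructed "arp -an" output (Linux format); MACs and interface names are made up.
ARP_SAMPLE='? (10.0.2.1) at 00:50:56:c0:00:01 [ether] on eth1
? (10.0.2.75) at 00:0c:29:3f:a1:b2 [ether] on eth1
? (10.0.2.200) at <incomplete> on eth1
? (10.0.1.25) at 00:0c:29:11:22:33 [ether] on eth0'

# arp_neighbours [IFACE]: IPs with a resolved MAC, optionally only on one interface.
# "<incomplete>" entries are hosts that never answered and are dropped.
arp_neighbours() {
    iface=${1:-}
    awk -v want="$iface" '
        $4 != "<incomplete>" && (want == "" || $NF == want) {
            gsub(/[()]/, "", $2); print $2
        }'
}

# nc_scan_cmd HOST: port sweep with only netcat on the pivot
# (-n: no DNS, -v: report each port, -z: send no data, -w 1: one-second timeout).
nc_scan_cmd() {
    echo "nc -nvz -w 1 $1 1-1024"
}

# Constructed nc-traditional output for the sweep of 10.0.2.75.
NC_SAMPLE='(UNKNOWN) [10.0.2.75] 445 (microsoft-ds) open
(UNKNOWN) [10.0.2.75] 139 (netbios-ssn) open
(UNKNOWN) [10.0.2.75] 3333 (?) open
(UNKNOWN) [10.0.2.75] 1433 (ms-sql-s) open'

# nc_open_ports: stdin = "nc -v" output, stdout = open ports, numerically sorted.
# Handles both "[host] PORT (svc) open" (nc-traditional) and
# "Connection to host PORT port [tcp/svc] succeeded!" (OpenBSD nc).
nc_open_ports() {
    awk '/ open$/ { print $3 }  /succeeded!$/ { print $4 }' | sort -n
}

printf '%s\n' "$ARP_SAMPLE" | arp_neighbours eth1 | while read -r h; do nc_scan_cmd "$h"; done
printf '%s\n' "$NC_SAMPLE" | nc_open_ports
```

The ARP cache is a snapshot, not a host list: a quiet server that has not spoken to 10.0.1.50 recently is simply absent, which is why the deck follows up with tcpdump. A netcat sweep of 1024 ports at one second each is slow and noisy; on a pivot without nmap that is still the cheapest option, and the open 139/445 pair is what makes the SMB share route on the next slides possible.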
43. 10.0.1.50
tcpdump also shows something...
44. 10.0.1.50
As root, 'crontab -l'
Looks interesting...
45. 10.0.1.50
ps auwx | grep asriel
Looks interesting... (the grep command itself also appears in the output; ignore that line)
46. 10.0.2.75
Identify the shares on 10.0.2.75
Use a 'valid' account to enumerate them
47. 10.0.2.75
Connecting via the Asriel share...
Transfer the keyrings to 10.0.1.50 and from there to the attacker system via scp
48. 10.0.2.75
Asriel share?
50. 10.0.2.75
Transferring the final flag to 10.0.1.50...
55. Who is Andrew Wiles?
Fermat's Last Theorem
x^n + y^n ≠ z^n
for every integer n > 2
and all x, y, z ∈ ℤ with xyz ≠ 0