HackEire 2009
Uploaded by mark-hillick
Transcript of HackEire 2009
Page 1: HackEire 2009
by @markofu
http://www.hackeire.net @hackeire
Page 2: Aim of this Presentation
- Provide an overview of how we compromised this environment.
- Note this is not the only way that you can compromise this environment.
- There may be a number of methods that could result in the same compromise of data.
HackEire 2009, 19/11/2009, Copyright © 2009 IRISS, www.iriss.ie
Page 3: The Scope
- The ‘Bhratach’ company has requested a full black-box test.
- This presence is hosted within the company and is connected to the company's internal corporate LAN.
- Testing consists of the external DMZ and the internal LAN.
- Use any tools that you legally own to test this network.
- Identify any vulnerabilities within this environment.
Page 4: The Reconnaissance
- Identify the network.
- The tools that we used for reconnaissance:
  - NMAP
  - Nessus
Page 5: NMAP
Use ‘nmap -sP 10.0.1.0/23’ to ping-sweep the range.
Page 6: NMAP
DNS server: ‘nmap -sT -vv -A 10.0.1.25’
Page 7: NMAP
SMTP server: ‘nmap -sT -vv -A 10.0.1.40’
Page 8: NMAP
Web server: ‘nmap -sT -vv -A 10.0.1.50’
Page 9: Nessus
Nessus output for the web server
Page 10: 10.0.1.25 (DNS Server)
Zone transfer, then ‘nmap -vv -A -iL ips.txt’ against the addresses it returned
Page 11: 10.0.1.25 (DNS Server)
‘enum -u 10.0.1.25’
Page 12: 10.0.1.25
Brute force the SMB accounts
‘hydra -t 1 -w 0 -l Lyray -p 1234 10.0.1.25 smbnt’
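From the defender's side, the guessing run on this slide leaves a burst of failed network logons in the target's Security log. The following detector is an added example (not from the slides); the event export format, the source address 10.0.1.99 and the `admin` account are constructed for the sample.

```python
"""Flag SMB password guessing (the hydra run above) in exported Windows
Security events. Assumed line format (constructed for this example):
  <ISO time> <EventID> user=<name> src=<ip> type=<logon type>
4625 = failed logon, 4624 = success, type 3 = network logon (SMB)."""
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample: a burst of failures from one source, then a success.
SAMPLE_EVENTS = """\
2009-11-19T10:00:01 4625 user=Lyray src=10.0.1.99 type=3
2009-11-19T10:00:02 4625 user=Lyray src=10.0.1.99 type=3
2009-11-19T10:00:03 4625 user=Lyray src=10.0.1.99 type=3
2009-11-19T10:00:04 4625 user=Lyray src=10.0.1.99 type=3
2009-11-19T10:00:05 4625 user=Lyray src=10.0.1.99 type=3
2009-11-19T10:00:06 4624 user=Lyray src=10.0.1.99 type=3
2009-11-19T10:15:00 4625 user=admin src=10.0.1.7 type=3
2009-11-19T11:30:00 4624 user=admin src=10.0.1.7 type=3
"""

def parse_event(line):
    """Split one export line into (timestamp, event id, key/value fields)."""
    ts, event_id, *kv = line.split()
    fields = dict(pair.split("=", 1) for pair in kv)
    return datetime.fromisoformat(ts), int(event_id), fields

def find_guessing(text, threshold=5, window=timedelta(minutes=2)):
    """Return [(src, user, total_failures, success_after)] for every
    (source, user) pair with >= threshold failed network logons inside
    `window`; success_after is True if a 4624 for that pair followed the burst."""
    failures, successes = defaultdict(list), defaultdict(list)
    for line in text.splitlines():
        ts, eid, f = parse_event(line)
        if f.get("type") != "3":          # ignore interactive/service logons
            continue
        key = (f["src"], f["user"])
        if eid == 4625:
            failures[key].append(ts)
        elif eid == 4624:
            successes[key].append(ts)
    alerts = []
    for key, times in failures.items():
        times.sort()
        # Sliding window: any `threshold` consecutive failures within `window`.
        for i in range(len(times) - threshold + 1):
            if times[i + threshold - 1] - times[i] <= window:
                last_fail = times[i + threshold - 1]
                hit = any(s >= last_fail for s in successes.get(key, []))
                alerts.append((key[0], key[1], len(times), hit))
                break
    return alerts
```

A lone failure (the `admin` line) stays below the threshold, while the five-second burst followed by a success is exactly the pattern a single-password, single-thread hydra run produces.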
Page 13: 10.0.1.25
Identify any potential buffer overflow
Server vulnerable to the MS08-067 exploit
Page 14: 10.0.1.25
Exploiting the buffer overflow
Server vulnerable to the MS08-067 exploit
Page 15: 10.0.1.25
Get a shell and transfer netcat via FTP
Page 16: 10.0.1.25
Transfer ‘pwdump’
Page 17: 10.0.1.25
Extract the new tools :)
Page 18: 10.0.1.25
Setting up a persistent netcat listener
With a shell :)
Page 19: 10.0.1.25
Connect via netcat from the attacker system
Page 20: 10.0.1.25
Through netcat, now on 10.0.1.25 (see LHS)
Page 21: 10.0.1.25
Dumping the password file
Page 22: 10.0.1.25
Transferring the password dump
Page 23: 10.0.1.25
And the keyrings…
Page 24: 10.0.1.25
Use ‘John’ on the password dump
Page 25: 10.0.1.40
Using the compromised Lyray account
SSH to port 3456 using username Lyray, password 1234
Page 26: 10.0.1.40
Identify the Linux kernel
Use the version to identify whether there are known vulnerabilities in the kernel
Page 27: 10.0.1.40
Look for the word ‘exploit’
These have been left lying around by a careless sysadmin who was testing a patch.
Page 28: 10.0.1.40
Identify the exploit directory
These have been installed by a previous attacker via the FTP protocol.
Page 29: 10.0.1.40
Run the exploit
These have been installed by a previous attacker via the FTP protocol.
Page 30: 10.0.1.40
FTP to your attacker system
Page 31: 10.0.1.40
Upload the flags
Upload the flags using FTP, or use SCP over port 3456 (more secure).
Page 32: 10.0.1.40
Grab the password files
Upload the passwd and shadow files using FTP.
Page 33: 10.0.1.40
Get the ‘willy’ password
Use John's ‘unshadow’ to merge the passwd and shadow files, then run John on the result.
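What ‘unshadow’ actually does is a one-field merge, and the same merged view is what an administrator should audit before an attacker does. The code below is an added example (not from the slides or from John the Ripper): the passwd/shadow excerpts and the hash strings are constructed placeholders; only the user names ‘willy’ and ‘lyray’ come from the deck.

```python
"""Merge passwd and shadow the way John's `unshadow` does, then audit the
merged entries for what a defender cares about: empty passwords and legacy
hash types. Sample files are constructed; 'willy' and 'lyray' are the slide's
user names, the hashes are placeholders."""

# Constructed /etc/passwd and /etc/shadow excerpts (not from the target).
PASSWD = """\
root:x:0:0:root:/root:/bin/bash
willy:x:1001:1001:Willy:/home/willy:/bin/bash
lyray:x:1002:1002::/home/lyray:/bin/bash
svc:x:1003:1003::/var/svc:/sbin/nologin
"""
SHADOW = """\
root:$6$saltsalt$placeholderhash:14567:0:99999:7:::
willy:$1$abcdefgh$placeholderhash:14567:0:99999:7:::
lyray::14567:0:99999:7:::
svc:!:14567:0:99999:7:::
"""

HASH_TYPES = {"$1$": "md5crypt", "$2": "bcrypt", "$5$": "sha256crypt", "$6$": "sha512crypt"}
WEAK = {"md5crypt", "descrypt/unknown"}

def unshadow(passwd, shadow):
    """Return passwd lines with the 'x' in field 2 replaced by the shadow hash
    (field 2 of the matching shadow line); this is all `unshadow` does."""
    hashes = {}
    for line in shadow.splitlines():
        name, pw_hash, *_ = line.split(":")
        hashes[name] = pw_hash
    merged = []
    for line in passwd.splitlines():
        fields = line.split(":")
        fields[1] = hashes.get(fields[0], fields[1])
        merged.append(":".join(fields))
    return merged

def audit(merged):
    """Map each user to a finding: empty, locked, weak hash, or ok (algorithm)."""
    findings = {}
    for line in merged:
        user, pw_hash = line.split(":")[:2]
        if pw_hash == "":
            findings[user] = "empty password"
        elif pw_hash.startswith(("!", "*")):
            findings[user] = "locked"
        else:
            algo = next((n for p, n in HASH_TYPES.items() if pw_hash.startswith(p)),
                        "descrypt/unknown")      # no $id$ prefix: traditional DES crypt
            findings[user] = ("weak hash" if algo in WEAK else "ok") + f" ({algo})"
    return findings
```

An empty second field (‘lyray’ here) means a login with no password at all, which is why the merged file, not passwd alone, is what to check.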
Page 34: 10.0.1.50
View the front page and its source code
Page 35: 10.0.1.50
Nmap shows ‘webadmin’ up… what's there?
Look for the shell directory on port 10000
Page 36: 10.0.1.50
Connect to the website
Enumerate the directories
Page 37: 10.0.1.50
Shell vulnerability…
Create a user and SSH in as that user
Page 38: 10.0.1.50
Or use Metatron to SSH
cd into the directories and ‘ls -la’ them
Page 39: 10.0.1.50
Transfer the flags, e.g. with WinSCP
Page 40: 10.0.1.50
‘ifconfig -a’
The 4th flag and the ‘pii’ file must be on 10.0.2.75
Page 41: 10.0.1.50
Identify the fourth server
Use arp to list the connected servers
Page 42: 10.0.1.50
Port scan with netcat
SQL back-end? What's 3333? SMB, NetBIOS: transfer files?
Page 43: 10.0.1.50
tcpdump shows something also…
Page 44: 10.0.1.50
As root: ‘crontab -l’
Looks interesting…
Page 45: 10.0.1.50
‘ps auwx | grep asriel’
Looks interesting…
Page 46: 10.0.2.75
Identify shares on 10.0.2.75
Use a ‘valid’ account to enumerate them
Page 47: 10.0.2.75
Connecting via the Asriel share…
Transfer the keyrings to 10.0.1.50 and from there to the attacker system via scp
Page 48: 10.0.2.75
Asriel share?
Transfer the keyrings to 10.0.1.50 and from there to the attacker system via scp
Page 49: 10.0.2.75
Temp share… remember the ‘Competitor Pack’
Transfer the keyrings to 10.0.1.50 and from there to the attacker system via scp
Page 50: 10.0.2.75
Transferring the final flag to 10.0.1.50…
Page 51: 10.0.2.75
Scheduled netcat listener on port 3333
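The ‘crontab -l’ and ‘ps’ checks on pages 44 and 45, and the scheduled listener on port 3333 above, are exactly what a host review should catch. The audit below is an added example (not from the slides): it parses crontab output for listener tools and for jobs launched from temp or hidden paths; the sample crontab, the /tmp path and the shell flags are constructed, and only port 3333 comes from the deck.

```python
"""Audit `crontab -l` output for scheduled listeners like the netcat job on
port 3333 in the final slides. Sample crontab is constructed; 3333 is from
the slides, the /tmp path and the other jobs are illustrative."""
import shlex

# Constructed crontab output: two benign jobs, one listener, one hidden script.
SAMPLE_CRONTAB = """\
# m h dom mon dow command
0 3 * * * /usr/bin/find /var/tmp -mtime +7 -delete
*/5 * * * * /bin/nc -l -p 3333 -e /bin/sh
@reboot /tmp/.x/listen.sh
30 2 * * 1 /usr/local/bin/backup.sh --quiet
"""

LISTENER_TOOLS = {"nc", "netcat", "ncat", "socat"}
LISTEN_FLAGS = {"-l", "-lp", "-lvp", "-L"}   # -L: Windows netcat's persistent listen
EXEC_FLAGS = {"-e", "-c"}                     # netcat hands the connection a program
SUSPECT_DIRS = ("/tmp/", "/var/tmp/", "/dev/shm/")

def split_entry(line):
    """Return (schedule, command) for one crontab entry, None for comments/blank."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    if line.startswith("@"):                  # @reboot, @daily, ...
        sched, _, cmd = line.partition(" ")
        return sched, cmd
    fields = line.split(None, 5)
    return (" ".join(fields[:5]), fields[5]) if len(fields) == 6 else None

def audit_crontab(text):
    """Return [(schedule, command, [reasons])] for every suspicious entry."""
    findings = []
    for line in text.splitlines():
        entry = split_entry(line)
        if entry is None:
            continue
        sched, cmd = entry
        argv = shlex.split(cmd)
        tool = argv[0].rsplit("/", 1)[-1]
        reasons = []
        if tool in LISTENER_TOOLS and LISTEN_FLAGS & set(argv):
            port = next((a for a in argv[1:] if a.isdigit()), "?")
            reasons.append(f"scheduled listener on port {port}")
            if EXEC_FLAGS & set(argv):
                reasons.append("hands the connection a shell")
        if argv[0].startswith(SUSPECT_DIRS) or "/." in argv[0]:
            reasons.append("runs from a temp or hidden path")
        if reasons:
            findings.append((sched, cmd, reasons))
    return findings
```

Run it over every user's crontab plus /etc/cron.d, since the listener in the slides was found from root's crontab, not the compromised user's.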
Page 52: Decryption
Page 53: What am I?
Running pii.csv
Page 54: Decode me?
Hydan…
Page 55: Who is Andrew Wiles?
x^n + y^n ≠ z^n where n is an integer > 2 and x, y, z ∈ ℤ
Fermat’s Last Theorem