Friday, November 09, 2012

Lab 2 De-ICE v1.0 (1.100)

Information Gathering




Service Enumeration

Based on the picture, I found 2 hosts: 192.168.1.20, which is my IP, and 192.168.1.100, which is the target's IP. I also found some open ports, such as FTP (but the FTP is broken), SSH, SMTP, HTTP, POP3, and IMAP, and some vulnerabilities in PHP, etc.

Vulnerability Assessment

So I tried to use Exploit-DB to search for an exploit for the vulnerability, and I found 1 exploit for SSH 4.3, but it did not work to get into the system.


And I've also tried to enter through FTP, but it did not work, because the FTP is broken.


Then, open the web page to get more information.


Exploit

On the web page, I found some names, so I will try to make a list of users and use it to brute force the SSH. Here I use hydra to brute force the SSH service.




I found a username and password for SSH.
Then I entered the system using user bbanter and password bbanter via SSH.
I tried to see /etc/shadow, but because I'm not root I had a problem with the permissions, so I tried /etc/passwd to see the users.




I found some users and saved them. Then I will brute force the SSH using hydra again to gain higher permissions, because as user bbanter I can't do many things.
Then save the output. Here I found the password nostradamus for user aadams.



Try to connect via SSH again using aadams and password nostradamus.
Then I try to see /etc/shadow.



Then, crack the password using JtR.



Here I found the password tarot for root, so I gained high access.


Up to here I have successfully gained high access (root). But according to the hint on the web page, we have to get the CEO's bank account information.


Friday, November 02, 2012

Memory Forensic

First, run some processes on Windows.




After that I will exploit Windows via the software WarFTP using Metasploit, so open Metasploit
and search for warftp.
Here I use warftpd_165_user, then show options to see what we should fill in...



Then set RPORT and PAYLOAD.
Here I use the payload meterpreter bind tcp.


Then choose the target and exploit it.



After we got the meterpreter, type ps to see the processes....



So it's time to capture the memory on Windows.
Here I use Forensic Toolkit (FTK) Imager,
then capture the memory.



And after we capture the memory, copy it into BackTrack in the folder /var/www/ptk/images/

Then run the Volatility tool or the PTK tool (on the menu Forensics --> RAM Forensics Tools --> PTK), whichever you want.
Here I use the Volatility tool, then use the plugin pslist to see the processes.


So we can see all processes that are running on Win XP (such as firefox, cmd, warftp, mmplayer, vuplayer, taskmanager, etc.)

Then, try to check the connections.



Based on the picture above, we can see that there are some connections, including a remote connection from IP 192.168.56.1 via port 4444. So we can conclude that there was a computer with IP 192.168.56.1 that was remotely controlling the computer via port 4444.
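The same triage done in code, as an added example that is not from the original post: join Volatility's pslist and connections output on PID so each connection shows its owning process, and flag any endpoint on a watch-list port (4444, the port seen above). The two sample outputs are constructed and only approximate the real plugin layout; the functions and the port watch list are assumptions of this example.

```python
# Added example (not from the original post): triage Volatility 2 'pslist' and
# 'connections' output for a Windows XP image by joining each connection to its
# owning process and flagging any endpoint on a watch-list port (4444 is the
# port seen in the post). The two samples below are CONSTRUCTED and only
# approximate the real plugin layout; the parser keys on column positions.

PSLIST_SAMPLE = """\
Offset(V)  Name                 PID    PPID   Thds   Hnds
---------- -------------------- ------ ------ ------ ------
0x823c89c8 System               4      0      53     240
0x81f9a020 war-ftpd.exe         1584   1204   5      102
0x81e7c3b0 firefox.exe          1920   1204   22     510
"""

CONNECTIONS_SAMPLE = """\
Offset(V)  Local Address             Remote Address            Pid
---------- ------------------------- ------------------------- ---
0x81f2a0e0 192.168.56.101:4444       192.168.56.1:1179         1584
0x81e1b5f8 192.168.56.101:1051       93.184.216.34:80          1920
"""

def _rows(text):
    """Yield whitespace-split rows, skipping the header and separator lines."""
    for line in text.splitlines():
        fields = line.split()
        if not fields or fields[0].startswith(("Offset", "---")):
            continue
        yield fields

def parse_pslist(text):
    """Map PID -> process name from pslist output."""
    return {int(f[2]): f[1] for f in _rows(text)}

def parse_connections(text):
    """Return (local, remote, pid) tuples from connections output."""
    return [(f[1], f[2], int(f[3])) for f in _rows(text)]

def port_of(endpoint):
    """Port number of an 'ip:port' endpoint string."""
    return int(endpoint.rsplit(":", 1)[1])

def flag_suspicious(pslist_text, conn_text, watch_ports=frozenset({4444})):
    """Join connections to processes and flag any endpoint on a watched port.
    Returns (pid, process name, local, remote) for each hit."""
    names = parse_pslist(pslist_text)
    hits = []
    for local, remote, pid in parse_connections(conn_text):
        if watch_ports & {port_of(local), port_of(remote)}:
            hits.append((pid, names.get(pid, "<unknown pid>"), local, remote))
    return hits

if __name__ == "__main__":
    for pid, name, local, remote in flag_suspicious(PSLIST_SAMPLE, CONNECTIONS_SAMPLE):
        print(f"pid {pid} ({name}): {local} <-> {remote}")
```

Tying the flagged connection back to war-ftpd.exe is what turns "a connection on 4444" into "the FTP service was the foothold", which is the conclusion the pslist and connections screenshots support.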