| field | value | date |
|---|---|---|
| author | mo khan <mo@mokhan.ca> | 2016-02-12 08:38:26 -0700 |
| committer | mo khan <mo@mokhan.ca> | 2016-02-12 08:38:26 -0700 |
| commit | 9fc7e6c1cc5754bec8a508102f07a7d569820374 | |
| tree | deb3d4bc7ac7846f24b93deb83f7a8b78a0ba58d | |
| parent | fee17d55dc762ac93f95ade689b7616de3cca023 | |
complete recon.
| mode | file | lines changed |
|---|---|---|
| -rw-r--r-- | report/hosts.csv | 20 |
| -rw-r--r-- | report/ports.csv | 64 |
| -rw-r--r-- | report/template.tex | 108 |
3 files changed, 134 insertions, 58 deletions
diff --git a/report/hosts.csv b/report/hosts.csv index 88fd0c9..9f5d4a7 100644 --- a/report/hosts.csv +++ b/report/hosts.csv @@ -1,10 +1,10 @@ -ip address,hostname -10.2.1.1,metasploitable.sait230.ca -10.2.1.2,websecdojo.sait230.ca -10.2.1.3,ultimatelamp.sait230.ca -10.2.1.4,samurai.sait230.ca -10.2.1.5,nessus.sait230.ca -10.2.1.6,tomcat-apache.sait230.ca -10.2.1.7,dvwa.sait230.ca -10.2.1.8,bwa.sait230.ca -10.2.1.30,bt5r3-was.sait230.ca +ip address,hostname,operating system +10.2.1.1,metasploitable.sait230.ca,Linux 2.6.x +10.2.1.2,websecdojo.sait230.ca,Linux 2.6.x +10.2.1.3,ultimatelamp.sait230.ca,Linux 2.6.x +10.2.1.4,samurai.sait230.ca,Linux 2.6.x +10.2.1.5,nessus.sait230.ca,Linux 2.6.x +10.2.1.6,tomcat-apache.sait230.ca,Linux 2.6.x +10.2.1.7,dvwa.sait230.ca,Linux 2.6.x +10.2.1.8,bwa.sait230.ca,Linux 2.6.x +10.2.1.30,bt5r3-was.sait230.ca,Linux 2.6.x diff --git a/report/ports.csv b/report/ports.csv index b77c106..2f4e5eb 100644 --- a/report/ports.csv +++ b/report/ports.csv 
@@ -1,32 +1,32 @@ -HOST,PORT,SERVICE,VERSION -bwa,139,netbios-ssn,Samba smbd 3.X (workgroup: WORKGROUP) -bwa,143,imap,Courier Imapd (released 2008) -bwa,22,ssh,OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0) -bwa,445,netbios-ssn,Samba smbd 3.X (workgroup: WORKGROUP) -bwa,5001,ovm-manager,Oracle VM Manager -bwa,8080,http,Apache Tomcat/Coyote JSP engine 1.1 -metasploitable,1099,rmiregistry,GNU Classpath grmiregistry -metasploitable,111,rpcbind,(rpcbind V2) 2 (rpc 100000) -metasploitable,139,netbios-ssn,Samba smbd 3.X (workgroup: WORKGROUP) -metasploitable,1524,, -metasploitable,2049,nfs,(nfs V2-4) -metasploitable,21,ftp,vsftpd 2.3.4 -metasploitable,2121,ftp,ProFTPD 1.3.1 -metasploitable,22,ssh,OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) -metasploitable,23,telnet,Linux telnetd -metasploitable,25,smtp,Postfix smtpd -metasploitable,3306,mysql,MySQL 5.0.51a-3ubuntu5 -metasploitable,445,netbios-ssn,Samba smbd 3.X (workgroup: WORKGROUP) -metasploitable,512,, -metasploitable,513,, -metasploitable,514,tcpwrapped, -metasploitable,53,domain,ISC BIND 9.4.2 -metasploitable,5432,postgresql,PostgreSQL DB 8.3.0 - 8.3.7 -metasploitable,5900,vnc,VNC (protocol 3.3) -metasploitable,6000,X11, -metasploitable,6667,irc,Unreal ircd -metasploitable,80,http,Apache httpd 2.2.8 ((Ubuntu) DAV/2) -tomcat-apache,22,ssh,OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0) -tomcat-apache,443,ssl/http,Apache httpd 2.2.16 ((Debian)) -tomcat-apache,80,http,Apache httpd 2.2.16 ((Debian)) -ultimatelamp,80,http,Apache httpd 2.0.54 ((Ubuntu) PHP/5.0.5-2ubuntu1.2) +Hostname,IP,PORT,SERVICE,VERSION +bwa,10.2.1.8,139,netbios-ssn,Samba smbd 3.X (workgroup: WORKGROUP) +bwa,10.2.1.8,143,imap,Courier Imapd (released 2008) +bwa,10.2.1.8,22,ssh,OpenSSH 5.3p1 Debian 3ubuntu4 (protocol 2.0) +bwa,10.2.1.8,445,netbios-ssn,Samba smbd 3.X (workgroup: WORKGROUP) +bwa,10.2.1.8,5001,ovm-manager,Oracle VM Manager +bwa,10.2.1.8,8080,http,Apache Tomcat/Coyote JSP engine 1.1 +metasploitable,10.2.1.1,1099,rmiregistry,GNU Classpath 
grmiregistry +metasploitable,10.2.1.1,111,rpcbind,(rpcbind V2) 2 (rpc 100000) +metasploitable,10.2.1.1,139,netbios-ssn,Samba smbd 3.X (workgroup: WORKGROUP) +metasploitable,10.2.1.1,1524,, +metasploitable,10.2.1.1,2049,nfs,(nfs V2-4) +metasploitable,10.2.1.1,21,ftp,vsftpd 2.3.4 +metasploitable,10.2.1.1,2121,ftp,ProFTPD 1.3.1 +metasploitable,10.2.1.1,22,ssh,OpenSSH 4.7p1 Debian 8ubuntu1 (protocol 2.0) +metasploitable,10.2.1.1,23,telnet,Linux telnetd +metasploitable,10.2.1.1,25,smtp,Postfix smtpd +metasploitable,10.2.1.1,3306,mysql,MySQL 5.0.51a-3ubuntu5 +metasploitable,10.2.1.1,445,netbios-ssn,Samba smbd 3.X (workgroup: WORKGROUP) +metasploitable,10.2.1.1,512,, +metasploitable,10.2.1.1,513,, +metasploitable,10.2.1.1,514,tcpwrapped, +metasploitable,10.2.1.1,53,domain,ISC BIND 9.4.2 +metasploitable,10.2.1.1,5432,postgresql,PostgreSQL DB 8.3.0 - 8.3.7 +metasploitable,10.2.1.1,5900,vnc,VNC (protocol 3.3) +metasploitable,10.2.1.1,6000,X11, +metasploitable,10.2.1.1,6667,irc,Unreal ircd +metasploitable,10.2.1.1,80,http,Apache httpd 2.2.8 ((Ubuntu) DAV/2) +tomcat-apache,10.2.1.6,22,ssh,OpenSSH 5.5p1 Debian 6+squeeze2 (protocol 2.0) +tomcat-apache,10.2.1.6,443,ssl/http,Apache httpd 2.2.16 ((Debian)) +tomcat-apache,10.2.1.6,80,http,Apache httpd 2.2.16 ((Debian)) +ultimatelamp,10.2.1.3,80,http,Apache httpd 2.0.54 ((Ubuntu) PHP/5.0.5-2ubuntu1.2) diff --git a/report/template.tex b/report/template.tex index bdc755c..da296ff 100644 --- a/report/template.tex +++ b/report/template.tex 
@@ -62,22 +62,92 @@ Some more text. Even more text. -\newpage -\section{Attack Narrative} -\subsection{Wordpress Exploitation} -\subsection{Wordpress Plugin Unintended File Type Upload} -\subsection{Linux Local Privilege Escalation} -\subsection{Maintaining Access to Compromised Webserver} -\subsection{Vulnerable Splunk Installation} -\subsection{Domain Privilege Escalation} -\subsection{Attacker Control of Archmake Transactions} +%\newpage +%\section{Attack Narrative} +%\subsection{Wordpress Exploitation} +%\subsection{Wordpress Plugin Unintended File Type Upload} +%\subsection{Linux Local Privilege Escalation} +%\subsection{Maintaining Access to Compromised Webserver} +%\subsection{Vulnerable Splunk Installation} +%\subsection{Domain Privilege Escalation} +%\subsection{Attacker Control of Archmake Transactions} \newpage \section{Recon} \subsection{Information} + +In order to get an understanding of what hosts are active on the network the first step +I took was to find out what ip address the DHCP server assigned to my backtrack host using +ifconfig\footnote{\label{ifconfig}ifconfig -- configure network interface parameters} + +\begin{lstlisting}[language=Bash, firstline=1, lastline=3] +root@bt-was:~/# ifconfig eth0 +eth0 Link encap:Ethernet HWaddr 00:0c:29:4b:5c:be + inet addr:10.2.1.30 Bcast:10.2.1.31 Mask:255.255.255.224 + inet6 addr: fe80::20c:29ff:fe4b:5cbe/64 Scope:Link + UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1 + RX packets:472581 errors:0 dropped:0 overruns:0 frame:0 + TX packets:435725 errors:0 dropped:0 overruns:0 carrier:0 + collisions:0 txqueuelen:1000 + RX bytes:258604722 (258.6 MB) TX bytes:92862199 (92.8 MB) + Interrupt:19 Base address:0x2000 +\end{lstlisting} + \subsubsection{DNS} -List out entries found in the /etc/hosts file. +I used nmap\footnote{\label{nmap}nmap - Network exploration tool and security / port scanner} +to do a ping sweep of the active hosts in the +10.2.1.0/24 CIDR range. 
+ +\begin{lstlisting}[language=Bash, firstline=1, lastline=1] +root@bt-was:~/scans# nmap -sP 10.2.1.0/24 + +Starting Nmap 6.01 ( http://nmap.org ) at 2016-02-12 09:51 EST +Nmap scan report for metasploitable.sait230.ca (10.2.1.1) +Host is up (0.00029s latency). +MAC Address: 00:0C:29:B8:82:E1 (VMware) +Nmap scan report for websecdojo.sait230.ca (10.2.1.2) +Host is up (0.00027s latency). +MAC Address: 00:0C:29:2A:C8:AF (VMware) +Nmap scan report for ultimatelamp.sait230.ca (10.2.1.3) +Host is up (0.00016s latency). +MAC Address: 00:0C:29:23:94:3C (VMware) +Nmap scan report for samurai.sait230.ca (10.2.1.4) +Host is up (0.00038s latency). +MAC Address: 00:0C:29:A9:4F:36 (VMware) +Nmap scan report for nessus.sait230.ca (10.2.1.5) +Host is up (0.00022s latency). +MAC Address: 00:0C:29:90:C9:6F (VMware) +Nmap scan report for tomcat-apache.sait230.ca (10.2.1.6) +Host is up (0.00015s latency). +MAC Address: 00:0C:29:72:36:2B (VMware) +Nmap scan report for bwa.sait230.ca (10.2.1.8) +Host is up (0.00028s latency). +MAC Address: 00:0C:29:4C:6D:F9 (VMware) +Nmap scan report for bt5r3-was.sait230.ca (10.2.1.30) +Host is up. +nexthost: failed to determine route to 10.2.1.32 +QUITTING! +\end{lstlisting} + +In total I discovered 9 active hosts on the network. All hosts were +located in the 10.2.1.0/24 subnet. + +Next, I used fping\footnote{\label{fping}fping - fping - send ICMP ECHO\_REQUEST packets to network hosts} +to make sure these hosts were active on the network + +\begin{lstlisting} +root@bt-was:~/scans# fping 10.2.1.1 10.2.1.2 10.2.1.3 10.2.1.4 10.2.1.5 10.2.1.6 10.2.1.8 +10.2.1.1 is alive +10.2.1.2 is alive +10.2.1.3 is alive +10.2.1.4 is alive +10.2.1.5 is alive +10.2.1.6 is alive +10.2.1.8 is alive +\end{lstlisting} + +\csvautotabular{hosts.csv} \subsubsection{IP Ranges} 
@@ -91,18 +161,19 @@ Use genlist to generate a list of ip addresses found. \subsection{Diagrams and spreadsheets} \subsection{Tools} -* nikto -* sqlmap -* wget -R -* httpprint +* nmap +* ifconfig \newpage \section{Mapping} -\subsection{Open Ports} -\subsection{Service version} +\subsection{Open Ports/Services} + +Below is a list of open ports and services running. This list was put together using nmap. \csvautotabular{ports.csv} +\newpage + \noindent The following command : \begin{lstlisting}[language=bash] $ nmap -sV localhost @@ -131,6 +202,11 @@ Nmap done: 1 IP address (1 host up) scanned in 8.78 seconds \subsection{Vulnerabilities for ultimatelamp.sait230.ca} \subsection{Tools} +* nikto +* sqlmap +* wget -R +* httpprint + \newpage \section{Exploitation} \subsection{Exploits for metasploitable.sait230.ca} |
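Review bot: in the hosts.csv hunk, every host in the new `operating system` column, including the scanner's own bt5r3-was host and the nessus appliance, is recorded with the identical value `Linux 2.6.x`, and nothing in this commit shows where that came from: the only scan added to template.tex is the `nmap -sP` ping sweep, which does no OS fingerprinting. Either reference the OS-detection scan that produced these fingerprints in the Recon section, or leave the field empty for hosts that were not fingerprinted, so the report does not present a guess as an observed fact.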
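Review bot: in the ports.csv hunk, the new header `Hostname,IP,PORT,SERVICE,VERSION` mixes title case with upper case and puts the hostname before the IP, while hosts.csv in the same commit uses lower-case `ip address,hostname,operating system` with the IP first; both files are rendered with `\csvautotabular`, so the header text appears verbatim in the report, and one casing and column order should be used for both. The table also still covers only four of the nine hosts in hosts.csv (bwa, metasploitable, tomcat-apache, ultimatelamp): websecdojo, samurai, nessus and dvwa have no port rows, and three metasploitable rows (ports 1524, 512 and 513) have empty SERVICE and VERSION fields, which the Mapping text should either explain as unidentified services or fill in.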
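Review bot: in the first template.tex hunk (`@@ -62,22 +62,92 @@`), the figures in the new Recon text do not agree with the listings beside them. The `ifconfig` output shows `Mask:255.255.255.224` and `Bcast:10.2.1.31`, i.e. a /27, yet the prose and the sweep use `10.2.1.0/24`, which is exactly why the scan ends with `nexthost: failed to determine route to 10.2.1.32` and `QUITTING!`; describe and scan 10.2.1.0/27 instead. The sweep output lists eight hosts (10.2.1.1 through .6, .8 and .30, with no report for 10.2.1.7), but the text says "9 active hosts", and the fping confirmation is run against only seven addresses; reconcile the count and state where dvwa (10.2.1.7) from hosts.csv was observed. Smaller points: `lastline=1` on the nmap listing would hide the scan report that the following sentence relies on; the fping footnote repeats `fping -`; and the sentences ending in `ifconfig\footnote{...}` and `active on the network` are missing their full stops.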
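Review bot: in the second template.tex hunk (`@@ -91,18 +161,19 @@`), the new sentence "This list was put together using nmap" is followed by a listing whose command is `nmap -sV localhost`, a scan of the scanning host itself rather than of any target, so the report never shows the command that actually produced ports.csv; replace that example with the version-detection run against the hosts in the table so a reader can reproduce it. Also, the Recon tools list now reads only `nmap` and `ifconfig`, but fping is used in the Recon section added in the previous hunk and should be listed as well.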
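Review bot: in the third template.tex hunk (`@@ -131,6 +202,11 @@`), `httpprint` in the relocated tools list is most likely the web server fingerprinting tool `httprint` (one p); the misspelling is carried over from the old Recon list and is worth fixing while the list moves.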
