:: vBspiders Professional Network ::


NEVER HaCKEr 07-23-2009 01:46 AM

Hacking with Metasploit, with the walkthrough by the foreign hacker


Peace, mercy and blessings of God be upon you

First

All rights belong to the foreign hacker

I wanted to repost it so that my brothers in ethical hacking may benefit

Of course, one of the requirements for the hack is

having BackTrack installed

In the name of God, and with God's blessing

Part 1: Set up and configure an unpatched Windows XP machine using VMware.

  • An XPup virtual machine folder, which contains the virtual hard drive files and configuration files, was created for you in your public_html/vmware/ directory on bilbo.uccs.edu.
  • We will use VMware Server on bilbo.uccs.edu to configure and run these virtual machines. You access VMware Server on bilbo using the VMware Server client console application. You can download the VMware Server client console software from vmware.com (http://vmware.com/download/server/). Select the VMware Server Windows client package if you are running a Windows system, or the VMware Server Linux client package if you are running a Linux system. Click the "Binary" link in the right column to start the download.
http://cs.uccs.edu/%7Ecs591/hw/hw2/v...entPackage.png

Note that most major software package download sites will post the md5sum of the download file, which allows the user to double-check whether the downloaded image is complete. You can use a utility such as md5summer to regenerate the md5sum and compare it with the one posted.

http://cs.uccs.edu/%7Ecs591/hw/hw2/md5summer.png

You can also run the md5sum command in a Unix shell, such as cygwin in the attached example.

$ cd "C:\work\software\vmware"

chow@EN186-01 /cygdrive/c/work/software/vmware
$ md5sum VMware-server-installer-1.0.7-108231.exe
2e2ee5ebe08ae48eac5e661cad01acf6 *VMware-server-installer-1.0.7-108231.exe

2e2ee5ebe08ae48eac5e661cad01acf6
12345678901234567890123456789012

  • 32 hexadecimal digits: 4bit each --> 4*32=128 bits.
    MD5sum is 128 bits.
  • Start the VMware Server client console on the EN138 PCs or on your laptop. Click "Connect to Host". Enter the server (bilbo.uccs.edu) and the account info (your ufp account name).
http://cs.uccs.edu/%7Ecs591/hw/hw2/v...nectToHost.png

On the Home tab, select "Open existing virtual machine". Click the Browse button and select the XPup.vmx configuration file in /home/<your login>/public_html/vmware/xpup.

http://cs.uccs.edu/%7Ecs591/hw/hw2/selectVM.png

  • You will see a chow_XPup label show up in the left-side Inventory panel. There could be other chow_xpup labels; yours should be at the bottom of the list. You can also check the right panel to see whether the configuration file is in your /home/<login> directory.
  • In the left-side Inventory panel, change the label of the virtual machine from chow_XPup to <login>_XPup, where <login> is your ufp login name. Note that this changes the tab and name on the right panel as well.
http://cs.uccs.edu/%7Ecs591/hw/hw2/v...hangeLabel.png


  • Click "start this virtual machine" button to start the virtual machine.
  • Select the "create new UUID" option for the virtual machine, so that virtual machines started from the same copy of the XPup image are assigned different peripheral IDs/addresses, such as the Ethernet MAC address.
http://cs.uccs.edu/%7Ecs591/hw/hw2/createNewID.png

  • After XPup has started, enter hack078 as the username and hack078 as the password.
  • Bring up the Network Connections applet (Start | Control Panel | Network Connections). Change Local Area Connections 4 and 5 to the above IP addresses. For Chris Anderson: 10.0.37.2 with netmask 255.0.0.0 for Local Area Connection 4; 172.16.37.2 with netmask 255.255.0.0 for Local Area Connection 5.
    • Click Local Area Connection 4. Click the "Properties" button. Click/highlight "Internet Protocol (TCP/IP)", then click the "Properties" button. This should bring up the Internet Protocol (TCP/IP) Properties dialog window.
    • Change the IP address, Subnet mask, and Preferred DNS server as follows.

http://cs.uccs.edu/%7Ecs591/hw/hw2/setTCP_IP.png


  • Click OK and Close buttons to conclude the settings.
  • Repeat for Local Network Connections 5.
http://cs.uccs.edu/%7Ecs591/hw/hw2/s...onnection5.png

Use ping to see whether you can reach 10.0.0.1 or 172.16.0.1.

http://cs.uccs.edu/%7Ecs591/hw/hw2/pingResults.png

  • From bilbo, see if you can ping the two IP addresses.
    [canders2@bilbo ~]$ ping 10.0.37.2
    PING 10.0.37.2 (10.0.37.2) 56(84) bytes of data.
    64 bytes from 10.0.37.2: icmp_seq=1 ttl=128 time=0.370 ms
    64 bytes from 10.0.37.2: icmp_seq=2 ttl=128 time=0.156 ms
    64 bytes from 10.0.37.2: icmp_seq=3 ttl=128 time=0.184 ms
    ^C
    --- 10.0.37.2 ping statistics ---
    3 packets transmitted, 3 received, 0% packet loss, time 2581ms
    rtt min/avg/max/mdev = 0.156/0.236/0.370/0.096 ms
    [canders2@bilbo ~]$ ping 172.16.37.2
    PING 172.16.37.2 (172.16.37.2) 56(84) bytes of data.
    64 bytes from 172.16.37.2: icmp_seq=1 ttl=128 time=0.282 ms
    64 bytes from 172.16.37.2: icmp_seq=2 ttl=128 time=0.145 ms
    ^C
    --- 172.16.37.2 ping statistics ---
    2 packets transmitted, 2 received, 0% packet loss, time 1717ms
    rtt min/avg/max/mdev = 0.145/0.213/0.282/0.070 ms
  • The ping results confirm that the network interfaces are connected properly.
  • Submit the bilbo ping results as your Part 1 deliverable of hw2.

Part 2: Using Metasploit Framework 3 in BackTrack 3 to penetrate XPup.

In this exercise, we will learn how Metasploit Framework 3 can be used to penetrate the unpatched XP machine we just set up.
  • "BackTrack is the most top-rated Linux live distribution focused on penetration testing. With no installation whatsoever, the analysis platform is started directly from the CD-ROM and is fully accessible within minutes. It evolved from the merge of the two widespread distributions, Whax and Auditor Security Collection. By joining forces and replacing these distributions, BackTrack has gained massive popularity and was voted in 2006 as the #1 Security Live Distribution by insecure.org. Security professionals as well as newcomers are using BackTrack as their favorite toolset all over the globe."
  • A copy of the recent bt3-final.iso is available in ~cs591/public_html/iso for our Part 2 exercise.
  • http://www.remote-exploit.org/backtrack.html
  • To learn more about Metasploit Framework 3.1, study its user guide.
  • Studying how to create new exploits or payloads for the Metasploit Framework could be an excellent semester project.

Set up a VMware virtual machine to run the BackTrack LiveCD.
  • From the Home tab of the VMware Server console, click the "New Virtual Machine" icon to create a new virtual machine for running the BackTrack LiveCD, which contains popular security tools.
  • Click "Next". Select the "Custom" option for the virtual machine configuration. Click "Next".
  • Choose "Linux" as the Guest Operating System. In the Version section, select "Other Linux".
http://cs.uccs.edu/%7Ecs591/hw/hw2/selectOS.png



Enter <login>_bt3 as the virtual machine name. Set the location to /home/<login>/public_html/vmware. Create a subdirectory bt3 under vmware, then select bt3 as the folder that will contain all files related to the virtual machine. Click "Next".


http://cs.uccs.edu/%7Ecs591/hw/hw2/nameVMLocation.png
http://cs.uccs.edu/%7Ecs591/hw/hw2/nameVMLocation1.png

Uncheck "Make this virtual machine private". With the private setting, others, including me, would not be able to see the console images. For education purposes, we uncheck this setting and allow anyone with bilbo access to share-view the console images remotely. Click "Next".



http://cs.uccs.edu/%7Ecs591/hw/hw2/setAccessRight.png

  • On Startup/Shutdown Options, select the defaults: on host startup, "Don't power on virtual machine"; on host shutdown, "Power off virtual machine". Click "Next".
  • On Processor Configuration, select "One" for the number of processors. This allows the virtual machine to run on older machines with a single processor.
  • On Memory for the Virtual Machine, enter 256MB. Note that all virtual machines share the same main memory. It is therefore important to suspend virtual machines when they are not in use and to configure the right amount of main memory for each virtual machine, since we have 20 students sharing the same 32GB of memory on bilbo. You may also want to use the other Windows hosts set up for you to spread the load.
http://cs.uccs.edu/%7Ecs591/hw/hw2/vmMemory.png

On Network Type, select "Use Bridged Networking" as the default for connecting the first Network Interface Card. The setting can be changed dynamically later.
  • Use bridged networking to assign an external IP address to the NIC and connect to the external network through the NIC of the host machine. This allows outside machines to communicate with the virtual machine. This external IP address is different from those configured on the host NIC.
  • Use network address translation (NAT) to share the host NIC for access to the external network. It allows the virtual machine to hide behind the host NIC with a private LAN address; outside machines cannot communicate directly with the virtual machine. It is a good idea to use NAT during the initial configuration and software update period, to avoid being hacked while the software is still not up to date. This option is served by VMnet8.
  • Use host-only networking when the virtual machine does not need to communicate directly with the external network, or runs dangerous software. All virtual machines on the same host-only network can communicate among themselves and with the host. By default, this option is served by VMnet1.
  • From the host machine, you can run ifconfig (Linux) or ipconfig (Windows) to find out the subnet and the gateway IP address (on the host) associated with each VMnet.
http://cs.uccs.edu/%7Ecs591/hw/hw2/vmNetType.png

  • On Select I/O Adapter Types, choose the default option "BusLogic". Click "Next".
  • On Select a Disk, choose the default option "Create a new virtual disk". Click "Next".
  • On Select a Disk Type, choose the default option "SCSI (Recommended)". Click "Next".
  • On Specify Disk Capacity, choose the default 8 GB size, uncheck "Allocate all disk space now". Check "Split disk into 2 GB files."
  • http://cs.uccs.edu/%7Ecs591/hw/hw2/s...skCapacity.png

  • Make sure "Allocate all disk space now" is unchecked. This allows the virtual machine to grow its disk usage without committing all the disk space right away, so we can host more virtual machines within the limited 350GB of disk storage.
  • On Specify Disk File, choose the default "Other Linux vmdk". Click Finish.
  • We should see the canders2_bt3 label show up on the left panel.
  • Now let's add two additional network interface cards so that the bt3 virtual machine can communicate with the XPup virtual machine.
    • Click "Edit Virtual machine settings" on the right panel of the bt3 virtual machine.
    • On Virtual Machine Settings, Click "Add".
  • http://cs.uccs.edu/%7Ecs591/hw/hw2/vmSettings.png

  • The Add Hardware Wizard appears. Click "Next".
  • On Hardware Type, Select "Ethernet Adapter". Click "Next".
http://cs.uccs.edu/%7Ecs591/hw/hw2/setHardwareType.png

Choose "Host-only" as network type. Click "Finish".


http://cs.uccs.edu/%7Ecs591/hw/hw2/addHWNetworkType.png

Repeat the above process to add the 3rd NIC with the "Custom" network type and choose /dev/vmnet2 as the specific virtual network.


http://cs.uccs.edu/%7Ecs591/hw/hw2/a...tworkType2.png

Your final Virtual Machine Settings should look as follows:


http://cs.uccs.edu/%7Ecs591/hw/hw2/vmSettingFinal.png

Click "CD-ROM" device. Choose Use ISO image option and specify path /home/cs591/public_html/iso/bt3-final.iso which contains the iso image.


http://cs.uccs.edu/%7Ecs591/hw/hw2/s...D-ROMImage.png

Click Start to boot the bt3 live CD.


http://cs.uccs.edu/%7Ecs591/hw/hw2/b...Framework3.png

  • Click the KDE start icon and select the Backtrack | Penetration | Framework Version 3 | Framework3-Msfweb menu item.
  • A console window shows the progress of the Metasploit Framework web interface (msfweb).

http://cs.uccs.edu/%7Ecs591/hw/hw2/msfwebShell.png

Click "Options" in the bottom right of the browser window and select "Allow http://127.0.0.1:55555" to enable script execution.


http://cs.uccs.edu/%7Ecs591/hw/hw2/msfwebconsole.png

First select the "Exploits" tab on the web page. It shows a search text box for entering keyword or name of exploits.



http://cs.uccs.edu/%7Ecs591/hw/hw2/m...chExploits.png

We are using a well-known Windows XP exploit called Microsoft RPC DCOM Interface Overflow. You can type in "RPC DCOM" or just scroll down the list of exploits, which is arranged in alphabetical order.


http://cs.uccs.edu/%7Ecs591/hw/hw2/m...oitRPCDCOM.png

Click on the label of the exploit. It will ask for the payload type.


http://cs.uccs.edu/%7Ecs591/hw/hw2/m...loadTypes1.png

http://cs.uccs.edu/%7Ecs591/hw/hw2/m...loadTypes2.png

http://cs.uccs.edu/%7Ecs591/hw/hw2/m...loadTypes3.png

http://cs.uccs.edu/%7Ecs591/hw/hw2/m...loadTypes4.png

This brings up the dialog box for specifying the detailed parameters of the exploit.
Make sure you replace the pass and user with hack<Last three digits of your SID>.



http://cs.uccs.edu/%7Ecs591/hw/hw2/m...Parameter1.png

http://cs.uccs.edu/%7Ecs591/hw/hw2/m...Parameter2.png

http://cs.uccs.edu/%7Ecs591/hw/hw2/m...Parameter3.png

http://cs.uccs.edu/%7Ecs591/hw/hw2/m...Parameter4.png

Enter RHOST which will be 10.0.<your designated subnet>.2 for your XPup.



http://cs.uccs.edu/%7Ecs591/hw/hw2/m...serExploit.png

To prove that the exploit works, we log in to XPup with Hack<last 3 digits of your SID> and examine the User Accounts applet to see whether an account hack<last three digits of your SID> was created there.


http://cs.uccs.edu/%7Ecs591/hw/hw2/m...untCreated.png

Next we select the same vulnerability but with a different payload. This payload will inject VNC.dll, set up a TightVNC viewer, and launch a Metasploit courtesy shell on the victim.


http://cs.uccs.edu/%7Ecs591/hw/hw2/m...arameters1.png

http://cs.uccs.edu/%7Ecs591/hw/hw2/m...arameters3.png

http://cs.uccs.edu/%7Ecs591/hw/hw2/m...arameters4.png

Click the Launch Exploit button. The following shows the progress of the exploit.


http://cs.uccs.edu/%7Ecs591/hw/hw2/m...ctExploit1.png

The TightVNC viewer will appear with the courtesy shell.



http://cs.uccs.edu/%7Ecs591/hw/hw2/m...rtesyShell.png

Take a snapshot of the courtesy shell image. Create a text file named hack<last 3 digits of SID> using notepad.exe.
Save the images of the TightVNC screen with the courtesy shell and of the User Accounts dialog showing that a new account was established on XPup in your cs591/images directory, and submit the URLs of these two images as the Part 2 deliverable of your hw2.



=============================

This thread is dedicated to the heroes of ethical hacking


V!URS_HaCKEr
ClaW
العقرب الأسود
مستر نسر
DOoM
ابوبدر

And to everyone in general; I hope I haven't forgotten anyone, and if I have, excuse me and forgive me, guys.

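The md5sum check from Part 1, worked as an added example that is not part of the original homework or of this post: it parses a vendor's md5sum line in the same `digest *filename` shape as the cygwin session above, checks that the digest really is 32 hex digits (128 bits), hashes the downloaded file in chunks, and compares in constant time. The file names, contents and the truncated copy in `demo()` are constructed for the demonstration.

```python
import hashlib
import hmac
import os
import tempfile

MD5_HEX_LEN = 32  # 32 hex digits * 4 bits each = 128 bits, as the post works out

def parse_md5sum_line(line):
    """Split one md5sum output line into (digest, filename).

    md5sum prints "<digest>  <name>" in text mode and "<digest> *<name>" in
    binary mode (the '*' seen in the post's cygwin session).
    """
    digest, _, name = line.strip().partition(" ")
    name = name.lstrip(" ")
    if name.startswith("*"):
        name = name[1:]
    if len(digest) != MD5_HEX_LEN or not all(c in "0123456789abcdefABCDEF" for c in digest):
        raise ValueError("not a %d-bit MD5 digest: %r" % (MD5_HEX_LEN * 4, digest))
    return digest.lower(), name

def md5_of_file(path, chunk_size=1 << 20):
    """Hash a large installer in chunks instead of reading it into memory at once."""
    h = hashlib.md5()
    with open(path, "rb") as f:
        for chunk in iter(lambda: f.read(chunk_size), b""):
            h.update(chunk)
    return h.hexdigest()

def verify_download(path, published_line):
    """True if the file matches the vendor's md5sum line.

    A match shows the download is complete and uncorrupted. MD5 is collision-broken,
    so it is not proof that the file is what the vendor meant to publish.
    """
    expected, _ = parse_md5sum_line(published_line)
    # constant-time compare so the mismatch position is not leaked via timing
    return hmac.compare_digest(expected, md5_of_file(path))

def demo():
    """Constructed demo: a tiny file stands in for the installer, plus a truncated copy."""
    with tempfile.TemporaryDirectory() as d:
        good, bad = os.path.join(d, "installer.exe"), os.path.join(d, "installer-cut.exe")
        with open(good, "wb") as f:
            f.write(b"abc")
        with open(bad, "wb") as f:
            f.write(b"ab")  # download stopped one byte short
        line = "900150983cd24fb0d6963f7d28e17f72 *installer.exe"  # well-known MD5("abc")
        return verify_download(good, line), verify_download(bad, line)
```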

nuootn 07-23-2009 06:09 AM

Well done, dear, on the wonderful thread; accept my passing by.

ابو بدر 07-23-2009 01:47 PM

Thank you very much, brother, for the wonderful thread; it deserves a rating.
Thanks for the repost.
Peace.

عصام-محمد 07-25-2009 12:11 AM

May God bless you.

LAV4 07-25-2009 10:54 AM

Thank you so much for the effort,
even though I didn't understand it very well.

ziko90 07-26-2009 04:00 AM

Thank you, brother, for the wonderful thread.

IbN Al3RaQ 07-26-2009 09:09 PM

Thank you very much, well done.

Regards

DON'T CRY 08-05-2009 07:41 PM

By God, this is a topic that truly needs some deep thinking.
Well done, brother, and may God bless you.

zilda 09-06-2009 04:27 AM

Thank you, my dear brother.

ziko90 09-07-2009 03:13 AM

May God bless you.

وائل الكرخي 09-07-2009 08:18 PM

Thank you, a distinguished thread.

hacker.lil 10-01-2009 09:55 PM

Thank you, my friend, for the thread.

moh07nono 10-16-2009 03:06 AM

May God bless you.

punisher77 02-05-2010 06:48 AM

Good thread, but vmware is large and not free, so I prefer virtualbox: easy to use and small, 56 mb. And when using Metasploit, I advise using the shell; it is faster and better, in my humble opinion.

shapola 02-07-2010 09:12 PM

Thank you, brother.

