The document summarizes how a hacker compromised an environment through reconnaissance and exploitation. It describes how the hacker used Nmap and Nessus to identify hosts, found vulnerabilities like buffer overflows and weak passwords, exploited them to gain access to internal servers, escalated privileges by cracking password hashes, and ultimately retrieved sensitive files and flags from the last server.

1. HackEire 2009
by @markofu
http://www.hackeire.net @hackeire

2. Aim of this Presentation
Ø Provide overview of how we compromised this
Environment.
Ø Note this is not the only way that you can
compromise this environment.
Ø There may be a number of methods that could
result in the same compromise of Data.
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 2

3. The Scope
Ø The ‘Bhratach’ company has requested a full
Black-Box test.
Ø This presence is hosted within the company and
is connected to the company's internal corporate
LAN.
Ø Testing consists of the external DMZ and Internal
LAN.
Ø Use any tools that you legally own to test this
network.
Ø Identify any vulnerabilities with this environment?
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 3

4. The Reconnaissance
Ø Identify the Network.
Ø The tools that we used for Reconnaissance:
§ NMAP
§ Nessus
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 4

5. NMAP
Ø Use NMAP –sP 10.0.1.0/23
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 5

6. NMAP
Nmap –sT –vv –A 10.0.1.25
DNS Server
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 6

7. NMAP
Nmap –sT –vv –A 10.0.1.40
SMTP Server
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 7

8. NMAP
Nmap –sT –vv –A 10.0.1.50
Web Server
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 8

9. Nessus
Nessus Output
Web Server
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 9

10. 10.0.1.25
DNS Server
Zone Transfer & then ‘nmap –vv –A –iL ips.txt’
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 10

11. 10.0.1.25
DNS Server
Enum –u 10.0.1.25
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 11

12. 10.0.1.25
Brute force the smb accounts
Hydra –t 1 –w 0 –l Lyray –p 1234 10.0.1.25 smbnt
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 12

13. 10.0.1.25
Identify any potential Buffer Overflow
Server vulnerable to MS 08-067 exploit
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 13

14. 10.0.1.25
Exploiting the Buffer Overflow
Server vulnerable to MS 08-067 exploit
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 14

15. 10.0.1.25
Get shell & transfer netcat via ftp
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 15

16. 10.0.1.25
Transfer ‘pwdump’
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 16

17. 10.0.1.25
Extract new tools J
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 17

18. 10.0.1.25
Setting up netcat persistent Listener
With a shell J
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 18

19. 10.0.1.25
Connect via Netcat from Attacker system
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 19

20. 10.0.1.25
Through netcat, now on 10.0.1.25 (see LHS)
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 20

21. 10.0.1.25
Dumping the password file
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 21

22. 10.0.1.25
Transferring the password dump
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 22

23. 10.0.1.25
And the keyrings…..
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 23

24. 10.0.1.25
Use ‘John’ on the Password Dump
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 24

25. 10.0.1.40
Using compromised Lyray account
SSH to 3456 using username Lyray password 1234
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 25

26. 10.0.1.40
Identify the Linux Kernel
Use this to identify if there are vulnerabilities with the Kernel
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 26

27. 10.0.1.40
Look for the word exploit
These have been left lying around by a careless sysadmin who was
testing a patch
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 27

28. 10.0.1.40
Identify the exploit directory
These have been installed by a previous attacker via the FTP protocol.
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 28

29. 10.0.1.40
Run the exploit
These have been installed by a previous attacker via the FTP protocol.
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 29

30. 10.0.1.40
FTP to your attacker system
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 30

31. 10.0.1.40
Upload the flags
Using FTP upload the Flags or you may use SCP over port 3456 (more secure)
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 31

32. 10.0.1.40
Grab the Password Files
Using FTP upload the passwd and shadow file
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 32

33. 10.0.1.40
Get the ‘willy’ password
Using John ‘unshadow’ the merged password file.
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 33

34. 10.0.1.50
View the front page and source code
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 34

35. 10.0.1.50
Nmap show ‘webadmin’ up…what’s there?
Look for the shell directory on port 10000
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 35

36. 10.0.1.50
Connect to the Website
Enumerate the directories
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 36

37. 10.0.1.50
Shell vulnerability….
Create a User & SSH on as that user
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 37

38. 10.0.1.50
Or use Metatron to SSH
Cd & ‘ls -la’ the directories
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 38

39. 10.0.1.50
Transfer the flags - e.g. Winscp
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 39

40. 10.0.1.50
ifconfig -a
4th flag & ‘pii’ file must be on 10.0.2.75
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 40

41. 10.0.1.50
Identify the fourth server
Use arp to get all connected servers
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 41

42. 10.0.1.50
Port scan with netcat
SQL back-end? What’s 3333? SMB,
netbios – transfer files?
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 42

43. 10.0.1.50
Tcpdump shows something also….
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 43

44. 10.0.1.50
As root - ‘crontab -l’
Looks interesting……
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 44

45. 10.0.1.50
Ps auwx |grep asriel
Looks interesting……
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 45

46. 10.0.2.75
Identify shares on 10.0.2.75
Use a ‘valid’ account to enumerate
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 46

47. 10.0.2.75
Connecting via Asriel Share….
Transfer the keyrings to 10.0.1.50 & from there to system via scp
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 47

48. 10.0.2.75
Asriel Share?
Transfer the keyrings to 10.0.1.50 & from there to system via scp
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 48

49. 10.0.2.75
Temp Share…remember ‘Competitor Pack’
Transfer the keyrings to 10.0.1.50 & from there to system via scp
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 49

50. 10.0.2.75
Transferring final flag to 10.0.1.50….
HackEire -2009 19/11/2009 Copyright © 2009 IRISS www.irissie 50

51. 10.0.2.75
Scheduled Netcat Listener on Port 3333

52. Decryption

53. What am I?
Running pii.csv

54. Decode me?
Hydan…..

55. Who is Andrew Wiles?
Fermat s Last Theorem
x^n + y^n ≠ z^n
where n is integer >2
& x,y,z Ε Ζ