Sunday, 9 January 2011

Introduction to Hacking Tools on Linux (part 1)

What you need for this article:
1. A Linux OS (preferably BackTrack 2, 3 or 4) or Trustix Secure Linux.
2. A pack of cigarettes
3. Snacks (peanuts, cake, chocolate, instant noodles, etc.)
4. A glass of coffee or milk.
Once everything is ready, let's get started!



Nmap
Nmap is one of the best-known port scanners on Linux; it is used to see which of the target's ports are open.
Below are several scan techniques with nmap:

- SYN scan (for an explanation of SYN, look up an article on the three-way handshake: SYN, ACK and FIN)
This scan method sends a SYN packet and expects an open port to answer with SYN/ACK; a sample run:

    nmap -sS 127.0.0.1

- OS detection with nmap
Example:

    nmap -O 127.0.0.1

- Ping scan
This scan sends an ICMP echo request to the target.
Example:

    nmap -sP 127.0.0.1

- UDP scan
To scan the target's UDP ports:

    nmap -sU 127.0.0.1

Example demo of a scan with traceroute info, daemon fingerprinting, OS guessing and a hop count check (-A):
[image]

Tcpdump

[image]

This is one of the best-known sniffers on Linux, used to monitor packet activity on the network.
To install tcpdump:

    sudo apt-get install tcpdump

To start tcpdump, type:

    tcpdump

Before we start sniffing, let's first list the network interfaces we can capture on with: tcpdump -D
Example:

    bt ~ # tcpdump -D
    1.eth0
    2.any (Pseudo-device that captures on all interfaces)
    3.lo
    bt ~ #

OK, let's go straight to practice by capturing packets via interface eth0.
Before starting tcpdump, for this example we first bind a port and listen on it with netcat, say port 3335:

    bt lampp # nc -l -p 3335 -vv
    listening on [any] 3335 ...

Next we run tcpdump to capture the traffic on port 3335 locally (the loopback address, on interface lo):

    tcpdump -vv -x -X -s 1500 -i lo 'port 3335'

OK, next, for the experiment we connect to localhost on port 3335:

    bt network # telnet localhost 3335
    Trying 127.0.0.1...
    Connected to localhost.
    Escape character is '^]'.

Type a string, for example: hacked by mywisdom

Now let's look at the plain text "hacked by mywisdom" that tcpdump captured:

[image]

    bt ~ # tcpdump -vv -x -X -s 1500 -i lo 'port 3335'
    tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 1500 bytes
    23:32:27.414840 IP (tos 0x0, ttl 64, id 62383, offset 0, flags [DF], proto TCP (6), length 71) localhost.3335 > localhost.55714: P, cksum 0xfe3b (incorrect (-> 0xa241), 628168326:628168345(19) ack 622312675 win 1024 <nop,nop,timestamp 2367948 2363206>
        0x0000: 4500 0047 f3af 4000 4006 48ff 7f00 0001 E..G..@.@.H.....
        0x0010: 7f00 0001 0d07 d9a2 2571 1686 2517 bce3 ........%q..%...
        0x0020: 8018 0400 fe3b 0000 0101 080a 0024 21cc .....;.......$!.
        0x0030: 0024 0f46 6861 636b 6564 2062 7920 6d79 .$.Fhacked.by.my
        0x0040: 7769 7364 6f6d 0a wisdom.
    23:32:27.414860 IP (tos 0x10, ttl 64, id 22880, offset 0, flags [DF], proto TCP (6), length 52) localhost.55714 > localhost.3335: ., cksum 0x2c2b (correct), 1:1(0) ack 19 win 1025 <nop,nop,timestamp 2367948 2367948>
        0x0000: 4510 0034 5960 4000 4006 e351 7f00 0001 E..4Y`@.@..Q....
        0x0010: 7f00 0001 d9a2 0d07 2517 bce3 2571 1699 ........%...%q..
        0x0020: 8010 0401 2c2b 0000 0101 080a 0024 21cc ....,+.......$!.
        0x0030: 0024 21cc .$!.
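To show exactly what the hex columns above contain, here is an added example (not from the original post) that parses tcpdump -x output back into bytes, walks the IPv4 and TCP headers using the IHL and data-offset fields, verifies the IP header checksum and extracts the payload. The embedded sample dump is copied from the capture above; the function names are my own.

```python
"""Rebuild packets from tcpdump -x output and extract the TCP payload (added example)."""
import re
import struct

# Constructed sample: the two loopback packets from the capture above (hex columns only).
SAMPLE_DUMP = """\
23:32:27.414840 IP localhost.3335 > localhost.55714: P, length 71
    0x0000:  4500 0047 f3af 4000 4006 48ff 7f00 0001  E..G..@.@.H.....
    0x0010:  7f00 0001 0d07 d9a2 2571 1686 2517 bce3  ........%q..%...
    0x0020:  8018 0400 fe3b 0000 0101 080a 0024 21cc  .....;.......$!.
    0x0030:  0024 0f46 6861 636b 6564 2062 7920 6d79  .$.Fhacked.by.my
    0x0040:  7769 7364 6f6d 0a                        wisdom.
23:32:27.414860 IP localhost.55714 > localhost.3335: ., length 52
    0x0000:  4510 0034 5960 4000 4006 e351 7f00 0001  E..4Y`@.@..Q....
    0x0010:  7f00 0001 d9a2 0d07 2517 bce3 2571 1699  ........%...%q..
    0x0020:  8010 0401 2c2b 0000 0101 080a 0024 21cc  ....,+.......$!.
    0x0030:  0024 21cc                                .$!.
"""
HEX_LINE = re.compile(r"^\s*0x[0-9a-fA-F]{4}:\s*(.*)$")
HEX_WORD = re.compile(r"^(?:[0-9a-f]{4}|[0-9a-f]{2})$")
TCP_FLAGS = ((1, "FIN"), (2, "SYN"), (4, "RST"), (8, "PSH"), (16, "ACK"), (32, "URG"))

def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over an even-length header; 0 means the embedded checksum is valid."""
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF

def split_packets(dump: str) -> list:
    """Concatenate the hex lines of each packet; any non-hex line starts a new packet."""
    packets, current = [], bytearray()
    for line in dump.splitlines():
        m = HEX_LINE.match(line)
        if m:
            for word in m.group(1).split()[:8]:   # at most 8 groups of 4 hex digits per line
                if not HEX_WORD.match(word):      # reached the ASCII column
                    break
                current += bytes.fromhex(word)
        elif current:
            packets.append(bytes(current))
            current = bytearray()
    if current:
        packets.append(bytes(current))
    return packets

def parse_ipv4_tcp(raw: bytes) -> dict:
    """Honour IHL and the TCP data offset so IP/TCP options do not shift the payload."""
    version_ihl, _tos, total_len = struct.unpack_from("!BBH", raw, 0)
    ihl = (version_ihl & 0x0F) * 4
    raw = raw[:total_len]                         # drop anything past the IP total length
    src_port, dst_port, _seq, _ack, off_flags = struct.unpack_from("!HHIIH", raw, ihl)
    data_off = (off_flags >> 12) * 4
    return {"src_port": src_port, "dst_port": dst_port,
            "flags": [name for bit, name in TCP_FLAGS if off_flags & bit],
            "ip_checksum_ok": raw[9] == 6 and inet_checksum(raw[:ihl]) == 0,
            "payload": raw[ihl + data_off:]}

def decode_dump(dump: str) -> list:
    return [parse_ipv4_tcp(pkt) for pkt in split_packets(dump)]
```

Running decode_dump(SAMPLE_DUMP) yields the PSH/ACK segment carrying b"hacked by mywisdom\n" in the clear, followed by the empty ACK from the telnet side.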

Snort
Snort is one of the better-known white-hat tools. What is Snort ("to sniff")? In short: Snort is an open source IDS (Intrusion Detection System) with several functions: packet sniffer and logger, and also an IPS (Intrusion Prevention System) mode.
It can be used to monitor network traffic, detect intrusions into a system and detect DoS and DDoS attacks.
Installing Snort and connecting it to mysqld:

    sudo apt-get install snort-mysql

Next we assume you have already written rules for Snort and that the Snort ELF binary is in /usr/local/bin. Then go to /etc/ and modify the file rc.local
so that Snort runs at startup, for example with this snort command:

    /usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort -Dde

This monitors network traffic on interface eth0 using the rules in the file /etc/snort/snort.conf.

Ettercap

[image]

A tool for sniffing, i.e. snooping, for fans of the "man in the middle attack" technique.
OK, we'll just use the CLI.

    ettercap -h

    ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA

    Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]

    TARGET is in the format MAC/IPs/PORTs (see the man for further detail)

    Sniffing and Attack options:
    -M, --mitm <METHOD:ARGS> perform a mitm attack
    -o, --only-mitm don't sniff, only perform the mitm attack
    -B, --bridge <IFACE> use bridged sniff (needs 2 ifaces)
    -p, --nopromisc do not put the iface in promisc mode
    -u, --unoffensive do not forward packets
    -r, --read <file> read data from pcapfile <file>
    -f, --pcapfilter <string> set the pcap filter <string>
    -R, --reversed use reversed TARGET matching
    -t, --proto <proto> sniff only this proto (default is all)

    User Interface Type:
    -T, --text use text only GUI
    -q, --quiet do not display packet contents
    -s, --script <CMD> issue these commands to the GUI
    -C, --curses use curses GUI
    -G, --gtk use GTK+ GUI
    -D, --daemon daemonize ettercap (no GUI)

    Logging options:
    -w, --write <file> write sniffed data to pcapfile <file>
    -L, --log <logfile> log all the traffic to this <logfile>
    -l, --log-info <logfile> log only passive infos to this <logfile>
    -m, --log-msg <logfile> log all the messages to this <logfile>
    -c, --compress use gzip compression on log files

    Visualization options:
    -d, --dns resolves ip addresses into hostnames
    -V, --visual <format> set the visualization format
    -e, --regex <regex> visualize only packets matching this regex
    -E, --ext-headers print extended header for every pck
    -Q, --superquiet do not display user and password

    General options:
    -i, --iface <iface> use this network interface
    -I, --iflist show all the network interfaces
    -n, --netmask <netmask> force this <netmask> on iface
    -P, --plugin <plugin> launch this <plugin>
    -F, --filter <file> load the filter <file> (content filter)
    -z, --silent do not perform the initial ARP scan
    -j, --load-hosts <file> load the hosts list from <file>
    -k, --save-hosts <file> save the hosts list to <file>
    -W, --wep-key <wkey> use this wep key to decrypt wifi packets
    -a, --config <config> use the alterative config file <config>

    Standard options:
    -U, --update updates the databases from ettercap website
    -v, --version prints the version and exit
    -h, --help this help screen

For example, to monitor our own network:

    ettercap -T

- DNS poisoning with ettercap:

Example:

    ettercap -TQM arp:remote -P dns_spoof

- Remote Browser plugin
Used to watch the web browsing activity of a target on the same subnet:

    ettercap -T -Q -M arp:remote -i eth0 /target_ip/ /gateway_ip/ -P remote_browser

Example of listing the IPs on a subnet with nmap:

    nmap -sS 111.94.8.*

Example of ettercap in use from the command line interface:
[image]

John the Ripper
To download John the Ripper, visit this site:

    http://www.openwall.com/john

This is everybody's old favourite tool for password cracking.
The easy way to use it:

    john file_password

For example, let's test it first:
[image]

Nikto
An open source web vulnerability scanner, free to download, written in the Perl programming language.

To use Nikto (go to the directory where you put the nikto.pl script, e.g. /pentest/web/nikto):

    bt nikto # pwd
    /pentest/web/nikto
    bt nikto # ./nikto.pl
    ---------------------------------------------------------------------------
    - Nikto 2.02/2.03 - cirt.net
    + ERROR: No host specified

    -Cgidirs+ scan these CGI dirs: 'none', 'all', or values like "/cgi/ /cgi-a/"
    -dbcheck check database and other key files for syntax errors (cannot be abbreviated)
    -evasion+ ids evasion technique
    -Format+ save file (-o) format
    -host+ target host
    -Help Extended help information
    -id+ host authentication to use, format is userid:password
    -mutate+ Guess additional file names
    -output+ write output to this file
    -port+ port to use (default 80)
    -Display+ turn on/off display outputs
    -ssl force ssl mode on port
    -Single Single request mode
    -timeout+ timeout (default 2 seconds)
    -Tuning+ scan tuning
    -update update databases and plugins from cirt.net (cannot be abbreviated)
    -Version print plugin and database versions
    -vhost+ virtual host (for Host header)
    + requires a value

The command I usually use to scan a target:

    ./nikto.pl -host target_web_anda.com

For example, scanning v4-team.com:

    bt nikto # ./nikto.pl -host v4-team.com
    ---------------------------------------------------------------------------
    - Nikto 2.02/2.03 - cirt.net
    + Target IP: 67.222.154.99
    + Target Hostname: v4-team.com
    + Target Port: 80
    + Start Time: 2010-02-09 1:31:01
    ---------------------------------------------------------------------------
    + Server: gws

[image]

Hydra

Hydra's function is similar to that of the program called Brutus on Microsoft Windows.

OK, this time we test its GUI for a dictionary attack against FTP locally;
set it up as in the image below (don't forget to start your FTP daemon so this test can run).

[image]

Then click the "Passwords" tab:

Suppose the target username is "mywisdom".
Then tick "Password list", because we will use a word list we have already prepared; in this
experiment we use a password file we placed in the /root directory.

[image]

Next click the Start tab, then the Start button at the bottom left, and we can see the result:
[image]

W3AF

http://sourceforge.net/projects/w3af/

w3af is a framework for auditing (pentesting) web applications with a variety of plugins. Below are the plugins we can use to penetrate a website:

    LDAPi Find LDAP injection bugs.
    + blindSqli Find blind SQL injection vulnerabilities.
    buffOverflow Find buffer overflow vulnerabilities.
    dav Tries to upload a file using HTTP PUT method.
    + fileUpload Uploads a file and then searches for the file inside all known directories.
    formatString Find format string vulnerabilities.
    + frontpage Tries to upload a file using frontpage extensions (author.dll).
    + generic Find all kind of bugs without using a fixed database of errors.
    globalRedirect Find scripts that redirect the browser to any site.
    htaccessMethods Find misconfigurations in the "<LIMIT>" configuration of Apache.
    localFileInclude Find local file inclusion vulnerabilities.
    mxInjection Find MX injection vulnerabilities.
    osCommanding Find OS Commanding vulnerabilities.
    phishingVector Find phishing vectors.
    preg_replace Find unsafe usage of PHPs preg_replace.
    + remoteFileInclude Find remote file inclusion vulnerabilities.
    responseSplitting Find response splitting vulnerabilities.
    sqli Find SQL injection bugs.
    ssi Find server side inclusion vulnerabilities.
    sslCertificate Check the SSL certificate validity( if https is being used ).
    unSSL Find out if secure content can also be fetched using http.
    xpath Find XPATH injection vulnerabilities.
    xsrf Find the easiest to exploit xsrf vulnerabilities.
    + xss Find cross site scripting vulnerabilities.
    xst Verify Cross Site Tracing vulnerabilities.

To enter the w3af console, go to the directory where you put your w3af ELF binary, e.g.
/pentest/web/w3af

and type:

    ./w3af

Example:

    bt w3af # pwd
    /pentest/web/w3af
    bt w3af # w3af
    w3af>>> help
    The following commands are available:
    help You are here. help [command] prints more specific help.
    http-settings Configure the URL opener.
    misc-settings Configure w3af misc settings.
    plugins Enable, disable and configure plugins.
    profiles List and start scan profiles.
    start Start site analysis.
    exploit Exploit a vulnerability.
    tools Enter the tools section.
    target Set the target URL.
    version Show the w3af version.
    exit Exit w3af.
    w3af>>>

Suppose we only want to audit, using all the plugins above:

    w3af>>> plugins
    w3af/plugins>>>audit all

Next type back:

    w3af/plugins>>> back
    w3af>>>

Then we set our target; type target:

    w3af>>> target
    w3af/target>>>

Suppose we set the target URL to http://jasakom.com

    w3af/target>>> set target http://jasakom.com
    w3af/target>>> back

To begin, type start:

    w3af/target>>> set target http://jasakom.com
    w3af/target>>> back
    w3af>>> start
    Auto-enabling plugin: grep.collectCookies
    Auto-enabling plugin: grep.httpAuthDetect
    Auto-enabling plugin: discovery.allowedMethods
    Auto-enabling plugin: discovery.serverHeader
    The Server header for this HTTP server is: Apache/2.2.4 (Ubuntu) mod_fastcgi/2.4.2
    x-powered-by header for this HTTP server is: PHP/5.2.3-1ubuntu6.4
    The methods: COPY, GET, HEAD, LOCK, MOVE, OPTIONS, POST, PROPFIND, PROPPATCH, TRACE, UNLOCK
    are enabled on the following URLs:
    - http://jasakom.com
    - http://jasakom.com/
    Found 4 URLs and 4 different points of injection.
    The list of URLs is:
    - http://jasakom.com
    - http://jasakom.com/login.php?s=d6514d349395c77080b8c60a4a5afe85&do=login
    - http://jasakom.com/search.php?do=process
    - http://jasakom.com/profile.php?do=dismissnotice
    The list of fuzzable requests is:

So here we go:
[image]

Vanish, wzap, zap, zap2, logzap2, uzapper

These are tools used for covering tracks. OK, let's first test vanish (http://217.125.24.22/vanish.c).
Say we first look at which users are logged in on our system by typing: who

    bt network # who
    root tty1 Feb 8 01:15
    root pts/0 Feb 8 01:16 (:0.0)
    root pts/1 Feb 8 01:19 (:0.0)
    root pts/2 Feb 8 01:22 (:0.0)
    root pts/3 Feb 8 01:27 (:0.0)
    root pts/4 Feb 8 01:28 (:0.0)
    root pts/5 Feb 8 02:02 (:0.0)
    bt network #

OK, let's try vanish:

    bt bd # ./vanish root localhost localhost

    utmp target processed.
    wtmp target processed.
    lastlog target processed.
    Processing /var/log/messages DONE.
    Processing /var/log/secure DONE.
    Processing /var/log/xferlog DONE.
    Processing /var/log/maillog DONE.
    Processing /var/log/warn Couldn't open /var/log/warn

    Processing /var/log/mail Couldn't open /var/log/mail

    Processing /var/log/httpd.access_log Couldn't open /var/log/httpd.access_log

    Processing /var/log/httpd.error_log Couldn't open /var/log/httpd.error_log

    mv: cannot stat `warn.hm': No such file or directory
    mv: cannot stat `mail.hm': No such file or directory
    mv: cannot stat `httpda.hm': No such file or directory
    mv: cannot stat `httpde.hm': No such file or directory

    V_A_N_I_S_H_E_D_!
    Your tracks have been removed
    Exiting programm !!

Then we check again whether the root user is still visible on the system:

    bt bd # who
    bt bd #

OK, no magic, no sorcery, abracadabra: the root user has vanished from view on the system. Note that everything the tool touched, as its own output shows, is a local file (utmp, wtmp, lastlog and the files under /var/log); copies of those events that were forwarded to a remote log server are not affected.
[image]

Dsniff
Dsniff is a fairly well-known packet sniffer on Linux. If I'm not mistaken there is also a build for Windows.
OK, to get started with dsniff let's first look at its options; type: dsniff -h

    bt nikto # dsniff -h
    Version: 2.4
    Usage: dsniff [-cdmn] [-i interface] [-s snaplen] [-f services]
    [-t trigger[,...]] [-r|-w savefile] [expression]
    bt nikto #

Fast-Track

A framework for website penetration written in the Python programming language.
Some of the features in Fast-Track:
- SQL injector
- SQL Bruter (usually used to brute-force the SA account on MS SQL Server)
- MS DOS remote shell payload
- Exploits:
1. HP OpenView Network Node Manager CGI Buffer Overflow
2. IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
3. HP OpenView NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow
- Metasploit autopwn

OK, this time we will use Fast-Track's web-based feature; go to the directory of your fast-track.py and type:

    ./fast-track.py -g

[image]

Next open your browser and enter:

    http://127.0.0.1:44444

The Fast-Track web interface:
[image]

Metasploit Framework

Metasploit is a framework containing a wide range of exploits and payloads.

    bt framework3 # ls
    README external/ lib/ msfcli* msfelfscan* msfmachscan* msfpescan* msfweb* tools/
    data/ framework3@ load.gif msfconsole* msfencode* msfopcode* msfrpc* plugins/
    documentation/ karma.rc modules/ msfd* msfgui* msfpayload* msfrpcd* scripts/
    bt framework3 #

It can be used in several modes: console, web-based, CLI and GUI.

This time we test console mode; type:

    ./msfconsole

    bt framework3 # ./msfconsole

    ## ### ## ##
    ## ## #### ###### #### ##### ##### ## #### ######
    ####### ## ## ## ## ## ## ## ## ## ## ### ##
    ####### ###### ## ##### #### ## ## ## ## ## ## ##
    ## # ## ## ## ## ## ## ##### ## ## ## ## ##
    ## ## #### ### ##### ##### ## #### #### #### ###
    ##

    =[ msf v3.3-dev
    + -- --=[ 294 exploits - 124 payloads
    + -- --=[ 17 encoders - 6 nops
    =[ 58 aux

    msf >

To see the commands available in this console, type help:

    msf > help

    Core Commands
    =============

    Command Description
    ------- -----------
    ? Help menu
    back Move back from the current context
    banner Display an awesome metasploit banner
    cd Change the current working directory
    connect Communicate with a host
    exit Exit the console
    help Help menu
    info Displays information about one or more module
    irb Drop into irb scripting mode
    jobs Displays and manages jobs
    load Load a framework plugin
    loadpath Searches for and loads modules from a path
    quit Exit the console
    resource Run the commands stored in a file
    route Route traffic through a session
    save Saves the active datastores
    search Searches module names and descriptions
    sessions Dump session listings and display information about sessions
    set Sets a variable to a value
    setg Sets a global variable to a value
    show Displays modules of a given type, or all modules
    sleep Do nothing for the specified number of seconds
    unload Unload a framework plugin
    unset Unsets one or more variables
    unsetg Unsets one or more global variables
    use Selects a module by name
    version Show the console library version number

    msf >

Example of using an auxiliary module:

    msf > use auxiliary/spoof/dns/bailiwicked_host
    msf auxiliary(bailiwicked_host) >

[image]

Sulley Fuzzing Framework

A framework for fuzzing applications (daemons included). Sulley can be downloaded from http://www.fuzzing.org
This tool helps you fuzz beyond what manual fuzzing allows.
