[b]Beberapa Tool-Tool Hacking di Linux[/b]
Penulis: mywisdom
tgl: 7 Februari 2010
Ada pepatah mengatakan bahwa jika tak kenal maka tak sayang, maka kali ini
kita akan coba mengenal tentang beberapa tool hacking yang umum dipakai di
linux.
Jika Anda tidak kenal siapa saya maka Anda tidak akan bisa sayang saya.
hehehe . Ok, langsung saja kita mulai.
Yang diperlukan dalam artikel kali ini:
1. OS Linux (sebaiknya backtrack 2 atau 3 atau 4) atau trustix secure
linux.
2. Sebungkus rokok
3. Camilan (kacang, kue, coklat, pop mie, dll)
4. Segelas kopi atau susu.
Kalau semua udah siap, mari kita langsung mulai !!!
[b]Nmap[/b]
Nmap merupakan salah satu port scanner yang terkenal di linux, berguna
melihat port-port target kita yang terbuka.
Berikut ini adalah beberapa teknik-teknik scan dengan nmap :
- Syn scan (untuk penjelasan syn silahkan cari artikel tentang three way
handsake: syn, ack dan fin)
Metode scan ini mengirimkan paket syn dengan harapan target mengirimkan
ack, mari kita lihat sample penggunaan:
[code]
nmap -sS 127.0.0.1
[/code]
- Mengecek OS dengan nmap
Contoh penggunaan:
[code]
nmap -O 127.0.0.1
[/code]
- Ping scan
Scanning ini akan mengirimkan icmp echo request ke target
Contoh penggunaan:
[code]
nmap -sP 127.0.0.1
[/code]
- UDP Scan
Untuk scanning port udp di target:
[code]
nmap -sU 127.0.0.1
[/code]
Contoh demo scanning dengan info traceroute,daemon fingerprinting,os
guessing dan cek jumlah lompatan hop (-A):
[img]http://www.fams-online.com/images/net1.jpg[/img]
[b]Tcpdump[/b]
Nah ini dia salah satu sniffer terkenal di linux Untuk memantau aktivitas
paket di jaringan.
Untuk menginstall tcpdump:
[code]
sudo apt-get install tcpdump
[/code]
Untuk mulai menjalankan tcpdump ketikkan:
[code]
tcpdump
[/code]
Sebelum mulai melakukan sniffing, kita lihat dulu network interface yang
bisa kita capture dengan: tcpdump -D
contoh:
[code]
bt ~ # tcpdump -D
1.eth0
2.any (Pseudo-device that captures on all interfaces)
3.lo
bt ~ #
[/code]
Ok mari kita langsung aja praktek dengan mengcapture paket 2 via interface
eth0.
Sebelum mulai tcpdump kita coba dulu bind port dan listen dengan netcat
untuk contoh, misal kita buka port 3333:
[code]
bt lampp # nc -l -p 3335 -vv
listening on [any] 3335 ...
[/code]
Selanjutnya kita coba jalankan tcpdump untuk capture lalu lintas di port
3335 secara lokal (loopback address dengan interface lo):
[code]
tcpdump -vv -x -X -s 1500 -i lo 'port 3335'
[/code]
Ok, selanjutnya untuk eksperimen kita coba koneksi ke localhost di port
3339:
[code]
bt network # telnet localhost 3335
Trying 127.0.0.1...
Connected to localhost.
Escape character is '^]'.
[/code]
ketikkan string misalnya: hacked by mywisdom
Ok mari kita lihat plain text : "hacked by mywisdom" tadi tercapture via
tcpdump :
[img]http://www.fams-online.com/images/net3.jpg[/img]
[code]
bt ~ # tcpdump -vv -x -X -s 1500 -i lo 'port 3335'
tcpdump: listening on lo, link-type EN10MB (Ethernet), capture size 1500
bytes
23:32:27.414840 IP (tos 0x0, ttl 64, id 62383, offset 0, flags [DF], proto
TCP (6), length 71) localhost.3335 > localhost.55714: P, cksum 0xfe3b
(incorrect (-> 0xa241), 628168326:628168345(19) ack 622312675 win 1024
0x0000: 4500 0047 f3af 4000 4006 48ff 7f00 0001 E..G..@.@.H.....
0x0010: 7f00 0001 0d07 d9a2 2571 1686 2517 bce3 ........%q..%...
0x0020: 8018 0400 fe3b 0000 0101 080a 0024 21cc .....;.......$!.
0x0030: 0024 0f46 6861 636b 6564 2062 7920 6d79 .$.Fhacked.by.my
0x0040: 7769 7364 6f6d 0a wisdom.
23:32:27.414860 IP (tos 0x10, ttl 64, id 22880, offset 0, flags [DF],
proto TCP (6), length 52) localhost.55714 > localhost.3335: ., cksum
0x2c2b (correct), 1:1(0) ack 19 win 1025
0x0000: 4510 0034 5960 4000 4006 e351 7f00 0001 E..4Y`@.@..Q....
0x0010: 7f00 0001 d9a2 0d07 2517 bce3 2571 1699 ........%...%q..
0x0020: 8010 0401 2c2b 0000 0101 080a 0024 21cc ....,+.......$!.
0x0030: 0024 21cc .$!.
[/code]
[b]Snort[/b]
Snort merupakan salah satu tool white hat hacker yang cukup terkenal.
Snort(mengendus) ini apa ya? hmmm ok singkatnya gini: snort adalah suatu
open source IDS (Intrusion Detection System) dengan beberapa fungsi: paket
sniffer dan log, dan juga sbg mode IPS (intrusion prevention system)
Bisa digunakan memantau lalu lintas jaringan, mendeteksi penyusupan ke
sistem dan mendeteksi adanya serangan DOS maupun DDOS.
Menginstal snort dan menghubungkan ke mysqld:
[code]
sudo apt-get install snort-mysql
[/code]
Selanjutnya kita anggap anda sudah membuat rule untuk snort di mana elf
binary snort ada di /usr/local/bin, Selanjutnya ke /etc/ lalu modifikasi
file: rc.local
Dan jalankan snort pada program start up misal perintah snort:
[code]
/usr/local/bin/snort -c /etc/snort/snort.conf -i eth0 -g snort -Dde
[/code]
Untuk memantau lalu lintas jaringan di interface eth0 dimana rulenya kita
gunakan file: /etc/snort/snort.conf
[b]Ettercap[/b]
Suatu tool untuk sniffing alias intip mengintip bagi para penggemar teknik
"Man in the middle attack".
Ok kita akan pakai yang cli aja yah.
[code]
ettercap -h
ettercap NG-0.7.3 copyright 2001-2004 ALoR & NaGA
Usage: ettercap [OPTIONS] [TARGET1] [TARGET2]
TARGET is in the format MAC/IPs/PORTs (see the man for further detail)
Sniffing and Attack options:
-M, --mitm perform a mitm attack
-o, --only-mitm don't sniff, only perform the mitm attack
-B, --bridge use bridged sniff (needs 2 ifaces)
-p, --nopromisc do not put the iface in promisc mode
-u, --unoffensive do not forward packets
-r, --read read data from pcapfile
-f, --pcapfilter set the pcap filter
-R, --reversed use reversed TARGET matching
-t, --proto sniff only this proto (default is all)
User Interface Type:
-T, --text use text only GUI
-q, --quiet do not display packet contents
-s, --script issue these commands to the GUI
-C, --curses use curses GUI
-G, --gtk use GTK+ GUI
-D, --daemon daemonize ettercap (no GUI)
Logging options:
-w, --write write sniffed data to pcapfile
-L, --log log all the traffic to this
-l, --log-info log only passive infos to this
-m, --log-msg log all the messages to this
-c, --compress use gzip compression on log files
Visualization options:
-d, --dns resolves ip addresses into hostnames
-V, --visual set the visualization format
-e, --regex visualize only packets matching this regex
-E, --ext-headers print extended header for every pck
-Q, --superquiet do not display user and password
General options:
-i, --iface use this network interface
-I, --iflist show all the network interfaces
-n, --netmask force this on iface
-P, --plugin launch this
-F, --filter load the filter (content filter)
-z, --silent do not perform the initial ARP scan
-j, --load-hosts load the hosts list from
-k, --save-hosts save the hosts list to
-W, --wep-key use this wep key to decrypt wifi packets
-a, --config use the alterative config file
Standard options:
-U, --update updates the databases from ettercap website
-v, --version prints the version and exit
-h, --help this help screen
[/code]
Ok misal kita tes untuk memantau jaringan kita:
[code]
ettercap -T
[/code]
-DNS Poisoning dengan ettercap:
Contoh penggunaan:
[code]
ettercap -TQM arp:remote -P dns_spoof
[/code]
- Plugin Remote Browser
digunakan untuk melihat aktivitas pengaksesan web target yang 1 subnet:
[code]
ettercap -T -Q -M arp:remote -i eth0 /target_ip/ /gateway_ip/ -P
remote_browser
[/code]
contoh untuk melihat ip-ip subnet dengan nmap:
[code]
nmap -sS 111.94.8.*
[/code]
Contoh tampilan penggunaan ettercap via command line interface:
[img]http://www.fams-online.com/images/net5.jpg[/img]
[b]John the ripper[/b]
Untuk mendownload john the ripper silahkan kunjungi web ini:
[code]
http://www.openwall.com/john
[/code]
Ini dia tool lama favorit kita semua untuk cracking password.
Cara gampang makenya:
[code]
john file_password
[/code]
[b]Nikto[/b]
Merupakan open source web vulnerability scanner yang bisa didownload
secara gratis yang dibuat dengan bahasa pemrograman perl.
Untuk menggunakan nikto (ke direktori di mana Anda menaruh skrip nikto.pl,
misal di: /pentest/web/nikto):
[code]
bt nikto # pwd
/pentest/web/nikto
bt nikto # ./nikto.pl
---------------------------------------------------------------------------
- Nikto 2.02/2.03 - cirt.net
+ ERROR: No host specified
-Cgidirs+ scan these CGI dirs: 'none', 'all', or
values like "/cgi/ /cgi-a/"
-dbcheck check database and other key files for
syntax errors (cannot be abbreviated)
-evasion+ ids evasion technique
-Format+ save file (-o) format
-host+ target host
-Help Extended help information
-id+ host authentication to use, format is
userid:password
-mutate+ Guess additional file names
-output+ write output to this file
-port+ port to use (default 80)
-Display+ turn on/off display outputs
-ssl force ssl mode on port
-Single Single request mode
-timeout+ timeout (default 2 seconds)
-Tuning+ scan tuning
-update update databases and plugins from cirt.net
(cannot be abbreviated)
-Version print plugin and database versions
-vhost+ virtual host (for Host header)
+ requires a value
[/code]
Perintah yang biasa saya pakai untuk scan target:
[code]
./nikto.pl -host target_web_anda.com
[/code]
Misal kita scan v4-team.com:
[code]
bt nikto # ./nikto.pl -host v4-team.com
---------------------------------------------------------------------------
- Nikto 2.02/2.03 - cirt.net
+ Target IP: 67.222.154.99
+ Target Hostname: v4-team.com
+ Target Port: 80
+ Start Time: 2010-02-09 1:31:01
---------------------------------------------------------------------------
+ Server: gws
[/code]
[b]Hydra[/b]
Hydra ini fungsinya mirip dengan program dengan nama brutus di microsoft
windows
Ok, kali ini kita tes GUI nya untuk dictionary attack ftp secara lokal,
silahkan diset seperti gambar di bawah ini (jangan lupa aktifkan daemon
ftp Anda untuk mendukung uji coba kali ini)
[img]http://www.fams-online.com/images/net8.jpg[/img]
Lalu kita klik tab "Passwords":
Misal target username adalah: "mywisdom"
Lalu kita centang Password list karena kita akan menggunakan word list
yang sudah kita siapkan, misal dalam
eksperimen kali ini kita pakai file password yang sudah kita siapkan di
direktori /root
[img]http://www.fams-online.com/images/net9.jpg[/img]
Ok selanjutnya kita klik tab Start dan kita klik tombol Start di kiri
bawah dan hasilnya bisa kita lihat:
[img]http://www.fams-online.com/images/net10.jpg[/img]
[b]W3AF[/b]
http://sourceforge.net/projects/w3af/
W3af ini merupakan framework untuk audit web aplikasi (pentest) dengan
aneka plugin. Berikut ini adalah plugin yang bisa kita pakai untuk
penetrasi suatu web
[code]
LDAPi Find LDAP injection bugs.
+ blindSqli Find blind SQL injection vulnerabilities.
buffOverflow Find buffer overflow vulnerabilities.
dav Tries to upload a file using HTTP PUT method.
+ fileUpload Uploads a file and then searches for the file inside
all known directories
.
formatString Find format string vulnerabilities.
+ frontpage Tries to upload a file using frontpage extensions
(author.dll).
+ generic Find all kind of bugs without using a fixed database
of errors.
globalRedirect Find scripts that redirect the browser to any site.
htaccessMethods Find misconfigurations in the "" configuration
of Apache.
localFileInclude Find local file inclusion vulnerabilities.
mxInjection Find MX injection vulnerabilities.
osCommanding Find OS Commanding vulnerabilities.
phishingVector Find phishing vectors.
preg_replace Find unsafe usage of PHPs preg_replace.
+ remoteFileInclude Find remote file inclusion vulnerabilities.
responseSplitting Find response splitting vulnerabilities.
sqli Find SQL injection bugs.
ssi Find server side inclusion vulnerabilities.
sslCertificate Check the SSL certificate validity( if https is being
used ).
unSSL Find out if secure content can also be fetched using
http.
xpath Find XPATH injection vulnerabilities.
xsrf Find the easiest to exploit xsrf vulnerabilities.
+ xss Find cross site scripting vulnerabilities.
xst Verify Cross Site Tracing vulnerabilities.
[/code]
Untuk masuk ke konsole w3af silahkan ke direktori tempat anda taruh elf
binary w3af Anda. misal di
/pentest/web/w3af
ketikkan :
[code]
./w3af
[/code]
Contoh:
[code]
bt w3af # pwd
/pentest/web/w3af
bt w3af # w3af
w3af>>> help
The following commands are available:
help You are here. help [command] prints more specific
help.
http-settings Configure the URL opener.
misc-settings Configure w3af misc settings.
plugins Enable, disable and configure plugins.
profiles List and start scan profiles.
start Start site analysis.
exploit Exploit a vulnerability.
tools Enter the tools section.
target Set the target URL.
version Show the w3af version.
exit Exit w3af.
w3af>>>
[/code]
Misal kita mao audit saja dengan menggunakan semua plugin di atas:
[code]
w3af>>> plugins
w3af/plugins>>>audit all
[/code]
next ketikkan back:
[code]
w3af/plugins>>> back
w3af>>>
[/code]
Lalu kita set target kita, ketikkan target:
[code]
w3af>>> target
w3af/target>>>
[/code]
Misal kita set target url http://jasakom.com
[code]
w3af/target>>> set target http://jasakom.com
w3af/target>>> back
[/code]
Untuk mulai kita ketik start:
[code]
w3af/target>>> set target http://jasakom.com
w3af/target>>> back
w3af>>> start
Auto-enabling plugin: grep.collectCookies
Auto-enabling plugin: grep.httpAuthDetect
Auto-enabling plugin: discovery.allowedMethods
Auto-enabling plugin: discovery.serverHeader
The Server header for this HTTP server is: Apache/2.2.4 (Ubuntu)
mod_fastcgi/2.4.2
x-powered-by header for this HTTP server is: PHP/5.2.3-1ubuntu6.4
The methods: COPY, GET, HEAD, LOCK, MOVE, OPTIONS, POST, PROPFIND,
PROPPATCH, TRACE, UNLOCK
are enabled on the following URLs:
- http://jasakom.com
- http://jasakom.com/
Found 4 URLs and 4 different points of injection.
The list of URLs is:
- http://jasakom.com
- http://jasakom.com/login.php?s=d6514d349395c77080b8c60a4a5afe85&do=login
- http://jasakom.com/search.php?do=process
- http://jasakom.com/profile.php?do=dismissnotice
The list of fuzzable requests is:
[/code]
So here we go:
[img]http://www.fams-online.com/images/net11.jpg[/img]
[b]Vanish, wzap,zap, zap2, logzap2,uzapper[/b]
Merupakan tool-tool yang berguna untuk covering track. Ok kita tes dulu
vanish (http://217.125.24.22/vanish.c)
Misal kita lihat dulu user2 apa saja yang ada di dalam sistem kita dengan
mengetik: who
[code]
bt network # who
root tty1 Feb 8 01:15
root pts/0 Feb 8 01:16 (:0.0)
root pts/1 Feb 8 01:19 (:0.0)
root pts/2 Feb 8 01:22 (:0.0)
root pts/3 Feb 8 01:27 (:0.0)
root pts/4 Feb 8 01:28 (:0.0)
root pts/5 Feb 8 02:02 (:0.0)
bt network #
[/code]
Ok coba kita pakai vanish:
[code]
bt bd # ./vanish root localhost localhost
utmp target processed.
wtmp target processed.
lastlog target processed.
Processing /var/log/messages DONE.
Processing /var/log/secure DONE.
Processing /var/log/xferlog DONE.
Processing /var/log/maillog DONE.
Processing /var/log/warn Couldn't open /var/log/warn
Processing /var/log/mail Couldn't open /var/log/mail
Processing /var/log/httpd.access_log Couldn't open
/var/log/httpd.access_log
Processing /var/log/httpd.error_log Couldn't open
/var/log/httpd.error_log
mv: cannot stat `warn.hm': No such file or directory
mv: cannot stat `mail.hm': No such file or directory
mv: cannot stat `httpda.hm': No such file or directory
mv: cannot stat `httpde.hm': No such file or directory
V_A_N_I_S_H_E_D_!
Your tracks have been removed
Exiting programm !!
[/code]
Lalu kita tes lagi apakah masih keliatan user root yang ada di sistem:
[code]
bt bd # who
bt bd #
[/code]
ok bukan sulap bukan sihir, sim salabim abra kadabra, user root hilang
dari penampakan di sistem
[img]http://www.fams-online.com/images/net12.jpg[/img]
[b]Dsniff[/b]
Dsniff merupakan paket sniffer yang cukup terkenal di linux.Klo gak salah
ada juga yang buat di windows.
Ok untuk mulai dsniff coba kita lihat dulu opsinya, ketik ini: dsniff -h
[code]
bt nikto # dsniff -h
Version: 2.4
Usage: dsniff [-cdmn] [-i interface] [-s snaplen] [-f services]
[-t trigger[,...]] [-r|-w savefile] [expression]
bt nikto #
[/code]
[b]Fast Track[/b]
Merupakan suatu framework untuk penetrasi website yang dibuat dengan
bahasa pemrograman python.
Beberapa fitur di dalam fast track:
- SQL injector
- SQL Bruter (biasa digunakan untuk brute force akun SA di mssql server)
- MS DOS Remote shell payload
- Exploit2:
1.HP Openview Network Node Manager CGI Buffer Overflow
2.IBM Tivoli Storage Manager Express CAD Service Buffer Overflow
3.HP Openview NNM 7.5.1 OVAS.EXE Pre Authentication SEH Overflow
- Metasploit auto pawn
Ok kali ini kita akan gunakan fitur web based dari fast track, ke
direktori fast-track.py anda lalu ketikkan:
[code]
./fast-track.py -g
[/code]
[img]http://www.fams-online.com/images/net13.jpg[/img]
Selanjutnya buka browser Anda dan ketikkan:
[code]
http://127.0.0.1:44444
[/code]
[b]Metasploit Framework[/b]
Metasploit merupakan framework yang berisi aneka exploit dan payload.
[code]
bt framework3 # ls
README external/ lib/ msfcli* msfelfscan*
msfmachscan* msfpescan* msfweb* tools/
data/ framework3@ load.gif msfconsole* msfencode*
msfopcode* msfrpc* plugins/
documentation/ karma.rc modules/ msfd* msfgui*
msfpayload* msfrpcd* scripts/
bt framework3 #
[/code]
di mana kita bisa menggunakan dalam aneka modus, yaitu mode konsole, web
based, cli dan gui.
Untuk kali ini kita tes mode konsole, ketikkan:
[code]
./msfconsole
[/code]
[code]
bt framework3 # ./msfconsole
## ### ## ##
## ## #### ###### #### ##### ##### ## #### ######
####### ## ## ## ## ## ## ## ## ## ## ### ##
####### ###### ## ##### #### ## ## ## ## ## ## ##
## # ## ## ## ## ## ## ##### ## ## ## ## ##
## ## #### ### ##### ##### ## #### #### #### ###
##
=[ msf v3.3-dev
+ -- --=[ 294 exploits - 124 payloads
+ -- --=[ 17 encoders - 6 nops
=[ 58 aux
msf >
[/code]
Untuk melihat apa saja perintah di konsole ini ketik help:
[code]
msf > help
Core Commands
=============
Command Description
------- -----------
? Help menu
back Move back from the current context
banner Display an awesome metasploit banner
cd Change the current working directory
connect Communicate with a host
exit Exit the console
help Help menu
info Displays information about one or more module
irb Drop into irb scripting mode
jobs Displays and manages jobs
load Load a framework plugin
loadpath Searches for and loads modules from a path
quit Exit the console
resource Run the commands stored in a file
route Route traffic through a session
save Saves the active datastores
search Searches module names and descriptions
sessions Dump session listings and display information about
sessions
set Sets a variable to a value
setg Sets a global variable to a value
show Displays modules of a given type, or all modules
sleep Do nothing for the specified number of seconds
unload Unload a framework plugin
unset Unsets one or more variables
unsetg Unsets one or more global variables
use Selects a module by name
version Show the console library version number
msf >
[/code]
contoh penggunaan auxiliary:
[code]
msf > use auxiliary/spoof/dns/bailiwicked_host
msf auxiliary(bailiwicked_host) >
[/code]
[img]http://www.fams-online.com/images/net15.jpg[/img]
[b]Sulley Fuzzing Framework[/b]
Merupakan suatu framework untuk fuzzing aplikasi (bisa daemon). Sulley
bisa anda download dari http://www.fuzzing.org
Tool ini akan membantu anda melakukan fuzzing selain fuzzing manual.
Ok sekian artikel saya semoga bermanfaat, karena udah cape jadi saya
lanjutkan lain kali. Good Luck