Pages

Wednesday, January 16, 2013

Kioptrix Noob-ing #1

As usual, I'll be reading PDF books on my tablet on my way to work. Train rides can get really boring. Anyhow, I'm currently reading "Advanced Penetration Testing for Highly-Secured Environments: The Ultimate Security Guide". I'm 100+ pages into it and i must say it has been informative. Get yours at http://www.amazon.com/Advanced-Penetration-Testing-Highly-Secured-Environments/dp/1849517746 or your *ahem* friends who might have it. 

So while I'm perusing through the pages, it recommended a Virtual Machine (VM) called Kioptrix to be downloaded at: http://www.kioptrix.com/blog/ for security testing purpose. The main objective is to obtain ROOT privileges through several ways you can think of: dictionary/bruteforce password, exploit, etc. (but since you can't do client-side attack, you probably can't social engineer, drive-by, mitm/sniff/, etc). Although there's a port 80 (and a 443) opened, you might not be able to do much via web attacks (but I might be wrong so drop a comment if you manage to do it =P ). 

Metasploit on Debian Raspberry (Soft-float) - Bad idea
Still obsessed with my little ARM friend, I tried to install metasploit on it. BUT, big BUT, it is SLOW. I don't mean "ah takes 15seconds" but "WTF, it's been 5minutes and i can't even bring up msfconsole" slow. Annoying as hell, I decided to rm -r msf3. I'll go back to BackTrack when I decide to proceed with an exploit. Yes, with several sweet ports open I would like to toss in some ready-made attacks to gain shell. However, I shall reserve it for later. 


*SPOILER ALERT*: Although I'm not pasting the results of the Kioptrix, I might reveal a few things that you may wish to discover yourself while playing around with Kioptrix. If you want to do Kioptrix all by your own without any influence/advice/help, please do not view the content below. You have been warned!

Recon & Next step against Kioptrix 
You can't do much except to see this very nice screen via VMware workstation (or vmplayer):

This VM will sit in your subnet. So if you're on 192.168.0.0/24, it might be a 192.168.0.5.
Remember, you'll need a DHCP (in this case my home router) in order for Kioptrix to get its IP.

So what I did so far:
1. Fping - sweep the whole friggin' subnet and identify the sorethumb.
2. Nmap - your fundamental reconnaissance, preferrably with OS detection and NSE scripts.
* I won't be pasting the spoiler results.
3. Bruteforce - even as I speak, my good ol' Rasp pal is bruteforcing the crap out of the Kioptrix. 

Python SSH Bruteforce
It's the standard garden variety bruteforcing in attempt to login by "guessing" the password on the SSH server listening on port 22. Either you do the dictionary attack (commonly used words, phrases, etc) or a literal bruteforce (every possible character set) and then pray that you get in. Not very elegant but heck, if it works, why not?
Btw, I'm using Christian Martorella's python program. More instructions at:
http://zeldor.biz/2011/01/how-to-bruteforce-ssh/ 
with the password list:
wget http://dazzlepod.com/site_media/txt/passwords.txt
I've been wanting to install Nessus 5 on it but seems like it only supports i386/x86-64 arch (RPi's ARM arch). Meanwhile, I'll keep searching for decent vulnerability scanners that can installed and used on the RPi.

Happy fun times~

Break To Protect,
J.S.

No comments:

Post a Comment