Root Password - Documents [PDF]

Oct 27, 2014

Certified Penetration Tester (CPT) Practical Examination Report

Matthew Tiedeman
[email protected]
February 21st, 2009

Contents

1. Overview
2. Assumptions
3. Tools
4. Penetration test details
   A. Scanning
      i. Baseline scan of network
      ii. Port scanning and OS fingerprinting
      iii. Service fingerprinting - TCP services
      iv. Service fingerprinting - Validation of Apache HTTP service
      v. SNMP enumeration
      vi. Service fingerprinting - UDP services
   B. Sites used during the exploit research phase
   C. Remote exploits
      i. Research via anyside.org
      ii. Exploits – round 1
      iii. Research via secwatch.org
      iv. Exploits – round 2
   D. User discovery
      i. Abuse of finger
   E. Brute force password guessing
      i. Discovery of password for “user” account
      ii. Discovery of password for “cptvm1” and “cptvm2” accounts
   F. Research of cptvm1 and cptvm2 hosts
      i. cptvm1
      ii. cptvm2
   G. Penetration of cptvm1
      i. Local exploit research via anyside.org
      ii. Local exploit research via secwatch.org
      iii. Privilege escalation using a Kernel VMA exploit
      iv. Maintaining access via creation of a new “r00t” account
      v. Gathering the shadow password file
   H. Cracking passwords of the cptvm1 host
      i. Cracking of “user”, “cptvm1” and “cptvm2”
   I. Penetration of cptvm2
      i. Privilege escalation using a Kernel vmsplice exploit
      ii. Maintaining access via creation of a new “r00t” account
      iii. Gathering the shadow password file
   J. Cracking passwords of the cptvm2 host
      i. Cracking of “cptvm1”, “cptvm2”, “root” and “r00t”
   K. Cracking passwords of the cptvm1 host – round 2
      i. Cracking of “root” and “r00t”
   L. Ultimate goal
      i. cptvm1 and cptvm2 hosts compromised
      ii. Passwords for root accounts on cptvm1 and cptvm2
   M. Lessons learned
      i. Searching exploit sites
      ii. Attack vectors
5. Appendix
   A. Source code for the Kernel 2.4 VMA exploit
   B. Source code for the Kernel 2.6 vmsplice exploit

1. Overview

The certified pen tester practical examination consists of the compromising of two VMware virtual machines, the recovery of the root passwords for each system and the creation of a penetration report. The penetration report will contain, at a minimum, the details of all of the penetration test findings and a prioritized list of the vulnerabilities discovered. The penetration report should be submitted for review to:

[email protected]

The following information was provided as part of the examination documentation:

- Virtual machine 1 (cptvm1) – VM containing a Linux system.
  - The system has the following static configuration:
    - IP Address: 192.168.1.200
    - Netmask: 255.255.255.0
    - Gateway: 192.168.1.254
    - DNS: 192.168.1.254
- Virtual machine 2 (cptvm2) – VM containing a Linux system.
  - The system has been configured to gain its network information via DHCP.
- Information gathered from one of the VMs during the penetration test may be required in order to compromise the other VM.

2. Assumptions
- While the penetration testing process consists of 5 phases (reconnaissance, scanning, penetration, maintaining connectivity and covering tracks), the reconnaissance and covering tracks phases will not be covered within this report.
- Stealthy scanning and penetration techniques will not be used.

3. Tools

The following tools were used during the completion of the penetration testing practical examination.

- back|track3 – Collection of penetration tester utilities.
- VMware Fusion – VMware virtual host software for OSX.
- Apple OSX – Host operating system used to execute VMware Fusion.
- nmap – Port scanning, fingerprinting, “swiss army knife” utility.
- httprint – HTTP fingerprinting utility.
- snmpenum.pl – SNMP enumeration utility.
- vi – Text editor.
- emacs – A “swiss army knife” editor (text/source code/etc).
- gcc – C, etc compiler.
- tftp – Trivial File Transfer Protocol client.
- ssh – Secure shell client.
- finger – Finger utility.
- bash shell scripting – Small scripts and main interactive shell.
- sed – A stream editing utility.
- awk – Lightweight regular expression text scripting utility.
- sort – Unix text sort utility.
- hydra – Multiple protocol dictionary attack utility.
- aspell – Dictionary utility.
- John the ripper, password cracker.

4. Penetration test details

A. Scanning

i. Baseline scan of network

An initial scan of the network was performed to establish a baseline of the network configuration. The gateway (192.168.1.1), host computer (192.168.1.30), back|track3 (192.168.1.102), cptvm2 (192.168.1.104) and cptvm1 (192.168.1.200) were identified.
At this point, the identification of the hosts and their use comes mainly from the exam documentation and the knowledge of how the local network is configured.

    bt live # nmap -sP -n 192.168.1.1/24

    Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-19 07:59 GMT
    Host 192.168.1.1 appears to be up.
    MAC Address: XX:XX:XX:XX:XX:XX (Cisco-Linksys)
    Host 192.168.1.30 appears to be up.
    MAC Address: XX:XX:XX:XX:XX:XX (Apple Computer)
    Host 192.168.1.102 appears to be up.
    MAC Address: XX:XX:XX:XX:XX:XX (Apple Computer)
    Host 192.168.1.104 appears to be up.
    MAC Address: 00:0C:29:3B:43:BC (VMware)
    Host 192.168.1.200 appears to be up.
    MAC Address: 00:0C:29:27:60:0A (VMware)
    Nmap done: 256 IP addresses (4 hosts up) scanned in 3.269 seconds

From the information gathered during this step, the systems of interest are configured as follows:

- cptvm1 (192.168.1.200)
- cptvm2 (192.168.1.104)

ii. Port scanning and OS fingerprinting

To determine the open ports and host operating system, a port scan and OS fingerprint of the specific VM IP addresses was conducted. The port scan included all TCP ports from 1 to 65535. Due to the differences between TCP and UDP, the UDP scan was completed only on ports from 1 to 1024. Based upon the list of open ports, it can be concluded that cptvm1, 192.168.1.200, is most likely a server, while cptvm2, 192.168.1.104, is most likely a client workstation.
    bt live # nmap -sS -O -n -p1-65535 192.168.1.200 192.168.1.104

    Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:04 GMT
    Interesting ports on 192.168.1.200:
    Not shown: 65517 closed ports
    PORT      STATE SERVICE
    7/tcp     open  echo
    21/tcp    open  ftp
    22/tcp    open  ssh
    23/tcp    open  telnet
    79/tcp    open  finger
    80/tcp    open  http
    109/tcp   open  pop2
    110/tcp   open  pop3
    111/tcp   open  rpcbind
    143/tcp   open  imap
    199/tcp   open  smux
    443/tcp   open  https
    686/tcp   open  unknown
    993/tcp   open  imaps
    995/tcp   open  pop3s
    6000/tcp  open  X11
    32768/tcp open  unknown
    32770/tcp open  sometimes-rpc3
    MAC Address: 00:0C:29:27:60:0A (VMware)
    Device type: general purpose
    Running: Linux 2.4.X
    OS details: Linux 2.4.18 - 2.4.32 (likely embedded)
    Uptime: 0.121 days (since Tue Jan 20 09:11:03 2009)
    Network Distance: 1 hop

    Interesting ports on 192.168.1.104:
    Not shown: 65532 closed ports
    PORT    STATE SERVICE
    22/tcp  open  ssh
    111/tcp open  rpcbind
    939/tcp open  unknown
    MAC Address: 00:0C:29:3B:43:BC (VMware)
    Device type: general purpose
    Running: Linux 2.6.X
    OS details: Linux 2.6.9 - 2.6.23
    Uptime: 0.106 days (since Tue Jan 20 09:32:16 2009)
    Network Distance: 1 hop

    OS detection performed. Please report any incorrect results at http://nmap.org/submit/ .
    Nmap done: 2 IP addresses (2 hosts up) scanned in 19.321 seconds

    bt live # nmap -sU -T5 -n -p1-1024 192.168.1.200 192.168.1.104

    Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 15:53 GMT
    Warning: Giving up on port early because retransmission cap hit.
    Stats: 0:00:20 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
    UDP Scan Timing: About 22.18% done; ETC: 15:54 (0:01:11 remaining)
    Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
    UDP Scan Timing: About 24.37% done; ETC: 15:54 (0:01:09 remaining)
    Stats: 0:00:22 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
    UDP Scan Timing: About 24.89% done; ETC: 15:54 (0:01:08 remaining)
    Stats: 0:00:23 elapsed; 0 hosts completed (2 up), 2 undergoing UDP Scan
    UDP Scan Timing: About 25.05% done; ETC: 15:54 (0:01:08 remaining)
    Interesting ports on 192.168.1.200:
    Not shown: 870 open|filtered ports, 151 closed ports
    PORT   STATE SERVICE
    7/udp  open  echo
    13/udp open  daytime
    37/udp open  time
    MAC Address: 00:0C:29:27:60:0A (VMware)

    All 1024 scanned ports on 192.168.1.104 are open|filtered (872) or closed (152)
    MAC Address: 00:0C:29:3B:43:BC (VMware)

    Nmap done: 2 IP addresses (2 hosts up) scanned in 146.229 seconds

From the information gathered during this step, the systems of interest are configured as follows:

- cptvm1 (192.168.1.200)
  - Operating system: Linux
  - Kernel version: Linux 2.4.18 - 2.4.32
  - TCP ports: 7, 21, 22, 23, 79, 80, 109, 110, 111, 143, 199, 443, 686, 993, 995, 6000, 32768, 32770
  - UDP ports: 7, 13, 37
- cptvm2 (192.168.1.104)
  - Operating system: Linux
  - Kernel version: Linux 2.6.9 - 2.6.23
  - TCP ports: 22, 111, 939

iii. Service fingerprinting - TCP services

As a TCP port number does not directly identify a service, fingerprinting of the services listening on the ports is required. The majority of the TCP services were fingerprinted via nmap. The remaining services, port 109, port 993 and port 995, will require further research to properly fingerprint.
    bt live # nmap -sV --version-all -n -p7,21-23,79,80,109-111,143,199,443,686,993,995,6000,32768,32770 192.168.1.200

    Starting Nmap 4.60 ( http://nmap.org ) at 2009-01-20 12:27 GMT
    Interesting ports on 192.168.1.200:
    PORT      STATE SERVICE  VERSION
    7/tcp     open  echo
    21/tcp    open  ftp      vsftpd 1.1.3
    22/tcp    open  ssh      OpenSSH 3.5p1 (protocol 1.99)
    23/tcp    open  telnet   Linux telnetd
    79/tcp    open  finger   Linux fingerd
    80/tcp    open  http     Apache httpd 2.0.40 ((Red Hat Linux))
    109/tcp   open  pop2?
    110/tcp   open  pop3     ipopd 2001.78rh
    111/tcp   open  rpcbind  2 (rpc #100000)
    143/tcp   open  imap     UW Imapd 2001.315rh
    199/tcp   open  smux     Linux SNMP multiplexer
    443/tcp   open  ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
    686/tcp   open  rquotad  1-2 (rpc #100011)
    993/tcp   open  imaps?
    995/tcp   open  pop3s?
    6000/tcp  open  X11      (access denied)
    32768/tcp open  status   1 (rpc #100024)
    32770/tcp open  mountd   1-3 (rpc #100005)
    1 service unrecognized despite returning data. If you know the service/version, please submit the following fingerprint at http://www.insecure.org/cgi-bin/servicefp-submit.cgi :
    SF-Port109-TCP:V=4.60%I=9%D=1/20%Time=4975C33E%P=i686-pc-linux-gnu%r(Gener
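
The service table above doubles as a hardening worklist for whoever owns cptvm1. The following Python is an added example, not part of the original report: it parses rows copied from the nmap -sV output and checks them against a hypothetical policy (the POLICY table, its wording and the function names are assumptions).

```python
import re

# Rows copied from the nmap -sV output above (a subset, columns re-aligned).
SCAN = """\
PORT      STATE SERVICE  VERSION
7/tcp     open  echo
21/tcp    open  ftp      vsftpd 1.1.3
22/tcp    open  ssh      OpenSSH 3.5p1 (protocol 1.99)
23/tcp    open  telnet   Linux telnetd
79/tcp    open  finger   Linux fingerd
110/tcp   open  pop3     ipopd 2001.78rh
143/tcp   open  imap     UW Imapd 2001.315rh
443/tcp   open  ssl/http Apache httpd 2.0.40 ((Red Hat Linux))
993/tcp   open  imaps?
6000/tcp  open  X11      (access denied)
32770/tcp open  mountd   1-3 (rpc #100005)
"""

ROW = re.compile(r"^(\d+)/(tcp|udp)\s+(\S+)\s+(\S+)\s*(.*)$")
# Hypothetical hardening policy (an assumption, not taken from the report).
POLICY = {
    "echo": "legacy inetd small service; disable it",
    "ftp": "credentials cross the network in cleartext; use SFTP",
    "telnet": "cleartext remote login; remove in favour of SSH",
    "finger": "discloses account names to anyone who asks; disable it",
    "pop3": "cleartext mail retrieval; keep only the TLS listener",
    "imap": "cleartext mail retrieval; keep only the TLS listener",
    "x11": "X server listening on TCP; start it with -nolisten tcp",
    "mountd": "NFS/RPC service reachable; restrict it to trusted hosts",
}

def parse(text):
    """Return one dict per open port in nmap's normal-output table."""
    rows = []
    for line in text.splitlines():
        m = ROW.match(line.strip())
        if m and m.group(3) == "open":
            port, proto, _, svc, version = m.groups()
            rows.append({"port": int(port), "proto": proto, "version": version.strip(),
                         "service": svc.rstrip("?").lower(),
                         "unconfirmed": svc.endswith("?")})  # nmap's "?" marks a guess
    return rows

def review(rows):
    """Return (port, finding) pairs for services the policy objects to."""
    findings = []
    for r in rows:
        if r["service"] in POLICY:
            findings.append((r["port"], POLICY[r["service"]]))
        if r["service"] == "ssh" and "protocol 1.99" in r["version"]:
            findings.append((r["port"], "SSH-1 still accepted; set 'Protocol 2' in sshd_config"))
        if r["unconfirmed"]:
            findings.append((r["port"], "service not confirmed by nmap; verify what listens here"))
    return findings
```

Calling `review(parse(SCAN))` returns one entry per flagged port; the TLS-wrapped Apache listener on 443 passes, while the SSH banner is flagged because "protocol 1.99" means the server offers SSH-1 alongside SSH-2.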
